Merge branch 'core-network-subnets-change' of https://github.com/micr…

…osoft/AzureTRE into test-main

CHANGELOG.md

@@ -73,6 +73,8 @@ BUG FIXES:
 * Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL ([#4288](https://github.com/microsoft/AzureTRE/issues/4288))
 * Recreate tre_output.json if empty. ([[#4292](https://github.com/microsoft/AzureTRE/issues/4292)])
 * Ensure R directory is present before attempting to update package mirror URL ([#4332](https://github.com/microsoft/AzureTRE/pull/4332))
+* Upgrade AzureRM Terraform provider from `3.117.0` to `4.14.0`. ([[PR_link](https://github.com/microsoft/AzureTRE/pull/4255/)])
+* Subnet definitions are now inline in the `azurerm_virtual_network` resource, and NSG associations are set using `security_group` in each subnet block (no separate `azurerm_subnet_network_security_group_association` needed). ([[PR_link](https://github.com/microsoft/AzureTRE/pull/4255/)])
 
 COMPONENTS:
 

core/terraform/cosmos_mongo.tf

@@ -6,7 +6,7 @@ resource "azurerm_cosmosdb_account" "mongo" {
   kind                       = "MongoDB"
   automatic_failover_enabled = false
   mongo_server_version       = 4.2
-  ip_range_filter            = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+  ip_range_filter            = local.cosmos_ip_filter_set
 
   capabilities {
     name = "EnableServerless"

core/terraform/locals.tf

@@ -14,7 +14,20 @@ locals {
   docker_registry_server = data.azurerm_container_registry.mgmt_acr.login_server
 
   # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
-  azure_portal_cosmos_ips = "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
+
+  azure_portal_cosmos_ips_list = [
+    "104.42.195.92",
+    "40.76.54.131",
+    "52.176.6.30",
+    "52.169.50.45",
+    "52.187.184.26"
+  ]
+
+  cosmos_ip_filter_set = toset(
+    var.enable_local_debugging
+    ? concat(local.azure_portal_cosmos_ips_list, [local.myip])
+    : local.azure_portal_cosmos_ips_list
+  )
 
   # we define some zones in core despite not used by the core infra because
   # it's the easier way to make them available to other services in the system.

core/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.14.0"
     }
     random = {
       source  = "hashicorp/random"

core/terraform/migrate.sh

@@ -5,16 +5,25 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
-# Configure AzureRM provider to user Azure AD to connect to storage accounts
+get_resource_id() {
+  local json_data="$1"
+  local resource_addr="$2"
+  echo "$json_data" | jq -r --arg addr "$resource_addr" '
+    def walk_resources:
+      (.resources[]?),
+      (.child_modules[]? | walk_resources);
+    .values.root_module | walk_resources | select(.address==$addr) | .values.id
+  '
+}
+
+# Configure AzureRM provider to use Azure AD to connect to storage accounts
 export ARM_STORAGE_USE_AZUREAD=true
 
-# Configure AzureRM backend to user Azure AD to connect to storage accounts
+# Configure AzureRM backend to use Azure AD to connect to storage accounts
 export ARM_USE_AZUREAD=true
 export ARM_USE_OIDC=true
 
-# terraform_wrapper_path="../../devops/scripts/terraform_wrapper.sh"
-
-# This variables are loaded in for us
+# These variables are loaded in for us
 # shellcheck disable=SC2154
 terraform init -input=false -backend=true -reconfigure \
     -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \
@@ -24,42 +33,68 @@ terraform init -input=false -backend=true -reconfigure \
 
 echo "*** Migrating TF Resources... ***"
 
+terraform refresh
 
+# get TF state in JSON
 terraform_show_json=$(terraform show -json)
 
-# Remove cnab-state legacy state path form state. Needs to be run before refresh, as refresh will fail.
-state_store_legacy_path=$(echo "${terraform_show_json}" \
-   | jq 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_storage_share.storage_state_path") | .values.id')
-
-if [ -n "${state_store_legacy_path}" ]; then
-  echo -e "\n\e[96mRemoving legacy state path from TF state\e[0m..."
-  terraform state rm azurerm_storage_share.storage_state_path
-fi
-
-# terraform show might fail if provider schema has changed. Since we don't call apply at this stage a refresh is needed
-terraform refresh
+# List of resource addresses to remove.
+declare -a RESOURCES_TO_REMOVE=(
+  "module.network.azurerm_subnet_network_security_group_association.bastion"
+  "module.network.azurerm_subnet_network_security_group_association.app_gw"
+  "module.network.azurerm_subnet_network_security_group_association.shared"
+  "module.network.azurerm_subnet_network_security_group_association.web_app"
+  "module.network.azurerm_subnet_network_security_group_association.resource_processor"
+  "module.network.azurerm_subnet_network_security_group_association.airlock_processor"
+  "module.network.azurerm_subnet_network_security_group_association.airlock_notification"
+  "module.network.azurerm_subnet_network_security_group_association.airlock_storage"
+  "module.network.azurerm_subnet_network_security_group_association.airlock_events"
+  "module.network.azurerm_subnet.bastion"
+  "module.network.azurerm_subnet.azure_firewall"
+  "module.network.azurerm_subnet.app_gw"
+  "module.network.azurerm_subnet.web_app"
+  "module.network.azurerm_subnet.shared"
+  "module.network.azurerm_subnet.resource_processor"
+  "module.network.azurerm_subnet.airlock_processor"
+  "module.network.azurerm_subnet.airlock_notification"
+  "module.network.azurerm_subnet.airlock_storage"
+  "module.network.azurerm_subnet.airlock_events"
+  "module.network.azurerm_subnet.firewall_management"
+)
+vnet_address="module.network.azurerm_virtual_network.core"
 
-# 1. Check we have a root_module in state
-# 2. Grab the Resource ID
-# 3. Delete the old resource from state
-# 4. Import the new resource type in using the existing Azure Resource ID
+# Check if migration is needed
+migration_needed=0
+for resource in "${RESOURCES_TO_REMOVE[@]}"; do
+  resource_id=$(get_resource_id "${terraform_show_json}" "$resource")
+  if [ -n "$resource_id" ] && [ "$resource_id" != "null" ]; then
+    migration_needed=1
+    break
+  fi
+done
 
-terraform_show_json=$(terraform show -json)
+# Remove old resources
+if [ "$migration_needed" -eq 1 ]; then
+  for resource in "${RESOURCES_TO_REMOVE[@]}"; do
+    resource_id=$(get_resource_id "${terraform_show_json}" "$resource")
+    if [ -n "$resource_id" ] && [ "$resource_id" != "null" ]; then
+      terraform state rm "$resource"
+    else
+      echo "Resource that was supposed to be removed not found in state: ${resource}"
+    fi
+  done
 
-# example migration
-# # azurerm_app_service_plan -> azurerm_service_plan
-# core_app_service_plan_id=$(echo "${terraform_show_json}" \
-#   | jq -r 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_app_service_plan.core") | .values.id')
-# if [ -n "${core_app_service_plan_id}" ]; then
-#   echo "Migrating ${core_app_service_plan_id}"
-#   terraform state rm azurerm_app_service_plan.core
-#   if [[ $(az resource list --query "[?id=='${core_app_service_plan_id}'] | length(@)") == 0 ]];
-#   then
-#     echo "The resource doesn't exist on Azure. Skipping importing it back to state."
-#   else
-#     terraform import azurerm_service_plan.core "${core_app_service_plan_id}"
-#   fi
-# fi
-
-echo "*** Migration is done. ***"
-# check if main is that issue
+  # Remove and re-import the VNet
+  vnet_address="module.network.azurerm_virtual_network.core"
+  vnet_id=$(get_resource_id "${terraform_show_json}" "$vnet_address" "vnet")
+  if [ -n "${vnet_id}" ] && [ "${vnet_id}" != "null" ]; then
+    terraform state rm "${vnet_address}"
+    terraform import "${vnet_address}" "${vnet_id}"
+  else
+    echo "VNet resource not found in state: ${vnet_address}"
+  fi
+  echo "*** Migration Done ***"
+else
+  echo "No old resources found in the state, skipping migration."
+  echo "*** Migration Skipped ***"
+fi

core/terraform/network/locals.tf

@@ -32,4 +32,6 @@ locals {
     "privatelink.queue.core.windows.net",
     "privatelink.table.core.windows.net"
   ])
+
+  subnet_ids_map = { for s in azurerm_virtual_network.core.subnet : s.name => s.id }
 }

core/terraform/network/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117"
+      version = ">= 4.14.0"
     }
   }
 }