
Commit eea0352

authored
Merge branch 'main' into marrobi/fix-ui-deps
2 parents 5013669 + 5cff723 commit eea0352

11 files changed

+177
-42
lines changed


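--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 **BREAKING CHANGES & MIGRATIONS**:
 
 ENHANCEMENTS:
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
 * Allow workspace App Service Plan SKU to be updated ([#4331](https://github.com/microsoft/AzureTRE/issues/4331))
 * Add core requests endpoint and UI to enable requests to be managed TRE wide. ([[#2510](https://github.com/microsoft/AzureTRE/issues/2510)])
 * Remove public IP from TRE's firewall when forced tunneling is configured ([#4346](https://github.com/microsoft/AzureTRE/pull/4346))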

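--- a/core/terraform/deploy.sh
+++ b/core/terraform/deploy.sh
@@ -5,6 +5,9 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# shellcheck disable=SC1091
+source "../../devops/scripts/kv_add_network_exception.sh"
+
 # This is where we can migrate any Terraform before we plan and apply
 # For instance deprecated Terraform resources
 # shellcheck disable=SC1091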
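Review bot: Sourcing kv_add_network_exception.sh on line 9 installs `trap kv_remove_network_exception EXIT` in this shell, which silently replaces any EXIT trap deploy.sh has already registered, and the sourced file's `exit 1` paths (vault name unresolved, vault still unreachable after its retry loop) terminate deploy.sh itself rather than just the helper. Whether this file sets its own cleanup trap cannot be seen from the hunk, so a comment above the `source` line such as `# NOTE: installs an EXIT trap that removes the key vault IP exception on exit; do not register another EXIT trap after this` would make the coupling explicit for the next edit. The same three lines are added to destroy.sh, letsencrypt.sh and destroy_env_no_terraform.sh and the note applies there as well.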

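--- a/core/terraform/destroy.sh
+++ b/core/terraform/destroy.sh
@@ -5,6 +5,9 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# shellcheck disable=SC1091
+source "../../devops/scripts/kv_add_network_exception.sh"
+
 # These variables are loaded in for us
 # shellcheck disable=SC2154
 ../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \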

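--- a/core/terraform/keyvault.tf
+++ b/core/terraform/keyvault.tf
@@ -1,5 +1,5 @@
 resource "azurerm_key_vault" "kv" {
-name = "kv-${var.tre_id}"
+name = local.kv_name
 tenant_id = data.azurerm_client_config.current.tenant_id
 location = azurerm_resource_group.core.location
 resource_group_name = azurerm_resource_group.core.name
@@ -8,7 +8,27 @@ resource "azurerm_key_vault" "kv" {
 purge_protection_enabled = var.kv_purge_protection_enabled
 tags = local.tre_core_tags
 
-lifecycle { ignore_changes = [access_policy, tags] }
+public_network_access_enabled = local.kv_public_network_access_enabled
+
+network_acls {
+default_action = local.kv_network_default_action
+bypass = local.kv_network_bypass
+ip_rules = [local.myip] # exception for deployment IP, this is removed in kv_remove_network_exception.sh
+}
+
+lifecycle {
+ignore_changes = [access_policy, tags]
+}
+
+# create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970
+#
+provisioner "local-exec" {
+when = create
+command = <<EOT
+az keyvault update --name ${local.kv_name} --public-network-access ${local.kv_public_network_access_enabled ? "Enabled" : "Disabled"} --default-action ${local.kv_network_default_action} --bypass "${local.kv_network_bypass}" --output none
+az keyvault network-rule add --name ${local.kv_name} --ip-address ${local.myip} --output none
+EOT
+}
 }
 
 resource "azurerm_role_assignment" "keyvault_deployer_role" {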
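Review bot: `ip_rules = [local.myip]` on line 16 is declared as desired state while the comment on the same line says the rule is removed again by kv_remove_network_exception.sh, yet the new `lifecycle` block on lines 19-21 still ignores only `access_policy` and `tags`; unless something outside this hunk keeps them aligned, every later plan will report the vanished rule as drift and re-add whichever IP the next deployer happens to have. Adding `network_acls[0].ip_rules` to `ignore_changes` would leave the add/remove of the exception entirely to the scripts, which is where the comment says it lives. Separately, the heredoc on lines 28-29 splices `local.myip` unquoted into a shell command; `local.myip` is defined outside this hunk, so a comment on line 16 stating that it must be a bare IPv4 literal (or a variable validation enforcing that) would record the assumption the `local-exec` relies on.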

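--- a/core/terraform/locals.tf
+++ b/core/terraform/locals.tf
@@ -58,4 +58,10 @@ locals {
 
 cmk_name = "tre-encryption-${var.tre_id}"
 encryption_identity_name = "id-encryption-${var.tre_id}"
+
+# key vault variables
+kv_name = "kv-${var.tre_id}"
+kv_public_network_access_enabled = true
+kv_network_default_action = var.enable_local_debugging ? "Allow" : "Deny"
+kv_network_bypass = "AzureServices"
 }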
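Review bot: `kv_network_default_action` on line 65 resolves to `"Allow"` whenever `var.enable_local_debugging` is set, which together with `kv_public_network_access_enabled = true` on line 64 puts the core vault back into the "reachable from all networks" state the accompanying changelog entry says it should not be in, and nothing in the block marks that as a debug-only relaxation. A comment on that line, e.g. `# "Allow" is a local-debugging convenience only; deployments must leave enable_local_debugging false so the firewall denies by default`, would keep the intent visible. The enclosing `locals` block begins before this hunk.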

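--- a/core/terraform/scripts/letsencrypt.sh
+++ b/core/terraform/scripts/letsencrypt.sh
@@ -8,6 +8,11 @@ if [[ -z ${STORAGE_ACCOUNT} ]]; then
 exit 1
 fi
 
+if [[ -n ${KEYVAULT} ]]; then
+# shellcheck disable=SC1091
+source "$script_dir/../../../devops/scripts/kv_add_network_exception.sh"
+fi
+
 # The storage account is protected by network rules
 #
 # The rules need to be temporarily lifted so that the script can determine if the index.html file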
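Review bot: The guard on line 11 keys off `${KEYVAULT}`, but the sourced script resolves the vault name from `TRE_ID` (falling back to `core_tre_rg`) and never reads `KEYVAULT`, so the two can disagree: a `KEYVAULT` value that names a different vault still results in the exception being added to `kv-$TRE_ID`. Neither `KEYVAULT` nor `script_dir` is assigned inside the hunk, so they presumably come from earlier in the file; `[[ -n "${KEYVAULT:-}" ]]` would be the safer spelling if the script runs with `nounset`, and a comment such as `# the vault name used by the sourced helper comes from TRE_ID, not KEYVAULT` would avoid the confusion.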

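--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.12.1"
+__version__ = "0.12.2"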

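--- a/devops/scripts/destroy_env_no_terraform.sh
+++ b/devops/scripts/destroy_env_no_terraform.sh
@@ -66,6 +66,11 @@ then
 no_wait_option="--no-wait"
 fi
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# shellcheck disable=SC1091
+source "$script_dir/kv_add_network_exception.sh"
+
 group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?)
 if [[ "$group_show_result" != "0" ]]; then
 echo "Resource group ${core_tre_rg} not found - skipping destroy"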

devops/scripts/key_vault_list.sh

Lines changed: 0 additions & 17 deletions
This file was deleted.
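--- /dev/null
+++ b/devops/scripts/kv_add_network_exception.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+#
+# Add an IP exception to the Key Vault firewall for deployment, and remove on script exit
+# The current machine's IP address is used, or $PUBLIC_DEPLOYMENT_IP_ADDRESS if set
+#
+# Note: Ensure you "source" this script, or else the EXIT trap won't fire at the right time
+#
+
+
+function kv_add_network_exception() {
+
+# set up variables
+#
+local KV_NAME
+KV_NAME=$(get_kv_name)
+
+local MY_IP
+MY_IP=$(get_my_ip)
+
+echo -e "\nAdding deployment network exception to key vault $KV_NAME..."
+
+# ensure kv exists
+#
+if ! does_kv_exist "$KV_NAME"; then
+return 0 # don't cause outer sourced script to fail
+fi
+
+# add keyvault network exception
+#
+az keyvault network-rule add --name "$KV_NAME" --ip-address "$MY_IP" --output none
+
+local ATTEMPT=1
+local MAX_ATTEMPTS=10
+
+while true; do
+
+if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then
+echo -e " Keyvault $KV_NAME is now accessible\n"
+break
+fi
+
+if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+echo -e "Could not add deployment network exception for $KV_NAME"
+echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n"
+echo -e "$KV_OUTPUT\n"
+
+exit 1
+fi
+
+echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect."
+sleep 5
+((ATTEMPT++))
+
+done
+
+}
+
+function kv_remove_network_exception() {
+
+# set up variables
+#
+local KV_NAME
+KV_NAME=$(get_kv_name)
+
+local MY_IP
+MY_IP=$(get_my_ip)
+
+echo -e "\nRemoving deployment network exception to key vault $KV_NAME..."
+
+# ensure kv exists
+#
+if ! does_kv_exist "$KV_NAME"; then
+return 0 # don't cause outer sourced script to fail
+fi
+
+# remove keyvault network exception
+#
+az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none
+echo -e " Deployment network exception removed\n"
+}
+
+
+function get_kv_name() {
+
+local TRE_ID_LOCAL="${TRE_ID:-}"
+
+if [[ -z "$TRE_ID_LOCAL" ]]; then
+if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh
+TRE_ID_LOCAL="${core_tre_rg#rg-}"
+fi
+fi
+
+if [[ -z "$TRE_ID_LOCAL" ]]; then
+echo -e "Could not add/remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n"
+exit 1
+fi
+
+echo "kv-${TRE_ID_LOCAL}"
+}
+
+function get_my_ip() {
+
+local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+if [[ -z "$MY_IP" ]]; then
+MY_IP=$(curl -s "ipecho.net/plain"; echo)
+fi
+
+echo "$MY_IP"
+}
+
+
+function does_kv_exist() {
+
+KV_NAME=$1
+
+if [[ -z "$(az keyvault list --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then
+echo -e " Core key vault $KV_NAME not found\n"
+return 1
+fi
+
+return 0
+}
+
+
+# setup the trap to remove network exception on exit
+trap kv_remove_network_exception EXIT
+
+# now add the network exception
+kv_add_network_exception "$@"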
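Review bot: `get_my_ip` on line 107 obtains the address that will be whitelisted in the vault firewall from `curl -s "ipecho.net/plain"` — no URL scheme, so plain HTTP, no `--fail`, and no check on the body — which means a captive portal, transparent proxy or error page can return an arbitrary string that line 31 then hands straight to `az keyvault network-rule add --ip-address`. Fetch it over TLS with `-fsS` (if the service supports it; otherwise pick one that does) and accept only a bare IPv4 literal before returning, exiting otherwise, and run `PUBLIC_DEPLOYMENT_IP_ADDRESS` through the same validation since it too ends up in the firewall rule. Two smaller points: `does_kv_exist` on line 116 assigns `KV_NAME=$1` without `local`, so it clobbers any `KV_NAME` in the shell that sourced this file (the callers here declare their own `local KV_NAME`, so it matters only for the outer script), and the EXIT trap calls `get_my_ip` a second time, so an address that changed between add and remove leaves the original exception in place — resolving the IP once at source time into a variable both functions read would close that gap.
```shell
function get_my_ip() {

  local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"

  if [[ -z "$MY_IP" ]]; then
    # TLS and --fail so a proxy or error page is never mistaken for an address
    MY_IP=$(curl -fsS "https://ipecho.net/plain")
  fi

  # only a bare IPv4 literal may reach the firewall rule
  if [[ ! "$MY_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo -e "Could not determine a valid deployment IP address ('$MY_IP')\nExiting...\n"
    exit 1
  fi

  echo "$MY_IP"
}
```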
