Disable storage account cross tenant replication (#4116)

* Disable storage account cross tenant replication * Update CHANGELOG.md * Update version numbers after merge (code in merge used them) * Increment core version number following merge * Increment core version number following merge
microsoft · Nov 25, 2024 · f40dee6 · f40dee6
1 parent 16dff47
commit f40dee6
Show file tree

Hide file tree

Showing 20 changed files with 168 additions and 146 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 FEATURES:
 
 ENHANCEMENTS:
+* Disable storage account cross tenant replication ([#4116](https://github.com/microsoft/AzureTRE/pull/4116))
 * Key Vaults should use RBAC instead of access policies for access control ([#4000](https://github.com/microsoft/AzureTRE/issues/4000))
 * Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
 * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -19,13 +19,14 @@ resource "azurerm_service_plan" "airlock_plan" {
 }
 
 resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
-  name                            = local.airlock_function_sa_name
-  resource_group_name             = var.resource_group_name
-  location                        = var.location
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
-  tags                            = var.tre_core_tags
+  name                             = local.airlock_function_sa_name
+  resource_group_name              = var.resource_group_name
+  location                         = var.location
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
+  tags                             = var.tre_core_tags
 
   lifecycle { ignore_changes = [tags] }
 }

diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
@@ -1,10 +1,11 @@
 # 'External' storage account - drop location for import
 resource "azurerm_storage_account" "sa_import_external" {
-  name                     = local.import_external_storage_name
-  location                 = var.location
-  resource_group_name      = var.resource_group_name
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
+  name                             = local.import_external_storage_name
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  cross_tenant_replication_enabled = false
 
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
   allow_nested_items_to_be_public = false
@@ -44,11 +45,12 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" {
 
 # 'Approved' export
 resource "azurerm_storage_account" "sa_export_approved" {
-  name                     = local.export_approved_storage_name
-  location                 = var.location
-  resource_group_name      = var.resource_group_name
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
+  name                             = local.export_approved_storage_name
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  cross_tenant_replication_enabled = false
 
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
   allow_nested_items_to_be_public = false
@@ -88,12 +90,13 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" {
 
 # 'In-Progress' storage account
 resource "azurerm_storage_account" "sa_import_in_progress" {
-  name                            = local.import_in_progress_storage_name
-  location                        = var.location
-  resource_group_name             = var.resource_group_name
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
+  name                             = local.import_in_progress_storage_name
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -162,12 +165,13 @@ resource "azurerm_private_endpoint" "stg_import_inprogress_pe" {
 
 # 'Rejected' storage account
 resource "azurerm_storage_account" "sa_import_rejected" {
-  name                            = local.import_rejected_storage_name
-  location                        = var.location
-  resource_group_name             = var.resource_group_name
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
+  name                             = local.import_rejected_storage_name
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -210,12 +214,13 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
 
 # 'Blocked' storage account
 resource "azurerm_storage_account" "sa_import_blocked" {
-  name                            = local.import_blocked_storage_name
-  location                        = var.location
-  resource_group_name             = var.resource_group_name
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
+  name                             = local.import_blocked_storage_name
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED

diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
@@ -1,14 +1,15 @@
 # See https://microsoft.github.io/AzureTRE/tre-developers/letsencrypt/
 resource "azurerm_storage_account" "staticweb" {
-  name                            = local.staticweb_storage_name
-  resource_group_name             = var.resource_group_name
-  location                        = var.location
-  account_kind                    = "StorageV2"
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  enable_https_traffic_only       = true
-  allow_nested_items_to_be_public = false
-  tags                            = local.tre_core_tags
+  name                             = local.staticweb_storage_name
+  resource_group_name              = var.resource_group_name
+  location                         = var.location
+  account_kind                     = "StorageV2"
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  enable_https_traffic_only        = true
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
+  tags                             = local.tre_core_tags
 
   static_website {
     index_document     = "index.html"

diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
@@ -14,14 +14,15 @@ resource "azurerm_log_analytics_workspace" "core" {
 # Storage account for Azure Monitor ingestion
 # Because Private Link is enabled on Application Performance Management (APM), Bring Your Own Storage (BYOS) approach is required
 resource "azurerm_storage_account" "az_monitor" {
-  name                            = lower(replace("stazmonitor${var.tre_id}", "-", ""))
-  resource_group_name             = var.resource_group_name
-  location                        = var.location
-  account_kind                    = "StorageV2"
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
-  tags                            = var.tre_core_tags
+  name                             = lower(replace("stazmonitor${var.tre_id}", "-", ""))
+  resource_group_name              = var.resource_group_name
+  location                         = var.location
+  account_kind                     = "StorageV2"
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
+  tags                             = var.tre_core_tags
 
   network_rules {
     default_action = "Deny"

diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
@@ -1,11 +1,12 @@
 resource "azurerm_storage_account" "stg" {
-  name                            = lower(replace("stg-${var.tre_id}", "-", ""))
-  resource_group_name             = azurerm_resource_group.core.name
-  location                        = azurerm_resource_group.core.location
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
-  tags                            = local.tre_core_tags
+  name                             = lower(replace("stg-${var.tre_id}", "-", ""))
+  resource_group_name              = azurerm_resource_group.core.name
+  location                         = azurerm_resource_group.core.location
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
+  tags                             = local.tre_core_tags
   lifecycle { ignore_changes = [tags] }
 }
 

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.1"
+__version__ = "0.11.2"
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
@@ -19,14 +19,15 @@ resource "azurerm_resource_group" "mgmt" {
 
 # Holds Terraform shared state (already exists, created by bootstrap.sh)
 resource "azurerm_storage_account" "state_storage" {
-  name                            = var.mgmt_storage_account_name
-  resource_group_name             = azurerm_resource_group.mgmt.name
-  location                        = azurerm_resource_group.mgmt.location
-  account_tier                    = "Standard"
-  account_kind                    = "StorageV2"
-  account_replication_type        = "LRS"
-  allow_nested_items_to_be_public = false
-  shared_access_key_enabled       = false
+  name                             = var.mgmt_storage_account_name
+  resource_group_name              = azurerm_resource_group.mgmt.name
+  location                         = azurerm_resource_group.mgmt.location
+  account_tier                     = "Standard"
+  account_kind                     = "StorageV2"
+  account_replication_type         = "LRS"
+  cross_tenant_replication_enabled = false
+  allow_nested_items_to_be_public  = false
+  shared_access_key_enabled        = false
 
   lifecycle { ignore_changes = [tags] }
 }

diff --git a/devops/version.txt b/devops/version.txt
@@ -1 +1 @@
-__version__ = "0.5.2"
+__version__ = "0.5.3"
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.6.0
+version: 0.6.1
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl

diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf
@@ -1,14 +1,15 @@
 # See https://microsoft.github.io/AzureTRE/tre-developers/letsencrypt/
 resource "azurerm_storage_account" "staticweb" {
-  name                            = local.staticweb_storage_name
-  resource_group_name             = data.azurerm_resource_group.rg.name
-  location                        = data.azurerm_resource_group.rg.location
-  account_kind                    = "StorageV2"
-  account_tier                    = "Standard"
-  account_replication_type        = "LRS"
-  enable_https_traffic_only       = true
-  allow_nested_items_to_be_public = false
-  tags                            = local.tre_shared_service_tags
+  name                             = local.staticweb_storage_name
+  resource_group_name              = data.azurerm_resource_group.rg.name
+  location                         = data.azurerm_resource_group.rg.location
+  account_kind                     = "StorageV2"
+  account_tier                     = "Standard"
+  account_replication_type         = "LRS"
+  enable_https_traffic_only        = true
+  allow_nested_items_to_be_public  = false
+  cross_tenant_replication_enabled = false
+  tags                             = local.tre_shared_service_tags
 
   static_website {
     index_document     = "index.html"

diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 0.6.6
+version: 0.6.7
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl

diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf
@@ -1,10 +1,11 @@
 resource "azurerm_storage_account" "cyclecloud" {
-  name                     = local.storage_name
-  location                 = data.azurerm_resource_group.rg.location
-  resource_group_name      = data.azurerm_resource_group.rg.name
-  account_tier             = "Standard"
-  account_replication_type = "GRS"
-  tags                     = local.tre_shared_service_tags
+  name                             = local.storage_name
+  location                         = data.azurerm_resource_group.rg.location
+  resource_group_name              = data.azurerm_resource_group.rg.name
+  account_tier                     = "Standard"
+  account_replication_type         = "GRS"
+  cross_tenant_replication_enabled = false
+  tags                             = local.tre_shared_service_tags
 
   lifecycle { ignore_changes = [tags] }
 }

diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf
@@ -1,10 +1,11 @@
 resource "azurerm_storage_account" "aml" {
-  name                     = local.storage_name
-  location                 = data.azurerm_resource_group.ws.location
-  resource_group_name      = data.azurerm_resource_group.ws.name
-  account_tier             = "Standard"
-  account_replication_type = "GRS"
-  tags                     = local.tre_workspace_service_tags
+  name                             = local.storage_name
+  location                         = data.azurerm_resource_group.ws.location
+  resource_group_name              = data.azurerm_resource_group.ws.name
+  account_tier                     = "Standard"
+  account_replication_type         = "GRS"
+  cross_tenant_replication_enabled = false
+  tags                             = local.tre_workspace_service_tags
   network_rules {
     default_action = "Deny"
   }

diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.1.0
+version: 1.1.1
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf
@@ -1,10 +1,11 @@
 resource "azurerm_storage_account" "gitea" {
-  name                     = local.storage_name
-  resource_group_name      = data.azurerm_resource_group.ws.name
-  location                 = data.azurerm_resource_group.ws.location
-  account_tier             = "Standard"
-  account_replication_type = "GRS"
-  tags                     = local.workspace_service_tags
+  name                             = local.storage_name
+  resource_group_name              = data.azurerm_resource_group.ws.name
+  location                         = data.azurerm_resource_group.ws.location
+  account_tier                     = "Standard"
+  account_replication_type         = "GRS"
+  cross_tenant_replication_enabled = false
+  tags                             = local.workspace_service_tags
 
   lifecycle { ignore_changes = [tags] }
 }

diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.6.0
+version: 1.6.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre