Merge branch 'main' into jr/upstream-main/107-adminvm-os-image

Author: jonnyry

.github/actions/devcontainer_run_command/action.yml

@@ -178,9 +178,19 @@ runs:
     - name: Run command in DevContainer
       shell: bash
       run: |
+        # Write command to a command.sh script file
+        cat <<EOF >> ./command.sh
+        #!/bin/bash
+        set -x
+        ${{ inputs.COMMAND }}
+        EOF
+
+        chmod +x ./command.sh
+
         docker run --rm --mount \
           "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
           -v /var/run/docker.sock:/var/run/docker.sock \
+          -v "./command.sh:/workspaces/tre/command.sh" \
           --workdir /workspaces/tre \
           --user vscode \
           -e TF_INPUT="0" \
@@ -246,4 +256,7 @@ runs:
           -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
           -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
-        bash -c "${{ inputs.COMMAND }}"
+        bash -c -x "./command.sh"
+
+        # Clean up temporary script file
+        rm ./command.sh

.github/workflows/deploy_tre_reusable.yml

@@ -424,9 +424,14 @@ jobs:
         uses: ./.github/actions/devcontainer_run_command
         with:
           # Although porter publish will build automatically, our makefile build target includes logic that should run
-          COMMAND: >-
-            for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-            && ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
+          COMMAND: |
+            # Loop to retry the make command up to 3 times
+            for i in {1..3}; do
+              make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
+            done;
+
+            # Exit with the last status code
+            (exit \$ec)
           DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
           AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
@@ -470,9 +475,14 @@ jobs:
         uses: ./.github/actions/devcontainer_run_command
         with:
           # Although porter publish will build automatically, our makefile build target includes logic that should run
-          COMMAND: >-
-            for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-            && ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
+          COMMAND: |
+            # Loop to retry the make command up to 3 times
+            for i in {1..3}; do
+            make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
+            done
+
+            # Exit with the last status code
+            (exit \$ec)
           DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
           AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
@@ -514,9 +524,14 @@ jobs:
       - name: Register bundle
         uses: ./.github/actions/devcontainer_run_command
         with:
-          COMMAND: >-
-            for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-            && ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+          COMMAND: |
+            # Loop to retry the make command up to 3 times
+            for i in {1..3}; do
+              make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+            done
+
+            # Exit with the last status code
+            (exit \$ec)
           DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
           CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -574,9 +589,14 @@ jobs:
       - name: Register bundle
         uses: ./.github/actions/devcontainer_run_command
         with:
-          COMMAND: >-
-            for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-            && ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+          COMMAND: |
+            # Loop to retry the make command up to 3 times
+            for i in {1..3}; do
+              make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+            done;
+
+            # Exit with the last status code
+            (exit \$ec)
           DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
           CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -623,9 +643,14 @@ jobs:
       - name: Register bundle
         uses: ./.github/actions/devcontainer_run_command
         with:
-          COMMAND: >-
-            for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-            && ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+          COMMAND: |
+            # Loop to retry the make command up to 3 times
+            for i in {1..3}; do
+              make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+            done;
+
+            # Exit with the last status code
+            (exit \$ec)
           DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
           CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}

CHANGELOG.md

@@ -4,18 +4,18 @@
 **BREAKING CHANGES & MIGRATIONS**:
 
 ENHANCEMENTS:
-* Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
 * Allow workspace App Service Plan SKU to be updated ([#4331](https://github.com/microsoft/AzureTRE/issues/4331))
 * Add core requests endpoint and UI to enable requests to be managed TRE wide. ([[#2510](https://github.com/microsoft/AzureTRE/issues/2510)])
 * Remove public IP from TRE's firewall when forced tunneling is configured ([#4346](https://github.com/microsoft/AzureTRE/pull/4346))
 * Upgrade AzureRM Terraform provider from `3.117.0` to `4.14.0`. ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
 * Subnet definitions are now inline in the `azurerm_virtual_network` resource, and NSG associations are set using `security_group` in each subnet block (no separate `azurerm_subnet_network_security_group_association` needed). ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
+* Azure Cosmos DB should disable public network access ([#4322](https://github.com/microsoft/AzureTRE/issues/4322))
+* Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
 
-
-
 COMPONENTS:
 
 ## 0.20.0 (Feburary 9, 2025)

core/terraform/cosmos_mongo.tf

@@ -1,12 +1,13 @@
 resource "azurerm_cosmosdb_account" "mongo" {
-  name                       = "cosmos-mongo-${var.tre_id}"
-  location                   = azurerm_resource_group.core.location
-  resource_group_name        = azurerm_resource_group.core.name
-  offer_type                 = "Standard"
-  kind                       = "MongoDB"
-  automatic_failover_enabled = false
-  mongo_server_version       = 4.2
-  ip_range_filter            = local.cosmos_ip_filter_set
+  name                          = "cosmos-mongo-${var.tre_id}"
+  location                      = azurerm_resource_group.core.location
+  resource_group_name           = azurerm_resource_group.core.name
+  offer_type                    = "Standard"
+  kind                          = "MongoDB"
+  automatic_failover_enabled    = false
+  mongo_server_version          = 4.2
+  ip_range_filter               = local.cosmos_ip_filter_set
+  public_network_access_enabled = var.enable_local_debugging
 
   capabilities {
     name = "EnableServerless"

core/terraform/deploy.sh

@@ -5,6 +5,9 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# shellcheck disable=SC1091
+source "../../devops/scripts/kv_add_network_exception.sh"
+
 # This is where we can migrate any Terraform before we plan and apply
 # For instance deprecated Terraform resources
 # shellcheck disable=SC1091

core/terraform/destroy.sh

@@ -5,6 +5,9 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# shellcheck disable=SC1091
+source "../../devops/scripts/kv_add_network_exception.sh"
+
 # These variables are loaded in for us
 # shellcheck disable=SC2154
 ../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \

core/terraform/keyvault.tf

@@ -1,5 +1,5 @@
 resource "azurerm_key_vault" "kv" {
-  name                      = "kv-${var.tre_id}"
+  name                      = local.kv_name
   tenant_id                 = data.azurerm_client_config.current.tenant_id
   location                  = azurerm_resource_group.core.location
   resource_group_name       = azurerm_resource_group.core.name
@@ -8,7 +8,27 @@ resource "azurerm_key_vault" "kv" {
   purge_protection_enabled  = var.kv_purge_protection_enabled
   tags                      = local.tre_core_tags
 
-  lifecycle { ignore_changes = [access_policy, tags] }
+  public_network_access_enabled = local.kv_public_network_access_enabled
+
+  network_acls {
+    default_action = local.kv_network_default_action
+    bypass         = local.kv_network_bypass
+    ip_rules       = [local.myip] # exception for deployment IP, this is removed in kv_remove_network_exception.sh
+  }
+
+  lifecycle {
+    ignore_changes = [access_policy, tags]
+  }
+
+  # create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970
+  #
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+az keyvault update --name ${local.kv_name} --public-network-access ${local.kv_public_network_access_enabled ? "Enabled" : "Disabled"} --default-action ${local.kv_network_default_action} --bypass "${local.kv_network_bypass}" --output none
+az keyvault network-rule add --name ${local.kv_name} --ip-address ${local.myip} --output none
+EOT
+  }
 }
 
 resource "azurerm_role_assignment" "keyvault_deployer_role" {

core/terraform/locals.tf

@@ -16,17 +16,16 @@ locals {
   # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
 
   azure_portal_cosmos_ips_list = [
-    "104.42.195.92",
-    "40.76.54.131",
-    "52.176.6.30",
-    "52.169.50.45",
-    "52.187.184.26"
+    "13.91.105.215",
+    "4.210.172.107",
+    "13.88.56.148",
+    "40.91.218.243"
   ]
 
   cosmos_ip_filter_set = toset(
     var.enable_local_debugging
     ? concat(local.azure_portal_cosmos_ips_list, [local.myip])
-    : local.azure_portal_cosmos_ips_list
+    : []
   )
 
   # we define some zones in core despite not used by the core infra because
@@ -59,4 +58,10 @@ locals {
 
   cmk_name                 = "tre-encryption-${var.tre_id}"
   encryption_identity_name = "id-encryption-${var.tre_id}"
+
+  # key vault variables
+  kv_name                          = "kv-${var.tre_id}"
+  kv_public_network_access_enabled = true
+  kv_network_default_action        = var.enable_local_debugging ? "Allow" : "Deny"
+  kv_network_bypass                = "AzureServices"
 }

core/terraform/scripts/letsencrypt.sh

@@ -8,6 +8,11 @@ if [[ -z ${STORAGE_ACCOUNT} ]]; then
   exit 1
 fi
 
+if [[ -n ${KEYVAULT} ]]; then
+  # shellcheck disable=SC1091
+  source "$script_dir/../../../devops/scripts/kv_add_network_exception.sh"
+fi
+
 # The storage account is protected by network rules
 #
 # The rules need to be temporarily lifted so that the script can determine if the index.html file

core/terraform/statestore.tf

@@ -5,9 +5,11 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
   offer_type                    = "Standard"
   kind                          = "GlobalDocumentDB"
   automatic_failover_enabled    = false
+  public_network_access_enabled = var.enable_local_debugging
   ip_range_filter               = local.cosmos_ip_filter_set
   local_authentication_disabled = true
   tags                          = local.tre_core_tags
+
   dynamic "capabilities" {
     # We can't change an existing cosmos
     for_each = var.is_cosmos_defined_throughput ? [] : [1]

core/version.txt

@@ -1 +1 @@
-__version__ = "0.12.0"
+__version__ = "0.12.2"

devops/scripts/destroy_env_no_terraform.sh

@@ -66,6 +66,11 @@ then
   no_wait_option="--no-wait"
 fi
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# shellcheck disable=SC1091
+source "$script_dir/kv_add_network_exception.sh"
+
 group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?)
 if [[ "$group_show_result" !=  "0" ]]; then
   echo "Resource group ${core_tre_rg} not found - skipping destroy"