Airlock Azure Function Host Storage Access with Managed Identity

CHANGELOG.md

@@ -37,6 +37,7 @@ ENHANCEMENTS:
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
+* Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -54,7 +55,6 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
-* Fix dev container build failure on missing mount directories, add copilot extensions, and CI fixes  ([#4290](https://github.com/microsoft/AzureTRE/pull/4290))
 
 COMPONENTS:
 

core/terraform/airlock/airlock_processor.tf

@@ -21,9 +21,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
   local_user_enabled               = false
-  # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
-  shared_access_key_enabled = true
-  tags                      = var.tre_core_tags
+  shared_access_key_enabled        = false
+  tags                             = var.tre_core_tags
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
@@ -57,9 +56,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   ftp_publish_basic_authentication_enabled       = false
   webdeploy_publish_basic_authentication_enabled = false
   storage_account_name                           = azurerm_storage_account.sa_airlock_processor_func_app.name
-
-  # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
-  storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
+  storage_uses_managed_identity                  = true
 
   tags = var.tre_core_tags
 
@@ -86,6 +83,8 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     "TRE_ID"                                     = var.tre_id
     "WEBSITE_CONTENTOVERVNET"                    = 1
     "STORAGE_ENDPOINT_SUFFIX"                    = module.terraform_azurerm_environment_configuration.storage_suffix
+    "AzureWebJobsStorage__clientId"              = azurerm_user_assigned_identity.airlock_id.client_id
+    "AzureWebJobsStorage__credential"            = "managedidentity"
   }
 
   site_config {

core/terraform/airlock/identity.tf

@@ -52,3 +52,11 @@ resource "azurerm_role_assignment" "api_sa_data_contributor" {
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = var.api_principal_id
 }
+
+# Permissions needed for the Function Host to work correctly.
+resource "azurerm_role_assignment" "function_host_storage" {
+  for_each             = toset(["Storage Account Contributor", "Storage Blob Data Owner", "Storage Queue Data Contributor"])
+  scope                = azurerm_storage_account.sa_airlock_processor_func_app.id
+  role_definition_name = each.value
+  principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
+}

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.19"
+__version__ = "0.11.20"