From 41e97cbff096245ca30a3d770909ec48786df6d1 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 16:53:20 +0000 Subject: [PATCH 1/6] Add bastion sku configuration Fixes #86 Add a variable to configure Azure Bastion SKU and default to Developer (free). * Add `bastion_sku` variable to `config.sample.yaml` with default value `Developer`. * Add conditional logic in `core/terraform/bastion.tf` to deploy Azure Bastion based on `bastion_sku` variable. * Update `azurerm_bastion_host` resource in `core/terraform/bastion.tf` to use `bastion_sku` variable. * Add `bastion_sku` variable to `core/terraform/variables.tf` with default value `Developer`. * Add `bastion_sku` variable to `config_schema.json`. * Document the new `bastion_sku` variable in `docs/tre-admins/environment-variables.md`. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/microsoft/AzureTRE/issues/86?shareId=XXXX-XXXX-XXXX-XXXX). --- config.sample.yaml | 3 +++ config_schema.json | 4 ++++ core/terraform/bastion.tf | 5 ++++- core/terraform/variables.tf | 6 ++++++ docs/tre-admins/environment-variables.md | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/config.sample.yaml b/config.sample.yaml index 009f017920..2008e32878 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -49,6 +49,9 @@ tre: # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2 + # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku + # Set to Standard if wish to connect to VMs in workspaces. + bastion_sku: Developer # Uncomment to deploy to a custom domain # custom_domain: __CHANGE_ME__ diff --git a/config_schema.json b/config_schema.json index 8885822acb..030c460c41 100644 --- a/config_schema.json +++ b/config_schema.json @@ -93,6 +93,10 @@ "description": "SKU of the Application Gateway.", "type": "string" }, + "bastion_sku": { + "description": "SKU of the Azure Bastion.", + "type": "string" + }, "custom_domain": { "description": "Custom domain name.", "type": "string" diff --git a/core/terraform/bastion.tf b/core/terraform/bastion.tf index 1eec8f3d6d..f08ec426f4 100644 --- a/core/terraform/bastion.tf +++ b/core/terraform/bastion.tf @@ -20,8 +20,11 @@ resource "azurerm_bastion_host" "bastion" { public_ip_address_id = azurerm_public_ip.bastion.id } + sku { + name = var.bastion_sku + } + tags = local.tre_core_tags lifecycle { ignore_changes = [tags] } } - diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index 1f1004d8bb..b028028061 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf @@ -241,3 +241,9 @@ variable "encryption_kv_name" { description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)" default = null } + +variable "bastion_sku" { + type = string + description = "Azure Bastion SKU" + default = "Developer" +} diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 04395b9ec9..0c970ec084 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -43,6 +43,7 @@ | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | +| `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Developer`. Allowed values [`Developer`, `Standard`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). | | `ENABLE_CMK_ENCRYPTION` | If set to `true`, customer-managed key encryption will be enabled for all supported resources. | ## For authentication in `/config.yaml` From 3f984924e9c662db458b738e6af6c81712af6871 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 16:55:13 +0000 Subject: [PATCH 2/6] Add `bastion_sku` variable to configuration and documentation * Update `config.sample.yaml` to include `bastion_sku` variable with default value `Developer` * Update `docs/tre-admins/environment-variables.md` to document the new `bastion_sku` variable and its allowed values --- config.sample.yaml | 2 +- docs/tre-admins/environment-variables.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config.sample.yaml b/config.sample.yaml index 2008e32878..7cf0da9f3f 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -50,7 +50,7 @@ tre: firewall_sku: Standard app_gateway_sku: Standard_v2 # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku - # Set to Standard if wish to connect to VMs in workspaces. + # Set to Basic if wish to connect to VMs in workspaces. bastion_sku: Developer # Uncomment to deploy to a custom domain diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 0c970ec084..1a9f46b265 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -43,7 +43,7 @@ | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | -| `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Developer`. Allowed values [`Developer`, `Standard`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | +| `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Developer`. Allowed values [`Developer`, `Standard`, `Basic`, `Premium`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). | | `ENABLE_CMK_ENCRYPTION` | If set to `true`, customer-managed key encryption will be enabled for all supported resources. | ## For authentication in `/config.yaml` From 8fb4d8fa278afd24cf598fe0564bd25a8d8d8753 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 17:28:03 +0000 Subject: [PATCH 3/6] Fix sku and version --- core/terraform/bastion.tf | 7 ++----- core/version.txt | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/core/terraform/bastion.tf b/core/terraform/bastion.tf index f08ec426f4..416df92aab 100644 --- a/core/terraform/bastion.tf +++ b/core/terraform/bastion.tf @@ -13,17 +13,14 @@ resource "azurerm_bastion_host" "bastion" { name = "bas-${var.tre_id}" resource_group_name = azurerm_resource_group.core.name location = azurerm_resource_group.core.location - + sku = var.bastion_sku + ip_configuration { name = "configuration" subnet_id = module.network.bastion_subnet_id public_ip_address_id = azurerm_public_ip.bastion.id } - sku { - name = var.bastion_sku - } - tags = local.tre_core_tags lifecycle { ignore_changes = [tags] } diff --git a/core/version.txt b/core/version.txt index 8e1395bd35..6dd4954d0d 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.12.3" +__version__ = "0.12.4" From 7c75346f278261393bc79760db377b7d0e4204a2 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 20:14:24 +0000 Subject: [PATCH 4/6] Fix linting --- core/terraform/bastion.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/terraform/bastion.tf b/core/terraform/bastion.tf index 416df92aab..fc7ad5dfb1 100644 --- a/core/terraform/bastion.tf +++ b/core/terraform/bastion.tf @@ -14,7 +14,7 @@ resource "azurerm_bastion_host" "bastion" { resource_group_name = azurerm_resource_group.core.name location = azurerm_resource_group.core.location sku = var.bastion_sku - + ip_configuration { name = "configuration" subnet_id = module.network.bastion_subnet_id From 3bf19e036547d2cb1774c0c2a27c4e049a21fe99 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 20:20:41 +0000 Subject: [PATCH 5/6] linting --- config.sample.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.sample.yaml b/config.sample.yaml index 7cf0da9f3f..733b726f4e 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -49,7 +49,7 @@ tre: # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2 - # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku + # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku # Set to Basic if wish to connect to VMs in workspaces. bastion_sku: Developer From fe098ad99e043ad357cc64a08d45737722727902 Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Wed, 19 Feb 2025 20:25:05 +0000 Subject: [PATCH 6/6] Add network id --- core/terraform/bastion.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/core/terraform/bastion.tf b/core/terraform/bastion.tf index fc7ad5dfb1..5a08c236db 100644 --- a/core/terraform/bastion.tf +++ b/core/terraform/bastion.tf @@ -14,6 +14,7 @@ resource "azurerm_bastion_host" "bastion" { resource_group_name = azurerm_resource_group.core.name location = azurerm_resource_group.core.location sku = var.bastion_sku + virtual_network_id = module.network.core_vnet_id ip_configuration { name = "configuration"