microsoft · marrobi · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025
diff --git a/config.sample.yaml b/config.sample.yaml
@@ -49,6 +49,9 @@ tre:
   # firewall_force_tunnel_ip: __CHANGE_ME__
   firewall_sku: Standard
   app_gateway_sku: Standard_v2
+  # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku
+  # Set to Basic if wish to connect to VMs in workspaces.
+  bastion_sku: Developer
 
   # Uncomment to deploy to a custom domain
   # custom_domain: __CHANGE_ME__

diff --git a/config_schema.json b/config_schema.json
@@ -93,6 +93,10 @@
           "description": "SKU of the Application Gateway.",
           "type": "string"
         },
+        "bastion_sku": {
+          "description": "SKU of the Azure Bastion.",
+          "type": "string"
+        },
         "custom_domain": {
           "description": "Custom domain name.",
           "type": "string"

diff --git a/core/terraform/bastion.tf b/core/terraform/bastion.tf
@@ -13,6 +13,8 @@ resource "azurerm_bastion_host" "bastion" {
   name                = "bas-${var.tre_id}"
   resource_group_name = azurerm_resource_group.core.name
   location            = azurerm_resource_group.core.location
+  sku                 = var.bastion_sku
+  virtual_network_id  = module.network.core_vnet_id
 
   ip_configuration {
     name                 = "configuration"
@@ -24,4 +26,3 @@ resource "azurerm_bastion_host" "bastion" {
 
   lifecycle { ignore_changes = [tags] }
 }
-
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
@@ -241,3 +241,9 @@ variable "encryption_kv_name" {
   description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)"
   default     = null
 }
+
+variable "bastion_sku" {
+  type        = string
+  description = "Azure Bastion SKU"
+  default     = "Developer"
+}
diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.12.3"
+__version__ = "0.12.4"
diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md
@@ -43,6 +43,7 @@
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
 | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
+| `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Developer`. Allowed values [`Developer`, `Standard`, `Basic`, `Premium`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). |
 | `ENABLE_CMK_ENCRYPTION` | If set to `true`, customer-managed key encryption will be enabled for all supported resources. |
 ## For authentication in `/config.yaml`