0.5.0

0.5.0 (October 10, 2022)

BREAKING CHANGES & MIGRATIONS:

• Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. (#2654)
• Align Github Action secret names. Existing Github environments must be updated, see PR for details. (#2655)
• Add workspace creator as an owner of the workspace enterprise application (#2627). Migration if the AUTO_WORKSPACE_APP_REGISTRATION is set, the Directory.Read.All MS Graph API permission permission needs granting to the Application Registration identified by APPLICATION_ADMIN_CLIENT_ID.
• Add support for setting AppService plan SKU in GitHub Actions. Previous environment variable names of API_APP_SERVICE_PLAN_SKU_SIZE and APP_SERVICE_PLAN_SKU have been renamed to CORE_APP_SERVICE_PLAN_SKU and WORKSPACE_APP_SERVICE_PLAN_SKU (#2684)
• Reworked how status update messages are handled by the API, to enforce ordering and run the queue subscription in a dedicated thread. Since sessions are now enabled for the status update queue, a tre-deploy is required, which will re-create the queue. (#2700)
• Guacamole user-resource templates have been updated. VM SKU and image details are now specified in porter.yaml. See README.md in the guacamole user-resources folder for details.
• deploy_shared_services.sh now uses the tre CLI. Ensure that your CI/CD environment installs the CLI ((cd cli && make install-cli))

FEATURES:

• Add Import Review Workspace (#2498)
• Restrict resource templates to specific roles (#2600)
• Import review user resource template (#2601)
• Export review user resource template (#2602)
• Airlock Manager can use user resources (#2499)
• Users only see templates they are authorized to use (#2640)
• Guacamole user-resource templates now have support for custom VM images from image galleries (#2634)
• Add initial tre CLI (2537)

ENHANCEMENTS:

• Cancelling an Airlock request triggers deletion of the request container and files (#2584)
• Airlock requests with status "blocked_by_scan" have the reason for being blocked by the malware scanner in the status_message field (#2666)
• Move admin-vm from core to a shared service (#2624)
• Remove obsolete docker environment variables (#2675)
• Using Porter's Terrform mixin 1.0.0-rc.1 where mirror in done internally (#2677)
• Airlock function internal storage is accessed with private endpoints (#2679)

BUG FIXES:

• Resource processor error on deploying user-resource: TypeError: 'NoneType' object is not iterable (#2569)
• Update Porter and Terraform mixin versions (#2639)
• Airlock Manager should have permissions to get SAS token (#2502)
• Terraform unmarshal errors in migrate.sh (#2673)

COMPONENTS:

name	version
devops	0.4.2
core	0.4.36
porter-hello	0.1.0
tre-workspace-base-sl-test	0.3.19
tre-workspace-base	0.4.0
tre-workspace-unrestricted	0.2.0
tre-workspace-airlock-import-review	0.4.0
tre-service-mlflow	0.4.0
tre-service-innereye	0.4.0
tre-workspace-service-gitea	0.5.0
tre-workspace-service-mysql	0.2.0
tre-service-guacamole-linuxvm	0.5.1
tre-service-guacamole-export-reviewvm	0.0.4
tre-service-guacamole-windowsvm	0.5.1
tre-service-guacamole-import-reviewvm	0.1.1
tre-service-guacamole	0.5.0
tre-user-resource-aml-compute-instance	0.4.1
tre-service-azureml	0.5.1
tre-shared-service-cyclecloud	0.3.0
tre-shared-service-gitea	0.4.0
tre-shared-service-airlock-notifier	0.2.0
tre-shared-service-admin-vm	0.2.0
tre-shared-service-certs	0.2.0
tre-shared-service-sonatype-nexus	2.2.0
tre-shared-service-firewall	0.6.1

Full Changelog: v0.4.3...v0.5.0

0.4.3

BREAKING CHANGES & MIGRATIONS:

• Remove support for Nexus V1 (#2580). Please migrate to the newer version as described here.

FEATURES:

ENHANCEMENTS:

• Adding Log Analytics & Antimalware VM extensions (#2520)
• Block anonymous access to 2 storage accounts (#2524)
• Gitea shared service support app-service standard SKUs (#2523)
• Keyvault diagnostic settings in base workspace (#2521)
• Airlock requests contain a field with information about the files that were submitted (#2504)
• UI - Operations and notifications stability improvements ([#2530)
• UI - Initial implemetation of Workspace Airlock Request View (#2512)
• Add is_expsed_externally option to Azure ML Workspace Service (#2548)
• Azure ML workspace service assigns Azure ML Data Scientist role to Workspace Researchers (#2539)
• UI is deployed by default (#2554)
• Remove manual/makefile option to install Gitea/Nexus (#2573)
• Exact Terraform provider versions in bundles (#2579)
• Stabilize E2E tests by issuing the access token prior using it, hence, reducing the change of expired token (#2572)

BUG FIXES:

• API health check is also returned by accessing the root path at / (#2469)
• Temporary disable AppInsight's private endpoint in base workspace (#2543)
• Resource Processor execution optimization (porter show) for long-standing services (#2542)
• Move AML Compute deployment to use AzApi Terraform Provider {#2555
• Invalid token exceptions in the API app are catched, throwing 401 instead of 500 Internal server error (#2572)

COMPONENTS:

name	version
devops	0.4.0
core	0.4.23
tre-workspace-base	0.3.28
tre-workspace-unrestricted	0.1.9
tre-service-mlflow	0.3.7
tre-service-innereye	0.3.5
tre-workspace-service-gitea	0.3.8
tre-workspace-service-mysql	0.1.2
tre-service-guacamole-linuxvm	0.4.14
tre-service-guacamole-windowsvm	0.4.8
tre-service-guacamole	0.4.5
tre-user-resource-aml-compute-instance	0.3.2
tre-service-azureml	0.4.8
tre-shared-service-cyclecloud	0.2.6
tre-shared-service-gitea	0.3.14
tre-shared-service-airlock-notifier	0.1.2
tre-shared-service-certs	0.1.3
tre-shared-service-sonatype-nexus	2.1.6
tre-shared-service-firewall	0.4.3

Full Changelog: v0.4.2...v0.4.3

0.4.2

BREAKING CHANGES & MIGRATIONS:

• API identity is only assigned Virtual Machine Contributor on the workspace level (#2398). Review the PR for migration steps.

FEATURES:

• MySql workspace service (#2476)

ENHANCEMENTS:

• 'CreationTime' field was added to Airlock requests (#2432)
• Bundles mirror Terraform plugins when built (#2446)
• 'Get all Airlock requests' endpoint supports filtering (#2433)
• API uses user delagation key when generating SAS token for airlock requests (#2460)
• Longer docker caching in Resource Processor (#2486)
• Remove AppInsights Profiler support in base workspace bundle and deploy with native Terraform resources (#2478)

BUG FIXES:

• Azure monitor resourced provided by Terraform and don't allow ingestion over internet (#2375)
• Enable route table on the Airlock Processor subnet (#2414)
• Support for Standard app service plan SKUs (#2415)
• Fix Azure ML Workspace deletion (#2452)
• Get all pages in MS Graph queries (#2492)

COMPONENTS:

name	version
devops	0.4.0
core	0.4.18
tre-workspace-base	0.3.19
tre-workspace-base	0.3.25
tre-service-mlflow	0.3.5
tre-service-innereye	0.3.3
tre-workspace-service-gitea	0.3.6
tre-workspace-service-mysql	0.1.0
tre-service-guacamole-linuxvm	0.4.11
tre-service-guacamole-windowsvm	0.4.4
tre-service-guacamole	0.4.3
tre-user-resource-aml-compute-instance	0.3.1
tre-service-azureml	0.4.3
tre-shared-service-cyclecloud	0.2.4
tre-shared-service-gitea	0.3.11
tre-shared-service-airlock-notifier	0.1.0
tre-shared-service-certs	0.1.2
tre-shared-service-sonatype-nexus	2.1.4
tre-shared-service-firewall	0.4.2
tre-shared-service-nexus	0.3.6

Full Changelog: v0.4.1...v0.4.2

0.4.1

BREAKING CHANGES & MIGRATIONS:

• Guacamole workspace service configures firewall requirements with deployment pipeline (#2371). Migration is manual - update the templateVersion of tre-shared-service-firewall in Cosmos to 0.4.0 in order to use this capability.
• Workspace now has an AirlockManager role that has the permissions to review airlock requests (#2349).

ENHANCEMENTS:

• Guacamole logs are sent to Application Insights (#2376)
• make tre-start/stop run in parallel which saves ~5 minutes (#2394)

BUG FIXES:

• Airlock processor creates SAS tokens with user delegated key (#2382)
• Script updates to work with deployment repo structure (#2385)

0.4

What's Changed

• Fix Firewall Logging by @martinpeck in #1870
• Change how access properties in get_scope by @marrobi in #1882
• added missing param for invoke-action by @damoodamoo in #1906
• Add Bicep tools to devcontainer by @SvenAelterman in #1848
• E2E tests: Fix shared service and performance tests by @tanya-borisova in #1860
• Add .terraform in .dockerignore files by @sonali-rajput in #1872
• Add resource id var to shared services by @LizaShak in #1914
• Add TFLint config by @tamirkamara in #1919
• Update httpx package by @martinpeck in #1917
• Improve documentation for Resource Processor by @tanya-borisova in #1827
• Re-host Nexus on vm by @jjgriff93 in #1584
• Mandatory client-secret when creating a workspace by @ross-p-smith in #1924
• Disable app service's ftp by @tamirkamara in #1930
• Airlock resources - tf scripts by @eladiw in #1843
• Make etag required in API documentaiton, remove custom check by @SharonHart in #1932
• Reimage Resource Processor Automatically by @tamirkamara in #1929
• Tag tre core services by @guybartal in #1916
• Setting workspace_owner_object_id when creating workspaces by @ross-p-smith in #1928
• Optimize Guacamole docker image by @tamirkamara in #1933
• Upgrade azurerm provider version to 3.5.0 by @tanya-borisova in #1947
• E2E on main run in sequence by @tamirkamara in #1945
• Fix pr-bot e2eTestsCustomSelector param by @tamirkamara in #1959
• Airlock processor - function app based - Base by @eladiw in #1950
• Cost Report - Tag Gitea shared service by @LizaShak in #1941
• Fix Guacamole firewall rule name by @dusan-ilic-mhra in #1957
• azurerm_app_service_plan is deprecated and we should use azurerm_service_plan by @ross-p-smith in #1958
• Don't migrate Terraform state by @ross-p-smith in #1977
• [cost] Tag firewall and nexus shared services. by @LizaShak in #1979
• Create Application Administrator by @ross-p-smith in #1975
• Cleanup bundle dockerfiles by @tamirkamara in #1969
• Register VM Bundle for E2E tests by @ross-p-smith in #1987
• Publish before Register by @ross-p-smith in #1988
• Registering a user_resource needs the Workspace Service Name by @ross-p-smith in #1989
• add missing dockerfile.tmpl references by @tamirkamara in #1990
• Create user_resource in e2e tests by @ross-p-smith in #1952
• Missing TF_VARS passed into devcontainer by @ross-p-smith in #1993
• Missing TF_VAR_application_admin_client_id Inputs by @ross-p-smith in #1994
• Use different identity to create applications by @ross-p-smith in #1976
• [cost] Tag Guacamole Workspace Service in Terraform by @ciprianmaf in #1971
• PR Bot Condition Fix by @tamirkamara in #2002
• Checking Bundle's parameter.json file by @tamirkamara in #1995
• Fix a pytest error when running only smoke tests in CI by @tamirkamara in #2007
• [cost] add billing reader role to api identity by @guybartal in #2004
• Mandatory Identity with Application.ReadWrite.OwnedBy by @ross-p-smith in #2008
• UI MVP by @damoodamoo in #2001
• Change the build to have a new Identity by @ross-p-smith in #2015
• Block WS Airlock storage acccounts from public network by @eladiw in #2017
• Update tomcat url to download a fixed version by @tamirkamara in #2024
• Remove e2e workflow by @tamirkamara in #2027
• Airlock API (Draft + Submit) by @anatbal in #1949
• Fix missing MAKEFILE_DIR by @tamirkamara in #2020
• Enable purge protection by @tanya-borisova in #1973
• Event Grid uses managed identity instead of access key by @anatbal in #2032
• [cost] Create Cost Reporting API stubs by @guybartal in #2003
• [cost] Tag Gitea workspace service in Terraform by @ciprianmaf in #2005
• Add stateful_resources_locked to firewall bundle by @tamirkamara in #2029
• Build airlock_processor image in CI by @tamirkamara in #2022
• Configure docker hub proxy by @jjgriff93 in #2026
• Airlock processor handles request Submission by @eladiw in #1978
• Tests for User Resources by @ross-p-smith in #2035
• [cost] Cost Management ARM REST API call methods by @guybartal in #2030
• Disable API health check of downstream services by @tamirkamara in #2049
• Split user resource registration in CI workflow by @tamirkamara in #2051
• Airlock processor networking (vnet integration and airlock subnet) by @eladiw in #2040
• Airlock - API - approve/reject a request by @anatbal in #2044
• Update create_aad_assets.sh for switch changes in aad-app-reg.sh by @stuartleeks in #2039
• [cost] Tagging Base workspace by @pedro-pelegrin-nttdata in #1970
• Give AML dedicated storage by @marrobi in #2043
• Increase e2e timeouts by @tamirkamara in #2054
• Disable ftp in airlock app by @tamirkamara in #2059
• Pipeline Property Substitution by @damoodamoo in #2052
• Fixing Airlock API bugs when integrating to airlock processor by @anatbal in #2067
• Added auth docs for Application Admin by @ross-p-smith in #2068
• [cost] Tag innereye Workspace Service in Terraform by @pedro-pelegrin-nttdata in #1998
• Redact secrets before saving resources in Cosmos by @tanya-borisova in #2066
• make db-migrate now uses API by @ross-p-smith in #2075
• Database Migrate doesn't work in main by @ross-p-smith in #2088
• TRE costs API endpoint (/api/costs) by @guybartal in #2057
• Update parent workspace in pipeline (and set Guac redirect URI after install) by @damoodamoo in #2083
• Doc Site Updates to Move Docs and Fix Broken Links by @martinpeck in #2090
• make linting easier by @martinpeck in #2094
• Adding networking changes (Eventgrid to SB enablement) by @eladiw in #2055
• Run extended-aad tests only on main by @tamirkamara in #2102
• fix broken airlock upgrades by @eladiw in #2107
• Add curl retry by @tamirkamara in #2046
• Update workspace redirect uris when auto-aad is disabled by @tamirkamara in #2100
• Guacamole user resource templates tagging by @pedro-pelegrin-nttdata in #2061
• Workspace app service SKU as top level parameter by @tamirkamara in #2117
• Rename event grid topics to force recreate by @tamirkamara in #2120
• Fix Guacamole's authentication URI to support auto update in workspace app by @tamirkamara in #2118
• Stop running Terraform in base workspace upgrade (temp fix) by @tamirkamara in https://gi...

0.3

v0.3

update all versions to 0.3 (#1754)

0.2

This release marks a working version of the solution accelerator Azure Trusted Research Environment (TRE)

The high-level features for this release are:

• Composition Service to manage and deploy Workspaces, Workspace Service and User Resources.
• Source code read-only mirror. Researchers can get source code from external git-based repositories via internal mirror.
• App package read-only mirror. Researchers can get NPM, NuGet, PyPi etc. packages via internal mirror.
• Virtual Desktop Workspace Service (Guacamole) enabling Researchers to access data and Azure services within a Workspace without being able to exfiltrate data.
• InnerEye Azure Machine Learning Workspace template enabling provisioning of InnerEye Deeplearning research environments.
• Documentation on GitHub Pages based on MkDocs. With easy to follow setup instructions and extensibility through authoring new Workspaces, Workspace Services or User Resources.