Merge branch 'main' into remove_unused_vars_from_workflows

.devcontainer/Dockerfile

@@ -8,15 +8,13 @@ FROM --platform="${TARGETPLATFORM}" mcr.microsoft.com/vscode/devcontainers/pytho
 # This will be set to true when running in VSCode
 ARG INTERACTIVE="false"
 
-ARG USERNAME=vscode
 ARG USER_UID=1000
-ARG USER_GID=$USER_UID
+ARG USERNAME=vscode
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# Set up non-root user
-COPY .devcontainer/scripts/non-root-user.sh /tmp/
-RUN bash /tmp/non-root-user.sh "${USERNAME}" "${USER_UID}" "${USER_GID}"
+# make user ID match user ID on host machine
+RUN usermod --uid $USER_UID $USERNAME
 
 # Set env for tracking that we're running in a devcontainer
 ENV DEVCONTAINER=true
@@ -100,8 +98,9 @@ ARG OSS_VERSION
 ENV AZURETRE_HOME=/home/$USERNAME/AzureTRE
 COPY .devcontainer/scripts/install-azure-tre-oss.sh .devcontainer/devcontainer.json /tmp/
 # hadolint ignore=DL3004
-RUN oss_version_in_json=$(grep -oP '(?<="OSS_VERSION": ")[^"]*' /tmp/devcontainer.json) \
- && /tmp/install-azure-tre-oss.sh "${OSS_VERSION:-$oss_version_in_json}" "${AZURETRE_HOME}" \
+RUN oss_repo_in_json=$(grep -oP '(?<="OSS_REPO": ")[^"]*' /tmp/devcontainer.json) \
+ && oss_version_in_json=$(grep -oP '(?<="OSS_VERSION": ")[^"]*' /tmp/devcontainer.json) \
+ && /tmp/install-azure-tre-oss.sh "${OSS_REPO:-$oss_repo_in_json}" "${OSS_VERSION:-$oss_version_in_json}" "${AZURETRE_HOME}" \
  && sudo chown -R $USERNAME ${AZURETRE_HOME}
 
 # Install tre-cli

.devcontainer/devcontainer.json

@@ -11,7 +11,8 @@
  // export DOCKER_GROUP_ID=$(getent group docker | awk -F ":" '{ print $3 }')
  "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
  "INTERACTIVE": "true",
- "OSS_VERSION": "v0.11.0"
+ "OSS_REPO": "microsoft/AzureTRE",
+ "OSS_VERSION": "v0.15.2"
  }
  },
  "runArgs": [

.devcontainer/scripts/install-azure-tre-oss.sh

@@ -5,14 +5,17 @@ set -o nounset
 # Uncomment this line to see each command for debugging (careful: this will show secrets!)
 # set -o xtrace
 
-oss_version="$1"
-oss_home="$2"
+
+oss_repo="$1"
+oss_version="$2"
+oss_home="$3"
 archive=/tmp/AzureTRE.tar.gz
 
-wget -O "$archive" "http://github.com/microsoft/AzureTRE/archive/${oss_version}.tar.gz" --progress=dot:giga
+wget -O "$archive" "http://github.com/${oss_repo}/archive/${oss_version}.tar.gz" --progress=dot:giga
 
 mkdir -p "$oss_home"
 tar -xzf "$archive" -C "$oss_home" --strip-components=1
 rm "$archive"
 
+echo "${oss_repo}" > "$oss_home/repository.txt"
 echo "${oss_version}" > "$oss_home/version.txt"

.github/linters/.tflint.hcl

@@ -12,7 +12,7 @@ rule "terraform_unused_declarations" {
 }
 
 rule "terraform_typed_variables" {
- enabled = false
+ enabled = true
 }
 
 rule "terraform_required_providers" {

.github/linters/.tflint_shared_services.hcl

@@ -9,10 +9,6 @@ plugin "azurerm" {
  enabled = true
 }
 
-rule "terraform_typed_variables" {
- enabled = false
-}
-
 rule "azurerm_resource_missing_tags" {
  enabled = true
  tags = ["tre_id", "tre_shared_service_id"]

.github/linters/.tflint_user_resources.hcl

@@ -9,10 +9,6 @@ plugin "azurerm" {
  enabled = true
 }
 
-rule "terraform_typed_variables" {
- enabled = false
-}
-
 rule "azurerm_resource_missing_tags" {
  enabled = true
  tags = ["tre_id", "tre_workspace_id", "tre_workspace_service_id", "tre_user_resource_id"]

.github/linters/.tflint_workspace_services.hcl

@@ -9,10 +9,6 @@ plugin "azurerm" {
  enabled = true
 }
 
-rule "terraform_typed_variables" {
- enabled = false
-}
-
 rule "azurerm_resource_missing_tags" {
  enabled = true
  tags = ["tre_id", "tre_workspace_id", "tre_workspace_service_id"]

.github/linters/.tflint_workspaces.hcl

@@ -9,10 +9,6 @@ plugin "azurerm" {
  enabled = true
 }
 
-rule "terraform_typed_variables" {
- enabled = false
-}
-
 rule "azurerm_resource_missing_tags" {
  enabled = true
  tags = ["tre_id", "tre_workspace_id"]

.github/scripts/yarn.lock

@@ -2089,6 +2089,11 @@ punycode@^2.1.1:
  resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.1.1.tgz#b58b010ac40c22c5657616c8d2c2c02c7bf479ec"
  integrity sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==
 
+querystringify@^2.1.1:
+ version "2.2.0"
+ resolved "https://registry.yarnpkg.com/querystringify/-/querystringify-2.2.0.tgz#3345941b4153cb9d082d8eee4cda2016a9aef7f6"
+ integrity sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==
+
 react-is@^17.0.1:
  version "17.0.2"
  resolved "https://registry.yarnpkg.com/react-is/-/react-is-17.0.2.tgz#e691d4a8e9c789365655539ab372762b0efb54f0"
@@ -2099,6 +2104,11 @@ require-directory@^2.1.1:
  resolved "https://registry.yarnpkg.com/require-directory/-/require-directory-2.1.1.tgz#8c64ad5fd30dab1c976e2344ffe7f792a6a6df42"
  integrity sha1-jGStX9MNqxyXbiNE/+f3kqam30I=
 
+requires-port@^1.0.0:
+ version "1.0.0"
+ resolved "https://registry.yarnpkg.com/requires-port/-/requires-port-1.0.0.tgz#925d2601d39ac485e091cf0da5c6e694dc3dcaff"
+ integrity sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==
+
 resolve-cwd@^3.0.0:
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/resolve-cwd/-/resolve-cwd-3.0.0.tgz#0f0075f1bb2544766cf73ba6a6e2adfebcb13f2d"
@@ -2150,14 +2160,14 @@ saxes@^5.0.1:
  xmlchars "^2.2.0"
 
 semver@^6.0.0, semver@^6.3.0:
- version "6.3.0"
- resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d"
- integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==
+ version "6.3.1"
+ resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
+ integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
 
 semver@^7.3.2:
- version "7.3.5"
- resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.5.tgz#0b621c879348d8998e4b0e4be94b3f12e6018ef7"
- integrity sha512-PoeGJYh8HK4BTO/a9Tf6ZG3veo/A7ZVsYrSA6J8ny9nb3B1VrpkuN+z9OE5wfE5p6H4LchYZsegiQgbJD94ZFQ==
+ version "7.5.4"
+ resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
+ integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
  dependencies:
  lru-cache "^6.0.0"
 
@@ -2341,13 +2351,14 @@ to-regex-range@^5.0.1:
  is-number "^7.0.0"
 
 tough-cookie@^4.0.0:
- version "4.0.0"
- resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-4.0.0.tgz#d822234eeca882f991f0f908824ad2622ddbece4"
- integrity sha512-tHdtEpQCMrc1YLrMaqXXcj6AxhYi/xgit6mZu1+EDWUn+qhUf8wMQoFIy9NXuq23zAwtcB0t/MjACGR18pcRbg==
+ version "4.1.3"
+ resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-4.1.3.tgz#97b9adb0728b42280aa3d814b6b999b2ff0318bf"
+ integrity sha512-aX/y5pVRkfRnfmuX+OdbSdXvPe6ieKX/G2s7e98f4poJHnqH3281gDPm/metm6E/WRamfx7WC4HUqkWHfQHprw==
  dependencies:
  psl "^1.1.33"
  punycode "^2.1.1"
- universalify "^0.1.2"
+ universalify "^0.2.0"
+ url-parse "^1.5.3"
 
 tr46@^2.1.0:
  version "2.1.0"
@@ -2380,10 +2391,18 @@ typedarray-to-buffer@^3.1.5:
  dependencies:
  is-typedarray "^1.0.0"
 
-universalify@^0.1.2:
- version "0.1.2"
- resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.1.2.tgz#b646f69be3942dabcecc9d6639c80dc105efaa66"
- integrity sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==
+universalify@^0.2.0:
+ version "0.2.0"
+ resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.2.0.tgz#6451760566fa857534745ab1dde952d1b1761be0"
+ integrity sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==
+
+url-parse@^1.5.3:
+ version "1.5.10"
+ resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz#9d3c2f736c1d75dd3bd2be507dcc111f1e2ea9c1"
+ integrity sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==
+ dependencies:
+ querystringify "^2.1.1"
+ requires-port "^1.0.0"
 
 v8-to-istanbul@^8.1.0:
  version "8.1.1"
@@ -2454,9 +2473,9 @@ which@^2.0.1:
  isexe "^2.0.0"
 
 word-wrap@~1.2.3:
- version "1.2.3"
- resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.3.tgz#610636f6b1f703891bd34771ccb17fb93b47079c"
- integrity sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==
+ version "1.2.4"
+ resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.4.tgz#cb4b50ec9aca570abd1f52f33cd45b6c61739a9f"
+ integrity sha512-2V81OA4ugVo5pRo46hAoD2ivUJx8jXmWXfUkY4KFNw0hEptvN0QfH3K4nHiwzGeKl5rFKedV48QVoqYavy4YpA==
 
 wrap-ansi@^7.0.0:
  version "7.0.0"

.github/workflows/build_validation_develop.yml

@@ -56,7 +56,7 @@ jobs:
  VALIDATE_DOCKERFILE_HADOLINT: true
 
  - name: Workspace Tags
- uses: github/super-linter/slim@v4.10.0
+ uses: github/super-linter/slim@v5.0.0
  env:
  VALIDATE_ALL_CODEBASE: false
  DEFAULT_BRANCH: main
@@ -66,7 +66,7 @@ jobs:
  LINTER_REGEX_INCLUDE: './templates/workspaces/.*'
 
  - name: Workspace Services Tags
- uses: github/super-linter/slim@v4.10.0
+ uses: github/super-linter/slim@v5.0.0
  env:
  VALIDATE_ALL_CODEBASE: false
  DEFAULT_BRANCH: main
@@ -77,7 +77,7 @@ jobs:
  FILTER_REGEX_EXCLUDE: '.*user_resource.*'
 
  - name: User Resources Tags
- uses: github/super-linter/slim@v4.10.0
+ uses: github/super-linter/slim@v5.0.0
  env:
  VALIDATE_ALL_CODEBASE: false
  DEFAULT_BRANCH: main
@@ -87,7 +87,7 @@ jobs:
  LINTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*'
 
  - name: Shared Services Tags
- uses: github/super-linter/slim@v4.10.0
+ uses: github/super-linter/slim@v5.0.0
  env:
  VALIDATE_ALL_CODEBASE: false
  DEFAULT_BRANCH: main

.github/workflows/deploy_tre_reusable.yml

@@ -343,6 +343,8 @@ jobs:
  include:
  - {BUNDLE_TYPE: "workspace",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/base"}
+ - {BUNDLE_TYPE: "workspace",
+ BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/unrestricted"}
  - {BUNDLE_TYPE: "workspace",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/airlock-import-review"}
  - {BUNDLE_TYPE: "workspace_service",
@@ -361,6 +363,8 @@ jobs:
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/health-services"}
  - {BUNDLE_TYPE: "workspace_service",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/databricks"}
+ - {BUNDLE_TYPE: "workspace_service",
+ BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/ohdsi"}
  - {BUNDLE_TYPE: "user_resource",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm"}
  - {BUNDLE_TYPE: "user_resource",
@@ -500,6 +504,8 @@ jobs:
  # bundles type can be inferred from the bundle dir (but this is more explicit)
  - {BUNDLE_TYPE: "workspace",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/base"}
+ - {BUNDLE_TYPE: "workspace",
+ BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/unrestricted"}
  - {BUNDLE_TYPE: "workspace",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspaces/airlock-import-review"}
  - {BUNDLE_TYPE: "workspace_service",
@@ -518,6 +524,8 @@ jobs:
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/health-services"}
  - {BUNDLE_TYPE: "workspace_service",
  BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/databricks"}
+ - {BUNDLE_TYPE: "workspace_service",
+ BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/ohdsi"}
  # Add your bundles here
  environment: ${{ inputs.environmentName }}
  steps:

SECURITY.md

@@ -1,6 +1,6 @@
 <!-- BEGIN MICROSOFT SECURITY.MD V0.0.7 BLOCK -->
 
-## Security
+# Security
 
 Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
 
@@ -14,17 +14,17 @@ Instead, please report them to the Microsoft Security Response Center (MSRC) at
 
 If you prefer to submit without logging in, send email to [[email protected]](mailto:[email protected]). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
 
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
 
 Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
 
- * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- * Full paths of source file(s) related to the manifestation of the issue
- * The location of the affected source code (tag/branch/commit or direct URL)
- * Any special configuration required to reproduce the issue
- * Step-by-step instructions to reproduce the issue
- * Proof-of-concept or exploit code (if possible)
- * Impact of the issue, including how an attacker might exploit the issue
+* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.