Merge branch 'main' into dependabot/pip/api_app/pip-e346daff9e

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,6 +4,7 @@ about: Create a report to help us improve
 title: ''
 labels: bug
 assignees: ''
+type: 'bug'
 
 ---
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -4,6 +4,7 @@ about: Suggest an idea for this project
 title: ''
 labels: feature
 assignees: ''
+type: 'feature'
 
 ---
 

.github/ISSUE_TEMPLATE/user_story.md

@@ -4,6 +4,7 @@ about: User story with acceptance criteria
 title: ''
 labels: story
 assignees: ''
+type: 'task'
 
 ---
 

.github/actions/devcontainer_run_command/action.yml

@@ -129,6 +129,10 @@ inputs:
     description: "Firewall SKU"
     required: false
     default: ""
+  APP_GATEWAY_SKU:
+    description: "Application Gateway SKU"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -239,6 +243,7 @@ runs:
           -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
             && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
           -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
+          -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
           -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c "${{ inputs.COMMAND }}"

.github/linters/.tflint.hcl

@@ -30,8 +30,3 @@ rule "terraform_naming_convention" {
 rule "terraform_standard_module_structure" {
   enabled = true
 }
-
-rule "azurerm_resource_missing_tags" {
-  enabled = true
-  tags = ["tre_id"]
-}

.github/linters/.tflint_core.hcl

@@ -0,0 +1,19 @@
+# This is used for TRE tags validation only.
+
+config {
+  module = true
+  force = false
+}
+
+plugin "azurerm" {
+    enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = false
+}
+
+rule "azurerm_resource_missing_tags" {
+  enabled = true
+  tags = ["tre_id"]
+}

.github/workflows/build_validation_develop.yml

@@ -40,6 +40,9 @@ jobs:
             docs:
               - 'docs/**/*'
 
+            terraform_core:
+              - core/**/terraform/**/*.tf
+
             terraform_workspaces:
               - templates/workspaces/**/terraform/**/*.tf
 
@@ -95,6 +98,17 @@ jobs:
           pip install -r docs/requirements.txt
           mkdocs build --strict
 
+      - name: Core Tags
+        if: ${{ steps.filter.outputs.terraform_core == 'true' }}
+        uses: github/super-linter/[email protected]
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_TERRAFORM_TFLINT: true
+          TERRAFORM_TFLINT_CONFIG_FILE: .tflint_core.hcl
+          FILTER_REGEX_INCLUDE: './core/.*'
+
       - name: Workspace Tags
         if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }}
         uses: github/super-linter/[email protected]
@@ -104,7 +118,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl
-          LINTER_REGEX_INCLUDE: './templates/workspaces/.*'
+          FILTER_REGEX_INCLUDE: './templates/workspaces/.*'
 
       - name: Workspace Services Tags
         if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }}
@@ -115,7 +129,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl
-          LINTER_REGEX_INCLUDE: './templates/workspaces/.*'
+          FILTER_REGEX_INCLUDE: './templates/workspaces/.*'
           FILTER_REGEX_EXCLUDE: '.*user_resource.*'
 
       - name: User Resources Tags
@@ -127,7 +141,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl
-          LINTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*'
+          FILTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*'
 
       - name: Shared Services Tags
         if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }}
@@ -138,4 +152,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl
-          LINTER_REGEX_INCLUDE: './templates/shared_services/.*'
+          FILTER_REGEX_INCLUDE: './templates/shared_services/.*'

.github/workflows/deploy_tre_reusable.yml

@@ -358,6 +358,7 @@ jobs:
           RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
           RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
           FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}
+          APP_GATEWAY_SKU: ${{ vars.APP_GATEWAY_SKU }}
 
       - name: API Healthcheck
         uses: ./.github/actions/devcontainer_run_command

CHANGELOG.md

@@ -6,8 +6,13 @@
 FEATURES:
 
 ENHANCEMENTS:
+* Key Vaults should use RBAC instead of access policies for access control ([#4000](https://github.com/microsoft/AzureTRE/issues/4000))
+* Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
+* Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
+* Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
 
 BUG FIXES:
+- Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
 
 COMPONENTS:
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: bootstrap-init mgmt-deploy mgmt-destroy build-api-image push-api-image deploy-tre destroy-tre letsencrypt
+.PHONY: bootstrap-init mgmt-deploy mgmt-destroy build-api-image push-api-image tre-deploy tre-destroy letsencrypt
 .DEFAULT_GOAL := help
 
 SHELL:=/bin/bash

config.sample.yaml

@@ -43,6 +43,7 @@ tre:
   # Uncomment the following to disable deployment of the Web UI.
   # deploy_ui: false
   firewall_sku: Standard
+  app_gateway_sku: Standard_v2
 
   # Uncomment to deploy to a custom domain
   # custom_domain: __CHANGE_ME__

config_schema.json

@@ -89,6 +89,10 @@
           "description": "SKU of the Azure Firewall.",
           "type": "string"
         },
+        "app_gateway_sku": {
+          "description": "SKU of the Application Gateway.",
+          "type": "string"
+        },
         "custom_domain": {
           "description": "Custom domain name.",
           "type": "string"

core/terraform/airlock/service_bus.tf

@@ -3,35 +3,35 @@ resource "azurerm_servicebus_queue" "step_result" {
   name         = local.step_result_queue_name
   namespace_id = var.airlock_servicebus.id
 
-  enable_partitioning = false
+  partitioning_enabled = false
 }
 
 resource "azurerm_servicebus_queue" "status_changed" {
   name         = local.status_changed_queue_name
   namespace_id = var.airlock_servicebus.id
 
-  enable_partitioning = false
+  partitioning_enabled = false
 }
 
 resource "azurerm_servicebus_queue" "scan_result" {
   name         = local.scan_result_queue_name
   namespace_id = var.airlock_servicebus.id
 
-  enable_partitioning = false
+  partitioning_enabled = false
 }
 
 resource "azurerm_servicebus_queue" "data_deletion" {
   name         = local.data_deletion_queue_name
   namespace_id = var.airlock_servicebus.id
 
-  enable_partitioning = false
+  partitioning_enabled = false
 }
 
 resource "azurerm_servicebus_topic" "blob_created" {
   name         = local.blob_created_topic_name
   namespace_id = var.airlock_servicebus.id
 
-  enable_partitioning = false
+  partitioning_enabled = false
 }
 
 resource "azurerm_servicebus_subscription" "airlock_processor" {

core/terraform/api-webapp.tf

@@ -47,9 +47,9 @@ resource "azurerm_linux_web_app" "api" {
     "RESOURCE_LOCATION"                              = azurerm_resource_group.core.location
     "ENABLE_SWAGGER"                                 = var.enable_swagger
     "SWAGGER_UI_CLIENT_ID"                           = var.swagger_ui_client_id
-    "AAD_TENANT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.auth_tenant_id.id})"
-    "API_CLIENT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.api_client_id.id})"
-    "API_CLIENT_SECRET"                              = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.api_client_secret.id})"
+    "AAD_TENANT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/${azurerm_key_vault_secret.auth_tenant_id.name}/${azurerm_key_vault_secret.auth_tenant_id.version})"
+    "API_CLIENT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/${azurerm_key_vault_secret.api_client_id.name}/${azurerm_key_vault_secret.api_client_id.version})"
+    "API_CLIENT_SECRET"                              = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/${azurerm_key_vault_secret.api_client_secret.name}/${azurerm_key_vault_secret.api_client_secret.version})"
     "RESOURCE_GROUP_NAME"                            = azurerm_resource_group.core.name
     "SUBSCRIPTION_ID"                                = data.azurerm_subscription.current.subscription_id
     CORE_ADDRESS_SPACE                               = var.core_address_space
@@ -85,8 +85,8 @@ resource "azurerm_linux_web_app" "api" {
     ftps_state                                    = "Disabled"
 
     application_stack {
-      docker_image     = "${local.docker_registry_server}/${var.api_image_repository}"
-      docker_image_tag = local.version
+      docker_registry_url = "https://${local.docker_registry_server}"
+      docker_image_name   = "${var.api_image_repository}:${local.version}"
     }
 
     cors {

core/terraform/appgateway/appgateway.tf

@@ -26,11 +26,13 @@ resource "azurerm_application_gateway" "agw" {
   tags                = local.tre_core_tags
 
   sku {
-    name     = "Standard_v2"
-    tier     = "Standard_v2"
+    name     = coalesce(var.app_gateway_sku, "Standard_v2")
+    tier     = coalesce(var.app_gateway_sku, "Standard_v2")
     capacity = 1
   }
 
+  firewall_policy_id = var.app_gateway_sku == "WAF_v2" ? azurerm_web_application_firewall_policy.waf[0].id : null
+
   # User-assign managed identify id required to access certificate in KeyVault
   identity {
     type         = "UserAssigned"
@@ -120,6 +122,12 @@ resource "azurerm_application_gateway" "agw" {
     path                = "/api/ping"
     timeout             = "30"
     unhealthy_threshold = "3"
+
+    match {
+      status_code = [
+        "200-399"
+      ]
+    }
   }
 
   # Public HTTPS listener
@@ -198,6 +206,40 @@ resource "azurerm_application_gateway" "agw" {
 
 }
 
+resource "azurerm_web_application_firewall_policy" "waf" {
+
+  // only create WAF policy when App Gateway sku.tier == "WAF_v2"
+  count = var.app_gateway_sku == "WAF_v2" ? 1 : 0
+
+  name                = "wafpolicy-${var.tre_id}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  policy_settings {
+    enabled = true
+    mode    = "Detection"
+  }
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = 3.2
+    }
+  }
+
+  // once created ignore policy_settings and rulesets allow to be managed outside of here
+  lifecycle { ignore_changes = [policy_settings, managed_rules] }
+
+  // terraform doesn't handle the downgrade from WAF_v2 > Standard_v2 SKU, this is required to detatch the policy from the app gateway before deletion of the policy
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+          APP_GATEWAY_ID=$(az network application-gateway waf-policy show --name ${self.name} --resource-group ${self.resource_group_name} --query applicationGateways[0].id --output tsv)
+          az network application-gateway update --ids $APP_GATEWAY_ID --set firewallPolicy=null --set sku.name=Standard_v2 --set sku.tier=Standard_v2
+        EOT
+  }
+}
+
 resource "azurerm_monitor_diagnostic_setting" "agw" {
   name                       = "diagnostics-agw-${var.tre_id}"
   target_resource_id         = azurerm_application_gateway.agw.id

core/terraform/appgateway/certificate.tf

@@ -1,15 +1,7 @@
-resource "azurerm_key_vault_access_policy" "app_gw_managed_identity" {
-  key_vault_id = var.keyvault_id
-  tenant_id    = azurerm_user_assigned_identity.agw_id.tenant_id
-  object_id    = azurerm_user_assigned_identity.agw_id.principal_id
-
-  key_permissions = [
-    "Get",
-  ]
-
-  secret_permissions = [
-    "Get",
-  ]
+resource "azurerm_role_assignment" "keyvault_appgw_role" {
+  scope                = var.keyvault_id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_user_assigned_identity.agw_id.principal_id // id-agw-<TRE_ID>
 }
 
 resource "azurerm_key_vault_certificate" "tlscert" {

core/terraform/appgateway/variables.tf

@@ -26,3 +26,6 @@ variable "static_web_dns_zone_id" {
 variable "log_analytics_workspace_id" {
   type = string
 }
+variable "app_gateway_sku" {
+  type = string
+}

core/terraform/cosmos_mongo.tf

@@ -1,12 +1,12 @@
 resource "azurerm_cosmosdb_account" "mongo" {
-  name                      = "cosmos-mongo-${var.tre_id}"
-  location                  = azurerm_resource_group.core.location
-  resource_group_name       = azurerm_resource_group.core.name
-  offer_type                = "Standard"
-  kind                      = "MongoDB"
-  enable_automatic_failover = false
-  mongo_server_version      = 4.2
-  ip_range_filter           = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+  name                       = "cosmos-mongo-${var.tre_id}"
+  location                   = azurerm_resource_group.core.location
+  resource_group_name        = azurerm_resource_group.core.name
+  offer_type                 = "Standard"
+  kind                       = "MongoDB"
+  automatic_failover_enabled = false
+  mongo_server_version       = 4.2
+  ip_range_filter            = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
 
   capabilities {
     name = "EnableServerless"
@@ -93,11 +93,11 @@ resource "azurerm_private_endpoint" "mongo" {
 
 resource "azurerm_key_vault_secret" "cosmos_mongo_connstr" {
   name         = "porter-db-connection-string"
-  value        = azurerm_cosmosdb_account.mongo.connection_strings[0]
+  value        = azurerm_cosmosdb_account.mongo.primary_mongodb_connection_string
   key_vault_id = azurerm_key_vault.kv.id
   tags         = local.tre_core_tags
   depends_on = [
-    azurerm_key_vault_access_policy.deployer
+    azurerm_role_assignment.keyvault_deployer_role
   ]
 
   lifecycle { ignore_changes = [tags] }

core/terraform/json-to-env.sh

@@ -29,6 +29,10 @@ jq -r '
             "path": "keyvault_uri",
             "env_var": "KEYVAULT_URI"
         },
+        {
+            "path": "keyvault_resource_id",
+            "env_var": "KEYVAULT_RESOURCE_ID"
+        },
         {
             "path": "azure_tre_fqdn",
             "env_var": "FQDN"