From 1c85eaacf416caff253592948f91033d431c38ed Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Tue, 7 Nov 2023 11:51:20 +0000 Subject: [PATCH] Provide Airlock Import Review Workspace with its own DNS zone (#3769) * Airlock fails due to DNS timeout - returns "Request failed due to an unknown reason." Fixes #3767 * Update changelog description * Word smithing * Add HACK comment to more easily id items pending delete --------- Co-authored-by: Sven Aelterman <17446043+SvenAelterman@users.noreply.github.com> --- CHANGELOG.md | 4 +++ .../airlock-import-review/Dockerfile.tmpl | 4 ++- .../airlock-import-review/porter.yaml | 2 +- .../import_review_resources.terraform | 31 ++++++++++++++++--- .../terraform/network_output.terraform | 4 +++ templates/workspaces/base/porter.yaml | 2 +- .../base/terraform/network/outputs.tf | 4 +++ 7 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 templates/workspaces/airlock-import-review/terraform/network_output.terraform diff --git a/CHANGELOG.md b/CHANGELOG.md index 93676f6f91..80e2fdd7dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,16 @@ ## 0.16.0 (Unreleased) +**BREAKING CHANGES & MIGRATIONS**: +To resolve the Airlock import issue described in ([#3767](https://github.com/microsoft/AzureTRE/pull/3767)), the new airlock import review tempalte will need to be registered using `make workspace_bundle BUNDLE=airlock-import-review`. Any existing airlock import review workspaces will need to be upgraded. After upgrading, run `make deploy-core` to reinstate any deleted DNS records. + FEATURES: ENHANCEMENTS: BUG FIXES: * Enabling support for more than 20 users/groups in Workspace API ([#3759](https://github.com/microsoft/AzureTRE/pull/3759 )) +* Airlock Import Review workspace uses dedicated DNS zone to prevent conflict with core ([#3767](https://github.com/microsoft/AzureTRE/pull/3767)) COMPONENTS: 
diff --git a/templates/workspaces/airlock-import-review/Dockerfile.tmpl b/templates/workspaces/airlock-import-review/Dockerfile.tmpl index d62e919eb8..418b77a087 100644 --- a/templates/workspaces/airlock-import-review/Dockerfile.tmpl +++ b/templates/workspaces/airlock-import-review/Dockerfile.tmpl @@ -9,7 +9,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \ apt-get update && apt-get install -y git jq curl ca-certificates patch --no-install-recommends -ARG AZURE_TRE_VERSION="0.14.0" +ARG AZURE_TRE_VERSION="0.15.2" WORKDIR ${BUNDLE_DIR} @@ -20,6 +20,8 @@ RUN curl -o azuretre.tar.gz -L "https://github.com/microsoft/AzureTRE/archive/re # Copy and change the file extension of .terraform file to .tf COPY ./terraform/import_review_resources.terraform "${BUNDLE_DIR}"/terraform/import_review_resources.tf +# HACK: PR #3769: Remove once base workspace includes this change +COPY ./terraform/network_output.terraform "${BUNDLE_DIR}"/terraform/network/temp_output.tf # PORTER_MIXINS diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml index 63cd8a1915..6e93efaca4 100644 --- a/templates/workspaces/airlock-import-review/porter.yaml +++ b/templates/workspaces/airlock-import-review/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-airlock-import-review -version: 0.12.7 +version: 0.12.15 description: "A workspace to do Airlock Data Import Reviews for Azure TRE" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/airlock-import-review/terraform/import_review_resources.terraform b/templates/workspaces/airlock-import-review/terraform/import_review_resources.terraform index fb6d441ebb..8c3fac50e4 100644 --- a/templates/workspaces/airlock-import-review/terraform/import_review_resources.terraform 
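Review bot: The new `COPY ./terraform/network_output.terraform "${BUNDLE_DIR}"/terraform/network/temp_output.tf` line drops a second `output "vnet_id"` into the network module that is unpacked from the `AZURE_TRE_VERSION` release tarball, so as soon as that ARG is bumped to a base release that already ships this output (base 1.5.1 in this same change) Terraform will reject the module with a duplicate output definition rather than keep working; the version bump and the removal of this COPY have to land in the same change. The HACK comment should state that coupling explicitly, e.g. `# HACK: PR #3769: delete this COPY in the same change that bumps AZURE_TRE_VERSION to a base release (>= 1.5.1) that defines output "vnet_id" itself - both present is a duplicate-output error`. The surrounding `curl` download and tarball extraction sit outside this hunk, so whether the archive is integrity-checked before the COPY is layered on top cannot be judged here.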
+++ b/templates/workspaces/airlock-import-review/terraform/import_review_resources.terraform
@@ -30,11 +30,6 @@ resource "azurerm_private_endpoint" "sa_import_inprogress_pe" {
   lifecycle {
     ignore_changes = [tags]
   }
-  private_dns_zone_group {
-    name = "pdzg-stg-ip-import-blob-${local.workspace_resource_name_suffix}"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
-  }
-
   private_service_connection {
     name = "psc-stg-ip-import-blob-${local.workspace_resource_name_suffix}"
     private_connection_resource_id = data.azurerm_storage_account.sa_import_inprogress.id
@@ -44,3 +39,29 @@ resource "azurerm_private_endpoint" "sa_import_inprogress_pe" {
   tags = local.tre_workspace_tags
 }
 
+
+resource "azurerm_private_dns_zone" "stg_import_inprogress_blob" {
+  name = "${data.azurerm_storage_account.sa_import_inprogress.name}.${module.terraform_azurerm_environment_configuration.private_links["privatelink.blob.core.windows.net"]}"
+  resource_group_name = azurerm_resource_group.ws.name
+
+  tags = local.tre_workspace_tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "stg_import_inprogress_blob" {
+  name = "vnl-stg-ip-import-blob-${local.workspace_resource_name_suffix}"
+  resource_group_name = azurerm_resource_group.ws.name
+  private_dns_zone_name = azurerm_private_dns_zone.stg_import_inprogress_blob.name
+  virtual_network_id = module.network.vnet_id
+
+  tags = local.tre_workspace_tags
+}
+
+resource "azurerm_private_dns_a_record" "stg_import_inprogress_blob" {
+  name = "@" # Root record
+  zone_name = azurerm_private_dns_zone.stg_import_inprogress_blob.name
+  resource_group_name = azurerm_resource_group.ws.name
+  ttl = 300
+  records = [azurerm_private_endpoint.sa_import_inprogress_pe.private_service_connection[0].private_ip_address]
+
+  tags = local.tre_workspace_tags
+}
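Review bot: The three new resources carry no comment explaining why this workspace now needs its own `<account>.privatelink.blob.core.windows.net` zone instead of the core zone group it just dropped, so the next reader is likely to "simplify" back to `private_dns_zone_group` and reintroduce the failure; a header comment above `azurerm_private_dns_zone.stg_import_inprogress_blob` such as `# Dedicated zone for this single storage account: registering it through the core privatelink.blob zone conflicted with core-managed records and broke Airlock import (#3767). Only the workspace VNet is linked; resolution from that VNet presumably prefers this longer zone name over the parent zone - verify against Azure Private DNS precedence rules.` would capture the intent. The zone, the VNet link and the A record also omit the `lifecycle { ignore_changes = [tags] }` that `sa_import_inprogress_pe` keeps a few lines above in the same file, so tags applied by policy will show as a perpetual diff on three resources but not the fourth; apply the same lifecycle block to each if that operator policy holds here. If `data.azurerm_private_dns_zone.blobcore` (declared outside this hunk) is no longer referenced now that the zone group is gone, it should be deleted rather than left as an unused lookup that still requires read access to the core zone.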
diff --git a/templates/workspaces/airlock-import-review/terraform/network_output.terraform b/templates/workspaces/airlock-import-review/terraform/network_output.terraform
new file mode 100644
index 0000000000..67d264f66b
--- /dev/null
+++ b/templates/workspaces/airlock-import-review/terraform/network_output.terraform
@@ -0,0 +1,4 @@
+# HACK: PR #3769: Remove file when base workspace release updated
+output "vnet_id" {
+  value = azurerm_virtual_network.ws.id
+}
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index 9b32b0c66b..ee0e27050c 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.5.0
+version: 1.5.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/terraform/network/outputs.tf b/templates/workspaces/base/terraform/network/outputs.tf
index b101b61ee8..b3d6ecf106 100644
--- a/templates/workspaces/base/terraform/network/outputs.tf
+++ b/templates/workspaces/base/terraform/network/outputs.tf
@@ -1,3 +1,7 @@
+output "vnet_id" {
+  value = azurerm_virtual_network.ws.id
+}
+
 output "services_subnet_id" {
   value = azurerm_subnet.services.id
 }
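Review bot: The new `output "vnet_id"` in the base network module has no `description`, and since it is the first output other templates consume for private DNS zone links (this change links `azurerm_private_dns_zone_virtual_network_link` to it in airlock-import-review) a reader of the base module cannot tell it is part of the contract rather than an internal leftover; `description = "Resource ID of the workspace VNet, consumed by workspace templates that link private DNS zones to it (e.g. airlock-import-review)."` would make that explicit. The existing `services_subnet_id` output is equally undocumented, so this keeps the file's current style, but the new output is the one being relied upon across templates and is worth documenting now.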