From 8c1cea9c7e3e3e71734fab4b2a77e9d8152a6e0b Mon Sep 17 00:00:00 2001 
From: Marcus Robinson Date: Tue, 7 Jan 2025 08:56:40 +0000 Subject: [PATCH 1/2] Consolidate upgrade scripts for Terraform (#4126) --- .../workflows/build_validation_develop.yml | 5 ++ .github/workflows/codeql-analysis.yml | 2 +- CHANGELOG.md | 1 + Makefile | 2 +- core/terraform/upgrade.sh | 13 ---- core/version.txt | 2 +- devops/scripts/upgrade.sh | 61 +++++++++++++++++++ devops/terraform/upgrade.sh | 13 ---- .../admin-vm/terraform/upgrade.sh | 13 ---- .../airlock_notifier/terraform/upgrade.sh | 13 ---- .../certs/terraform/upgrade.sh | 13 ---- .../cyclecloud/terraform/upgrade.sh | 13 ---- .../databricks-auth/terraform/upgrade.sh | 13 ---- .../firewall/terraform/upgrade.sh | 13 ---- .../gitea/terraform/upgrade.sh | 13 ---- .../sonatype-nexus-vm/terraform/upgrade.sh | 13 ---- .../databricks/terraform/upgrade.sh | 13 ---- .../gitea/terraform/upgrade.sh | 13 ---- .../guacamole/terraform/upgrade.sh | 13 ---- .../terraform/upgrade.sh | 13 ---- .../terraform/upgrade.sh | 13 ---- .../terraform/upgrade.sh | 13 ---- .../terraform/upgrade.sh | 13 ---- 23 files changed, 70 insertions(+), 224 deletions(-) delete mode 100644 core/terraform/upgrade.sh create mode 100755 devops/scripts/upgrade.sh delete mode 100644 devops/terraform/upgrade.sh delete mode 100644 templates/shared_services/admin-vm/terraform/upgrade.sh delete mode 100755 templates/shared_services/airlock_notifier/terraform/upgrade.sh delete mode 100644 templates/shared_services/certs/terraform/upgrade.sh delete mode 100644 templates/shared_services/cyclecloud/terraform/upgrade.sh delete mode 100644 templates/shared_services/databricks-auth/terraform/upgrade.sh delete mode 100755 templates/shared_services/firewall/terraform/upgrade.sh delete mode 100644 templates/shared_services/gitea/terraform/upgrade.sh delete mode 100644 templates/shared_services/sonatype-nexus-vm/terraform/upgrade.sh delete mode 100644 templates/workspace_services/databricks/terraform/upgrade.sh delete mode 100644 
templates/workspace_services/gitea/terraform/upgrade.sh delete mode 100644 templates/workspace_services/guacamole/terraform/upgrade.sh delete mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/upgrade.sh delete mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/upgrade.sh delete mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/upgrade.sh delete mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/upgrade.sh diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index c44cba4b9d..01be02c3c0 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -52,6 +52,11 @@ jobs: terraform_workspace_services: - templates/workspace_services/**/terraform/**/*.tf + - uses: hashicorp/setup-terraform@v3 + if: ${{ steps.filter.outputs.terraform == 'true' }} + with: + terraform_version: "1.9.8" + - name: Terraform format check if: ${{ steps.filter.outputs.terraform == 'true' }} run: terraform fmt -check -recursive diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 176b3b6a39..2cb40d1fd9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -29,7 +29,7 @@ concurrency: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: actions: read contents: read diff --git a/CHANGELOG.md b/CHANGELOG.md index df36da2a72..e99edc513f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
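Review bot: The added `hashicorp/setup-terraform@v3` step is pinned by a mutable major tag, so the action code that runs in CI can change without any change to this repository; if the other steps of this workflow pin by commit SHA (not in view), this one should follow the same convention, e.g. `uses: hashicorp/setup-terraform@<commit-sha-of-v3-release> # v3`. The explicit `terraform_version: "1.9.8"` is a useful complement, since it makes the `terraform fmt -check` step independent of whatever Terraform the runner image ships. The enclosing `steps:` list begins and ends outside the hunk.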
@@ -14,6 +14,7 @@ ENHANCEMENTS: * Split log entries with [Log chunk X of Y] for better readability. ([#3992](https://github.com/microsoft/AzureTRE/issues/3992)) * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111)) * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103)) +* Consolidate Terraform upgrade scripts ([#4099](https://github.com/microsoft/AzureTRE/issues/4099)) * Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001)) * Update obsolete Terraform properties ([#4136](https://github.com/microsoft/AzureTRE/issues/4136)) * Update Guacamole version and dependencies ([#4140](https://github.com/microsoft/AzureTRE/issues/4140)) diff --git a/Makefile b/Makefile index 78e89c76f4..90e7686808 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,7 @@ terraform-upgrade: && . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \ && . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \ && . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \ - && cd ${DIR}/terraform/ && ./upgrade.sh + && ./devops/scripts/upgrade.sh ${DIR} terraform-import: $(call target_title, "Importing ${DIR} with Terraform") \ diff --git a/core/terraform/upgrade.sh b/core/terraform/upgrade.sh deleted file mode 100644 index 861e28d2f1..0000000000 --- a/core/terraform/upgrade.sh +++ /dev/null 
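Review bot: The new recipe line runs `./devops/scripts/upgrade.sh ${DIR}` via a path relative to the current working directory, while every sibling line of the same recipe resolves scripts through `${MAKEFILE_DIR}`, so `make -C` or `make -f` from another directory will not find the script. Use `&& ${MAKEFILE_DIR}/devops/scripts/upgrade.sh ${DIR}`. The removed line `cd`-ed into `${DIR}/terraform/`, so `${DIR}` may itself be relative to the invocation directory; the script's `-chdir="$DIR/terraform"` preserves that as long as the script can be located. The `terraform-upgrade` rule begins outside the hunk.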
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_resource_id}-core" diff --git a/core/version.txt b/core/version.txt index 87583f1acf..1e6e806534 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.15" +__version__ = "0.11.16" diff --git a/devops/scripts/upgrade.sh b/devops/scripts/upgrade.sh new file mode 100755 index 0000000000..89733492f7 --- /dev/null +++ b/devops/scripts/upgrade.sh 
@@ -0,0 +1,61 @@ +#!/bin/bash +set -e + +# This script is used to upgrade terraform providers in a specified directory + +# Usage: ./upgrade.sh + +DIR=$1 + +# Load environment variables from .env file +if [ -f "$DIR/.env" ]; then + set -a + # shellcheck source=/dev/null + . "$DIR/.env" + set +a +fi + +# Ensure TF_VAR_mgmt_resource_group_name is set +if [ -z "${TF_VAR_mgmt_resource_group_name}" ]; then + echo "Error: TF_VAR_mgmt_resource_group_name is not set." + exit 1 +fi + +# Ensure TF_VAR_mgmt_storage_account_name is set +if [ -z "${TF_VAR_mgmt_storage_account_name}" ]; then + echo "Error: TF_VAR_mgmt_storage_account_name is not set." + exit 1 +fi + +# Ensure TF_VAR_terraform_state_container_name is set +if [ -z "${TF_VAR_terraform_state_container_name}" ]; then + echo "Error: TF_VAR_terraform_state_container_name is not set." + exit 1 +fi + +# Ensure TRE_ID is set +if [ -z "${TRE_ID}" ]; then + echo "Error: TRE_ID is not set." + exit 1 +fi + +# Infer the key from the directory names +PARENT_DIR=$(basename "$(dirname "$DIR")") +GRANDPARENT_DIR=$(basename "$(dirname "$(dirname "$DIR")")") + +if [[ "$GRANDPARENT_DIR" == "workspaces" || "$GRANDPARENT_DIR" == "shared_services" ]]; then + KEY="${TRE_ID?}_${TF_VAR_id?}_${PARENT_DIR}" +elif [[ "$GRANDPARENT_DIR" == "workspace_services" ]]; then + KEY="${TRE_ID?}_${TF_VAR_workspace_id?}_${TF_VAR_id?}_${PARENT_DIR}" +elif [[ "$GRANDPARENT_DIR" == "user_resources" ]]; then + KEY="${TRE_ID?}_${TF_VAR_workspace_id?}_${TF_VAR_workspace_service_id?}_${TF_VAR_id?}_${PARENT_DIR}" +else + KEY="${TRE_ID?}_${PARENT_DIR}" +fi + +# Run terraform init with upgrade and reconfigure options +terraform -chdir="$DIR/terraform" init -upgrade -reconfigure -input=false -backend=true \ + -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ + -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ + -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ + 
-backend-config="key=${KEY}" diff --git a/devops/terraform/upgrade.sh b/devops/terraform/upgrade.sh deleted file mode 100644 index a05032d544..0000000000 --- a/devops/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_resource_id}-devops" diff --git a/templates/shared_services/admin-vm/terraform/upgrade.sh b/templates/shared_services/admin-vm/terraform/upgrade.sh deleted file mode 100644 index 12597ee325..0000000000 --- a/templates/shared_services/admin-vm/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_resource_id}-shared-adminvm" diff --git a/templates/shared_services/airlock_notifier/terraform/upgrade.sh b/templates/shared_services/airlock_notifier/terraform/upgrade.sh deleted file mode 100755 index 72785516f5..0000000000 
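Review bot: The key inference walks one directory level too high for the way `terraform-upgrade` calls this script: with `DIR` being the bundle directory (as `-chdir="$DIR/terraform"` and the Makefile's `${DIR}/.env` imply), `PARENT_DIR` for `templates/shared_services/firewall/` is `shared_services` and `GRANDPARENT_DIR` is `templates`, so none of the `workspaces`/`shared_services`/`workspace_services`/`user_resources` branches ever matches, every bundle in a category falls through to the same `${TRE_ID}_<category>` key, and for `core` and `devops` the key is built from the checkout's own directory name. Because `init -reconfigure` silently accepts whatever key it is given, a mismatched key yields an empty state and a later apply or destroy would act as if nothing had been deployed, so this should read `PARENT_DIR=$(basename "$DIR")` and `GRANDPARENT_DIR=$(basename "$(dirname "$DIR")")` (both commands strip trailing slashes), unless callers are meant to pass the terraform directory itself; the resulting keys should also be checked against the ones the deploy scripts use, which are not in view. `DIR=$1` is never checked either, so an empty argument sources `/.env` and initialises `/terraform`; `: "${DIR:?usage: $0 <bundle-dir>}"` fails fast, and the `# Usage:` comment should name that argument.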
--- a/templates/shared_services/airlock_notifier/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_resource_id}-shared-airlock-notifier" diff --git a/templates/shared_services/certs/terraform/upgrade.sh b/templates/shared_services/certs/terraform/upgrade.sh deleted file mode 100644 index aae4c58cef..0000000000 --- a/templates/shared_services/certs/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}-certs" diff --git a/templates/shared_services/cyclecloud/terraform/upgrade.sh b/templates/shared_services/cyclecloud/terraform/upgrade.sh deleted file mode 100644 index 5368cb1a55..0000000000 --- a/templates/shared_services/cyclecloud/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_resource_id}-${ID}" diff --git a/templates/shared_services/databricks-auth/terraform/upgrade.sh b/templates/shared_services/databricks-auth/terraform/upgrade.sh deleted file mode 100644 index 70b3863871..0000000000 --- a/templates/shared_services/databricks-auth/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=tre-workspace-service-gitea-${TF_VAR_id}" diff --git a/templates/shared_services/firewall/terraform/upgrade.sh b/templates/shared_services/firewall/terraform/upgrade.sh deleted file mode 100755 index d690d433a7..0000000000 --- a/templates/shared_services/firewall/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}-shared-service-firewall" diff --git a/templates/shared_services/gitea/terraform/upgrade.sh b/templates/shared_services/gitea/terraform/upgrade.sh deleted file mode 100644 index 6618fcb445..0000000000 --- a/templates/shared_services/gitea/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}-gitea" diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/upgrade.sh b/templates/shared_services/sonatype-nexus-vm/terraform/upgrade.sh deleted file mode 100644 index f15b4a2ee6..0000000000 --- a/templates/shared_services/sonatype-nexus-vm/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID:?}-shared-service-sonatype-nexus" diff --git a/templates/workspace_services/databricks/terraform/upgrade.sh b/templates/workspace_services/databricks/terraform/upgrade.sh deleted file mode 100644 index 70b3863871..0000000000 --- a/templates/workspace_services/databricks/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=tre-workspace-service-gitea-${TF_VAR_id}" diff --git a/templates/workspace_services/gitea/terraform/upgrade.sh b/templates/workspace_services/gitea/terraform/upgrade.sh deleted file mode 100644 index 70b3863871..0000000000 --- a/templates/workspace_services/gitea/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=tre-workspace-service-gitea-${TF_VAR_id}" diff --git a/templates/workspace_services/guacamole/terraform/upgrade.sh b/templates/workspace_services/guacamole/terraform/upgrade.sh deleted file mode 100644 index edf24afb36..0000000000 --- a/templates/workspace_services/guacamole/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}${TF_VAR_workspace_id}guacamole" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/upgrade.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/upgrade.sh deleted file mode 100644 index e5bbe41a91..0000000000 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}${TF_VAR_workspace_id}${TF_VAR_parent_service_id}guacamolewindowsvm" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/upgrade.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/upgrade.sh deleted file mode 100644 index e5bbe41a91..0000000000 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}${TF_VAR_workspace_id}${TF_VAR_parent_service_id}guacamolewindowsvm" 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/upgrade.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/upgrade.sh deleted file mode 100644 index f6d9bbcefe..0000000000 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/upgrade.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TF_VAR_tre_id}${TF_VAR_workspace_id}${TF_VAR_parent_service_id}guacamolelinuxvm" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/upgrade.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/upgrade.sh deleted file mode 100644 index e5bbe41a91..0000000000 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/upgrade.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -set -e - -# This script is used to install the bundle directly without having to interact with Porter - -# This script assumes you have created an .env from the sample and the variables -# will come from there. -# shellcheck disable=SC2154 -terraform init -upgrade -reconfigure -input=false -backend=true \ - -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \ - -backend-config="storage_account_name=${TF_VAR_mgmt_storage_account_name}" \ - -backend-config="container_name=${TF_VAR_terraform_state_container_name}" \ - -backend-config="key=${TRE_ID}${TF_VAR_workspace_id}${TF_VAR_parent_service_id}guacamolewindowsvm" From 97debdc23783e76ce04d6bd230e54713b2fa1f72 Mon Sep 17 00:00:00 2001 
From: Yuval Yaron <43217306+yuvalyaron@users.noreply.github.com> Date: Tue, 7 Jan 2025 20:43:09 +0200 Subject: [PATCH 2/2] Add option for forced tunneling through TRE's Firewall (#4238) * Add option for forced tunneling through TRE's Firewall * fix linting issues * refine doc * rename force tunnel route * add variables to schema * fix github actions * add warning to fw force tunnel doc * refine doc * fix linting errors * send firewall props through makefile command * update doc * update config.yaml.sample * remove typo * shorten comment * Update docs/tre-admins/configure-firewall-force-tunneling.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix typo in docs * fix linting issues * fix linting error --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../workflows/build_validation_develop.yml | 21 +- .github/workflows/codeql-analysis.yml | 6 +- CHANGELOG.md | 1 + Makefile | 6 +- config.sample.yaml | 3 +- .../configure-firewall-force-tunneling.md | 21 + mkdocs.yml | 1 + .../shared_services/firewall/parameters.json | 6 + .../shared_services/firewall/porter.yaml | 8 +- .../firewall/template_schema.json | 634 +++++++++--------- .../firewall/terraform/firewall.tf | 4 +- .../firewall/terraform/routetable.tf | 25 + .../firewall/terraform/variables.tf | 5 + 13 files changed, 415 insertions(+), 326 deletions(-) create mode 100644 docs/tre-admins/configure-firewall-force-tunneling.md diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index 01be02c3c0..a9364293d8 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -1,11 +1,11 @@ --- name: Build Validation -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy pull_request: branches: - main - - 'feature/**' + - "feature/**" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones 
@@ -57,6 +57,11 @@ jobs: with: terraform_version: "1.9.8" + - uses: hashicorp/setup-terraform@v3 + if: ${{ steps.filter.outputs.terraform == 'true' }} + with: + terraform_version: "1.9.8" + - name: Terraform format check if: ${{ steps.filter.outputs.terraform == 'true' }} run: terraform fmt -check -recursive @@ -112,7 +117,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_core.hcl - FILTER_REGEX_INCLUDE: './core/.*' + FILTER_REGEX_INCLUDE: "./core/.*" - name: Workspace Tags if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }} @@ -123,7 +128,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" - name: Workspace Services Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} @@ -134,8 +139,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' - FILTER_REGEX_EXCLUDE: '.*user_resource.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" + FILTER_REGEX_EXCLUDE: ".*user_resource.*" - name: User Resources Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} @@ -146,7 +151,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl - FILTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*' + FILTER_REGEX_INCLUDE: "./templates/workspace_services/.*/user_resources/.*" - name: Shared Services Tags if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }} 
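Review bot: The `hashicorp/setup-terraform@v3` step added here duplicates the identical step that already precedes it in the context lines (the `with: terraform_version: "1.9.8"` just above the `+` lines belongs to that earlier step), so Terraform is installed twice on every run of the terraform path; the five added lines should be dropped rather than kept. The remaining hunks in this file only change quoting style and raise nothing. The enclosing `steps:` list begins and ends outside the hunk.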
@@ -157,4 +162,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl - FILTER_REGEX_INCLUDE: './templates/shared_services/.*' + FILTER_REGEX_INCLUDE: "./templates/shared_services/.*" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2cb40d1fd9..92327b53ff 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,13 +12,13 @@ # name: "CodeQL" -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy push: branches: [main] pull_request: branches: [main] schedule: - - cron: '41 3 * * 5' + - cron: "41 3 * * 5" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - language: ['python', 'java', 'javascript', 'typescript'] + language: ["python", "java", "javascript", "typescript"] steps: - name: Checkout repository diff --git a/CHANGELOG.md b/CHANGELOG.md index e99edc513f..6d19e990a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ BUG FIXES: * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222)) * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)]) * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)]) +* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237)) COMPONENTS: diff --git a/Makefile b/Makefile index 90e7686808..58719016b3 100644 --- a/Makefile +++ b/Makefile 
@@ -309,8 +309,10 @@ deploy-shared-service: && ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS} firewall-install: - $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \ - DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service + . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \ + && $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \ + DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service \ + PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }" static-web-upload: $(call target_title, "Uploading to static website") \ diff --git a/config.sample.yaml b/config.sample.yaml index 44777e89a3..009f017920 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -10,7 +10,7 @@ management: acr_name: __CHANGE_ME__ # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true) # external_key_store_id: __CHANGE_ME__ - # Name of Key Vault for encryption keys, required only if enable_cmk_encryption is true and not using external_key_store_id + # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set # encryption_kv_name: __CHANGE_ME__ # Azure Resource Manager credentials used for CI/CD pipelines arm_subscription_id: __CHANGE_ME__ @@ -46,6 +46,7 @@ tre: # The TRE Web UI is deployed by default. # Uncomment the following to disable deployment of the Web UI. # deploy_ui: false + # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2 diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md new file mode 100644 index 0000000000..68d5886c93 --- /dev/null +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
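Review bot: `$${FIREWALL_FORCE_TUNNEL_IP+...}` expands whenever the variable is set, including when it is set to an empty string (for instance an empty CI variable), which leaves a dangling `--firewall_force_tunnel_ip ` with no value in `PROPS`; the same applies to `FIREWALL_SKU`. The `:+` form skips empty values and matches the bundle's `default: ""`: `PROPS="$${FIREWALL_SKU:+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP:+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }"`. The address is also passed through unquoted and unvalidated all the way to the bundle (`type: string` in porter.yaml), so a mistyped next hop becomes a default route toward an unreachable address; an IPv4 literal check here, or a `pattern` in the template schema whose hunk is not in view, would reject it before a route table is created. The `deploy-shared-service` rule shown as context begins outside the hunk.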
@@ -0,0 +1,21 @@ +# Forced Tunneling to External Firewall in TRE + +Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. +It is highly recommended leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need a superset of rules used by the TRE. + +To setup forced tunneling to an external firewall, follow these steps: + +## 1. Set the firewall_force_tunnel_ip parameter in the config.yaml file +Provide the external firewall's IP address: + +```json +firewall_force_tunnel_ip: 192.168.0.4 +``` +This automatically creates a route table to direct TRE’s traffic to the specified IP. + +## 2. Manually Connect TRE to Your Firewall +Configure connectivity between TRE’s VNet and your external firewall using one of the following methods: + +1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. +1. **ExpressRoute**: Use a private connection for firewalls located on-premises. +1. **Site-to-Site VPN**: Establish a VPN connection as an alternative. diff --git a/mkdocs.yml b/mkdocs.yml index d81cd08297..ed2b2c72aa 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -140,6 +140,7 @@ nav: - Supported Clouds: tre-admins/supported-clouds.md - Customer Managed Keys: tre-admins/customer-managed-keys.md - Custom Domain Name: tre-admins/custom-domain.md + - Firewall Force Tunneling: tre-admins/configure-firewall-force-tunneling.md - Development: # Docs related to the developing code for the AzureTRE - Local Development: using-tre/local-development/local-development.md diff --git a/templates/shared_services/firewall/parameters.json b/templates/shared_services/firewall/parameters.json index 7883f0aa13..6a1df98da8 100755 
--- a/templates/shared_services/firewall/parameters.json +++ b/templates/shared_services/firewall/parameters.json @@ -63,6 +63,12 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "firewall_force_tunnel_ip", + "source": { + "env": "FIREWALL_FORCE_TUNNEL_IP" + } } ] } diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml index d5e7003d14..ffba80504b 100644 --- a/templates/shared_services/firewall/porter.yaml +++ b/templates/shared_services/firewall/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-firewall -version: 1.2.8 +version: 1.3.0 description: "An Azure TRE Firewall shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -54,6 +54,9 @@ parameters: default: "graph.microsoft.com" - name: arm_environment type: string + - name: firewall_force_tunnel_ip + type: string + default: "" mixins: - terraform: @@ -69,6 +72,7 @@ install: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -87,6 +91,7 @@ upgrade: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
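Review bot: The new `firewall_force_tunnel_ip` parameter in porter.yaml carries only `type` and `default`; a one-line `description:` would tell operators reading the bundle that it is optional and that, when set, all egress from the firewall subnet is routed to that address. Something like `description: "Optional. IPv4 address of an external firewall to force-tunnel all Azure Firewall egress to; leave empty to disable."` next to `default: ""`. The parameter is wired through install, upgrade and uninstall consistently in the following hunks.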
@@ -105,6 +110,7 @@ uninstall:
 api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
 firewall_sku: ${ bundle.parameters.firewall_sku }
 microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+ firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
diff --git a/templates/shared_services/firewall/template_schema.json b/templates/shared_services/firewall/template_schema.json
index cd3aab13b3..23b0f8a526 100644
--- a/templates/shared_services/firewall/template_schema.json
+++ b/templates/shared_services/firewall/template_schema.json
@@ -6,111 +6,127 @@ "description": "Provides Firewall shared service", "required": [], "properties": { + "firewall_sku": { + "type": "string", + "title": "Firewall SKU", + "description": "The SKU that will be used when deploying The Firewall.", + "default": "Standard", + "enum": [ + "Basic", + "Standard", + "Premium" + ] + }, + "firewall_force_tunnel_ip": { + "type": "string", + "title": "Force Tunnel IP", + "description": "Optionally specify an IP address to forward all traffic to" + }, "rule_collections": { - "$id": "#properties/rule_collections", - "title": "application rule collections", - "type": "array", - "default": [], + "$id": "#properties/rule_collections", + "title": "application rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.*$" - }, - "description": { - "title": "description", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": 
"object", - "required": [ - "port", - "type" - ], - "properties": { - "port": { - "title": "port", - "type": "string", - "examples": [ - "1234" - ], - "pattern": "^.*$" - }, - "type": { - "title": "type", - "type": "string", + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.*$" + }, + "description": { + "title": "description", + "type": "string", + "default": "", + "examples": [ + "My rule description here" + ], + "pattern": "^.*$" + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "port", + "type" + ], + "properties": { + "port": { + "title": "port", + "type": "string", + "examples": [ + "1234" + ], + "pattern": "^.*$" + }, + "type": { + "title": "type", + "type": "string", "enum": [ "Http", "Https", "Mssql" ], - "examples": [ - "Http" - ] - } - } - } - }, + "examples": [ + "Http" + ] + } + } + } + }, "fqdn_tags": { - "title": "fqdn tags", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "enum":[ + "title": "fqdn tags", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "enum": [ "AppServiceEnvironment", "AzureBackup", "AzureKubernetesService", 
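Review bot: The new `firewall_force_tunnel_ip` property accepts any string, yet its value ends up as the next hop of a 0.0.0.0/0 route; constraining it in the schema would reject typos before a deployment is attempted, e.g. `"format": "ipv4"` (if the API's validator enforces formats, otherwise a `pattern` matching an IPv4 address or the empty string) plus `"default": ""` to mirror the porter parameter. Both new properties also omit `updateable`, which the existing properties set; if that flag is what lets a value be changed on an already-deployed shared service, the tunnel IP could not be changed later through the API — worth confirming. The rest of this hunk, and the following one, is whitespace reindentation.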
@@ -120,246 +136,246 @@ "WindowsUpdate", "WindowsVirtualDesktop" ], - "examples": [ - "AzureKubernetesService" - ] - } - }, - "target_fqdns": { - "title": "destination fqdns", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "examples": [ + "AzureKubernetesService" + ] + } + }, + "target_fqdns": { + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "ip_group_name_in_core_resource_group" - ] - } - } - } - } - } - } - } + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "ip_group_name_in_core_resource_group" + ] + } + } + } + } + } + } + } }, "network_rule_collections": { - "$id": 
"#properties/network_rule_collections", - "title": "network rule collections", - "type": "array", - "default": [], + "$id": "#properties/network_rule_collections", + "title": "network rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.{5,80}$" - }, - "description": { - "title": "description DEPRECATED", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.{5,80}$" + }, + "description": { + "title": "description DEPRECATED", + "type": "string", + "default": "", + "examples": [ + "My rule description 
here" + ], + "pattern": "^.*$" + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_name" - ] - } - }, - "destination_addresses": { - "title": "destination addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_name" + ] + } + }, + "destination_addresses": { + "title": "destination addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "destination_ip_group_ids": { - "title": "destination ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "destination ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "destination_fqdns": { - "title": "destination fqdns", - "type": 
"array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, "destination_ports": { - "title": "destination ports", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "80", + "title": "destination ports", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "80", "443", "*" - ] - } - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", + ] + } + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", "enum": [ "Any", "ICMP", "TCP", "UDP" ], - "examples": [ - "TCP" - ] - } - } - } - } - } - } - } + "examples": [ + "TCP" + ] + } + } + } + } + } + } + } } } } diff --git a/templates/shared_services/firewall/terraform/firewall.tf b/templates/shared_services/firewall/terraform/firewall.tf index ae94aecff0..6697a359b6 100644 --- a/templates/shared_services/firewall/terraform/firewall.tf +++ b/templates/shared_services/firewall/terraform/firewall.tf @@ -15,7 +15,7 @@ moved { } resource "azurerm_public_ip" "fwmanagement" { - count = local.effective_firewall_sku == "Basic" ? 1 : 0 + count = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? 1 : 0 name = "pip-fw-management-${var.tre_id}" resource_group_name = local.core_resource_group_name location = data.azurerm_resource_group.rg.location 
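Review bot: The `count` on `azurerm_public_ip.fwmanagement` now also becomes 1 when `var.firewall_force_tunnel_ip` is set, and the same expression is repeated for `management_ip_configuration` in the next hunk and twice more in routetable.tf; a single `local.force_tunnel_enabled = var.firewall_force_tunnel_ip != ""` and `local.management_ip_required = local.force_tunnel_enabled || local.effective_firewall_sku == "Basic"` would keep the four conditions from drifting. For an existing Standard/Premium firewall this flips the management public IP and management IP configuration from absent to present; whether the provider can add a management configuration in place or needs a replace or stop/start of the firewall is worth checking against the plan output, since it affects rollout on existing TREs. The `azurerm_public_ip` block continues outside the hunk.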
@@ -42,7 +42,7 @@ resource "azurerm_firewall" "fw" {
 }

 dynamic "management_ip_configuration" {
- for_each = local.effective_firewall_sku == "Basic" ? [1] : []
+ for_each = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? [1] : []
 content {
 name = "mgmtconfig"
 subnet_id = data.azurerm_subnet.firewall_management.id
diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf
index f0e4388d9b..23202788eb 100644
--- a/templates/shared_services/firewall/terraform/routetable.tf
+++ b/templates/shared_services/firewall/terraform/routetable.tf
@@ -87,3 +87,28 @@ resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_asso
 azurerm_firewall_policy_rule_collection_group.dynamic_application
 ]
 }
+
+resource "azurerm_route_table" "fw_tunnel_rt" {
+ count = var.firewall_force_tunnel_ip != "" ? 1 : 0
+ name = "rt-fw-tunnel-${var.tre_id}"
+ resource_group_name = local.core_resource_group_name
+ location = data.azurerm_resource_group.rg.location
+ bgp_route_propagation_enabled = true
+ tags = local.tre_shared_service_tags
+
+ lifecycle { ignore_changes = [tags] }
+
+ route {
+ name = "ForceTunnelRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = var.firewall_force_tunnel_ip
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" {
+ count = var.firewall_force_tunnel_ip != "" ? 1 : 0
+ subnet_id = data.azurerm_subnet.firewall.id
+ route_table_id = azurerm_route_table.fw_tunnel_rt[0].id
+}
+
diff --git a/templates/shared_services/firewall/terraform/variables.tf b/templates/shared_services/firewall/terraform/variables.tf
index a1017e157f..1140c25f40 100644
--- a/templates/shared_services/firewall/terraform/variables.tf
+++ b/templates/shared_services/firewall/terraform/variables.tf
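Review bot: `azurerm_route_table.fw_tunnel_rt` sends `0.0.0.0/0` from `data.azurerm_subnet.firewall` to `next_hop_in_ip_address = var.firewall_force_tunnel_ip` without anything checking that the value is an IP address, so a typo surfaces only as a provider error at apply time; a `validation` block on the variable (see the variables.tf hunk) would fail at plan. The association deliberately covers only the firewall subnet, and a comment on `rt_fw_tunnel_subnet_association` would stop someone later "completing" it with the management subnet, whose traffic must keep its default route for forced tunnelling to work: `# Only AzureFirewallSubnet is force-tunnelled; AzureFirewallManagementSubnet must keep its default Internet route`. Whether `bgp_route_propagation_enabled = true` is intended (so gateway-learned on-premises routes are merged with the default route) is worth a one-line comment too.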
@@ -27,3 +27,8 @@ variable "firewall_sku" {
 type = string
 default = ""
 }
+
+variable "firewall_force_tunnel_ip" {
+ type = string
+ default = ""
+}
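Review bot: The new `firewall_force_tunnel_ip` variable has no `description` and no `validation`, although its value becomes the next hop of a default route in routetable.tf; validating that it is empty or an IPv4 address makes a malformed value fail at plan time rather than inside the provider, and the description documents the empty-string-disables contract that firewall.tf and routetable.tf rely on. The `can(cidrhost(...))` idiom below needs Terraform 0.13 or later for `validation` blocks, which this repository's other variables presumably already assume.
```terraform
variable "firewall_force_tunnel_ip" {
  type        = string
  default     = ""
  description = "Optional IPv4 address of an external firewall. When set, a 0.0.0.0/0 UDR on AzureFirewallSubnet sends all Azure Firewall egress to it; empty disables forced tunnelling."

  validation {
    condition     = var.firewall_force_tunnel_ip == "" || can(cidrhost("${var.firewall_force_tunnel_ip}/32", 0))
    error_message = "firewall_force_tunnel_ip must be empty or a valid IPv4 address."
  }
}
```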