From c79d9e160fc404b246b4583a83ff5f5c5ad9caa7 Mon Sep 17 00:00:00 2001
From: Ron Shakutai <58519179+ShakutaiGit@users.noreply.github.com>
Date: Thu, 2 Jan 2025 11:58:48 +0200
Subject: [PATCH] Fix public exposure in Guacamole service (#4236)
* Update Guacamole service exposure settings and change the service plan configuration to the data
* update the changelog.md
---
 CHANGELOG.md | 2 +-
 templates/workspace_services/guacamole/.env.sample | 2 +-
 templates/workspace_services/guacamole/porter.yaml | 2 +-
 templates/workspace_services/guacamole/terraform/data.tf | 5 +++++
 templates/workspace_services/guacamole/terraform/web_app.tf | 6 +-----
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e5bb603e1..b4585221a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,7 +46,7 @@ BUG FIXES:
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
 * Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
-
+* Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 COMPONENTS:
 ## 0.19.1
diff --git a/templates/workspace_services/guacamole/.env.sample b/templates/workspace_services/guacamole/.env.sample
index bd6e4ba57a..cadae76d21 100644
--- a/templates/workspace_services/guacamole/.env.sample
+++ b/templates/workspace_services/guacamole/.env.sample
@@ -17,6 +17,6 @@ GUAC_DRIVE_NAME="transfer"
 GUAC_DRIVE_PATH="/guac-transfer"
 GUAC_DISABLE_DOWNLOAD=true
 GUAC_DISABLE_UPLOAD=true
-IS_EXPOSED_EXTERNALLY=false
+IS_EXPOSED_EXTERNALLY=true
 image_name="guac-server"
 image_tag=""
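Review bot: The sample now ships `IS_EXPOSED_EXTERNALLY=true`, which is the opposite of the safe default for a change titled "Fix public exposure": anyone who copies `.env.sample` to `.env` without reading it gets a publicly reachable Guacamole app, because web_app.tf in this same patch now derives `public_network_access_enabled = var.is_exposed_externally` from that value. If `true` is only needed for local or end-to-end test runs, keep `false` in the sample and document the override, or at minimum put a comment above the line: `# true opens the Guacamole web app to the public internet; leave false unless the workspace service must be reachable externally`. The sample value is presumably mapped to the porter parameter of the same name, whose default is not part of this patch, so confirm that default is `false` as well.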
diff --git a/templates/workspace_services/guacamole/porter.yaml b/templates/workspace_services/guacamole/porter.yaml
index e6f4164915..c7009d1c04 100644
--- a/templates/workspace_services/guacamole/porter.yaml
+++ b/templates/workspace_services/guacamole/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole
-version: 0.12.5
+version: 0.12.6
 description: "An Azure TRE service for Guacamole"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspace_services/guacamole/terraform/data.tf b/templates/workspace_services/guacamole/terraform/data.tf
index 93d29f4d97..35b523ae88 100644
--- a/templates/workspace_services/guacamole/terraform/data.tf
+++ b/templates/workspace_services/guacamole/terraform/data.tf
@@ -71,3 +71,8 @@ data "azurerm_monitor_diagnostic_categories" "guacamole" {
 azurerm_linux_web_app.guacamole,
 ]
 }
+
+data "azurerm_service_plan" "workspace" {
+ name = "plan-${var.workspace_id}"
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
diff --git a/templates/workspace_services/guacamole/terraform/web_app.tf b/templates/workspace_services/guacamole/terraform/web_app.tf
index e81ddc284e..c92190b9e1 100644
--- a/templates/workspace_services/guacamole/terraform/web_app.tf
+++ b/templates/workspace_services/guacamole/terraform/web_app.tf
@@ -1,8 +1,3 @@
-data "azurerm_service_plan" "workspace" {
- name = "plan-${var.workspace_id}"
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
 # we have to use user-assigned to break a cycle in the dependencies: app identity, kv-policy, secrets in app settings
 resource "azurerm_user_assigned_identity" "guacamole_id" {
 resource_group_name = data.azurerm_resource_group.ws.name
@@ -24,6 +19,7 @@ resource "azurerm_linux_web_app" "guacamole" {
 ftp_publish_basic_authentication_enabled = false
 webdeploy_publish_basic_authentication_enabled = false
 tags = local.workspace_service_tags
+ public_network_access_enabled = var.is_exposed_externally
 site_config {
 http2_enabled = true
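Review bot: `public_network_access_enabled = var.is_exposed_externally` is the line that actually closes the public path for the app, but nothing in the resource says why it is there or what the app relies on when it is false; a comment above it would help the next maintainer who finds the app unreachable from the internet: `# Public ingress only when the service is explicitly exposed (#4199); when false the app must be reached over its private network path`. I cannot see from this hunk how the app is reached when the flag is false (a private endpoint is presumably defined elsewhere in web_app.tf), so confirm that path exists before treating this attribute as the sole control, and if `site_config` defines `ip_restriction` rules they should stay in place as a second layer for the exposed case. The enclosing `azurerm_linux_web_app.guacamole` resource starts before and continues after the hunk.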