From 30c3c2f11fff54339771b56f0b937ddec8456877 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 31 Dec 2024 19:24:00 +0000 Subject: [PATCH 01/18] Add option for forced tunneling through TRE's Firewall --- CHANGELOG.md | 1 + .../configure-firewall-force-tunneling.md | 20 +++++++++++++++ mkdocs.yml | 1 + .../shared_services/firewall/porter.yaml | 8 +++++- .../firewall/terraform/firewall.tf | 4 +-- .../firewall/terraform/routetable.tf | 25 +++++++++++++++++++ .../firewall/terraform/variables.tf | 5 ++++ 7 files changed, 61 insertions(+), 3 deletions(-) create mode 100644 docs/tre-admins/configure-firewall-force-tunneling.md diff --git a/CHANGELOG.md b/CHANGELOG.md index cebff01908..b53d675aa0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,6 +43,7 @@ BUG FIXES: * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212)) * Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004)) * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222)) +* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237)) COMPONENTS: diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md new file mode 100644 index 0000000000..2e175ee624 --- /dev/null +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
@@ -0,0 +1,20 @@ +# Forced Tunneling to External Firewall in TRE + +Forced tunneling ensures that all traffic from TRE is routed through a specific external firewall. This guarantees that all data passes through the firewall for inspection, control, or further processing before reaching its destination. + +To route TRE’s traffic through an external firewall: + +##1. Set the rp_bundle_values Parameter in the config.yaml file +Provide the external firewall's IP address: + +```json +rp_bundle_values: '{"firewall_force_tunnel_ip":"10.0.0.4"}' +``` +This automatically creates a route table to direct TRE’s traffic to the specified IP and deploys a public IP for firewall management. + +##2. Manually Connect TRE to Your Firewall +Configure connectivity between TRE’s VNet and your external firewall using one of the following methods: + +1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. +1. **ExpressRoute**: Use a private connection for firewalls located on-premises. +1. **Site-to-Site VPN**: Establish a VPN connection as an alternative. diff --git a/mkdocs.yml b/mkdocs.yml index d81cd08297..ed2b2c72aa 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -140,6 +140,7 @@ nav: - Supported Clouds: tre-admins/supported-clouds.md - Customer Managed Keys: tre-admins/customer-managed-keys.md - Custom Domain Name: tre-admins/custom-domain.md + - Firewall Force Tunneling: tre-admins/configure-firewall-force-tunneling.md - Development: # Docs related to the developing code for the AzureTRE - Local Development: using-tre/local-development/local-development.md diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml index d5e7003d14..ffba80504b 100644 --- a/templates/shared_services/firewall/porter.yaml +++ b/templates/shared_services/firewall/porter.yaml 
@@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-firewall -version: 1.2.8 +version: 1.3.0 description: "An Azure TRE Firewall shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -54,6 +54,9 @@ parameters: default: "graph.microsoft.com" - name: arm_environment type: string + - name: firewall_force_tunnel_ip + type: string + default: "" mixins: - terraform: @@ -69,6 +72,7 @@ install: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -87,6 +91,7 @@ upgrade: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -105,6 +110,7 @@ uninstall: api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections } firewall_sku: ${ bundle.parameters.firewall_sku } microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn } + firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/firewall/terraform/firewall.tf b/templates/shared_services/firewall/terraform/firewall.tf index ae94aecff0..6697a359b6 100644 --- a/templates/shared_services/firewall/terraform/firewall.tf +++ b/templates/shared_services/firewall/terraform/firewall.tf 
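Review bot: The `firewall_force_tunnel_ip` parameter added in the `parameters:` hunk has no `description`, although its contract is non-obvious: an empty string (the default) disables the feature, and any other value becomes the next hop of a 0.0.0.0/0 route on the firewall subnet in routetable.tf later in this patch. Porter shows parameter descriptions in `porter explain`, so a one-liner such as `description: "Optional. IP address of an external firewall; when set, traffic leaving the TRE firewall subnet is routed to it and a firewall management IP configuration is added."` tells an operator what they are opting into. Threading the parameter through install, upgrade and uninstall in the other three hunks on this line is consistent with the sibling parameters.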
@@ -15,7 +15,7 @@ moved {
 }
 resource "azurerm_public_ip" "fwmanagement" {
- count = local.effective_firewall_sku == "Basic" ? 1 : 0
+ count = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? 1 : 0
 name = "pip-fw-management-${var.tre_id}"
 resource_group_name = local.core_resource_group_name
 location = data.azurerm_resource_group.rg.location
@@ -42,7 +42,7 @@ resource "azurerm_firewall" "fw" {
 }
 dynamic "management_ip_configuration" {
- for_each = local.effective_firewall_sku == "Basic" ? [1] : []
+ for_each = (var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic") ? [1] : []
 content {
 name = "mgmtconfig"
 subnet_id = data.azurerm_subnet.firewall_management.id
diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf
index f0e4388d9b..0c38dd6c9a 100644
--- a/templates/shared_services/firewall/terraform/routetable.tf
+++ b/templates/shared_services/firewall/terraform/routetable.tf
@@ -87,3 +87,28 @@ resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_asso
 azurerm_firewall_policy_rule_collection_group.dynamic_application
 ]
 }
+
+resource "azurerm_route_table" "fw_tunnel_rt" {
+ count = var.firewall_force_tunnel_ip != "" ? 1 : 0
+ name = "rt-fw-tunnel-${var.tre_id}"
+ resource_group_name = local.core_resource_group_name
+ location = data.azurerm_resource_group.rg.location
+ bgp_route_propagation_enabled = true
+ tags = local.tre_shared_service_tags
+
+ lifecycle { ignore_changes = [tags] }
+
+ route {
+ name = "DefaultRoute"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_in_ip_address = var.firewall_force_tunnel_ip
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "rt_fw_tunnel_subnet_association" {
+ count = var.firewall_force_tunnel_ip != "" ? 1 : 0
+ subnet_id = data.azurerm_subnet.firewall.id
+ route_table_id = azurerm_route_table.fw_tunnel_rt[0].id
+}
+
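Review bot: The condition `var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic"` is now written out twice in firewall.tf, in the `count` of `azurerm_public_ip.fwmanagement` and in the `for_each` of the `management_ip_configuration` dynamic block of `azurerm_firewall.fw`, and the enabling test `var.firewall_force_tunnel_ip != ""` is repeated two more times in the routetable.tf hunk on this line; an edit to one copy would silently desynchronise the management public IP from the firewall's management configuration. Hoist it next to wherever `effective_firewall_sku` is defined (outside these hunks), e.g. `needs_management_config = var.firewall_force_tunnel_ip != "" || local.effective_firewall_sku == "Basic"`, and use `local.needs_management_config ? 1 : 0` and `local.needs_management_config ? [1] : []` in the two places. A comment on that local saying why forced tunneling requires the management configuration (the firewall's own service traffic needs a path that the 0.0.0.0/0 UDR does not capture, as the Azure Firewall forced-tunneling documentation describes) would spare the next reader the lookup. The `azurerm_firewall.fw` block begins outside the second hunk.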
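Review bot: `bgp_route_propagation_enabled = true` on `azurerm_route_table.fw_tunnel_rt` lets routes learned from a VPN or ExpressRoute gateway into the firewall subnet's route table; the 0.0.0.0/0 UDR wins over a gateway-learned default, but any more-specific prefix the gateway advertises takes longest-prefix precedence, and traffic to those destinations then leaves the subnet without passing the external firewall. Whether that matters depends on what the peer advertises, which is not visible here; if the intent is that every packet traverses the external firewall, set it to `false` and record the choice, e.g. `# Keep gateway-learned prefixes from bypassing the forced-tunnel next hop.`. The trailing `+` with no content adds a blank line at the end of routetable.tf, which the Terraform format check presumably run by the build validation workflow later in this series may flag. The `rt_airlock_events_subnet_association` resource shown as context begins outside the hunk.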
diff --git a/templates/shared_services/firewall/terraform/variables.tf b/templates/shared_services/firewall/terraform/variables.tf index a1017e157f..1140c25f40 100644 --- a/templates/shared_services/firewall/terraform/variables.tf +++ b/templates/shared_services/firewall/terraform/variables.tf @@ -27,3 +27,8 @@ variable "firewall_sku" { type = string default = "" } + +variable "firewall_force_tunnel_ip" { + type = string + default = "" +} From 65fcaffc652dd855f0393cc17d4309201b67c194 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 31 Dec 2024 23:24:54 +0000 Subject: [PATCH 02/18] fix linting issues --- docs/tre-admins/configure-firewall-force-tunneling.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index 2e175ee624..b84a4b5ca4 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md @@ -1,10 +1,10 @@ -# Forced Tunneling to External Firewall in TRE +# Forced Tunneling to External Firewall in TRE Forced tunneling ensures that all traffic from TRE is routed through a specific external firewall. This guarantees that all data passes through the firewall for inspection, control, or further processing before reaching its destination. To route TRE’s traffic through an external firewall: -##1. Set the rp_bundle_values Parameter in the config.yaml file +## 1. Set the rp_bundle_values Parameter in the config.yaml file Provide the external firewall's IP address: ```json 
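Review bot: `variable "firewall_force_tunnel_ip"` accepts any string, yet routetable.tf earlier in this patch uses it verbatim as `next_hop_in_ip_address` of a 0.0.0.0/0 route; a typo or a value carrying a CIDR suffix is rejected only by the Azure API at apply time, after the plan has been approved, and the empty string is the one sentinel that disables the feature. A `validation` block catches bad input at plan time and a `description` records the contract the rest of the series relies on; the rewritten variable is below. The `firewall_sku` variable shown as context begins outside the hunk.
```hcl
variable "firewall_force_tunnel_ip" {
  type        = string
  default     = ""
  description = "Optional IP address of an external firewall. When non-empty, a 0.0.0.0/0 route to this address is attached to the firewall subnet and the firewall gets a management IP configuration."

  validation {
    # Empty disables forced tunneling; otherwise require a bare host address (no prefix length).
    condition     = var.firewall_force_tunnel_ip == "" || can(cidrhost("${var.firewall_force_tunnel_ip}/32", 0))
    error_message = "firewall_force_tunnel_ip must be empty or a valid IP address without a prefix length."
  }
}
```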
@@ -12,7 +12,7 @@ rp_bundle_values: '{"firewall_force_tunnel_ip":"10.0.0.4"}' ``` This automatically creates a route table to direct TRE’s traffic to the specified IP and deploys a public IP for firewall management. -##2. Manually Connect TRE to Your Firewall +## 2. Manually Connect TRE to Your Firewall Configure connectivity between TRE’s VNet and your external firewall using one of the following methods: 1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. From 20c4349d486703875a58e37683e2d60908fe163d Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 31 Dec 2024 23:28:10 +0000 Subject: [PATCH 03/18] refine doc --- docs/tre-admins/configure-firewall-force-tunneling.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index b84a4b5ca4..316f2c447a 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md @@ -2,7 +2,7 @@ Forced tunneling ensures that all traffic from TRE is routed through a specific external firewall. This guarantees that all data passes through the firewall for inspection, control, or further processing before reaching its destination. -To route TRE’s traffic through an external firewall: +To setup forced tunneling to an external firewall, follow these steps: ## 1. Set the rp_bundle_values Parameter in the config.yaml file Provide the external firewall's IP address: 
@@ -10,7 +10,7 @@ Provide the external firewall's IP address: ```json rp_bundle_values: '{"firewall_force_tunnel_ip":"10.0.0.4"}' ``` -This automatically creates a route table to direct TRE’s traffic to the specified IP and deploys a public IP for firewall management. +This automatically creates a route table to direct TRE’s traffic to the specified IP. ## 2. Manually Connect TRE to Your Firewall Configure connectivity between TRE’s VNet and your external firewall using one of the following methods: From 60f3106f90e574164bfea0e2039964d152b01dd7 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Wed, 1 Jan 2025 10:42:10 +0000 Subject: [PATCH 04/18] rename force tunnel route --- templates/shared_services/firewall/terraform/routetable.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf index 0c38dd6c9a..23202788eb 100644 --- a/templates/shared_services/firewall/terraform/routetable.tf +++ b/templates/shared_services/firewall/terraform/routetable.tf @@ -99,7 +99,7 @@ resource "azurerm_route_table" "fw_tunnel_rt" { lifecycle { ignore_changes = [tags] } route { - name = "DefaultRoute" + name = "ForceTunnelRoute" address_prefix = "0.0.0.0/0" next_hop_type = "VirtualAppliance" next_hop_in_ip_address = var.firewall_force_tunnel_ip From 4b36db6b64a33ef5d423906be8bbb5bcb3d7dfd3 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 6 Jan 2025 14:05:23 +0000 Subject: [PATCH 05/18] add variables to schema --- .../shared_services/firewall/parameters.json | 6 + .../firewall/template_schema.json | 634 +++++++++--------- 2 files changed, 331 insertions(+), 309 deletions(-) diff --git a/templates/shared_services/firewall/parameters.json b/templates/shared_services/firewall/parameters.json index 7883f0aa13..6a1df98da8 100755 --- a/templates/shared_services/firewall/parameters.json +++ b/templates/shared_services/firewall/parameters.json 
@@ -63,6 +63,12 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "firewall_force_tunnel_ip", + "source": { + "env": "FIREWALL_FORCE_TUNNEL_IP" + } } ] } diff --git a/templates/shared_services/firewall/template_schema.json b/templates/shared_services/firewall/template_schema.json index cd3aab13b3..23b0f8a526 100644 --- a/templates/shared_services/firewall/template_schema.json +++ b/templates/shared_services/firewall/template_schema.json 
@@ -6,111 +6,127 @@ "description": "Provides Firewall shared service", "required": [], "properties": { + "firewall_sku": { + "type": "string", + "title": "Firewall SKU", + "description": "The SKU that will be used when deploying The Firewall.", + "default": "Standard", + "enum": [ + "Basic", + "Standard", + "Premium" + ] + }, + "firewall_force_tunnel_ip": { + "type": "string", + "title": "Force Tunnel IP", + "description": "Optionally specify an IP address to forward all traffic to" + }, "rule_collections": { - "$id": "#properties/rule_collections", - "title": "application rule collections", - "type": "array", - "default": [], + "$id": "#properties/rule_collections", + "title": "application rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.*$" - }, - "description": { - "title": "description", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": 
"object", - "required": [ - "port", - "type" - ], - "properties": { - "port": { - "title": "port", - "type": "string", - "examples": [ - "1234" - ], - "pattern": "^.*$" - }, - "type": { - "title": "type", - "type": "string", + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.*$" + }, + "description": { + "title": "description", + "type": "string", + "default": "", + "examples": [ + "My rule description here" + ], + "pattern": "^.*$" + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "port", + "type" + ], + "properties": { + "port": { + "title": "port", + "type": "string", + "examples": [ + "1234" + ], + "pattern": "^.*$" + }, + "type": { + "title": "type", + "type": "string", "enum": [ "Http", "Https", "Mssql" ], - "examples": [ - "Http" - ] - } - } - } - }, + "examples": [ + "Http" + ] + } + } + } + }, "fqdn_tags": { - "title": "fqdn tags", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "enum":[ + "title": "fqdn tags", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "enum": [ "AppServiceEnvironment", "AzureBackup", "AzureKubernetesService", 
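Review bot: The `firewall_force_tunnel_ip` property added at the top of `properties` has no `default` and no constraint, whereas the sibling `firewall_sku` added beside it gets both a `default` and an `enum`, and the Terraform variable behind it treats `""` as disabled. Without `"default": ""` a form that serialises this schema may omit the key or send null, and a malformed address is only caught at apply time; consider `"default": ""` plus a `"pattern"` allowing an empty string or a dotted-quad, in the style of the `"pattern"` constraints already used lower in this schema. The `"default": "Standard"` on `firewall_sku` also differs from the `""` default of the Terraform `firewall_sku` variable visible as context in variables.tf earlier in this series; whether a UI-supplied `"Standard"` changes what `local.effective_firewall_sku` computes is not visible here and worth confirming. Separately, bundling a whole-file re-indent with the two functional properties makes this 634-line diff hard to review; a whitespace-only commit first would isolate the change.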
@@ -120,246 +136,246 @@ "WindowsUpdate", "WindowsVirtualDesktop" ], - "examples": [ - "AzureKubernetesService" - ] - } - }, - "target_fqdns": { - "title": "destination fqdns", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "examples": [ + "AzureKubernetesService" + ] + } + }, + "target_fqdns": { + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "ip_group_name_in_core_resource_group" - ] - } - } - } - } - } - } - } + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "ip_group_name_in_core_resource_group" + ] + } + } + } + } + } + } + } }, "network_rule_collections": { - "$id": 
"#properties/network_rule_collections", - "title": "network rule collections", - "type": "array", - "default": [], + "$id": "#properties/network_rule_collections", + "title": "network rule collections", + "type": "array", + "default": [], "updateable": true, - "items":{ - "title": "items", - "type": "object", - "required": [ - "name", - "rules" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "my-rule" - ], - "pattern": "^.*$" - }, - "action": { - "title": "action DEPRECATED", - "type": "string", - "examples": [ - "Allow" - ], + "items": { + "title": "items", + "type": "object", + "required": [ + "name", + "rules" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "my-rule" + ], + "pattern": "^.*$" + }, + "action": { + "title": "action DEPRECATED", + "type": "string", + "examples": [ + "Allow" + ], "enum": [ "Allow", "Deny" ] }, - "rules": { - "title": "rules", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "title": "name", - "type": "string", - "examples": [ - "rule 1" - ], - "pattern": "^.{5,80}$" - }, - "description": { - "title": "description DEPRECATED", - "type": "string", - "default": "", - "examples": [ - "My rule description here" - ], - "pattern": "^.*$" - }, - "source_addresses": { - "title": "source addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "rules": { + "title": "rules", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "title": "name", + "type": "string", + "examples": [ + "rule 1" + ], + "pattern": "^.{5,80}$" + }, + "description": { + "title": "description DEPRECATED", + "type": "string", + "default": "", + "examples": [ + "My rule description 
here" + ], + "pattern": "^.*$" + }, + "source_addresses": { + "title": "source addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "source_ip_group_ids": { - "title": "source ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "source ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "source_ip_groups_in_core": { - "title": "source ip group names in core", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_name" - ] - } - }, - "destination_addresses": { - "title": "destination addresses", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "172.196.0.0" - ] - } - }, + "title": "source ip group names in core", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_name" + ] + } + }, + "destination_addresses": { + "title": "destination addresses", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "172.196.0.0" + ] + } + }, "destination_ip_group_ids": { - "title": "destination ip group ids", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "some_ip_group_id" - ] - } - }, + "title": "destination ip group ids", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "some_ip_group_id" + ] + } + }, "destination_fqdns": { - "title": "destination fqdns", - "type": 
"array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "one.two.three.com" - ] - } - }, + "title": "destination fqdns", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "one.two.three.com" + ] + } + }, "destination_ports": { - "title": "destination ports", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", - "default": "", - "examples": [ - "80", + "title": "destination ports", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", + "default": "", + "examples": [ + "80", "443", "*" - ] - } - }, - "protocols": { - "title": "protocols", - "type": "array", - "default": [], - "items":{ - "title": "items", - "type": "string", + ] + } + }, + "protocols": { + "title": "protocols", + "type": "array", + "default": [], + "items": { + "title": "items", + "type": "string", "enum": [ "Any", "ICMP", "TCP", "UDP" ], - "examples": [ - "TCP" - ] - } - } - } - } - } - } - } + "examples": [ + "TCP" + ] + } + } + } + } + } + } + } } } } From f7bc6a685cd04eda28c60bb68b09a6ce45a437f3 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 6 Jan 2025 16:16:50 +0000 Subject: [PATCH 06/18] fix github actions --- .github/workflows/build_validation_develop.yml | 5 +++++ .github/workflows/codeql-analysis.yml | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index c44cba4b9d..0a545a7437 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml 
@@ -51,6 +51,11 @@ jobs: terraform_workspace_services: - templates/workspace_services/**/terraform/**/*.tf + + - uses: hashicorp/setup-terraform@v3 + if: ${{ steps.filter.outputs.terraform == 'true' }} + with: + terraform_version: "1.9.8" - name: Terraform format check if: ${{ steps.filter.outputs.terraform == 'true' }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 176b3b6a39..92327b53ff 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,13 +12,13 @@ # name: "CodeQL" -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy push: branches: [main] pull_request: branches: [main] schedule: - - cron: '41 3 * * 5' + - cron: "41 3 * * 5" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones @@ -29,7 +29,7 @@ concurrency: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: actions: read contents: read @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - language: ['python', 'java', 'javascript', 'typescript'] + language: ["python", "java", "javascript", "typescript"] steps: - name: Checkout repository From a8f31adfa468dabcefa6963cd42e281c518fe98a Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 6 Jan 2025 16:33:33 +0000 Subject: [PATCH 07/18] add warning to fw force tunnel doc --- docs/tre-admins/configure-firewall-force-tunneling.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index 316f2c447a..fb00d68bb5 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
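Review bot: The new `hashicorp/setup-terraform@v3` step pins the action by a mutable major tag; for a workflow that runs on every pull request, pinning to a full commit SHA with the tag in a trailing comment (`uses: hashicorp/setup-terraform@<full commit sha> # v3`) removes the exposure to a tag being moved, and Dependabot or Renovate keep the comment current. If the other steps in this workflow, which are not visible here, pin by tag, at least apply one policy consistently. The step also lacks a `name:`, unlike its sibling `Terraform format check`; `name: Setup Terraform` keeps the job log readable. The codeql-analysis.yml hunks on this line are quoting and runner-label changes only.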
@@ -18,3 +18,6 @@ Configure connectivity between TRE’s VNet and your external firewall using one 1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. 1. **ExpressRoute**: Use a private connection for firewalls located on-premises. 1. **Site-to-Site VPN**: Establish a VPN connection as an alternative. + +!!! warning + To ensure workspace-level rules can be created when TRE workspaces are provisioned without manual intervention, we highly recommend leaving the Azure TRE firewall in place. However, if all traffic must pass through a centralized enterprise firewall, forced tunneling should be configured. This enterprise firewall must also include a superset of the rules used by the TRE firewall. From e209d70158dd2ab31f3eb250f7416f6b68bc1580 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 6 Jan 2025 16:40:54 +0000 Subject: [PATCH 08/18] refine doc --- docs/tre-admins/configure-firewall-force-tunneling.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index fb00d68bb5..d6d73d75b2 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
@@ -1,6 +1,6 @@ # Forced Tunneling to External Firewall in TRE -Forced tunneling ensures that all traffic from TRE is routed through a specific external firewall. This guarantees that all data passes through the firewall for inspection, control, or further processing before reaching its destination. +Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need needs a superset of rules used by the TRE. To setup forced tunneling to an external firewall, follow these steps: @@ -18,6 +18,3 @@ Configure connectivity between TRE’s VNet and your external firewall using one 1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet. 1. **ExpressRoute**: Use a private connection for firewalls located on-premises. 1. **Site-to-Site VPN**: Establish a VPN connection as an alternative. - -!!! warning - To ensure workspace-level rules can be created when TRE workspaces are provisioned without manual intervention, we highly recommend leaving the Azure TRE firewall in place. However, if all traffic must pass through a centralized enterprise firewall, forced tunneling should be configured. This enterprise firewall must also include a superset of the rules used by the TRE firewall. From f34e670bf505c79ae7cc05a6d54369bd104477e8 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 6 Jan 2025 16:46:57 +0000 Subject: [PATCH 09/18] fix linting errors --- docs/tre-admins/configure-firewall-force-tunneling.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index d6d73d75b2..93a48eb8eb 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md @@ -1,6 +1,7 @@ # Forced Tunneling to External Firewall in TRE -Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need needs a superset of rules used by the TRE. +Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. +It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need needs a superset of rules used by the TRE. To setup forced tunneling to an external firewall, follow these steps: From 48b972468337534b7c9e6460087abedc9773543c Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 7 Jan 2025 16:18:24 +0000 Subject: [PATCH 10/18] send firewall props through makefile command --- Makefile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 78e89c76f4..73d93c80f0 100644 --- a/Makefile +++ b/Makefile 
@@ -309,8 +309,10 @@ deploy-shared-service:
 && ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS}
 
 firewall-install:
- $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
- DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service
+ . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
+ && $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
+ DIR=${MAKEFILE_DIR}/templates/shared_services/firewall2/ BUNDLE_TYPE=shared_service \
+ PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }"
 
 static-web-upload:
 $(call target_title, "Uploading to static website") \
From 0d12fb1aa9c3285da2ba756df9982de98363a178 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Tue, 7 Jan 2025 16:20:09 +0000
Subject: [PATCH 11/18] update doc
---
 docs/tre-admins/configure-firewall-force-tunneling.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md
index 93a48eb8eb..3e44477b4b 100644
--- a/docs/tre-admins/configure-firewall-force-tunneling.md
+++ b/docs/tre-admins/configure-firewall-force-tunneling.md
@@ -5,11 +5,11 @@ It is highly recommend leaving the Azure TRE firewall in place. If there is stil To setup forced tunneling to an external firewall, follow these steps: -## 1. Set the rp_bundle_values Parameter in the config.yaml file +## 1. Set the firewall_force_tunnel_ip parameter in the config.yaml file Provide the external firewall's IP address: ```json -rp_bundle_values: '{"firewall_force_tunnel_ip":"10.0.0.4"}' +firewall_force_tunnel_ip: 192.168.0.4 ``` This automatically creates a route table to direct TRE’s traffic to the specified IP.
From b7ce67c180fb1dc2f4158263ff21e0c7360adba6 Mon Sep 17 00:00:00 2001
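Review bot: In the firewall-install recipe of the Makefile hunk (PATCH 10), `$${FIREWALL_SKU+…}` and `$${FIREWALL_FORCE_TUNNEL_IP+…}` emit the flag whenever the variable is set, including when it is set to an empty string, so an exported-but-blank FIREWALL_FORCE_TUNNEL_IP hands deploy_shared_service.sh a bare `--firewall_force_tunnel_ip` with no value, and the failure then surfaces somewhere inside the bundle rather than here. The set-and-non-empty form avoids that: `PROPS="$${FIREWALL_SKU:+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP:+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }"`. Whether a blank value can actually reach this line depends on how check_dependencies.sh env exports config values, which is not visible in this series. The value is also word-split twice (once here, once by the unquoted `$${PROPS}` in deploy-shared-service at the top of the hunk) and, per the doc hunk in PATCH 11, becomes the next hop of a route table for all TRE traffic, so a cheap format check before the make call (rejecting anything that is not a dotted-quad address) would turn a typo into an early, local failure instead of a deployed route to the wrong address. The `firewall2/` path on the DIR line is corrected in PATCH 13.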
From: Yuval Yaron
Date: Tue, 7 Jan 2025 16:21:33 +0000
Subject: [PATCH 12/18] update config.yaml.sample
---
 config.sample.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config.sample.yaml b/config.sample.yaml
index 44777e89a3..2ea21cef85 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -46,6 +46,7 @@ tre: # The TRE Web UI is deployed by default. # Uncomment the following to disable deployment of the Web UI. # deploy_ui: false + # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2
From 642af82e3d56afbb1ad079201fb439b3b454303d Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Tue, 7 Jan 2025 16:24:22 +0000
Subject: [PATCH 13/18] remove typo
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 73d93c80f0..1de6bf6a8f 100644
--- a/Makefile
+++ b/Makefile
@@ -311,7 +311,7 @@ deploy-shared-service:
 firewall-install:
 . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
 && $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
- DIR=${MAKEFILE_DIR}/templates/shared_services/firewall2/ BUNDLE_TYPE=shared_service \
+ DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service \
 PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }"
 
 static-web-upload:
From 1b0d9ee90c41d3cbc15fc21dd12701211ae84f96 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Tue, 7 Jan 2025 16:43:14 +0000
Subject: [PATCH 14/18] shorten comment
---
 config.sample.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.sample.yaml b/config.sample.yaml
index 2ea21cef85..cc1eca7c14 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
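Review bot: The new `# firewall_force_tunnel_ip: __CHANGE_ME__` line in the config.sample.yaml hunk (PATCH 12) has no description, while the neighbouring optional keys in this file each carry a one-line comment (`deploy_ui` just above it, `external_key_store_id` and `encryption_kv_name` in the PATCH 14 hunk). Since setting this one value reroutes all TRE traffic to that address (per the doc hunk in PATCH 11), a reader of the sample should learn that from the sample itself; suggest adding above it `# IP address of an external firewall to force-tunnel all TRE traffic through; leave unset to keep the TRE-managed Azure Firewall as the egress point (see docs/tre-admins/configure-firewall-force-tunneling.md)`. It would also be worth stating in that comment that the external firewall must carry a superset of the TRE firewall's rules, as the doc hunk in PATCH 16 says, because nothing visible in this series checks that at deploy time.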
@@ -10,7 +10,7 @@ management: acr_name: __CHANGE_ME__ # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true) # external_key_store_id: __CHANGE_ME__ - # Name of Key Vault for encryption keys, required only if enable_cmk_encryption is true and not using external_key_store_id + # Name of Key Vault for encryption keys, required if enable_cmk_encryption is true and external_key_store_id is not set # encryption_kv_name: __CHANGE_ME__ # Azure Resource Manager credentials used for CI/CD pipelines arm_subscription_id: __CHANGE_ME__ From 19f12fd1fbe14e8d955661ec78164448f474d47d Mon Sep 17 00:00:00 2001 From: Yuval Yaron <43217306+yuvalyaron@users.noreply.github.com> Date: Tue, 7 Jan 2025 18:48:25 +0200 Subject: [PATCH 15/18] Update docs/tre-admins/configure-firewall-force-tunneling.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/tre-admins/configure-firewall-force-tunneling.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index 3e44477b4b..f716e86c16 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
@@ -1,7 +1,7 @@ # Forced Tunneling to External Firewall in TRE Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. -It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need needs a superset of rules used by the TRE. +It is highly recommended to leave the Azure TRE firewall in place. To setup forced tunneling to an external firewall, follow these steps: From 46973b354ce645fb60a159337de00c9a2b17e414 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 7 Jan 2025 16:54:08 +0000 Subject: [PATCH 16/18] fix typo in docs --- docs/tre-admins/configure-firewall-force-tunneling.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tre-admins/configure-firewall-force-tunneling.md b/docs/tre-admins/configure-firewall-force-tunneling.md index 3e44477b4b..3d3cd44111 100644 --- a/docs/tre-admins/configure-firewall-force-tunneling.md +++ b/docs/tre-admins/configure-firewall-force-tunneling.md 
@@ -1,7 +1,7 @@ # Forced Tunneling to External Firewall in TRE Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention. -It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need needs a superset of rules used by the TRE. +It is highly recommend leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need a superset of rules used by the TRE. To setup forced tunneling to an external firewall, follow these steps: From 549b7d96510d9366da4c4d9e3b6a9e16f4c4e47d Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 7 Jan 2025 17:28:25 +0000 Subject: [PATCH 17/18] fix linting issues --- config.sample.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.sample.yaml b/config.sample.yaml index cc1eca7c14..009f017920 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -10,7 +10,7 @@ management: acr_name: __CHANGE_ME__ # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true) # external_key_store_id: __CHANGE_ME__ - # Name of Key Vault for encryption keys, required if enable_cmk_encryption is true and external_key_store_id is not set + # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set # encryption_kv_name: __CHANGE_ME__ # Azure Resource Manager credentials used for CI/CD pipelines arm_subscription_id: __CHANGE_ME__ From c8d9dbccc7ef187cd642ce4fa0e7530a9b1ec6d7 Mon Sep 17 00:00:00 2001 
From: Yuval Yaron Date: Tue, 7 Jan 2025 17:35:17 +0000 Subject: [PATCH 18/18] fix linting error --- .github/workflows/build_validation_develop.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index 8458fe583d..a9364293d8 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -1,11 +1,11 @@ --- name: Build Validation -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy pull_request: branches: - main - - 'feature/**' + - "feature/**" # for each ref (branch/pr) run just the most recent, # cancel other pending/running ones @@ -51,7 +51,7 @@ jobs: terraform_workspace_services: - templates/workspace_services/**/terraform/**/*.tf - + - uses: hashicorp/setup-terraform@v3 if: ${{ steps.filter.outputs.terraform == 'true' }} with: @@ -117,7 +117,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_core.hcl - FILTER_REGEX_INCLUDE: './core/.*' + FILTER_REGEX_INCLUDE: "./core/.*" - name: Workspace Tags if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }} @@ -128,7 +128,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" - name: Workspace Services Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} 
@@ -139,8 +139,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl - FILTER_REGEX_INCLUDE: './templates/workspaces/.*' - FILTER_REGEX_EXCLUDE: '.*user_resource.*' + FILTER_REGEX_INCLUDE: "./templates/workspaces/.*" + FILTER_REGEX_EXCLUDE: ".*user_resource.*" - name: User Resources Tags if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }} @@ -151,7 +151,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl - FILTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*' + FILTER_REGEX_INCLUDE: "./templates/workspace_services/.*/user_resources/.*" - name: Shared Services Tags if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }} @@ -162,4 +162,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_TERRAFORM_TFLINT: true TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl - FILTER_REGEX_INCLUDE: './templates/shared_services/.*' + FILTER_REGEX_INCLUDE: "./templates/shared_services/.*"