From 5047495ad62472fba218b447d52ea1868cc95079 Mon Sep 17 00:00:00 2001
From: Guy Bertental
Date: Sun, 19 Jan 2025 15:21:01 +0000
Subject: [PATCH 1/6] support managed idendity authentication in azure function binding between airlock and servicebus queue
---
 airlock_processor/_version.py | 2 +-
 airlock_processor/host.json | 4 ++--
 core/terraform/airlock/airlock_processor.tf | 4 ++++
 core/terraform/airlock/variables.tf | 3 +++
 core/terraform/servicebus.tf | 1 +
 5 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
index 777f190df0..8088f75131 100644
--- a/airlock_processor/_version.py
+++ b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.0"
+__version__ = "0.8.1"
diff --git a/airlock_processor/host.json b/airlock_processor/host.json
index 95b6b4b7d6..111d883ee6 100644
--- a/airlock_processor/host.json
+++ b/airlock_processor/host.json
@@ -8,8 +8,8 @@
 }
 }
 },
- "extensionBundle": {
+"extensionBundle": {
 "id": "Microsoft.Azure.Functions.ExtensionBundle",
- "version": "[4.0.0, 5.0.0)"
+ "version": "[4.*, 5.0.0)"
 }
 }
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 80a6968e97..d7d0b719b1 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf 
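Review bot: The replacement `"extensionBundle": {` line in the host.json hunk loses the two-space indent that its sibling `"id"`/`"version"` entries and the closing `}` still carry, so the hunk is a formatting regression on top of the intended version-range change; keep it as `  "extensionBundle": {`. The new range `[4.*, 5.0.0)` is the wildcard form Microsoft documents for the 4.x bundle, so that part reads fine.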
@@ -70,6 +70,10 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 app_settings = {
 "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
+ "SB_CONNECTION_STRING__tenantId" = azurerm_user_assigned_identity.airlock_id.tenant_id
+ "SB_CONNECTION_STRING__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "SB_CONNECTION_STRING__credential" = "managedidentity"
+ "SB_CONNECTION_STRING__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn
 "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
 "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
 "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
index 95e03b4ba4..bb0fad04df 100644
--- a/core/terraform/airlock/variables.tf
+++ b/core/terraform/airlock/variables.tf
@@ -62,6 +62,9 @@ variable "airlock_servicebus" {
 default_primary_connection_string = string
 })
 }
+variable "airlock_servicebus_fqdn" {
+ type = string
+}
 variable "tre_core_tags" {
 type = map(string)
 }
diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
index faef9322d7..e35f612355 100644
--- a/core/terraform/servicebus.tf
+++ b/core/terraform/servicebus.tf
@@ -5,6 +5,7 @@ resource "azurerm_servicebus_namespace" "sb" {
 sku = "Premium"
 premium_messaging_partitions = "1"
 capacity = "1"
+ local_auth_enabled = false
 tags = local.tre_core_tags
 # Block public access
From ab18f686e83a14c0fd58159b113a7212161195e8 Mon Sep 17 00:00:00 2001
From: Guy Bertental
Date: Sun, 19 Jan 2025 15:21:32 +0000
Subject: [PATCH 2/6] Add FQDN for Airlock Service Bus in Terraform configuration and disable local auth
---
 core/terraform/main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index 49693884c1..4d6d910257 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf 
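Review bot: After this hunk the function app carries both the SAS connection string in `SB_CONNECTION_STRING` and the identity settings `SB_CONNECTION_STRING__*`, while the servicebus.tf hunk in the same commit sets `local_auth_enabled = false`; as far as I know the Functions host prefers a bare connection setting over the `__`-suffixed identity settings when both exist, so at this commit the binding would still present a SAS token that the namespace now rejects. Patch 5/6 in the series removes the connection-string line, so either squash that removal into this commit or drop `"SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string` here so the intermediate revision is deployable and the SAS key stops being materialised in app settings. Identity-based bindings also need `azurerm_user_assigned_identity.airlock_id` to hold a Service Bus data-plane role (Azure Service Bus Data Receiver for these triggers) on the namespace; no role assignment appears in this series, so please confirm one exists elsewhere. The `azurerm_linux_function_app` resource block starts and ends outside the hunk.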
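Review bot: The new `airlock_servicebus_fqdn` variable has no `description`, and its expected format matters because the value lands in a `__fullyQualifiedNamespace` app setting, which takes a bare hostname (no scheme or port) rather than a URL. Add `description = "Fully qualified hostname of the airlock Service Bus namespace (bare host, no scheme), used by the identity-based Functions bindings"` to the block so callers in main.tf know what to pass.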
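Review bot: `local_auth_enabled = false` is a namespace-wide switch, not an airlock-only one: any other client of `azurerm_servicebus_namespace.sb` that still authenticates with a SAS connection string (anything else consuming `default_primary_connection_string`, if such callers exist) will start failing once this applies, and nothing in this series shows those callers being moved to identity-based auth. Please confirm the remaining consumers already use Entra ID credentials before this lands, and record the intent on the line, e.g. `local_auth_enabled = false # SAS keys disabled; every client must authenticate with a managed identity`. The `azurerm_servicebus_namespace` resource block starts and ends outside the hunk.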
@@ -132,6 +132,7 @@ module "airlock_resources" {
 airlock_app_service_plan_sku = var.core_app_service_plan_sku
 airlock_processor_subnet_id = module.network.airlock_processor_subnet_id
 airlock_servicebus = azurerm_servicebus_namespace.sb
+ airlock_servicebus_fqdn = azurerm_servicebus_namespace.sb.endpoint
 applicationinsights_connection_string = module.azure_monitor.app_insights_connection_string
 enable_malware_scanning = var.enable_airlock_malware_scanning
 arm_environment = var.arm_environment
From 7ad89d48263d4d5486a0b7bf669fd1706d97c282 Mon Sep 17 00:00:00 2001
From: Guy Bertental
Date: Sun, 19 Jan 2025 15:37:11 +0000
Subject: [PATCH 3/6] Refactor app settings in Airlock function app for improved readability
---
 core/terraform/airlock/airlock_processor.tf | 40 ++++++++++-----------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index d7d0b719b1..37d82031ed 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf 
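Review bot: `azurerm_servicebus_namespace.sb.endpoint` is documented by the azurerm provider as the namespace URL (of the form `https://<name>.servicebus.windows.net:443/`), yet the added line passes it as `airlock_servicebus_fqdn`, which ends up in the `__fullyQualifiedNamespace` app setting that the Service Bus extension expects to be a bare hostname. Unless the host tolerates a URL there, which I have not verified, the identity-based binding will fail to resolve the namespace; derive the host explicitly, e.g. `airlock_servicebus_fqdn = regex("^https?://([^:/]+)", azurerm_servicebus_namespace.sb.endpoint)[0]` (constructed example — check it against the real attribute value). The `module "airlock_resources"` block starts and ends outside the hunk.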
@@ -69,27 +69,27 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 }
 app_settings = {
- "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
- "SB_CONNECTION_STRING__tenantId" = azurerm_user_assigned_identity.airlock_id.tenant_id
- "SB_CONNECTION_STRING__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
- "SB_CONNECTION_STRING__credential" = "managedidentity"
+ "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
+ "SB_CONNECTION_STRING__tenantId" = azurerm_user_assigned_identity.airlock_id.tenant_id
+ "SB_CONNECTION_STRING__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "SB_CONNECTION_STRING__credential" = "managedidentity"
 "SB_CONNECTION_STRING__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn
- "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
- "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
- "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
- "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
- "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
- "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
- "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
- "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
- "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
- "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
- "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
- "ARM_ENVIRONMENT" = var.arm_environment
- "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
- "TRE_ID" = var.tre_id
- "WEBSITE_CONTENTOVERVNET" = 1
- "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
+ "BLOB_CREATED_TOPIC_NAME" = 
azurerm_servicebus_topic.blob_created.name
+ "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
+ "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
+ "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
+ "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
+ "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
+ "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
+ "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
+ "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
+ "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
+ "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
+ "ARM_ENVIRONMENT" = var.arm_environment
+ "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
+ "TRE_ID" = var.tre_id
+ "WEBSITE_CONTENTOVERVNET" = 1
+ "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
 }
 site_config {
From 30f3151e2b242cf643998ccb2d18d47dea7fafc3 Mon Sep 17 00:00:00 2001
From: Guy Bertental
Date: Mon, 20 Jan 2025 08:07:25 +0000
Subject: [PATCH 4/6] Add entry to CHANGELOG for disabling local authentication in ServiceBus
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fcc8d8b3f6..613e9285c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md 
@@ -34,6 +34,7 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Disable local authentication in ServiceBus ([#4259](https://github.com/microsoft/AzureTRE/issues/4259))
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
From 228de03526243dd41b64b3b869b49abc2afce03d Mon Sep 17 00:00:00 2001
From: Guy Bertental
Date: Mon, 20 Jan 2025 08:26:06 +0000
Subject: [PATCH 5/6] - update SB connection string to use service bus connection name. - reuse that name as prefix with local var
---
 .../BlobCreatedTrigger/function.json | 2 +-
 .../DataDeletionTrigger/function.json | 2 +-
 .../ScanResultTrigger/function.json | 2 +-
 .../StatusChangedQueueTrigger/function.json | 2 +-
 core/terraform/airlock/airlock_processor.tf | 42 +++++++++----------
 core/terraform/airlock/locals.tf | 2 +
 6 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/airlock_processor/BlobCreatedTrigger/function.json b/airlock_processor/BlobCreatedTrigger/function.json
index 5bde252c39..cc68827414 100644
--- a/airlock_processor/BlobCreatedTrigger/function.json
+++ b/airlock_processor/BlobCreatedTrigger/function.json
@@ -8,7 +8,7 @@
 "direction": "in",
 "topicName": "%BLOB_CREATED_TOPIC_NAME%",
 "subscriptionName": "%TOPIC_SUBSCRIPTION_NAME%",
- "connection": "SB_CONNECTION_STRING"
+ "connection": "SERVICEBUS_CONNECTION"
 },
 {
 "type": "eventGrid",
diff --git a/airlock_processor/DataDeletionTrigger/function.json b/airlock_processor/DataDeletionTrigger/function.json
index 2b2bb580da..a6eb88ce28 100644
--- a/airlock_processor/DataDeletionTrigger/function.json
+++ b/airlock_processor/DataDeletionTrigger/function.json 
@@ -7,7 +7,7 @@
 "type": "serviceBusTrigger",
 "direction": "in",
 "queueName": "%AIRLOCK_DATA_DELETION_QUEUE_NAME%",
- "connection": "SB_CONNECTION_STRING"
+ "connection": "SERVICEBUS_CONNECTION"
 }
 ]
 }
diff --git a/airlock_processor/ScanResultTrigger/function.json b/airlock_processor/ScanResultTrigger/function.json
index 4dee63e389..9d6fa95b01 100644
--- a/airlock_processor/ScanResultTrigger/function.json
+++ b/airlock_processor/ScanResultTrigger/function.json
@@ -7,7 +7,7 @@
 "type": "serviceBusTrigger",
 "direction": "in",
 "queueName": "%AIRLOCK_SCAN_RESULT_QUEUE_NAME%",
- "connection": "SB_CONNECTION_STRING"
+ "connection": "SERVICEBUS_CONNECTION"
 },
 {
 "type": "eventGrid",
diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
index c5e7be3356..2878f4b8d3 100644
--- a/airlock_processor/StatusChangedQueueTrigger/function.json
+++ b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -6,7 +6,7 @@
 "type": "serviceBusTrigger",
 "direction": "in",
 "queueName": "%AIRLOCK_STATUS_CHANGED_QUEUE_NAME%",
- "connection": "SB_CONNECTION_STRING"
+ "connection": "SERVICEBUS_CONNECTION"
 },
 {
 "type": "eventGrid",
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 37d82031ed..0c6c2379d7 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf 
@@ -69,27 +69,27 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 }
 app_settings = {
- "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
- "SB_CONNECTION_STRING__tenantId" = azurerm_user_assigned_identity.airlock_id.tenant_id
- "SB_CONNECTION_STRING__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
- "SB_CONNECTION_STRING__credential" = "managedidentity"
- "SB_CONNECTION_STRING__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn
- "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
- "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
- "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
- "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
- "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
- "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
- "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
- "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
- "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
- "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
- "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
- "ARM_ENVIRONMENT" = var.arm_environment
- "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
- "TRE_ID" = var.tre_id
- "WEBSITE_CONTENTOVERVNET" = 1
- "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
+ "SERVICEBUS_CONNECTION" = local.servicebus_connection
+ "${local.servicebus_connection}__tenantId" = azurerm_user_assigned_identity.airlock_id.tenant_id
+ "${local.servicebus_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "${local.servicebus_connection}__credential" = "managedidentity"
+ 
"${local.servicebus_connection}__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn + "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name + "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name + "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint + "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key + "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint + "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key + "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false + "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name + "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name + "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name + "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning + "ARM_ENVIRONMENT" = var.arm_environment + "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id + "TRE_ID" = var.tre_id + "WEBSITE_CONTENTOVERVNET" = 1 + "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix } site_config { diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf index 3bc09392b6..88bb352681 100644 --- a/core/terraform/airlock/locals.tf +++ b/core/terraform/airlock/locals.tf @@ -60,4 +60,6 @@ locals { azurerm_storage_account.sa_import_in_progress.id, azurerm_storage_account.sa_export_approved.id ] + + servicebus_connection = "SB_CONNECTION_STRING" } From e1a2a746ff2d302603b6b8f319067f31daf8b941 Mon Sep 17 00:00:00 2001 From: Guy Bertental Date: Mon, 20 Jan 2025 15:27:38 +0000 Subject: [PATCH 6/6] update service bus connection string variable for clarity --- core/terraform/airlock/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
index 88bb352681..202ee8943c 100644
--- a/core/terraform/airlock/locals.tf
+++ b/core/terraform/airlock/locals.tf
@@ -61,5 +61,5 @@ locals {
 azurerm_storage_account.sa_export_approved.id
 ]
- servicebus_connection = "SB_CONNECTION_STRING"
+ servicebus_connection = "SERVICEBUS_CONNECTION"
 }