diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
index e775bed80b..99b9c7e4d0 100644
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@@ -863,3 +863,4 @@ jobs:
 with:
 junit_files: "artifacts/**/*.xml"
 check_name: "E2E Test Results"
+ comment_mode: off
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b9113b73a..f6ea6de28e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,7 @@ ENHANCEMENTS:
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 * Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
+* Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/airlock_processor/BlobCreatedTrigger/function.json b/airlock_processor/BlobCreatedTrigger/function.json
index 5bde252c39..5a652a8eff 100644
--- a/airlock_processor/BlobCreatedTrigger/function.json
+++ b/airlock_processor/BlobCreatedTrigger/function.json
@@ -13,15 +13,13 @@
 {
 "type": "eventGrid",
 "name": "stepResultEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 },
 {
 "type": "eventGrid",
 "name": "dataDeletionEvent",
- "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
 "direction": "out"
 }
 ]
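Review bot: The added `comment_mode: off` is an unquoted YAML scalar, and under a YAML 1.1 reading `off` is a boolean, so the action may receive `false` rather than the string `off` depending on the parser in use. GitHub's workflow parser appears to pass it through as a string, but quoting removes the ambiguity and matches the other string inputs on the surrounding lines: `comment_mode: "off"`. The enclosing step starts outside the hunk.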
diff --git a/airlock_processor/ScanResultTrigger/function.json b/airlock_processor/ScanResultTrigger/function.json
index 4dee63e389..32758cea1c 100644
--- a/airlock_processor/ScanResultTrigger/function.json
+++ b/airlock_processor/ScanResultTrigger/function.json
@@ -12,8 +12,7 @@
 {
 "type": "eventGrid",
 "name": "outputEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 }
 ]
diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
index c5e7be3356..f686eca80a 100644
--- a/airlock_processor/StatusChangedQueueTrigger/function.json
+++ b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -11,15 +11,13 @@
 {
 "type": "eventGrid",
 "name": "stepResultEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 },
 {
 "type": "eventGrid",
 "name": "dataDeletionEvent",
- "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
 "direction": "out"
 }
 ]
diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
index 777f190df0..8088f75131 100644
--- a/airlock_processor/_version.py
+++ b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.0"
+__version__ = "0.8.1"
diff --git a/airlock_processor/run_tests_and_exit_succesfully.sh b/airlock_processor/run_tests_and_exit_succesfully.sh
index 0b50ba6067..12884a743d 100755
--- a/airlock_processor/run_tests_and_exit_succesfully.sh
+++ b/airlock_processor/run_tests_and_exit_succesfully.sh
@@ -6,6 +6,6 @@ rm -f ../test-results/pytest_airlock_processor*
 mkdir -p ../test-results
-if ! pytest --junit-xml ../test-results/pytest_airlock_processor_unit.xml --ignore e2e_tests; then
+if ! python -m pytest --junit-xml ../test-results/pytest_airlock_processor_unit.xml --ignore e2e_tests; then
 touch ../test-results/pytest_airlock_processor_unit_failed
 fi
diff --git a/api_app/_version.py b/api_app/_version.py
index 8815fb52f3..8b8252f484 100644
--- a/api_app/_version.py
+++ b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.20.3"
+__version__ = "0.20.4"
diff --git a/api_app/run_tests_and_exit_succesfully.sh b/api_app/run_tests_and_exit_succesfully.sh
index 34873d4c16..311a59f2d1 100755
--- a/api_app/run_tests_and_exit_succesfully.sh
+++ b/api_app/run_tests_and_exit_succesfully.sh
@@ -6,6 +6,6 @@ rm -f ../test-results/pytest_api*
 mkdir -p ../test-results
-if ! pytest --junit-xml ../test-results/pytest_api_unit.xml --ignore e2e_tests -W ignore::pytest.PytestUnraisableExceptionWarning -W ignore::DeprecationWarning; then
+if ! python -m pytest --junit-xml ../test-results/pytest_api_unit.xml --ignore e2e_tests -W ignore::pytest.PytestUnraisableExceptionWarning -W ignore::DeprecationWarning; then
 touch ../test-results/pytest_api_unit_failed
 fi
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index a95bf54eaa..ccb36b81bb 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
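Review bot: Switching the `if !` line from `pytest` to `python -m pytest` does more than pick a different launcher: `-m` also puts the working directory on `sys.path`, which changes how the tests' imports resolve, and that is presumably the reason for the change, but nothing in the script records it. A one-line comment above the `if` would keep a later cleanup from reverting it, e.g. `# python -m pytest also adds the current directory to sys.path so local packages import without being installed`. The same applies to the api_app/run_tests_and_exit_succesfully.sh hunk below.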
@@ -66,25 +66,31 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 }
 
 app_settings = {
- "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
- "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
- "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
- "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
- "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
- "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
- "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
- "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
- "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
- "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
- "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
- "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
- "ARM_ENVIRONMENT" = var.arm_environment
- "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
- "TRE_ID" = var.tre_id
- "WEBSITE_CONTENTOVERVNET" = 1
- "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
- "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
- "AzureWebJobsStorage__credential" = "managedidentity"
+ "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
+ "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
+ "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
+ "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
+ "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
+ "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
+ "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
+ "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
+ "ARM_ENVIRONMENT" = var.arm_environment
+ "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
+ "TRE_ID" = var.tre_id
+ "WEBSITE_CONTENTOVERVNET" = 1
+ "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
+ "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "AzureWebJobsStorage__credential" = "managedidentity"
+
+ "EVENT_GRID_STEP_RESULT_CONNECTION" = local.step_result_eventgrid_connection
+ "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint
+ "${local.step_result_eventgrid_connection}__credential" = "managedidentity"
+ "${local.step_result_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+
+ "EVENT_GRID_DATA_DELETION_CONNECTION" = local.data_deletion_eventgrid_connection
+ "${local.data_deletion_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.data_deletion.endpoint
+ "${local.data_deletion_eventgrid_connection}__credential" = "managedidentity"
+ "${local.data_deletion_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
 }
 
 site_config {
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
index 2b967a6b79..d9faaef013 100644
--- a/core/terraform/airlock/eventgrid_topics.tf
+++ b/core/terraform/airlock/eventgrid_topics.tf
@@ -6,6 +6,7 @@ resource "azurerm_eventgrid_topic" "step_result" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
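Review bot: The added `"EVENT_GRID_STEP_RESULT_CONNECTION" = local.step_result_eventgrid_connection` (and its `EVENT_GRID_DATA_DELETION_CONNECTION` counterpart) stores a setting whose value is its own name; the binding's `connection` property already names the prefix under which the host looks for `__topicEndpointUri`, `__credential` and `__clientId`, so the bare-name entry looks redundant, and if the Functions host resolves a bare-name value before it looks for the `__` section the string could be taken for a connection string, which is worth confirming and, if deliberate, explaining in a comment. The hunk also keeps `SB_CONNECTION_STRING` as a shared-access connection string in app settings while the EventGrid bindings move to managed identity; if that is tracked elsewhere, a comment on that line linking it would help. Note that `"managedidentity"` only resolves when the app runs in Azure, so local debugging (the topics gate public access on `var.enable_local_debugging`) now needs a developer identity holding EventGrid Data Sender plus a different local settings setup, which this diff does not appear to document. The enclosing `azurerm_linux_function_app` resource continues outside the hunk.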
@@ -60,6 +61,7 @@ resource "azurerm_eventgrid_topic" "status_changed" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -113,6 +115,7 @@ resource "azurerm_eventgrid_topic" "data_deletion" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -163,6 +166,7 @@ resource "azurerm_eventgrid_topic" "scan_result" {
 resource_group_name = var.resource_group_name
 # This is mandatory for the scan result to be published since private networks are not supported yet
 public_network_access_enabled = true
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -323,6 +327,7 @@ resource "azurerm_eventgrid_topic" "airlock_notification" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index 7f452ebdbb..a21a26f562 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "servicebus_receiver" {
 principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
 }
 
-resource "azurerm_role_assignment" "eventgrid_data_sender" {
+resource "azurerm_role_assignment" "eventgrid_data_sender_status_changed" {
 scope = azurerm_eventgrid_topic.status_changed.id
 role_definition_name = "EventGrid Data Sender"
 principal_id = var.api_principal_id
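Review bot: `local_auth_enabled = false` on the `scan_result` topic removes key-based publishing from the one topic whose existing comment says it must stay publicly reachable so scan results can be published, yet the publisher of those results is configured outside this diff and the sender role assignments visible elsewhere in this commit cover only the API principal and the airlock identity. Confirm that whatever publishes scan results authenticates with an Entra ID identity that holds EventGrid Data Sender on this topic; if it still uses a topic key, scan results stop arriving after apply with no error on the Terraform side. Once confirmed, a comment beside the new line would make the dependency visible, e.g. `# key-based publishing is disabled; the scan-result publisher must hold EventGrid Data Sender on this topic`. The other `local_auth_enabled = false` lines in this file (status_changed, data_deletion, airlock_notification) appear to be covered by sender role assignments in identity.tf, as far as the diff shows.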
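Review bot: Renaming `azurerm_role_assignment.eventgrid_data_sender` to `eventgrid_data_sender_status_changed` without a `moved` block makes Terraform destroy the existing assignment and create a new one, so the API principal loses EventGrid Data Sender on `status_changed` for the window between the two operations on every environment that applies this change. If the project's pinned Terraform version supports it, add a `moved` block with `from = azurerm_role_assignment.eventgrid_data_sender` and `to = azurerm_role_assignment.eventgrid_data_sender_status_changed` so the state entry is renamed in place and no role assignment is recreated. The resource body continues outside the hunk.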
@@ -37,6 +37,18 @@ resource "azurerm_role_assignment" "eventgrid_data_sender_notification" {
 principal_id = var.api_principal_id
 }
 
+resource "azurerm_role_assignment" "eventgrid_data_sender_step_result" {
+ scope = azurerm_eventgrid_topic.step_result.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
+resource "azurerm_role_assignment" "eventgrid_data_sender_data_deletion" {
+ scope = azurerm_eventgrid_topic.data_deletion.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
 resource "azurerm_role_assignment" "airlock_blob_data_contributor" {
 count = length(local.airlock_sa_blob_data_contributor)
 scope = local.airlock_sa_blob_data_contributor[count.index]
diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
index 3bc09392b6..8ed6805e0e 100644
--- a/core/terraform/airlock/locals.tf
+++ b/core/terraform/airlock/locals.tf
@@ -60,4 +60,7 @@ locals {
 azurerm_storage_account.sa_import_in_progress.id,
 azurerm_storage_account.sa_export_approved.id
 ]
+
+ step_result_eventgrid_connection = "EVENT_GRID_STEP_RESULT_CONNECTION"
+ data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/version.txt b/core/version.txt
index 3c85494aac..663d6b3572 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.21"
+__version__ = "0.11.22"
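Review bot: The two new locals `step_result_eventgrid_connection` and `data_deletion_eventgrid_connection` hold literal names that must match, character for character, the `connection` value in the airlock_processor function.json files changed in this same commit, but nothing at either end records the coupling, so a rename on one side breaks event publishing without any Terraform error. Add a comment above the two lines, e.g. `# Must match the "connection" value in airlock_processor/*/function.json; the Functions host reads <name>__topicEndpointUri, __credential and __clientId under this prefix`. The `locals` block starts outside the hunk.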