Merge branch 'main' into stuartleeks-patch-1

CHANGELOG.md

@@ -17,7 +17,7 @@ ENHANCEMENTS:
 
 BUG FIXES:
 
-*
+* Resource processor error on deploying user-resource: TypeError: 'NoneType' object is not iterable ([#2569](https://github.com/microsoft/AzureTRE/issues/2569))
 
 ## 0.4.3 (September 12, 2022)
 

api_app/_version.py

@@ -1 +1 @@
-__version__ = "0.4.33"
+__version__ = "0.4.34"

api_app/services/azure_resource_status.py

@@ -14,7 +14,11 @@ def get_azure_resource_status(resource_id):
     try:
         if resource_type == 'Microsoft.Compute/virtualMachines':
             vm_instance_view: models.VirtualMachineInstanceView = get_azure_vm_instance_view(resource_name, resource_group_name)
-            power_state = [x for x in vm_instance_view.statuses if x.code.startswith('PowerState')][0].display_status
+            power_state = None
+            if vm_instance_view.statuses is not None:
+                power_states = [x for x in vm_instance_view.statuses if x.code.startswith('PowerState')]
+                if len(power_states) > 0:
+                    power_state = power_states[0].display_status
             return {"powerState": power_state}
     except ResourceNotFoundError:
         logging.warning(f"Unable to query resource status for {resource_id}, as the resource was not found.")

docs/tre-templates/workspaces/airlock_manager.md

@@ -0,0 +1,8 @@
+# Airlock Manager workspace
+
+**NOTE**: This feature is still in active development. More documentation will be added as the development progresses.
+
+Airlock Manager workspace is used as part of Review workflow for [Airlock](../../azure-tre-overview/airlock.md).
+It allows to review Airlock Data Import requests from, by providing a workspace to spin up VMs in that then can access the in-progress storage account.
+
+The workspace is built upon the base workspace template. It adds a private endpoint to connect to import in-progress storage account, adds corresponding roles, and disables shared storage for VMs.

templates/core/terraform/airlock/locals.tf

@@ -41,7 +41,7 @@ locals {
   export_approved_eventgrid_subscription_name   = "evgs-airlock-export-approved-blob-created"
 
   airlock_function_app_name = "func-airlock-processor-${var.tre_id}"
-  airlock_function_sa_name  = "saairlockp${var.tre_id}"
+  airlock_function_sa_name  = lower(replace("saairlockp${var.tre_id}", "-", ""))
 
   airlock_sa_blob_data_contributor = [
     azurerm_storage_account.sa_import_external.id,

templates/core/version.txt

@@ -1 +1 @@
-__version__ = "0.4.25"
+__version__ = "0.4.26"

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-service-guacamole-linuxvm
-version: 0.4.14
+version: 0.4.15
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -52,8 +52,8 @@ parameters:
     type: string
     default: "2 CPU | 8GB RAM"
   - name: shared_storage_access
-    type: string
-    default: "true"
+    type: boolean
+    default: true
   - name: shared_storage_name
     type: string
     default: "vm-shared-storage"

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json

@@ -29,6 +29,13 @@
         "16 CPU | 64GB RAM"
       ],
       "updateable": true
+    },
+    "shared_storage_access": {
+      "$id": "#/properties/shared_storage_access",
+      "type": "boolean",
+      "title": "Shared storage",
+      "default": true,
+      "description": "Enable access to shared storage"
     }
   }
 }

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf

@@ -98,7 +98,7 @@ data "template_file" "vm_config" {
     STORAGE_ACCOUNT_NAME  = data.azurerm_storage_account.stg.name
     STORAGE_ACCOUNT_KEY   = data.azurerm_storage_account.stg.primary_access_key
     HTTP_ENDPOINT         = data.azurerm_storage_account.stg.primary_file_endpoint
-    FILESHARE_NAME        = data.azurerm_storage_share.shared_storage.name
+    FILESHARE_NAME        = var.shared_storage_access ? data.azurerm_storage_share.shared_storage[0].name : ""
     NEXUS_PROXY_URL       = local.nexus_proxy_url
     CONDA_CONFIG          = local.image_ref[var.image].conda_config ? 1 : 0
   }
@@ -137,6 +137,7 @@ data "azurerm_storage_account" "stg" {
 }
 
 data "azurerm_storage_share" "shared_storage" {
+  count                = var.shared_storage_access ? 1 : 0
   name                 = var.shared_storage_name
   storage_account_name = data.azurerm_storage_account.stg.name
 }

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf

@@ -4,5 +4,7 @@ variable "parent_service_id" {}
 variable "tre_resource_id" {}
 variable "image" {}
 variable "vm_size" {}
-variable "shared_storage_access" {}
+variable "shared_storage_access" {
+  type = bool
+}
 variable "shared_storage_name" {}

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-service-guacamole-windowsvm
-version: 0.4.8
+version: 0.4.14
 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -50,8 +50,8 @@ parameters:
     type: string
     default: "2 CPU | 8GB RAM"
   - name: shared_storage_access
-    type: string
-    default: "true"
+    type: boolean
+    default: true
   - name: shared_storage_name
     type: string
     default: "vm-shared-storage"

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/template_schema.json

@@ -29,6 +29,13 @@
           "16 CPU | 64GB RAM"
         ],
         "updateable": true
+      },
+      "shared_storage_access": {
+        "$id": "#/properties/shared_storage_access",
+        "type": "boolean",
+        "title": "Shared storage",
+        "default": true,
+        "description": "Enable access to shared storage"
       }
     }
 }

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/variables.tf

@@ -4,5 +4,7 @@ variable "parent_service_id" {}
 variable "tre_resource_id" {}
 variable "image" {}
 variable "vm_size" {}
-variable "shared_storage_access" {}
+variable "shared_storage_access" {
+  type = bool
+}
 variable "shared_storage_name" {}

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf

@@ -92,10 +92,10 @@ data "template_file" "vm_config" {
   template = file("${path.module}/vm_config.ps1")
   vars = {
     nexus_proxy_url     = local.nexus_proxy_url
-    SharedStorageAccess = tobool(var.shared_storage_access) ? 1 : 0
+    SharedStorageAccess = var.shared_storage_access ? 1 : 0
     StorageAccountName  = data.azurerm_storage_account.stg.name
     StorageAccountKey   = data.azurerm_storage_account.stg.primary_access_key
-    FileShareName       = data.azurerm_storage_share.shared_storage.name
+    FileShareName       = var.shared_storage_access ? data.azurerm_storage_share.shared_storage[0].name : ""
     CondaConfig         = local.image_ref[var.image].conda_config ? 1 : 0
   }
 }
@@ -106,6 +106,7 @@ data "azurerm_storage_account" "stg" {
 }
 
 data "azurerm_storage_share" "shared_storage" {
+  count                = var.shared_storage_access ? 1 : 0
   name                 = var.shared_storage_name
   storage_account_name = data.azurerm_storage_account.stg.name
 }

templates/workspaces/airlock_manager/.dockerignore

@@ -0,0 +1,9 @@
+# Local .terraform directories
+**/.terraform/*
+
+# TF backend files
+**/*_backend.tf
+
+Dockerfile.tmpl
+terraform/deploy.sh
+terraform/destroy.sh

templates/workspaces/airlock_manager/.env.sample

@@ -0,0 +1,29 @@
+ARM_CLIENT_ID="__CHANGE_ME__"
+ARM_CLIENT_SECRET="__CHANGE_ME__"
+ARM_TENANT_ID="__CHANGE_ME__"
+ARM_SUBSCRIPTION_ID="__CHANGE_ME__"
+AUTH_TENANT_ID="__CHANGE_ME__"
+
+# These are passed in if Terraform will create the Workspace AAD Application
+REGISTER_AAD_APPLICATION=true
+AUTH_CLIENT_ID="__CHANGE_ME__"
+AUTH_CLIENT_SECRET="__CHANGE_ME__"
+WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__"
+
+# These are passed in if you register the Workspace AAD Application before hand
+# REGISTER_AAD_APPLICATION=false
+# CLIENT_ID="__CHANGE_ME__"
+# CLIENT_SECRET="__CHANGE_ME__"
+# WORKSPACE_OWNER_OBJECT_ID=""
+
+# Used by Porter, aka TRE_RESOURCE_ID
+ID="MadeUp123"
+SP_ID=""
+SCOPE_ID="api://ws_0001"
+APP_ROLE_ID_WORKSPACE_OWNER=""
+APP_ROLE_ID_WORKSPACE_RESEARCHER=""
+APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER=""
+ADDRESS_SPACE="10.2.8.0/24"
+ENABLE_LOCAL_DEBUGGING=true
+
+AAD_REDIRECT_URIS="W10="

templates/workspaces/airlock_manager/Dockerfile.tmpl

@@ -0,0 +1,43 @@
+# We need azurecli 2.37+ which doesn't exist for strech so the minimum is buster
+FROM debian:buster-slim
+
+ARG BUNDLE_DIR
+
+ARG AZURE_TRE_VERSION="0.4.3"
+
+RUN  apt-get update \
+  && apt-get install --no-install-recommends jq ca-certificates curl patch -y \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR $BUNDLE_DIR
+
+# Copy all files from base workspace (note: some of them will be overwritten with the following COPY command)
+RUN  curl -o azuretre.tar.gz -L "https://github.com/microsoft/AzureTRE/archive/refs/tags/v${AZURE_TRE_VERSION}.tar.gz" \
+  && tar -xzf azuretre.tar.gz "AzureTRE-${AZURE_TRE_VERSION}/templates/workspaces/base"  --strip-components=4 --skip-old-files \
+  && rm -rf azuretre.tar.gz
+
+# This is a template Dockerfile for the bundle's invocation image
+# You can customize it to use different base images, install tools and copy configuration files.
+#
+# Porter will use it as a template and append lines to it for the mixins
+# and to set the CMD appropriately for the CNAB specification.
+#
+# Add the following line to porter.yaml to instruct Porter to use this template
+# dockerfile: Dockerfile.tmpl
+
+# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
+# another location in this file. If you remove that line, the mixins generated content is appended to this file.
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY . $BUNDLE_DIR
+
+# Apply patch with the difference from the base workspace
+RUN patch -p0 < $BUNDLE_DIR/workspace_base.diff
+
+# Mirror plugins to prevent network access at runtime
+# Remove when available from https://github.com/getporter/terraform-mixin/issues/90
+WORKDIR $BUNDLE_DIR/terraform
+RUN terraform init -backend=false \
+  && rm -fr $BUNDLE_DIR/terraform/.terraform/providers \
+  && terraform providers mirror /usr/local/share/terraform/plugins

templates/workspaces/airlock_manager/parameters.json

@@ -0,0 +1,128 @@
+{
+  "schemaVersion": "1.0.0-DRAFT+TODO",
+  "name": "airlock_manager",
+  "created": "2021-06-04T13:37:29.5071039+03:00",
+  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "parameters": [
+    {
+      "name": "address_space",
+      "source": {
+        "env": "ADDRESS_SPACE"
+      }
+    },
+    {
+      "name": "azure_location",
+      "source": {
+        "env": "LOCATION"
+      }
+    },
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "enable_local_debugging",
+      "source": {
+        "env": "ENABLE_LOCAL_DEBUGGING"
+      }
+    },
+    {
+      "name": "register_aad_application",
+      "source": {
+        "env": "REGISTER_AAD_APPLICATION"
+      }
+    },
+    {
+      "name": "client_id",
+      "source": {
+        "env": "CLIENT_ID"
+      }
+    },
+    {
+      "name": "client_secret",
+      "source": {
+        "env": "CLIENT_SECRET"
+      }
+    },
+    {
+      "name": "scope_id",
+      "source": {
+        "env": "SCOPE_ID"
+      }
+    },
+    {
+      "name": "workspace_owner_object_id",
+      "source": {
+        "env": "WORKSPACE_OWNER_OBJECT_ID"
+      }
+    },
+    {
+      "name": "sp_id",
+      "source": {
+        "env": "SP_ID"
+      }
+    },
+    {
+      "name": "app_role_id_workspace_owner",
+      "source": {
+        "env": "APP_ROLE_ID_WORKSPACE_OWNER"
+      }
+    },
+    {
+      "name": "app_role_id_workspace_researcher",
+      "source": {
+        "env": "APP_ROLE_ID_WORKSPACE_RESEARCHER"
+      }
+    },
+    {
+      "name": "app_role_id_workspace_airlock_manager",
+      "source": {
+        "env": "APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER"
+      }
+    },
+    {
+      "name": "aad_redirect_uris",
+      "source": {
+        "env": "AAD_REDIRECT_URIS"
+      }
+    },
+    {
+      "name": "app_service_plan_sku",
+      "source": {
+        "env": "APP_SERVICE_PLAN_SKU"
+      }
+    },
+    {
+      "name": "enable_airlock",
+      "source": {
+        "env": "ENABLE_AIRLOCK"
+      }
+    }
+  ]
+}