Disable local/basic accounts (#4219)

Disbale storage local and appservice basic deployment accounts Co-authored-by: Tamir Kamara <takamara@microsoft.com>
microsoft · Dec 29, 2024 · c07361c · c07361c
1 parent 475829a
commit c07361c
Show file tree

Hide file tree

Showing 19 changed files with 80 additions and 55 deletions.
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -53,16 +53,19 @@ resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_fu
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {
-  name                      = local.airlock_function_app_name
-  resource_group_name       = var.resource_group_name
-  location                  = var.location
-  https_only                = true
-  virtual_network_subnet_id = var.airlock_processor_subnet_id
-  service_plan_id           = azurerm_service_plan.airlock_plan.id
-  storage_account_name      = azurerm_storage_account.sa_airlock_processor_func_app.name
+  name                                           = local.airlock_function_app_name
+  resource_group_name                            = var.resource_group_name
+  location                                       = var.location
+  https_only                                     = true
+  virtual_network_subnet_id                      = var.airlock_processor_subnet_id
+  service_plan_id                                = azurerm_service_plan.airlock_plan.id
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = false
+  storage_account_name                           = azurerm_storage_account.sa_airlock_processor_func_app.name
   # consider moving to a managed identity here
   storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
-  tags                       = var.tre_core_tags
+
+  tags = var.tre_core_tags
 
   identity {
     type         = "UserAssigned"

diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
@@ -10,7 +10,7 @@ resource "azurerm_storage_account" "sa_import_external" {
   table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   cross_tenant_replication_enabled = false
-
+  local_user_enabled               = false
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
   allow_nested_items_to_be_public = false
 
@@ -76,6 +76,7 @@ resource "azurerm_storage_account" "sa_export_approved" {
   table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
   allow_nested_items_to_be_public = false
@@ -143,6 +144,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -239,6 +241,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -309,6 +312,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED

diff --git a/core/terraform/api-webapp.tf b/core/terraform/api-webapp.tf
@@ -18,15 +18,17 @@ resource "azurerm_service_plan" "core" {
 }
 
 resource "azurerm_linux_web_app" "api" {
-  name                            = "api-${var.tre_id}"
-  resource_group_name             = azurerm_resource_group.core.name
-  location                        = azurerm_resource_group.core.location
-  service_plan_id                 = azurerm_service_plan.core.id
-  https_only                      = true
-  key_vault_reference_identity_id = azurerm_user_assigned_identity.id.id
-  virtual_network_subnet_id       = module.network.web_app_subnet_id
-  public_network_access_enabled   = false
-  tags                            = local.tre_core_tags
+  name                                           = "api-${var.tre_id}"
+  resource_group_name                            = azurerm_resource_group.core.name
+  location                                       = azurerm_resource_group.core.location
+  service_plan_id                                = azurerm_service_plan.core.id
+  https_only                                     = true
+  key_vault_reference_identity_id                = azurerm_user_assigned_identity.id.id
+  virtual_network_subnet_id                      = module.network.web_app_subnet_id
+  public_network_access_enabled                  = false
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = false
+  tags                                           = local.tre_core_tags
 
   app_settings = {
     "APPLICATIONINSIGHTS_CONNECTION_STRING"          = module.azure_monitor.app_insights_connection_string

diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
@@ -11,6 +11,7 @@ resource "azurerm_storage_account" "staticweb" {
   enable_https_traffic_only        = true
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
   tags                             = local.tre_core_tags
 
   # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below

diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
@@ -24,6 +24,7 @@ resource "azurerm_storage_account" "az_monitor" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
   tags                             = var.tre_core_tags
 
   # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below

diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
@@ -8,6 +8,7 @@ resource "azurerm_storage_account" "stg" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
   infrastructure_encryption_enabled = true

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.11"
+__version__ = "0.11.12"
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
@@ -18,7 +18,7 @@ if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name"
   # shellcheck disable=SC2154
   az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
     --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
-    --allow-blob-public-access false \
+    --allow-blob-public-access false --min-tls-version TLS1_2 \
     --kind StorageV2 --sku Standard_LRS -o table \
     --encryption-key-type-for-queue "$encryption_type" \
     --encryption-key-type-for-table "$encryption_type" \

diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
@@ -32,6 +32,7 @@ resource "azurerm_storage_account" "state_storage" {
   cross_tenant_replication_enabled = false
   allow_nested_items_to_be_public  = false
   shared_access_key_enabled        = false
+  local_user_enabled               = false
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []

diff --git a/devops/version.txt b/devops/version.txt
@@ -1 +1 @@
-__version__ = "0.5.4"
+__version__ = "0.5.5"
diff --git a/templates/shared_services/gitea/porter.yaml b/templates/shared_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-gitea
-version: 1.1.2
+version: 1.1.3
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/shared_services/gitea/terraform/gitea-webapp.tf b/templates/shared_services/gitea/terraform/gitea-webapp.tf
@@ -18,14 +18,16 @@ resource "azurerm_user_assigned_identity" "gitea_id" {
 }
 
 resource "azurerm_linux_web_app" "gitea" {
-  name                            = local.webapp_name
-  resource_group_name             = local.core_resource_group_name
-  location                        = data.azurerm_resource_group.rg.location
-  service_plan_id                 = data.azurerm_service_plan.core.id
-  https_only                      = true
-  key_vault_reference_identity_id = azurerm_user_assigned_identity.gitea_id.id
-  virtual_network_subnet_id       = data.azurerm_subnet.web_app.id
-  tags                            = local.tre_shared_service_tags
+  name                                           = local.webapp_name
+  resource_group_name                            = local.core_resource_group_name
+  location                                       = data.azurerm_resource_group.rg.location
+  service_plan_id                                = data.azurerm_service_plan.core.id
+  https_only                                     = true
+  key_vault_reference_identity_id                = azurerm_user_assigned_identity.gitea_id.id
+  virtual_network_subnet_id                      = data.azurerm_subnet.web_app.id
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = false
+  tags                                           = local.tre_shared_service_tags
 
   app_settings = {
     WEBSITES_PORT                       = "3000"
@@ -68,8 +70,8 @@ resource "azurerm_linux_web_app" "gitea" {
     vnet_route_all_enabled                        = true
 
     application_stack {
-      docker_image     = "${data.azurerm_container_registry.mgmt_acr.login_server}/microsoft/azuretre/gitea"
-      docker_image_tag = local.version
+      docker_registry_url = "https://${data.azurerm_container_registry.mgmt_acr.login_server}"
+      docker_image_name   = "microsoft/azuretre/gitea:${local.version}"
     }
   }
 

diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.2.1
+version: 1.2.2
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspace_services/gitea/terraform/gitea-webapp.tf b/templates/workspace_services/gitea/terraform/gitea-webapp.tf
@@ -23,14 +23,16 @@ data "azurerm_service_plan" "workspace" {
 }
 
 resource "azurerm_linux_web_app" "gitea" {
-  name                            = local.webapp_name
-  location                        = data.azurerm_resource_group.ws.location
-  resource_group_name             = data.azurerm_resource_group.ws.name
-  service_plan_id                 = data.azurerm_service_plan.workspace.id
-  https_only                      = true
-  key_vault_reference_identity_id = azurerm_user_assigned_identity.gitea_id.id
-  virtual_network_subnet_id       = data.azurerm_subnet.web_apps.id
-  tags                            = local.workspace_service_tags
+  name                                           = local.webapp_name
+  location                                       = data.azurerm_resource_group.ws.location
+  resource_group_name                            = data.azurerm_resource_group.ws.name
+  service_plan_id                                = data.azurerm_service_plan.workspace.id
+  https_only                                     = true
+  key_vault_reference_identity_id                = azurerm_user_assigned_identity.gitea_id.id
+  virtual_network_subnet_id                      = data.azurerm_subnet.web_apps.id
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = false
+  tags                                           = local.workspace_service_tags
 
   app_settings = {
     WEBSITES_PORT                                    = "3000"
@@ -78,8 +80,8 @@ resource "azurerm_linux_web_app" "gitea" {
     vnet_route_all_enabled                        = true
 
     application_stack {
-      docker_image     = "${data.azurerm_container_registry.mgmt_acr.login_server}/microsoft/azuretre/gitea-workspace-service"
-      docker_image_tag = local.version
+      docker_registry_url = "https://${data.azurerm_container_registry.mgmt_acr.login_server}"
+      docker_image_name   = "/microsoft/azuretre/gitea-workspace-service:${local.version}"
     }
   }
 

diff --git a/templates/workspace_services/guacamole/porter.yaml b/templates/workspace_services/guacamole/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole
-version: 0.12.3
+version: 0.12.4
 description: "An Azure TRE service for Guacamole"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspace_services/guacamole/terraform/web_app.tf b/templates/workspace_services/guacamole/terraform/web_app.tf
@@ -14,14 +14,16 @@ resource "azurerm_user_assigned_identity" "guacamole_id" {
 }
 
 resource "azurerm_linux_web_app" "guacamole" {
-  name                            = local.webapp_name
-  location                        = data.azurerm_resource_group.ws.location
-  resource_group_name             = data.azurerm_resource_group.ws.name
-  service_plan_id                 = data.azurerm_service_plan.workspace.id
-  https_only                      = true
-  key_vault_reference_identity_id = azurerm_user_assigned_identity.guacamole_id.id
-  virtual_network_subnet_id       = data.azurerm_subnet.web_apps.id
-  tags                            = local.workspace_service_tags
+  name                                           = local.webapp_name
+  location                                       = data.azurerm_resource_group.ws.location
+  resource_group_name                            = data.azurerm_resource_group.ws.name
+  service_plan_id                                = data.azurerm_service_plan.workspace.id
+  https_only                                     = true
+  key_vault_reference_identity_id                = azurerm_user_assigned_identity.guacamole_id.id
+  virtual_network_subnet_id                      = data.azurerm_subnet.web_apps.id
+  ftp_publish_basic_authentication_enabled       = false
+  webdeploy_publish_basic_authentication_enabled = false
+  tags                                           = local.workspace_service_tags
 
   site_config {
     http2_enabled                                 = true
@@ -32,8 +34,8 @@ resource "azurerm_linux_web_app" "guacamole" {
     minimum_tls_version                           = "1.2"
 
     application_stack {
-      docker_image     = "${data.azurerm_container_registry.mgmt_acr.login_server}/microsoft/azuretre/${var.image_name}"
-      docker_image_tag = local.image_tag
+      docker_registry_url = "https://${data.azurerm_container_registry.mgmt_acr.login_server}"
+      docker_image_name   = "microsoft/azuretre/${var.image_name}:${local.image_tag}"
     }
   }
 

diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.8.1
+version: 1.8.2
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
@@ -9,6 +9,7 @@ resource "azurerm_storage_account" "sa_import_approved" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -74,6 +75,7 @@ resource "azurerm_storage_account" "sa_export_internal" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -139,6 +141,7 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -211,6 +214,7 @@ resource "azurerm_storage_account" "sa_export_rejected" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
@@ -276,6 +280,7 @@ resource "azurerm_storage_account" "sa_export_blocked" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
 
   # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED

diff --git a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
@@ -23,6 +23,7 @@ resource "azurerm_storage_account" "app_insights" {
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
+  local_user_enabled               = false
   tags                             = var.tre_workspace_tags
 
   dynamic "identity" {