Add network rule set for Service Bus namespace (#3858)

CHANGELOG.md

@@ -18,6 +18,7 @@ BUG FIXES:
 * Fix user resource upgrade validation: use the parent_service_template_name instead of the parent_resource_id. ([#3824](https://github.com/microsoft/AzureTRE/issues/3824))
 * Airlock: Creating an import/export request causes a routing error ([#3830](https://github.com/microsoft/AzureTRE/issues/3830))
 * Fix registration of templates with no 'authorizedRoles' or 'required' defined ([#3849](https://github.com/microsoft/AzureTRE/pull/3849))
+* Update terraform for services bus to move network rules into namespace resource to avoid depreciation warning, and update setup_local_debugging.sh to use network_rule_sets ([#3858](https://github.com/microsoft/AzureTRE/pull/3858))
 
 COMPONENTS:
 

core/terraform/migrate.sh

@@ -217,4 +217,13 @@ if [ "${state_store_serverless}" == "false" ]; then
   export TF_VAR_is_cosmos_defined_throughput
 fi
 
+# prep for migration of azurerm_servicebus_namespace_network_rule_set https://github.com/microsoft/AzureTRE/pull/3858
+# as described https://github.com/hashicorp/terraform-provider-azurerm/issues/23954
+state_store_servicebus_network_rule_set=$(echo "${terraform_show_json}" \
+  | jq 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_servicebus_namespace_network_rule_set.servicebus_network_rule_set") | .values.id')
+if [ -n "${state_store_servicebus_network_rule_set}" ]; then
+  echo "Removing state of azurerm_servicebus_namespace_network_rule_set"
+  terraform state rm azurerm_servicebus_namespace_network_rule_set.servicebus_network_rule_set
+fi
+
 echo "*** Migration is done. ***"

core/terraform/servicebus.tf

@@ -6,6 +6,24 @@ resource "azurerm_servicebus_namespace" "sb" {
   capacity            = "1"
   tags                = local.tre_core_tags
 
+  # Block public access
+  # See https://docs.microsoft.com/azure/service-bus-messaging/service-bus-service-endpoints
+  network_rule_set {
+    ip_rules = var.enable_local_debugging ? [local.myip] : null
+
+    # Allows the Eventgrid to access the SB
+    trusted_services_allowed = true
+
+    # We must enable the Airlock events subnet to access the SB, as the Eventgrid topics can't send messages over PE
+    # https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints
+    default_action                = "Deny"
+    public_network_access_enabled = true
+    network_rules {
+      subnet_id                            = module.network.airlock_events_subnet_id
+      ignore_missing_vnet_service_endpoint = false
+    }
+  }
+
   lifecycle { ignore_changes = [tags] }
 }
 
@@ -73,30 +91,6 @@ resource "azurerm_private_endpoint" "sbpe" {
   ]
 }
 
-# Block public access
-# See https://docs.microsoft.com/azure/service-bus-messaging/service-bus-service-endpoints
-resource "azurerm_servicebus_namespace_network_rule_set" "servicebus_network_rule_set" {
-  namespace_id = azurerm_servicebus_namespace.sb.id
-  ip_rules     = var.enable_local_debugging ? [local.myip] : null
-
-
-  # We must enable the Airlock events subnet to access the SB, as the Eventgrid topics can't send messages over PE
-  # https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints
-  default_action                = "Deny"
-  public_network_access_enabled = true
-  network_rules {
-    subnet_id                            = module.network.airlock_events_subnet_id
-    ignore_missing_vnet_service_endpoint = false
-  }
-
-  # Allows the Eventgrid to access the SB
-  trusted_services_allowed = true
-
-  depends_on = [
-    module.network
-  ]
-}
-
 resource "azurerm_monitor_diagnostic_setting" "sb" {
   name                       = "diagnostics-${azurerm_servicebus_namespace.sb.name}"
   target_resource_id         = azurerm_servicebus_namespace.sb.id

core/version.txt

@@ -1 +1 @@
-__version__ = "0.9.5"
+__version__ = "0.9.6"

devops/scripts/setup_local_debugging.sh

@@ -41,11 +41,17 @@ az cosmosdb update \
   --ip-range-filter "${IPADDR}"
 
 echo "Adding local IP Address to ${SERVICE_BUS_NAMESPACE}."
-az servicebus namespace network-rule add \
+if az servicebus namespace network-rule-set list \
   --resource-group "${RESOURCE_GROUP_NAME}" \
   --namespace-name "${SERVICE_BUS_NAMESPACE}" \
-  --ip-address "${IPADDR}" \
-  --action Allow
+  -o json | grep -q "${IPADDR}" ; then
+  echo "IP Address ${IPADDR} already exists in ${SERVICE_BUS_NAMESPACE}. Skipping..."
+else
+  az servicebus namespace network-rule-set ip-rule add \
+    --resource-group "${RESOURCE_GROUP_NAME}" \
+    --namespace-name "${SERVICE_BUS_NAMESPACE}" \
+    --ip-rule ip-address="${IPADDR}" action=Allow
+fi
 
 echo "Adding local IP Address to Event Grid Topics."
 az eventgrid topic update \
@@ -99,6 +105,12 @@ az role assignment create \
     --assignee "${LOGGED_IN_OBJECT_ID}" \
     --scope "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID}"
 
+# For end to E2E add Storage Blob Data Contributor role to the logged in user
+az role assignment create \
+    --role "Storage Blob Data Contributor" \
+    --assignee "${LOGGED_IN_OBJECT_ID}" \
+    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.Storage/storageAccounts/stalimex${TRE_ID}"
+
 
 if [[ -z ${ARM_CLIENT_ID:-} ]]; then
   # Configure SP for local resource processor debugging (Porter can't use local creds)
@@ -138,6 +150,8 @@ sed -i '/ARM_CLIENT_SECRET/d' "${private_env_path}"
 sed -i '/AAD_TENANT_ID/d' "${private_env_path}"
 sed -i '/APPLICATION_ADMIN_CLIENT_ID/d' "${private_env_path}"
 sed -i '/APPLICATION_ADMIN_CLIENT_SECRET/d' "${private_env_path}"
+sed -i '/TEST_WORKSPACE_APP_ID/d' "${private_env_path}"
+sed -i '/TEST_WORKSPACE_APP_SECRET/d' "${private_env_path}"
 
 # Append them to the TRE file so that the Resource Processor can use them
 tee -a "${private_env_path}" <<EOF
@@ -146,6 +160,8 @@ ARM_CLIENT_SECRET=${RP_TESTING_SP_PASSWORD}
 AAD_TENANT_ID=${AAD_TENANT_ID}
 APPLICATION_ADMIN_CLIENT_ID=${APPLICATION_ADMIN_CLIENT_ID}
 APPLICATION_ADMIN_CLIENT_SECRET=${APPLICATION_ADMIN_CLIENT_SECRET}
+TEST_WORKSPACE_APP_ID=${WORKSPACE_API_CLIENT_ID}
+TEST_WORKSPACE_APP_SECRET=${WORKSPACE_API_CLIENT_SECRET}
 EOF
 
 # copy porter configuration to porter home