Upgrade Porter to v1 (#3014)

* Porter v1 core changes (#2977) * Update templates for Porter v1 (#2985) * Update docs for porter v1 (#2992)
2022-12-26 15:14:53 +02:00 · 2022-12-26 15:14:53 +02:00 · 28693097cd
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -11,9 +11,10 @@ ARG USERNAME=vscode
 ARG USER_UID=1000
 ARG USER_GID=$USER_UID

+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 # Set up non-root user
 COPY .devcontainer/scripts/non-root-user.sh /tmp/
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN bash /tmp/non-root-user.sh "${USERNAME}" "${USER_UID}" "${USER_GID}"

 # Set env for tracking that we're running in a devcontainer
@ -24,7 +25,7 @@ ARG NODE_VERSION="lts/*"
 RUN su $USERNAME -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"

 # Install terraform
-ARG TERRAFORM_VERSION="1.3.5"
+ARG TERRAFORM_VERSION="1.3.6"
 COPY .devcontainer/scripts/terraform.sh /tmp/
 RUN bash /tmp/terraform.sh "${TERRAFORM_VERSION}" /usr/bin

@ -42,7 +43,7 @@ RUN apt-get update && apt-get install -y ca-certificates curl gnupg lsb-release

 # Install Certbot
 RUN if [ "${INTERACTIVE}" = "true" ]; then \
-    apt-get update && apt-get install -y python3 python3-venv libaugeas0 --no-install-recommends \
+    apt-get update && apt-get install -y libaugeas0 --no-install-recommends \
    && python3 -m venv /opt/certbot/ \
    && /opt/certbot/bin/pip install --no-cache-dir --upgrade pip \
    && /opt/certbot/bin/pip install --no-cache-dir certbot \
@ -51,23 +52,39 @@ RUN if [ "${INTERACTIVE}" = "true" ]; then \
 # Install Porter
 # Not using the script from https://cdn.porter.sh/latest/install-linux.sh
 # as it installs things we don't need and duplicates the binary.
+# TODO: Remove Porter v0 https://github.com/microsoft/AzureTRE/issues/2990
 ARG PORTER_MIRROR=https://cdn.porter.sh
 ARG PORTER_VERSION=v0.38.13
 ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.0-rc.1
 ARG PORTER_AZ_MIXIN_VERSION=v0.7.3
 ARG PORTER_AZURE_PLUGIN_VERSION=v0.11.2
-ARG PORTER_HOME=/home/$USERNAME/.porter/
+ARG PORTER_HOME_V0=/home/$USERNAME/.porter-v0/
 COPY .devcontainer/scripts/porter.sh /tmp/
-RUN export PORTER_MIRROR=${PORTER_MIRROR} \
+RUN if [ "${INTERACTIVE}" = "true" ]; then \
+    export PORTER_MIRROR=${PORTER_MIRROR} \
    PORTER_VERSION=${PORTER_VERSION} \
    PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
    PORTER_AZ_MIXIN_VERSION=${PORTER_AZ_MIXIN_VERSION} \
-    PORTER_DOCKER_MIXIN_VERSION=${PORTER_DOCKER_MIXIN_VERSION} \
    PORTER_AZURE_PLUGIN_VERSION=${PORTER_AZURE_PLUGIN_VERSION} \
-    PORTER_HOME=${PORTER_HOME} \
-    && /tmp/porter.sh
+    PORTER_HOME=${PORTER_HOME_V0} \
+    && /tmp/porter.sh ; fi

-ENV PATH ${PORTER_HOME}:$PATH
+# can't be in a non default path
+# ARG PORTER_HOME_V1=/home/$USERNAME/.porter-v1/
+ARG PORTER_HOME_V1=/home/$USERNAME/.porter/
+ARG PORTER_VERSION=v1.0.4
+ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.0
+ARG PORTER_AZ_MIXIN_VERSION=v1.0.0
+ARG PORTER_AZURE_PLUGIN_VERSION=v1.0.1
+COPY .devcontainer/scripts/porter-v1.sh /tmp/
+RUN export PORTER_VERSION=${PORTER_VERSION} \
+    PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
+    PORTER_AZ_MIXIN_VERSION=${PORTER_AZ_MIXIN_VERSION} \
+    PORTER_AZURE_PLUGIN_VERSION=${PORTER_AZURE_PLUGIN_VERSION} \
+    PORTER_HOME=${PORTER_HOME_V1} \
+    && /tmp/porter-v1.sh
+
+ENV PATH ${PORTER_HOME_V1}:$PATH

 # Install requirements
 COPY ["requirements.txt", "/tmp/pip-tmp/" ]
@ -76,7 +93,7 @@ COPY ["resource_processor/vmss_porter/requirements.txt", "/tmp/pip-tmp/resource_
 COPY ["docs/requirements.txt", "/tmp/pip-tmp/docs/"]
 COPY ["e2e_tests/requirements.txt", "/tmp/pip-tmp/e2e_tests/"]
 COPY ["airlock_processor/requirements.txt", "/tmp/pip-tmp/airlock_processor/"]
-RUN pip3 --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt && rm -rf /tmp/pip-tmp
+RUN pip3 --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt

 # Install azure-cli
 ARG AZURE_CLI_VERSION=2.37.0-1~bullseye
@ -84,7 +101,7 @@ COPY .devcontainer/scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
    && /tmp/azure-cli.sh

-ARG YQ_VERSION="v4.27.2"
+ARG YQ_VERSION="v4.30.6"
 RUN curl -L --fail -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \
    && chmod +x /usr/local/bin/yq

--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -21,7 +21,9 @@
    // Mounts the login details from the host machine to azcli works in the container
    "type=bind,source=${env:HOME}${env:USERPROFILE}/.azure,target=/home/vscode/.azure",
    // Mount docker socket for docker builds
-    "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock"
+    "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock",
+    // Mounts the github cli login details from the host machine to the container (~/.config/gh/hosts.yml)
+    "type=bind,source=${env:HOME}${env:USERPROFILE}/.config,target=/home/vscode/.config",
  ],
  "remoteUser": "vscode",
  "containerEnv": {
--- a/.devcontainer/scripts/porter-v1.sh
+++ b/.devcontainer/scripts/porter-v1.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+set -o nounset
+# Uncomment this line to see each command for debugging (careful: this will show secrets!)
+# set -o xtrace
+
+export PORTER_HOME=${PORTER_HOME:-~/.porter}
+export PORTER_MIRROR=${PORTER_MIRROR:-https://cdn.porter.sh}
+PORTER_VERSION=${PORTER_VERSION:-latest}
+
+echo "Installing porter@$PORTER_VERSION to $PORTER_HOME from $PORTER_MIRROR"
+
+mkdir -p "$PORTER_HOME/runtimes"
+
+curl -fsSLo "$PORTER_HOME/porter" "$PORTER_MIRROR/$PORTER_VERSION/porter-linux-amd64"
+chmod +x "$PORTER_HOME/porter"
+ln -s "$PORTER_HOME/porter" "$PORTER_HOME/runtimes/porter-runtime"
+echo "Installed $("${PORTER_HOME}"/porter version)"
+
+"${PORTER_HOME}/porter" mixin install exec --version "$PORTER_VERSION"
+"${PORTER_HOME}/porter" mixin install terraform --version "$PORTER_TERRAFORM_MIXIN_VERSION"
+"${PORTER_HOME}/porter" mixin install az --version "$PORTER_AZ_MIXIN_VERSION"
+
+"${PORTER_HOME}/porter" plugin install azure --version "$PORTER_AZURE_PLUGIN_VERSION"
+
+chown -R "${USERNAME}" "${PORTER_HOME}"
+
+echo "Installation complete."
--- a/.dockerignore
+++ b/.dockerignore
@ -1,5 +1,5 @@
 # See https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Put files here that you don't want copied into your bundle's invocation image
+# Put files here that you need in the devcontainer's context
 .gitignore
 Dockerfile.tmpl

@ -18,8 +18,16 @@ cli/build
 cli/dist
 *.egg-info/

-.terraform
+**/.terraform
 tfplan*
 *.log

 templates/workspace_services/guacamole/guacamole-server/guacamole-auth-azure/target
+
+**/node_modules
+**/.cnab
+
+ui/app/build
+site
+
+.git
--- a/.github/workflows/build_docker_images.yml
+++ b/.github/workflows/build_docker_images.yml
@ -3,7 +3,9 @@ name: Docker build

 on:  # yamllint disable-line rule:truthy
  pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'feature/**'
  workflow_dispatch:

 # for each ref (branch/pr) run just the most recent, cancel
--- a/.github/workflows/build_validation_develop.yml
+++ b/.github/workflows/build_validation_develop.yml
@ -3,7 +3,9 @@ name: Build Validation

 on:  # yamllint disable-line rule:truthy
  pull_request:
-    branches: [main]
+    branches:
+      - main
+      - 'feature/**'

 # for each ref (branch/pr) run just the most recent,
 # cancel other pending/running ones
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@ -206,8 +206,12 @@ jobs:
        # failure in the first attempt indicates a new ACR, so we need to try again after it's been created
        if: steps.ci_cache_cr_login.outcome != 'success'
        run: |
-          # shellcheck disable=SC2034,SC2015
-          for i in {1..3}; do az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && break || sleep 10; done
+          # shellcheck disable=SC2034,SC2015,SC2125
+          for i in {1..3}; do
+            az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && ec=0 && break || ec=\$? && sleep 10
+          done
+          # shellcheck disable=SC2242
+          (exit \$ec)

      - name: Push cached devcontainer
        run: docker image push ${{ env.CI_CACHE_ACR_URI }}/tredev:${{ secrets.DEVCONTAINER_TAG }}
@ -359,7 +363,7 @@ jobs:
          # Although porter publish will build automatically, our makefile build target includes logic that should run
          COMMAND: >-
            for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-            && break || sleep 30; done
+            && ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
          DEVCONTAINER_TAG: ${{ secrets.DEVCONTAINER_TAG }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
@ -392,7 +396,7 @@ jobs:
          # Although porter publish will build automatically, our makefile build target includes logic that should run
          COMMAND: >-
            for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-            && break || sleep 30; done
+            && ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
          DEVCONTAINER_TAG: ${{ secrets.DEVCONTAINER_TAG }}
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
--- a/.gitignore
+++ b/.gitignore
@ -115,8 +115,9 @@ templates/core/tre.env
 devops/auth.env
 private.env

-# Config
+# TRE Config
 config.yaml
+!resource_processor/vmss_porter/config.yaml

 # Spyder project settings
 .spyderproject
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,9 +4,9 @@
 **BREAKING CHANGES & MIGRATIONS**:
 * The model for `reviewUserResources` in airlock requests has changed from being a list to a dictionary. A migration has been added to update your existing requests automatically; please make sure you run the migrations as part of updating your API and UI.
  * Note that any in-flight requests that have review resources deployed will show `UNKNOWN[i]` for the user key of that resource and in the UI users will be prompted to deploy a new resource. [#2883](https://github.com/microsoft/AzureTRE/pull/2883)
-* Env files consolidation - The files /templates/core/.env, /devops/.env, /devops/auth.env are no longer used. The settings and configuration that they contain has been consolidated into a single file config.yaml that lives in the root folder of the project.
-
+* Env files consolidation ([#2944](https://github.com/microsoft/AzureTRE/pull/2944)) - The files /templates/core/.env, /devops/.env, /devops/auth.env are no longer used. The settings and configuration that they contain has been consolidated into a single file config.yaml that lives in the root folder of the project.
 Use the script devops/scripts/env_to_yaml_config.sh to migrate /templates/core/.env, /devops/.env, and /devops/auth.env to the new config.yaml file.
+* Upgrade to Porter v1 ([#3014](https://github.com/microsoft/AzureTRE/pull/3014)). You should upgrade all custom template definitions and rebuild them.

 FEATURES:
 * Support review VMs for multiple reviewers for each airlock request [#2883](https://github.com/microsoft/AzureTRE/pull/2883)
--- a/57
+++ b/57
@ -184,16 +184,22 @@ bundle-build:
 	&& if [ -d terraform ]; then terraform -chdir=terraform init -backend=false; terraform -chdir=terraform validate; fi \
 	&& FULL_IMAGE_NAME_PREFIX=${FULL_IMAGE_NAME_PREFIX} IMAGE_NAME_PREFIX=${IMAGE_NAME_PREFIX} \
 		${MAKEFILE_DIR}/devops/scripts/bundle_runtime_image_build.sh \
-	&& porter build --debug
+	&& porter build
 	$(MAKE) bundle-check-params

 bundle-install: bundle-check-params
 	$(call target_title, "Deploying ${DIR} with Porter") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
 	&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
-	&& cd ${DIR} && porter install -p ./parameters.json \
-		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
-		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
+	&& cd ${DIR} \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh .env \
+	&& porter parameters apply parameters.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
+	&& . ${MAKEFILE_DIR}/devops/scripts/porter_local_env.sh \
+	&& porter install --parameter-set $$(yq ".name" porter.yaml) \
+		--credential-set arm_auth \
+		--credential-set aad_auth \
 		--allow-docker-host-access --debug

 # Validates that the parameters file is synced with the bundle.
@ -204,27 +210,40 @@ bundle-check-params:
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,porter \
 	&& cd ${DIR} \
 	&& if [ ! -f "parameters.json" ]; then echo "Error - please create a parameters.json file."; exit 1; fi \
-	&& if ! porter explain -ojson > /dev/null; then echo "Error - porter explain issue!"; exit 1; fi \
+	&& if [ "$$(jq -r '.name' parameters.json)" != "$$(yq eval '.name' porter.yaml)" ]; then echo "Error - ParameterSet name isn't equal to bundle's name."; exit 1; fi \
+	&& if ! porter explain; then echo "Error - porter explain issue!"; exit 1; fi \
 	&& comm_output=$$(set -o pipefail && comm -3 --output-delimiter=: <(porter explain -ojson | jq -r '.parameters[].name | select (. != "arm_use_msi")' | sort) <(jq -r '.parameters[].name | select(. != "arm_use_msi")' parameters.json | sort)) \
 	&& if [ ! -z "$${comm_output}" ]; \
-		then echo -e "*** Add to params ***:*** Remove from params ***\n$$comm_output" | column -t -s ":" -n; exit 1; \
+		then echo -e "*** Add to params ***:*** Remove from params ***\n$$comm_output" | column -t -s ":"; exit 1; \
 		else echo "parameters.json file up-to-date."; fi

 bundle-uninstall:
 	$(call target_title, "Uninstalling ${DIR} with Porter") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
-	&& cd ${DIR} && porter uninstall -p ./parameters.json \
-		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
-		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
+	&& cd ${DIR} \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh .env \
+	&& porter parameters apply parameters.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
+	&& porter uninstall --parameter-set $$(yq ".name" porter.yaml) \
+		--credential-set arm_auth \
+		--credential-set aad_auth \
 		--allow-docker-host-access --debug

 bundle-custom-action:
 	$(call target_title, "Performing:${ACTION} ${DIR} with Porter") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
- 	&& cd ${DIR} && porter invoke --action ${ACTION} -p ./parameters.json \
- 		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
- 		--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
- 		--allow-docker-host-access --debug
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
+	&& cd ${DIR}
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh .env \
+	&& porter parameters apply parameters.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
+	&& porter credentials apply ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
+ 	&& porter invoke --action ${ACTION} --parameter-set $$(yq ".name" porter.yaml) \
+		--credential-set arm_auth \
+		--credential-set aad_auth \
+		--allow-docker-host-access --debug

 bundle-publish:
 	$(call target_title, "Publishing ${DIR} bundle with Porter") \
@ -234,7 +253,7 @@ bundle-publish:
 	&& cd ${DIR} \
 	&& FULL_IMAGE_NAME_PREFIX=${FULL_IMAGE_NAME_PREFIX} \
 		${MAKEFILE_DIR}/devops/scripts/bundle_runtime_image_push.sh \
-	&& porter publish --registry "$${ACR_NAME}.azurecr.io" --debug
+	&& porter publish --registry "$${ACR_NAME}.azurecr.io" --force

 bundle-register:
 	@# NOTE: ACR_NAME below comes from the env files, so needs the double '$$'. Others are set on command execution and don't
@ -290,11 +309,11 @@ build-and-deploy-ui:
 	&& if [ "$${DEPLOY_UI}" != "false" ]; then ${MAKEFILE_DIR}/devops/scripts/build_deploy_ui.sh; else echo "UI Deploy skipped as DEPLOY_UI is false"; fi \

 prepare-for-e2e:
-	$(MAKE) workspace_bundle BUNDLE=base \
-	&& $(MAKE) workspace_service_bundle BUNDLE=guacamole \
-	&& $(MAKE) shared_service_bundle BUNDLE=gitea \
-	&& $(MAKE) user_resource_bundle WORKSPACE_SERVICE=guacamole BUNDLE=guacamole-azure-windowsvm \
-	&& $(MAKE) user_resource_bundle WORKSPACE_SERVICE=guacamole BUNDLE=guacamole-azure-linuxvm
+	$(MAKE) workspace_bundle BUNDLE=base
+	$(MAKE) workspace_service_bundle BUNDLE=guacamole
+	$(MAKE) shared_service_bundle BUNDLE=gitea
+	$(MAKE) user_resource_bundle WORKSPACE_SERVICE=guacamole BUNDLE=guacamole-azure-windowsvm
+	$(MAKE) user_resource_bundle WORKSPACE_SERVICE=guacamole BUNDLE=guacamole-azure-linuxvm

 test-e2e-smoke:
 	$(call target_title, "Running E2E smoke tests") && \
--- a/api_app/_version.py
+++ b/api_app/_version.py
@ -1 +1 @@
-__version__ = "0.7.0"
+__version__ = "0.8.0"
--- a/api_app/models/domain/resource.py
+++ b/api_app/models/domain/resource.py
@ -75,5 +75,5 @@ class Resource(AzureTREModel):


 class Output(AzureTREModel):
-    Name: str = Field(title="", description="")
-    Value: Union[list, dict, str] = Field(None, title="", description="")
+    Name: str = Field(title="", description="", alias="name")
+    Value: Union[list, dict, str] = Field(None, title="", description="", alias="value")
--- a/api_app/service_bus/deployment_status_updater.py
+++ b/api_app/service_bus/deployment_status_updater.py
@ -81,10 +81,11 @@ class DeploymentStatusUpdater():
            complete_message = await self.update_status_in_database(message)
            logging.info(f"Update status in DB for {message.operationId} - {message.status}")
        except (json.JSONDecodeError, ValidationError) as e:
+            # TODO: should move to dead letter queue https://github.com/microsoft/AzureTRE/issues/2991
            complete_message = True
            logging.error(f"{strings.DEPLOYMENT_STATUS_MESSAGE_FORMAT_INCORRECT}: {msg.correlation_id} - {e}")
-        except Exception as e:
-            logging.info(f"Exception for: {msg.correlation_id} - {e}")
+        except Exception:
+            logging.exception(f"Exception processing message: {msg.correlation_id}")

        return complete_message

--- a/devops/scripts/porter_local_env.sh
+++ b/devops/scripts/porter_local_env.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This script adds missing env vars that are needed to run porter commands locally.
+# If a bundle defines a parameter that isn't in the environment it will be added.
+# When/if this issue will be address, we could remove the script:
+# https://github.com/getporter/porter/issues/2474
+
+set -o errexit
+set -o pipefail
+# set -o xtrace
+
+while read -r env_var_name; do
+  if [[ -z "${!env_var_name}" ]]; then
+    echo "${env_var_name} doesn't exist."
+    # shellcheck disable=SC2086
+    declare -g $env_var_name=
+    export "${env_var_name?}"
+  fi
+done < <(jq -r '.parameters[].source.env' parameters.json)
--- a/devops/scripts/setup_local_debugging.sh
+++ b/devops/scripts/setup_local_debugging.sh
@ -5,7 +5,9 @@ set -e
 : "${RESOURCE_GROUP_NAME?"Check RESOURCE_GROUP_NAME is defined in ./templates/core/private.env"}"
 : "${SERVICE_BUS_RESOURCE_ID?"Check SERVICE_BUS_RESOURCE_ID is defined in ./templates/core/private.env"}"
 : "${STATE_STORE_RESOURCE_ID?"Check STATE_STORE_RESOURCE_ID is defined in ./templates/core/private.env"}"
+: "${COSMOSDB_MONGO_RESOURCE_ID?"Check COSMOSDB_MONGO_RESOURCE_ID is defined in ./templates/core/private.env"}"
 : "${COSMOSDB_ACCOUNT_NAME?"Check COSMOSDB_ACCOUNT_NAME is defined in ./templates/core/private.env"}"
+: "${COSMOSDB_MONGO_ACCOUNT_NAME?"Check COSMOSDB_MONGO_ACCOUNT_NAME is defined in ./templates/core/private.env"}"
 : "${AZURE_SUBSCRIPTION_ID?"Check AZURE_SUBSCRIPTION_ID is defined in ./templates/core/private.env"}"
 : "${EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID?"Check EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID is defined in ./templates/core/private.env"}"
 : "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID?"Check EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID is defined in ./templates/core/private.env"}"
@ -28,6 +30,12 @@ az cosmosdb update \
  --resource-group "${RESOURCE_GROUP_NAME}" \
  --ip-range-filter "${IPADDR}"

+echo "Adding local IP Address to ${COSMOSDB_MONGO_ACCOUNT_NAME}. This may take a while . . . "
+az cosmosdb update \
+  --name "${COSMOSDB_MONGO_ACCOUNT_NAME}" \
+  --resource-group "${RESOURCE_GROUP_NAME}" \
+  --ip-range-filter "${IPADDR}"
+
 echo "Adding local IP Address to ${SERVICE_BUS_NAMESPACE}."
 az servicebus namespace network-rule add \
  --resource-group "${RESOURCE_GROUP_NAME}" \
@ -66,6 +74,11 @@ az role assignment create \
    --assignee "${LOGGED_IN_OBJECT_ID}" \
    --scope "${STATE_STORE_RESOURCE_ID}"

+az role assignment create \
+    --role "Contributor" \
+    --assignee "${LOGGED_IN_OBJECT_ID}" \
+    --scope "${COSMOSDB_MONGO_RESOURCE_ID}"
+
 az role assignment create \
    --role "EventGrid Data Sender" \
    --assignee "${LOGGED_IN_OBJECT_ID}" \
--- a/docs/azure-tre-overview/architecture.md
+++ b/docs/azure-tre-overview/architecture.md
@ -50,19 +50,19 @@ To automate Porter it needs a place to live in Azure TRE. The home chosen for Po
 [![Resource Processor overview](../assets/resource-processor-overview.jpg)](../assets/resource-processor-overview.jpg)

 <!-- markdownlint-disable MD013 -->
-During the deployment of Resource Processor itself it is given the credentials of a managed identity with the privileges to modify and deploy resources to the subscription associated with the Azure TRE instance. Resource Processor later then uses these credentials to receive and send Service Bus messages, authorizes Porter to deploy Porter bundles and to access the storage account to update installation data.
+During the deployment of Resource Processor itself it is given the credentials of a managed identity with the privileges to modify and deploy resources to the subscription associated with the Azure TRE instance. Resource Processor then uses these credentials to receive and send Service Bus messages, authorizes Porter to access its state (stored in Cosmos-MongoDB) and deploy bundles.
 <!-- markdownlint-enable MD013 -->

 The logic in Resource Processor is written in Python. The Resource Processor implementation is located in [`resource_processor` folder](https://github.com/microsoft/AzureTRE/blob/main/resource_processor/) of the repository.

-The [TRE Administrator](user-roles.md#tre-administrator) can register a Porter bundle to use the Composition Service to provision instances of the Workspace Templates.
+The [TRE Administrator](user-roles.md#tre-administrator) can register a Porter bundle that will be used to provision instances of bundle (template).

 This requires:

 1. The Porter bundle to be pushed to the Azure Container Registry (ACR).
-1. Registering the Workspace through the API.
+1. Registering the Template through the API.

-Details on how to [register a Workspace Template](../tre-admins/registering-templates.md).
+Details on how to [register a Template](../tre-admins/registering-templates.md).

 ## Provisioning a Workspace

@ -91,10 +91,10 @@ The flow to provision a Workspace is as follows (the flow is the same for all ki

    ```bash
    # simplified for readability
-    porter <action> --reference <ACR name>.azurecr.io/bundles/<name>:<version> --params key=value --cred <credentials set name or file>
+    porter <action> --reference <ACR name>.azurecr.io/bundles/<name>:<version> --params key=value --cred <credentials set name>

    # Example
-    porter install --reference msfttreacr.azurecr.io/bundles/BaseWorkspaceTemplate:1.0 --params param1=value1 --cred arm_auth_local_debugging.json
+    porter install --reference msfttreacr.azurecr.io/bundles/BaseWorkspaceTemplate:1.0 --params param1=value1 --cred arm_auth
    ```

    Deployments are carried out against the Azure Subscription using a User Assigned Managed Identity. The `arm_auth_local_debugging.json` tells Porter where the credential information can be found and for the Resource Processor they are set as environment variables.
@ -103,8 +103,7 @@ The flow to provision a Workspace is as follows (the flow is the same for all ki

 1. The Porter Docker bundle is pulled from the Azure Container Registry (ACR) and executed.
 1. The Porter bundle executes against Azure Resource Manager to provision Azure resources. Any kind of infrastructure of code frameworks like ARM, Terraform, or Pulumi can be used or scripted via PowerShell or Azure CLI.
-1. Porter stores state and outputs in Azure Storage Containers. State for keeping persistent state between executions of a bundled with the same Workspace.
-1. For the time being, the Porter bundle updates Firewall rules directly setting egress rules. An enhancement to implement a Shared Firewall services is planned ([#882](https://github.com/microsoft/AzureTRE/issues/882)).
-1. The Resource Processor sends events to the `deploymentstatus` queue on state changes and informs if the deployment succeeded or failed.
+1. Porter stores state (like outputs) in Cosmos-MongoDB.
+1. The Resource Processor sends events to the `deploymentstatus` queue on status changes and informs if the deployment succeeded or failed.
 1. The API receives the status of the Porter bundle execution.
 1. The API updates the status of the Porter bundle execution in the Configuration Store.
--- a/docs/azure-tre-overview/tre-resources-breakdown.md
+++ b/docs/azure-tre-overview/tre-resources-breakdown.md
@ -13,7 +13,7 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre

 | Name | Azure Service | Description | Additional links
 |---|---|---|---|
-| {MGMT_STORAGE_ACCOUNT_NAME} | Storage Account | [Azure TRE Terraform and Porter state](../../tre-admins/setup-instructions/pre-deployment-steps)  | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
+| {MGMT_STORAGE_ACCOUNT_NAME} | Storage Account | [Azure TRE Terraform](../../tre-admins/setup-instructions/pre-deployment-steps)  | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
 | {ACR_NAME} | Container Registry | [Azure TRE container images (Porter bundles)](../architecture/#composition-service) | [Container Registry](https://docs.microsoft.com/en-gb/azure/container-registry/container-registry-intro)

 ## Azure TRE Resource Group
@ -42,7 +42,7 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre
 | id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
 | sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | [Service Bus](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview)
 | stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
-| stg{TRE_ID} | Storage Account | Files shares for TRE services such as Porter, Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction)
+| stg{TRE_ID} | Storage Account | Files shares for TRE services such as Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction)
 | stweb{TRE_ID} | Storage Account | Storage for [Azure TRE Let's Encrypt](../../tre-admins/setup-instructions/deploying-azure-tre) | [Storage Blob](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
 | vm-{TRE_ID} | Virtual Machine | [Azure TRE VM (jumpbox)](https://microsoft.github.io/AzureTRE/tre-admins/setup-instructions/configuring-shared-services) | [Windows Virtual Machine](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview)
 | vm-{TRE_ID} | Virtual Machine Scale Set | [Azure TRE Resource Processor](../../tre-developers/resource-processor) | [Virtual Machine Scale Sets](https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview)
--- a/docs/tre-developers/resource-processor.md
+++ b/docs/tre-developers/resource-processor.md
@ -128,7 +128,7 @@ Furthermore, Porter provides a set of [mixins](https://porter.sh/mixins/) - anal

 ### Porter Azure plugin

-Resource Processor uses [Porter Azure plugin](https://github.com/getporter/azure-plugins) to store Porter data in TRE management storage account. The storage table, named `porter`, is created during the bootstrapping phase of TRE deployment. The `/resource_processor/run.sh` script generates a `config.toml` file in Porter home folder to enable the Azure plugin when the image is started.
+Resource Processor uses [Porter Azure plugin](https://github.com/getporter/azure-plugins) to access secrets in Azure Key Vault.

 ### Porter bundle inputs

--- a/docs/troubleshooting-faq/troubleshooting-rp.md
+++ b/docs/troubleshooting-faq/troubleshooting-rp.md
@ -40,8 +40,15 @@ To start a processor container manually:
  docker run -v /var/run/docker.sock:/var/run/docker.sock --env-file .env --name resource_processor_vmss_porter_debug [runner_image:tag]
  ```

-!!! info
-    All logs from the resource processor should also be transferred to the App Insights instance, so it is not necessary to follow the progress by logging into the instance. Logging into the instance and starting a container manually however, is helpful in live debugging.
+## Logs
+
+All logs from the resource processor are transferred to the App Insights instance, so it is not usually necessary to follow the progress by logging into the instance.
+
+Logging into the instance and starting a container manually however, is helpful in live debugging.
+When doing so, you can use the following aliases to monitor progress:
+* rpstatus - a split screen with `docker ps` to show what containers are running (a bundle action run in its own container), the Resource Processor logs, and a _free_ section for you to type any other command you wish (see below).
+* dlf - runs `docker logs --since 1m --follow`, you should use with the name/id of the container you want to view, e.g. `dlf my_container`
+* dlf1 - same as `dlf` but will auto select the last container in the `docker ps` list (usually the last one started).

 ## Updating the running container

--- a/resource_processor/_version.py
+++ b/resource_processor/_version.py
@ -1 +1 @@
-__version__ = "0.4.14"
+__version__ = "0.5.1"
--- a/resource_processor/resources/commands.py
+++ b/resource_processor/resources/commands.py
@ -8,13 +8,13 @@ from shared.logging import shell_output_logger


 def azure_login_command(config):
-    # Use a Service Principal when running locally
-    local_login = f"az login --service-principal --username {config['arm_client_id']} --password {config['arm_client_secret']} --tenant {config['arm_tenant_id']}"
+    if config["vmss_msi_id"]:
+        # Use the Managed Identity when in VMSS context
+        command = f"az login --identity -u {config['vmss_msi_id']}"
+    else:
+        # Use a Service Principal when running locally
+        command = f"az login --service-principal --username {config['arm_client_id']} --password {config['arm_client_secret']} --tenant {config['arm_tenant_id']}"

-    # Use the Managed Identity when in VMSS context
-    vmss_login = f"az login --identity -u {config['vmss_msi_id']}"
-
-    command = vmss_login if config["vmss_msi_id"] else local_login
    return command


@ -63,22 +63,21 @@ async def build_porter_command(config, logger, msg_body, custom_action=False):

    installation_id = get_installation_id(msg_body)

-    command_line = [f"{azure_login_command(config)} && {azure_acr_login_command(config)} && porter "
+    command_line = [f"{azure_login_command(config)} && {azure_acr_login_command(config)} && porter"
                    # If a custom action (i.e. not install, uninstall, upgrade) we need to use 'invoke'
-                    f"{'invoke --action ' if custom_action else ''}"
-                    f"{msg_body['action']} \"{installation_id}\" "
+                    f"{' invoke --action' if custom_action else ''}"
+                    f" {msg_body['action']} \"{installation_id}\""
                    f" --reference {config['registry_server']}/{msg_body['name']}:v{msg_body['version']}"
                    f" {porter_parameters} --allow-docker-host-access --force"
-                    f" --cred ./vmss_porter/arm_auth_local_debugging.json"
-                    f" --cred ./vmss_porter/aad_auth.json"
+                    f" --credential-set arm_auth"
+                    f" --credential-set aad_auth"
                    ]
    return command_line


 async def build_porter_command_for_outputs(msg_body):
    installation_id = get_installation_id(msg_body)
-    # we only need "real" outputs and use jq to remove the logs which are big
-    command_line = [f"porter installations output list --installation {installation_id} --output json | jq -c 'del (.[] | select(.Name==\"io.cnab.outputs.invocationImageLogs\"))'"]
+    command_line = [f"porter installations output list --installation {installation_id} --output json"]
    return command_line


--- a/resource_processor/run.sh
+++ b/resource_processor/run.sh
@ -1,20 +1,16 @@
 #!/bin/bash

+set -o errexit
+set -o pipefail
+set -o nounset
+# Uncomment this line to see each command for debugging (careful: this will show secrets!)
+# set -o xtrace
+
 # Generate required configuration for Porter Azure plugin
-if [[ -z "${MGMT_RESOURCE_GROUP_NAME}" ]]; then
-  >&2 echo "Environment variable for TRE management resource group name missing"
-fi
-
-if [[ -z "${MGMT_STORAGE_ACCOUNT_NAME}" ]]; then
-  >&2 echo "Environment variable for TRE management storage account name missing"
-fi
-
-if [[ -z "${KEY_VAULT_NAME}" ]]; then
-  >&2 echo "Environment variable for Key Vault name missing"
-fi

+# TODO: Remove porter v0 https://github.com/microsoft/AzureTRE/issues/2990
 # Documentation here: - https://github.com/vdice/porter-bundles/tree/master/azure-keyvault
-cat > /root/.porter/config.toml << EOF
+cat > /"${PORTER_HOME_V0}"/config.toml << EOF
 default-storage = "azurestorage"
 default-secrets = "aad_auth"
 no-logs = true
@ -35,5 +31,37 @@ plugin = "azure.keyvault"
 vault = "${KEY_VAULT_NAME}"
 EOF

+# TODO: Remove porter v0 https://github.com/microsoft/AzureTRE/issues/2990
+echo "Azure cli login..."
+az login --identity -u "${VMSS_MSI_ID}"
+
+echo "Checking if porter v0 state exists..."
+exits=$(az storage table exists --account-name "${MGMT_STORAGE_ACCOUNT_NAME}" --name "porter" --auth-mode "login" --output tsv)
+if [ "${exits}" = "True" ]; then
+  echo "v0 state exists. Checking if migration was completed once before..."
+  migration_complete_container_name="porter-migration-completed"
+  exits=$(az storage container exists --account-name "${MGMT_STORAGE_ACCOUNT_NAME}" --name "${migration_complete_container_name}" --auth-mode "login" --output tsv)
+  if [ "${exits}" = "False" ]; then
+      echo "${migration_complete_container_name} container doesn't exist. Running porter migration..."
+      porter storage migrate --old-home "${PORTER_HOME_V0}" --old-account "azurestorage"
+      echo "Porter migration complete. Creating ${migration_complete_container_name} container to prevert migrating again in the future..."
+      az storage container create --account-name "${MGMT_STORAGE_ACCOUNT_NAME}" --name "${migration_complete_container_name}" --auth-mode "login" --fail-on-exist
+      echo "Migration is done."
+  else
+      echo "${migration_complete_container_name} container is present. Skipping porter migration."
+  fi
+else
+  echo "Porter v0 state doesn't exist."
+fi
+
+echo "Azure cli logout..."
+az logout
+
+# Can't be in the image since DB connection is needed.
+echo "Applying credential sets..."
+porter credentials apply vmss_porter/arm_auth_local_debugging.json
+porter credentials apply vmss_porter/aad_auth.json
+
 # Launch the runner
+echo "Starting resource processor..."
 python -u vmss_porter/runner.py
--- a/resource_processor/scripts/azure-cli.sh
+++ b/resource_processor/scripts/azure-cli.sh
@ -14,7 +14,3 @@ AZ_REPO="$(lsb_release -cs)"
 echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list
 apt-get update
 apt-get -y install azure-cli="${AZURE_CLI_VERSION}"
-
-# apt cleanup
-apt-get clean -y
-rm -rf /var/lib/apt/lists/*
--- a/resource_processor/scripts/porter-v1.sh
+++ b/resource_processor/scripts/porter-v1.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+set -o nounset
+# Uncomment this line to see each command for debugging (careful: this will show secrets!)
+# set -o xtrace
+
+export PORTER_HOME=${PORTER_HOME:-~/.porter}
+export PORTER_MIRROR=${PORTER_MIRROR:-https://cdn.porter.sh}
+PORTER_VERSION=${PORTER_VERSION:-latest}
+
+echo "Installing porter@$PORTER_VERSION to $PORTER_HOME from $PORTER_MIRROR"
+
+mkdir -p "$PORTER_HOME/runtimes"
+
+curl -fsSLo "$PORTER_HOME/porter" "$PORTER_MIRROR/$PORTER_VERSION/porter-linux-amd64"
+chmod +x "$PORTER_HOME/porter"
+ln -s "$PORTER_HOME/porter" "$PORTER_HOME/runtimes/porter-runtime"
+echo "Installed $("${PORTER_HOME}"/porter version)"
+
+"${PORTER_HOME}/porter" mixin install exec --version "$PORTER_VERSION"
+"${PORTER_HOME}/porter" mixin install terraform --version "$PORTER_TERRAFORM_MIXIN_VERSION"
+"${PORTER_HOME}/porter" mixin install az --version "$PORTER_AZ_MIXIN_VERSION"
+
+"${PORTER_HOME}/porter" plugin install azure --version "$PORTER_AZURE_PLUGIN_VERSION"
+
+echo "Installation complete."
--- a/resource_processor/shared/config.py
+++ b/resource_processor/shared/config.py
@ -17,6 +17,7 @@ def get_config(logger_adapter) -> dict:
    config["service_bus_namespace"] = os.environ["SERVICE_BUS_FULLY_QUALIFIED_NAMESPACE"]
    config["vmss_msi_id"] = os.environ.get("VMSS_MSI_ID", None)
    config["number_processes"] = os.environ.get("NUMBER_PROCESSES", "1")
+    config["key_vault_name"] = os.environ.get("KEY_VAULT_NAME", os.environ.get("KEYVAULT", None))

    try:
        config["number_processes_int"] = int(config["number_processes"])
@ -30,19 +31,38 @@ def get_config(logger_adapter) -> dict:
    config["arm_client_id"] = os.environ["ARM_CLIENT_ID"]
    config["arm_tenant_id"] = os.environ["AZURE_TENANT_ID"]

-    # Only set client secret if MSI is disabled
-    config["arm_client_secret"] = os.environ["ARM_CLIENT_SECRET"] if config["arm_use_msi"] == "false" else ""
+    if config["arm_use_msi"] == "false":
+        # These are needed when running locally
+        config["arm_client_secret"] = os.environ["ARM_CLIENT_SECRET"]
+        config["aad_tenant_id"] = os.environ["AAD_TENANT_ID"]
+        config["application_admin_client_id"] = os.environ["APPLICATION_ADMIN_CLIENT_ID"]
+        config["application_admin_client_secret"] = os.environ["APPLICATION_ADMIN_CLIENT_SECRET"]
+
+    else:
+        config["arm_client_secret"] = ""  # referenced in the credential set

    # Create env dict for porter
    config["porter_env"] = {
        "HOME": os.environ["HOME"],
        "PATH": os.environ["PATH"],
+        "KEY_VAULT_NAME": config["key_vault_name"],
+
+        # These are needed since they are referenced as credentials in every bundle and also in arm_auth credential set.
        "ARM_CLIENT_ID": config["arm_client_id"],
        "ARM_CLIENT_SECRET": config["arm_client_secret"],
        "ARM_SUBSCRIPTION_ID": config["arm_subscription_id"],
-        "ARM_TENANT_ID": config["arm_tenant_id"]
+        "ARM_TENANT_ID": config["arm_tenant_id"],
    }

+    if config["arm_use_msi"] == "false":
+        config["porter_env"].update(
+            {
+                "AAD_TENANT_ID": config["aad_tenant_id"],
+                "APPLICATION_ADMIN_CLIENT_ID": config["application_admin_client_id"],
+                "APPLICATION_ADMIN_CLIENT_SECRET": config["application_admin_client_secret"],
+            }
+        )
+
    # Load env vars for bundles
    def envvar_to_key(name: str) -> str:
        return name[len("RP_BUNDLE_"):].lower()
--- a/resource_processor/vmss_porter/Dockerfile
+++ b/resource_processor/vmss_porter/Dockerfile
@ -1,42 +1,62 @@
+# syntax=docker/dockerfile:1
 FROM python:3.8-slim-bullseye

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
 # Install Azure CLI
-ARG AZURE_CLI_VERSION=2.40.0-1~bullseye
+ARG AZURE_CLI_VERSION=2.43.0-1~bullseye
 COPY scripts/azure-cli.sh /tmp/
-RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
    && /tmp/azure-cli.sh

+# TODO: Remove porter v0 https://github.com/microsoft/AzureTRE/issues/2990
 # Install Porter
 ARG PORTER_MIRROR=https://cdn.porter.sh
 ARG PORTER_VERSION=v0.38.13
 ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.0-rc.1
 ARG PORTER_AZ_MIXIN_VERSION=v0.7.3
 ARG PORTER_AZURE_PLUGIN_VERSION=v0.11.2
-ARG PORTER_HOME=/root/.porter/
+ARG PORTER_HOME=/root/.porter-v0/
 COPY scripts/porter.sh /tmp/
 RUN export PORTER_MIRROR=${PORTER_MIRROR} \
    PORTER_VERSION=${PORTER_VERSION} \
    PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
    PORTER_AZ_MIXIN_VERSION=${PORTER_AZ_MIXIN_VERSION} \
-    PORTER_DOCKER_MIXIN_VERSION=${PORTER_DOCKER_MIXIN_VERSION} \
    PORTER_AZURE_PLUGIN_VERSION=${PORTER_AZURE_PLUGIN_VERSION} \
    PORTER_HOME=${PORTER_HOME} \
    && /tmp/porter.sh

-ENV PATH ${PORTER_HOME}:$PATH
+ENV PORTER_HOME_V0 ${PORTER_HOME}
+
+# can't be in a non default path
+# ARG PORTER_HOME_V1=/home/$USERNAME/.porter-v1/
+ARG PORTER_HOME_V1=/root/.porter/
+ARG PORTER_VERSION=v1.0.4
+ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.0
+ARG PORTER_AZ_MIXIN_VERSION=v1.0.0
+ARG PORTER_AZURE_PLUGIN_VERSION=v1.0.1
+COPY scripts/porter-v1.sh /tmp/
+RUN export PORTER_VERSION=${PORTER_VERSION} \
+    PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
+    PORTER_AZ_MIXIN_VERSION=${PORTER_AZ_MIXIN_VERSION} \
+    PORTER_AZURE_PLUGIN_VERSION=${PORTER_AZURE_PLUGIN_VERSION} \
+    PORTER_HOME=${PORTER_HOME_V1} \
+    && /tmp/porter-v1.sh
+
+ENV PATH ${PORTER_HOME_V1}:$PATH

 # Install Docker
-RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release --no-install-recommends \
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release --no-install-recommends \
    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
    | tee /etc/apt/sources.list.d/docker.list > /dev/null \
-    && apt-get update && apt-get install -y docker-ce="5:20.10.21~3-0~debian-bullseye" docker-ce-cli="5:20.10.21~3-0~debian-bullseye" containerd.io="1.6.12-1" --no-install-recommends \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+    && apt-get update && apt-get install -y docker-ce="5:20.10.21~3-0~debian-bullseye" docker-ce-cli="5:20.10.21~3-0~debian-bullseye" containerd.io="1.6.12-1" --no-install-recommends

-# Install jq
-RUN apt-get update && apt-get install -y jq="1.6-2.1" --no-install-recommends && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+COPY ./vmss_porter/config.yaml ${PORTER_HOME_V1}/

 ENV PYTHONPATH .

--- a/resource_processor/vmss_porter/aad_auth.json
+++ b/resource_processor/vmss_porter/aad_auth.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+b6c701f",
+  "schemaType": "CredentialSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
  "name": "aad_auth",
-  "created": "2022-03-29T20:35:53.517982Z",
-  "modified": "2022-03-29T20:35:53.517982Z",
  "credentials": [
    {
      "name": "auth_tenant_id",
--- a/resource_processor/vmss_porter/aad_auth_local_debugging.json
+++ b/resource_processor/vmss_porter/aad_auth_local_debugging.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+b6c701f",
+  "schemaType": "CredentialSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
  "name": "aad_auth",
-  "created": "2022-03-29T20:35:53.517982Z",
-  "modified": "2022-03-29T20:35:53.517982Z",
  "credentials": [
    {
      "name": "auth_tenant_id",
--- a/resource_processor/vmss_porter/arm_auth_local_debugging.json
+++ b/resource_processor/vmss_porter/arm_auth_local_debugging.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+b6c701f",
-  "name": "azure",
-  "created": "2021-06-03T11:31:05.7314113Z",
-  "modified": "2021-06-03T11:31:05.7314113Z",
+  "schemaType": "CredentialSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "arm_auth",
  "credentials": [
    {
      "name": "azure_client_id",
@ -29,4 +29,4 @@
      }
    }
  ]
-}
+}
--- a/resource_processor/vmss_porter/config.yaml
+++ b/resource_processor/vmss_porter/config.yaml
@ -0,0 +1,15 @@
+---
+default-storage: mydb
+default-secrets: mysecrets
+
+storage:
+  - name: mydb
+    plugin: mongodb
+    config:
+      url: ${secret.porter-db-connection-string}
+
+secrets:
+  - name: mysecrets
+    plugin: azure.keyvault
+    config:
+      vault: ${env.KEY_VAULT_NAME}
--- a/resource_processor/vmss_porter/runner.py
+++ b/resource_processor/vmss_porter/runner.py
@ -142,6 +142,7 @@ def service_bus_message_generator(sb_message: dict, status: str, deployment_mess
        message_dict["outputs"] = outputs

    resource_request_message = json.dumps(message_dict)
+    logger_adapter.info(f"Deployment Status Message: {resource_request_message}")
    return resource_request_message


@ -168,13 +169,25 @@ async def invoke_porter_action(msg_body: dict, sb_client: ServiceBusClient, mess

    # Handle command output
    if returncode != 0:
-        error_message = "Error context message = " + " ".join(err.split('\n')) + " ; Command executed: ".join(porter_command)
-        resource_request_message = service_bus_message_generator(msg_body, statuses.failed_status_string_for[action], error_message)
+        error_message = "Error message: " + " ".join(err.split('\n')) + "; Command executed: " + " ".join(porter_command)
+
+        pass_despite_error = False
+        if "uninstall" == action and "could not find installation" in err:
+            message_logger_adapter.warning("The installation doesn't exist. Treating as a successful action to allow the flow to proceed.")
+            pass_despite_error = True
+            error_message = f"A success despite of underlying error. {error_message}"
+
+        if pass_despite_error:
+            status_for_sb_message = statuses.pass_status_string_for[action]
+        else:
+            status_for_sb_message = statuses.failed_status_string_for[action]
+
+        resource_request_message = service_bus_message_generator(msg_body, status_for_sb_message, error_message)

        # Post message on sb queue to notify receivers of action failure
        await sb_sender.send_messages(ServiceBusMessage(body=resource_request_message, correlation_id=msg_body["id"], session_id=msg_body["operationId"]))
        message_logger_adapter.info(f"{installation_id}: Porter action failed with error = {error_message}")
-        return False
+        return pass_despite_error

    else:
        # Get the outputs
@ -209,8 +222,8 @@ async def get_porter_outputs(msg_body: dict, message_logger_adapter: logging.Log

            # loop props individually to try to deserialise to dict/list, as all TF outputs are strings, but we want the pure value
            for i in range(0, len(outputs_json)):
-                if "{" in outputs_json[i]['Value'] or "[" in outputs_json[i]['Value']:
-                    outputs_json[i]['Value'] = json.loads(outputs_json[i]['Value'].replace("\\", ""))
+                if "{" in outputs_json[i]['value'] or "[" in outputs_json[i]['value']:
+                    outputs_json[i]['value'] = json.loads(outputs_json[i]['value'].replace("\\", ""))

            message_logger_adapter.info(f"Got outputs as json: {outputs_json}")
        except ValueError:
--- a/templates/core/terraform/cosmos_mongo.tf
+++ b/templates/core/terraform/cosmos_mongo.tf
@ -0,0 +1,102 @@
+resource "azurerm_cosmosdb_account" "mongo" {
+  name                      = "cosmos-mongo-${var.tre_id}"
+  location                  = azurerm_resource_group.core.location
+  resource_group_name       = azurerm_resource_group.core.name
+  offer_type                = "Standard"
+  kind                      = "MongoDB"
+  enable_automatic_failover = false
+  mongo_server_version      = 4.2
+  ip_range_filter           = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+
+  capabilities {
+    name = "EnableServerless"
+  }
+
+  capabilities {
+    name = "EnableMongo"
+  }
+
+  capabilities {
+    name = "DisableRateLimitingResponses"
+  }
+
+  capabilities {
+    name = "mongoEnableDocLevelTTL"
+  }
+
+  consistency_policy {
+    consistency_level       = "BoundedStaleness"
+    max_interval_in_seconds = 5
+    max_staleness_prefix    = 100
+  }
+
+  geo_location {
+    location          = var.location
+    failover_priority = 0
+  }
+
+  tags = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_cosmosdb_mongo_database" "mongo" {
+  name                = "porter"
+  resource_group_name = azurerm_resource_group.core.name
+  account_name        = azurerm_cosmosdb_account.mongo.name
+}
+
+resource "azurerm_management_lock" "mongo" {
+  count      = var.stateful_resources_locked ? 1 : 0
+  name       = "mongo-lock"
+  scope      = azurerm_cosmosdb_mongo_database.mongo.id
+  lock_level = "CanNotDelete"
+  notes      = "Locked to prevent accidental deletion"
+}
+
+resource "azurerm_private_dns_zone" "mongo" {
+  name                = "privatelink.mongo.cosmos.azure.com"
+  resource_group_name = azurerm_resource_group.core.name
+  tags                = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "mongo" {
+  name                  = "cosmos_mongo_dns_link"
+  resource_group_name   = azurerm_resource_group.core.name
+  private_dns_zone_name = azurerm_private_dns_zone.mongo.name
+  virtual_network_id    = module.network.core_vnet_id
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_endpoint" "mongo" {
+  name                = "pe-${azurerm_cosmosdb_account.mongo.name}"
+  location            = azurerm_resource_group.core.location
+  resource_group_name = azurerm_resource_group.core.name
+  subnet_id           = module.network.resource_processor_subnet_id
+  tags                = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.mongo.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${azurerm_cosmosdb_account.mongo.name}"
+    private_connection_resource_id = azurerm_cosmosdb_account.mongo.id
+    is_manual_connection           = false
+    subresource_names              = ["MongoDB"]
+  }
+}
+
+resource "azurerm_key_vault_secret" "cosmos_mongo_connstr" {
+  name         = "porter-db-connection-string"
+  value        = azurerm_cosmosdb_account.mongo.connection_strings[0]
+  key_vault_id = azurerm_key_vault.kv.id
+  tags         = local.tre_core_tags
+  depends_on = [
+    azurerm_key_vault_access_policy.deployer
+  ]
+}
--- a/templates/core/terraform/json-to-env.sh
+++ b/templates/core/terraform/json-to-env.sh
@ -49,10 +49,19 @@ jq -r '
            "path": "state_store_resource_id",
            "env_var": "STATE_STORE_RESOURCE_ID"
        },
+        {
+            "path": "cosmosdb_mongo_resource_id",
+            "env_var": "COSMOSDB_MONGO_RESOURCE_ID"
+        },
+
        {
            "path": "state_store_account_name",
            "env_var": "COSMOSDB_ACCOUNT_NAME"
        },
+        {
+            "path": "cosmosdb_mongo_account_name",
+            "env_var": "COSMOSDB_MONGO_ACCOUNT_NAME"
+        },
        {
            "path": "state_store_endpoint",
            "env_var": "STATE_STORE_ENDPOINT"
--- a/templates/core/terraform/locals.tf
+++ b/templates/core/terraform/locals.tf
@ -9,4 +9,7 @@ locals {
    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"
  ]
  docker_registry_server = "${var.acr_name}.azurecr.io"
+
+  # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
+  azure_portal_cosmos_ips = "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
 }
--- a/templates/core/terraform/outputs.tf
+++ b/templates/core/terraform/outputs.tf
@ -42,14 +42,27 @@ output "state_store_resource_id" {
  value = azurerm_cosmosdb_account.tre_db_account.id
 }

+output "cosmosdb_mongo_resource_id" {
+  value = azurerm_cosmosdb_account.mongo.id
+}
+
 output "state_store_endpoint" {
  value = azurerm_cosmosdb_account.tre_db_account.endpoint
 }

+output "cosmosdb_mongo_endpoint" {
+  value     = azurerm_cosmosdb_account.mongo.connection_strings[0]
+  sensitive = true
+}
+
 output "state_store_account_name" {
  value = azurerm_cosmosdb_account.tre_db_account.name
 }

+output "cosmosdb_mongo_account_name" {
+  value = azurerm_cosmosdb_account.mongo.name
+}
+
 output "app_insights_connection_string" {
  value     = module.azure_monitor.app_insights_connection_string
  sensitive = true
--- a/templates/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
+++ b/templates/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
@ -59,18 +59,24 @@ write_files:
      set -o errexit
      used_percent=$(df / --output=pcent | tail -1 | sed 's/[^0-9]//g')
      echo "Used disk space percent: $${used_percent}"
-      if (( used_percent > 70 )); then
+      if (( used_percent > 75 )); then
        echo "Free space too low, pruning..."
        docker system prune -f
      fi
    permissions: '0755'

 runcmd:
+  # Those are useful live debug commands. Check the docs for details:
+  # (https://microsoft.github.io/AzureTRE/troubleshooting-faq/troubleshooting-rp/#Logs)
+  - printf '\nalias dlf="docker logs --since 1m --follow"' >> /etc/bash.bashrc
+  - printf '\nalias dlf1='\''dlf $(docker ps -q | head -n 1)'\''' >> /etc/bash.bashrc
+  - printf '\nalias rpstatus='\''tmux new-session -d "watch docker ps"; tmux split-window -p 100 -v "docker logs --since 1m --follow resource_processor1"; tmux split-window -v -p 90; tmux -2 attach-session -d'\''\n' >> /etc/bash.bashrc
+
  - export DEBIAN_FRONTEND=noninteractive
  - az login --identity -u ${vmss_msi_id}
  - az acr login --name ${docker_registry_server}
  - docker run -d -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock
    --restart always --env-file .env
-    --name resource_processor_vmss_porter1
+    --name resource_processor1
    --log-driver local
    ${docker_registry_server}/${resource_processor_vmss_porter_image_repository}:${resource_processor_vmss_porter_image_tag}
--- a/templates/core/terraform/statestore.tf
+++ b/templates/core/terraform/statestore.tf
@ -5,7 +5,7 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
  offer_type                = "Standard"
  kind                      = "GlobalDocumentDB"
  enable_automatic_failover = false
-  ip_range_filter           = var.enable_local_debugging ? local.myip : null
+  ip_range_filter           = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
  tags                      = local.tre_core_tags

  consistency_policy {
--- a/templates/core/version.txt
+++ b/templates/core/version.txt
@ -1 +1 @@
-__version__ = "0.4.49"
+__version__ = "0.5.0"
--- a/templates/shared_services/admin-vm/Dockerfile.tmpl
+++ b/templates/shared_services/admin-vm/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}//
--- a/templates/shared_services/admin-vm/parameters.json
+++ b/templates/shared_services/admin-vm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-admin-vm",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/admin-vm/porter.yaml
+++ b/templates/shared_services/admin-vm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-admin-vm
-version: 0.2.0
+version: 0.3.0
 description: "An admin vm shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -42,46 +43,43 @@ parameters:

 mixins:
  - terraform:
-      clientVersion: 1.2.9
+      clientVersion: 1.3.6

 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-admin-vm

 upgrade:
  - terraform:
      description: "Upgrade shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-admin-vm

 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-admin-vm
--- a/templates/shared_services/airlock_notifier/Dockerfile.tmpl
+++ b/templates/shared_services/airlock_notifier/Dockerfile.tmpl
@ -1,28 +1,21 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

+# PORTER_INIT
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-ARG BUNDLE_DIR
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

-RUN apt-get update \
-    && apt-get install --no-install-recommends -y zip \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+# Install jq
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && \
+    apt-get install -y zip --no-install-recommends

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/

-WORKDIR $BUNDLE_DIR/app
+WORKDIR "${BUNDLE_DIR}/app"
 RUN zip -r /cnab/app/LogicApp.zip .
--- a/templates/shared_services/airlock_notifier/parameters.json
+++ b/templates/shared_services/airlock_notifier/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-airlock-notifier",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/airlock_notifier/porter.yaml
+++ b/templates/shared_services/airlock_notifier/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-airlock-notifier
-version: 0.2.3
+version: 0.3.0
 description: "A shared service notifying on Airlock Operations"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -56,27 +57,27 @@ parameters:

 mixins:
  - exec
-  - az
+  - az:
+      clientVersion: 2.37.0
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        tre_url: "{{ bundle.parameters.tre_url }}"
-        smtp_server_address: "{{ bundle.parameters.smtp_server_address }}"
-        smtp_username: "{{ bundle.parameters.smtp_username }}"
-        smtp_password: "{{ bundle.parameters.smtp_password }}"
-        smtp_from_email: "{{ bundle.parameters.smtp_from_email }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        tre_url: ${ bundle.parameters.tre_url }
+        smtp_server_address: ${ bundle.parameters.smtp_server_address }
+        smtp_username: ${ bundle.parameters.smtp_username }
+        smtp_password: ${ bundle.parameters.smtp_password }
+        smtp_from_email: ${ bundle.parameters.smtp_from_email }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-airlock-notifier"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-airlock-notifier
      outputs:
        - name: airlock_notifier_logic_app_name
        - name: airlock_notifier_logic_app_resource_group_name
@ -87,7 +88,7 @@ install:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }

  - az:
      description: "Deploy logic app"
@ -97,9 +98,9 @@ install:
        - source
        - config-zip
      flags:
-        name: "{{ bundle.outputs.airlock_notifier_logic_app_name }}"
-        resource-group: "{{ bundle.outputs.airlock_notifier_logic_app_resource_group_name }}"
-        subscription: "{{ bundle.credentials.azure_subscription_id }}"
+        name: ${ bundle.outputs.airlock_notifier_logic_app_name }
+        resource-group: ${ bundle.outputs.airlock_notifier_logic_app_resource_group_name }
+        subscription: ${ bundle.credentials.azure_subscription_id }
        src: LogicApp.zip


@ -114,17 +115,16 @@ upgrade:
 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        tre_url: "{{ bundle.parameters.tre_url }}"
-        smtp_server_address: "{{ bundle.parameters.smtp_server_address }}"
-        smtp_username: "{{ bundle.parameters.smtp_username }}"
-        smtp_password: "{{ bundle.parameters.smtp_password }}"
-        smtp_from_email: "{{ bundle.parameters.smtp_from_email }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        tre_url: ${ bundle.parameters.tre_url }
+        smtp_server_address: ${ bundle.parameters.smtp_server_address }
+        smtp_username: ${ bundle.parameters.smtp_username }
+        smtp_password: ${ bundle.parameters.smtp_password }
+        smtp_from_email: ${ bundle.parameters.smtp_from_email }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-airlock-notifier"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-airlock-notifier
--- a/templates/shared_services/certs/Dockerfile.tmpl
+++ b/templates/shared_services/certs/Dockerfile.tmpl
@ -1,40 +1,22 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM python:3.8-slim-bullseye

-ARG BUNDLE_DIR
+# PORTER_INIT

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-# Install Azure CLI
-# It's useless to specify azcli version since the mixin installs the latest anyway
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends ca-certificates jq curl apt-transport-https lsb-release gnupg \
-    && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
-    && AZ_REPO=$(lsb_release -cs) \
-    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
-    && apt-get update && apt-get -y --no-install-recommends install azure-cli \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 # Install Certbot
 # Some of the tools' versions seem to depend on the base image so proboably best not to specify them.
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends python3 python3-venv libaugeas0 \
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update \
+    && apt-get install -y --no-install-recommends libaugeas0 \
    && python3 -m venv /opt/certbot/ \
    && /opt/certbot/bin/pip install --no-cache-dir --upgrade pip \
-    && /opt/certbot/bin/pip install --no-cache-dir certbot \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+    && /opt/certbot/bin/pip install --no-cache-dir certbot

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/shared_services/certs/parameters.json
+++ b/templates/shared_services/certs/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-certs",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/certs/porter.yaml
+++ b/templates/shared_services/certs/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.2.2
+version: 0.3.0
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -46,27 +47,27 @@ parameters:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        domain_prefix: "{{ bundle.parameters.domain_prefix }}"
-        cert_name: "{{ bundle.parameters.cert_name }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        domain_prefix: ${ bundle.parameters.domain_prefix }
+        cert_name: ${ bundle.parameters.cert_name }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-certs"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-certs
      outputs:
        - name: fqdn
        - name: application_gateway_name
@ -79,19 +80,19 @@ install:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Generate certificate"
      command: bash
      arguments:
        - ./scripts/letsencrypt.sh
      flags:
-        fqdn: "{{ bundle.outputs.fqdn }}"
-        application_gateway_name: "{{ bundle.outputs.application_gateway_name }}"
-        storage_account_name: "{{ bundle.outputs.storage_account_name }}"
-        resource_group_name: "{{ bundle.outputs.resource_group_name }}"
-        keyvault_name: "{{ bundle.outputs.keyvault_name }}"
-        cert_name: "{{ bundle.parameters.cert_name }}"
+        fqdn: ${ bundle.outputs.fqdn }
+        application_gateway_name: ${ bundle.outputs.application_gateway_name }
+        storage_account_name: ${ bundle.outputs.storage_account_name }
+        resource_group_name: ${ bundle.outputs.resource_group_name }
+        keyvault_name: ${ bundle.outputs.keyvault_name }
+        cert_name: ${ bundle.parameters.cert_name }

 upgrade:
  - exec:
@ -103,33 +104,33 @@ upgrade:
 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        domain_prefix: "{{ bundle.parameters.domain_prefix }}"
-        cert_name: "{{ bundle.parameters.cert_name }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        domain_prefix: ${ bundle.parameters.domain_prefix }
+        cert_name: ${ bundle.parameters.cert_name }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-certs"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-certs

 renew:
  - terraform:
      arguments:
        - "output"
      description: "Get Terraform output variables"
+      vars:
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-certs"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-certs
      outputs:
        - name: fqdn
        - name: application_gateway_name
@ -142,16 +143,16 @@ renew:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Renew certificate"
      command: bash
      arguments:
        - ./scripts/letsencrypt.sh
      flags:
-        fqdn: "{{ bundle.outputs.fqdn }}"
-        application_gateway_name: "{{ bundle.outputs.application_gateway_name }}"
-        storage_account_name: "{{ bundle.outputs.storage_account_name }}"
-        resource_group_name: "{{ bundle.outputs.resource_group_name }}"
-        keyvault_name: "{{ bundle.outputs.keyvault_name }}"
-        cert_name: "{{ bundle.parameters.cert_name }}"
+        fqdn: ${ bundle.outputs.fqdn }
+        application_gateway_name: ${ bundle.outputs.application_gateway_name }
+        storage_account_name: ${ bundle.outputs.storage_account_name }
+        resource_group_name: ${ bundle.outputs.resource_group_name }
+        keyvault_name: ${ bundle.outputs.keyvault_name }
+        cert_name: ${ bundle.parameters.cert_name }
--- a/templates/shared_services/cyclecloud/Dockerfile.tmpl
+++ b/templates/shared_services/cyclecloud/Dockerfile.tmpl
@ -1,26 +1,16 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 # Install Git
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y git \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update \
+    && apt-get install --no-install-recommends -y git

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/shared_services/cyclecloud/parameters.json
+++ b/templates/shared_services/cyclecloud/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "cyclecloud",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-cyclecloud",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/cyclecloud/porter.yaml
+++ b/templates/shared_services/cyclecloud/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 0.3.0
+version: 0.4.0
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -48,24 +49,25 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy Cyclecloud shared service"
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: connection_uri

@ -73,17 +75,17 @@ upgrade:
  - terraform:
      description: "Update Cyclecloud shared service"
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: connection_uri

@ -91,17 +93,17 @@ uninstall:
  - terraform:
      description: "Delete the Cyclecloud shared service"
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }

 start:
  - terraform:
@ -109,10 +111,10 @@ start:
        - "output"
      description: "Get resource ID from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -121,14 +123,14 @@ start:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Start the VM"
      arguments:
        - vm
        - start
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 stop:
  - terraform:
@ -136,10 +138,10 @@ stop:
        - "output"
      description: "Get VM hostname and rg from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -148,11 +150,11 @@ stop:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Stop the VM"
      arguments:
        - vm
        - deallocate
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }
--- a/templates/shared_services/firewall/Dockerfile.tmpl
+++ b/templates/shared_services/firewall/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/shared_services/firewall/parameters.json
+++ b/templates/shared_services/firewall/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-firewall",
  "parameters": [
    {
      "name": "tre_id",
@ -45,12 +45,6 @@
      "source": {
        "env": "NETWORK_RULE_COLLECTIONS"
      }
-    },
-    {
-      "name": "stateful_resources_locked",
-      "source": {
-        "env": "STATEFUL_RESOURCES_LOCKED"
-      }
    }
  ]
 }
--- a/templates/shared_services/firewall/porter.yaml
+++ b/templates/shared_services/firewall/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 0.6.3
+version: 0.7.0
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -44,59 +45,49 @@ parameters:
    type: string
    default: "W10=" # b64 for []
    description: "Network rule collection array"
-  - name: stateful_resources_locked
-    env: STATEFUL_RESOURCES_LOCKED
-    type: boolean
-    default: true

 mixins:
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        api_driven_rule_collections_b64: "{{ bundle.parameters.rule_collections }}"
-        api_driven_network_rule_collections_b64: "{{ bundle.parameters.network_rule_collections }}"
-        stateful_resources_locked: "{{ bundle.parameters.stateful_resources_locked }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
+        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-firewall"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-firewall

 upgrade:
  - terraform:
      description: "Upgrade shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        api_driven_rule_collections_b64: "{{ bundle.parameters.rule_collections }}"
-        api_driven_network_rule_collections_b64: "{{ bundle.parameters.network_rule_collections }}"
-        stateful_resources_locked: "{{ bundle.parameters.stateful_resources_locked }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
+        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-firewall"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-firewall

 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        api_driven_rule_collections_b64: "{{ bundle.parameters.rule_collections }}"
-        api_driven_network_rule_collections_b64: "{{ bundle.parameters.network_rule_collections }}"
-        stateful_resources_locked: "{{ bundle.parameters.stateful_resources_locked }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
+        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-firewall"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-firewall
--- a/templates/shared_services/firewall/terraform/.terraform.lock.hcl
+++ b/templates/shared_services/firewall/terraform/.terraform.lock.hcl
@ -2,21 +2,21 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.16.0"
-  constraints = "3.16.0"
+  version     = "3.33.0"
+  constraints = "3.33.0"
  hashes = [
-    "h1:cBZXnJ4WErrhAzoQ1IMUMkpRlUmr8KQ2a0vLKH6B2a8=",
-    "zh:02aecc67db3f7cf19bd39ed454824422c43a5dc9f18b44d9547bb79ba66e0beb",
-    "zh:1775b033e3a29395087d731387efc926251232c4469a6c262f7039669e2f3aed",
-    "zh:1b955c3134b8fa61486383fee609bc99e46883c9b5148cb8d3bdc3d6d25b1e5e",
-    "zh:1ca04c35917fcf9f15aa2f24ef52b823575efa213fcb6d241cd189fddb032268",
-    "zh:20663ca219acc95d1de2129aac941f08eca1093c61cd6775e9c0b239b70a573e",
-    "zh:28427df342789f106ce500a489c750d7971d67cb58c495274878dc55d52452fe",
-    "zh:2a2e0755b9ebedbb4dd55de53191ce02e0a5511648610bf816532cd1614f2d7a",
-    "zh:5cc4c086ff081379070ea8177025a92a53e3c7bec2eabbf8182efa146e05b371",
-    "zh:5df50ae712c2b6e850b5953d5b89a29aca98ef1ae5fac4cb9225080ac319207c",
-    "zh:944ec6ceac2a1af58b58c270db90992d5f32614714647f6086ebc42789fa0f15",
-    "zh:f1e2df2f7db13b234d2cfa5d7c70054df4039532829be6ce8ed11c6f99ba0cf5",
+    "h1:pXB6SKE4NKdf+LepsQjrLcBnVTL5ejeKvx/kyojai6c=",
+    "zh:136d9c642746d8d84e62ecd8ab0c7dc015eac504c1f068e06fad438ae222d934",
+    "zh:266e64b8e32a94ddcc20954ebad1d8ff3921d318addf576e981b1390e5d5ba79",
+    "zh:3bd84a1e5b3bbe34a5870f271d6a5bf9b35a4c924db32b450a1fb53bc910c37a",
+    "zh:3c6604041472bb4691b502877cf9d886ed9f973fbadf11389ec9499fdc66045e",
+    "zh:680c00a73c8054c36a58115a44d02d1ebb675c2ad3afaaab2d74a01f978f16ce",
+    "zh:6dab47ef64f90e43b75ed240a974c4119f5268be4433f3c1c3e97559e7ef2f38",
+    "zh:9f73f19fdc340c443693dc03f1a145c6bd0ee5fd425eab7473d06abbe39b99d7",
+    "zh:9ff008b6737e880f191b4be6dfcef95ff019969dd787c44a58c2d7d6aaf6623b",
+    "zh:be297f1515e9ac63886e3e092a0bcd10aa8aa2b69c2b0995ce4e069176b07a95",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fb29a566e7698cfae477f3efa3bba38526ec8343355763178c6e9c96e51399f3",
+    "zh:fbc3b625733ce5f0970fa8d9743f6db51064c168d6be5fc7a5e3d1a54af28bb7",
  ]
 }
--- a/templates/shared_services/firewall/terraform/firewall.tf
+++ b/templates/shared_services/firewall/terraform/firewall.tf
@ -26,14 +26,6 @@ resource "azurerm_firewall" "fw" {
  lifecycle { ignore_changes = [tags] }
 }

-resource "azurerm_management_lock" "fw" {
-  count      = var.stateful_resources_locked ? 1 : 0
-  name       = azurerm_firewall.fw.name
-  scope      = azurerm_firewall.fw.id
-  lock_level = "CanNotDelete"
-  notes      = "Locked to prevent accidental deletion"
-}
-
 data "azurerm_monitor_diagnostic_categories" "firewall" {
  resource_id = azurerm_firewall.fw.id
 }
@ -45,7 +37,7 @@ resource "azurerm_monitor_diagnostic_setting" "firewall" {
  log_analytics_destination_type = "AzureDiagnostics"

  dynamic "log" {
-    for_each = data.azurerm_monitor_diagnostic_categories.firewall.logs
+    for_each = data.azurerm_monitor_diagnostic_categories.firewall.log_category_types
    content {
      category = log.value
      enabled  = contains(local.firewall_diagnostic_categories_enabled, log.value) ? true : false
--- a/templates/shared_services/firewall/terraform/providers.tf
+++ b/templates/shared_services/firewall/terraform/providers.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = "=3.16.0"
+      version = "=3.33.0"
    }
  }

--- a/templates/shared_services/firewall/terraform/variables.tf
+++ b/templates/shared_services/firewall/terraform/variables.tf
@ -8,12 +8,6 @@ variable "tre_resource_id" {
  description = "Resource ID"
 }

-variable "stateful_resources_locked" {
-  type        = bool
-  default     = true
-  description = "Used to add locks on resources with state"
-}
-
 variable "api_driven_rule_collections_b64" {
  type    = string
  default = "W10=" #b64 for []
--- a/templates/shared_services/gitea/Dockerfile.tmpl
+++ b/templates/shared_services/gitea/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/shared_services/gitea/parameters.json
+++ b/templates/shared_services/gitea/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-gitea",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/gitea/porter.yaml
+++ b/templates/shared_services/gitea/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-gitea
-version: 0.4.0
+version: 0.5.0
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -49,7 +50,7 @@ parameters:

 mixins:
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 outputs:
  - name: gitea_allowed_fqdns_list
@ -68,17 +69,16 @@ outputs:
 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        acr_name: ${ bundle.parameters.mgmt_acr_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-gitea"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-gitea
      outputs:
        - name: gitea_allowed_fqdns_list
        - name: address_prefixes
@ -86,17 +86,16 @@ install:
 upgrade:
  - terraform:
      description: "Upgrade shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        acr_name: ${ bundle.parameters.mgmt_acr_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-gitea"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-gitea
      outputs:
        - name: gitea_allowed_fqdns_list
        - name: address_prefixes
@ -104,14 +103,13 @@ upgrade:
 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        acr_name: ${ bundle.parameters.mgmt_acr_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-gitea"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-gitea
--- a/templates/shared_services/gitea/terraform/.terraform.lock.hcl
+++ b/templates/shared_services/gitea/terraform/.terraform.lock.hcl
@ -2,28 +2,28 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.20.0"
-  constraints = "3.20.0"
+  version     = "3.33.0"
+  constraints = "3.33.0"
  hashes = [
-    "h1:heH/4bYgajEFQ+fwSV9Zduvpyb7eTCQUv+gl201EFg8=",
-    "zh:0d534bb2fed67b5b58d3adb2b0be7a9986f62b34f40eae450dafc9454fb54db8",
-    "zh:19f6d5f196a35500e0f1ae9d9baee44f49b90858524338a7b8aaec06d3e3a047",
-    "zh:1d042648d2eaffde8858a8006b944374599c5e8c2f834ae74b97adedd1468142",
-    "zh:278ebac38cf3c1e6df4bc5de00e931bfc04298607f428aa84a932bbf26dee421",
-    "zh:48f29b802e2de7e6dd2452a012c633686fce5d7ad3eadb490a7b8c0967a9ebfa",
-    "zh:731bf2e97c4a519723682beb2e85e065bf0bf53b2f50e2ff7b15b39ea74e37ff",
-    "zh:7c8187ebca19ca8f6ef82d3d79a418ccfa6574bb99e63cc930fa46ff938a7921",
-    "zh:82fdb2052601f6fa925195e77506fb609ce8bb4a6f6e94cf6a5058252ef570d4",
-    "zh:995ca23bb3765a16c6b3138b468d920acff5742b22492324c836579e3344ea40",
-    "zh:a970131232ad41203382f6fa3f0014a22767cbfe28cd7562346184ea6e678d63",
-    "zh:bf5036675a7f0b8691fe393e2782a76c7943ba17eec7255e16a31c7547436a48",
+    "h1:pXB6SKE4NKdf+LepsQjrLcBnVTL5ejeKvx/kyojai6c=",
+    "zh:136d9c642746d8d84e62ecd8ab0c7dc015eac504c1f068e06fad438ae222d934",
+    "zh:266e64b8e32a94ddcc20954ebad1d8ff3921d318addf576e981b1390e5d5ba79",
+    "zh:3bd84a1e5b3bbe34a5870f271d6a5bf9b35a4c924db32b450a1fb53bc910c37a",
+    "zh:3c6604041472bb4691b502877cf9d886ed9f973fbadf11389ec9499fdc66045e",
+    "zh:680c00a73c8054c36a58115a44d02d1ebb675c2ad3afaaab2d74a01f978f16ce",
+    "zh:6dab47ef64f90e43b75ed240a974c4119f5268be4433f3c1c3e97559e7ef2f38",
+    "zh:9f73f19fdc340c443693dc03f1a145c6bd0ee5fd425eab7473d06abbe39b99d7",
+    "zh:9ff008b6737e880f191b4be6dfcef95ff019969dd787c44a58c2d7d6aaf6623b",
+    "zh:be297f1515e9ac63886e3e092a0bcd10aa8aa2b69c2b0995ce4e069176b07a95",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fb29a566e7698cfae477f3efa3bba38526ec8343355763178c6e9c96e51399f3",
+    "zh:fbc3b625733ce5f0970fa8d9743f6db51064c168d6be5fc7a5e3d1a54af28bb7",
  ]
 }

 provider "registry.terraform.io/hashicorp/local" {
  version     = "2.2.3"
-  constraints = "~> 2.2.0"
+  constraints = "2.2.3"
  hashes = [
    "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=",
    "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0",
--- a/templates/shared_services/gitea/terraform/gitea-webapp.tf
+++ b/templates/shared_services/gitea/terraform/gitea-webapp.tf
@ -128,7 +128,7 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" {
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id

  dynamic "log" {
-    for_each = data.azurerm_monitor_diagnostic_categories.webapp.logs
+    for_each = data.azurerm_monitor_diagnostic_categories.webapp.log_category_types
    content {
      category = log.value
      enabled  = contains(local.webapp_diagnostic_categories_enabled, log.value) ? true : false
--- a/templates/shared_services/gitea/terraform/main.tf
+++ b/templates/shared_services/gitea/terraform/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = "=3.20.0"
+      version = "=3.33.0"
    }
    local = {
      source  = "hashicorp/local"
--- a/templates/shared_services/sonatype-nexus-vm/Dockerfile.tmpl
+++ b/templates/shared_services/sonatype-nexus-vm/Dockerfile.tmpl
@ -1,21 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/shared_services/sonatype-nexus-vm/parameters.json
+++ b/templates/shared_services/sonatype-nexus-vm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-shared-service-sonatype-nexus",
  "parameters": [
    {
      "name": "tre_id",
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 2.2.4
+version: 2.3.0
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -61,22 +62,22 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        ssl_cert_name: "{{ bundle.parameters.ssl_cert_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        ssl_cert_name: ${ bundle.parameters.ssl_cert_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-sonatype-nexus-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-sonatype-nexus-vm
      outputs:
        - name: workspace_vm_allowed_fqdns_list
        - name: nexus_allowed_fqdns_list
@ -85,16 +86,15 @@ install:
 upgrade:
  - terraform:
      description: "Upgrade shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        ssl_cert_name: "{{ bundle.parameters.ssl_cert_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        ssl_cert_name: ${ bundle.parameters.ssl_cert_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-sonatype-nexus-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-sonatype-nexus-vm
      outputs:
        - name: workspace_vm_allowed_fqdns_list
        - name: nexus_allowed_fqdns_list
@ -102,13 +102,12 @@ upgrade:
 uninstall:
  - terraform:
      description: "Tear down shared service"
-      input: false
      vars:
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        ssl_cert_name: "{{ bundle.parameters.ssl_cert_name }}"
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        ssl_cert_name: ${ bundle.parameters.ssl_cert_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.tre_id }}-shared-service-sonatype-nexus-vm"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.tre_id }-shared-service-sonatype-nexus-vm
--- a/templates/workspace_services/azureml/Dockerfile.tmpl
+++ b/templates/workspace_services/azureml/Dockerfile.tmpl
@ -1,33 +1,16 @@
-FROM debian:stretch-slim
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM debian:bullseye-slim

-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# PORTER_INIT

-# Install Azure CLI
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y ca-certificates jq curl apt-transport-https lsb-release gnupg \
-    && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
-    && AZ_REPO=$(lsb_release -cs) \
-    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
-    && apt-get update && apt-get install --no-install-recommends -y azure-cli \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

-RUN az extension add --name azure-firewall
+# Install jq
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update \
+    && apt-get install --no-install-recommends -y jq

-ARG BUNDLE_DIR
-
-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/azureml/parameters.json
+++ b/templates/workspace_services/azureml/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "azureml",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-azureml",
  "parameters": [
    {
      "name": "workspace_id",
--- a/templates/workspace_services/azureml/porter.yaml
+++ b/templates/workspace_services/azureml/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 0.5.6
+version: 0.6.0
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -95,30 +96,34 @@ outputs:

 mixins:
  - terraform:
-      clientVersion: 1.3.3
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0
+      extensions:
+        - azure-firewall

 install:
  - terraform:
      description: "Deploy Azure ML Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        display_name: "{{ bundle.parameters.display_name }}"
-        description: "{{ bundle.parameters.description }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        auth_client_id: "{{ bundle.credentials.auth_client_id }}"
-        auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
-        auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        display_name: ${ bundle.parameters.display_name }
+        description: ${ bundle.parameters.description }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-azureml-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-azureml-${ bundle.parameters.id }
      outputs:
        - name: azureml_workspace_name
        - name: azureml_acr_id
@ -132,24 +137,24 @@ upgrade:
  - terraform:
      description: "Upgrade Azure ML Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        display_name: "{{ bundle.parameters.display_name }}"
-        description: "{{ bundle.parameters.description }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        auth_client_id: "{{ bundle.credentials.auth_client_id }}"
-        auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
-        auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        display_name: ${ bundle.parameters.display_name }
+        description: ${ bundle.parameters.description }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-azureml-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-azureml-${ bundle.parameters.id }
      outputs:
        - name: azureml_workspace_name
        - name: azureml_acr_id
@ -163,21 +168,21 @@ uninstall:
  - terraform:
      description: "Delete the Azure ML Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        display_name: "{{ bundle.parameters.display_name }}"
-        description: "{{ bundle.parameters.description }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        auth_client_id: "{{ bundle.credentials.auth_client_id }}"
-        auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
-        auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        display_name: ${ bundle.parameters.display_name }
+        description: ${ bundle.parameters.description }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-azureml-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-azureml-${ bundle.parameters.id }
--- a/templates/workspace_services/azureml/user_resources/aml_compute/Dockerfile.tmpl
+++ b/templates/workspace_services/azureml/user_resources/aml_compute/Dockerfile.tmpl
@ -1,9 +1,9 @@
-FROM debian:stretch-slim
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM debian:bullseye-slim

-ARG BUNDLE_DIR
-
-COPY . $BUNDLE_DIR
+# PORTER_INIT

 # PORTER_MIXINS

-WORKDIR $BUNDLE_DIR
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/azureml/user_resources/aml_compute/parameters.json
+++ b/templates/workspace_services/azureml/user_resources/aml_compute/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "avd-aad",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-user-resource-aml-compute-instance",
  "parameters": [
    {
      "name": "id",
--- a/templates/workspace_services/azureml/user_resources/aml_compute/porter.yaml
+++ b/templates/workspace_services/azureml/user_resources/aml_compute/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-user-resource-aml-compute-instance
-version: 0.4.1
+version: 0.5.0
 description: "Azure Machine Learning Compute Instance"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -51,48 +52,56 @@ parameters:

 mixins:
  - exec
-  - az
+  - az:
+      clientVersion: 2.37.0
  - terraform:
-      clientVersion: 1.2.8
+      clientVersion: 1.3.6

 install:
  - terraform:
      description: "Deploy service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        vm_size_sku: "{{ bundle.parameters.vm_size }}"
-        auth_tenant_id: "{{ bundle.parameters.auth_tenant_id }}"
-        user_object_id: "{{ bundle.parameters.user_object_id }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        vm_size_sku: ${ bundle.parameters.vm_size }
+        auth_tenant_id: ${ bundle.parameters.auth_tenant_id }
+        user_object_id: ${ bundle.parameters.user_object_id }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-user-resource-aml-compute-instance-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-user-resource-aml-compute-instance-${ bundle.parameters.id }
+
+upgrade:
+  - exec:
+      description: "Upgrade shared service"
+      command: echo
+      arguments:
+        - "This shared service does not implement upgrade action"

 uninstall:
  - terraform:
      description: "Uninstall service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        vm_size_sku: "{{ bundle.parameters.vm_size }}"
-        auth_tenant_id: "{{ bundle.parameters.auth_tenant_id }}"
-        user_object_id: "{{ bundle.parameters.user_object_id }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret: "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        vm_size_sku: ${ bundle.parameters.vm_size }
+        auth_tenant_id: ${ bundle.parameters.auth_tenant_id }
+        user_object_id: ${ bundle.parameters.user_object_id }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-user-resource-aml-compute-instance-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-user-resource-aml-compute-instance-${ bundle.parameters.id }
--- a/templates/workspace_services/gitea/Dockerfile.tmpl
+++ b/templates/workspace_services/gitea/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/gitea/parameters.json
+++ b/templates/workspace_services/gitea/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "base",
-  "created": "2021-06-04T13:37:29.5071039+03:00",
-  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-workspace-service-gitea",
  "parameters": [
    {
      "name": "id",
--- a/templates/workspace_services/gitea/porter.yaml
+++ b/templates/workspace_services/gitea/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 0.6.0
+version: 0.7.0
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -59,7 +60,7 @@ parameters:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 outputs:
  - name: internal_connection_uri
@ -82,16 +83,16 @@ install:
  - terraform:
      description: "Deploy Gitea workspace service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        id: "{{ bundle.parameters.id }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        id: ${ bundle.parameters.id }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-workspace-service-gitea-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-gitea-${ bundle.parameters.id }
      outputs:
        - name: internal_connection_uri
        - name: authentication_callback_uri
@ -101,16 +102,16 @@ upgrade:
  - terraform:
      description: "Deploy Gitea workspace service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        id: "{{ bundle.parameters.id }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        id: ${ bundle.parameters.id }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-workspace-service-gitea-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-gitea-${ bundle.parameters.id }
      outputs:
        - name: internal_connection_uri
        - name: authentication_callback_uri
@ -120,13 +121,13 @@ uninstall:
  - terraform:
      description: "Tear down Gitead workspace service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        id: "{{ bundle.parameters.id }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        id: ${ bundle.parameters.id }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-workspace-service-gitea-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-gitea-${ bundle.parameters.id }
--- a/templates/workspace_services/guacamole/Dockerfile.tmpl
+++ b/templates/workspace_services/guacamole/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/guacamole/parameters.json
+++ b/templates/workspace_services/guacamole/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "guacamole",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-guacamole",
  "parameters": [
    {
      "name": "id",
--- a/templates/workspace_services/guacamole/porter.yaml
+++ b/templates/workspace_services/guacamole/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-guacamole
-version: 0.5.2
+version: 0.6.0
 description: "An Azure TRE service for Guacamole"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -113,31 +114,31 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 install:
  - terraform:
      description: "Deploy Guacamole Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        image_name: "{{ bundle.custom.runtime_image.name }}"
-        image_tag: "{{ bundle.parameters.image_tag }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
-        guac_disable_copy: "{{ bundle.parameters.guac_disable_copy }}"
-        guac_disable_paste: "{{ bundle.parameters.guac_disable_paste }}"
-        guac_enable_drive: "{{ bundle.parameters.guac_enable_drive }}"
-        guac_drive_name: "{{ bundle.parameters.guac_drive_name }}"
-        guac_drive_path: "{{ bundle.parameters.guac_drive_path }}"
-        guac_disable_download: "{{ bundle.parameters.guac_disable_download }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        image_name: ${ bundle.custom.runtime_image.name }
+        image_tag: ${ bundle.parameters.image_tag }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
+        guac_disable_copy: ${ bundle.parameters.guac_disable_copy }
+        guac_disable_paste: ${ bundle.parameters.guac_disable_paste }
+        guac_enable_drive: ${ bundle.parameters.guac_enable_drive }
+        guac_drive_name: ${ bundle.parameters.guac_drive_name }
+        guac_drive_path: ${ bundle.parameters.guac_drive_path }
+        guac_disable_download: ${ bundle.parameters.guac_disable_download }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-guacamole-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-guacamole-${ bundle.parameters.id }
      outputs:
        - name: connection_uri
        - name: authentication_callback_uri
@ -147,25 +148,25 @@ upgrade:
  - terraform:
      description: "Upgrade Guacamole Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        image_name: "{{ bundle.custom.runtime_image.name }}"
-        image_tag: "{{ bundle.parameters.image_tag }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
-        guac_disable_copy: "{{ bundle.parameters.guac_disable_copy }}"
-        guac_disable_paste: "{{ bundle.parameters.guac_disable_paste }}"
-        guac_enable_drive: "{{ bundle.parameters.guac_enable_drive }}"
-        guac_drive_name: "{{ bundle.parameters.guac_drive_name }}"
-        guac_drive_path: "{{ bundle.parameters.guac_drive_path }}"
-        guac_disable_download: "{{ bundle.parameters.guac_disable_download }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        image_name: ${ bundle.custom.runtime_image.name }
+        image_tag: ${ bundle.parameters.image_tag }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
+        guac_disable_copy: ${ bundle.parameters.guac_disable_copy }
+        guac_disable_paste: ${ bundle.parameters.guac_disable_paste }
+        guac_enable_drive: ${ bundle.parameters.guac_enable_drive }
+        guac_drive_name: ${ bundle.parameters.guac_drive_name }
+        guac_drive_path: ${ bundle.parameters.guac_drive_path }
+        guac_disable_download: ${ bundle.parameters.guac_disable_download }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-guacamole-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-guacamole-${ bundle.parameters.id }
      outputs:
        - name: connection_uri
        - name: authentication_callback_uri
@ -176,22 +177,22 @@ uninstall:
  - terraform:
      description: "Delete the Guacamole Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        image_name: "{{ bundle.custom.runtime_image.name }}"
-        image_tag: "{{ bundle.parameters.image_tag }}"
-        mgmt_acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
-        mgmt_resource_group_name: "{{ bundle.parameters.mgmt_resource_group_name }}"
-        guac_disable_copy: "{{ bundle.parameters.guac_disable_copy }}"
-        guac_disable_paste: "{{ bundle.parameters.guac_disable_paste }}"
-        guac_enable_drive: "{{ bundle.parameters.guac_enable_drive }}"
-        guac_drive_name: "{{ bundle.parameters.guac_drive_name }}"
-        guac_drive_path: "{{ bundle.parameters.guac_drive_path }}"
-        guac_disable_download: "{{ bundle.parameters.guac_disable_download }}"
-        is_exposed_externally: "{{ bundle.parameters.is_exposed_externally }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        image_name: ${ bundle.custom.runtime_image.name }
+        image_tag: ${ bundle.parameters.image_tag }
+        mgmt_acr_name: ${ bundle.parameters.mgmt_acr_name }
+        mgmt_resource_group_name: ${ bundle.parameters.mgmt_resource_group_name }
+        guac_disable_copy: ${ bundle.parameters.guac_disable_copy }
+        guac_disable_paste: ${ bundle.parameters.guac_disable_paste }
+        guac_enable_drive: ${ bundle.parameters.guac_enable_drive }
+        guac_drive_name: ${ bundle.parameters.guac_drive_name }
+        guac_drive_path: ${ bundle.parameters.guac_drive_path }
+        guac_disable_download: ${ bundle.parameters.guac_disable_download }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        tre_resource_id: ${ bundle.parameters.id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-guacamole-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-guacamole-${ bundle.parameters.id }
--- a/templates/workspace_services/guacamole/terraform/.terraform.lock.hcl
+++ b/templates/workspace_services/guacamole/terraform/.terraform.lock.hcl
@ -2,28 +2,28 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.16.0"
-  constraints = "3.16.0"
+  version     = "3.33.0"
+  constraints = "3.33.0"
  hashes = [
-    "h1:cBZXnJ4WErrhAzoQ1IMUMkpRlUmr8KQ2a0vLKH6B2a8=",
-    "zh:02aecc67db3f7cf19bd39ed454824422c43a5dc9f18b44d9547bb79ba66e0beb",
-    "zh:1775b033e3a29395087d731387efc926251232c4469a6c262f7039669e2f3aed",
-    "zh:1b955c3134b8fa61486383fee609bc99e46883c9b5148cb8d3bdc3d6d25b1e5e",
-    "zh:1ca04c35917fcf9f15aa2f24ef52b823575efa213fcb6d241cd189fddb032268",
-    "zh:20663ca219acc95d1de2129aac941f08eca1093c61cd6775e9c0b239b70a573e",
-    "zh:28427df342789f106ce500a489c750d7971d67cb58c495274878dc55d52452fe",
-    "zh:2a2e0755b9ebedbb4dd55de53191ce02e0a5511648610bf816532cd1614f2d7a",
-    "zh:5cc4c086ff081379070ea8177025a92a53e3c7bec2eabbf8182efa146e05b371",
-    "zh:5df50ae712c2b6e850b5953d5b89a29aca98ef1ae5fac4cb9225080ac319207c",
-    "zh:944ec6ceac2a1af58b58c270db90992d5f32614714647f6086ebc42789fa0f15",
-    "zh:f1e2df2f7db13b234d2cfa5d7c70054df4039532829be6ce8ed11c6f99ba0cf5",
+    "h1:pXB6SKE4NKdf+LepsQjrLcBnVTL5ejeKvx/kyojai6c=",
+    "zh:136d9c642746d8d84e62ecd8ab0c7dc015eac504c1f068e06fad438ae222d934",
+    "zh:266e64b8e32a94ddcc20954ebad1d8ff3921d318addf576e981b1390e5d5ba79",
+    "zh:3bd84a1e5b3bbe34a5870f271d6a5bf9b35a4c924db32b450a1fb53bc910c37a",
+    "zh:3c6604041472bb4691b502877cf9d886ed9f973fbadf11389ec9499fdc66045e",
+    "zh:680c00a73c8054c36a58115a44d02d1ebb675c2ad3afaaab2d74a01f978f16ce",
+    "zh:6dab47ef64f90e43b75ed240a974c4119f5268be4433f3c1c3e97559e7ef2f38",
+    "zh:9f73f19fdc340c443693dc03f1a145c6bd0ee5fd425eab7473d06abbe39b99d7",
+    "zh:9ff008b6737e880f191b4be6dfcef95ff019969dd787c44a58c2d7d6aaf6623b",
+    "zh:be297f1515e9ac63886e3e092a0bcd10aa8aa2b69c2b0995ce4e069176b07a95",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fb29a566e7698cfae477f3efa3bba38526ec8343355763178c6e9c96e51399f3",
+    "zh:fbc3b625733ce5f0970fa8d9743f6db51064c168d6be5fc7a5e3d1a54af28bb7",
  ]
 }

 provider "registry.terraform.io/hashicorp/local" {
  version     = "2.2.3"
-  constraints = "~> 2.2.0"
+  constraints = "2.2.3"
  hashes = [
    "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=",
    "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0",
--- a/templates/workspace_services/guacamole/terraform/providers.tf
+++ b/templates/workspace_services/guacamole/terraform/providers.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
-      version = "=3.16.0"
+      version = "=3.33.0"
    }
    local = {
      source  = "hashicorp/local"
--- a/templates/workspace_services/guacamole/terraform/web_app.tf
+++ b/templates/workspace_services/guacamole/terraform/web_app.tf
@ -99,7 +99,7 @@ resource "azurerm_monitor_diagnostic_setting" "guacamole" {
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id

  dynamic "log" {
-    for_each = data.azurerm_monitor_diagnostic_categories.guacamole.logs
+    for_each = data.azurerm_monitor_diagnostic_categories.guacamole.log_category_types
    content {
      category = log.value
      enabled  = contains(local.guacamole_diagnostic_categories_enabled, log.value) ? true : false
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/Dockerfile.tmpl
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "guacamole-win-export-reviewvm",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-guacamole-export-reviewvm",
  "parameters": [
    {
      "name": "workspace_id",
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-guacamole-export-reviewvm
-version: 0.0.6
+version: 0.1.0
 description: "An Azure TRE User Resource Template for reviewing Airlock export requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -91,25 +92,26 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.8
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy Guacamole User Resource Service (Reviewer VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        airlock_request_sas_url: "{{ bundle.parameters.airlock_request_sas_url }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        airlock_request_sas_url: ${ bundle.parameters.airlock_request_sas_url }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -120,18 +122,18 @@ upgrade:
  - terraform:
      description: "Update Guacamole User Resource Service (Reviewer VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
        airlock_request_sas_url: "unused"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -143,26 +145,26 @@ uninstall:
      description: "Delete the Extensions from the Terraform state manually"
      command: ./delete_vm_extensions.sh
      arguments:
-        - "{{ bundle.parameters.tfstate_resource_group_name }}"
-        - "{{ bundle.parameters.tfstate_storage_account_name }}"
-        - "{{ bundle.parameters.tfstate_container_name }}"
-        - "{{ bundle.parameters.id }}"
+        - ${ bundle.parameters.tfstate_resource_group_name }
+        - ${ bundle.parameters.tfstate_storage_account_name }
+        - ${ bundle.parameters.tfstate_container_name }
+        - ${ bundle.parameters.id }

  - terraform:
      description: "Delete the Guacamole User Resource Service (Reviewer VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
        airlock_request_sas_url: "unused"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }

 start:
  - terraform:
@ -170,10 +172,10 @@ start:
        - "output"
      description: "Get resource ID from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -182,14 +184,14 @@ start:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Start the VM"
      arguments:
        - vm
        - start
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 stop:
  - terraform:
@ -197,10 +199,10 @@ stop:
        - "output"
      description: "Get VM hostname and rg from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -209,14 +211,14 @@ stop:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Stop the VM"
      arguments:
        - vm
        - deallocate
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 reset_password:
  - terraform:
@ -224,10 +226,10 @@ reset_password:
        - "output"
      description: "Get VM details from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
        - name: vm_username
@ -239,13 +241,13 @@ reset_password:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Reset password and persist to keyvault"
      suppress-output: true
      command: ./reset_password.sh
      arguments:
-        - "{{ bundle.outputs.vm_password_secret_name }}"
-        - "{{ bundle.outputs.keyvault_name }}"
-        - "{{ bundle.outputs.vm_username }}"
-        - "{{ bundle.outputs.azure_resource_id }}"
+        - ${ bundle.outputs.vm_password_secret_name }
+        - ${ bundle.outputs.keyvault_name }
+        - ${ bundle.outputs.vm_username }
+        - ${ bundle.outputs.azure_resource_id }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/Dockerfile.tmpl
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "guacamole-win-import-reviewvm",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-guacamole-import-reviewvm",
  "parameters": [
    {
      "name": "workspace_id",
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-guacamole-import-reviewvm
-version: 0.1.3
+version: 0.2.0
 description: "An Azure TRE User Resource Template for reviewing Airlock import requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -100,26 +101,27 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.8
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy Guacamole User Resource Service (Reviewer VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
-        airlock_request_sas_url: "{{ bundle.parameters.airlock_request_sas_url }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        airlock_request_sas_url: ${ bundle.parameters.airlock_request_sas_url }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -130,19 +132,19 @@ upgrade:
  - terraform:
      description: "Update Guacamole User Resource Service (Reviewer VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
        airlock_request_sas_url: "unused"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -154,27 +156,27 @@ uninstall:
      description: "Delete the Extensions from the Terraform state manually"
      command: ./delete_vm_extensions.sh
      arguments:
-        - "{{ bundle.parameters.tfstate_resource_group_name }}"
-        - "{{ bundle.parameters.tfstate_storage_account_name }}"
-        - "{{ bundle.parameters.tfstate_container_name }}"
-        - "{{ bundle.parameters.id }}"
+        - ${ bundle.parameters.tfstate_resource_group_name }
+        - ${ bundle.parameters.tfstate_storage_account_name }
+        - ${ bundle.parameters.tfstate_container_name }
+        - ${ bundle.parameters.id }

  - terraform:
      description: "Delete the Guacamole User Resource Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
        airlock_request_sas_url: "unused"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }

 start:
  - terraform:
@ -182,10 +184,10 @@ start:
        - "output"
      description: "Get resource ID from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -194,14 +196,14 @@ start:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Start the VM"
      arguments:
        - vm
        - start
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 stop:
  - terraform:
@ -209,10 +211,10 @@ stop:
        - "output"
      description: "Get VM hostname and rg from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -221,14 +223,14 @@ stop:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Stop the VM"
      arguments:
        - vm
        - deallocate
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 reset_password:
  - terraform:
@ -236,10 +238,10 @@ reset_password:
        - "output"
      description: "Get VM details from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
        - name: vm_username
@ -251,13 +253,13 @@ reset_password:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Reset password and persist to keyvault"
      suppress-output: true
      command: ./reset_password.sh
      arguments:
-        - "{{ bundle.outputs.vm_password_secret_name }}"
-        - "{{ bundle.outputs.keyvault_name }}"
-        - "{{ bundle.outputs.vm_username }}"
-        - "{{ bundle.outputs.azure_resource_id }}"
+        - ${ bundle.outputs.vm_password_secret_name }
+        - ${ bundle.outputs.keyvault_name }
+        - ${ bundle.outputs.vm_username }
+        - ${ bundle.outputs.azure_resource_id }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/Dockerfile.tmpl
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "guacamole-linux-linuxvm",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-guacamole-linuxvm",
  "parameters": [
    {
      "name": "workspace_id",
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 0.5.3
+version: 0.6.0
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -117,27 +118,28 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.6
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy Guacamole User Resource Service (Linux VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -148,20 +150,20 @@ upgrade:
  - terraform:
      description: "Update Guacamole User Resource Service (Linux VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -173,28 +175,28 @@ uninstall:
      description: "Delete the Extensions from the Terraform state manually"
      command: ./delete_vm_extensions.sh
      arguments:
-        - "{{ bundle.parameters.tfstate_resource_group_name }}"
-        - "{{ bundle.parameters.tfstate_storage_account_name }}"
-        - "{{ bundle.parameters.tfstate_container_name }}"
-        - "{{ bundle.parameters.id }}"
+        - ${ bundle.parameters.tfstate_resource_group_name }
+        - ${ bundle.parameters.tfstate_storage_account_name }
+        - ${ bundle.parameters.tfstate_container_name }
+        - ${ bundle.parameters.id }

  - terraform:
      description: "Delete the Guacamole User Resource Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }

 start:
  - terraform:
@ -202,10 +204,10 @@ start:
        - "output"
      description: "Get resource ID from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -214,14 +216,14 @@ start:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Start the VM"
      arguments:
        - vm
        - start
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 stop:
  - terraform:
@ -229,10 +231,10 @@ stop:
        - "output"
      description: "Get VM resource_id from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -241,14 +243,14 @@ stop:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Stop the VM"
      arguments:
        - vm
        - deallocate
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 reset_password:
  - terraform:
@ -256,10 +258,10 @@ reset_password:
        - "output"
      description: "Get VM details from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
        - name: vm_username
@ -271,13 +273,13 @@ reset_password:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Reset password and persist to keyvault"
      suppress-output: true
      command: ./reset_password.sh
      arguments:
-        - "{{ bundle.outputs.vm_password_secret_name }}"
-        - "{{ bundle.outputs.keyvault_name }}"
-        - "{{ bundle.outputs.vm_username }}"
-        - "{{ bundle.outputs.azure_resource_id }}"
+        - ${ bundle.outputs.vm_password_secret_name }
+        - ${ bundle.outputs.keyvault_name }
+        - ${ bundle.outputs.vm_username }
+        - ${ bundle.outputs.azure_resource_id }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/Dockerfile.tmpl
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "guacamole-win-windowsvm",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-guacamole-windowsvm",
  "parameters": [
    {
      "name": "workspace_id",
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-guacamole-windowsvm
-version: 0.5.3
+version: 0.6.0
 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -111,27 +112,28 @@ outputs:
 mixins:
  - exec
  - terraform:
-      clientVersion: 1.2.8
-  - az
+      clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0

 install:
  - terraform:
      description: "Deploy Guacamole User Resource Service (Windows VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -142,20 +144,20 @@ upgrade:
  - terraform:
      description: "Update Guacamole User Resource Service (Windows VM)"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: ip
        - name: hostname
@ -167,28 +169,28 @@ uninstall:
      description: "Delete the Extensions from the Terraform state manually"
      command: ./delete_vm_extensions.sh
      arguments:
-        - "{{ bundle.parameters.tfstate_resource_group_name }}"
-        - "{{ bundle.parameters.tfstate_storage_account_name }}"
-        - "{{ bundle.parameters.tfstate_container_name }}"
-        - "{{ bundle.parameters.id }}"
+        - ${ bundle.parameters.tfstate_resource_group_name }
+        - ${ bundle.parameters.tfstate_storage_account_name }
+        - ${ bundle.parameters.tfstate_container_name }
+        - ${ bundle.parameters.id }

  - terraform:
      description: "Delete the Guacamole User Resource Service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        parent_service_id: "{{ bundle.parameters.parent_service_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        image: "{{ bundle.parameters.os_image }}"
-        vm_size: "{{ bundle.parameters.vm_size }}"
-        shared_storage_access: "{{ bundle.parameters.shared_storage_access }}"
-        shared_storage_name: "{{ bundle.parameters.shared_storage_name }}"
-        image_gallery_id: "{{ bundle.parameters.image_gallery_id }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        parent_service_id: ${ bundle.parameters.parent_service_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        image: ${ bundle.parameters.os_image }
+        vm_size: ${ bundle.parameters.vm_size }
+        shared_storage_access: ${ bundle.parameters.shared_storage_access }
+        shared_storage_name: ${ bundle.parameters.shared_storage_name }
+        image_gallery_id: ${ bundle.parameters.image_gallery_id }
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }

 start:
  - terraform:
@ -196,10 +198,10 @@ start:
        - "output"
      description: "Get resource ID from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -208,14 +210,14 @@ start:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Start the VM"
      arguments:
        - vm
        - start
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 stop:
  - terraform:
@ -223,10 +225,10 @@ stop:
        - "output"
      description: "Get VM hostname and rg from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
  - az:
@ -235,14 +237,14 @@ stop:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - az:
      description: "Stop the VM"
      arguments:
        - vm
        - deallocate
      flags:
-        ids: "{{ bundle.outputs.azure_resource_id }}"
+        ids: ${ bundle.outputs.azure_resource_id }

 reset_password:
  - terraform:
@ -250,10 +252,10 @@ reset_password:
        - "output"
      description: "Get VM details from Terraform outputs"
      backendConfig:
-        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
        - name: vm_username
@ -265,13 +267,13 @@ reset_password:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id }}"
+        username: ${ bundle.credentials.azure_client_id }
  - exec:
      description: "Reset password and persist to keyvault"
      suppress-output: true
      command: ./reset_password.sh
      arguments:
-        - "{{ bundle.outputs.vm_password_secret_name }}"
-        - "{{ bundle.outputs.keyvault_name }}"
-        - "{{ bundle.outputs.vm_username }}"
-        - "{{ bundle.outputs.azure_resource_id }}"
+        - ${ bundle.outputs.vm_password_secret_name }
+        - ${ bundle.outputs.keyvault_name }
+        - ${ bundle.outputs.vm_username }
+        - ${ bundle.outputs.azure_resource_id }
--- a/templates/workspace_services/innereye/Dockerfile.tmpl
+++ b/templates/workspace_services/innereye/Dockerfile.tmpl
@ -1,18 +1,14 @@
-FROM debian:stretch-slim
+FROM debian:bullseye-slim
+
+# PORTER_INIT

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-# Install Azure CLI
-# It's useless to specify azcli version since the mixin installs the latest anyway
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y ca-certificates jq curl apt-transport-https lsb-release gnupg \
-    && curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null \
-    && AZ_REPO=$(lsb_release -cs) \
-    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | tee /etc/apt/sources.list.d/azure-cli.list \
-    && apt-get update && apt-get --no-install-recommends -y install azure-cli \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

-RUN az extension add --name azure-firewall
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update \
+    && apt-get install --no-install-recommends -y jq curl ca-certificates

 RUN export PORTER_HOME=/home/"${USER}"/.porter \
    && curl -L https://cdn.porter.sh/latest/install-linux.sh | bash \
@ -20,21 +16,7 @@ RUN export PORTER_HOME=/home/"${USER}"/.porter \

 ENV PATH /home/$USER/.porter/:$PATH

-ARG BUNDLE_DIR
-
-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/innereye/parameters.json
+++ b/templates/workspace_services/innereye/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "innereye",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-innereye",
  "parameters": [
    {
      "name": "id",
@ -59,4 +59,4 @@
      }
    }
  ]
-}
+}
--- a/templates/workspace_services/innereye/parameters_service_azureml.json
+++ b/templates/workspace_services/innereye/parameters_service_azureml.json
@ -1,5 +1,5 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
+  "schemaVersion": "1.0.1",
  "name": "service-azureml",
  "created": "2021-06-03T11:54:54.0225968Z",
  "modified": "2021-06-03T11:54:54.0225968Z",
@ -47,4 +47,4 @@
      }
    }
  ]
-}
+}
--- a/templates/workspace_services/innereye/porter.yaml
+++ b/templates/workspace_services/innereye/porter.yaml
@ -1,6 +1,7 @@
 ---
+schemaVersion: 1.0.0
 name: tre-service-innereye
-version: 0.4.1
+version: 0.5.0
 description: "An Azure TRE service for InnerEye Deep Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -49,9 +50,12 @@ parameters:

 mixins:
  - exec
-  - az
+  - az:
+      clientVersion: 2.37.0
+      extensions:
+        - azure-firewall
  - terraform:
-      clientVersion: 1.2.6
+      clientVersion: 1.3.6

 install:
  - az:
@ -60,40 +64,34 @@ install:
        - login
      flags:
        identity:
-        username: "{{ bundle.credentials.azure_client_id}}"
+        username: ${ bundle.credentials.azure_client_id}
  - az:
      description: "acr login"
      arguments:
        - acr
        - login
      flags:
-        name: "{{ bundle.parameters.mgmt_acr_name }}"
+        name: ${ bundle.parameters.mgmt_acr_name }
  - exec:
      description: "Install Azure ML service"
      command: ./install_service_azureml.sh
  - terraform:
      description: "Deploy service"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        inference_sp_client_id:
-          "{{ bundle.parameters.inference_sp_client_id }}"
-        inference_sp_client_secret:
-          "{{ bundle.parameters.inference_sp_client_secret }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret:
-          "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        inference_sp_client_id: ${ bundle.parameters.inference_sp_client_id }
+        inference_sp_client_secret: ${ bundle.parameters.inference_sp_client_secret }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
      backendConfig:
-        resource_group_name:
-          "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name:
-          "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key:
-          "tre-service-innereye-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-innereye-${ bundle.parameters.id }
      outputs:
        - name: azureml_compute_cluster_name

@ -108,21 +106,17 @@ uninstall:
  - terraform:
      description: "Tear down workspace"
      vars:
-        workspace_id: "{{ bundle.parameters.workspace_id }}"
-        tre_id: "{{ bundle.parameters.tre_id }}"
-        tre_resource_id: "{{ bundle.parameters.id }}"
-        inference_sp_client_id: "{{ bundle.parameters.inference_sp_client_id }}"
-        inference_sp_client_secret:
-          "{{ bundle.parameters.inference_sp_client_secret }}"
-        arm_tenant_id: "{{ bundle.credentials.azure_tenant_id }}"
-        arm_client_id: "{{ bundle.credentials.azure_client_id }}"
-        arm_client_secret:
-          "{{ bundle.credentials.azure_client_secret }}"
-        arm_use_msi: "{{ bundle.parameters.arm_use_msi }}"
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        inference_sp_client_id: ${ bundle.parameters.inference_sp_client_id }
+        inference_sp_client_secret: ${ bundle.parameters.inference_sp_client_secret }
+        arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
+        arm_client_id: ${ bundle.credentials.azure_client_id }
+        arm_client_secret: ${ bundle.credentials.azure_client_secret }
+        arm_use_msi: ${ bundle.parameters.arm_use_msi }
      backendConfig:
-        resource_group_name:
-          "{{ bundle.parameters.tfstate_resource_group_name }}"
-        storage_account_name:
-          "{{ bundle.parameters.tfstate_storage_account_name }}"
-        container_name: "{{ bundle.parameters.tfstate_container_name }}"
-        key: "tre-service-innereye-{{ bundle.parameters.id }}"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-service-innereye-${ bundle.parameters.id }
--- a/templates/workspace_services/innereye/terraform/.terraform.lock.hcl
+++ b/templates/workspace_services/innereye/terraform/.terraform.lock.hcl
@ -21,21 +21,21 @@ provider "registry.terraform.io/hashicorp/azurerm" {
 }

 provider "registry.terraform.io/hashicorp/external" {
-  version = "2.2.2"
+  version = "2.2.3"
  hashes = [
-    "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=",
-    "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca",
-    "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28",
-    "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b",
-    "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39",
+    "h1:uvOYRWcVIqOZSl8YjjaB18yZFz1AWIt2CnK7O45rckg=",
+    "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9",
+    "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c",
+    "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4",
+    "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387",
+    "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a",
+    "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32",
+    "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327",
-    "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955",
-    "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb",
-    "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0",
-    "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a",
-    "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372",
-    "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809",
+    "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353",
+    "zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f",
+    "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a",
+    "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a",
  ]
 }

@ -59,21 +59,21 @@ provider "registry.terraform.io/hashicorp/local" {
 }

 provider "registry.terraform.io/hashicorp/null" {
-  version = "3.1.1"
+  version = "3.2.1"
  hashes = [
-    "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=",
-    "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597",
-    "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf",
-    "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe",
+    "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
+    "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+    "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+    "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+    "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e",
-    "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa",
-    "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5",
-    "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4",
-    "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46",
-    "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924",
-    "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b",
-    "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f",
+    "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+    "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+    "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+    "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+    "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+    "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+    "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
  ]
 }

--- a/templates/workspace_services/mlflow/Dockerfile.tmpl
+++ b/templates/workspace_services/mlflow/Dockerfile.tmpl
@ -1,19 +1,9 @@
+# syntax=docker/dockerfile-upstream:1.4.0
 FROM debian:bullseye-slim

-ARG BUNDLE_DIR
+# PORTER_INIT

-# This is a template Dockerfile for the bundle's invocation image
-# You can customize it to use different base images, install tools and copy configuration files.
-#
-# Porter will use it as a template and append lines to it for the mixins
-# and to set the CMD appropriately for the CNAB specification.
-#
-# Add the following line to porter.yaml to instruct Porter to use this template
-# dockerfile: Dockerfile.tmpl
-
-# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
-# another location in this file. If you remove that line, the mixins generated content is appended to this file.
 # PORTER_MIXINS

 # Use the BUNDLE_DIR build argument to copy files into the bundle
-COPY . $BUNDLE_DIR
+COPY --link . ${BUNDLE_DIR}/
--- a/templates/workspace_services/mlflow/parameters.json
+++ b/templates/workspace_services/mlflow/parameters.json
@ -1,8 +1,8 @@
 {
-  "schemaVersion": "1.0.0-DRAFT+TODO",
-  "name": "azureml",
-  "created": "2021-06-03T11:54:54.0225968Z",
-  "modified": "2021-06-03T11:54:54.0225968Z",
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-service-mlflow",
  "parameters": [
    {
      "name": "workspace_id",
--- a/Показать больше
+++ b/Показать больше