Environment files consolidation (#2944)

* Consolidate env files

* Update changelog.

* Revert changes in devcontainer

* Remove devops sample env file

* Revert makefile load envs

* Remove auth from makefile check dependencies

* Update version

* Update core version

* Fix sourcing

* Fix yaml lint

* Fix lint in bash

* Fix usage in bash

* CR fixes

* Update comment on var

* Fix lint

* Fix lint

* CR fixes + Disable hyphens in tre_id

* Update docs

* Update config file structure

* Remove tre_id from tre section

* CR fixes

* CR changes

* Fix version

* CR changes

* Update migration script
Liza Shakury 2022-12-12 14:09:03 +02:00, committed by GitHub
Parent 26ffaaefdd
Commit 2c62e05ffa
41 changed files: 490 additions and 247 deletions


@ -88,6 +88,9 @@ ARG YQ_VERSION="v4.27.2"
RUN curl -L --fail -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \
&& chmod +x /usr/local/bin/yq
ARG PAJV_VERSION="1.2.0"
RUN npm install -g pajv@${PAJV_VERSION}
USER $USERNAME
# Save command line history
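Review bot: the yq binary is fetched with curl and made executable without any integrity check, so pinning `YQ_VERSION` alone does not protect the image build against a replaced release asset; download the release's published SHA-256 checksum as well and verify it with `sha256sum -c` before the `chmod +x`. The new pajv install is version-pinned, which is good; adding `--ignore-scripts` to `npm install -g` would also stop the package from running install hooks as root during the build, since this line executes before `USER $USERNAME`.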


@ -209,12 +209,12 @@
"tasks": [
{
"label": "Copy_env_file_for_api_debug",
"command": "cat ${workspaceFolder}/templates/core/.env ${workspaceFolder}/devops/auth.env ${workspaceFolder}/templates/core/private.env > ${workspaceFolder}/api_app/.env",
"command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/api_app/.env",
"type": "shell"
},
{
"label": "Copy_env_file_for_e2e_debug",
"command": "cat ${workspaceFolder}/templates/core/.env ${workspaceFolder}/devops/auth.env ${workspaceFolder}/templates/core/private.env > ${workspaceFolder}/e2e_tests/.env",
"command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/e2e_tests/.env",
"type": "shell"
},
{
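Review bot: the new `command` uses the relative path `./.devcontainer/scripts/consolidate_env.sh` while its arguments use `${workspaceFolder}`, and the script itself reads `config.yaml` from the current directory rather than from the workdir argument it receives, so the task only works when VS Code happens to run it from the repository root. Use `${workspaceFolder}/.devcontainer/scripts/consolidate_env.sh` for the command (or set `options.cwd`) to make that explicit. Note also that the generated file now carries the `authentication` client secrets from `config.yaml` into `api_app/.env` and `e2e_tests/.env`, so both paths must stay git-ignored.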


@ -0,0 +1,26 @@
#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
# Uncomment this line to see each command for debugging (careful: this will show secrets!)
# set -o xtrace
# usage: consolidate_env.sh [workdir] [file]
WORKDIR=${1:-"automatic"}
FILE=${2:-"automatic"}
# YQ query to get leaf keys
GET_LEAF_KEYS=".. | select(. == \"*\") | {(path | .[-1]): .} "
# YQ query to uppercase keys
UPCASE_KEYS="with_entries(.key |= upcase)"
# YQ query to map yaml entries to the following format: key=value
# needed for later env export
FORMAT_TO_ENV_FILE="to_entries| map(.key + \"=\" + .value)|.[]"
# Export as UPPERCASE keys to file
# shellcheck disable=SC2086
yq e "$GET_LEAF_KEYS|$UPCASE_KEYS| $FORMAT_TO_ENV_FILE" config.yaml > $FILE
# shellcheck disable=SC2086
cat $WORKDIR/templates/core/private.env >> $FILE
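Review bot: the output file `$FILE` receives the `authentication` client secrets from `config.yaml` plus everything in `private.env`, but it is created with the default umask, so it is typically world-readable; set `umask 077` before the redirection (or create the file with `install -m 600` first). Two smaller points: `config.yaml` is read from the current directory while `private.env` is resolved via `$WORKDIR`, which is inconsistent; and `$FILE` and `$WORKDIR` should simply be double-quoted instead of silencing SC2086, since `set -o nounset` already guards them. The `"automatic"` defaults are never meaningful values for a path; printing the usage line and exiting when the arguments are missing would be clearer.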

3
.gitignore vendored

@ -115,6 +115,9 @@ templates/core/tre.env
devops/auth.env
private.env
# Config
config.yaml
# Spyder project settings
.spyderproject
.spyproject
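Review bot: ignoring `config.yaml` is required now that `make auth` writes client secrets into it, and keeping `config.sample.yaml` tracked is the right split. The old `devops/auth.env` and `private.env` entries stay ignored, which keeps the files the migration script reads out of the tree; it is worth checking that any `.dockerignore` in the repository excludes `config.yaml` as well, so it cannot end up in an image build context.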


@ -4,6 +4,9 @@
**BREAKING CHANGES & MIGRATIONS**:
* The model for `reviewUserResources` in airlock requests has changed from being a list to a dictionary. A migration has been added to update your existing requests automatically; please make sure you run the migrations as part of updating your API and UI.
* Note that any in-flight requests that have review resources deployed will show `UNKNOWN[i]` for the user key of that resource and in the UI users will be prompted to deploy a new resource. [#2883](https://github.com/microsoft/AzureTRE/pull/2883)
* Env files consolidation - The files /templates/core/.env, /devops/.env, /devops/auth.env are no longer used. The settings and configuration that they contain has been consolidated into a single file config.yaml that lives in the root folder of the project.
Use the script devops/scripts/env_to_yaml_config.sh to migrate /templates/core/.env, /devops/.env, and /devops/auth.env to the new config.yaml file.
FEATURES:
* Support review VMs for multiple reviewers for each airlock request [#2883](https://github.com/microsoft/AzureTRE/pull/2883)
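Review bot: grammar in the new entry: "The settings and configuration that they contain has been consolidated" should read "have been consolidated", and the item should end with the PR link `[#2944](https://github.com/microsoft/AzureTRE/pull/2944)` like the surrounding items (the number is in the commit title). It would also help readers to state that `config.yaml` now holds the AAD client secrets and is git-ignored, and that `devops/scripts/env_to_yaml_config.sh` starts by copying `config.sample.yaml` over any existing `config.yaml`.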


@ -95,14 +95,14 @@ push-airlock-processor:
# # See https://github.com/microsoft/AzureTRE/issues/1177
prepare-tf-state:
$(call target_title, "Preparing terraform state") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform > /dev/null && ../../shared_services/firewall/terraform/remove_state.sh && popd > /dev/null \
&& pushd ${MAKEFILE_DIR}/templates/shared_services/firewall/terraform > /dev/null && ./import_state.sh && popd > /dev/null
# / End migration targets
deploy-core: tre-start
$(call target_title, "Deploying TRE") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& if [[ "$${TF_LOG}" == "DEBUG" ]]; \
then echo "TF DEBUG set - output supressed - see tflogs container for log file" && cd ${MAKEFILE_DIR}/templates/core/terraform/ \
&& ./deploy.sh 1>/dev/null 2>/dev/null; \
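Review bot: dropping `auth` from the `check_dependencies.sh` argument list is consistent with the script change, but it removes the fail-fast check that `make auth` has been run: `config_schema.json` requires only `aad_tenant_id` in the `authentication` section, so a missing `api_client_id` or `api_client_secret` now surfaces only when Terraform fails part-way through `deploy-core`. Consider having the `env` check verify that the `authentication` client IDs are populated (non-empty and not `__CHANGE_ME__`) before deployment starts.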
@ -110,7 +110,7 @@ deploy-core: tre-start
letsencrypt:
$(call target_title, "Requesting LetsEncrypt SSL certificate") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,certbot,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,certbot,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform/ > /dev/null && . ./outputs.sh && popd > /dev/null \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/templates/core/private.env \
&& ${MAKEFILE_DIR}/templates/core/terraform/scripts/letsencrypt.sh
@ -132,18 +132,18 @@ tre-destroy:
terraform-deploy:
$(call target_title, "Deploying ${DIR} with Terraform") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
&& cd ${DIR}/terraform/ && ./deploy.sh
terraform-import:
$(call target_title, "Importing ${DIR} with Terraform") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
&& cd ${DIR}/terraform/ && ./import.sh
terraform-destroy:
$(call target_title, "Destroying ${DIR} Service") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
&& cd ${DIR}/terraform/ && ./destroy.sh
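Review bot: `terraform-deploy` previously sourced `${DIR}/.env`, a per-template file, and now sources the repository-wide `load_and_validate_env.sh` instead; confirm that no template still relies on its own `.env` for values, because anything kept there is now silently not loaded. `terraform-import` and `terraform-destroy` only lose the `auth` check, which is fine.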
# This will validate all files, not only the changed ones as the CI version does.
@ -178,7 +178,7 @@ lint-docs:
# so we build it first and then run the check.
bundle-build:
$(call target_title, "Building ${DIR} bundle with Porter") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& . ${MAKEFILE_DIR}/devops/scripts/set_docker_sock_permission.sh \
&& cd ${DIR} \
&& if [ -d terraform ]; then terraform -chdir=terraform init -backend=false; terraform -chdir=terraform validate; fi \
@ -189,8 +189,8 @@ bundle-build:
bundle-install: bundle-check-params
$(call target_title, "Deploying ${DIR} with Porter") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
&& cd ${DIR} && porter install -p ./parameters.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
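Review bot: `bundle-install` makes the same substitution of `${DIR}/.env` by `load_and_validate_env.sh` as `terraform-deploy`; note that the `bundle-check-params` prerequisite runs before this recipe, and therefore before the environment is loaded, so check that it does not depend on values that `load_and_validate_env.sh` now provides.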
@ -212,7 +212,7 @@ bundle-check-params:
bundle-uninstall:
$(call target_title, "Uninstalling ${DIR} with Porter") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& cd ${DIR} && porter uninstall -p ./parameters.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
@ -220,7 +220,7 @@ bundle-uninstall:
bundle-custom-action:
$(call target_title, "Performing:${ACTION} ${DIR} with Porter") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& cd ${DIR} && porter invoke --action ${ACTION} -p ./parameters.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/arm_auth_local_debugging.json \
--cred ${MAKEFILE_DIR}/resource_processor/vmss_porter/aad_auth_local_debugging.json \
@ -228,7 +228,7 @@ bundle-custom-action:
bundle-publish:
$(call target_title, "Publishing ${DIR} bundle with Porter") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& . ${MAKEFILE_DIR}/devops/scripts/set_docker_sock_permission.sh \
&& az acr login --name $${ACR_NAME} \
&& cd ${DIR} \
@ -239,7 +239,7 @@ bundle-publish:
bundle-register:
@# NOTE: ACR_NAME below comes from the env files, so needs the double '$$'. Others are set on command execution and don't
$(call target_title, "Registering ${DIR} bundle") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& az acr login --name $${ACR_NAME} \
&& ${MAKEFILE_DIR}/devops/scripts/ensure_cli_signed_in.sh TRE_URL="$${TRE_URL:-https://$${TRE_ID}.$${LOCATION}.cloudapp.azure.com}" \
&& cd ${DIR} \
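Review bot: the `NOTE: ACR_NAME below comes from the env files` comment in `bundle-register` (and the identical one in `deploy-shared-service`) is stale after this change; `ACR_NAME` is now exported from `management.acr_name` in `config.yaml` by `load_and_validate_env.sh`, so update the comment to say so.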
@ -266,7 +266,7 @@ user_resource_bundle:
deploy-shared-service:
@# NOTE: ACR_NAME below comes from the env files, so needs the double '$$'. Others are set on command execution and don't
$(call target_title, "Deploying ${DIR} shared service") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh porter,env \
&& ${MAKEFILE_DIR}/devops/scripts/ensure_cli_signed_in.sh TRE_URL="$${TRE_URL:-https://$${TRE_ID}.$${LOCATION}.cloudapp.azure.com}" \
&& cd ${DIR} \
&& ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS}
@ -277,14 +277,14 @@ firewall-install:
static-web-upload:
$(call target_title, "Uploading to static website") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform/ > /dev/null && . ./outputs.sh && popd > /dev/null \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/templates/core/private.env \
&& ${MAKEFILE_DIR}/devops/scripts/upload_static_web.sh
build-and-deploy-ui:
$(call target_title, "Build and deploy UI") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform/ > /dev/null && . ./outputs.sh && popd > /dev/null \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/templates/core/private.env \
&& if [ "$${DEPLOY_UI}" != "false" ]; then ${MAKEFILE_DIR}/devops/scripts/build_deploy_ui.sh; else echo "UI Deploy skipped as DEPLOY_UI is false"; fi \
@ -327,7 +327,7 @@ test-e2e-custom:
setup-local-debugging:
$(call target_title,"Setting up the ability to debug the API and Resource Processor") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform/ > /dev/null && . ./outputs.sh && popd > /dev/null \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/templates/core/private.env \
&& . ${MAKEFILE_DIR}/devops/scripts/setup_local_debugging.sh
@ -349,7 +349,7 @@ api-healthcheck:
db-migrate: api-healthcheck
$(call target_title,"Migrating Cosmos Data") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env,auth \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
&& pushd ${MAKEFILE_DIR}/templates/core/terraform/ > /dev/null && . ./outputs.sh && popd > /dev/null \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/templates/core/private.env \
&& . ${MAKEFILE_DIR}/devops/scripts/get_access_token.sh \

82
config.sample.yaml Normal file

@ -0,0 +1,82 @@
---
# After you have replaced all the __CHANGE_ME__ values in this file, you need to
# run `make auth` to setup the Auth.
tre_id: __CHANGE_ME__
location: __CHANGE_ME__
management:
mgmt_resource_group_name: __CHANGE_ME__
mgmt_storage_account_name: __CHANGE_ME__
terraform_state_container_name: tfstate
acr_name: __CHANGE_ME__
# Azure Resource Manager credentials used for CI/CD pipelines
arm_subscription_id: __CHANGE_ME__
# If you want to override the currently signed in credentials
# You would do this if running commands like `make terraform-install DIR=./templates/workspaces/base`
# arm_tenant_id: __CHANGE_ME__
# arm_client_id: __CHANGE_ME__
# arm_client_secret: __CHANGE_ME__
tre:
# If your local machine/build agent cannot get the public IP
# address from https://ipecho.net/plain, then you can circumvent
# this by setting this Environment variable. This blockage can
# be caused by trying to deploy TRE in an Office environment where
# this website is blocked. This value is the public facing IP
# address of the deploying machine.
# public_deployment_ip_address: __CHANGE_ME__
core_address_space: 10.1.0.0/22
tre_address_space: 10.0.0.0/12
core_app_service_plan_sku: P1v2
resource_processor_vmss_sku: Standard_B2s
enable_airlock_malware_scanning: false
# TODO: move to RP default with https://github.com/microsoft/AzureTRE/issues/2948
workspace_app_service_plan_sku: P1v2
# The TRE Web UI is deployed by default.
# Uncomment the following to disable deployment of the Web UI.
# deploy_ui: false
authentication:
aad_tenant_id: __CHANGE_ME__
# Setting AUTO_WORKSPACE_APP_REGISTRATION to false will:
# create an identity with `Application.ReadWrite.OwnedBy`.
# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will:
# create an identity with `Application.ReadWrite.All` and `Directory.Read.All`.
# When this is true, create Workspaces will also create an AAD Application automatically.
# When this is false, the AAD Application will need creating manually.
auto_workspace_app_registration: true
# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
auto_workspace_group_creation: false
resource_processor:
# The number of processes to start in the resource processor VMSS image
resource_processor_number_processes_per_instance: 5
# This setting provides a way to pass environment values to the resource processor
# to use as a source of bundle parameter values
# For example, to specify your image_gallery_id for use in VM user resources with custom VM images:
# yamllint disable-line rule:line-length
# rp_bundle_values: {"image_gallery_id":"/subscriptions/<subscription-id>/resourceGroups/<your-rg>/providers/Microsoft.Compute/galleries/<your-gallery-name>"}
developer_settings:
# Locks will not be added to stateful resources so they can be easily removed
# stateful_resources_locked: false
# If you want to use TRE_URL to point to your local TRE API instance,
# uncomment and set this variable
# tre_url: __CHANGE_ME__
# This setting will enable your local machine to be able to
# communicate with Service Bus and Cosmos. It will also allow deploying
# the base workspace.
# enable_local_debugging: true
# Used by the API and Resource processor application to change log level
# debug: true
# To avoid creating + deleting a workspace + service in tests set the vars for existing ones
performance_in_e2e_test:
# perf_test_workspace_id: __CHANGE_ME__
# perf_test_worspace_service_id: __CHANGE_ME__
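Review bot: the header comment should warn that after `make auth` this file will contain the AAD client secrets and must never be committed (it is git-ignored in this change, but the sample is what people actually read). Specific points: `perf_test_worspace_service_id` is misspelled (`workspace`); the `developer_settings` and `performance_in_e2e_test` sections have every child commented out, so they parse as null values, and it is worth confirming how the leaf-key query in `load_and_validate_env.sh` treats a null section; the comments under `authentication` refer to `AUTO_WORKSPACE_APP_REGISTRATION` and `AUTO_WORKSPACE_GROUP_CREATION` while the keys are lowercase, which only lines up once the reader knows keys are upper-cased on export.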

154
config_schema.json Normal file

@ -0,0 +1,154 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"$id": "https://github.com/microsoft/AzureTRE/schema/config_schema.json",
"title": "AzureTRE configuration file",
"description": "This document contains all the configuration needed to deploy and setup AzureTRE.",
"type": "object",
"properties": {
"location": {
"description": "The Azure location (region) for all resources.",
"type": "string",
"pattern": "[a-z]+"
},
"tre_id": {
"description": "TRE unique identifier",
"type": "string",
"pattern": "^[a-zA-Z 0-9\\_]*$",
"maxLength": 11
},
"management": {
"description": "Management configuration",
"type": "object",
"properties": {
"mgmt_resource_group_name": {
"description": "The shared resource group for all management resources, including the storage account.",
"type": "string",
"pattern": "^[-\\w\\._\\(\\)]+$",
"maxLength": 90
},
"mgmt_storage_account_name": {
"description": "The name of the storage account to hold the Terraform state and other deployment artifacts.",
"type": "string",
"pattern": "[A-Za-z09]+",
"minLength": 3,
"maxLength": 24
},
"terraform_state_container_name": {
"description": "Optional. The name of the blob container to hold the Terraform state. Default value is `tfstate`.",
"type": "string",
"pattern": "^[a-z0-9](?!.*--)[a-z0-9-]{1,61}[a-z0-9]$",
"minLength": 3,
"maxLength": 63
},
"acr_name": {
"description": "A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images.",
"type": "string",
"pattern": "^[a-zA-Z0-9]*$",
"minLength": 5,
"maxLength": 50
},
"arm_subscription_id": {
"description": "The Azure subscription ID for all resources.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
}
},
"required": [
"mgmt_resource_group_name",
"mgmt_storage_account_name",
"terraform_state_container_name",
"acr_name",
"arm_subscription_id"
]
},
"tre": {
"description": "TRE configuration",
"type": "object",
"properties": {
"enable_airlock_malware_scanning": {
"description": "Allow airlock malware scanning.",
"type": "boolean"
},
"core_address_space": {
"description": "TRE core address spaces.",
"type": "string"
},
"tre_address_space": {
"description": "TRE address spaces.",
"type": "string"
}
}
},
"authentication": {
"description": "Authentication configuration",
"type": "object",
"properties": {
"aad_tenant_id": {
"description": "Tenant id against which auth is performed.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"auto_workspace_app_registration": {
"description": "This identity is used to manage other AAD applications that it owns. Read more about it here: docs/tre-admins/auth.md",
"type": "boolean"
},
"auto_workspace_group_creation": {
"description": "This identity can create security groups aligned to each applciation role. Read more about it here: docs/tre-admins/auth.md",
"type": "boolean"
},
"api_client_id": {
"description": "API application (client) ID.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"api_client_secret": {
"description": "API application client secret.",
"type": "string",
"minLength": 11
},
"swagger_ui_client_id": {
"description": "Swagger/UI application (client) ID.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"application_admin_client_id": {
"description": "This client will administer AAD Applications for TRE.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"application_admin_client_secret": {
"description": "Secret to client which will administer AAD Applications for TRE",
"type": "string",
"minLength": 11
},
"test_account_client_id": {
"description": "This is the app that will run the tests for you.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"test_account_client_secret": {
"description": "This is the secret to an app that will run the tests for you",
"type": "string",
"minLength": 11
},
"workspace_api_client_id": {
"description": "Workspace AD Application. This will be created for you for future use - when creating workspaces.",
"type": "string",
"pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
},
"workspace_api_client_secret": {
"description": "Workspace AD Application secret. This will be created for you for future use - when creating workspaces.",
"type": "string",
"minLength": 11
}
},
"required": [
"aad_tenant_id"
]
}
},
"required": [
"location",
"tre_id"
]
}
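Review bot: several patterns do not enforce what their descriptions and the commit message say. `tre_id` uses `^[a-zA-Z 0-9\\_]*$`, which still admits a space character even though hyphens were deliberately removed; `mgmt_storage_account_name` uses `[A-Za-z09]+`, where `09` is the two digits 0 and 9 rather than the range `0-9`, and the pattern is unanchored, so a name with a hyphen passes (Azure storage account names are lowercase letters and digits only, so `^[a-z0-9]{3,24}$` is the intended shape); `location` is `[a-z]+` without anchors. `$id` is a draft-06 keyword while `$schema` declares draft-04 (which uses `id`); pick one draft. Finally, `required` under `authentication` lists only `aad_tenant_id`, so a config with no client IDs validates; if that is intentional because `make auth` fills them in later, say so in the description.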


@ -1,18 +0,0 @@
# Management infrastructure
LOCATION=__CHANGE_ME__
MGMT_RESOURCE_GROUP_NAME=__CHANGE_ME__
MGMT_STORAGE_ACCOUNT_NAME=__CHANGE_ME__
TERRAFORM_STATE_CONTAINER_NAME=tfstate
ACR_NAME=__CHANGE_ME__
# Azure Resource Manager credentials used for CI/CD pipelines
ARM_SUBSCRIPTION_ID=__CHANGE_ME__
# If you want to override the currently signed in credentials
# You would do this if running commands like `make terraform-install DIR=./templates/workspaces/base`
# ARM_TENANT_ID=__CHANGE_ME__
# ARM_CLIENT_ID=__CHANGE_ME__
# ARM_CLIENT_SECRET=__CHANGE_ME__
# Debug mode
DEBUG="false"
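Review bot: `DEBUG="false"` from this sample has no uncommented counterpart in `config.sample.yaml` (`debug` is commented out under `developer_settings`), and the same goes for the commented `ARM_TENANT_ID`, `ARM_CLIENT_ID` and `ARM_CLIENT_SECRET` overrides; the migration script's `select(has("$name"))` query matches nothing for those keys and drops them without a message. Either uncomment the keys in the sample or have the migration script warn about keys it could not place.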


@ -1,24 +0,0 @@
# The file auth.env will be created for you by running `make auth`
# This file just explains what teh variables are used for
# This identity is used by the Resource Processor to administer the
# AAD Applications (e.g. Add Redirect URIs)
# APPLICATION_ADMIN_CLIENT_ID=""
# APPLICATION_ADMIN_CLIENT_SECRET=""
# The API Client ID is used to provide Auth for the API/UX. These
# are mandatory for the running of `make all`
# API_CLIENT_ID=""
# API_CLIENT_SECRET=""
# SWAGGER_UI_CLIENT_ID=""
# The following 2 environment variables are only required
# if you want to automated bundle registration.
# TEST_ACCOUNT_CLIENT_ID=""
# TEST_ACCOUNT_CLIENT_SECRET=""
# You will only need a workspace identity if you running this TRE
# locally for E2E. Normally, these will be supplied by the Tenant
# Admin if you are not automatically creating Workspaces.
# WORKSPACE_API_CLIENT_ID=""
# WORKSPACE_API_CLIENT_SECRET=""
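Review bot: the explanations in this file (which identity is used for what, which values are only needed for automated bundle registration or for local E2E) have no counterpart in `config.sample.yaml`, whose `authentication` section documents only `aad_tenant_id` and the two `auto_workspace_*` flags; the schema descriptions carry some of it, but a user editing the YAML will not see them. Consider moving these comments into the sample next to the keys that `make auth` fills in.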


@ -352,11 +352,14 @@ JSON
fi
fi
{
echo "API_CLIENT_ID=\"${appId}\""
echo "API_CLIENT_SECRET=\"${spPassword}\""
echo "SWAGGER_UI_CLIENT_ID=\"${uxAppId}\""
} >> "devops/auth.env"
# Set outputs in configuration file
yq -i ".authentication.api_client_id |= \"${appId}\"" config.yaml
yq -i ".authentication.api_client_secret |= \"${spPassword}\"" config.yaml
yq -i ".authentication.swagger_ui_client_id |= \"${uxAppId}\"" config.yaml
echo "api_client_id=\"${appId}\""
echo "api_client_secret=\"${spPassword}\""
echo "swagger_ui_client_id=\"${uxAppId}\""
if [[ $grantAdminConsent -eq 0 ]]; then
echo -e "\e[96mNOTE: Make sure the API permissions of the app registrations have admin consent granted."
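Review bot: the three new `echo` lines print `api_client_secret` to stdout, where the previous version only wrote it to `devops/auth.env`; in a CI run that puts the secret in the job log. Print only the client IDs, or mask the secret. Interpolating `${spPassword}` into the yq expression also breaks (or silently changes the value) if the secret contains a double quote or backslash; passing it through the environment avoids quoting issues, e.g. `api_client_secret="$spPassword" yq -i '.authentication.api_client_secret = strenv(api_client_secret)' config.yaml`. Lastly, `yq -i` rewrites `config.yaml` in place; check that it preserves the file's comments and that a failure mid-write cannot leave a truncated config behind.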


@ -167,8 +167,12 @@ if [[ $grantAdminConsent -eq 1 ]]; then
done
fi
echo "APPLICATION_ADMIN_CLIENT_ID=\"${appId}\"" > "devops/auth.env"
echo "APPLICATION_ADMIN_CLIENT_SECRET=\"${spPassword}\"" >> "devops/auth.env"
# Set outputs in configuration file
yq -i ".authentication.application_admin_client_id |= \"${appId}\"" config.yaml
yq -i ".authentication.application_admin_client_secret |= \"${spPassword}\"" config.yaml
echo "application_admin_client_id=\"${appId}\""
echo "application_admin_client_secret=\"${spPassword}\""
if [[ $grantAdminConsent -eq 0 ]]; then
echo "NOTE: Make sure the API permissions of the app registrations have admin consent granted."
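Review bot: `application_admin_client_secret` is now echoed to stdout, which lands in CI logs; drop that echo (the ID is enough) and, as for the other scripts that write to `config.yaml`, prefer `strenv()` in the yq expression so a secret containing `"` or `\` does not break the assignment. The old code used `>` here to start a fresh `devops/auth.env` on every `make auth`; with in-place `yq -i` updates, values from a previous run stay in `config.yaml` until each script overwrites them, which is fine as long as the whole sequence runs.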


@ -117,7 +117,9 @@ az ad app owner add --id "${appId}" --owner-object-id "$currentUserId" --only-sh
# Create a Service Principal for the app.
spPassword=$(create_or_update_service_principal "${appId}" "${resetPassword}")
{
echo "TEST_ACCOUNT_CLIENT_ID=\"${appId}\""
echo "TEST_ACCOUNT_CLIENT_SECRET=\"${spPassword}\""
} >> "devops/auth.env"
# Set outputs in configuration file
yq -i ".authentication.test_account_client_id |= \"${appId}\"" config.yaml
yq -i ".authentication.test_account_client_secret |= \"${spPassword}\"" config.yaml
echo "test_account_client_id=\"${appId}\""
echo "test_account_client_secret=\"${spPassword}\""
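Review bot: `test_account_client_secret` is echoed to stdout on the last line; this secret is used for E2E and automated bundle registration and will appear in CI logs. Remove the echo of the secret, and use `strenv()` in the yq expression rather than interpolating `${spPassword}` into it.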


@ -355,10 +355,12 @@ JSON
fi
fi
{
echo "WORKSPACE_API_CLIENT_ID=\"${workspaceAppId}\""
echo "WORKSPACE_API_CLIENT_SECRET=\"${spPassword}\""
} >> "devops/auth.env"
# Set outputs in configuration file
yq -i ".authentication.workspace_api_client_id |= \"${workspaceAppId}\"" config.yaml
yq -i ".authentication.workspace_api_client_secret |= \"${spPassword}\"" config.yaml
echo "workspace_api_client_id=\"${workspaceAppId}\""
echo "workspace_api_client_secret=\"${spPassword}\""
if [[ $grantAdminConsent -eq 0 ]]; then
echo "NOTE: Make sure the API permissions of the app registrations have admin consent granted."
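Review bot: `workspace_api_client_secret` is echoed to stdout here too, so it ends up in CI logs; keep only the `workspace_api_client_id` echo. The `yq -i` assignment interpolates `${spPassword}` directly into the expression, so a secret containing `"` or `\` will break it; pass it via `strenv()` instead.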


@ -20,36 +20,17 @@ if ! command -v az &> /dev/null; then
exit 1
fi
if [[ "${1:-?}" == *"auth"* ]]; then
if [ -z "${USE_ENV_VARS_NOT_FILES:-}" ]; then
# We only do this for local builds
echo -e "\n\e[96mChecking for Auth setup\e[0m..."
if [ ! -f "devops/auth.env" ]; then
echo -e "\e[31m»»» ⚠️ Auth has not been setup! 😥 Please run make auth"
exit 1
fi
set -a
# shellcheck disable=SC1091
. "$DIR/load_env.sh" "devops/auth.env"
fi
fi
if [[ "${1:-?}" == *"env"* ]]; then
if [ -z "${USE_ENV_VARS_NOT_FILES:-}" ]; then
# We only do this for local builds
echo -e "\n\e[96mLoading local environment variables\e[0m..."
if [ ! -f "devops/.env" ]; then
echo -e "\e[31m»»» ⚠️ Your devops environment has not been setup! 😥 Please create a ./devops/.env file."
exit 1
fi
if [ ! -f "templates/core/.env" ]; then
echo -e "\e[31m»»» ⚠️ Your template environment has not been setup! 😥 Please create a ./templates/core/.env file."
if [ ! -f "config.yaml" ]; then
echo -e "\e[31m»»» ⚠️ Your config.yaml file has not been setup! 😥 Please create a config.yaml file."
exit 1
fi
# shellcheck disable=SC1091
. "$DIR/load_env.sh" "devops/.env"
# shellcheck disable=SC1091
. "$DIR/load_env.sh" "templates/core/.env"
. "$DIR/load_and_validate_env.sh"
fi
fi
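Review bot: removing the `auth` branch removes the only place that failed early when `make auth` had not been run; `load_and_validate_env.sh` validates against `config_schema.json`, but that schema requires only `aad_tenant_id` under `authentication`, so a `config.yaml` with `api_client_id` unset passes here and fails later inside Terraform. Suggest keeping an `auth` check that verifies the client IDs are populated (for example that `yq e '.authentication.api_client_id' config.yaml` is non-empty and not `__CHANGE_ME__`). Also be aware that sourcing `load_and_validate_env.sh` applies its `set -o errexit`/`nounset` and trailing `set +o nounset` to this script's shell.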


@ -3,7 +3,7 @@ set -euo pipefail
# Use this for debug only
# set -o xtrace
: "${AAD_TENANT_ID?'You have not set your AAD_TENANT_ID in ./templates/core/.env'}"
: "${AAD_TENANT_ID?'You have not set your aad_tenant_id in ./config.yaml'}"
# Get the directory that this script is in
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
@ -47,11 +47,8 @@ fi
# Load the new values back in because
# we need TEST_ACCOUNT_CLIENT_ID
set -a
# shellcheck disable=SC1091
. ./templates/core/.env
# shellcheck disable=SC1091
. ./devops/auth.env
. "$DIR/load_and_validate_env.sh"
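Review bot: the `set -a` just above is now redundant (`load_and_validate_env.sh` exports its variables itself) and, since it is never turned off, every variable assigned later in this script is exported to the child `create_*_application.sh` processes; the matching `set -a` in the `AUTO_WORKSPACE_APP_REGISTRATION` block was removed in this change, so remove this one as well for consistency.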
# Then register an App for the TRE Core.
"$DIR/aad/create_api_application.sh" \
@ -63,11 +60,8 @@ set -a
if [ "${AUTO_WORKSPACE_APP_REGISTRATION:=false}" == false ]; then
# Load the new values back in
# This is because we want the SWAGGER_UI_CLIENT_ID
set -a
# shellcheck disable=SC1091
. ./templates/core/.env
# shellcheck disable=SC1091
. ./devops/auth.env
. "$DIR/load_and_validate_env.sh"
"$DIR/aad/create_workspace_application.sh" \
--name "${TRE_ID} - workspace 1" \


@ -0,0 +1,54 @@
#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace
#
# Usage:
# env_to_yaml_config.sh <.env file>
#
cp config.sample.yaml config.yaml
# Loop over the relevant lines in the file specified in $1 (passed in after the loop)
# The loop source filters the lines in the source file to those that should be treated
# as variable definitions
env_files=()
for p in "devops/auth.env" "devops/.env" "templates/core/.env"
do
if [ -r "$p" ]
then
env_files+=("$p")
else
echo -e "\e[31m»»» ⚠️ Your $p file has not been setup! 😥 Make sure to fill in the missing configration in config.yaml."
fi
done
for f in "${env_files[@]}"
do
while read -r line
do
# split the line into name/value
name=$(echo "$line" | cut -d= -f1| tr '[:upper:]' '[:lower:]')
value=$(echo "$line" | cut -d= -f2)
if [ "$f" == "devops/auth.env" ]; then
yq e -i "(.authentication | .\"$name\") = $value" config.yaml
else
# if the value is quote-delimited then strip that as we quote in the declare statement
if [[ ("${value:0:1}" == "'" && "${value: -1:1}" == "'") || (("${value:0:1}" == "\"" && "${value: -1:1}" == "\"")) ]]; then
value=${value:1:-1}
fi
if [[ ($value == ?(-)+([0-9]) || $value == "true" || $value == "false")]]; then
yq e -i "(.. | select(has(\"$name\")).\"$name\") = $value" config.yaml
else
# Set value in config.yaml file
yq e -i "(.. | select(has(\"$name\")).\"$name\") = \"$value\"" config.yaml
fi
fi
done < <(grep -v -e '^[[:space:]]*$' -e '^#' "$f" )
done
set +o nounset
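Review bot: `cut -d= -f2` keeps only the text between the first and second `=`, so any value containing `=` (client secrets often do, as does any base64 value with padding) is silently truncated; use `-f2-`, or `${line%%=*}` and `${line#*=}`. Keys that are not present uncommented in `config.sample.yaml` (for example `debug`, `arm_client_id`, `arm_client_secret`, `tre_url`) match nothing in `select(has("$name"))` and are dropped without any message, so a user loses settings without noticing; warn for each unmatched key. The `cp config.sample.yaml config.yaml` at the top overwrites an existing `config.yaml` unconditionally. The usage comment says `<.env file>` and the loop comment refers to `$1`, but the script takes no arguments and reads three fixed paths. The `auth.env` branch puts `$value` unquoted into the yq expression, relying on the source file's own double quotes, which fails for a secret containing `"` or `\`. And the trailing `set +o nounset` has no effect for a script that is executed rather than sourced.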


@ -0,0 +1,47 @@
#!/bin/bash
set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace
#
# Usage:
# load_and_validate_env.sh
#
if [ ! -f "config.yaml" ]; then
if [ -z "${USE_ENV_VARS_NOT_FILES:-}" ]; then
echo -e "\e[31m»»» 💥 Unable to find config.yaml file, please create file and try again!\e[0m"
#exit
fi
else
# Validate no duplicate keys in config
has_dupes=$(yq e '.. | select(. == "*") | {(path | .[-1]): .}| keys' config.yaml | sort| uniq -d)
if [ -n "${has_dupes:-}" ]; then
echo -e "\e[31m»»» 💥 There are duplicate keys in your config, please fix and try again!\e[0m"
exit 1
fi
# Validate config schema
if [[ $(pajv validate -s config_schema.json -d config.yaml) != *valid* ]]; then
echo -e "\e[31m»»» ⚠️ Your config.yaml is invalid 😥 Please fix the errors and retry."
exit 1
fi
# Get leaf keys yq query
GET_LEAF_KEYS=".. | select(. == \"*\") | {(path | .[-1]): .}"
# Map keys to uppercase yq query
UPCASE_KEYS="with_entries(.key |= upcase)"
# Prefix keys with TF_VAR_ yq query
TF_KEYS="with_entries(.key |= \"TF_VAR_\" + .)"
# Yq query to format the output to be in form: key=value
FORMAT_FOR_ENV_EXPORT="to_entries| map(.key + \"=\" + .value)|join(\" \")"
# Export as UPPERCASE keys env vars
# shellcheck disable=SC2046
export $(yq e "$GET_LEAF_KEYS|$UPCASE_KEYS| $FORMAT_FOR_ENV_EXPORT" config.yaml)
# Export as Terraform keys env vars
# shellcheck disable=SC2046
export $(yq e "$GET_LEAF_KEYS|$TF_KEYS| $FORMAT_FOR_ENV_EXPORT" config.yaml)
fi
set +o nounset
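Review bot: the `#exit` in the missing-config branch is commented out, so when `config.yaml` is absent and `USE_ENV_VARS_NOT_FILES` is unset the script prints the error and returns successfully, and every caller proceeds with an empty environment; make that `exit 1`. The schema check `[[ $(pajv validate ...) != *valid* ]]` is wrong in the failing case: the pattern `*valid*` also matches the word "invalid", so an invalid config is only caught if pajv prints nothing to stdout; test the exit status instead (`if ! pajv validate -s config_schema.json -d config.yaml; then`). `export $(... | join(" "))` word-splits on spaces, so a value containing a space (the sample's `rp_bundle_values` JSON, or a secret) is broken into several bogus exports; emit one `key=value` per line and read it with `while IFS= read -r kv; do export "$kv"; done`. Finally, because this file is sourced from Makefile recipes and other scripts, its `set -o errexit`/`nounset` at the top and `set +o nounset` at the end change the options of the calling shell.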


@ -1,7 +1,7 @@
#!/bin/bash
set -e
: "${TRE_ID?"You have not set you TRE_ID in ./templates/core/.env"}"
: "${TRE_ID?"You have not set your TRE_ID in ./config_yaml"}"
: "${RESOURCE_GROUP_NAME?"Check RESOURCE_GROUP_NAME is defined in ./templates/core/private.env"}"
: "${SERVICE_BUS_RESOURCE_ID?"Check SERVICE_BUS_RESOURCE_ID is defined in ./templates/core/private.env"}"
: "${STATE_STORE_RESOURCE_ID?"Check STATE_STORE_RESOURCE_ID is defined in ./templates/core/private.env"}"
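Review bot: the new message says `./config_yaml`; the file is `./config.yaml`. Referring to `TRE_ID` in upper case is still correct, since the loader exports the YAML keys upper-cased, and the other messages still point at `./templates/core/private.env`, which this change leaves in place.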


@ -1 +1 @@
__version__ = "0.4.3"
__version__ = "0.4.4"


@ -7,7 +7,7 @@ It is common that the Azure Administrator is not necessarily the Azure Active Di
This page describes the automated Auth setup for TRE.
## Pre-requisites
The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/templates/core/.env`)
The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`)
| Key | Description |
| ----------- | ----------- |
@ -22,9 +22,9 @@ You can build all of the Identity assets by running the following at the command
```bash
make auth
```
This will create five identities, and if successful will write a new file; `/devops/auth.env`. If you are building locally, these values will be used when building your TRE. If you are setting this up for CI/CD, then these values will be needed by your Build Orchestrator.
This will create five identities, and if successful will write the outputs to athentication section in `config.yaml` file. If you are building locally, these values will be used when building your TRE. If you are setting this up for CI/CD, then these values will be needed by your Build Orchestrator.
The contents of your `/devops/auth.env` file should contain :
The contents of your authentication section in `config.yaml` file should contain :
| Variable | Description |
| -------- | ----------- |
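Review bot: typo and grammar in the added lines: `athentication` should be `authentication`, and `write the outputs to athentication section in `config.yaml` file` reads better as `write the outputs to the authentication section of `config.yaml``. Likewise `The contents of your authentication section in `config.yaml` file should contain :` should read `The authentication section of your `config.yaml` should contain:` (no space before the colon).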

View file

@ -3,7 +3,7 @@
!!! info
The `.tfvars` file is intentionally not used. The `.env` file format is easier to parse, meaning we can use the values for bash scripts and other purposes.
## For shared management resources in `/devops/.env`
## For shared management resources in `/config.yaml`
| <div style="width: 330px">Environment variable name</div> | Description |
| ------------------------- | ----------- |
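Review bot: the `!!! info` admonition immediately above the rewritten heading still justifies `.env` over `.tfvars` (`The `.env` file format is easier to parse`) even though this change moves the values into `config.yaml`; update it to describe the YAML layout or drop it. The column header `Environment variable name` is now misleading for a YAML file with lowercase keys, and since all three headings on this page now point at the same `/config.yaml`, each heading should name the section within it (here, the management section).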
@ -17,11 +17,11 @@
| `ARM_CLIENT_SECRET` | *Optional for manual deployment without logged-in credentials.* The password of the client defined in `ARM_CLIENT_ID`. |
| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The AAD tenant of the client defined in `ARM_CLIENT_ID`. |
## For Azure TRE instance in `/templates/core/.env`
## For Azure TRE instance in `/config.yaml`
| <div style="width: 330px">Environment variable name</div> | Description |
| ------------------------- | ----------- |
| `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `mytre-dev` will result in a resource group name for Azure TRE instance of `rg-mytre-dev`. This must be less than 12 characters. Allowed characters: Alphanumeric, underscores, and hyphens. |
| `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `mytre-dev` will result in a resource group name for Azure TRE instance of `rg-mytre-dev`. This must be less than 12 characters. Allowed characters: Alphanumeric and underscores|
| `TRE_URL`| This will be generated for you by populating your `TRE_ID`. This is used so that you can automatically register bundles |
| `CORE_ADDRESS_SPACE` | The address space for the Azure TRE core virtual network. `/22` or larger. |
| `TRE_ADDRESS_SPACE` | The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. `10.0.0.0/12`|
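Review bot: the rewritten `TRE_ID` row now says only alphanumerics and underscores are allowed, but the example in the same sentence (`mytre-dev`, giving `rg-mytre-dev`) still contains a hyphen; replace it with an example that satisfies the new rule. The new text also drops the space before the closing pipe (`Alphanumeric and underscores|`), and, for consistency with the rest of this change, the key in `config.yaml` is lowercase `tre_id` while the row still shows `TRE_ID`.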
@ -38,7 +38,7 @@
| `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
| `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
## For authentication in `/devops/.env`
## For authentication in `/config.yaml`
| Variable | Description |
| -------- | ----------- |

View file

@ -55,7 +55,7 @@ Below is a sample where `TRE_ID` has value `mytre`:
!!! caution
The script will create an app password (client secret) for the **TRE API** app and the **Automation App** and write them to `/devops/auth.env` file. These values are only shown once, if you lose them, the script will create new secrets if run again.
The script will create an app password (client secret) for the **TRE API** app and the **Automation App** and write them to `/config.yaml` file. These values are only shown once, if you lose them, the script will create new secrets if run again.
You can create an automation account which will aid your development flow, if you don't want to do this you can omit the `--automation-clientid` switch.
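Review bot: with this change the client secrets for the **TRE API** app and the **Automation App** are written into `config.yaml` in the repository root instead of `/devops/auth.env`; the caution should say explicitly that the file now holds secrets and must not be committed, and the change should include (or the docs should point to) a `.gitignore` entry for `config.yaml`, which is not visible in this diff. Grammar: `write them to `/config.yaml` file` should read `write them to the `/config.yaml` file`.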
@ -65,8 +65,8 @@ You can run the script without the `--admin-consent` and ask your admin to grant
## Environment Variables
| Variable | Description | Location |
| -------- | ----------- | -------- |
|API_CLIENT_ID|The Client Id|`./devops/auth.env`|
|API_CLIENT_SECRET|The client secret|`./devops/auth.env`|
|API_CLIENT_ID|The Client Id|`./config.yaml`|
|API_CLIENT_SECRET|The client secret|`./config.yaml`|
## Comments
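Review bot: the variable names in the Location table (`API_CLIENT_ID`, `API_CLIENT_SECRET`) are the environment-variable spellings, but the location is now `./config.yaml`, where the keys are lowercase YAML keys; either show the YAML key in the table or state once that the keys are the lowercase form of these names. The same applies to the equivalent tables for the Application Admin, Swagger UI, Test Account and Workspace API app pages in this change.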

View file

@ -34,5 +34,5 @@ This user is currently only used from the Porter bundles hosted on the Resource
## Environment Variables
| Variable | Description | Location |
| -------- | ----------- | -------- |
|APPLICATION_ADMIN_CLIENT_ID|The Client Id|`./devops/auth.env`|
|APPLICATION_ADMIN_CLIENT_SECRET|The client secret|`./devops/auth.env`|
|APPLICATION_ADMIN_CLIENT_ID|The Client Id|`./config.yaml`|
|APPLICATION_ADMIN_CLIENT_SECRET|The client secret|`./config.yaml`|

View file

@ -51,5 +51,5 @@ The following Redirect URIs will be added to the application
## Environment Variables
| Variable | Description | Location |
| -------- | ----------- | -------- |
|SWAGGER_UI_CLIENT_ID|The Client Id|`./devops/auth.env`|
|SWAGGER_UI_CLIENT_ID|The Client Id|`./config.yaml`|

View file

@ -30,8 +30,8 @@ This application is used locally to automatically register bundles against the A
## Environment Variables
| Variable | Description | Location |
| -------- | ----------- | -------- |
|TEST_ACCOUNT_CLIENT_ID|The Client Id|`./devops/auth.env`|
|TEST_ACCOUNT_CLIENT_SECRET|The client secret|`./devops/auth.env`|
|TEST_ACCOUNT_CLIENT_ID|The Client Id|`./config.yaml`|
|TEST_ACCOUNT_CLIENT_SECRET|The client secret|`./config.yaml`|
## How to create
Example on how to run the script:

View file

@ -53,15 +53,15 @@ Example on how to run the script:
!!! caution
The script will create an app password (client secret) for the workspace and write to `/devops/auth.env`. These values are only shown once, if you lose them, the script will create new secrets if run again.
The script will create an app password (client secret) for the workspace and write to `/config.yaml` under the authentication section. These values are only shown once, if you lose them, the script will create new secrets if run again.
If you do not wish to grant the Automation App permission to your workspace, just remove the `--automation-clientid` from the command.
## Environment Variables
| Variable | Description | Location |
| -------- | ----------- | -------- |
|WORKSPACE_API_CLIENT_ID|The Client Id|`./devops/auth.env`|
|WORKSPACE_API_CLIENT_SECRET|The client secret|`./devops/auth.env`|
|WORKSPACE_API_CLIENT_ID|The Client Id|`./config.yaml`|
|WORKSPACE_API_CLIENT_SECRET|The client secret|`./config.yaml`|
## Comments
When the Workspace AAD app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace AAD app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://<TRE_ID>_ws_<WORKSPACE_SHORT_IDENTIFIER>`

View file

@ -76,7 +76,7 @@ Configure the following secrets in your github environment -
### Configure Authentication Secrets
In a previous [Setup Auth configuration](./setup-auth-entities.md) step a new `/devops/auth.env` env file was created. Go to this file and add those env vars to your github environment:
In a previous [Setup Auth configuration](./setup-auth-entities.md) step authentication configuration was added in `config.yaml` file. Go to this file and add those env vars to your github environment:
| Variable | Description |
| -------- | ----------- |
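Review bot: grammar in the rewritten sentence: `step authentication configuration was added in `config.yaml` file. Go to this file and add those env vars to your github environment` should read `step, the authentication configuration was added to the `config.yaml` file. Copy the following values from that file into your GitHub environment` (the table that follows lists GitHub secrets, not env vars, and `GitHub` is capitalised elsewhere on the page).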
@ -88,8 +88,8 @@ In a previous [Setup Auth configuration](./setup-auth-entities.md) step a new `/
| `API_CLIENT_ID` | API application (client) ID. |
| `API_CLIENT_SECRET` | API application client secret. |
| `SWAGGER_UI_CLIENT_ID` | Swagger (OpenAPI) UI application (client) ID. |
| `TEST_WORKSPACE_APP_ID`| Each workspace is secured behind it's own AD Application. Use the value of `WORKSPACE_API_CLIENT_ID` created in the `/devops/auth.env` env file |
| `TEST_WORKSPACE_APP_SECRET`| Each workspace is secured behind it's own AD Application. This is the secret for that application. Use the value of `WORKSPACE_API_CLIENT_SECRET` created in the `/devops/auth.env` env file|
| `TEST_WORKSPACE_APP_ID`| Each workspace is secured behind it's own AD Application. Use the value of `WORKSPACE_API_CLIENT_ID` created in the `/config.yaml` env file |
| `TEST_WORKSPACE_APP_SECRET`| Each workspace is secured behind it's own AD Application. This is the secret for that application. Use the value of `WORKSPACE_API_CLIENT_SECRET` created in the `/config.yaml` env file|
### Create a Teams Webhook for deployment notifications
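Review bot: `config.yaml` is not an `env file`; the two rewritten rows should read `created in `/config.yaml`` (dropping `env file`), and `it's own` should be `its own` in both rows while the lines are being touched.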

View file

@ -31,7 +31,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin
!!! caution
If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details.
Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Copy these into `/templates/core/.env` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` in the POST body below.
Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below.
### Create workspace using the API
Go to `https://<azure_tre_fqdn>/api/docs` and use POST `/api/workspaces` with the sample body to create a base workspace.
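Review bot: typo in the rewritten line: `authenrication` should be `authentication`. The line also switches to lowercase key names (`workspace_api_client_id`, `workspace_api_client_secret`) while the parallel paragraph in the other workspace guide in this change keeps `WORKSPACE_API_CLIENT_ID` / `WORKSPACE_API_CLIENT_SECRET`; pick the spelling that matches the keys in `config.yaml` and use it in both places.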

View file

@ -5,43 +5,40 @@
## Set environment configuration variables of shared management resources
1. Open the `/devops/.env.sample` file and then save it without the .sample extension. You should now have a file called `.env` located in the `/devops` folder. The file contains configuration variables for the shared management infrastructure which is used to support the deployment of one or more Azure TRE instances.
1. In this part we will setup configuration variables in `config.yaml` file for the shared management infrastructure which is used to support the deployment of one or more Azure TRE instances.
2. Provide the values for the following variables:
| Variable | Description |
| -------- | ----------- |
| `LOCATION` | The [Azure location (region)](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) for all resources. E.g., `westeurope` |
| `MGMT_RESOURCE_GROUP_NAME` | The shared resource group for all management resources, including the storage account. |
| `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. |
| `ACR_NAME` | A globally unique name for the [Azure Container Registry (ACR)](https://docs.microsoft.com/azure/container-registry/) that will be created to store deployment images. |
| `ARM_SUBSCRIPTION_ID` | The Azure subscription ID for all resources. |
| `location` | The [Azure location (region)](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) for all resources. E.g., `westeurope` |
| `mgmt_resource_group_name` | The shared resource group for all management resources, including the storage account. |
| `mgmt_storage_account_name` | The name of the storage account to hold the Terraform state and other deployment artifacts. |
| `acr_name` | A globally unique name for the [Azure Container Registry (ACR)](https://docs.microsoft.com/azure/container-registry/) that will be created to store deployment images. |
| `arm_subscription_id` | The Azure subscription ID for all resources. |
!!! tip
To retrieve your Azure subscription ID, use the `az` command line interface available in the development container. In the terminal window in Visual Studio Code, type `az login` followed by `az account show` to see your default subscription. Please refer to `az account -help` for further details on how to change your active subscription.
The rest of the variables can have their default values. You should now have a `.env` file that looks similar to the one below:
The rest of the variables can have their default values. You should now have a management section in the `config.yaml` file that looks similar to the one below:
```plaintext
# Management infrastructure
LOCATION=westeurope
MGMT_RESOURCE_GROUP_NAME=aztremgmt
MGMT_STORAGE_ACCOUNT_NAME=aztremgmt
TERRAFORM_STATE_CONTAINER_NAME=tfstate
ACR_NAME=aztreacr
ARM_SUBSCRIPTION_ID=12...54e
# If you want to override the currently signed in credentials
# ARM_TENANT_ID=__CHANGE_ME__
# ARM_CLIENT_ID=__CHANGE_ME__
# ARM_CLIENT_SECRET=__CHANGE_ME__
# Debug mode
DEBUG="false"
management:
location: westeurope
mgmt_resource_group_name: aztremgmt
mgmt_storage_account_name: aztremgmt
terraform_state_container_name: tfstate
acr_name: aztreacr
# Azure Resource Manager credentials used for CI/CD pipelines
arm_subscription_id: 12...54e
# If you want to override the currently signed in credentials
# You would do this if running commands like `make terraform-install DIR=./templates/workspaces/base`
# arm_tenant_id: __CHANGE_ME__
# arm_client_id: __CHANGE_ME__
# arm_client_secret: __CHANGE_ME__
```
3. If you want to disable the built-in web UI (`./ui`) ensure you set `DEPLOY_UI=false` in the /templates/core/.env file.
3. If you want to disable the built-in web UI (`./ui`) ensure you set `deploy_ui=false` under tre defaults section in the `config.yaml` file.
## Next steps
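Review bot: the step that creates `config.yaml` from a sample has been removed from this page (the old step 1 told the reader to copy `.env.sample`), so a reader following the guides in order reaches `In this part we will setup configuration variables in `config.yaml` file` without a `config.yaml` to edit; the copy-from-sample instruction belongs here rather than only on the TRE-instance page that follows. Step 3 also uses env-file syntax for a YAML key (`deploy_ui=false`); in `config.yaml` it is `deploy_ui: false`. Minor: `we will setup` should be `we will set up`, and the comment `Azure Resource Manager credentials used for CI/CD pipelines` sits above `arm_subscription_id`, which the table above lists as required for every deployment, so the comment should be moved down to the optional `arm_tenant_id`/`arm_client_id`/`arm_client_secret` lines it describes.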

View file

@ -2,33 +2,32 @@
Next, you will set the configuration variables for the specific Azure TRE instance:
1. Open the `/devops/.env.sample` file and then save it without the .sample extension. You should now have a file called `.env` located in the `/devops` folder. The file contains configuration variables for the shared management infrastructure which is used to support the deployment of one or more Azure TRE instances.
1. Open the `/config.sample.yaml` file and then save it without the .sample extension. You should now have a file called `config.yaml` located in the root folder. The file contains configuration variables. In this part you will add the configuration required for the shared management infrastructure which is used to support the deployment of one or more Azure TRE instances.
1. Provide the values for the following variables:
1. Provide the values for the following variables under management section in your `config.yaml` file:
| Variable | Description |
| -------- | ----------- |
| `LOCATION` | The [Azure location (region)](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) for all resources. E.g., `westeurope` |
| `MGMT_RESOURCE_GROUP_NAME` | The shared resource group for all management resources, including the storage account. |
| `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. |
| `ACR_NAME` | A globally unique name for the [Azure Container Registry (ACR)](https://docs.microsoft.com/azure/container-registry/) that will be created to store deployment images. |
| `ARM_SUBSCRIPTION_ID` | The Azure subscription ID for all resources. |
| `location` | The [Azure location (region)](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) for all resources. E.g., `westeurope` |
| `mgmt_resource_group_name` | The shared resource group for all management resources, including the storage account. |
| `mgmt_storage_account_name` | The name of the storage account to hold the Terraform state and other deployment artifacts. |
| `acr_name` | A globally unique name for the [Azure Container Registry (ACR)](https://docs.microsoft.com/azure/container-registry/) that will be created to store deployment images. |
| `arm_subscription_id` | The Azure subscription ID for all resources. |
!!! tip
To retrieve your Azure subscription ID, use the `az` command line interface available in the development container. In the terminal window in Visual Studio Code, type `az login` followed by `az account show` to see your default subscription. Please refer to `az account -help` for further details on how to change your active subscription.
The rest of the variables can have their default values.
1. Open the `/templates/core/.env.sample` file and then save it without the .sample extension. You should now have a file called `.env` located in the `/templates/core` folder.
1. Decide on a name for your `TRE_ID`, which is an alphanumeric (with underscores and hyphens allowed) ID for the Azure TRE instance. The value will be used in various Azure resources and AAD application names. It **needs to be globally unique and less than 12 characters in length**. Use only lowercase letters. Choose wisely!
1. Once you have decided on which AD Tenant paradigm, then you should be able to set `AAD_TENANT_ID`
1. Decide on a name for your `tre_id`, which is an alphanumeric (with underscores allowed) ID for the Azure TRE instance. The value will be used in various Azure resources and AAD application names. It **needs to be globally unique and less than 12 characters in length**. Use only lowercase letters. Choose wisely!
1. Once you have decided on which AD Tenant paradigm, then you should be able to set `aad_tenant_id` in the authentication section in your `config.yaml` file.
1. Your AAD Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the AAD Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md).
```bash
make auth
```
!!! note
A new auth.env file will be created under /devops folder. It will contain all the credentials created by the `make auth` command.
Credentials created by the `make auth` command will be added under the authentication section in your `config.yaml` file
!!! note
In case you have several subscriptions and would like to change your default subscription use `az account set --subscription <desired subscription ID>`
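Review bot: the rewritten step 1 says `In this part you will add the configuration required for the shared management infrastructure`, but this page is the TRE-instance guide (`Next, you will set the configuration variables for the specific Azure TRE instance`), and the management table that follows duplicates the shared-management page; keep the sample-copy instruction and the management table on the shared-management page and start this page at the `tre_id` step. Grammar: `under management section` should be `under the management section`, `Once you have decided on which AD Tenant paradigm, then you should be able to set` reads better as `Once you have decided on an AD tenant paradigm, set`, and the note `Credentials created by the `make auth` command will be added under the authentication section in your `config.yaml` file` is missing its full stop.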

View file

@ -59,7 +59,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin
!!! caution
If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details.
Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Copy these into `/templates/core/.env` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form.
Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form.
## Next steps
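Review bot: this line keeps the uppercase `WORKSPACE_API_CLIENT_ID` / `WORKSPACE_API_CLIENT_SECRET` as the names to set `under authentication section in `config.yaml``, whereas the equivalent sentence in the other workspace guide in this change uses `workspace_api_client_id` / `workspace_api_client_secret`; use the actual YAML key spelling in both, and insert `the` (`under the authentication section`).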

View file

@ -63,7 +63,7 @@ Configure the TRE ID and LOCATION repository secrets
| <div style="width: 230px">Secret name</div> | Description |
| ----------- | ----------- |
| `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `tre-dev-42` will result in a resource group name for Azure TRE instance of `rg-tre-dev-42`. This must be less than 12 characters. Allowed characters: Alphanumeric, underscores, and hyphens. |
| `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `tre-dev-42` will result in a resource group name for Azure TRE instance of `rg-tre-dev-42`. This must be less than 12 characters. Allowed characters: Alphanumeric and underscores. |
| `LOCATION` | The Azure location (region) for all resources. E.g. `westeurope` |
### Create app registrations for API authentication
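Review bot: the example `tre-dev-42` (and `rg-tre-dev-42`) contains hyphens, which the same sentence now says are not allowed; replace it with an example that passes the new rule. `TRE_ID` is a GitHub secret here, so the uppercase name is fine, but the allowed-character rule should be stated identically to the configuration reference page in this change.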

View file

@ -106,7 +106,7 @@ For security, the API is by default configured to not show detailed error messag
You can enable debugging via one of the two ways:
1. Set `DEBUG=true` in `templates/core/.env` file (see [])
1. Set `debug=true` under developer_settings section in your`config.yaml` file (see [])
To enable debugging on an already running instance:
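Review bot: the rewritten line uses env-file syntax for a YAML setting (`debug=true`); under the `developer_settings` section of `config.yaml` it is `debug: true`. There is also a missing space in `your`config.yaml``, and the empty link `(see [])` carried over from the old line should either point somewhere or be removed.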

View file

@ -21,6 +21,6 @@ make prepare-for-e2e
Use the "Run and Debug" panel within Visual Studio Code, select "E2E Extended", "E2E Smoke" or "E2E Performance" in the drop down box and click play.
- This will copy /workspaces/AzureTRE/templates/core/.env to /workspaces/AzureTRE/e2e_tests/.env for you which supplies your authentciation details
- This will copy `config.yaml` settings to `/workspaces/AzureTRE/e2e_tests/.env` for you which supplies your authentciation details
- This will also use /workspaces/AzureTRE/templates/core/private.env file for other values.
- This will also use `/workspaces/AzureTRE/templates/core/private.env` file for other values.
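Review bot: the typo `authentciation` survives in the rewritten bullet; change it to `authentication`. Because the generated `/workspaces/AzureTRE/e2e_tests/.env` now receives the authentication details from `config.yaml`, which per the auth pages in this change include client secrets, it is worth stating that the file is generated and must not be committed.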

View file

@ -49,7 +49,7 @@ Hooks are used throughout the project, and a couple of custom hooks were written
- `useComponentManager`: This hook subscribes to changes broadcast from the Notifications panel, via the context. A component can simply add this hook to start subscribing to changes and react accordingly.
## Deployment
The UI is deployed as part of the `tre-deploy` make target (unless you set `DEPLOY_UI=false` in your `./templates/core/.env` file).
The UI is deployed as part of the `tre-deploy` make target (unless you set `deploy_ui=false` under tre defaults section in your `config.yaml` file).
To re-deploy _just_ the UI (after an initial deploy), run `make build-and-deploy-ui` from the root of the dev container. This will:
- Use the environment variables from your deployment to create a `config.json` file for the UI
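Review bot: `deploy_ui=false` is env-file syntax; in `config.yaml` the setting is `deploy_ui: false`. `under tre defaults section` should read `under the tre defaults section`.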

View file

@ -3,7 +3,7 @@
# These keys should be copied into /workspaces/AzureTRE/e2e_tests/.env for you
# TRE_ID=cse-msr-dev
# AAD_TENANT_ID=<auth tenant id>
# API_CLIENT_ID=<Client id of the API app. This is defined here - /workspaces/AzureTRE/templates/core/.env>
# API_CLIENT_ID=<Client id of the API app. This is defined here - /workspaces/AzureTRE/config.yaml>
# TEST_ACCOUNT_CLIENT_ID=<test user>
# TEST_ACCOUNT_CLIENT_SECRET=<test user password>

View file

@ -56,7 +56,7 @@ async def test_bulk_updates_to_ensure_each_resource_updated_in_series(verify) ->
number_vms = 5
number_updates = 5
# To avoid creating + deleting a workspace + service in this test, set the vars for existing ones in ./templates/core/.env
# To avoid creating + deleting a workspace + service in this test, set the vars for existing ones in ./config_yaml
# PERF_TEST_WORKSPACE_ID | PERF_TEST_WORKSPACE_SERVICE_ID
workspace_id = config.PERF_TEST_WORKSPACE_ID
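Review bot: `./config_yaml` should be `./config.yaml`; the same misspelling appears in the `TRE_ID` check script in this change, so both should be fixed together. The comment should also name the section of `config.yaml` where `PERF_TEST_WORKSPACE_ID` and `PERF_TEST_WORKSPACE_SERVICE_ID` go, since the file is now sectioned.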

View file

@ -1,69 +0,0 @@
# Used for TRE deployment
# After you have replaced the __CHANGE_ME__ values, you need to
# run `make auth` to setup the Auth.
TRE_ID=__CHANGE_ME__
AAD_TENANT_ID=__CHANGE_ME__
# RP_BUNDLE_VALUES provides a way to pass environment values to the resource processor to use as a source of bundle parameter values
# For example, to specify your image_gallery_id for use in VM user resources with custom VM images:
# RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<your-rg>/providers/Microsoft.Compute/galleries/<your-gallery-name>"}'
####################################
# Auth configuration
####################################
# Setting AUTO_WORKSPACE_APP_REGISTRATION to false will create an identity with `Application.ReadWrite.OwnedBy`.
# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All` and `Directory.Read.All`.
# When this is true, create Workspaces will also create an AAD Application automatically.
# When this is false, the AAD Application will need creating manually.
AUTO_WORKSPACE_APP_REGISTRATION=true
# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
AUTO_WORKSPACE_GROUP_CREATION=false
# If your local machine/build agent cannot get the public IP
# address from https://ipecho.net/plain, then you can circumvent
# this by setting this Environment variable. This blockage can
# be caused by trying to deploy TRE in an Office environment where
# this website is blocked. This value is the public facing IP
# address of the deploying machine.
# PUBLIC_DEPLOYMENT_IP_ADDRESS=__CHANGE_ME__
# Uncomment to disable the UI provided as part of this repo
# DEPLOY_UI=false
####################################
# Useful developer settings
####################################
# Locks will not be added to stateful resources so they can be easily removed
# stateful_resources_locked=false
# If you want to use TRE_URL to point to your local TRE API instance,
# uncomment and set this variable
# TRE_URL=__CHANGE_ME__
# This setting will enable your local machine to be able to
# communicate with Service Bus and Cosmos. It will also allow deploying
# the base workspace.
# ENABLE_LOCAL_DEBUGGING=true
# Used by the API and Resource processor application to change log level
# DEBUG=true
####################################
# Default settings
####################################
CORE_ADDRESS_SPACE="10.1.0.0/22"
TRE_ADDRESS_SPACE="10.0.0.0/12"
CORE_APP_SERVICE_PLAN_SKU="P1v2"
RESOURCE_PROCESSOR_VMSS_SKU="Standard_B2s"
ENABLE_AIRLOCK_MALWARE_SCANNING=false
# TODO: move to RP default with https://github.com/microsoft/AzureTRE/pull/2634
WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2"
# The number of processes to start in the resource processor VMSS image
# RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE=5
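Review bot: deleting this sample removes the inline documentation for several settings, most importantly the permission consequences of `AUTO_WORKSPACE_APP_REGISTRATION` (`Application.ReadWrite.All` and `Directory.Read.All` when true, `Application.ReadWrite.OwnedBy` when false) and `AUTO_WORKSPACE_GROUP_CREATION` (`Group.ReadWrite.All`), plus `RP_BUNDLE_VALUES`, `PUBLIC_DEPLOYMENT_IP_ADDRESS`, `ENABLE_LOCAL_DEBUGGING`, `stateful_resources_locked` and the `ENABLE_AIRLOCK_MALWARE_SCANNING=false` default. The replacement `config.sample.yaml` is not in the visible diff, so please confirm these comments and defaults were carried over rather than lost: the first two decide how broad the automation identity's Graph permissions are, and a reader choosing `true` without that comment will not know they are granting tenant-wide application write access. The `# TODO: move to RP default with https://github.com/microsoft/AzureTRE/pull/2634` marker should likewise survive or be resolved.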

View file

@ -1 +1 @@
__version__ = "0.4.45"
__version__ = "0.4.46"

View file

@ -5,7 +5,7 @@ Please see the docs for a full overview and deployment instructions.
The UI was built using Create React App and Microsoft Fluent UI. Further details on this in the ./app/README.
## Run the UI
- Ensure `DEPLOY_UI=false` is not set in your `./templates/core/.env` file
- Ensure `deploy_ui=false` is not set in your `./config.yaml` file
- In the root of the repo, run `make tre-deploy`. This will provision the necessary resources in Azure, build and deploy the UI to Azure blob storage, behind the App Gateway used for the API. The deployment process will also create the necessary `config.json`, using the `config.source.json` as a template.
- In Azure AD, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for:
- `http://localhost:3000` (if wanting to run locally)
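Review bot: `deploy_ui=false` should be `deploy_ui: false`, matching YAML syntax for `./config.yaml`; the same env-style spelling is used in two other doc pages in this change, so fix all three together.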