Expose FIREWALL_SKU as environment variable & support start/stop of SKU Basic Firewall (#3975)

* Expose FIREWALL_SKU as environment variable & support start/stop of SKU Basic Firewall * Fix lint / build validation issues * Fix Lint issue & improve documentation on FIREWALL_SKU as per @marrobi * Fix build validation: update core build version number * #3975 Increment minor version numbers as per @tamirkamara review
2024-06-24 10:20:09 +01:00 · 2024-06-24 10:20:09 +01:00 · 63ee9358b8
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@ -125,6 +125,10 @@ inputs:
    description: "A boolean indicating if the purge protection will be enabled on the core keyvault."
    required: false
    default: "true"
+  FIREWALL_SKU:
+    description: "Firewall SKU"
+    required: false
+    default: ""

 runs:
  using: composite
@ -234,6 +238,7 @@ runs:
            && inputs.RP_BUNDLE_VALUES) || '{}' }}' \
          -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
            && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
+          -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
          -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
          '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
        bash -c "${{ inputs.COMMAND }}"
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@ -357,6 +357,7 @@ jobs:
          CORE_APP_SERVICE_PLAN_SKU: ${{ vars.CORE_APP_SERVICE_PLAN_SKU }}
          RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
          RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
+          FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}

      - name: API Healthcheck
        uses: ./.github/actions/devcontainer_run_command
@ -666,6 +667,7 @@ jobs:
          TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
          TRE_ID: ${{ secrets.TRE_ID }}
          LOCATION: ${{ vars.LOCATION }}
+          FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}

      - name: State Store Migrations
        uses: ./.github/actions/devcontainer_run_command
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -41,6 +41,7 @@ tre:
  # If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
  # uncomment and set this variable
  # tre_url: __CHANGE_ME__
+  firewall_sku: Standard

 authentication:
  aad_tenant_id: __CHANGE_ME__
--- a/config_schema.json
+++ b/config_schema.json
@ -85,6 +85,10 @@
          "description": "Url for the TRE environment.",
          "type": "string",
          "pattern": "^https?://"
+        },
+        "firewall_sku": {
+          "description": "SKU of the Azure Firewall.",
+          "type": "string"
        }
      }
    },
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@ -167,6 +167,7 @@ module "resource_processor_vmss_porter" {
  resource_processor_vmss_sku                      = var.resource_processor_vmss_sku
  arm_environment                                  = var.arm_environment
  logging_level                                    = var.logging_level
+  firewall_sku                                     = var.firewall_sku
  rp_bundle_values                                 = var.rp_bundle_values

  depends_on = [
--- a/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
+++ b/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
@ -57,6 +57,7 @@ write_files:
      AZURE_ENVIRONMENT=${azure_environment}
      AAD_AUTHORITY_URL=${aad_authority_url}
      MICROSOFT_GRAPH_FQDN=${microsoft_graph_fqdn}
+      FIREWALL_SKU=${firewall_sku}
      OTEL_RESOURCE_ATTRIBUTES=service.name=resource_processor,service.version=${resource_processor_vmss_porter_image_tag}
      OTEL_EXPERIMENTAL_RESOURCE_DETECTORS=azure_vm
      LOGGING_LEVEL=${logging_level}
--- a/core/terraform/resource_processor/vmss_porter/data.tf
+++ b/core/terraform/resource_processor/vmss_porter/data.tf
@ -29,6 +29,7 @@ data "template_file" "cloudconfig" {
    azure_environment                                = local.azure_environment
    aad_authority_url                                = module.terraform_azurerm_environment_configuration.active_directory_endpoint
    microsoft_graph_fqdn                             = regex("(?:(?P<scheme>[^:/?#]+):)?(?://(?P<fqdn>[^/?#:]*))?", module.terraform_azurerm_environment_configuration.microsoft_graph_endpoint).fqdn
+    firewall_sku                                     = var.firewall_sku
    logging_level                                    = var.logging_level
    rp_bundle_values                                 = local.rp_bundle_values_formatted
  }
--- a/core/terraform/resource_processor/vmss_porter/variables.tf
+++ b/core/terraform/resource_processor/vmss_porter/variables.tf
@ -69,6 +69,9 @@ variable "subscription_id" {
 variable "logging_level" {
  type = string
 }
+variable "firewall_sku" {
+  type = string
+}
 variable "rp_bundle_values" {
  type = map(string)
 }
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@ -174,6 +174,12 @@ variable "enable_airlock_malware_scanning" {
  description = "If False, Airlock requests will skip the malware scanning stage"
 }

+variable "firewall_sku" {
+  description = "Azure Firewall SKU"
+  type        = string
+  default     = ""
+}
+
 variable "rp_bundle_values" {
  description = "Additional environment values to set on the resource processor that can be supplied to template bundles"
  type        = map(string)
--- a/core/version.txt
+++ b/core/version.txt
@ -1 +1 @@
-__version__ = "0.9.11"
+__version__ = "0.10.0"
--- a/devops/scripts/control_tre.sh
+++ b/devops/scripts/control_tre.sh
@ -12,6 +12,8 @@ fi
 core_rg_name="rg-${TRE_ID}"
 fw_name="fw-${TRE_ID}"
 agw_name="agw-$TRE_ID"
+fw_pip_name="pip-${fw_name}"
+vnet_name="vnet-${TRE_ID}"

 # if the resource group doesn't exist, no need to continue this script.
 # most likely this is an automated execution before calling make tre-deploy.
@ -27,8 +29,14 @@ if [[ "$1" == *"start"* ]]; then
  if [[ $(az network firewall list --output json --query "[?resourceGroup=='${core_rg_name}'&&name=='${fw_name}'] | length(@)") != 0 ]]; then
    CURRENT_PUBLIC_IP=$(az network firewall ip-config list -f "${fw_name}" -g "${core_rg_name}" --query "[0].publicIpAddress" -o tsv)
    if [ -z "$CURRENT_PUBLIC_IP" ]; then
-      echo "Starting Firewall - creating ip-config"
-      az network firewall ip-config create -f "${fw_name}" -g "${core_rg_name}" -n "fw-ip-configuration" --public-ip-address "pip-${fw_name}" --vnet-name "vnet-$TRE_ID" > /dev/null &
+      FW_SKU_TIER=$(az network firewall show --n "${fw_name}" -g "${core_rg_name}" --query "sku.tier" -o tsv)
+      if [ "$FW_SKU_TIER" == "Basic" ]; then
+        echo "Starting Firewall (Basic SKU) - creating ip-config and management-ip-config"
+        az network firewall ip-config create -f "${fw_name}" -g "${core_rg_name}" -n "fw-ip-configuration" --public-ip-address "${fw_pip_name}" --vnet-name "${vnet_name}" --m-name "fw-management-ip-configuration" --m-public-ip-address "pip-fw-management-$TRE_ID" --m-vnet-name "${vnet_name}"> /dev/null &
+      else
+        echo "Starting Firewall - creating ip-config"
+        az network firewall ip-config create -f "${fw_name}" -g "${core_rg_name}" -n "fw-ip-configuration" --public-ip-address "${fw_pip_name}" --vnet-name "${vnet_name}" > /dev/null &
+      fi
    else
      echo "Firewall ip-config already exists"
    fi
@ -66,14 +74,13 @@ if [[ "$1" == *"start"* ]]; then

 elif [[ "$1" == *"stop"* ]]; then
  if [[ $(az network firewall list --output json --query "[?resourceGroup=='${core_rg_name}'&&name=='${fw_name}'] | length(@)") != 0 ]]; then
-    fw_sku=$(az network firewall show -n "${fw_name}" -g "${core_rg_name}" --query "sku.tier" -o tsv)
    IPCONFIG_NAME=$(az network firewall ip-config list -f "${fw_name}" -g "${core_rg_name}" --query "[0].name" -o tsv)

-    if [ -n "$IPCONFIG_NAME" ] && [ "${fw_sku}" != "Basic" ]; then
-      echo "Deleting Firewall ip-config: $IPCONFIG_NAME"
-      az network firewall ip-config delete -f "${fw_name}" -n "$IPCONFIG_NAME" -g "${core_rg_name}" &
+    if [ -n "$IPCONFIG_NAME" ]; then
+      echo "Deleting Firewall ip-config"
+      az network firewall update --name "${fw_name}" --resource-group "${core_rg_name}" --remove ipConfigurations --remove managementIpConfiguration &
    else
-      echo "No Firewall ip-config found or SKU (${fw_sku}) doesn't allow deallocation"
+      echo "No Firewall ip-config found"
    fi
  fi

--- a/docs/tre-admins/environment-variables.md
+++ b/docs/tre-admins/environment-variables.md
@ -39,6 +39,8 @@
 | `CORE_APP_SERVICE_PLAN_SKU` | The SKU of AppService plans created for the core infrastructure. |
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
+| `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+

 ## For authentication in `/config.yaml`

--- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
+++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
@ -83,6 +83,7 @@ Configure the following **variables** in your github environment:
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
+| `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |


 ### Configure Authentication Secrets
--- a/docs/tre-admins/setup-instructions/workflows.md
+++ b/docs/tre-admins/setup-instructions/workflows.md
@ -144,6 +144,7 @@ Configure variables used in the deployment workflow:
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
+| `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |


 ### Deploy the TRE using the workflow
--- a/docs/tre-admins/start-stop.md
+++ b/docs/tre-admins/start-stop.md
@ -161,7 +161,9 @@ foreach ($Group in $ResourceGroups) {
        # Find the firewall's public IP and virtual network
        $pip = Get-AzPublicIpAddress -ResourceGroupName $Group.ResourceGroupName -Name "pip-fw-$azureTreId"
        $vnet = Get-AzVirtualNetwork -ResourceGroupName $Group.ResourceGroupName -Name "vnet-$azureTreId"
-        $Firewall.Allocate($vnet, $pip)
+        # Find the firewall's public management IP - note this will only be present for a firewall with a Basic SKU
+        $mgmtPip = Get-AzPublicIpAddress -ResourceGroupName "rg-$azureTreId" -Name "pip-fw-management-$azureTreId" -ErrorAction SilentlyContinue
+        $Firewall.Allocate($vnet, $pip, $mgmtPip)
        Write-Output "Allocating Firewall '$($Firewall.Name)' with public IP '$($pip.Name)'"
        Set-AzFirewall -AzureFirewall $Firewall
    }
--- a/resource_processor/_version.py
+++ b/resource_processor/_version.py
@ -1 +1 @@
-__version__ = "0.8.6"
+__version__ = "0.9.0"
--- a/resource_processor/shared/config.py
+++ b/resource_processor/shared/config.py
@ -24,6 +24,7 @@ def get_config() -> dict:
        config["azure_environment"] = os.environ.get("AZURE_ENVIRONMENT", "AzureCloud")
        config["aad_authority_url"] = os.environ.get("AAD_AUTHORITY_URL", "https://login.microsoftonline.com")
        config["microsoft_graph_fqdn"] = os.environ.get("MICROSOFT_GRAPH_FQDN", "graph.microsoft.com")
+        config["firewall_sku"] = os.environ.get("FIREWALL_SKU", "")

        try:
            config["number_processes_int"] = int(config["number_processes"])
--- a/templates/shared_services/firewall/parameters.json
+++ b/templates/shared_services/firewall/parameters.json
@ -47,9 +47,9 @@
      }
    },
    {
-      "name": "sku_tier",
+      "name": "firewall_sku",
      "source": {
-        "env": "SKU_TIER"
+        "env": "FIREWALL_SKU"
      }
    },
    {
--- a/templates/shared_services/firewall/porter.yaml
+++ b/templates/shared_services/firewall/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.1.7
+version: 1.2.0
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -45,7 +45,7 @@ parameters:
    type: string
    default: "W10=" # b64 for []
    description: "Network rule collection array"
-  - name: sku_tier
+  - name: firewall_sku
    type: string
    default: Standard
    description: The firewall and its policy SKU tier
@ -67,7 +67,7 @@ install:
        tre_resource_id: ${ bundle.parameters.id }
        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
-        sku_tier: ${ bundle.parameters.sku_tier }
+        firewall_sku: ${ bundle.parameters.firewall_sku }
        microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
      backendConfig:
        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
@ -83,7 +83,7 @@ upgrade:
        tre_resource_id: ${ bundle.parameters.id }
        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
-        sku_tier: ${ bundle.parameters.sku_tier }
+        firewall_sku: ${ bundle.parameters.firewall_sku }
        microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
      backendConfig:
        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
@ -99,7 +99,7 @@ uninstall:
        tre_resource_id: ${ bundle.parameters.id }
        api_driven_rule_collections_b64: ${ bundle.parameters.rule_collections }
        api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
-        sku_tier: ${ bundle.parameters.sku_tier }
+        firewall_sku: ${ bundle.parameters.firewall_sku }
        microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
      backendConfig:
        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
--- a/templates/shared_services/firewall/terraform/firewall.tf
+++ b/templates/shared_services/firewall/terraform/firewall.tf
@ -15,7 +15,7 @@ moved {
 }

 resource "azurerm_public_ip" "fwmanagement" {
-  count               = var.sku_tier == "Basic" ? 1 : 0
+  count               = local.effective_firewall_sku == "Basic" ? 1 : 0
  name                = "pip-fw-management-${var.tre_id}"
  resource_group_name = local.core_resource_group_name
  location            = data.azurerm_resource_group.rg.location
@ -31,7 +31,7 @@ resource "azurerm_firewall" "fw" {
  name                = local.firewall_name
  resource_group_name = local.core_resource_group_name
  location            = data.azurerm_resource_group.rg.location
-  sku_tier            = var.sku_tier
+  sku_tier            = local.effective_firewall_sku
  sku_name            = "AZFW_VNet"
  firewall_policy_id  = azurerm_firewall_policy.root.id
  tags                = local.tre_shared_service_tags
@ -42,7 +42,7 @@ resource "azurerm_firewall" "fw" {
  }

  dynamic "management_ip_configuration" {
-    for_each = var.sku_tier == "Basic" ? [1] : []
+    for_each = local.effective_firewall_sku == "Basic" ? [1] : []
    content {
      name                 = "mgmtconfig"
      subnet_id            = data.azurerm_subnet.firewall_management.id
@ -80,7 +80,7 @@ resource "azurerm_firewall_policy" "root" {
  name                = local.firewall_policy_name
  resource_group_name = local.core_resource_group_name
  location            = data.azurerm_resource_group.rg.location
-  sku                 = var.sku_tier
+  sku                 = local.effective_firewall_sku
  tags                = local.tre_shared_service_tags

  lifecycle { ignore_changes = [tags] }
--- a/templates/shared_services/firewall/terraform/locals.tf
+++ b/templates/shared_services/firewall/terraform/locals.tf
@ -15,4 +15,7 @@ locals {
  api_driven_network_rule_collection     = jsondecode(base64decode(var.api_driven_network_rule_collections_b64))

  firewall_policy_name = "fw-policy-${var.tre_id}"
+
+  default_firewall_sku   = "Standard"
+  effective_firewall_sku = coalesce(var.firewall_sku, local.default_firewall_sku)
 }
--- a/templates/shared_services/firewall/terraform/variables.tf
+++ b/templates/shared_services/firewall/terraform/variables.tf
@ -23,7 +23,7 @@ variable "api_driven_network_rule_collections_b64" {
  default = "W10=" #b64 for []
 }

-variable "sku_tier" {
+variable "firewall_sku" {
  type    = string
-  default = "Standard"
+  default = ""
 }