Azure CLI should login to the right cloud (#3336)

* add env var AZ_CLOUD_ENVIRONMENT to control the az cli environment with default value of AzureCloud * set Azure CLI cloud environment in the resource processor/vmss * set azure cloud environment in templates * set azure cloud in 'az login' of resource processor * remove az_cloud_environment from config.yaml - instead infer it from arm_environment * update template versions * update version * remove 'az cloud set' call and export AZ_CLOUD_ENVIRONMENT * bump patch version instead of minor version * add AZ_CLOUD_ENVIRONMENT to parameters.json * update version * update core version
2023-03-13 16:42:19 +02:00 · 2023-03-13 16:42:19 +02:00 · f0290b9f3c
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -3,7 +3,6 @@
 # run `make auth` to setup the Auth.
 tre_id: __CHANGE_ME__
 location: __CHANGE_ME__
-# Sets the Azure environment to be used. Possible values: public, usgovernment, china, german, stack
 # arm_environment: public
 management:
  mgmt_resource_group_name: __CHANGE_ME__
--- a/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
+++ b/core/terraform/resource_processor/vmss_porter/cloud-config.yaml
@ -52,6 +52,7 @@ write_files:
      KEY_VAULT_NAME=${key_vault_name}
      KEY_VAULT_URL=${key_vault_url}
      ARM_ENVIRONMENT=${arm_environment}
+      AZ_CLOUD_ENVIRONMENT=${az_cloud_environment}
      ${rp_bundle_values}
  - path: /etc/cron.hourly/docker-prune
    # An hourly cron job to have docker free disk space. Running this frquently
@ -75,6 +76,7 @@ runcmd:
  - printf '\nalias rpstatus='\''tmux new-session -d "watch docker ps"; tmux split-window -p 100 -v "docker logs --since 1m --follow resource_processor1"; tmux split-window -v -p 90; tmux -2 attach-session -d'\''\n' >> /etc/bash.bashrc

  - export DEBIAN_FRONTEND=noninteractive
+  - az cloud set --name ${az_cloud_environment}
  - az login --identity -u ${vmss_msi_id}
  - az acr login --name ${docker_registry_server}
  - docker run -d -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock
--- a/core/terraform/resource_processor/vmss_porter/data.tf
+++ b/core/terraform/resource_processor/vmss_porter/data.tf
@ -26,6 +26,7 @@ data "template_file" "cloudconfig" {
    key_vault_name                                   = var.key_vault_name
    key_vault_url                                    = var.key_vault_url
    arm_environment                                  = var.arm_environment
+    az_cloud_environment                             = local.az_cloud_environment
    rp_bundle_values                                 = local.rp_bundle_values_formatted
  }
 }
--- a/core/terraform/resource_processor/vmss_porter/locals.tf
+++ b/core/terraform/resource_processor/vmss_porter/locals.tf
@ -6,4 +6,9 @@ locals {
  }

  rp_bundle_values_formatted = join("\n", [for key in keys(var.rp_bundle_values) : "RP_BUNDLE_${key}=${var.rp_bundle_values[key]}"])
+
+  az_cloud_environment = lookup({
+    "public"       = "AzureCloud"
+    "usgovernment" = "AzureUSGovernment"
+  }, var.arm_environment, "AzureCloud")
 }
--- a/core/version.txt
+++ b/core/version.txt
@ -1 +1 @@
-__version__ = "0.7.13"
+__version__ = "0.7.14"
--- a/devops/scripts/load_and_validate_env.sh
+++ b/devops/scripts/load_and_validate_env.sh
@ -65,8 +65,14 @@ else
    # Export as Terraform keys env vars
    # shellcheck disable=SC2046
    export $(yq e "$GET_LEAF_KEYS|$TF_KEYS| $FORMAT_FOR_ENV_EXPORT" config.yaml)
+
    TRE_URL=${TRE_URL:-https://${TRE_ID}.${LOCATION}.cloudapp.azure.com}
    export TRE_URL
+
+    # Set AZ_CLOUD_ENVIRONMENT based on the ARM_ENVIRONMENT env var
+    declare -A azure_environments=( ["public"]="AzureCloud" ["usgovernment"]="AzureUSGovernment")
+    export AZ_CLOUD_ENVIRONMENT="${azure_environments[${ARM_ENVIRONMENT}]}"
+
 fi

 set +o nounset
--- a/resource_processor/_version.py
+++ b/resource_processor/_version.py
@ -1 +1 @@
-__version__ = "0.5.8"
+__version__ = "0.5.9"
--- a/resource_processor/resources/commands.py
+++ b/resource_processor/resources/commands.py
@ -6,18 +6,20 @@ from shared.cloud import get_aad_authority_url, get_microsoft_graph_fqdn

 from resources.helpers import get_installation_id
 from shared.logging import shell_output_logger
-from shared.cloud import get_acr_domain_suffix
+from shared.cloud import get_acr_domain_suffix, get_cloud


 def azure_login_command(config):
+    set_cloud_command = f"az cloud set --name {get_cloud().name}"
+
    if config["vmss_msi_id"]:
        # Use the Managed Identity when in VMSS context
-        command = f"az login --identity -u {config['vmss_msi_id']}"
+        login_command = f"az login --identity -u {config['vmss_msi_id']}"
    else:
        # Use a Service Principal when running locally
-        command = f"az login --service-principal --username {config['arm_client_id']} --password {config['arm_client_secret']} --tenant {config['arm_tenant_id']}"
+        login_command = f"az login --service-principal --username {config['arm_client_id']} --password {config['arm_client_secret']} --tenant {config['arm_tenant_id']}"

-    return command
+    return f"{set_cloud_command} && {login_command}"


 def azure_acr_login_command(config):
@ -116,6 +118,8 @@ def get_special_porter_param_value(config, parameter_name: str, msg_body):
        return _get_acr_name(acr_fqdn=config['registry_server'])
    if parameter_name == "mgmt_resource_group_name":
        return config["tfstate_resource_group_name"]
+    if parameter_name == "az_cloud_environment":
+        return get_cloud().name
    if parameter_name == "workspace_id":
        return msg_body.get("workspaceId")  # not included in all messages
    if parameter_name == "parent_service_id":
--- a/resource_processor/run.sh
+++ b/resource_processor/run.sh
@ -33,6 +33,7 @@ EOF

 # TODO: Remove porter v0 https://github.com/microsoft/AzureTRE/issues/2990
 echo "Azure cli login..."
+az cloud set --name "${AZ_CLOUD_ENVIRONMENT}"
 az login --identity -u "${VMSS_MSI_ID}"

 echo "Checking if porter v0 state exists..."
--- a/templates/shared_services/airlock_notifier/parameters.json
+++ b/templates/shared_services/airlock_notifier/parameters.json
@ -63,6 +63,12 @@
      "source": {
        "env": "SMTP_FROM_EMAIL"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/shared_services/airlock_notifier/porter.yaml
+++ b/templates/shared_services/airlock_notifier/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-airlock-notifier
-version: 0.4.0
+version: 0.4.1
 description: "A shared service notifying on Airlock Operations"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -27,6 +27,10 @@ parameters:
  - name: id
    type: string
    description: "Resource ID"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: tfstate_resource_group_name
    type: string
    description: "Resource group containing the Terraform state storage account"
@ -82,6 +86,14 @@ install:
        - name: airlock_notifier_logic_app_name
        - name: airlock_notifier_logic_app_resource_group_name

+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
+
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/shared_services/certs/parameters.json
+++ b/templates/shared_services/certs/parameters.json
@ -45,6 +45,12 @@
      "source": {
        "env": "ID"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/shared_services/certs/porter.yaml
+++ b/templates/shared_services/certs/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.4.0
+version: 0.4.1
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -20,6 +20,10 @@ parameters:
  - name: tre_id
    type: string
    description: "The ID of the parent TRE instance e.g., mytre-dev-3142"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: tfstate_resource_group_name
    type: string
    description: "Resource group containing the Terraform state storage account"
@ -70,6 +74,13 @@ install:
        - name: storage_account_name
        - name: resource_group_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -137,6 +148,13 @@ renew:
        - name: storage_account_name
        - name: resource_group_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/shared_services/cyclecloud/parameters.json
+++ b/templates/shared_services/cyclecloud/parameters.json
@ -33,6 +33,12 @@
      "source": {
        "env": "ID"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/shared_services/cyclecloud/porter.yaml
+++ b/templates/shared_services/cyclecloud/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 0.4.0
+version: 0.4.1
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -23,6 +23,10 @@ parameters:
    type: string
    description: "An Id for this installation"
    env: id
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: tfstate_resource_group_name
    type: string
    description: "Resource group containing the Terraform state storage account"
@ -117,6 +121,13 @@ start:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -144,6 +155,13 @@ stop:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json
@ -63,6 +63,12 @@
      "source": {
        "env": "airlock_request_sas_url"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-export-reviewvm
-version: 0.1.2
+version: 0.1.3
 description: "An Azure TRE User Resource Template for reviewing Airlock export requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -41,6 +41,10 @@ parameters:
  - name: id
    type: string
    description: "An Id for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
    env: id
  - name: tfstate_resource_group_name
    type: string
@ -178,6 +182,13 @@ start:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -205,6 +216,13 @@ stop:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -235,6 +253,13 @@ reset_password:
        - name: vm_username
        - name: vm_password_secret_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json
@ -69,6 +69,12 @@
      "source": {
        "env": "airlock_request_sas_url"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-import-reviewvm
-version: 0.2.2
+version: 0.2.3
 description: "An Azure TRE User Resource Template for reviewing Airlock import requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -50,6 +50,10 @@ parameters:
  - name: id
    type: string
    description: "An Id for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
    env: id
  - name: tfstate_resource_group_name
    type: string
@ -190,6 +194,13 @@ start:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -217,6 +228,13 @@ stop:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -247,6 +265,13 @@ reset_password:
        - name: vm_username
        - name: vm_password_secret_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json
@ -75,6 +75,12 @@
      "source": {
        "env": "IMAGE_GALLERY_ID"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 0.6.2
+version: 0.6.3
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -52,6 +52,10 @@ parameters:
    type: string
  - name: tre_id
    type: string
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: parent_service_id
    type: string
    description: "Resource group containing the shared ACR"
@ -210,6 +214,13 @@ start:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -237,6 +248,13 @@ stop:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -267,6 +285,13 @@ reset_password:
        - name: vm_username
        - name: vm_password_secret_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json
@ -75,6 +75,12 @@
      "source": {
        "env": "IMAGE_GALLERY_ID"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-windowsvm
-version: 0.7.2
+version: 0.7.3
 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -66,6 +66,10 @@ parameters:
  - name: id
    type: string
    description: "An Id for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
    env: id
  - name: tfstate_resource_group_name
    type: string
@ -211,6 +215,13 @@ start:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -238,6 +249,13 @@ stop:
        key: ${ bundle.parameters.id }
      outputs:
        - name: azure_resource_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
@ -268,6 +286,13 @@ reset_password:
        - name: vm_username
        - name: vm_password_secret_name
        - name: keyvault_name
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "Login to Azure"
      arguments:
--- a/templates/workspace_services/innereye/parameters.json
+++ b/templates/workspace_services/innereye/parameters.json
@ -57,6 +57,12 @@
      "source": {
        "env": "MGMT_STORAGE_ACCOUNT_NAME"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspace_services/innereye/porter.yaml
+++ b/templates/workspace_services/innereye/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-innereye
-version: 0.5.0
+version: 0.5.1
 description: "An Azure TRE service for InnerEye Deep Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@ -24,6 +24,10 @@ parameters:
  - name: id
    type: string
    description: "An Id for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: inference_sp_client_id
    type: string
  - name: inference_sp_client_secret
@ -58,6 +62,13 @@ mixins:
      clientVersion: 1.3.6

 install:
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "az login"
      arguments:
--- a/templates/workspaces/airlock-import-review/parameters.json
+++ b/templates/workspaces/airlock-import-review/parameters.json
@ -123,6 +123,12 @@
      "source": {
        "env": "WORKSPACE_APP_SERVICE_PLAN_SKU"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspaces/airlock-import-review/porter.yaml
+++ b/templates/workspaces/airlock-import-review/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-airlock-import-review
-version: 0.9.0
+version: 0.9.1
 description: "A workspace to do Airlock Data Import Reviews for Azure TRE"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -34,6 +34,10 @@ parameters:
  - name: azure_location
    type: string
    description: "Azure location (region) to deploy to"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: address_spaces
    type: string
    description: "VNet address space for the workspace services"
@ -221,6 +225,13 @@ upgrade:
        - name: client_id
        - name: scope_id
        - name: sp_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "AAD Application Admin Login"
      arguments:
--- a/templates/workspaces/base/parameters.json
+++ b/templates/workspaces/base/parameters.json
@ -135,6 +135,12 @@
      "source": {
        "env": "ENABLE_AIRLOCK"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.1.0
+version: 1.1.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -31,6 +31,10 @@ parameters:
  - name: id
    type: string
    description: "the resource ID for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: azure_location
    type: string
    description: "Azure location (region) to deploy to"
@ -229,6 +233,13 @@ upgrade:
        - name: client_id
        - name: scope_id
        - name: sp_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "AAD Application Admin Login"
      arguments:
--- a/templates/workspaces/unrestricted/parameters.json
+++ b/templates/workspaces/unrestricted/parameters.json
@ -135,6 +135,12 @@
      "source": {
        "env": "ENABLE_AIRLOCK"
      }
+    },
+    {
+      "name": "az_cloud_environment",
+      "source": {
+        "env": "AZ_CLOUD_ENVIRONMENT"
+      }
    }
  ]
 }
--- a/templates/workspaces/unrestricted/porter.yaml
+++ b/templates/workspaces/unrestricted/porter.yaml
@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-unrestricted
-version: 0.8.1
+version: 0.8.2
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@ -31,6 +31,10 @@ parameters:
  - name: id
    type: string
    description: "the resource ID for this installation"
+  - name: az_cloud_environment
+    type: string
+    default: "AzureCloud"
+    description: "Used by Azure CLI to set the Azure environment"
  - name: azure_location
    type: string
    description: "Azure location (region) to deploy to"
@ -229,6 +233,13 @@ upgrade:
        - name: client_id
        - name: scope_id
        - name: sp_id
+  - az:
+      description: "Set Azure Cloud Environment"
+      arguments:
+        - cloud
+        - set
+      flags:
+        name: ${ bundle.parameters.az_cloud_environment }
  - az:
      description: "AAD Application Admin Login"
      arguments: