From 0df13fd7da937eaa8c6f8a6735ea0081c5e2da0f Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 14:09:05 +0100 Subject: [PATCH] Add initial workspace creator as workspace enterprise app owner (#2627) --- CHANGELOG.md | 1 + devops/scripts/create_aad_assets.sh | 2 +- docs/tre-admins/auth.md | 4 ++-- docs/tre-admins/identities/application_admin.md | 4 ++-- templates/core/.env.sample | 4 ++-- templates/core/version.txt | 2 +- templates/workspaces/base/porter.yaml | 2 +- templates/workspaces/base/terraform/aad/aad.tf | 2 +- 8 files changed, 11 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 828842da06..caaf8dd129 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Firewall now blocks terraform/hasicorp domains ([#2590](https://github.com/microsoft/AzureTRE/pull/2590)). **Migration** is manual - update the templateVersion of `tre-shared-service-firewall` resource in Cosmos to `0.5.0`. Check the PR for more details. * Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654)) * Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655)) +* Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`. FEATURES: diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index a5dafe9e9b..a34f4fd875 100755 --- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh 
@@ -26,7 +26,7 @@ fi APPLICATION_PERMISSION="Application.ReadWrite.OwnedBy" if [ "${AUTO_WORKSPACE_APP_REGISTRATION:-}" == true ]; then - APPLICATION_PERMISSION="Application.ReadWrite.All" + APPLICATION_PERMISSION="Application.ReadWrite.All,Directory.Read.All" fi if [ "${AUTO_WORKSPACE_GROUP_CREATION:-}" == true ]; then diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index e32131933b..e05af4cd62 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable |TRE_ID|This is used to build up the name of the identities| |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.| | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Directory.Read.All` and `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. 
This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). ## Create Authentication assets You can build all of the Identity assets by running the following at the command line diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index 07bb469f14..85991a93a1 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -10,8 +10,8 @@ This application does not have any roles defined. | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | If the AAD Administrator has delegated AAD administrative operations to the TRE, then this user should be granted `Application.ReadWrite.All`. This will allow the user to create workspace applications and administer any applications in the tenant. There will be no need for the Tenant Admin to oversee the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is requried if Azure AD groups are to be created automatically by the TRE. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. 
| '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. diff --git a/templates/core/.env.sample b/templates/core/.env.sample index 87f385f1d7..e602adbc22 100644 --- a/templates/core/.env.sample +++ b/templates/core/.env.sample @@ -9,12 +9,12 @@ AAD_TENANT_ID=__CHANGE_ME__ # Auth configuration #################################### # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will create an identity with `Application.ReadWrite.OwnedBy`. -# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All`. +# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All` and `Directory.Read.All`. # When this is true, create Workspaces will also create an AAD Application automatically. # When this is false, the AAD Application will need creating manually. AUTO_WORKSPACE_APP_REGISTRATION=true -# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Directory.Read.All` and `Group.ReadWrite.All` +# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All` AUTO_WORKSPACE_GROUP_CREATION=false # If your local machine/build agent cannot get the public IP diff --git a/templates/core/version.txt b/templates/core/version.txt index 6449cea9c6..4fef01e0d4 100644 --- a/templates/core/version.txt +++ b/templates/core/version.txt @@ -1 +1 @@ -__version__ = "0.4.27" +__version__ = "0.4.28" diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index 19939a80d9..224188cd37 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml 
@@ -1,6 +1,6 @@ --- name: tre-workspace-base -version: 0.3.31 +version: 0.3.32 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/aad/aad.tf b/templates/workspaces/base/terraform/aad/aad.tf index c18ed4b5b3..ca6c26b8af 100644 --- a/templates/workspaces/base/terraform/aad/aad.tf +++ b/templates/workspaces/base/terraform/aad/aad.tf @@ -94,7 +94,7 @@ resource "azuread_application" "workspace" { resource "azuread_service_principal" "workspace" { application_id = azuread_application.workspace.application_id app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] + owners = [data.azuread_client_config.current.object_id, var.workspace_owner_object_id] feature_tags { enterprise = true
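Review bot: the CHANGELOG entry in the first hunk has a duplicated word ("MS Graph API permission permission needs granting"); drop one "permission". The migration note also only tells operators to grant `Directory.Read.All` when `AUTO_WORKSPACE_APP_REGISTRATION` is set, but does not say what the permission is now used for (adding the workspace creator as owner, per the subject line), which would help a tenant admin justify the consent.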
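Review bot: the `create_aad_assets.sh` hunk changes only the `AUTO_WORKSPACE_APP_REGISTRATION` branch (the file stat shows a single changed line), yet `auth.md` and `.env.sample` now state that `AUTO_WORKSPACE_GROUP_CREATION` grants only `Group.ReadWrite.All` instead of `Directory.Read.All` and `Group.ReadWrite.All`. Either the untouched group-creation branch still appends `Directory.Read.All` (and the new docs understate the granted permissions) or, when `AUTO_WORKSPACE_GROUP_CREATION=true` with `AUTO_WORKSPACE_APP_REGISTRATION=false`, the identity no longer receives the `Directory.Read.All` that the previous `application_admin.md` text said group creation requires. Confirm which is the case and align the script and the three documentation files.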
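Review bot: the added `AUTO_WORKSPACE_GROUP_CREATION` row in `auth.md` carries over the typo "applciation role" (should be "application role"); since the line is being rewritten anyway, fix it here.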
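Review bot: the rewritten `Directory.Read.All` row in `application_admin.md` says only that it is "needed if the AAD Administrator has delegated AAD administrative operations to the TRE", which is the same justification now given for `Application.ReadWrite.All` and does not tell the reader which operation reads the directory. State the concrete need (resolving the workspace creator so they can be added as owner of the workspace service principal) and whether the permission is still required when only `AUTO_WORKSPACE_GROUP_CREATION` is enabled. The unchanged `Group.ReadWrite.All` row in the same table still reads "requried".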
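Review bot: the `aad.tf` hunk references `var.workspace_owner_object_id`, but no file in this patch declares that variable for the `aad` module or passes it from the workspace parameters (`porter.yaml` only gets a version bump). If it is not already declared elsewhere, `terraform validate` will fail on an undeclared input. Separately, the new `owners` list assumes the value is always a valid object id; if a workspace is created by a service principal or with an empty value, the list would contain an empty element and the azuread provider will reject it, so consider `owners = compact([...])` or a `validation` block on the variable. Note for the docs that being an owner of the enterprise application lets the creator manage that service principal, which is a broader right than using the workspace.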