Assign FHIR and DICOM roles automatically (#3104)

* Assign fhir and dicom roles automatically * Add external provider * CR changes
microsoft · Jan 22, 2023 · 3540489 · 3540489
1 parent 16f130b
commit 3540489
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -68,7 +68,7 @@ COMPONENTS:
 | tre-service-guacamole-import-reviewvm | 0.2.0 |
 | tre-service-guacamole-linuxvm | 0.6.1 |
 | tre-service-guacamole-windowsvm | 0.6.0 |
-| tre-workspace-service-health | 4.1.9 |
+| tre-workspace-service-health | 0.1.0 |
 | tre-service-innereye | 0.5.0 |
 | tre-service-mlflow | 0.6.0 |
 | tre-workspace-service-mysql | 0.3.1 |

diff --git a/templates/workspace_services/health-services/Dockerfile.tmpl b/templates/workspace_services/health-services/Dockerfile.tmpl
@@ -2,7 +2,11 @@
 FROM debian:bullseye-slim
 
 # PORTER_INIT
-
+# Install jq
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update \
+    && apt-get install --no-install-recommends -y jq
+
 # PORTER_MIXINS
 
 # Use the BUNDLE_DIR build argument to copy files into the bundle

diff --git a/templates/workspace_services/health-services/porter.yaml b/templates/workspace_services/health-services/porter.yaml
@@ -1,12 +1,20 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-health
-version: 0.1.0
+version: 0.1.1
 description: "An Azure Data Health Services workspace service"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
 
 credentials:
+  # Credentials for interacting with the AAD Auth tenant
+  - name: auth_client_id
+    env: AUTH_CLIENT_ID
+  - name: auth_client_secret
+    env: AUTH_CLIENT_SECRET
+  - name: auth_tenant_id
+    env: AUTH_TENANT_ID
+  # Credentials for interacting with Azure
   - name: azure_tenant_id
     env: ARM_TENANT_ID
   - name: azure_subscription_id
@@ -68,9 +76,10 @@ outputs:
       - upgrade
 
 mixins:
-  - exec
   - terraform:
       clientVersion: 1.3.6
+  - az:
+      clientVersion: 2.37.0
 
 install:
   - terraform:
@@ -82,6 +91,9 @@ install:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -102,6 +114,9 @@ upgrade:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -122,6 +137,9 @@ uninstall:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }

diff --git a/templates/workspace_services/health-services/terraform/get_app_role_members.sh b/templates/workspace_services/health-services/terraform/get_app_role_members.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -euo pipefail
+
+eval "$(jq -r '@sh "AUTH_CLIENT_ID=\(.auth_client_id) AUTH_CLIENT_SECRET=\(.auth_client_secret) AUTH_TENANT_ID=\(.auth_tenant_id) WORSKPACE_CLIENT_ID=\(.workspace_client_id)"')"
+
+az login --allow-no-subscriptions --service-principal --username "$AUTH_CLIENT_ID" --password "$AUTH_CLIENT_SECRET" --tenant "$AUTH_TENANT_ID" > /dev/null
+
+# get the service principal object id
+sp=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json)
+spId=$(echo "$sp" | jq -r '.value[0].id')
+
+# filter to the Workspace Researcher Role
+workspaceResearcherRoleId=$(echo "$sp" | jq -r '.value[0].appRoles[] | select(.value == "WorkspaceResearcher") | .id')
+principals=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId')
+
+jq -n --arg principals "$principals" '{"principals":$principals}'
diff --git a/templates/workspace_services/health-services/terraform/providers.tf b/templates/workspace_services/health-services/terraform/providers.tf
@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "3.37.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "=2.2.3"
+    }
   }
 
   backend "azurerm" {}

diff --git a/templates/workspace_services/health-services/terraform/roles.tf b/templates/workspace_services/health-services/terraform/roles.tf
@@ -0,0 +1,38 @@
+
+data "azurerm_key_vault_secret" "workspace_client_id" {
+  name         = "workspace-client-id"
+  key_vault_id = data.azurerm_key_vault.ws.id
+}
+
+data "external" "app_role_members" {
+  program = ["bash", "${path.module}/get_app_role_members.sh"]
+
+  query = {
+    auth_client_id      = var.auth_client_id
+    auth_client_secret  = var.auth_client_secret
+    auth_tenant_id      = var.auth_tenant_id
+    workspace_client_id = data.azurerm_key_vault_secret.workspace_client_id.value
+  }
+}
+
+data "azurerm_role_definition" "azure_fhir_contributor" {
+  name = "FHIR Data Contributor"
+}
+
+data "azurerm_role_definition" "azure_dicom_data_owner" {
+  name = "DICOM Data Owner"
+}
+
+resource "azurerm_role_assignment" "app_role_members_fhir_contributor" {
+  for_each           = !var.deploy_fhir || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals))
+  scope              = azurerm_healthcare_fhir_service.fhir[0].id
+  role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id
+  principal_id       = each.value
+}
+
+resource "azurerm_role_assignment" "app_role_members_dicom_data_owner" {
+  for_each           = !var.deploy_dicom || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals))
+  scope              = azurerm_healthcare_dicom_service.dicom[0].id
+  role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id
+  principal_id       = each.value
+}
diff --git a/templates/workspace_services/health-services/terraform/variables.tf b/templates/workspace_services/health-services/terraform/variables.tf
@@ -28,3 +28,17 @@ variable "deploy_dicom" {
   description = "Indicates if DICOM should be created in the Azure Health Data Services Workspace."
 }
 
+variable "auth_tenant_id" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to get app role members"
+}
+
+variable "auth_client_id" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to get app role members"
+}
+
+variable "auth_client_secret" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to get app role members"
+}