Admin vm shared service (#2624)

* admin vm shared service

* update changelog

* tf formatting

* fix

* fix

CHANGELOG.md

@@ -14,6 +14,7 @@ FEATURES:
 ENHANCEMENTS:
 
 * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584))
+* Move admin-vm from core to a shared service ([#2624](https://github.com/microsoft/AzureTRE/pull/2624))
 
 BUG FIXES:
 

docs/tre-admins/environment-variables.md

@@ -33,5 +33,4 @@
 | `ENABLE_AIRLOCK_MALWARE_SCANNING` | If False, Airlock requests will skip the malware scanning stage. If set to True, Setting up a scanner manually is required! |
 | `ENABLE_LOCAL_DEBUGGING` | Set to `false` by default. Setting this to `true` will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos) |
 | `PUBLIC_DEPLOYMENT_IP_ADDRESS` | The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from [https://ipecho.net/plain](https://ipecho.net/plain) does not work. If this is the case, then you can 'hardcode' your IP. |
-| `ADMIN_JUMPBOX_VM_SKU` | The SKU of the VM to use for the admin jumpbox. |
 | `RESOURCE_PROCESSOR_VMSS_SKU` | The SKU of the VMMS to use for the resource processing VM. |

templates/core/.env.sample

@@ -55,6 +55,5 @@ CORE_ADDRESS_SPACE="10.1.0.0/22"
 TRE_ADDRESS_SPACE="10.0.0.0/12"
 
 APP_SERVICE_PLAN_SKU="P1v2"
-ADMIN_JUMPBOX_VM_SKU="Standard_B2s"
 RESOURCE_PROCESSOR_VMSS_SKU="Standard_B2s"
 ENABLE_AIRLOCK_MALWARE_SCANNING=false

templates/core/terraform/variables.tf

@@ -118,12 +118,6 @@ variable "resource_processor_vmss_sku" {
   description = "The SKU of the resource processor VMSS."
 }
 
-variable "admin_jumpbox_vm_sku" {
-  type        = string
-  default     = "Standard_B2s"
-  description = "The SKU of the admin jumpbox VM."
-}
-
 variable "stateful_resources_locked" {
   type        = bool
   default     = true

templates/core/version.txt

@@ -1 +1 @@
-__version__ = "0.4.26"
+__version__ = "0.4.27"

templates/shared_services/admin-vm/.dockerignore

@@ -0,0 +1,8 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Put files here that you don't want copied into your bundle's invocation image
+.gitignore
+**/.terraform/*
+**/*_backend.tf
+Dockerfile.tmpl
+terraform/deploy.sh
+terraform/destroy.sh

templates/shared_services/admin-vm/Dockerfile.tmpl

@@ -0,0 +1,26 @@
+FROM debian:buster-slim
+
+ARG BUNDLE_DIR
+
+# This is a template Dockerfile for the bundle's invocation image
+# You can customize it to use different base images, install tools and copy configuration files.
+#
+# Porter will use it as a template and append lines to it for the mixins
+# and to set the CMD appropriately for the CNAB specification.
+#
+# Add the following line to porter.yaml to instruct Porter to use this template
+# dockerfile: Dockerfile.tmpl
+
+# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
+# another location in this file. If you remove that line, the mixins generated content is appended to this file.
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY . $BUNDLE_DIR
+
+# Mirror plugins to prevent network access at runtime
+# Remove when available from https://github.com/getporter/terraform-mixin/issues/90
+WORKDIR $BUNDLE_DIR/terraform
+RUN terraform init -backend=false \
+  && rm -fr $BUNDLE_DIR/terraform/.terraform/providers \
+  && terraform providers mirror /usr/local/share/terraform/plugins

templates/shared_services/admin-vm/parameters.json

@@ -0,0 +1,44 @@
+{
+  "schemaVersion": "1.0.0-DRAFT+TODO",
+  "name": "base",
+  "created": "2021-06-04T13:37:29.5071039+03:00",
+  "modified": "2021-06-04T13:37:29.5071039+03:00",
+  "parameters": [
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "admin_jumpbox_vm_sku",
+      "source": {
+        "env": "ADMIN_JUMPBOX_VM_SKU"
+      }
+    }
+  ]
+}

templates/shared_services/admin-vm/porter.yaml

@@ -0,0 +1,87 @@
+---
+name: tre-shared-service-admin-vm
+version: 0.1.0
+description: "An admin vm shared service"
+dockerfile: Dockerfile.tmpl
+registry: azuretre
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+parameters:
+  - name: tre_id
+    type: string
+    description: "The ID of the parent TRE instance e.g., mytre-dev-3142"
+  - name: id
+    type: string
+    description: "Resource ID"
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    type: boolean
+    default: false
+  - name: admin_jumpbox_vm_sku
+    env: ADMIN_JUMPBOX_VM_SKU
+    type: string
+    default: Standard_B2s
+
+mixins:
+  - terraform:
+      clientVersion: 1.2.9
+
+install:
+  - terraform:
+      description: "Deploy shared service"
+      input: false
+      vars:
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"
+
+upgrade:
+  - terraform:
+      description: "Upgrade shared service"
+      input: false
+      vars:
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"
+
+uninstall:
+  - terraform:
+      description: "Tear down shared service"
+      input: false
+      vars:
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm"

templates/shared_services/admin-vm/template_schema.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "$id": "https://github.com/microsoft/AzureTRE/templates/shared_services/admin-vm/template_schema.json",
+  "type": "object",
+  "title": "Admin VM Shared Service",
+  "description": "Provides VM in the core network",
+  "required": [],
+  "properties": {
+    "admin_jumpbox_vm_sku": {
+      "$id": "#/properties/admin_jumpbox_vm_sku",
+      "type": "string",
+      "enum": [
+        "Standard_B2s",
+        "Standard_D2s_v3",
+        "Standard_D2s_v4",
+        "Standard_D2s_v5"
+      ],
+      "default": "Standard_B2s",
+      "title": "VM SKU",
+      "description": "The SKU of the VM that will be deployed."
+    }
+  }
+}

templates/core/terraform/admin-jumpbox.tf → templates/shared_services/admin-vm/terraform/admin-jumpbox.tf

@@ -1,12 +1,12 @@
 resource "azurerm_network_interface" "jumpbox_nic" {
   name                = "nic-vm-${var.tre_id}"
-  resource_group_name = azurerm_resource_group.core.name
-  location            = azurerm_resource_group.core.location
-  tags                = local.tre_core_tags
+  resource_group_name = data.azurerm_resource_group.rg.name
+  location            = data.azurerm_resource_group.rg.location
+  tags                = local.tre_shared_service_tags
 
   ip_configuration {
     name                          = "internalIPConfig"
-    subnet_id                     = module.network.shared_subnet_id
+    subnet_id                     = data.azurerm_subnet.shared.id
     private_ip_address_allocation = "Dynamic"
   }
 }
@@ -26,58 +26,33 @@ resource "random_password" "password" {
 
 resource "azurerm_windows_virtual_machine" "jumpbox" {
   name                       = "vm-${var.tre_id}"
-  resource_group_name        = azurerm_resource_group.core.name
-  location                   = azurerm_resource_group.core.location
+  resource_group_name        = data.azurerm_resource_group.rg.name
+  location                   = data.azurerm_resource_group.rg.location
   network_interface_ids      = [azurerm_network_interface.jumpbox_nic.id]
   size                       = var.admin_jumpbox_vm_sku
   allow_extension_operations = true
   admin_username             = "adminuser"
   admin_password             = random_password.password.result
-  tags                       = local.tre_core_tags
-
-  custom_data = base64encode(data.template_file.vm_config.rendered)
+  tags                       = local.tre_shared_service_tags
 
   source_image_reference {
     publisher = "MicrosoftWindowsDesktop"
     offer     = "windows-10"
     sku       = "win10-21h2-pro-g2"
     version   = "latest"
   }
+
   os_disk {
     name                 = "vm-dsk-${var.tre_id}"
     caching              = "ReadWrite"
     storage_account_type = "Standard_LRS"
   }
-
-  identity {
-    type = "SystemAssigned"
-  }
 }
 
 resource "azurerm_key_vault_secret" "jumpbox_credentials" {
   name         = "${azurerm_windows_virtual_machine.jumpbox.name}-jumpbox-password"
   value        = random_password.password.result
-  key_vault_id = azurerm_key_vault.kv.id
-  depends_on = [
-    azurerm_key_vault_access_policy.deployer
-  ]
-}
-resource "azurerm_virtual_machine_extension" "config_script" {
-  name                 = "${azurerm_windows_virtual_machine.jumpbox.name}-vmextension"
-  virtual_machine_id   = azurerm_windows_virtual_machine.jumpbox.id
-  publisher            = "Microsoft.Compute"
-  type                 = "CustomScriptExtension"
-  type_handler_version = "1.10"
-
-  settings = <<SETTINGS
-    {
-      "commandToExecute": "powershell -ExecutionPolicy Unrestricted -NoProfile -NonInteractive -command \"cp c:/azuredata/customdata.bin c:/azuredata/configure.ps1; c:/azuredata/configure.ps1 \""
-    }
-SETTINGS
-}
-
-data "template_file" "vm_config" {
-  template = file("${path.module}/admin-jumpbox-configure.ps1")
+  key_vault_id = data.azurerm_key_vault.keyvault.id
 }
 
 resource "azurerm_virtual_machine_extension" "antimalware" {