From ad9bc99b27c154e25e0a504ea29b32f4a8c8790d Mon Sep 17 00:00:00 2001
From: Elad <13205761+eladiw@users.noreply.github.com>
Date: Sun, 15 May 2022 21:07:38 +0300
Subject: [PATCH 01/18] Airlock resources - tf scripts

---
 .../terraform/airlock/eventgrid_topics.tf | 102 ++++++++++++++++++
 templates/core/terraform/airlock/locals.tf | 14 +++
 templates/core/terraform/airlock/outputs.tf | 0
 .../core/terraform/airlock/service-bus.tf | 71 ++++++++++++
 .../terraform/airlock/storage_accounts.tf | 45 ++++++++
 templates/core/terraform/airlock/variables.tf | 3 +
 templates/core/terraform/main.tf | 7 ++
 .../terraform/airlock/eventgrid_topics.tf | 78 ++++++++++++++
 .../base/terraform/airlock/locals.tf | 16 +++
 .../base/terraform/airlock/outputs.tf | 0
 .../terraform/airlock/storage_accounts.tf | 59 ++++++++++
 .../base/terraform/airlock/variables.tf | 3 +
 12 files changed, 398 insertions(+)
 create mode 100644 templates/core/terraform/airlock/eventgrid_topics.tf
 create mode 100644 templates/core/terraform/airlock/locals.tf
 create mode 100644 templates/core/terraform/airlock/outputs.tf
 create mode 100644 templates/core/terraform/airlock/service-bus.tf
 create mode 100644 templates/core/terraform/airlock/storage_accounts.tf
 create mode 100644 templates/core/terraform/airlock/variables.tf
 create mode 100644 templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
 create mode 100644 templates/workspaces/base/terraform/airlock/locals.tf
 create mode 100644 templates/workspaces/base/terraform/airlock/outputs.tf
 create mode 100644 templates/workspaces/base/terraform/airlock/storage_accounts.tf
 create mode 100644 templates/workspaces/base/terraform/airlock/variables.tf

diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf
new file mode 100644
index 0000000000..55b2b0a536
--- /dev/null
+++ b/templates/core/terraform/airlock/eventgrid_topics.tf
@@ -0,0 +1,102 @@
+# Event grid topics
+resource "azurerm_eventgrid_topic" "egt_update_status_topic" {
+ name = local.egt_update_status_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ tags = {
+ Publishers = "Airlock Orchestrator;"
+ }
+}
+
+resource "azurerm_eventgrid_topic" "egt_status_changed_topic" {
+ name = local.egt_status_changed_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ tags = {
+ Publishers = "TRE API;"
+ }
+}
+
+# System topic
+resource "azurerm_eventgrid_system_topic" "inprogress_import_system_topic" {
+ name = local.egst_inprogress_import_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_in-progress_import.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;in-progress-import-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_in-progress_import
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+
+resource "azurerm_eventgrid_system_topic" "rejected_import_system_topic" {
+ name = local.egst_rejected_import_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_rejected_import.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;rejected-import-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_rejected_import
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+
+# Custom topic (for scanning)
+resource "azurerm_eventgrid_topic" "scan_result_topic" {
+ name = local.egt_scan_result_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ tags = {
+ Publishers = "airlock;custom scanning service;"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+## Subscriptions
+
+resource "azurerm_eventgrid_event_subscription" "updated-status-subscription" {
+ name = "update-status"
+ scope = azurerm_eventgrid_topic.egt_update_status_topic.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "status-changed-subscription" {
+ name = "status-changed"
+ scope = azurerm_eventgrid_topic.egt_status_changed_topic.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "inprogress-import-blob-created-subscription" {
+ name = "in-prog-import-blob-created"
+ scope = azurerm_storage_account.sa_in-progress_import.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.in_progress_import_queue.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "rejected-import-blob-created-subscription" {
+ name = "rejected-import-blob-created"
+ scope = azurerm_storage_account.sa_rejected_import.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import_queue.id
+}
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
new file mode 100644
index 0000000000..60b6aacb15
--- /dev/null
+++ b/templates/core/terraform/airlock/locals.tf
@@ -0,0 +1,14 @@
+locals {
+ # STorage AirLock EXternal
+ airlock_external_storage_name = lower(replace("stalex${var.tre_id}", "-", ""))
+ # STorage AirLock InProgress IMport
+ airlock_in_progress_import_storage_name = lower(replace("stalipim${var.tre_id}", "-", ""))
+ # STorage AirLock REJected IMport
+ airlock_rejected_import_storage_name = lower(replace("stalrejim${var.tre_id}", "-", ""))
+
+ egst_inprogress_import_sys_topic_name = "egst-in-prog-import-${var.tre_id}"
+ egst_rejected_import_sys_topic_name = "egst-rejected-import-${var.tre_id}"
+ egt_scan_result_topic_name = "egt-scan-res-${var.tre_id}"
+ egt_update_status_topic_name = "egt-update-status-${var.tre_id}"
+ egt_status_changed_topic_name = "egt-status-changed-${var.tre_id}"
+}
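Review bot: The storage-scoped subscriptions `inprogress-import-blob-created-subscription` and `rejected-import-blob-created-subscription` carry no event-type filter, so every event the storage system topic emits (deletes, tier changes) is queued under a name that promises only blob-created events; add `included_event_types = ["Microsoft.Storage.BlobCreated"]` to each, and the same applies to the three storage-scoped subscriptions in templates/workspaces/base/terraform/airlock/eventgrid_topics.tf in this patch. The `depends_on` on both system topics restates the dependency already implied by `source_arm_resource_id` and can be dropped. `scan_result_topic` is declared but no subscription routes it to `scan_result_queue` in service-bus.tf, so the scanning path is not wired end to end yet; if that is intentional a comment saying so would help the next reader.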
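Review bot: The storage account names in this `locals` block are derived from `var.tre_id` with no length guard, and Azure caps storage account names at 24 lowercase alphanumerics; with the longest prefix here, `stalrejim` (9 characters), a `tre_id` longer than 15 characters after hyphen removal fails at apply time rather than at plan. If `tre_id` is already bounded elsewhere in the repo a comment stating that assumption would do; otherwise a `validation` block on `tre_id` in variables.tf would surface the problem early.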
diff --git a/templates/core/terraform/airlock/outputs.tf b/templates/core/terraform/airlock/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service-bus.tf
new file mode 100644
index 0000000000..77822f3842
--- /dev/null
+++ b/templates/core/terraform/airlock/service-bus.tf
@@ -0,0 +1,71 @@
+resource "azurerm_servicebus_namespace" "airlock_sb" {
+ name = "airlock-sb-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ sku = "Premium"
+ capacity = "1"
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_servicebus_queue" "update_status_queue" {
+ name = "update_status_queue"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "status_changed_queue" {
+ name = "status_changed_queue"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "in_progress_import_queue" {
+ name = "in_progress_import_blob_created_queue"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "rejected_import_queue" {
+ name = "rejected_import_blob_created_queue"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+
+resource "azurerm_servicebus_queue" "scan_result_queue" {
+ name = "scan_result_queue"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "accepted_import" {
+ name = "accepted_import_blob_created"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "inprogress_export" {
+ name = "inprogress_export_blob_created"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+resource "azurerm_servicebus_queue" "rejected_export" {
+ name = "rejected_export_blob_created"
+ namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+
+
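Review bot: `capacity = "1"` on `airlock_sb` is a string where the provider argument is numeric; write `capacity = 1` so the value is not relying on implicit conversion. The `lifecycle { ignore_changes = [tags] }` on a namespace that sets no tags has no effect and can go. Every queue leaves `max_delivery_count`, dead-lettering and lock duration at provider defaults, which is fine to start with, but a one-line comment at the top of the file saying so would save the next reader checking each block.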
diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf
new file mode 100644
index 0000000000..fa6603d87e
--- /dev/null
+++ b/templates/core/terraform/airlock/storage_accounts.tf
@@ -0,0 +1,45 @@
+# 'External' storage account
+resource "azurerm_storage_account" "sa_external_import" {
+ name = local.airlock_external_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;import;external"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+# 'In-Progress' storage account
+resource "azurerm_storage_account" "sa_in-progress_import" {
+ name = local.airlock_in_progress_import_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;import;in-progress"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+
+# 'Rejected' storage account
+resource "azurerm_storage_account" "sa_rejected_import" {
+ name = local.airlock_rejected_import_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;import;rejected"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
diff --git a/templates/core/terraform/airlock/variables.tf b/templates/core/terraform/airlock/variables.tf
new file mode 100644
index 0000000000..963bc71347
--- /dev/null
+++ b/templates/core/terraform/airlock/variables.tf
@@ -0,0 +1,3 @@
+variable "tre_id" {}
+variable "location" {}
+variable "resource_group_name" {}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index 8012cc6e3a..de86660406 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
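Review bot: All three storage accounts are created with provider defaults for transport and anonymous access: no `min_tls_version = "TLS1_2"`, no `allow_blob_public_access = false` and no `network_rules`, even though `sa_external_import` is, by its own comment, the externally reachable drop location. Set at least `min_tls_version = "TLS1_2"` and `allow_blob_public_access = false` on each account here and on the four accounts in templates/workspaces/base/terraform/airlock/storage_accounts.tf in this patch; `enable_https_traffic_only` already defaults to true in the provider. `GRS` replication copies airlock contents to the paired region, which may or may not be acceptable for the data these accounts hold — I can't see the deployment's residency policy from here, so a comment justifying `GRS` over `LRS`/`ZRS` would help.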
@@ -72,6 +72,13 @@ module "appgateway" {
  ]
 }
+module "airlock_resources" {
+ source = "./airlock"
+ tre_id = var.tre_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.core.name
+}
+
 module "resource_processor_vmss_porter" {
  count = var.resource_processor_type == "vmss_porter" ? 1 : 0
  source = "./resource_processor/vmss_porter"
diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
new file mode 100644
index 0000000000..725c9edd10
--- /dev/null
+++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
@@ -0,0 +1,78 @@
+# System topics
+resource "azurerm_eventgrid_system_topic" "accepted_import_blob_created_system_topic" {
+ name = local.egst_accepted_import_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_accepted_import.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;accepted-import-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_accepted_import
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_eventgrid_system_topic" "inprogress_export_blob_created_system_topic" {
+ name = local.egst_inprogress_export_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_inprogress_export.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;inprogress-export-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_inprogress_export
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+
+resource "azurerm_eventgrid_system_topic" "rejected_export_blob_created_system_topic" {
+ name = local.egst_rejected_export_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_rejected_export.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;rejected-export-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_rejected_export
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+## Subscriptions
+resource "azurerm_eventgrid_event_subscription" "accepted-blob-created-subscription" {
+ name = "accepted-import-blob-created-${var.workspace_resource_name_suffix}"
+ scope = azurerm_storage_account.sa_accepted_import.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.accepted_import.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "inprogress-export-blob-created-subscription" {
+ name = "inprogress-export-blob-created-${var.workspace_resource_name_suffix}"
+ scope = azurerm_storage_account.sa_inprogress_export.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.inprogress_import.id
+}
+
+resource "azurerm_eventgrid_event_subscription" "rejected-export-blob-created-subscription" {
+ name = "rejected-export-blob-created-${var.workspace_resource_name_suffix}"
+ scope = azurerm_storage_account.sa_rejected_export.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import.id
+}
+
diff --git a/templates/workspaces/base/terraform/airlock/locals.tf b/templates/workspaces/base/terraform/airlock/locals.tf
new file mode 100644
index 0000000000..bf95869181
--- /dev/null
+++ b/templates/workspaces/base/terraform/airlock/locals.tf
@@ -0,0 +1,16 @@
+locals {
+ workspace_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}"
+
+ egst_accepted_import_sys_topic_name = "egst-accepted-imp-${var.workspace_resource_name_suffix}"
+ egst_inprogress_export_sys_topic_name = "egst-inprog-exp-${var.workspace_resource_name_suffix}"
+ egst_rejected_export_sys_topic_name = "egst-rejected-exp-${var.workspace_resource_name_suffix}"
+
+ # STorage AirLock ACCepted
+ airlock_accepted_import_storage_name = lower(replace("stalacc${var.workspace_resource_name_suffix}", "-", ""))
+ # STorage AirLock INTernal EXport
+ airlock_internal_export_storage_name = lower(replace("stalintex${var.workspace_resource_name_suffix}", "-", ""))
+ # STorage AirLock InProgress EXport
+ airlock_inprogress_export_storage_name = lower(replace("stalipex${var.workspace_resource_name_suffix}", "-", ""))
+ # STorage AirLock REJected EXport
+ airlock_rejected_export_storage_name = lower(replace("stalrejex${var.workspace_resource_name_suffix}", "-", ""))
+}
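Review bot: The three `service_bus_queue_endpoint_id` values reference `azurerm_servicebus_queue.accepted_import`, `.inprogress_import` and `.rejected_import` as resources of this module, but this module declares no Service Bus queues (they are created in the core module's service-bus.tf), and `inprogress_import` exists nowhere in this patch — the core queue for the export path is `inprogress_export`; `terraform validate` will reject all three references. The queue ids need to come in through a variable or a `data "azurerm_servicebus_queue"` lookup, and the in-progress export subscription should point at the export queue rather than an import one. `var.workspace_resource_name_suffix` is also not declared in this module's variables.tf; locals.tf in this patch defines it as a local.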
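Review bot: `workspace_resource_name_suffix` is defined as a local on the first line of this block, but every other expression in it reads `var.workspace_resource_name_suffix`, which is not declared in variables.tf; they should read `local.workspace_resource_name_suffix`. `local.short_workspace_id` is referenced without a definition in any file of this patch — presumably it comes from a locals file elsewhere in the workspace template, worth confirming. The storage names prepend up to 9 characters (`stalintex`) to a suffix that already contains `tre_id`, `-ws-` and a workspace id, so the 24-character storage account name limit is easy to exceed; `replace` drops the hyphens but nothing bounds the length.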
diff --git a/templates/workspaces/base/terraform/airlock/outputs.tf b/templates/workspaces/base/terraform/airlock/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
new file mode 100644
index 0000000000..a41a7d3edb
--- /dev/null
+++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
@@ -0,0 +1,59 @@
+# 'Accepted' storage account
+resource "azurerm_storage_account" "sa_accepted_import" {
+ name = local.airlock_accepted_import_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;import;accepted"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+# 'Drop' location for export
+resource "azurerm_storage_account" "sa_internal_export" {
+ name = local.airlock_internal_export_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;export;internal"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+# 'In-progress' location for export
+resource "azurerm_storage_account" "sa_inprogress_export" {
+ name = local.airlock_inprogress_export_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;export;inprogress"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+# 'Rejected' location for export
+resource "azurerm_storage_account" "sa_rejected_export" {
+ name = local.airlock_rejected_export_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ description = "airlock;export;rejected"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
diff --git a/templates/workspaces/base/terraform/airlock/variables.tf b/templates/workspaces/base/terraform/airlock/variables.tf
new file mode 100644
index 0000000000..3d1f9e2489
--- /dev/null
+++ b/templates/workspaces/base/terraform/airlock/variables.tf
@@ -0,0 +1,3 @@
+variable "location" {}
+variable "tre_id" {}
+variable "ws_resource_group_name" {}

From 7a4e67ce85f4285515208fe6d7bb5fbfdd27dcdd Mon Sep 17 00:00:00 2001
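Review bot: Every account in this file sets `resource_group_name = var.resource_group_name`, but the module's variables.tf in this patch declares `ws_resource_group_name`, not `resource_group_name`, so the module does not validate as written; the reference should be `var.ws_resource_group_name` in all four resources. `sa_internal_export`, described as the export drop location, is the only one of the four with no system topic or subscription in eventgrid_topics.tf — if that is intended, a comment on the resource saying why would help.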
From: Elad <13205761+eladiw@users.noreply.github.com>
Date: Thu, 19 May 2022 16:51:32 +0300
Subject: [PATCH 02/18] reusing the existing sb + adding network rules bug fixes

---
 .../terraform/airlock/eventgrid_topics.tf | 36 ++++-
 templates/core/terraform/airlock/locals.tf | 5 +-
 .../core/terraform/airlock/service-bus.tf | 51 ++++---
 .../terraform/airlock/storage_accounts.tf | 88 ++++++++++-
 templates/core/terraform/airlock/variables.tf | 2 +
 .../core/terraform/appgateway/staticweb.tf | 2 +-
 templates/core/terraform/main.tf | 15 +-
 templates/core/terraform/network/network.tf | 3 +
 .../terraform/airlock/eventgrid_topics.tf | 42 ++++--
 .../base/terraform/airlock/locals.tf | 19 +-
 .../terraform/airlock/storage_accounts.tf | 137 +++++++++++++++--
 .../base/terraform/airlock/variables.tf | 3 +
 .../base/terraform/network/network.tf | 2 +
 .../workspaces/base/terraform/workspace.tf | 14 ++
 14 files changed, 343 insertions(+), 76 deletions(-)

diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf
index 55b2b0a536..cf68c76990 100644
--- a/templates/core/terraform/airlock/eventgrid_topics.tf
+++ b/templates/core/terraform/airlock/eventgrid_topics.tf
@@ -24,7 +24,7 @@ resource "azurerm_eventgrid_system_topic" "inprogress_import_system_topic" {
  name = local.egst_inprogress_import_sys_topic_name
  location = var.location
  resource_group_name = var.resource_group_name
- source_arm_resource_id = azurerm_storage_account.sa_in-progress_import.id
+ source_arm_resource_id = azurerm_storage_account.sa_in_progress_import.id
  topic_type = "Microsoft.Storage.StorageAccounts"
  tags = {
@@ -32,7 +32,7 @@ resource "azurerm_eventgrid_system_topic" "inprogress_import_system_topic" {
  }
  depends_on = [
- azurerm_storage_account.sa_in-progress_import
+ azurerm_storage_account.sa_in_progress_import
  ]
  lifecycle { ignore_changes = [tags] }
@@ -57,6 +57,24 @@ resource "azurerm_eventgrid_system_topic" "rejected_import_system_topic" {
  lifecycle { ignore_changes = [tags] }
 }
+resource "azurerm_eventgrid_system_topic" "accepted_export_system_topic" {
+ name = local.egst_accepted_export_sys_topic_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ source_arm_resource_id = azurerm_storage_account.sa_accepted_export.id
+ topic_type = "Microsoft.Storage.StorageAccounts"
+
+ tags = {
+ Publishers = "airlock;accepted-export-sa"
+ }
+
+ depends_on = [
+ azurerm_storage_account.sa_accepted_export
+ ]
+
+ lifecycle { ignore_changes = [tags] }
+}
+
 # Custom topic (for scanning)
 resource "azurerm_eventgrid_topic" "scan_result_topic" {
@@ -89,14 +107,22 @@ resource "azurerm_eventgrid_event_subscription" "status-changed-subscription" {
 resource "azurerm_eventgrid_event_subscription" "inprogress-import-blob-created-subscription" {
  name = "in-prog-import-blob-created"
- scope = azurerm_storage_account.sa_in-progress_import.id
+ scope = azurerm_storage_account.sa_in_progress_import.id
- service_bus_queue_endpoint_id = azurerm_servicebus_queue.in_progress_import_queue.id
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.in_progress_import_blob_created_queue.id
 }
 resource "azurerm_eventgrid_event_subscription" "rejected-import-blob-created-subscription" {
  name = "rejected-import-blob-created"
  scope = azurerm_storage_account.sa_rejected_import.id
- service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import_queue.id
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import_blob_created_queue.id
 }
+
+resource "azurerm_eventgrid_event_subscription" "accepted-export-blob-created-subscription" {
+ name = "accepted-export-blob-created"
+ scope = azurerm_storage_account.sa_accepted_export.id
+
+ service_bus_queue_endpoint_id = azurerm_servicebus_queue.accepted_export_blob_created_queue.id
+}
+
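Review bot: `depends_on = [azurerm_storage_account.sa_accepted_export]` in the new `accepted_export_system_topic` restates the dependency already created by `source_arm_resource_id = azurerm_storage_account.sa_accepted_export.id` and can be removed; the two system topics earlier in this file carry the same redundant block. Keeping `depends_on` for dependencies Terraform cannot infer on its own makes the ones that remain meaningful.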
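Review bot: `accepted-export-blob-created-subscription` subscribes the whole storage account to `accepted_export_blob_created_queue` with no `included_event_types`, so deletions and tier changes are delivered as if they were uploads; `included_event_types = ["Microsoft.Storage.BlobCreated"]` would make the subscription match its name, and a `subject_filter { subject_begins_with = "/blobServices/default/containers/<container>/" }` could narrow it further once a container convention exists (placeholder, the container name is not on the page). Since this patch moves delivery onto the shared `sb-${var.tre_id}` namespace, if that namespace has public network access disabled Event Grid can only deliver with a managed identity — `delivery_identity { type = "SystemAssigned" }` on the subscription, `identity { type = "SystemAssigned" }` on the topic, and a Service Bus Data Sender role assignment — which nothing in this patch sets up; I can't see the namespace's network settings from here, so worth confirming before the first end-to-end test.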
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
index 60b6aacb15..5de5c95871 100644
--- a/templates/core/terraform/airlock/locals.tf
+++ b/templates/core/terraform/airlock/locals.tf
@@ -1,13 +1,16 @@
 locals {
  # STorage AirLock EXternal
- airlock_external_storage_name = lower(replace("stalex${var.tre_id}", "-", ""))
+ airlock_external_import_storage_name = lower(replace("stalexim${var.tre_id}", "-", ""))
  # STorage AirLock InProgress IMport
  airlock_in_progress_import_storage_name = lower(replace("stalipim${var.tre_id}", "-", ""))
  # STorage AirLock REJected IMport
  airlock_rejected_import_storage_name = lower(replace("stalrejim${var.tre_id}", "-", ""))
+ # STorage AirLock ACCepted EXPort
+ airlock_accepted_export_storage_name = lower(replace("stalaccexp${var.t
re_id}", "-", ""))
  egst_inprogress_import_sys_topic_name = "egst-in-prog-import-${var.tre_id}"
  egst_rejected_import_sys_topic_name = "egst-rejected-import-${var.tre_id}"
+ egst_accepted_export_sys_topic_name = "egst-accepted-export-${var.tre_id}"
  egt_scan_result_topic_name = "egt-scan-res-${var.tre_id}"
  egt_update_status_topic_name = "egt-update-status-${var.tre_id}"
  egt_status_changed_topic_name = "egt-status-changed-${var.tre_id}"
diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service-bus.tf
index 77822f3842..1555692318 100644
--- a/templates/core/terraform/airlock/service-bus.tf
+++ b/templates/core/terraform/airlock/service-bus.tf
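Review bot: The comment `# STorage AirLock EXternal` above the renamed `airlock_external_import_storage_name` no longer spells out the new prefix `stalexim`; update it to `# STorage AirLock EXternal IMport` so it follows the convention the other three entries use. The new `stalaccexp` prefix is 10 characters, the longest in the file, so it is now the one that bounds `tre_id` to 14 characters after hyphen removal under the 24-character storage account name limit — worth a note next to it if `tre_id` is not validated elsewhere.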
@@ -1,39 +1,36 @@
-resource "azurerm_servicebus_namespace" "airlock_sb" {
- name = "airlock-sb-${var.tre_id}"
- location = var.location
+# Utilize the existing service bus - add new queue
+data "azurerm_servicebus_namespace" "airlock_sb" {
+ name = "sb-${var.tre_id}"
  resource_group_name = var.resource_group_name
- sku = "Premium"
- capacity = "1"
- lifecycle { ignore_changes = [tags] }
 }
 resource "azurerm_servicebus_queue" "update_status_queue" {
- name = "update_status_queue"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ name = "update_status"
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
 resource "azurerm_servicebus_queue" "status_changed_queue" {
- name = "status_changed_queue"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ name = "status_changed"
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
-resource "azurerm_servicebus_queue" "in_progress_import_queue" {
- name = "in_progress_import_blob_created_queue"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+resource "azurerm_servicebus_queue" "in_progress_import_blob_created_queue" {
+ name = "in_progress_import_blob_created"
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
-resource "azurerm_servicebus_queue" "rejected_import_queue" {
- name = "rejected_import_blob_created_queue"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+resource "azurerm_servicebus_queue" "rejected_import_blob_created_queue" {
+ name = "rejected_import_blob_created"
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
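Review bot: The new data source hardcodes `name = "sb-${var.tre_id}"`, duplicating the naming rule of the namespace the core module creates, and a data source that reads a resource created in the same apply only works because main.tf in this patch adds `depends_on = [azurerm_servicebus_namespace.sb]` on the whole module. Passing `azurerm_servicebus_namespace.sb.id` into the module as a `servicebus_namespace_id` variable removes both the duplicated name and the module-level `depends_on`, which otherwise defers every data source in the module to apply time. The comment `# Utilize the existing service bus - add new queue` undersells it — this file now declares nine queues — so `add the airlock queues` would be more accurate.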
@@ -41,28 +38,36 @@ resource "azurerm_servicebus_queue" "rejected_import_queue" {
 resource "azurerm_servicebus_queue" "scan_result_queue" {
  name = "scan_result_queue"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
-resource "azurerm_servicebus_queue" "accepted_import" {
+resource "azurerm_servicebus_queue" "accepted_import_blob_created_queue" {
  name = "accepted_import_blob_created"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
-resource "azurerm_servicebus_queue" "inprogress_export" {
+resource "azurerm_servicebus_queue" "in_progress_export_blob_created_queue" {
  name = "inprogress_export_blob_created"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
-resource "azurerm_servicebus_queue" "rejected_export" {
+resource "azurerm_servicebus_queue" "rejected_export_blob_created_queue" {
  name = "rejected_export_blob_created"
- namespace_id = azurerm_servicebus_namespace.airlock_sb.id
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
+
+ enable_partitioning = false
+}
+
+# Accepted export
+resource "azurerm_servicebus_queue" "accepted_export_blob_created_queue" {
+ name = "accepted_export_blob_created"
+ namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id
  enable_partitioning = false
 }
diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf
index fa6603d87e..8d0e8ecdb7 100644
--- a/templates/core/terraform/airlock/storage_accounts.tf
+++ b/templates/core/terraform/airlock/storage_accounts.tf
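Review bot: `scan_result_queue` keeps `name = "scan_result_queue"` while every other queue in this patch drops the `_queue` suffix from its Service Bus name (`update_status`, `accepted_import_blob_created`, ...), so the one place the workspace module's `data "azurerm_servicebus_queue"` lookups match on — the Service Bus name — is now inconsistent; rename it to `name = "scan_result"` in this patch, since a queue name change is a replace and is cheapest before anything depends on it. The label `in_progress_export_blob_created_queue` with name `inprogress_export_blob_created` is the same kind of label/name drift and is worth aligning one way or the other.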
@@ -1,11 +1,14 @@
-# 'External' storage account
+# 'External' storage account - drop location for import
 resource "azurerm_storage_account" "sa_external_import" {
- name = local.airlock_external_storage_name
+ name = local.airlock_external_import_storage_name
  location = var.location
  resource_group_name = var.resource_group_name
  account_tier = "Standard"
  account_replication_type = "GRS"
+ # Don't allow anonymous access (unrelated to the 'public' networking rules)
+ allow_blob_public_access = false
+
  tags = {
  description = "airlock;import;external"
  }
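Review bot: `allow_blob_public_access = false` is the azurerm 2.x argument name; provider 3.x replaced it with `allow_nested_items_to_be_public`, so this file now pins the airlock module to whichever major version the root module's `required_providers` selects — that constraint is not on the page, so worth confirming it is 2.x. `min_tls_version = "TLS1_2"` is still absent on the external import account, which the new comment calls the internet-facing drop location, so TLS 1.0/1.1 clients remain accepted; add it next to the new `allow_blob_public_access` line.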
@@ -13,19 +16,69 @@ resource "azurerm_storage_account" "sa_external_import" {
  lifecycle { ignore_changes = [tags] }
 }
+# 'Accepted' export
+resource "azurerm_storage_account" "sa_accepted_export" {
+ name = local.airlock_accepted_export_storage_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ # Don't allow anonymous access (unrelated to the 'public' networking rules)
+ allow_blob_public_access = false
+
+ tags = {
+ description = "airlock;export;accepted"
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
 # 'In-Progress' storage account
-resource "azurerm_storage_account" "sa_in-progress_import" {
+resource "azurerm_storage_account" "sa_in_progress_import" {
  name = local.airlock_in_progress_import_storage_name
  location = var.location
  resource_group_name = var.resource_group_name
  account_tier = "Standard"
  account_replication_type = "GRS"
+ allow_blob_public_access = false
  tags = {
  description = "airlock;import;in-progress"
  }
+ network_rules {
+ default_action = var.enable_local_debugging ? "Allow" : "Deny"
+ bypass = ["AzureServices"]
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+data "azurerm_private_dns_zone" "blobcore" {
+ name = "privatelink.blob.core.windows.net"
+ resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_private_endpoint" "stg_ip_import_pe" {
+ name = "stgipimport-blob-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ subnet_id = var.shared_subnet_id
+ lifecycle { ignore_changes = [tags] }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group-stg-ip-import"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+ }
+
+ private_service_connection {
+ name = "psc-stgipimport-${var.tre_id}"
+ private_connection_resource_id = azurerm_storage_account.sa_in_progress_import.id
+ is_manual_connection = false
+ subresource_names = ["Blob"]
+ }
 }
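Review bot: The accounts this hunk touches end up with three different network postures: `sa_accepted_export` gets no `network_rules` at all, `sa_in_progress_import` gets `default_action = "Deny"` with `bypass = ["AzureServices"]` but no `virtual_network_subnet_ids`, and the rejected account in the next hunk adds `virtual_network_subnet_ids = [var.shared_subnet_id]`. If the difference is deliberate (accepted export being reachable for pick-up) each account needs a comment saying so; otherwise the in-progress account should match the rejected one. `default_action = var.enable_local_debugging ? "Allow" : "Deny"` opens the account to all networks whenever the flag is set, which the flag name does not suggest, so a comment such as `# Allow from any network only for local debugging; production deployments must leave this false` belongs next to it. `data "azurerm_private_dns_zone" "blobcore"` sits between two storage accounts; moving it to the top of the file or a data.tf keeps lookups apart from the resources that use them.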
@@ -36,10 +89,39 @@ resource "azurerm_storage_account" "sa_rejected_import" {
  resource_group_name = var.resource_group_name
  account_tier = "Standard"
  account_replication_type = "GRS"
+ allow_blob_public_access = false
  tags = {
  description = "airlock;import;rejected"
  }
+ network_rules {
+ default_action = var.enable_local_debugging ? "Allow" : "Deny"
+ bypass = ["AzureServices"]
+ virtual_network_subnet_ids = [var.shared_subnet_id]
+
+ }
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_endpoint" "stgipimportpe" {
+ name = "stg-rej-import-blob-${var.tre_id}"
+ location = var.location
+ resource_group_name = var.resource_group_name
+ subnet_id = var.shared_subnet_id
+ lifecycle { ignore_changes = [tags] }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group-stg-rej-import"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+ }
+
+ private_service_connection {
+ name = "psc-stg-rej-import-${var.tre_id}"
+ private_connection_resource_id = azurerm_storage_account.sa_rejected_import.id
+ is_manual_connection = false
+ subresource_names = ["Blob"]
+ }
 }
diff --git a/templates/core/terraform/airlock/variables.tf b/templates/core/terraform/airlock/variables.tf
index 963bc71347..850cb96e1f 100644
--- a/templates/core/terraform/airlock/variables.tf
+++ b/templates/core/terraform/airlock/variables.tf
@@ -1,3 +1,5 @@
 variable "tre_id" {}
 variable "location" {}
 variable "resource_group_name" {}
+variable "shared_subnet_id" {}
+variable "enable_local_debugging" {}
diff --git a/templates/core/terraform/appgateway/staticweb.tf b/templates/core/terraform/appgateway/staticweb.tf
index 7cc7d91c31..328df618d1 100644
--- a/templates/core/terraform/appgateway/staticweb.tf
+++ b/templates/core/terraform/appgateway/staticweb.tf
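Review bot: The new private endpoint for the rejected-import account is labelled `stgipimportpe`, a near copy of the in-progress endpoint's label `stg_ip_import_pe`, while its Azure name is `stg-rej-import-blob-${var.tre_id}`; rename the resource to `stg_rej_import_pe` so the Terraform address says what it fronts. The `network_rules` block has a stray blank line before its closing brace. This account lists `virtual_network_subnet_ids = [var.shared_subnet_id]` and also gets a private endpoint on that same subnet, so both the service-endpoint path and the private-link path are open from the shared subnet; if private link is the intended path the subnet rule is redundant and a comment should say which one is relied on. The enclosing `sa_rejected_import` block starts outside the hunk.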
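Review bot: The two new variables carry no `type` or `description`, and `enable_local_debugging` in particular drives the `default_action` of the storage network rules; declare it as `variable "enable_local_debugging" { type = bool default = false }` so an unset flag fails closed to `Deny`, and give `shared_subnet_id` `type = string`. A one-line `description` on each would also document that they are wired from module.network and the root `enable_local_debugging` in main.tf.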
@@ -48,7 +48,7 @@ resource "azurerm_private_endpoint" "webpe" {
  }
  private_service_connection {
- name = "psc-web--${local.staticweb_storage_name}"
+ name = "psc-web-${local.staticweb_storage_name}"
  private_connection_resource_id = azurerm_storage_account.staticweb.id
  is_manual_connection = false
  subresource_names = ["web"]
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index de86660406..0eebb15722 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
@@ -73,10 +73,17 @@ module "appgateway" {
 }
 module "airlock_resources" {
- source = "./airlock"
- tre_id = var.tre_id
- location = var.location
- resource_group_name = azurerm_resource_group.core.name
+ source = "./airlock"
+ tre_id = var.tre_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.core.name
+ shared_subnet_id = module.network.shared_subnet_id
+ enable_local_debugging = var.enable_local_debugging
+
+ depends_on = [
+ azurerm_servicebus_namespace.sb,
+ module.network
+ ]
 }
 module "resource_processor_vmss_porter" {
diff --git a/templates/core/terraform/network/network.tf b/templates/core/terraform/network/network.tf
index a4aeb9deee..abb3769ee7 100644
--- a/templates/core/terraform/network/network.tf
+++ b/templates/core/terraform/network/network.tf
@@ -55,6 +55,9 @@ resource "azurerm_subnet" "shared" {
  address_prefixes = [local.shared_services_subnet_address_prefix]
  # notice that private endpoints do not adhere to NSG rules
  enforce_private_link_endpoint_network_policies = true
+
+ service_endpoints = ["Microsoft.Storage"]
+
 }
 resource "azurerm_subnet" "resource_processor" {
diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
index 725c9edd10..2826aad659 100644
--- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
+++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf
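Review bot: Changing `private_service_connection.name` from `psc-web--…` to `psc-web-…` fixes a typo, but as far as I recall that attribute forces replacement of the private endpoint, so upgrading an existing deployment will destroy and recreate `webpe` and briefly break private-link resolution for the static web storage. That is unrelated to the airlock work this series is about, so either call it out in the commit description as an intentional one-time replacement or split it into its own change. The enclosing `webpe` resource starts outside the hunk.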
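Review bot: Adding `service_endpoints = ["Microsoft.Storage"]` to the shared subnet opens a second path to every storage account whose `network_rules` lists this subnet, while the same patch fronts those accounts with private endpoints; pick one access path and say so in a comment here, since the two blank lines added inside the resource block also look unintentional. Note that the comment above about private endpoints not adhering to NSG rules does not extend to service-endpoint traffic, which leaves the subnet normally, so any NSG rule on this subnet that allows or denies the Storage service tag now matters for the airlock accounts.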
@@ -2,7 +2,7 @@ resource "azurerm_eventgrid_system_topic" "accepted_import_blob_created_system_topic" { name = local.egst_accepted_import_sys_topic_name location = var.location - resource_group_name = var.resource_group_name + resource_group_name = var.ws_resource_group_name source_arm_resource_id = azurerm_storage_account.sa_accepted_import.id topic_type = "Microsoft.Storage.StorageAccounts" @@ -20,7 +20,7 @@ resource "azurerm_eventgrid_system_topic" "accepted_import_blob_created_system_t resource "azurerm_eventgrid_system_topic" "inprogress_export_blob_created_system_topic" { name = local.egst_inprogress_export_sys_topic_name location = var.location - resource_group_name = var.resource_group_name + resource_group_name = var.ws_resource_group_name source_arm_resource_id = azurerm_storage_account.sa_inprogress_export.id topic_type = "Microsoft.Storage.StorageAccounts" @@ -39,7 +39,7 @@ resource "azurerm_eventgrid_system_topic" "inprogress_export_blob_created_system resource "azurerm_eventgrid_system_topic" "rejected_export_blob_created_system_topic" { name = local.egst_rejected_export_sys_topic_name location = var.location - resource_group_name = var.resource_group_name + resource_group_name = var.ws_resource_group_name source_arm_resource_id = azurerm_storage_account.sa_rejected_export.id topic_type = "Microsoft.Storage.StorageAccounts" 
@@ -54,25 +54,47 @@ resource "azurerm_eventgrid_system_topic" "rejected_export_blob_created_system_t lifecycle { ignore_changes = [tags] } } +data "azurerm_servicebus_namespace" "airlock_sb" { + name = "sb-${var.tre_id}" + resource_group_name = local.core_resource_group_name +} + +data "azurerm_servicebus_queue" "accepted_import_blob_created_queue" { + name = "accepted_import_blob_created" + resource_group_name = local.core_resource_group_name + namespace_name = "sb-${var.tre_id}" +} + +data "azurerm_servicebus_queue" "in_progress_export_blob_created_queue" { + name = "inprogress_export_blob_created" + resource_group_name = local.core_resource_group_name + namespace_name = "sb-${var.tre_id}" +} + +data "azurerm_servicebus_queue" "rejected_export_blob_created_queue" { + name = "rejected_export_blob_created" + resource_group_name = local.core_resource_group_name + namespace_name = "sb-${var.tre_id}" +} + ## Subscriptions resource "azurerm_eventgrid_event_subscription" "accepted-blob-created-subscription" { - name = "accepted-import-blob-created-${var.workspace_resource_name_suffix}" + name = "accepted-import-blob-created-${local.workspace_resource_name_suffix}" scope = azurerm_storage_account.sa_accepted_import.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.accepted_import.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.accepted_import_blob_created_queue.id } resource "azurerm_eventgrid_event_subscription" "inprogress-export-blob-created-subscription" { - name = "inprogress-export-blob-created-${var.workspace_resource_name_suffix}" + name = "inprogress-export-blob-created-${local.workspace_resource_name_suffix}" scope = azurerm_storage_account.sa_inprogress_export.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.inprogress_import.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.in_progress_export_blob_created_queue.id } resource "azurerm_eventgrid_event_subscription" 
"rejected-export-blob-created-subscription" { - name = "rejected-export-blob-created-${var.workspace_resource_name_suffix}" + name = "rejected-export-blob-created-${local.workspace_resource_name_suffix}" scope = azurerm_storage_account.sa_rejected_export.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.rejected_export_blob_created_queue.id } - diff --git a/templates/workspaces/base/terraform/airlock/locals.tf b/templates/workspaces/base/terraform/airlock/locals.tf index bf95869181..3c2910ded6 100644 --- a/templates/workspaces/base/terraform/airlock/locals.tf +++ b/templates/workspaces/base/terraform/airlock/locals.tf 
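Review bot: The three new `azurerm_eventgrid_event_subscription` resources are scoped to whole storage accounts with no `included_event_types`, so the system topic will forward every storage event (deletes, renames, tier changes) to queues whose names promise only `blob_created`; unless the consumer filters on event type itself, a deletion will be processed as an arrival. Add `included_event_types = ["Microsoft.Storage.BlobCreated"]` to each subscription so the filter is enforced at the source. The queue names `accepted_import_blob_created`, `inprogress_export_blob_created` and `rejected_export_blob_created` are also repeated here as string literals against the core module's `service-bus.tf`, with no shared definition, so a rename on either side silently breaks the data-source lookup at plan time; passing the names in as module inputs or exporting them from core would remove that drift risk.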
@@ -1,16 +1,17 @@ locals { - workspace_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}" + core_resource_group_name = "rg-${var.tre_id}" + workspace_resource_name_suffix = "${var.tre_id}-ws-${var.short_workspace_id}" - egst_accepted_import_sys_topic_name = "egst-accepted-imp-${var.workspace_resource_name_suffix}" - egst_inprogress_export_sys_topic_name = "egst-inprog-exp-${var.workspace_resource_name_suffix}" - egst_rejected_export_sys_topic_name = "egst-rejected-exp-${var.workspace_resource_name_suffix}" + egst_accepted_import_sys_topic_name = "egst-accepted-imp-${local.workspace_resource_name_suffix}" + egst_inprogress_export_sys_topic_name = "egst-inprog-exp-${local.workspace_resource_name_suffix}" + egst_rejected_export_sys_topic_name = "egst-rejected-exp-${local.workspace_resource_name_suffix}" - # STorage AirLock ACCepted - airlock_accepted_import_storage_name = lower(replace("stalacc${var.workspace_resource_name_suffix}", "-", "")) + # STorage AirLock ACCepted IMport + airlock_accepted_import_storage_name = lower(replace("stalaccim${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock INTernal EXport - airlock_internal_export_storage_name = lower(replace("stalintex${var.workspace_resource_name_suffix}", "-", "")) + airlock_internal_export_storage_name = lower(replace("stalintex${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock InProgress EXport - airlock_inprogress_export_storage_name = lower(replace("stalipex${var.workspace_resource_name_suffix}", "-", "")) + airlock_inprogress_export_storage_name = lower(replace("stalipex${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock REJected EXport - airlock_rejected_export_storage_name = lower(replace("stalrejex${var.workspace_resource_name_suffix}", "-", "")) + airlock_rejected_export_storage_name = lower(replace("stalrejex${local.workspace_resource_name_suffix}", "-", "")) } 
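Review bot: The storage names such as `lower(replace("stalaccim${local.workspace_resource_name_suffix}", "-", ""))` concatenate a 9-character prefix with `tre_id`, `ws` and `short_workspace_id`, and Azure storage account names are capped at 24 characters, so a `tre_id` of more than a handful of characters will only be rejected at apply time rather than at plan. If `tre_id` is already length-bounded elsewhere, say so here with a comment such as `# Storage account names are limited to 24 chars: 9-char prefix + tre_id + "ws" + short_workspace_id must fit`; otherwise add a `validation` block on `tre_id` where it is declared. `core_resource_group_name = "rg-${var.tre_id}"` likewise hard-codes the core module's naming convention, which should be noted as a cross-module contract.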
diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index a41a7d3edb..b4088a89f3 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -1,10 +1,11 @@ # 'Accepted' storage account resource "azurerm_storage_account" "sa_accepted_import" { - name = local.airlock_accepted_import_storage_name - location = var.location - resource_group_name = var.resource_group_name - account_tier = "Standard" - account_replication_type = "GRS" + name = local.airlock_accepted_import_storage_name + location = var.location + resource_group_name = var.ws_resource_group_name + account_tier = "Standard" + account_replication_type = "GRS" + allow_nested_items_to_be_public = false tags = { description = "airlock;import;accepted" 
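Review bot: `sa_accepted_import` gains `allow_nested_items_to_be_public = false` but no `network_rules`, so its public endpoint stays reachable from any network even though the following hunk adds a private endpoint for it; the core module's rejected-import account in this same series denies by default, so the two sides of the airlock end up with different exposure. The resource's remaining lines are in the next hunk and show only the tag closing and `lifecycle`, so the omission appears to be real rather than cut off by the hunk boundary. If every consumer reaches the account through the private endpoint, add a deny-by-default block; the same applies to the other three workspace accounts in this file. The resource is left open at the end of this hunk.
```hcl
resource "azurerm_storage_account" "sa_accepted_import" {
  # … unchanged: name, location, resource_group_name, tier, replication, allow_nested_items_to_be_public, tags …

  # Public endpoint closed: access is via the private endpoint; bypass kept for trusted Azure services only
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
```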
@@ -13,13 +14,41 @@ resource "azurerm_storage_account" "sa_accepted_import" { lifecycle { ignore_changes = [tags] } } +data "azurerm_private_dns_zone" "blobcore" { + name = "privatelink.blob.core.windows.net" + resource_group_name = local.core_resource_group_name +} + +resource "azurerm_private_endpoint" "stg_acc_import_pe" { + name = "stg-acc-import-blob-${var.tre_id}" + location = var.location + resource_group_name = var.ws_resource_group_name + subnet_id = var.services_subnet_id + + lifecycle { ignore_changes = [tags] } + + private_dns_zone_group { + name = "private-dns-zone-group-stg-acc-import" + private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] + } + + private_service_connection { + name = "psc-stg-acc-import-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_accepted_import.id + is_manual_connection = false + subresource_names = ["Blob"] + } +} + + # 'Drop' location for export resource "azurerm_storage_account" "sa_internal_export" { - name = local.airlock_internal_export_storage_name - location = var.location - resource_group_name = var.resource_group_name - account_tier = "Standard" - account_replication_type = "GRS" + name = local.airlock_internal_export_storage_name + location = var.location + resource_group_name = var.ws_resource_group_name + account_tier = "Standard" + account_replication_type = "GRS" + allow_nested_items_to_be_public = false tags = { description = "airlock;export;internal" 
@@ -28,13 +57,36 @@ resource "azurerm_storage_account" "sa_internal_export" { lifecycle { ignore_changes = [tags] } } + +resource "azurerm_private_endpoint" "stg_int_export_pe" { + name = "stg-int-export-blob-${var.tre_id}" + location = var.location + resource_group_name = var.ws_resource_group_name + subnet_id = var.services_subnet_id + + lifecycle { ignore_changes = [tags] } + + private_dns_zone_group { + name = "private-dns-zone-group-stg-int-export" + private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] + } + + private_service_connection { + name = "psc-stg-int-export-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_internal_export.id + is_manual_connection = false + subresource_names = ["Blob"] + } +} + # 'In-progress' location for export resource "azurerm_storage_account" "sa_inprogress_export" { - name = local.airlock_inprogress_export_storage_name - location = var.location - resource_group_name = var.resource_group_name - account_tier = "Standard" - account_replication_type = "GRS" + name = local.airlock_inprogress_export_storage_name + location = var.location + resource_group_name = var.ws_resource_group_name + account_tier = "Standard" + account_replication_type = "GRS" + allow_nested_items_to_be_public = false tags = { description = "airlock;export;inprogress" 
@@ -43,13 +95,36 @@ resource "azurerm_storage_account" "sa_inprogress_export" { lifecycle { ignore_changes = [tags] } } + +resource "azurerm_private_endpoint" "stg_ip_export_pe" { + name = "stg-ip-export-blob-${var.tre_id}" + location = var.location + resource_group_name = var.ws_resource_group_name + subnet_id = var.services_subnet_id + + lifecycle { ignore_changes = [tags] } + + private_dns_zone_group { + name = "private-dns-zone-group-stg-ip-export" + private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] + } + + private_service_connection { + name = "psc-stg-ip-export-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_inprogress_export.id + is_manual_connection = false + subresource_names = ["Blob"] + } +} + # 'Rejected' location for export resource "azurerm_storage_account" "sa_rejected_export" { - name = local.airlock_rejected_export_storage_name - location = var.location - resource_group_name = var.resource_group_name - account_tier = "Standard" - account_replication_type = "GRS" + name = local.airlock_rejected_export_storage_name + location = var.location + resource_group_name = var.ws_resource_group_name + account_tier = "Standard" + account_replication_type = "GRS" + allow_nested_items_to_be_public = false tags = { description = "airlock;export;rejected" 
@@ -57,3 +132,25 @@ resource "azurerm_storage_account" "sa_rejected_export" { lifecycle { ignore_changes = [tags] } } + + +resource "azurerm_private_endpoint" "stg_rej_export_pe" { + name = "stg-rej-export-blob-${var.tre_id}" + location = var.location + resource_group_name = var.ws_resource_group_name + subnet_id = var.services_subnet_id + + lifecycle { ignore_changes = [tags] } + + private_dns_zone_group { + name = "private-dns-zone-group-stg-rej-export" + private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] + } + + private_service_connection { + name = "psc-stg-rej-export-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_rejected_export.id + is_manual_connection = false + subresource_names = ["Blob"] + } +} diff --git a/templates/workspaces/base/terraform/airlock/variables.tf b/templates/workspaces/base/terraform/airlock/variables.tf index 3d1f9e2489..7c9affab48 100644 --- a/templates/workspaces/base/terraform/airlock/variables.tf +++ b/templates/workspaces/base/terraform/airlock/variables.tf @@ -1,3 +1,6 @@ variable "location" {} variable "tre_id" {} variable "ws_resource_group_name" {} +variable "enable_local_debugging" {} +variable "services_subnet_id" {} +variable "short_workspace_id" {} diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf index b08697ffce..b415c95854 100644 --- a/templates/workspaces/base/terraform/network/network.tf +++ b/templates/workspaces/base/terraform/network/network.tf @@ -26,6 +26,8 @@ resource "azurerm_subnet" "webapps" { enforce_private_link_endpoint_network_policies = true enforce_private_link_service_network_policies = true + service_endpoints = ["Microsoft.Storage"] + delegation { name = "delegation" diff --git a/templates/workspaces/base/terraform/workspace.tf b/templates/workspaces/base/terraform/workspace.tf index 45f8a84f30..76885bf653 100644 --- a/templates/workspaces/base/terraform/workspace.tf 
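Review bot: `service_endpoints = ["Microsoft.Storage"]` is added to the `webapps` subnet, but none of the workspace storage accounts in this commit declare `network_rules` that reference a subnet, and the four private endpoints are placed in `var.services_subnet_id`, so nothing visible consumes this service endpoint while it still reroutes all Storage traffic leaving the web apps subnet. Either remove it or add a comment naming the consumer, e.g. `# Needed by <web app> to reach the airlock accounts over the service endpoint`. The subnet resource continues outside this hunk.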
+++ b/templates/workspaces/base/terraform/workspace.tf @@ -34,3 +34,17 @@ module "aad" { azurerm_private_endpoint.kvpe ] } + +module "airlock" { + source = "./airlock" + location = var.location + tre_id = var.tre_id + ws_resource_group_name = azurerm_resource_group.ws.name + enable_local_debugging = true + services_subnet_id = module.network.services_subnet_id + short_workspace_id = local.short_workspace_id + + depends_on = [ + module.network, + ] +} From 94fa0ff5ac2ff73ec1b5e2e6dbf30d153a2431b7 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Wed, 25 May 2022 09:14:18 +0300 Subject: [PATCH 03/18] removing redundant output.tf file --- templates/core/terraform/airlock/outputs.tf | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 templates/core/terraform/airlock/outputs.tf diff --git a/templates/core/terraform/airlock/outputs.tf b/templates/core/terraform/airlock/outputs.tf deleted file mode 100644 index e69de29bb2..0000000000 From 493b1c0c342beffdbc49101b17f6727419e62790 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Wed, 25 May 2022 09:25:14 +0300 Subject: [PATCH 04/18] removing redundant output.tf file --- templates/workspaces/base/terraform/airlock/outputs.tf | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 templates/workspaces/base/terraform/airlock/outputs.tf diff --git a/templates/workspaces/base/terraform/airlock/outputs.tf b/templates/workspaces/base/terraform/airlock/outputs.tf deleted file mode 100644 index e69de29bb2..0000000000 From c424df3c638453fe357e84c901a93c1fd60330b1 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Wed, 25 May 2022 12:15:11 +0300 Subject: [PATCH 05/18] fix linter --- .github/workflows/build_validation_develop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index f01e02f34a..e188a7c19d 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -48,7 +48,7 @@ jobs: - name: Lint code base # the slim image is 2GB smaller and we don't use the extra stuff # Moved this after the Terraform checks above due something similar to this issue: https://github.com/github/super-linter/issues/2433 - uses: github/super-linter/slim@v4 + uses: github/super-linter/slim@v4.9.2 env: VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: main From d43631f0ba1945db0fc75afa14a3ae000f6fe69d Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Wed, 25 May 2022 20:29:59 +0300 Subject: [PATCH 06/18] Revert "fix linter" This reverts commit c424df3c638453fe357e84c901a93c1fd60330b1. --- .github/workflows/build_validation_develop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index e188a7c19d..f01e02f34a 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -48,7 +48,7 @@ jobs: - name: Lint code base # the slim image is 2GB smaller and we don't use the extra stuff # Moved this after the Terraform checks above due something similar to this issue: https://github.com/github/super-linter/issues/2433 - uses: github/super-linter/slim@v4.9.2 + uses: github/super-linter/slim@v4 env: VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: main From 82191f2241fb6373b3a8c91c516e5a3bfa01cd56 Mon Sep 17 00:00:00 2001 
From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 13:29:23 +0300 Subject: [PATCH 07/18] refactor names --- .../terraform/airlock/eventgrid_topics.tf | 82 +++++++++---------- templates/core/terraform/airlock/locals.tf | 41 +++++++--- .../core/terraform/airlock/service-bus.tf | 38 ++++----- .../terraform/airlock/storage_accounts.tf | 38 ++++----- templates/core/terraform/network/network.tf | 3 - .../terraform/airlock/eventgrid_topics.tf | 60 +++++++------- .../base/terraform/airlock/locals.tf | 16 ++-- .../terraform/airlock/storage_accounts.tf | 58 ++++++------- .../base/terraform/network/network.tf | 2 - 9 files changed, 175 insertions(+), 163 deletions(-) diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf index cf68c76990..0a4eed416d 100644 --- a/templates/core/terraform/airlock/eventgrid_topics.tf +++ b/templates/core/terraform/airlock/eventgrid_topics.tf @@ -1,6 +1,6 @@ # Event grid topics -resource "azurerm_eventgrid_topic" "egt_update_status_topic" { - name = local.egt_update_status_topic_name +resource "azurerm_eventgrid_topic" "update_status" { + name = local.update_status_topic_name location = var.location resource_group_name = var.resource_group_name @@ -9,8 +9,8 @@ resource "azurerm_eventgrid_topic" "egt_update_status_topic" { } } -resource "azurerm_eventgrid_topic" "egt_status_changed_topic" { - name = local.egt_status_changed_topic_name +resource "azurerm_eventgrid_topic" "status_changed" { + name = local.status_changed_topic_name location = var.location resource_group_name = var.resource_group_name 
@@ -20,56 +20,56 @@ resource "azurerm_eventgrid_topic" "egt_status_changed_topic" { } # System topic -resource "azurerm_eventgrid_system_topic" "inprogress_import_system_topic" { - name = local.egst_inprogress_import_sys_topic_name +resource "azurerm_eventgrid_system_topic" "import_inprogress_blob_created" { + name = local.import_inprogress_sys_topic_name location = var.location resource_group_name = var.resource_group_name - source_arm_resource_id = azurerm_storage_account.sa_in_progress_import.id + source_arm_resource_id = azurerm_storage_account.sa_import_in_progress.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { - Publishers = "airlock;in-progress-import-sa" + Publishers = "airlock;import-in-progress-sa" } depends_on = [ - azurerm_storage_account.sa_in_progress_import + azurerm_storage_account.sa_import_in_progress ] lifecycle { ignore_changes = [tags] } } -resource "azurerm_eventgrid_system_topic" "rejected_import_system_topic" { - name = local.egst_rejected_import_sys_topic_name +resource "azurerm_eventgrid_system_topic" "import_rejected_blob_created" { + name = local.import_rejected_sys_topic_name location = var.location resource_group_name = var.resource_group_name - source_arm_resource_id = azurerm_storage_account.sa_rejected_import.id + source_arm_resource_id = azurerm_storage_account.sa_import_rejected.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { - Publishers = "airlock;rejected-import-sa" + Publishers = "airlock;import-rejected-sa" } depends_on = [ - azurerm_storage_account.sa_rejected_import + azurerm_storage_account.sa_import_rejected ] lifecycle { ignore_changes = [tags] } } -resource "azurerm_eventgrid_system_topic" "accepted_export_system_topic" { - name = local.egst_accepted_export_sys_topic_name +resource "azurerm_eventgrid_system_topic" "export_approved_blob_created" { + name = local.export_approved_sys_topic_name location = var.location resource_group_name = var.resource_group_name - source_arm_resource_id = 
azurerm_storage_account.sa_accepted_export.id + source_arm_resource_id = azurerm_storage_account.sa_export_approved.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { - Publishers = "airlock;accepted-export-sa" + Publishers = "airlock;export-approved-sa" } depends_on = [ - azurerm_storage_account.sa_accepted_export + azurerm_storage_account.sa_export_approved ] lifecycle { ignore_changes = [tags] } @@ -77,8 +77,8 @@ resource "azurerm_eventgrid_system_topic" "accepted_export_system_topic" { # Custom topic (for scanning) -resource "azurerm_eventgrid_topic" "scan_result_topic" { - name = local.egt_scan_result_topic_name +resource "azurerm_eventgrid_topic" "scan_result" { + name = local.scan_result_topic_name location = var.location resource_group_name = var.resource_group_name 
@@ -91,38 +91,38 @@ resource "azurerm_eventgrid_topic" "scan_result_topic" { ## Subscriptions -resource "azurerm_eventgrid_event_subscription" "updated-status-subscription" { - name = "update-status" - scope = azurerm_eventgrid_topic.egt_update_status_topic.id +resource "azurerm_eventgrid_event_subscription" "updated_status" { + name = local.update_status_eventgrid_subscription_name + scope = azurerm_eventgrid_topic.update_status.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status_queue.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status.id } -resource "azurerm_eventgrid_event_subscription" "status-changed-subscription" { - name = "status-changed" - scope = azurerm_eventgrid_topic.egt_status_changed_topic.id +resource "azurerm_eventgrid_event_subscription" "status_changed" { + name = local.status_changed_eventgrid_subscription_name + scope = azurerm_eventgrid_topic.status_changed.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed_queue.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed.id } -resource "azurerm_eventgrid_event_subscription" "inprogress-import-blob-created-subscription" { - name = "in-prog-import-blob-created" - scope = azurerm_storage_account.sa_in_progress_import.id +resource "azurerm_eventgrid_event_subscription" "import_inprogress_blob_created" { + name = local.import_inprogress_eventgrid_subscription_name + scope = azurerm_storage_account.sa_import_in_progress.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.in_progress_import_blob_created_queue.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_in_progress_blob_created.id } -resource "azurerm_eventgrid_event_subscription" "rejected-import-blob-created-subscription" { - name = "rejected-import-blob-created" - scope = azurerm_storage_account.sa_rejected_import.id +resource "azurerm_eventgrid_event_subscription" "import_rejected_blob_created" { + name = 
local.import_rejected_eventgrid_subscription_name + scope = azurerm_storage_account.sa_import_rejected.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.rejected_import_blob_created_queue.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_rejected_blob_created.id } -resource "azurerm_eventgrid_event_subscription" "accepted-export-blob-created-subscription" { - name = "accepted-export-blob-created" - scope = azurerm_storage_account.sa_accepted_export.id +resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" { + name = local.export_approved_eventgrid_subscription_name + scope = azurerm_storage_account.sa_export_approved.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.accepted_export_blob_created_queue.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.export_approved_blob_created.id } diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf index 5de5c95871..043fad97b9 100644 --- a/templates/core/terraform/airlock/locals.tf +++ b/templates/core/terraform/airlock/locals.tf 
@@ -1,17 +1,36 @@ locals { # STorage AirLock EXternal - airlock_external_import_storage_name = lower(replace("stalexim${var.tre_id}", "-", "")) + import_external_storage_name = lower(replace("stalexim${var.tre_id}", "-", "")) # STorage AirLock InProgress IMport - airlock_in_progress_import_storage_name = lower(replace("stalipim${var.tre_id}", "-", "")) + import_in_progress_storage_name = lower(replace("stalipim${var.tre_id}", "-", "")) # STorage AirLock REJected IMport - airlock_rejected_import_storage_name = lower(replace("stalrejim${var.tre_id}", "-", "")) - # STorage AirLock ACCepted EXPort - airlock_accepted_export_storage_name = lower(replace("stalaccexp${var.tre_id}", "-", "")) + import_rejected_storage_name = lower(replace("stalrejim${var.tre_id}", "-", "")) + # STorage AirLock APProved EXPort + export_approved_storage_name = lower(replace("stalappexp${var.tre_id}", "-", "")) + + import_inprogress_sys_topic_name = "evgt-airlock-in-progress-import-${var.tre_id}" + import_rejected_sys_topic_name = "evgt-airlock-rejected-import-${var.tre_id}" + export_approved_sys_topic_name = "evgt-airlock-approved-export-${var.tre_id}" + + scan_result_topic_name = "evgt-airlock-scan-result-${var.tre_id}" + update_status_topic_name = "evgt-airlock-update-status-${var.tre_id}" + status_changed_topic_name = "evgt-airlock-status-changed-${var.tre_id}" + + update_status_queue_name = "airlock-update-status" + status_changed_queue_name = "airlock-status-changed" + scan_result_queue_name = "airlock-scan-result" + import_inprogress_queue_name = "airlock-import-in-progress-blob-created" + import_rejected_queue_name = "airlock-import-rejected-blob-created" + + import_approved_queue_name = "airlock-import-approved-blob-created" + export_inprogress_queue_name = "airlock-inprogress-export-blob-created" + export_rejected_queue_name = "airlock-export-rejected-blob-created" + export_approved_queue_name = "airlock-export-approved-blob-created" + + update_status_eventgrid_subscription_name = 
"airlock-update-status" + status_changed_eventgrid_subscription_name = "airlock-status-changed" + import_inprogress_eventgrid_subscription_name = "airlock-import-in_progress-blob-created" + import_rejected_eventgrid_subscription_name = "airlock-import-rejected-blob-created" + export_approved_eventgrid_subscription_name = "airlock-export-approved-blob-created" - egst_inprogress_import_sys_topic_name = "egst-in-prog-import-${var.tre_id}" - egst_rejected_import_sys_topic_name = "egst-rejected-import-${var.tre_id}" - egst_accepted_export_sys_topic_name = "egst-accepted-export-${var.tre_id}" - egt_scan_result_topic_name = "egt-scan-res-${var.tre_id}" - egt_update_status_topic_name = "egt-update-status-${var.tre_id}" - egt_status_changed_topic_name = "egt-status-changed-${var.tre_id}" } diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service-bus.tf index 1555692318..29b25cfb6c 100644 --- a/templates/core/terraform/airlock/service-bus.tf +++ b/templates/core/terraform/airlock/service-bus.tf 
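Review bot: The renamed identifiers mix conventions: `import_inprogress_eventgrid_subscription_name = "airlock-import-in_progress-blob-created"` uses an underscore where every sibling uses hyphens, and `export_inprogress_queue_name = "airlock-inprogress-export-blob-created"` puts the state before the direction while `import_inprogress_queue_name = "airlock-import-in-progress-blob-created"` does the opposite. These strings are looked up by name from the workspace module, so each inconsistency is a chance for a mistyped literal on the other side. Suggested values: `"airlock-import-in-progress-blob-created"` and `"airlock-export-in-progress-blob-created"`, with a comment above the queue block, `# Queue names are a contract with templates/workspaces/*/terraform/airlock data sources; rename both sides together`.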
@@ -5,68 +5,68 @@ data "azurerm_servicebus_namespace" "airlock_sb" { } -resource "azurerm_servicebus_queue" "update_status_queue" { - name = "update_status" +resource "azurerm_servicebus_queue" "update_status" { + name = local.update_status_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "status_changed_queue" { - name = "status_changed" +resource "azurerm_servicebus_queue" "status_changed" { + name = local.status_changed_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "in_progress_import_blob_created_queue" { - name = "in_progress_import_blob_created" +resource "azurerm_servicebus_queue" "import_in_progress_blob_created" { + name = local.import_inprogress_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "rejected_import_blob_created_queue" { - name = "rejected_import_blob_created" +resource "azurerm_servicebus_queue" "import_rejected_blob_created" { + name = local.import_rejected_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "scan_result_queue" { - name = "scan_result_queue" +resource "azurerm_servicebus_queue" "scan_result" { + name = local.scan_result_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "accepted_import_blob_created_queue" { - name = "accepted_import_blob_created" +resource "azurerm_servicebus_queue" "import_approved_blob_created" { + name = local.import_approved_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "in_progress_export_blob_created_queue" { - name = "inprogress_export_blob_created" +resource 
"azurerm_servicebus_queue" "export_in_progress_blob_created" { + name = local.export_inprogress_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -resource "azurerm_servicebus_queue" "rejected_export_blob_created_queue" { - name = "rejected_export_blob_created" +resource "azurerm_servicebus_queue" "export_rejected_blob_created" { + name = local.export_rejected_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false } -# Accepted export -resource "azurerm_servicebus_queue" "accepted_export_blob_created_queue" { - name = "accepted_export_blob_created" +# Approved export +resource "azurerm_servicebus_queue" "export_approved_blob_created" { + name = local.export_approved_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf index 8d0e8ecdb7..2199daabec 100644 --- a/templates/core/terraform/airlock/storage_accounts.tf +++ b/templates/core/terraform/airlock/storage_accounts.tf @@ -1,6 +1,6 @@ # 'External' storage account - drop location for import resource "azurerm_storage_account" "sa_external_import" { - name = local.airlock_external_import_storage_name + name = local.import_external_storage_name location = var.location resource_group_name = var.resource_group_name account_tier = "Standard" @@ -16,9 +16,9 @@ resource "azurerm_storage_account" "sa_external_import" { lifecycle { ignore_changes = [tags] } } -# 'Accepted' export -resource "azurerm_storage_account" "sa_accepted_export" { - name = local.airlock_accepted_export_storage_name +# 'Approved' export +resource "azurerm_storage_account" "sa_export_approved" { + name = local.export_approved_storage_name location = var.location resource_group_name = var.resource_group_name account_tier = "Standard" 
@@ -28,15 +28,15 @@ resource "azurerm_storage_account" "sa_accepted_export" { allow_blob_public_access = false tags = { - description = "airlock;export;accepted" + description = "airlock;export;approved" } lifecycle { ignore_changes = [tags] } } # 'In-Progress' storage account -resource "azurerm_storage_account" "sa_in_progress_import" { - name = local.airlock_in_progress_import_storage_name +resource "azurerm_storage_account" "sa_import_in_progress" { + name = local.import_in_progress_storage_name location = var.location resource_group_name = var.resource_group_name account_tier = "Standard" @@ -61,7 +61,7 @@ data "azurerm_private_dns_zone" "blobcore" { } resource "azurerm_private_endpoint" "stg_ip_import_pe" { - name = "stgipimport-blob-${var.tre_id}" + name = "stg-ip-import-blob-${var.tre_id}" location = var.location resource_group_name = var.resource_group_name subnet_id = var.shared_subnet_id @@ -69,13 +69,13 @@ resource "azurerm_private_endpoint" "stg_ip_import_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-ip-import" + name = "private-dns-zone-group-stg-import-ip" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { name = "psc-stgipimport-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_in_progress_import.id + private_connection_resource_id = azurerm_storage_account.sa_import_in_progress.id is_manual_connection = false subresource_names = ["Blob"] } @@ -83,8 +83,8 @@ resource "azurerm_private_endpoint" "stg_ip_import_pe" { # 'Rejected' storage account -resource "azurerm_storage_account" "sa_rejected_import" { - name = local.airlock_rejected_import_storage_name +resource "azurerm_storage_account" "sa_import_rejected" { + name = local.import_rejected_storage_name location = var.location resource_group_name = var.resource_group_name account_tier = "Standard" 
@@ -96,17 +96,15 @@ resource "azurerm_storage_account" "sa_rejected_import" { } network_rules { - default_action = var.enable_local_debugging ? "Allow" : "Deny" - bypass = ["AzureServices"] - virtual_network_subnet_ids = [var.shared_subnet_id] - + default_action = var.enable_local_debugging ? "Allow" : "Deny" + bypass = ["AzureServices"] } lifecycle { ignore_changes = [tags] } } resource "azurerm_private_endpoint" "stgipimportpe" { - name = "stg-rej-import-blob-${var.tre_id}" + name = "stg-import-rej-blob-${var.tre_id}" location = var.location resource_group_name = var.resource_group_name subnet_id = var.shared_subnet_id @@ -114,13 +112,13 @@ resource "azurerm_private_endpoint" "stgipimportpe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-rej-import" + name = "private-dns-zone-group-stg-import-rej" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-rej-import-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_rejected_import.id + name = "psc-stg-import-rej-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_import_rejected.id is_manual_connection = false subresource_names = ["Blob"] } diff --git a/templates/core/terraform/network/network.tf b/templates/core/terraform/network/network.tf index abb3769ee7..a4aeb9deee 100644 --- a/templates/core/terraform/network/network.tf +++ b/templates/core/terraform/network/network.tf @@ -55,9 +55,6 @@ resource "azurerm_subnet" "shared" { address_prefixes = [local.shared_services_subnet_address_prefix] # notice that private endpoints do not adhere to NSG rules enforce_private_link_endpoint_network_policies = true - - service_endpoints = ["Microsoft.Storage"] - } resource "azurerm_subnet" "resource_processor" { 
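Review bot: The `network_rules` block of `sa_import_rejected` is left with only `default_action` and the `AzureServices` bypass, and nothing in the file now says which path is meant to reach the account; the private endpoint `stgipimportpe` declared just below is the only visible one. A comment above `default_action` would stop the next reader from re-adding a subnet rule: `# No VNet rules on purpose: data-plane access is via the private endpoint below (stgipimportpe); service endpoints were dropped from the shared subnet in network/network.tf.` The same comment should say that `enable_local_debugging` still flips `default_action` to "Allow", which removes the firewall for the whole debugging session, so the toggle is for local development only. The removal of `service_endpoints = ["Microsoft.Storage"]` from `azurerm_subnet.shared` in this commit is consistent with that design, as is the identical removal from the workspace `webapps` subnet later in the same patch.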
diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf index 2826aad659..5b5dc56795 100644 --- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf +++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf @@ -1,9 +1,9 @@ # System topics -resource "azurerm_eventgrid_system_topic" "accepted_import_blob_created_system_topic" { - name = local.egst_accepted_import_sys_topic_name +resource "azurerm_eventgrid_system_topic" "import_approved_blob_created" { + name = local.import_approved_sys_topic_name location = var.location resource_group_name = var.ws_resource_group_name - source_arm_resource_id = azurerm_storage_account.sa_accepted_import.id + source_arm_resource_id = azurerm_storage_account.sa_import_approved.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { @@ -11,17 +11,17 @@ resource "azurerm_eventgrid_system_topic" "accepted_import_blob_created_system_t } depends_on = [ - azurerm_storage_account.sa_accepted_import + azurerm_storage_account.sa_import_approved ] lifecycle { ignore_changes = [tags] } } -resource "azurerm_eventgrid_system_topic" "inprogress_export_blob_created_system_topic" { - name = local.egst_inprogress_export_sys_topic_name +resource "azurerm_eventgrid_system_topic" "export_inprogress_blob_created" { + name = local.export_inprogress_sys_topic_name location = var.location resource_group_name = var.ws_resource_group_name - source_arm_resource_id = azurerm_storage_account.sa_inprogress_export.id + source_arm_resource_id = azurerm_storage_account.sa_export_inprogress.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { 
@@ -29,18 +29,18 @@ resource "azurerm_eventgrid_system_topic" "inprogress_export_blob_created_system } depends_on = [ - azurerm_storage_account.sa_inprogress_export + azurerm_storage_account.sa_export_inprogress ] lifecycle { ignore_changes = [tags] } } -resource "azurerm_eventgrid_system_topic" "rejected_export_blob_created_system_topic" { - name = local.egst_rejected_export_sys_topic_name +resource "azurerm_eventgrid_system_topic" "export_rejected_blob_created" { + name = local.export_rejected_sys_topic_name location = var.location resource_group_name = var.ws_resource_group_name - source_arm_resource_id = azurerm_storage_account.sa_rejected_export.id + source_arm_resource_id = azurerm_storage_account.sa_export_rejected.id topic_type = "Microsoft.Storage.StorageAccounts" tags = { @@ -48,7 +48,7 @@ resource "azurerm_eventgrid_system_topic" "rejected_export_blob_created_system_t } depends_on = [ - azurerm_storage_account.sa_rejected_export + azurerm_storage_account.sa_export_rejected ] lifecycle { ignore_changes = [tags] } 
@@ -59,42 +59,42 @@ data "azurerm_servicebus_namespace" "airlock_sb" { resource_group_name = local.core_resource_group_name } -data "azurerm_servicebus_queue" "accepted_import_blob_created_queue" { - name = "accepted_import_blob_created" +data "azurerm_servicebus_queue" "import_approved_blob_created" { + name = "import_approved_blob_created" resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } -data "azurerm_servicebus_queue" "in_progress_export_blob_created_queue" { - name = "inprogress_export_blob_created" +data "azurerm_servicebus_queue" "export_in_progress_blob_created" { + name = "export_inprogress_blob_created" resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } -data "azurerm_servicebus_queue" "rejected_export_blob_created_queue" { - name = "rejected_export_blob_created" +data "azurerm_servicebus_queue" "export_rejected_blob_created" { + name = "export_rejected_blob_created" resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } ## Subscriptions -resource "azurerm_eventgrid_event_subscription" "accepted-blob-created-subscription" { - name = "accepted-import-blob-created-${local.workspace_resource_name_suffix}" - scope = azurerm_storage_account.sa_accepted_import.id +resource "azurerm_eventgrid_event_subscription" "approved_blob_created" { + name = "import-approved-blob-created-${local.workspace_resource_name_suffix}" + scope = azurerm_storage_account.sa_import_approved.id - service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.accepted_import_blob_created_queue.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.import_approved_blob_created.id } -resource "azurerm_eventgrid_event_subscription" "inprogress-export-blob-created-subscription" { - name = "inprogress-export-blob-created-${local.workspace_resource_name_suffix}" - scope = azurerm_storage_account.sa_inprogress_export.id +resource 
"azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" { + name = "export-inprogress-blob-created-${local.workspace_resource_name_suffix}" + scope = azurerm_storage_account.sa_export_inprogress.id - service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.in_progress_export_blob_created_queue.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_in_progress_blob_created.id } -resource "azurerm_eventgrid_event_subscription" "rejected-export-blob-created-subscription" { - name = "rejected-export-blob-created-${local.workspace_resource_name_suffix}" - scope = azurerm_storage_account.sa_rejected_export.id +resource "azurerm_eventgrid_event_subscription" "export_rejected_blob_created" { + name = "export_rejected_blob_created-${local.workspace_resource_name_suffix}" + scope = azurerm_storage_account.sa_export_rejected.id - service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.rejected_export_blob_created_queue.id + service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_rejected_blob_created.id } diff --git a/templates/workspaces/base/terraform/airlock/locals.tf b/templates/workspaces/base/terraform/airlock/locals.tf index 3c2910ded6..d52b81e729 100644 --- a/templates/workspaces/base/terraform/airlock/locals.tf +++ b/templates/workspaces/base/terraform/airlock/locals.tf 
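Review bot: The new `export_rejected_blob_created` subscription is named `"export_rejected_blob_created-${local.workspace_resource_name_suffix}"` with underscores, while its two siblings in the same hunk use hyphenated names (`import-approved-blob-created-…`, `export-inprogress-blob-created-…`); change it to `name = "export-rejected-blob-created-${local.workspace_resource_name_suffix}"` so all three follow one pattern (Event Grid subscription names are also restrictive about allowed characters, if I recall the rules correctly, so the hyphenated form is the safer one). The three `data "azurerm_servicebus_queue"` lookups hard-code queue names (`import_approved_blob_created`, `export_inprogress_blob_created`, `export_rejected_blob_created`) that must equal whatever the core template's locals assign; the core locals visible later in this series use the `airlock-…-blob-created` form, so unless a later commit aligns these literals the workspace plan will fail to resolve the queues. A one-line comment on the first data block, `# must match import_approved_queue_name in templates/core/terraform/airlock/locals.tf`, would make the coupling explicit.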
@@ -2,16 +2,16 @@ locals { core_resource_group_name = "rg-${var.tre_id}" workspace_resource_name_suffix = "${var.tre_id}-ws-${var.short_workspace_id}" - egst_accepted_import_sys_topic_name = "egst-accepted-imp-${local.workspace_resource_name_suffix}" - egst_inprogress_export_sys_topic_name = "egst-inprog-exp-${local.workspace_resource_name_suffix}" - egst_rejected_export_sys_topic_name = "egst-rejected-exp-${local.workspace_resource_name_suffix}" + import_approved_sys_topic_name = "evgt-airlock-import-approved-${local.workspace_resource_name_suffix}" + export_inprogress_sys_topic_name = "evgt-airlock-export-inprog-${local.workspace_resource_name_suffix}" + export_rejected_sys_topic_name = "evgt-airlock-export-rejected-${local.workspace_resource_name_suffix}" - # STorage AirLock ACCepted IMport - airlock_accepted_import_storage_name = lower(replace("stalaccim${local.workspace_resource_name_suffix}", "-", "")) + # STorage AirLock APProved IMport + import_approved_storage_name = lower(replace("stalimapp${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock INTernal EXport - airlock_internal_export_storage_name = lower(replace("stalintex${local.workspace_resource_name_suffix}", "-", "")) + export_internal_storage_name = lower(replace("stalexint${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock InProgress EXport - airlock_inprogress_export_storage_name = lower(replace("stalipex${local.workspace_resource_name_suffix}", "-", "")) + export_inprogress_storage_name = lower(replace("stalexip${local.workspace_resource_name_suffix}", "-", "")) # STorage AirLock REJected EXport - airlock_rejected_export_storage_name = lower(replace("stalrejex${local.workspace_resource_name_suffix}", "-", "")) + export_rejected_storage_name = lower(replace("stalexrej${local.workspace_resource_name_suffix}", "-", "")) } 
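Review bot: The abbreviation comments in the workspace locals no longer describe the prefixes beneath them: `stalimapp` is import-then-approved but the comment still reads `# STorage AirLock APProved IMport`, and `stalexint`, `stalexip` and `stalexrej` are export-first while their comments keep the old order (`# STorage AirLock INTernal EXport` and so on). Reorder each comment to match its prefix, e.g. `# STorage AirLock IMport APProved`, `# STorage AirLock EXport INTernal`, `# STorage AirLock EXport InProgress`, `# STorage AirLock EXport REJected`. These comments are the only place the short storage-account prefixes are decoded, so they are worth keeping accurate.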
diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index b4088a89f3..5efe755c2e 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -1,6 +1,6 @@ -# 'Accepted' storage account -resource "azurerm_storage_account" "sa_accepted_import" { - name = local.airlock_accepted_import_storage_name +# 'Approved' storage account +resource "azurerm_storage_account" "sa_import_approved" { + name = local.import_approved_storage_name location = var.location resource_group_name = var.ws_resource_group_name account_tier = "Standard" @@ -8,7 +8,7 @@ resource "azurerm_storage_account" "sa_accepted_import" { allow_nested_items_to_be_public = false tags = { - description = "airlock;import;accepted" + description = "airlock;import;approved" } lifecycle { ignore_changes = [tags] } @@ -19,8 +19,8 @@ data "azurerm_private_dns_zone" "blobcore" { resource_group_name = local.core_resource_group_name } -resource "azurerm_private_endpoint" "stg_acc_import_pe" { - name = "stg-acc-import-blob-${var.tre_id}" +resource "azurerm_private_endpoint" "import_approved_pe" { + name = "stg-import-approved-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id 
@@ -28,13 +28,13 @@ resource "azurerm_private_endpoint" "stg_acc_import_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-acc-import" + name = "private-dns-zone-group-stg-import-approved" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-acc-import-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_accepted_import.id + name = "psc-stg-import-approved-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_import_approved.id is_manual_connection = false subresource_names = ["Blob"] } @@ -42,8 +42,8 @@ resource "azurerm_private_endpoint" "stg_acc_import_pe" { # 'Drop' location for export -resource "azurerm_storage_account" "sa_internal_export" { - name = local.airlock_internal_export_storage_name +resource "azurerm_storage_account" "sa_export_internal" { + name = local.export_internal_storage_name location = var.location resource_group_name = var.ws_resource_group_name account_tier = "Standard" @@ -58,8 +58,8 @@ resource "azurerm_storage_account" "sa_internal_export" { } -resource "azurerm_private_endpoint" "stg_int_export_pe" { - name = "stg-int-export-blob-${var.tre_id}" +resource "azurerm_private_endpoint" "export_internal_pe" { + name = "stg-export-int-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id 
@@ -67,21 +67,21 @@ resource "azurerm_private_endpoint" "stg_int_export_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-int-export" + name = "private-dns-zone-group-stg-export-int" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-int-export-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_internal_export.id + name = "psc-stg-export-int-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_export_internal.id is_manual_connection = false subresource_names = ["Blob"] } } # 'In-progress' location for export -resource "azurerm_storage_account" "sa_inprogress_export" { - name = local.airlock_inprogress_export_storage_name +resource "azurerm_storage_account" "sa_export_inprogress" { + name = local.export_inprogress_storage_name location = var.location resource_group_name = var.ws_resource_group_name account_tier = "Standard" @@ -96,7 +96,7 @@ resource "azurerm_storage_account" "sa_inprogress_export" { } -resource "azurerm_private_endpoint" "stg_ip_export_pe" { +resource "azurerm_private_endpoint" "export_inprogress_pe" { name = "stg-ip-export-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name 
@@ -105,21 +105,21 @@ resource "azurerm_private_endpoint" "stg_ip_export_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-ip-export" + name = "private-dns-zone-group-stg-export-ip" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-ip-export-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_inprogress_export.id + name = "psc-stg-export-ip-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_export_inprogress.id is_manual_connection = false subresource_names = ["Blob"] } } # 'Rejected' location for export -resource "azurerm_storage_account" "sa_rejected_export" { - name = local.airlock_rejected_export_storage_name +resource "azurerm_storage_account" "sa_export_rejected" { + name = local.export_rejected_storage_name location = var.location resource_group_name = var.ws_resource_group_name account_tier = "Standard" @@ -134,8 +134,8 @@ resource "azurerm_storage_account" "sa_rejected_export" { } -resource "azurerm_private_endpoint" "stg_rej_export_pe" { - name = "stg-rej-export-blob-${var.tre_id}" +resource "azurerm_private_endpoint" "export_rejected_pe" { + name = "stg-export-rej-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id 
@@ -143,13 +143,13 @@ resource "azurerm_private_endpoint" "stg_rej_export_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-rej-export" + name = "private-dns-zone-group-stg-export-rej" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-rej-export-${var.tre_id}" - private_connection_resource_id = azurerm_storage_account.sa_rejected_export.id + name = "psc-stg-export-rej-${var.tre_id}" + private_connection_resource_id = azurerm_storage_account.sa_export_rejected.id is_manual_connection = false subresource_names = ["Blob"] } diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf index b415c95854..b08697ffce 100644 --- a/templates/workspaces/base/terraform/network/network.tf +++ b/templates/workspaces/base/terraform/network/network.tf @@ -26,8 +26,6 @@ resource "azurerm_subnet" "webapps" { enforce_private_link_endpoint_network_policies = true enforce_private_link_service_network_policies = true - service_endpoints = ["Microsoft.Storage"] - delegation { name = "delegation" From fdbd96c9b7723db2b4e3db4b8bb40577e6028523 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 11:19:20 +0000 Subject: [PATCH 08/18] minor fixes --- .../terraform/airlock/eventgrid_topics.tf | 20 +++++++++++++++++++ templates/core/terraform/airlock/locals.tf | 2 +- .../terraform/airlock/eventgrid_topics.tf | 14 ++++++++++++- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf index 0a4eed416d..b8346abbbd 100644 --- a/templates/core/terraform/airlock/eventgrid_topics.tf +++ b/templates/core/terraform/airlock/eventgrid_topics.tf 
@@ -96,6 +96,10 @@ resource "azurerm_eventgrid_event_subscription" "updated_status" { scope = azurerm_eventgrid_topic.update_status.id service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status.id + + depends_on = [ + azurerm_eventgrid_topic.update_status + ] } resource "azurerm_eventgrid_event_subscription" "status_changed" { @@ -103,6 +107,10 @@ resource "azurerm_eventgrid_event_subscription" "status_changed" { scope = azurerm_eventgrid_topic.status_changed.id service_bus_queue_endpoint_id = azurerm_servicebus_queue.status_changed.id + + depends_on = [ + azurerm_eventgrid_topic.status_changed + ] } resource "azurerm_eventgrid_event_subscription" "import_inprogress_blob_created" { @@ -110,6 +118,10 @@ resource "azurerm_eventgrid_event_subscription" "import_inprogress_blob_created" scope = azurerm_storage_account.sa_import_in_progress.id service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_in_progress_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.import_inprogress_blob_created + ] } resource "azurerm_eventgrid_event_subscription" "import_rejected_blob_created" { @@ -117,6 +129,10 @@ resource "azurerm_eventgrid_event_subscription" "import_rejected_blob_created" { scope = azurerm_storage_account.sa_import_rejected.id service_bus_queue_endpoint_id = azurerm_servicebus_queue.import_rejected_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.import_rejected_blob_created + ] } resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" { @@ -124,5 +140,9 @@ resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" { scope = azurerm_storage_account.sa_export_approved.id service_bus_queue_endpoint_id = azurerm_servicebus_queue.export_approved_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.export_approved_blob_created + ] } 
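Review bot: The `depends_on` added to the `updated_status` and `status_changed` subscriptions duplicates an edge Terraform already has, because `scope = azurerm_eventgrid_topic.update_status.id` (and likewise for `status_changed`) already orders the topic before the subscription; those two blocks can be dropped. The three that point at `azurerm_eventgrid_system_topic.*` are different: the subscription's `scope` is the storage account, not the system topic, so without the explicit dependency Terraform has no reason to create the system topic first, and that deserves a comment such as `# scope is the storage account, not the system topic, so the ordering must be stated explicitly`. The same comment applies to the workspace `eventgrid_topics.tf` hunks of this commit, which are all of the system-topic kind.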
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf index 043fad97b9..6d6e45464b 100644 --- a/templates/core/terraform/airlock/locals.tf +++ b/templates/core/terraform/airlock/locals.tf @@ -29,7 +29,7 @@ locals { update_status_eventgrid_subscription_name = "airlock-update-status" status_changed_eventgrid_subscription_name = "airlock-status-changed" - import_inprogress_eventgrid_subscription_name = "airlock-import-in_progress-blob-created" + import_inprogress_eventgrid_subscription_name = "airlock-import-in-progress-blob-created" import_rejected_eventgrid_subscription_name = "airlock-import-rejected-blob-created" export_approved_eventgrid_subscription_name = "airlock-export-approved-blob-created" diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf index 5b5dc56795..49aa63f16b 100644 --- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf +++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf @@ -78,11 +78,15 @@ data "azurerm_servicebus_queue" "export_rejected_blob_created" { } ## Subscriptions -resource "azurerm_eventgrid_event_subscription" "approved_blob_created" { +resource "azurerm_eventgrid_event_subscription" "import_approved_blob_created" { name = "import-approved-blob-created-${local.workspace_resource_name_suffix}" scope = azurerm_storage_account.sa_import_approved.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.import_approved_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.import_approved_blob_created + ] } resource "azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" { 
@@ -90,6 +94,10 @@ resource "azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" scope = azurerm_storage_account.sa_export_inprogress.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_in_progress_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.export_inprogress_blob_created + ] } resource "azurerm_eventgrid_event_subscription" "export_rejected_blob_created" { @@ -97,4 +105,8 @@ resource "azurerm_eventgrid_event_subscription" "export_rejected_blob_created" { scope = azurerm_storage_account.sa_export_rejected.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_rejected_blob_created.id + + depends_on = [ + azurerm_eventgrid_system_topic.export_rejected_blob_created + ] } From 58f8493465c72e787c55af92755946421dae558b Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 14:26:19 +0300 Subject: [PATCH 09/18] name changes --- templates/core/terraform/airlock/locals.tf | 8 ++++---- .../base/terraform/airlock/storage_accounts.tf | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf index 6d6e45464b..2928f1a672 100644 --- a/templates/core/terraform/airlock/locals.tf +++ b/templates/core/terraform/airlock/locals.tf 
@@ -8,9 +8,9 @@ locals { # STorage AirLock APProved EXPort export_approved_storage_name = lower(replace("stalappexp${var.tre_id}", "-", "")) - import_inprogress_sys_topic_name = "evgt-airlock-in-progress-import-${var.tre_id}" - import_rejected_sys_topic_name = "evgt-airlock-rejected-import-${var.tre_id}" - export_approved_sys_topic_name = "evgt-airlock-approved-export-${var.tre_id}" + import_inprogress_sys_topic_name = "evgt-airlock-import-in-progress-import-${var.tre_id}" + import_rejected_sys_topic_name = "evgt-airlock-import-rejected-${var.tre_id}" + export_approved_sys_topic_name = "evgt-airlock-export-approved-${var.tre_id}" scan_result_topic_name = "evgt-airlock-scan-result-${var.tre_id}" update_status_topic_name = "evgt-airlock-update-status-${var.tre_id}" @@ -23,7 +23,7 @@ locals { import_rejected_queue_name = "airlock-import-rejected-blob-created" import_approved_queue_name = "airlock-import-approved-blob-created" - export_inprogress_queue_name = "airlock-inprogress-export-blob-created" + export_inprogress_queue_name = "airlock-export-inprogress-blob-created" export_rejected_queue_name = "airlock-export-rejected-blob-created" export_approved_queue_name = "airlock-export-approved-blob-created" diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index 5efe755c2e..e66cc30a74 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -97,7 +97,7 @@ resource "azurerm_storage_account" "sa_export_inprogress" { resource "azurerm_private_endpoint" "export_inprogress_pe" { - name = "stg-ip-export-blob-${var.tre_id}" + name = "pe-sa-ip-export-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id 
@@ -105,12 +105,12 @@ resource "azurerm_private_endpoint" "export_inprogress_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-export-ip" + name = "private-dns-zone-group-sa-export-ip" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-export-ip-${var.tre_id}" + name = "psc-sa-export-ip-${var.tre_id}" private_connection_resource_id = azurerm_storage_account.sa_export_inprogress.id is_manual_connection = false subresource_names = ["Blob"] @@ -135,7 +135,7 @@ resource "azurerm_storage_account" "sa_export_rejected" { resource "azurerm_private_endpoint" "export_rejected_pe" { - name = "stg-export-rej-blob-${var.tre_id}" + name = "pe-sa-export-rej-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -143,12 +143,12 @@ resource "azurerm_private_endpoint" "export_rejected_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-export-rej" + name = "private-dns-zone-group-sa-export-rej" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-export-rej-${var.tre_id}" + name = "psc-sa-export-rej-${var.tre_id}" private_connection_resource_id = azurerm_storage_account.sa_export_rejected.id is_manual_connection = false subresource_names = ["Blob"] From c3463feaed52b1fbab5f6af909c5c1bdbc3ec298 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 14:35:47 +0300 Subject: [PATCH 10/18] name change --- .../base/terraform/airlock/storage_accounts.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index e66cc30a74..92cf1376de 100644 
--- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -20,7 +20,7 @@ data "azurerm_private_dns_zone" "blobcore" { } resource "azurerm_private_endpoint" "import_approved_pe" { - name = "stg-import-approved-blob-${var.tre_id}" + name = "pe-sa-import-approved-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -28,12 +28,12 @@ resource "azurerm_private_endpoint" "import_approved_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-import-approved" + name = "private-dns-zone-group-sa-import-approved" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-import-approved-${var.tre_id}" + name = "psc-sa-import-approved-${var.tre_id}" private_connection_resource_id = azurerm_storage_account.sa_import_approved.id is_manual_connection = false subresource_names = ["Blob"] @@ -59,7 +59,7 @@ resource "azurerm_storage_account" "sa_export_internal" { resource "azurerm_private_endpoint" "export_internal_pe" { - name = "stg-export-int-blob-${var.tre_id}" + name = "pe-sa-export-int-blob-${var.tre_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -67,12 +67,12 @@ resource "azurerm_private_endpoint" "export_internal_pe" { lifecycle { ignore_changes = [tags] } private_dns_zone_group { - name = "private-dns-zone-group-stg-export-int" + name = "private-dns-zone-group-sa-export-int" private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id] } private_service_connection { - name = "psc-stg-export-int-${var.tre_id}" + name = "psc-sa-export-int-${var.tre_id}" private_connection_resource_id = azurerm_storage_account.sa_export_internal.id is_manual_connection = false subresource_names = ["Blob"] 
From 9be8ed31b6dfab76fed496d24f9e496bae52313f Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 17:10:59 +0300 Subject: [PATCH 11/18] hns false and update porter version --- .../core/terraform/airlock/storage_accounts.tf | 16 ++++++++++++++++ templates/workspaces/base/porter.yaml | 2 +- .../base/terraform/airlock/storage_accounts.tf | 16 ++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf index 2199daabec..4ddd07d9ea 100644 --- a/templates/core/terraform/airlock/storage_accounts.tf +++ b/templates/core/terraform/airlock/storage_accounts.tf @@ -9,6 +9,10 @@ resource "azurerm_storage_account" "sa_external_import" { # Don't allow anonymous access (unrelated to the 'public' networking rules) allow_blob_public_access = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;import;external" } @@ -27,6 +31,10 @@ resource "azurerm_storage_account" "sa_export_approved" { # Don't allow anonymous access (unrelated to the 'public' networking rules) allow_blob_public_access = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;export;approved" } 
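Review bot: The comment added above `is_hns_enabled = false` misspells "created" as "craeted", and because the same three lines are pasted into eight storage accounts in this commit (the four hunks of this file and the four in the workspace `storage_accounts.tf`) the typo is copied eight times; a tighter wording would be `# Important: the airlock relies on Blob Created events being raised only once a blob is fully written. That holds only while Hierarchical Namespace is DISABLED - do not enable it.` Consider keeping that rationale in one place (for example next to the storage-name locals) and leaving a one-line pointer at each account, since eight copies will drift. If I recall correctly the provider treats `is_hns_enabled` as replace-on-change, so the comment could also warn that flipping it later would recreate the account rather than update it.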
@@ -43,6 +51,10 @@ resource "azurerm_storage_account" "sa_import_in_progress" { account_replication_type = "GRS" allow_blob_public_access = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;import;in-progress" } @@ -91,6 +103,10 @@ resource "azurerm_storage_account" "sa_import_rejected" { account_replication_type = "GRS" allow_blob_public_access = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;import;rejected" } diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index ab33b1912f..b5c077e387 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,6 +1,6 @@ --- name: tre-workspace-base -version: 0.3.3 +version: 0.3.4 description: "A base Azure TRE workspace" registry: azuretre diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index 92cf1376de..894701044d 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -7,6 +7,10 @@ resource "azurerm_storage_account" "sa_import_approved" { account_replication_type = "GRS" allow_nested_items_to_be_public = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;import;approved" } 
@@ -50,6 +54,10 @@ resource "azurerm_storage_account" "sa_export_internal" { account_replication_type = "GRS" allow_nested_items_to_be_public = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;export;internal" } @@ -88,6 +96,10 @@ resource "azurerm_storage_account" "sa_export_inprogress" { account_replication_type = "GRS" allow_nested_items_to_be_public = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;export;inprogress" } @@ -126,6 +138,10 @@ resource "azurerm_storage_account" "sa_export_rejected" { account_replication_type = "GRS" allow_nested_items_to_be_public = false + # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done. + # This is true ONLY when Hierarchical Namespace is DISABLED + is_hns_enabled = false + tags = { description = "airlock;export;rejected" } From c16e4c1154c1a2e845dc1255e05788a15ac94552 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 14:34:16 +0000 Subject: [PATCH 12/18] renaming --- .../core/terraform/airlock/eventgrid_topics.tf | 14 +++++++------- templates/core/terraform/airlock/locals.tf | 16 ++++++++-------- templates/core/terraform/airlock/service-bus.tf | 4 ++-- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/templates/core/terraform/airlock/eventgrid_topics.tf b/templates/core/terraform/airlock/eventgrid_topics.tf index b8346abbbd..0ef1d82141 100644 --- a/templates/core/terraform/airlock/eventgrid_topics.tf +++ b/templates/core/terraform/airlock/eventgrid_topics.tf 
@@ -1,6 +1,6 @@ # Event grid topics -resource "azurerm_eventgrid_topic" "update_status" { - name = local.update_status_topic_name +resource "azurerm_eventgrid_topic" "step_result" { + name = local.step_result_topic_name location = var.location resource_group_name = var.resource_group_name @@ -91,14 +91,14 @@ resource "azurerm_eventgrid_topic" "scan_result" { ## Subscriptions -resource "azurerm_eventgrid_event_subscription" "updated_status" { - name = local.update_status_eventgrid_subscription_name - scope = azurerm_eventgrid_topic.update_status.id +resource "azurerm_eventgrid_event_subscription" "step_result" { + name = local.step_result_eventgrid_subscription_name + scope = azurerm_eventgrid_topic.step_result.id - service_bus_queue_endpoint_id = azurerm_servicebus_queue.update_status.id + service_bus_queue_endpoint_id = azurerm_servicebus_queue.step_result.id depends_on = [ - azurerm_eventgrid_topic.update_status + azurerm_eventgrid_topic.step_result ] } diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf index 2928f1a672..4b1ff48df1 100644 --- a/templates/core/terraform/airlock/locals.tf +++ b/templates/core/terraform/airlock/locals.tf 
@@ -8,15 +8,15 @@ locals { # STorage AirLock APProved EXPort export_approved_storage_name = lower(replace("stalappexp${var.tre_id}", "-", "")) - import_inprogress_sys_topic_name = "evgt-airlock-import-in-progress-import-${var.tre_id}" + import_inprogress_sys_topic_name = "evgt-airlock-import-in-progress-${var.tre_id}" import_rejected_sys_topic_name = "evgt-airlock-import-rejected-${var.tre_id}" export_approved_sys_topic_name = "evgt-airlock-export-approved-${var.tre_id}" scan_result_topic_name = "evgt-airlock-scan-result-${var.tre_id}" - update_status_topic_name = "evgt-airlock-update-status-${var.tre_id}" + step_result_topic_name = "evgt-airlock-step-result-${var.tre_id}" status_changed_topic_name = "evgt-airlock-status-changed-${var.tre_id}" - update_status_queue_name = "airlock-update-status" + step_result_queue_name = "airlock-step-result" status_changed_queue_name = "airlock-status-changed" scan_result_queue_name = "airlock-scan-result" import_inprogress_queue_name = "airlock-import-in-progress-blob-created" 
@@ -27,10 +27,10 @@ locals { export_rejected_queue_name = "airlock-export-rejected-blob-created" export_approved_queue_name = "airlock-export-approved-blob-created" - update_status_eventgrid_subscription_name = "airlock-update-status" - status_changed_eventgrid_subscription_name = "airlock-status-changed" - import_inprogress_eventgrid_subscription_name = "airlock-import-in-progress-blob-created" - import_rejected_eventgrid_subscription_name = "airlock-import-rejected-blob-created" - export_approved_eventgrid_subscription_name = "airlock-export-approved-blob-created" + airlock_step_result_eventgrid_subscription_name = "evgs-airlock-update-status" + airlock_status_changed_eventgrid_subscription_name = "evgs-airlock-status-changed" + import_inprogress_eventgrid_subscription_name = "evgs-airlock-import-in-progress-blob-created" + import_rejected_eventgrid_subscription_name = "evgs-airlock-import-rejected-blob-created" + export_approved_eventgrid_subscription_name = "evgs-airlock-export-approved-blob-created" } diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service-bus.tf index 29b25cfb6c..580ccb4bba 100644 --- a/templates/core/terraform/airlock/service-bus.tf +++ b/templates/core/terraform/airlock/service-bus.tf @@ -5,8 +5,8 @@ data "azurerm_servicebus_namespace" "airlock_sb" { } -resource "azurerm_servicebus_queue" "update_status" { - name = local.update_status_queue_name +resource "azurerm_servicebus_queue" "step_result" { + name = local.step_result_queue_name namespace_id = data.azurerm_servicebus_namespace.airlock_sb.id enable_partitioning = false From 5184643f5ed2c886f809eb2c7b85e6c505ca92d3 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 17:55:46 +0000 Subject: [PATCH 13/18] fix --- templates/core/terraform/airlock/locals.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf index 4b1ff48df1..080b0e05d5 100644 --- a/templates/core/terraform/airlock/locals.tf +++ b/templates/core/terraform/airlock/locals.tf @@ -27,10 +27,10 @@ locals { export_rejected_queue_name = "airlock-export-rejected-blob-created" export_approved_queue_name = "airlock-export-approved-blob-created" - airlock_step_result_eventgrid_subscription_name = "evgs-airlock-update-status" - airlock_status_changed_eventgrid_subscription_name = "evgs-airlock-status-changed" - import_inprogress_eventgrid_subscription_name = "evgs-airlock-import-in-progress-blob-created" - import_rejected_eventgrid_subscription_name = "evgs-airlock-import-rejected-blob-created" - export_approved_eventgrid_subscription_name = "evgs-airlock-export-approved-blob-created" + step_result_eventgrid_subscription_name = "evgs-airlock-update-status" + status_changed_eventgrid_subscription_name = "evgs-airlock-status-changed" + import_inprogress_eventgrid_subscription_name = "evgs-airlock-import-in-progress-blob-created" + import_rejected_eventgrid_subscription_name = "evgs-airlock-import-rejected-blob-created" + export_approved_eventgrid_subscription_name = "evgs-airlock-export-approved-blob-created" } From 0cb4e62b6444b70408190bbf4bbdf662c8d80799 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 21:46:39 +0300 Subject: [PATCH 14/18] rename file --- .../core/terraform/airlock/{service-bus.tf => service_bus.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename templates/core/terraform/airlock/{service-bus.tf => service_bus.tf} (100%) diff --git a/templates/core/terraform/airlock/service-bus.tf b/templates/core/terraform/airlock/service_bus.tf similarity index 100% rename from templates/core/terraform/airlock/service-bus.tf rename to templates/core/terraform/airlock/service_bus.tf From 0338c6446ff7410fe2a00c3296d4c17df317d9d5 Mon Sep 17 00:00:00 2001 
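Review bot: `step_result_eventgrid_subscription_name = "evgs-airlock-update-status"` keeps the pre-rename Azure resource name while the topic (`evgt-airlock-step-result-${var.tre_id}`, renamed in the earlier locals hunk of this series) and the queue (`airlock-step-result`) now say step-result, so anyone correlating Event Grid diagnostics with the Service Bus queue will be matching two different names for one delivery path. This "fix" commit repairs the local's identifier but not its value; `step_result_eventgrid_subscription_name = "evgs-airlock-step-result"` completes the rename. Changing an event subscription's name is a replace, and as far as I know events published to a custom topic while it has no matching subscription are not retained, so it is better to take that one-off replacement now than after the airlock is processing requests.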
From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 22:31:00 +0300 Subject: [PATCH 15/18] fix storage name --- templates/workspaces/base/terraform/airlock/locals.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/workspaces/base/terraform/airlock/locals.tf b/templates/workspaces/base/terraform/airlock/locals.tf index d52b81e729..c5cb0e19f6 100644 --- a/templates/workspaces/base/terraform/airlock/locals.tf +++ b/templates/workspaces/base/terraform/airlock/locals.tf @@ -7,11 +7,11 @@ locals { export_rejected_sys_topic_name = "evgt-airlock-export-rejected-${local.workspace_resource_name_suffix}" # STorage AirLock APProved IMport - import_approved_storage_name = lower(replace("stalimapp${local.workspace_resource_name_suffix}", "-", "")) + import_approved_storage_name = lower(replace("stalimapp${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", "")) # STorage AirLock INTernal EXport - export_internal_storage_name = lower(replace("stalexint${local.workspace_resource_name_suffix}", "-", "")) + export_internal_storage_name = lower(replace("stalexint${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", "")) # STorage AirLock InProgress EXport - export_inprogress_storage_name = lower(replace("stalexip${local.workspace_resource_name_suffix}", "-", "")) + export_inprogress_storage_name = lower(replace("stalexip${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", "")) # STorage AirLock REJected EXport - export_rejected_storage_name = lower(replace("stalexrej${local.workspace_resource_name_suffix}", "-", "")) + export_rejected_storage_name = lower(replace("stalexrej${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", "")) } From fe4e43d1568cd9d28224e07e23dfb475a7d5f2f6 Mon Sep 17 00:00:00 2001 
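Review bot: `substr(local.workspace_resource_name_suffix, -8, -1)` appears four times in this hunk with nothing explaining the -8 or the -1, and it quietly changes what keeps these globally unique storage-account names distinct: only the last 8 characters of the suffix are used now, so if that suffix is built from the TRE id plus a workspace id (its definition is not visible here), two TREs whose workspaces end in the same 8 characters would collide, and the deployment would only fail at apply time. I would compute the truncated value once, document the limit it exists for, and reuse it in the four names. Keeping `lower(replace(...))` only around the suffix is equivalent, because the fixed prefixes are already lowercase alphanumerics.
```hcl
  # … unchanged: *_sys_topic_name locals …

  # Storage account names are limited to 3-24 lowercase alphanumerics, so only the
  # last 8 characters of the workspace suffix fit after the 8-9 character prefixes.
  # NOTE(review): these names are globally unique in Azure - confirm the last 8
  # characters cannot repeat across TREs whose workspaces share a short id.
  storage_name_suffix = lower(replace(substr(local.workspace_resource_name_suffix, -8, -1), "-", ""))

  import_approved_storage_name   = "stalimapp${local.storage_name_suffix}"
  export_internal_storage_name   = "stalexint${local.storage_name_suffix}"
  export_inprogress_storage_name = "stalexip${local.storage_name_suffix}"
  export_rejected_storage_name   = "stalexrej${local.storage_name_suffix}"
```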
From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 23:04:52 +0300 Subject: [PATCH 16/18] fix --- .../base/terraform/airlock/eventgrid_topics.tf | 6 +++--- .../base/terraform/airlock/storage_accounts.tf | 16 ++++++++-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf index 49aa63f16b..1d46efe369 100644 --- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf +++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf @@ -79,7 +79,7 @@ data "azurerm_servicebus_queue" "export_rejected_blob_created" { ## Subscriptions resource "azurerm_eventgrid_event_subscription" "import_approved_blob_created" { - name = "import-approved-blob-created-${local.workspace_resource_name_suffix}" + name = "import-approved-blob-created-${var.short_workspace_id}" scope = azurerm_storage_account.sa_import_approved.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.import_approved_blob_created.id @@ -90,7 +90,7 @@ resource "azurerm_eventgrid_event_subscription" "import_approved_blob_created" { } resource "azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" { - name = "export-inprogress-blob-created-${local.workspace_resource_name_suffix}" + name = "export-inprogress-blob-created-${var.short_workspace_id}" scope = azurerm_storage_account.sa_export_inprogress.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_in_progress_blob_created.id 
@@ -101,7 +101,7 @@ resource "azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" } resource "azurerm_eventgrid_event_subscription" "export_rejected_blob_created" { - name = "export_rejected_blob_created-${local.workspace_resource_name_suffix}" + name = "export_rejected_blob_created-${var.short_workspace_id}" scope = azurerm_storage_account.sa_export_rejected.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_rejected_blob_created.id diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index 894701044d..bd50a9056c 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -24,7 +24,7 @@ data "azurerm_private_dns_zone" "blobcore" { } resource "azurerm_private_endpoint" "import_approved_pe" { - name = "pe-sa-import-approved-blob-${var.tre_id}" + name = "pe-sa-import-approved-blob-${var.short_workspace_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -37,7 +37,7 @@ resource "azurerm_private_endpoint" "import_approved_pe" { } private_service_connection { - name = "psc-sa-import-approved-${var.tre_id}" + name = "psc-sa-import-approved-${var.short_workspace_id}" private_connection_resource_id = azurerm_storage_account.sa_import_approved.id is_manual_connection = false subresource_names = ["Blob"] @@ -67,7 +67,7 @@ resource "azurerm_storage_account" "sa_export_internal" { resource "azurerm_private_endpoint" "export_internal_pe" { - name = "pe-sa-export-int-blob-${var.tre_id}" + name = "pe-sa-export-int-blob-${var.short_workspace_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id 
@@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "export_internal_pe" { } private_service_connection { - name = "psc-sa-export-int-${var.tre_id}" + name = "psc-sa-export-int-${var.short_workspace_id}" private_connection_resource_id = azurerm_storage_account.sa_export_internal.id is_manual_connection = false subresource_names = ["Blob"] @@ -109,7 +109,7 @@ resource "azurerm_storage_account" "sa_export_inprogress" { resource "azurerm_private_endpoint" "export_inprogress_pe" { - name = "pe-sa-ip-export-blob-${var.tre_id}" + name = "pe-sa-ip-export-blob-${var.short_workspace_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -122,7 +122,7 @@ resource "azurerm_private_endpoint" "export_inprogress_pe" { } private_service_connection { - name = "psc-sa-export-ip-${var.tre_id}" + name = "psc-sa-export-ip-${var.short_workspace_id}" private_connection_resource_id = azurerm_storage_account.sa_export_inprogress.id is_manual_connection = false subresource_names = ["Blob"] @@ -151,7 +151,7 @@ resource "azurerm_storage_account" "sa_export_rejected" { resource "azurerm_private_endpoint" "export_rejected_pe" { - name = "pe-sa-export-rej-blob-${var.tre_id}" + name = "pe-sa-export-rej-blob-${var.short_workspace_id}" location = var.location resource_group_name = var.ws_resource_group_name subnet_id = var.services_subnet_id @@ -164,7 +164,7 @@ resource "azurerm_private_endpoint" "export_rejected_pe" { } private_service_connection { - name = "psc-sa-export-rej-${var.tre_id}" + name = "psc-sa-export-rej-${var.short_workspace_id}" private_connection_resource_id = azurerm_storage_account.sa_export_rejected.id is_manual_connection = false subresource_names = ["Blob"] From 83d365f9f343441d9eb40e2fbabd4f5c24698e8d Mon Sep 17 00:00:00 2001 
From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 23:21:09 +0300 Subject: [PATCH 17/18] fix --- templates/workspaces/base/terraform/airlock/eventgrid_topics.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf index 1d46efe369..df326c1705 100644 --- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf +++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf @@ -101,7 +101,7 @@ resource "azurerm_eventgrid_event_subscription" "export_inprogress_blob_created" } resource "azurerm_eventgrid_event_subscription" "export_rejected_blob_created" { - name = "export_rejected_blob_created-${var.short_workspace_id}" + name = "export-rejected-blob-created-${var.short_workspace_id}" scope = azurerm_storage_account.sa_export_rejected.id service_bus_queue_endpoint_id = data.azurerm_servicebus_queue.export_rejected_blob_created.id From 5d0177f90dbe4adeb4c2ff388728c7784f0275a5 Mon Sep 17 00:00:00 2001 From: Elad <13205761+eladiw@users.noreply.github.com> Date: Sun, 29 May 2022 23:49:39 +0300 Subject: [PATCH 18/18] fix --- .../workspaces/base/terraform/airlock/eventgrid_topics.tf | 6 +++--- templates/workspaces/base/terraform/airlock/locals.tf | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf index df326c1705..44ccf97b36 100644 --- a/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf +++ b/templates/workspaces/base/terraform/airlock/eventgrid_topics.tf 
@@ -60,19 +60,19 @@ data "azurerm_servicebus_namespace" "airlock_sb" { } data "azurerm_servicebus_queue" "import_approved_blob_created" { - name = "import_approved_blob_created" + name = local.import_approved_queue_name resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } data "azurerm_servicebus_queue" "export_in_progress_blob_created" { - name = "export_inprogress_blob_created" + name = local.export_inprogress_queue_name resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } data "azurerm_servicebus_queue" "export_rejected_blob_created" { - name = "export_rejected_blob_created" + name = local.export_rejected_queue_name resource_group_name = local.core_resource_group_name namespace_name = "sb-${var.tre_id}" } diff --git a/templates/workspaces/base/terraform/airlock/locals.tf b/templates/workspaces/base/terraform/airlock/locals.tf index c5cb0e19f6..698effb384 100644 --- a/templates/workspaces/base/terraform/airlock/locals.tf +++ b/templates/workspaces/base/terraform/airlock/locals.tf @@ -6,6 +6,10 @@ locals { export_inprogress_sys_topic_name = "evgt-airlock-export-inprog-${local.workspace_resource_name_suffix}" export_rejected_sys_topic_name = "evgt-airlock-export-rejected-${local.workspace_resource_name_suffix}" + export_rejected_queue_name = "airlock-export-rejected-blob-created" + import_approved_queue_name = "airlock-import-approved-blob-created" + export_inprogress_queue_name = "airlock-export-inprogress-blob-created" + # STorage AirLock APProved IMport import_approved_storage_name = lower(replace("stalimapp${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", "")) # STorage AirLock INTernal EXport
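Review bot: The three queue names added to the workspace locals (`export_rejected_queue_name`, `import_approved_queue_name`, `export_inprogress_queue_name`) are string copies of names owned by the core airlock module — `airlock-export-rejected-blob-created` is visible in the core locals earlier in this series, the other two I cannot see from here — and nothing in this file records that coupling. Suggest a comment directly above them: `# Must match the queue names defined in templates/core/terraform/airlock/locals.tf; the azurerm_servicebus_queue data sources in eventgrid_topics.tf fail at plan time if they drift.` Longer term the core module could publish these as outputs the workspace reads, but the comment is the minimum for the next person who renames a queue on one side only.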