Add Airlock Manager workspace #2505

Merged
merged 41 commits into from
Sep 15, 2022
2526bfc
Add Airlock Manager workspace
tanya-borisova Aug 25, 2022
800b607
Add Airlock Manager workspace
tanya-borisova Aug 25, 2022
505a2aa
Change descriptions
tanya-borisova Aug 25, 2022
628f8ae
remove unused module
tanya-borisova Aug 25, 2022
6acbc5e
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 12, 2022
7fbebb2
WIP: reusing files from base workspace
tanya-borisova Sep 12, 2022
42e48ef
Add patch file
tanya-borisova Sep 12, 2022
acd50e9
wip
tanya-borisova Sep 12, 2022
f39fbd9
wip: add testing script
tanya-borisova Sep 12, 2022
c930577
wip: add testing makefile command
tanya-borisova Sep 12, 2022
062d43d
wip
tanya-borisova Sep 12, 2022
42e197a
Add empty terraform directory
tanya-borisova Sep 13, 2022
daa25a5
remove testing script
tanya-borisova Sep 13, 2022
5c5de76
revert makefile change
tanya-borisova Sep 13, 2022
f25918e
update to latest main
tanya-borisova Sep 13, 2022
7cb5c57
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 13, 2022
d239789
Merge branch 'tborisova/2498-template-for-review-workspace' of github…
tanya-borisova Sep 13, 2022
6d9f171
remove references to shared storage
tanya-borisova Sep 13, 2022
c738bf1
Make mounting of shared storage optional depending on whether it's se…
tanya-borisova Sep 13, 2022
a109e5e
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 13, 2022
75f21b0
Merge branch 'tborisova/2498-template-for-review-workspace' of github…
tanya-borisova Sep 13, 2022
d705a96
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 14, 2022
42b26ce
Update linuxvm to not depend on shared storage
tanya-borisova Sep 14, 2022
cfcce77
Merge branch 'tborisova/2498-template-for-review-workspace' of github…
tanya-borisova Sep 14, 2022
04461a8
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 14, 2022
3533858
wip: does not work
tanya-borisova Sep 14, 2022
60c1789
Revert "wip: does not work"
tanya-borisova Sep 14, 2022
fc527e8
Change type of parameter to bool
tanya-borisova Sep 14, 2022
4f4bd63
Add a forgotten private endpoint
tanya-borisova Sep 14, 2022
5ee9919
Revert "remove testing script"
tanya-borisova Sep 14, 2022
c3f91c4
fix diff
tanya-borisova Sep 14, 2022
d95c9c4
Merge branch 'main' into tborisova/2498-template-for-review-workspace
tanya-borisova Sep 14, 2022
226ef24
update diff
tanya-borisova Sep 14, 2022
e1bd50f
update diff
tanya-borisova Sep 14, 2022
97e2e43
Merge branch 'tborisova/2498-template-for-review-workspace' of github…
tanya-borisova Sep 15, 2022
25b9d81
remove test script
tanya-borisova Sep 15, 2022
160b8b9
fix linuxvm
tanya-borisova Sep 15, 2022
7dd0b27
revert makefile changes
tanya-borisova Sep 15, 2022
5891e1a
Remove update_redirect_urls.sh
tanya-borisova Sep 15, 2022
04b1b58
Update Dockerfile
tanya-borisova Sep 15, 2022
9744321
Add doc page
tanya-borisova Sep 15, 2022
8 changes: 8 additions & 0 deletions docs/tre-templates/workspaces/airlock_manager.md
@@ -0,0 +1,8 @@
# Airlock Manager workspace

**NOTE**: This feature is still in active development. More documentation will be added as the development progresses.

Airlock Manager workspace is used as part of Review workflow for [Airlock](../../azure-tre-overview/airlock.md).
It allows to review Airlock Data Import requests from, by providing a workspace to spin up VMs in that then can access the in-progress storage account.

The workspace is built upon the base workspace template. It adds a private endpoint to connect to import in-progress storage account, adds corresponding roles, and disables shared storage for VMs.
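Review bot: the second sentence of the new doc page is garbled: "It allows to review Airlock Data Import requests from, by providing a workspace..." leaves a dangling "from" and "allows to review" is ungrammatical. Suggest: "It allows Airlock Managers to review Airlock Data Import requests by providing a workspace in which VMs can be spun up that can access the in-progress storage account." The opening line also reads better as "The Airlock Manager workspace is used as part of the Review workflow...".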
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
name: tre-service-guacamole-linuxvm
version: 0.4.14
version: 0.4.15
description: "An Azure TRE User Resource Template for Guacamole (Linux)"
dockerfile: Dockerfile.tmpl
registry: azuretre
Expand Down Expand Up @@ -52,8 +52,8 @@ parameters:
type: string
default: "2 CPU | 8GB RAM"
- name: shared_storage_access
type: string
default: "true"
type: boolean
default: true
- name: shared_storage_name
type: string
default: "vm-shared-storage"
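Review bot: changing `shared_storage_access` from `type: string` / `default: "true"` to `type: boolean` / `default: true` changes the parameter contract for every already-deployed instance of this user resource, so an existing VM whose stored parameters hold the string `"true"` needs a confirmed upgrade path before this ships. Please verify that an upgrade of such a VM still validates against the new schema, or document the migration step.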
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,13 @@
"16 CPU | 64GB RAM"
],
"updateable": true
},
"shared_storage_access": {
"$id": "#/properties/shared_storage_access",
"type": "boolean",
"title": "Shared storage",
"default": true,
"description": "Enable access to shared storage"
}
}
}
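Review bot: the new `shared_storage_access` property carries no `updateable` flag, while the sibling property just above it has `"updateable": true`. Now that the Terraform side supports both values through `count`, state explicitly whether a user may flip this on an existing VM by adding `"updateable": true` or `false`, rather than relying on the implicit default. Since this PR's own docs say the Airlock Manager workspace disables shared storage for its VMs, also consider whether the property should be user-editable in that workspace at all, or pinned to `false` by the template.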
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ data "template_file" "vm_config" {
STORAGE_ACCOUNT_NAME = data.azurerm_storage_account.stg.name
STORAGE_ACCOUNT_KEY = data.azurerm_storage_account.stg.primary_access_key
HTTP_ENDPOINT = data.azurerm_storage_account.stg.primary_file_endpoint
FILESHARE_NAME = data.azurerm_storage_share.shared_storage.name
FILESHARE_NAME = var.shared_storage_access ? data.azurerm_storage_share.shared_storage[0].name : ""
NEXUS_PROXY_URL = local.nexus_proxy_url
CONDA_CONFIG = local.image_ref[var.image].conda_config ? 1 : 0
}
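Review bot: `FILESHARE_NAME` is now empty when `shared_storage_access` is false, but `STORAGE_ACCOUNT_NAME`, `STORAGE_ACCOUNT_KEY` and `HTTP_ENDPOINT` three lines above are still rendered into the VM config unconditionally, so the storage account's primary access key is still written into a VM that is not meant to reach the share. Suggest applying the same guard to those values, e.g. `STORAGE_ACCOUNT_KEY = var.shared_storage_access ? data.azurerm_storage_account.stg.primary_access_key : ""`, so that disabling the mount leaves no credential on the VM.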
Expand Down Expand Up @@ -137,6 +137,7 @@ data "azurerm_storage_account" "stg" {
}

data "azurerm_storage_share" "shared_storage" {
count = var.shared_storage_access ? 1 : 0
name = var.shared_storage_name
storage_account_name = data.azurerm_storage_account.stg.name
}
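Review bot: adding `count` to the `shared_storage` data source means every reference to it must use the `[0]` index. The reference in `vm_config` above was updated; please grep the module for any other `data.azurerm_storage_share.shared_storage` reference (outputs, locals), since an un-indexed one would now fail at plan time.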
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,7 @@ variable "parent_service_id" {}
variable "tre_resource_id" {}
variable "image" {}
variable "vm_size" {}
variable "shared_storage_access" {}
variable "shared_storage_access" {
type = bool
}
variable "shared_storage_name" {}
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
name: tre-service-guacamole-windowsvm
version: 0.4.8
version: 0.4.14
description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
dockerfile: Dockerfile.tmpl
registry: azuretre
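Review bot: the version jumps from 0.4.8 to 0.4.14 while the matching linuxvm template moves by a single patch step (0.4.14 to 0.4.15). Unless the intent is to align the two templates' version numbers, this looks like a typo for 0.4.9; please confirm.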
Expand Down Expand Up @@ -50,8 +50,8 @@ parameters:
type: string
default: "2 CPU | 8GB RAM"
- name: shared_storage_access
type: string
default: "true"
type: boolean
default: true
- name: shared_storage_name
type: string
default: "vm-shared-storage"
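Review bot: same remark as for the linuxvm porter.yaml: the string-to-boolean change of `shared_storage_access` needs a confirmed upgrade path for already-deployed Windows VMs whose stored parameter is the string `"true"`.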
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,13 @@
"16 CPU | 64GB RAM"
],
"updateable": true
},
"shared_storage_access": {
"$id": "#/properties/shared_storage_access",
"type": "boolean",
"title": "Shared storage",
"default": true,
"description": "Enable access to shared storage"
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,7 @@ variable "parent_service_id" {}
variable "tre_resource_id" {}
variable "image" {}
variable "vm_size" {}
variable "shared_storage_access" {}
variable "shared_storage_access" {
type = bool
}
variable "shared_storage_name" {}
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,10 @@ data "template_file" "vm_config" {
template = file("${path.module}/vm_config.ps1")
vars = {
nexus_proxy_url = local.nexus_proxy_url
SharedStorageAccess = tobool(var.shared_storage_access) ? 1 : 0
SharedStorageAccess = var.shared_storage_access ? 1 : 0
StorageAccountName = data.azurerm_storage_account.stg.name
StorageAccountKey = data.azurerm_storage_account.stg.primary_access_key
FileShareName = data.azurerm_storage_share.shared_storage.name
FileShareName = var.shared_storage_access ? data.azurerm_storage_share.shared_storage[0].name : ""
CondaConfig = local.image_ref[var.image].conda_config ? 1 : 0
}
}
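Review bot: dropping `tobool()` is consistent with the variable now being declared `type = bool`, but as in the linuxvm template, `StorageAccountName` and `StorageAccountKey` are still passed into `vm_config.ps1` when `SharedStorageAccess` is 0, so the account key still reaches a VM that will never mount the share. Suggest guarding those two values the same way `FileShareName` is guarded.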
Expand All @@ -106,6 +106,7 @@ data "azurerm_storage_account" "stg" {
}

data "azurerm_storage_share" "shared_storage" {
count = var.shared_storage_access ? 1 : 0
name = var.shared_storage_name
storage_account_name = data.azurerm_storage_account.stg.name
}
9 changes: 9 additions & 0 deletions templates/workspaces/airlock_manager/.dockerignore
@@ -0,0 +1,9 @@
# Local .terraform directories
**/.terraform/*

# TF backend files
**/*_backend.tf

Dockerfile.tmpl
terraform/deploy.sh
terraform/destroy.sh
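Review bot: this ignore list does not exclude `.env`, yet the bundle's Dockerfile copies the whole directory with `COPY . $BUNDLE_DIR`, and the PR adds a `.env.sample` whose filled-in counterpart holds `ARM_CLIENT_SECRET` and `CLIENT_SECRET`; a developer building the bundle locally would bake those credentials into the invocation image. Add `.env` (and `*.env`) here.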
29 changes: 29 additions & 0 deletions templates/workspaces/airlock_manager/.env.sample
@@ -0,0 +1,29 @@
ARM_CLIENT_ID="__CHANGE_ME__"
ARM_CLIENT_SECRET="__CHANGE_ME__"
ARM_TENANT_ID="__CHANGE_ME__"
ARM_SUBSCRIPTION_ID="__CHANGE_ME__"
AUTH_TENANT_ID="__CHANGE_ME__"

# These are passed in if Terraform will create the Workspace AAD Application
REGISTER_AAD_APPLICATION=true
AUTH_CLIENT_ID="__CHANGE_ME__"
AUTH_CLIENT_SECRET="__CHANGE_ME__"
WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__"

# These are passed in if you register the Workspace AAD Application before hand
# REGISTER_AAD_APPLICATION=false
# CLIENT_ID="__CHANGE_ME__"
# CLIENT_SECRET="__CHANGE_ME__"
# WORKSPACE_OWNER_OBJECT_ID=""

# Used by Porter, aka TRE_RESOURCE_ID
ID="MadeUp123"
SP_ID=""
SCOPE_ID="api://ws_0001"
APP_ROLE_ID_WORKSPACE_OWNER=""
APP_ROLE_ID_WORKSPACE_RESEARCHER=""
APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER=""
ADDRESS_SPACE="10.2.8.0/24"
ENABLE_LOCAL_DEBUGGING=true

AAD_REDIRECT_URIS="W10="
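Review bot: minor: "before hand" in the comment should be "beforehand". Also, the active block uses `AUTH_CLIENT_ID`/`AUTH_CLIENT_SECRET` while the commented-out alternative uses `CLIENT_ID`/`CLIENT_SECRET`; if both names are intentional (one for the application that registers the workspace app, one for a pre-registered workspace app), a one-line comment saying so would save the next person from guessing which pair the Terraform reads.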
43 changes: 43 additions & 0 deletions templates/workspaces/airlock_manager/Dockerfile.tmpl
@@ -0,0 +1,43 @@
# We need azurecli 2.37+ which doesn't exist for strech so the minimum is buster
FROM debian:buster-slim

ARG BUNDLE_DIR

ARG AZURE_TRE_VERSION="0.4.3"

RUN apt-get update \
&& apt-get install --no-install-recommends jq ca-certificates curl patch -y \
&& apt-get clean -y && rm -rf /var/lib/apt/lists/*

WORKDIR $BUNDLE_DIR

# Copy all files from base workspace (note: some of them will be overwritten with the following COPY command)
RUN curl -o azuretre.tar.gz -L "https://github.com/microsoft/AzureTRE/archive/refs/tags/v${AZURE_TRE_VERSION}.tar.gz" \
&& tar -xzf azuretre.tar.gz "AzureTRE-${AZURE_TRE_VERSION}/templates/workspaces/base" --strip-components=4 --skip-old-files \
&& rm -rf azuretre.tar.gz

# This is a template Dockerfile for the bundle's invocation image
# You can customize it to use different base images, install tools and copy configuration files.
#
# Porter will use it as a template and append lines to it for the mixins
# and to set the CMD appropriately for the CNAB specification.
#
# Add the following line to porter.yaml to instruct Porter to use this template
# dockerfile: Dockerfile.tmpl

# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
# another location in this file. If you remove that line, the mixins generated content is appended to this file.
# PORTER_MIXINS

# Use the BUNDLE_DIR build argument to copy files into the bundle
COPY . $BUNDLE_DIR

# Apply patch with the difference from the base workspace
RUN patch -p0 < $BUNDLE_DIR/workspace_base.diff

# Mirror plugins to prevent network access at runtime
# Remove when available from https://github.com/getporter/terraform-mixin/issues/90
WORKDIR $BUNDLE_DIR/terraform
RUN terraform init -backend=false \
&& rm -fr $BUNDLE_DIR/terraform/.terraform/providers \
&& terraform providers mirror /usr/local/share/terraform/plugins
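Review bot: the base workspace files are pulled at build time from a GitHub release tarball selected by `AZURE_TRE_VERSION` with no integrity check, so the bundle's contents depend entirely on whatever that tag resolves to when the image is built; pin a sha256 of the archive (e.g. `echo "<expected-sha256>  azuretre.tar.gz" | sha256sum -c` before extracting) or fetch by commit SHA. Smaller points: "strech" should be "stretch" in the first comment; `AZURE_TRE_VERSION` defaults to 0.4.3, and `workspace_base.diff` applied by `patch -p0` is only valid against that exact version, so the two need to be bumped together; and `terraform` is invoked at the bottom but only installed by the lines Porter inserts at `# PORTER_MIXINS`, so that marker must stay above the `terraform init` step.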
128 changes: 128 additions & 0 deletions templates/workspaces/airlock_manager/parameters.json
@@ -0,0 +1,128 @@
{
"schemaVersion": "1.0.0-DRAFT+TODO",
"name": "airlock_manager",
"created": "2021-06-04T13:37:29.5071039+03:00",
"modified": "2021-06-04T13:37:29.5071039+03:00",
"parameters": [
{
"name": "address_space",
"source": {
"env": "ADDRESS_SPACE"
}
},
{
"name": "azure_location",
"source": {
"env": "LOCATION"
}
},
{
"name": "tre_id",
"source": {
"env": "TRE_ID"
}
},
{
"name": "id",
"source": {
"env": "ID"
}
},
{
"name": "tfstate_container_name",
"source": {
"env": "TERRAFORM_STATE_CONTAINER_NAME"
}
},
{
"name": "tfstate_resource_group_name",
"source": {
"env": "MGMT_RESOURCE_GROUP_NAME"
}
},
{
"name": "tfstate_storage_account_name",
"source": {
"env": "MGMT_STORAGE_ACCOUNT_NAME"
}
},
{
"name": "enable_local_debugging",
"source": {
"env": "ENABLE_LOCAL_DEBUGGING"
}
},
{
"name": "register_aad_application",
"source": {
"env": "REGISTER_AAD_APPLICATION"
}
},
{
"name": "client_id",
"source": {
"env": "CLIENT_ID"
}
},
{
"name": "client_secret",
"source": {
"env": "CLIENT_SECRET"
}
},
{
"name": "scope_id",
"source": {
"env": "SCOPE_ID"
}
},
{
"name": "workspace_owner_object_id",
"source": {
"env": "WORKSPACE_OWNER_OBJECT_ID"
}
},
{
"name": "sp_id",
"source": {
"env": "SP_ID"
}
},
{
"name": "app_role_id_workspace_owner",
"source": {
"env": "APP_ROLE_ID_WORKSPACE_OWNER"
}
},
{
"name": "app_role_id_workspace_researcher",
"source": {
"env": "APP_ROLE_ID_WORKSPACE_RESEARCHER"
}
},
{
"name": "app_role_id_workspace_airlock_manager",
"source": {
"env": "APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER"
}
},
{
"name": "aad_redirect_uris",
"source": {
"env": "AAD_REDIRECT_URIS"
}
},
{
"name": "app_service_plan_sku",
"source": {
"env": "APP_SERVICE_PLAN_SKU"
}
},
{
"name": "enable_airlock",
"source": {
"env": "ENABLE_AIRLOCK"
}
}
]
}
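Review bot: the `created`/`modified` timestamps (2021-06-04) and `"schemaVersion": "1.0.0-DRAFT+TODO"` look carried over from the base workspace's parameters.json rather than generated for this template; update them or drop the fields if nothing reads them. Also, `app_role_id_workspace_airlock_manager` is sourced here from `APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER`; confirm the base workspace Terraform declares a matching variable, or `workspace_base.diff` must add it, otherwise Porter will pass a parameter Terraform does not accept.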