Create groups for AAD app reg roles #2532

Merged
merged 18 commits into from
Sep 14, 2022
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,7 @@ ENHANCEMENTS:
* Gitea shared service support app-service standard SKUs ([#2523](https://github.com/microsoft/AzureTRE/pull/2523))
* Keyvault diagnostic settings in base workspace ([#2521](https://github.com/microsoft/AzureTRE/pull/2521))
* Airlock requests contain a field with information about the files that were submitted ([#2504](https://github.com/microsoft/AzureTRE/pull/2504))
* Add ability to automatically create Azure AD groups for each application role. Requires API version 0.4.30 or later

BUG FIXES:

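Review bot: the new entry `* Add ability to automatically create Azure AD groups for each application role.` is the only one in this ENHANCEMENTS block without a PR link; the neighbouring entries all end with `([#NNNN](https://github.com/microsoft/AzureTRE/pull/NNNN))`, so append `([#2532](https://github.com/microsoft/AzureTRE/pull/2532))` for consistency. The "Requires API version 0.4.30 or later" sentence matches the `api_app/_version.py` bump in this PR; keep the two in sync if the version moves again before merge.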
2 changes: 1 addition & 1 deletion api_app/_version.py
@@ -1 +1 @@
__version__ = "0.4.24"
__version__ = "0.4.30"
46 changes: 26 additions & 20 deletions api_app/schemas/azuread.json
@@ -1,23 +1,29 @@
{
"$schema": "http://json-schema.org/draft-07/schema",
"$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json",
"type": "object",
"title": "Azure AD Authorisation Schema",
"default": {},
"required": [
"client_id"
],
"properties": {
"client_id": {
"type": "string",
"title": "Application (Client) ID",
"description": "The AAD Application Registration ID for the workspace. Use 'auto_create' if you wish TRE to create this."
},
"client_secret": {
"type": "string",
"title": "Application (Client) Secret",
"description": "The AAD Application Registration secret for the workspace. Leave blank if using `auto_create` above. This value will be stored in the Workspace Key Vault.",
"sensitive": true
}
"$schema": "http://json-schema.org/draft-07/schema",
"$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json",
"type": "object",
"title": "Azure AD Authorisation Schema",
"default": {},
"required": [
"client_id"
],
"properties": {
"client_id": {
"type": "string",
"title": "Application (Client) ID",
"description": "The AAD Application Registration ID for the workspace. Use 'auto_create' if you wish TRE to create this."
},
"client_secret": {
"type": "string",
"title": "Application (Client) Secret",
"description": "The AAD Application Registration secret for the workspace. Leave blank if using `auto_create` above. This value will be stored in the Workspace Key Vault.",
"sensitive": true
},
"create_aad_groups": {
"type": "boolean",
"title": "Create AAD Groups for each worksapce role",
"description": "Create AAD Groups for the workspace roles, requires `auto_create`. If this is set to true, the workspace will create new AAD Groups.",
"default": false
}
}
}
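Review bot: typo in the new `create_aad_groups` title: "worksapce" should be "workspace". The description says the option "requires `auto_create`", but nothing in the schema enforces that, so a request that sets `create_aad_groups: true` against an existing app registration will be accepted and the flag silently ignored; draft-07 supports `if`/`then`, so a conditional along the lines of `"if": {"properties": {"create_aad_groups": {"const": true}}}, "then": {"properties": {"client_id": {"const": "auto_create"}}}` would reject it at validation time. Separately, the hunk shows 26 additions and 20 deletions for what is a single new property: the rest is a re-indent of unchanged lines, which hides the real change in review; consider keeping the original indentation or moving the whitespace change into its own commit.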
6 changes: 6 additions & 0 deletions templates/workspaces/base/porter.yaml
Expand Up @@ -59,6 +59,10 @@ parameters:
type: boolean
default: false
description: "Whether this bundle should register the workspace in AAD"
- name: create_aad_groups
type: boolean
default: false
description: "Whether this bundle should create AAD groups for the workspace app roles"
- name: workspace_owner_object_id
type: string
description: "The object id of the user that will be granted WorkspaceOwner after it is created."
Expand Down Expand Up @@ -148,6 +152,7 @@ install:
shared_storage_quota: "{{ bundle.parameters.shared_storage_quota }}"
enable_local_debugging: "{{ bundle.parameters.enable_local_debugging }}"
register_aad_application: "{{ bundle.parameters.register_aad_application }}"
create_aad_groups: "{{ bundle.parameters.create_aad_groups }}"
auth_client_id: "{{ bundle.credentials.auth_client_id }}"
auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
Expand Down Expand Up @@ -241,6 +246,7 @@ uninstall:
shared_storage_quota: "{{ bundle.parameters.shared_storage_quota }}"
enable_local_debugging: "{{ bundle.parameters.enable_local_debugging }}"
register_aad_application: "{{ bundle.parameters.register_aad_application }}"
create_aad_groups: "{{ bundle.parameters.create_aad_groups }}"
auth_client_id: "{{ bundle.credentials.auth_client_id }}"
auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
22 changes: 22 additions & 0 deletions templates/workspaces/base/terraform/aad/aad.tf
Expand Up @@ -124,3 +124,25 @@ resource "azuread_app_role_assignment" "workspace_owner" {
principal_object_id = var.workspace_owner_object_id
resource_object_id = azuread_service_principal.workspace.object_id
}

resource "azuread_group" "workspace_owners" {
count = var.create_aad_groups ? 1 : 0
display_name = "${var.workspace_resource_name_suffix} Workspace Owners"
owners = [var.workspace_owner_object_id]
}

resource "azuread_group" "workspace_researchers" {
count = var.create_aad_groups ? 1 : 0
display_name = "${var.workspace_resource_name_suffix} Workspace Researchers"
owners = [var.workspace_owner_object_id]
}
resource "azuread_group" "workspace_researchers" {
count = var.create_aad_groups ? 1 : 0
display_name = "${var.workspace_resource_name_suffix} Airlock Managers"
owners = [var.workspace_owner_object_id]
}
resource "azuread_group_member" "workspace_owner" {
count = var.create_aad_groups ? 1 : 0
group_object_id = azuread_group.workspace_owners.id
member_object_id = var.workspace_owner_object_id
}
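Review bot: the third block reuses the resource address `azuread_group "workspace_researchers"` for the Airlock Managers group, so `terraform validate` will fail with a duplicate resource; rename it (for example `azuread_group "airlock_managers"`) so that both groups are created. Because every group is declared with `count`, the reference in `azuread_group_member "workspace_owner"` must be indexed: `group_object_id = azuread_group.workspace_owners[0].id`, not `azuread_group.workspace_owners.id`. Nothing in this hunk assigns any of the three groups to its app role: only `azuread_app_role_assignment "workspace_owner"` (the existing per-user assignment) is visible, so the Researchers and Airlock Managers groups are created but grant no role until an `azuread_app_role_assignment` per group is added; if the module is on the azuread 2.x provider, the groups will also need `security_enabled = true` to be created at all. Finally, every group, including Airlock Managers, is owned by `var.workspace_owner_object_id`, which lets the workspace owner add members to the airlock approvers' group; if owners and airlock managers are meant to be separate duties, that ownership should be reconsidered. Minor style: add a blank line between the resource blocks, as the existing code in this file does.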
1 change: 1 addition & 0 deletions templates/workspaces/base/terraform/aad/variables.tf
Expand Up @@ -5,3 +5,4 @@ variable "tre_workspace_tags" {}
variable "aad_redirect_uris_b64" {
type = string # list of objects like [{"name": "my uri 1", "value": "https://..."}, {}]
}
variable "create_aad_groups" {}
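Review bot: `variable "create_aad_groups" {}` declares no `type` or `default`, unlike `aad_redirect_uris_b64` directly above it, and unlike the root-level `create_aad_groups` variable added in `templates/workspaces/base/terraform/variables.tf`, which has `type = bool` and `default = false`. Mirror that here (`type = bool`, `default = false`) so a missing or non-boolean value fails at plan time instead of surfacing later at the `count` ternaries in aad.tf.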
6 changes: 6 additions & 0 deletions templates/workspaces/base/terraform/variables.tf
Expand Up @@ -47,6 +47,12 @@ variable "register_aad_application" {
description = "Create an AAD application automatically for the Workspace."
}

variable "create_aad_groups" {
type = bool
default = false
description = "Create AAD groups automatically for the Workspace Application Roles."
}

variable "enable_airlock" {
type = bool
description = "Controls the deployment of Airlock resources in the workspace."
2 changes: 2 additions & 0 deletions templates/workspaces/base/terraform/workspace.tf
Expand Up @@ -34,6 +34,8 @@ module "aad" {
workspace_resource_name_suffix = local.workspace_resource_name_suffix
workspace_owner_object_id = var.workspace_owner_object_id
aad_redirect_uris_b64 = var.aad_redirect_uris_b64
create_aad_groups = var.create_aad_groups

depends_on = [
azurerm_key_vault_access_policy.deployer,
azurerm_key_vault_access_policy.resource_processor,