From f35484473ce134f4c462a1ca900c415fcd1176b2 Mon Sep 17 00:00:00 2001 
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Wed, 21 Sep 2022 05:05:44 +0000 Subject: [PATCH 1/6] admin vm shared service --- CHANGELOG.md | 1 + docs/tre-admins/environment-variables.md | 1 - templates/core/.env.sample | 1 - .../terraform/admin-jumpbox-configure.ps1 | 32 ------- templates/core/terraform/variables.tf | 6 -- templates/core/version.txt | 2 +- .../shared_services/admin-vm/.dockerignore | 8 ++ .../shared_services/admin-vm/Dockerfile.tmpl | 26 ++++++ .../shared_services/admin-vm/parameters.json | 44 +++++++++ .../shared_services/admin-vm/porter.yaml | 90 +++++++++++++++++++ .../admin-vm/template_schema.json | 23 +++++ .../admin-vm/terraform/.terraform.lock.hcl | 42 +++++++++ .../admin-vm}/terraform/admin-jumpbox.tf | 43 ++------- .../admin-vm/terraform/data.tf | 13 +++ .../admin-vm/terraform/deploy.sh | 13 +++ .../admin-vm/terraform/destroy.sh | 13 +++ .../admin-vm/terraform/locals.tf | 9 ++ .../admin-vm/terraform/main.tf | 32 +++++++ .../admin-vm/terraform/variables.tf | 13 +++ 19 files changed, 337 insertions(+), 75 deletions(-) delete mode 100644 templates/core/terraform/admin-jumpbox-configure.ps1 create mode 100644 templates/shared_services/admin-vm/.dockerignore create mode 100644 templates/shared_services/admin-vm/Dockerfile.tmpl create mode 100755 templates/shared_services/admin-vm/parameters.json create mode 100644 templates/shared_services/admin-vm/porter.yaml create mode 100644 templates/shared_services/admin-vm/template_schema.json create mode 100644 templates/shared_services/admin-vm/terraform/.terraform.lock.hcl rename templates/{core => shared_services/admin-vm}/terraform/admin-jumpbox.tf (58%) create mode 100644 templates/shared_services/admin-vm/terraform/data.tf create mode 100755 templates/shared_services/admin-vm/terraform/deploy.sh create mode 100755 templates/shared_services/admin-vm/terraform/destroy.sh create mode 100644 templates/shared_services/admin-vm/terraform/locals.tf create mode 100644 
templates/shared_services/admin-vm/terraform/main.tf create mode 100644 templates/shared_services/admin-vm/terraform/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dcb948cec..d59844f27e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ FEATURES: ENHANCEMENTS: * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584)) +* Move admin-vm from core to a shared service ([#TBD](https://github.com/microsoft/AzureTRE/pull/TBD)) BUG FIXES: diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 4f2ef755b6..32432d8226 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -33,5 +33,4 @@ | `ENABLE_AIRLOCK_MALWARE_SCANNING` | If False, Airlock requests will skip the malware scanning stage. If set to True, Setting up a scanner manually is required! | | `ENABLE_LOCAL_DEBUGGING` | Set to `false` by default. Setting this to `true` will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos) | | `PUBLIC_DEPLOYMENT_IP_ADDRESS` | The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from [https://ipecho.net/plain](https://ipecho.net/plain) does not work. If this is the case, then you can 'hardcode' your IP. | -| `ADMIN_JUMPBOX_VM_SKU` | The SKU of the VM to use for the admin jumpbox. | | `RESOURCE_PROCESSOR_VMSS_SKU` | The SKU of the VMMS to use for the resource processing VM. | diff --git a/templates/core/.env.sample b/templates/core/.env.sample index a485aec7c1..87f385f1d7 100644 --- a/templates/core/.env.sample +++ b/templates/core/.env.sample 
@@ -55,6 +55,5 @@ CORE_ADDRESS_SPACE="10.1.0.0/22" TRE_ADDRESS_SPACE="10.0.0.0/12" APP_SERVICE_PLAN_SKU="P1v2" -ADMIN_JUMPBOX_VM_SKU="Standard_B2s" RESOURCE_PROCESSOR_VMSS_SKU="Standard_B2s" ENABLE_AIRLOCK_MALWARE_SCANNING=false diff --git a/templates/core/terraform/admin-jumpbox-configure.ps1 b/templates/core/terraform/admin-jumpbox-configure.ps1 deleted file mode 100644 index 38855f2556..0000000000 --- a/templates/core/terraform/admin-jumpbox-configure.ps1 +++ /dev/null @@ -1,32 +0,0 @@ -# Download Git For Windows -# We use useBasicParsing to skip Internet Explorer's first launch configuration -$GitVersion ="Git-2.35.1.2-64-bit" -Invoke-WebRequest -UseBasicParsing "https://github.com/git-for-windows/git/releases/download/v2.35.1.windows.2/$GitVersion.exe" -OutFile "$env:windir/Temp/$GitVersion.exe" - -# Install Git -&"$env:windir/temp/$GitVersion.exe" /VERYSILENT /NORESTART /NOCANCEL /SP- /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /COMPONENTS="icons,ext\reg\shellhere,assoc,assoc_sh" - -# Download Azure Cli -Invoke-WebRequest -UseBasicParsing https://aka.ms/installazurecliwindows -OutFile $env:windir/temp/AzureCli.msi - -# Install Azure Cli -Msiexec.exe /i "$env:windir\Temp\AzureCli.msi" /qn /L*v "$env:windir\Temp\AzureCLI-Install.log" - -# Download JQ -Invoke-WebRequest -UseBasicParsing https://github.com/stedolan/jq/releases/latest/download/jq-win64.exe -OutFile "$env:ProgramFiles\Git\usr\bin\jq.exe" - -# Clone TRE repository on C:/AzureTRE -cd $env:systemdrive/ -$installed = $false; -for ($i = 0; $i -lt 6; $i++){ - if ((test-path "$env:ProgramFiles\Git\usr\bin\mintty.exe")){ - &"C:\Program Files\Git\usr\bin\mintty.exe" --exec "/bin/bash" --login -c "/cmd/git clone https://github.com/microsoft/AzureTRE.git" - $installed = $true; - break; - } - else{ - sleep(10); - } -} - -if(!$installed){"Something went wrong with GIT installation" >> post_install.log} 
diff --git a/templates/core/terraform/variables.tf b/templates/core/terraform/variables.tf index 2256b0ab1d..0dc605fd6d 100644 --- a/templates/core/terraform/variables.tf +++ b/templates/core/terraform/variables.tf @@ -118,12 +118,6 @@ variable "resource_processor_vmss_sku" { description = "The SKU of the resource processor VMSS." } -variable "admin_jumpbox_vm_sku" { - type = string - default = "Standard_B2s" - description = "The SKU of the admin jumpbox VM." -} - variable "stateful_resources_locked" { type = bool default = true diff --git a/templates/core/version.txt b/templates/core/version.txt index 9c8003d454..6449cea9c6 100644 --- a/templates/core/version.txt +++ b/templates/core/version.txt @@ -1 +1 @@ -__version__ = "0.4.26" +__version__ = "0.4.27" diff --git a/templates/shared_services/admin-vm/.dockerignore b/templates/shared_services/admin-vm/.dockerignore new file mode 100644 index 0000000000..c3bd260c59 --- /dev/null +++ b/templates/shared_services/admin-vm/.dockerignore @@ -0,0 +1,8 @@ +# See https://docs.docker.com/engine/reference/builder/#dockerignore-file +# Put files here that you don't want copied into your bundle's invocation image +.gitignore +**/.terraform/* +**/*_backend.tf +Dockerfile.tmpl +terraform/deploy.sh +terraform/destroy.sh diff --git a/templates/shared_services/admin-vm/Dockerfile.tmpl b/templates/shared_services/admin-vm/Dockerfile.tmpl new file mode 100644 index 0000000000..9e826e348d --- /dev/null +++ b/templates/shared_services/admin-vm/Dockerfile.tmpl 
@@ -0,0 +1,26 @@ +FROM debian:buster-slim + +ARG BUNDLE_DIR + +# This is a template Dockerfile for the bundle's invocation image +# You can customize it to use different base images, install tools and copy configuration files. +# +# Porter will use it as a template and append lines to it for the mixins +# and to set the CMD appropriately for the CNAB specification. +# +# Add the following line to porter.yaml to instruct Porter to use this template +# dockerfile: Dockerfile.tmpl + +# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line +# another location in this file. If you remove that line, the mixins generated content is appended to this file. +# PORTER_MIXINS + +# Use the BUNDLE_DIR build argument to copy files into the bundle +COPY . $BUNDLE_DIR + +# Mirror plugins to prevent network access at runtime +# Remove when available from https://github.com/getporter/terraform-mixin/issues/90 +WORKDIR $BUNDLE_DIR/terraform +RUN terraform init -backend=false \ + && rm -fr $BUNDLE_DIR/terraform/.terraform/providers \ + && terraform providers mirror /usr/local/share/terraform/plugins diff --git a/templates/shared_services/admin-vm/parameters.json b/templates/shared_services/admin-vm/parameters.json new file mode 100755 index 0000000000..0da340c125 --- /dev/null +++ b/templates/shared_services/admin-vm/parameters.json 
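Review bot: `FROM debian:buster-slim` pins the invocation image's base only by a mutable tag, so two builds of the same bundle version can end up on different base layers. The Terraform providers are covered by the `.terraform.lock.hcl` hashes added in this same commit, but the base image has no equivalent integrity pin. Pinning by digest, `FROM debian:buster-slim@sha256:<digest-placeholder>`, would close that gap and make base-image updates an explicit, reviewable change. In the final `RUN`, the path should also be quoted: `rm -fr "$BUNDLE_DIR/terraform/.terraform/providers"`.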
@@ -0,0 +1,44 @@ +{ + "schemaVersion": "1.0.0-DRAFT+TODO", + "name": "base", + "created": "2021-06-04T13:37:29.5071039+03:00", + "modified": "2021-06-04T13:37:29.5071039+03:00", + "parameters": [ + { + "name": "tre_id", + "source": { + "env": "TRE_ID" + } + }, + { + "name": "id", + "source": { + "env": "ID" + } + }, + { + "name": "tfstate_container_name", + "source": { + "env": "TERRAFORM_STATE_CONTAINER_NAME" + } + }, + { + "name": "tfstate_resource_group_name", + "source": { + "env": "MGMT_RESOURCE_GROUP_NAME" + } + }, + { + "name": "tfstate_storage_account_name", + "source": { + "env": "MGMT_STORAGE_ACCOUNT_NAME" + } + }, + { + "name": "admin_jumpbox_vm_sku", + "source": { + "env": "ADMIN_JUMPBOX_VM_SKU" + } + } + ] +} diff --git a/templates/shared_services/admin-vm/porter.yaml b/templates/shared_services/admin-vm/porter.yaml new file mode 100644 index 0000000000..04151601b5 --- /dev/null +++ b/templates/shared_services/admin-vm/porter.yaml 
@@ -0,0 +1,90 @@ +--- +name: tre-shared-service-admin-vm +version: 0.1.1 +description: "An admin vm shared service" +dockerfile: Dockerfile.tmpl +registry: azuretre + +credentials: + - name: azure_tenant_id + env: ARM_TENANT_ID + - name: azure_subscription_id + env: ARM_SUBSCRIPTION_ID + - name: azure_client_id + env: ARM_CLIENT_ID + - name: azure_client_secret + env: ARM_CLIENT_SECRET +parameters: + - name: tre_id + type: string + description: "The ID of the parent TRE instance e.g., mytre-dev-3142" + - name: id + type: string + description: "Resource ID" + - name: tfstate_resource_group_name + type: string + description: "Resource group containing the Terraform state storage account" + - name: tfstate_storage_account_name + type: string + description: "The name of the Terraform state storage account" + - name: tfstate_container_name + type: string + default: "tfstate" + description: "The name of the Terraform state storage container" + - name: arm_use_msi + env: ARM_USE_MSI + type: boolean + default: false + - name: admin_jumpbox_vm_sku + env: ADMIN_JUMPBOX_VM_SKU + type: string + default: Standard_B2s + +mixins: + - terraform: + clientVersion: 1.2.9 + +install: + - terraform: + description: "Deploy shared service" + input: false + vars: + tre_id: "{{ bundle.parameters.tre_id }}" + tre_resource_id: "{{ bundle.parameters.id }}" + admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}" + backendConfig: + resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}" + storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}" + container_name: "{{ bundle.parameters.tfstate_container_name }}" + key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm" + +upgrade: + - terraform: + description: "Upgrade shared service" + input: false + vars: + tre_id: "{{ bundle.parameters.tre_id }}" + tre_resource_id: "{{ bundle.parameters.id }}" + admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}" + backendConfig: + 
resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}" + storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}" + container_name: "{{ bundle.parameters.tfstate_container_name }}" + key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm" + outputs: + - name: gitea_allowed_fqdns_list + - name: address_prefixes + +uninstall: + - terraform: + description: "Tear down shared service" + input: false + vars: + tre_id: "{{ bundle.parameters.tre_id }}" + tre_resource_id: "{{ bundle.parameters.id }}" + admin_jumpbox_vm_sku: "{{ bundle.parameters.admin_jumpbox_vm_sku }}" + backendConfig: + resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}" + storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}" + container_name: "{{ bundle.parameters.tfstate_container_name }}" + key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm" diff --git a/templates/shared_services/admin-vm/template_schema.json b/templates/shared_services/admin-vm/template_schema.json new file mode 100644 index 0000000000..d4659f6b55 --- /dev/null +++ b/templates/shared_services/admin-vm/template_schema.json @@ -0,0 +1,23 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "$id": "https://github.com/microsoft/AzureTRE/templates/shared_services/gitea/template_schema.json", + "type": "object", + "title": "Admin VM Shared Service", + "description": "Provides VM in the core network", + "required": [], + "properties": { + "admin_jumpbox_vm_sku": { + "$id": "#/properties/admin_jumpbox_vm_sku", + "type": "string", + "enum": [ + "Standard_B2s", + "Standard_D2s_v3", + "Standard_D2s_v4", + "Standard_D2s_v5" + ], + "default": "Standard_B2s", + "title": "VM SKU", + "description": "The SKU of the VM that will be deployed." + } + } +} 
diff --git a/templates/shared_services/admin-vm/terraform/.terraform.lock.hcl b/templates/shared_services/admin-vm/terraform/.terraform.lock.hcl new file mode 100644 index 0000000000..aeef325d7f --- /dev/null +++ b/templates/shared_services/admin-vm/terraform/.terraform.lock.hcl 
@@ -0,0 +1,42 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.23.0" + constraints = "3.23.0" + hashes = [ + "h1:gL/GB7M9xFNr8SxyalWCkTUaYach2k1/0voy6hAqA0A=", + "zh:5856ee393eea2c5807d71794020ec16492b6a219c50fec816376c9c4c50d964a", + "zh:58883757371208106ae56b591759a7c308d9a3fd74fb38aefaebe00fee4e380f", + "zh:69aca3a6929e629d6fe1dc0c0ff105ee943e5d0f95fe0d8abb89965d5dbc07ce", + "zh:6cf146b28a5b82da39ee9b5def88e649ed831824b4e669aa60884743d4b08200", + "zh:756dfe6d54e54879bed340f0e05e72a3882a7e8f8f2e783b2064d8c27c9fa1c1", + "zh:76ed418c25160fe0be9158c82c425375d79e2427f4a8adbac061d4540c56de79", + "zh:8c4f42f67157619fdd21525049f5daf9eb4eb3681b43603570a65bd5d52939ff", + "zh:ae15665e0ebe6cb40894cd6b7b7345fe4a7d46ca024fc209e03caee3dff6b51d", + "zh:ba21ef2d27e6f96fccfa234201151e0ad195ec798cb5486fa70664e0f707b48a", + "zh:d0d9b21b65c7b110e599b78abfdc90cec0bafe2d1b1e0bb36c3a3d5d12ad63b4", + "zh:ea02b2e6de9ea4184db300903d75871b16b7e240f6b38c46f8b149878f47c739", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + constraints = "3.4.3" + hashes = [ + "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", + "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", 
+ "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + ] +} diff --git a/templates/core/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf similarity index 58% rename from templates/core/terraform/admin-jumpbox.tf rename to templates/shared_services/admin-vm/terraform/admin-jumpbox.tf index cd331423fa..9db1c0c24b 100644 --- a/templates/core/terraform/admin-jumpbox.tf +++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf @@ -1,12 +1,12 @@ resource "azurerm_network_interface" "jumpbox_nic" { name = "nic-vm-${var.tre_id}" - resource_group_name = azurerm_resource_group.core.name - location = azurerm_resource_group.core.location - tags = local.tre_core_tags + resource_group_name = data.azurerm_resource_group.rg.name + location = data.azurerm_resource_group.rg.location + tags = local.tre_shared_service_tags ip_configuration { name = "internalIPConfig" - subnet_id = module.network.shared_subnet_id + subnet_id = data.azurerm_subnet.shared.id private_ip_address_allocation = "Dynamic" } } @@ -26,16 +26,14 @@ resource "random_password" "password" { resource "azurerm_windows_virtual_machine" "jumpbox" { name = "vm-${var.tre_id}" - resource_group_name = azurerm_resource_group.core.name - location = azurerm_resource_group.core.location + resource_group_name = data.azurerm_resource_group.rg.name + location = data.azurerm_resource_group.rg.location network_interface_ids = [azurerm_network_interface.jumpbox_nic.id] size = var.admin_jumpbox_vm_sku allow_extension_operations = true admin_username = "adminuser" admin_password = random_password.password.result - tags = local.tre_core_tags - - custom_data = base64encode(data.template_file.vm_config.rendered) + tags = local.tre_shared_service_tags source_image_reference { publisher = "MicrosoftWindowsDesktop" 
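Review bot: `allow_extension_operations = true` is still set on `azurerm_windows_virtual_machine.jumpbox`, although this change drops `custom_data` here and removes the `config_script` CustomScriptExtension further down the same file. If no other extension is meant to run on the jumpbox, consider `allow_extension_operations = false`, so that extension deployment is not left open as a command-execution path on an admin VM attached to the shared subnet. This is inferred from the visible hunks only, so confirm that nothing else (for example a password-reset or monitoring extension) depends on it. The resource block starts and ends outside this hunk.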
@@ -43,41 +41,18 @@ resource "azurerm_windows_virtual_machine" "jumpbox" { sku = "win10-21h2-pro-g2" version = "latest" } + os_disk { name = "vm-dsk-${var.tre_id}" caching = "ReadWrite" storage_account_type = "Standard_LRS" } - - identity { - type = "SystemAssigned" - } } resource "azurerm_key_vault_secret" "jumpbox_credentials" { name = "${azurerm_windows_virtual_machine.jumpbox.name}-jumpbox-password" value = random_password.password.result - key_vault_id = azurerm_key_vault.kv.id - depends_on = [ - azurerm_key_vault_access_policy.deployer - ] -} -resource "azurerm_virtual_machine_extension" "config_script" { - name = "${azurerm_windows_virtual_machine.jumpbox.name}-vmextension" - virtual_machine_id = azurerm_windows_virtual_machine.jumpbox.id - publisher = "Microsoft.Compute" - type = "CustomScriptExtension" - type_handler_version = "1.10" - - settings = < Date: Wed, 21 Sep 2022 05:10:02 +0000 Subject: [PATCH 2/6] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d59844f27e..abdb51d651 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ FEATURES: ENHANCEMENTS: * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584)) -* Move admin-vm from core to a shared service ([#TBD](https://github.com/microsoft/AzureTRE/pull/TBD)) +* Move admin-vm from core to a shared service ([#2624](https://github.com/microsoft/AzureTRE/pull/2624)) BUG FIXES: From 3a29f03a3ad3affc8266bbce09178db685b507a5 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Wed, 21 Sep 2022 05:12:47 +0000 Subject: [PATCH 3/6] tf formatting --- templates/shared_services/admin-vm/terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/shared_services/admin-vm/terraform/variables.tf b/templates/shared_services/admin-vm/terraform/variables.tf index ebed808492..b52d21ea1e 100644 --- a/templates/shared_services/admin-vm/terraform/variables.tf +++ b/templates/shared_services/admin-vm/terraform/variables.tf @@ -9,5 +9,5 @@ variable "tre_resource_id" { } variable "admin_jumpbox_vm_sku" { - type = string + type = string } From 04e941a94e826ca8db4a3f34cb9e49ed738ac0a5 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Wed, 21 Sep 2022 05:16:22 +0000 Subject: [PATCH 4/6] fix --- templates/shared_services/admin-vm/porter.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/shared_services/admin-vm/porter.yaml b/templates/shared_services/admin-vm/porter.yaml index 04151601b5..50ae58f944 100644 --- a/templates/shared_services/admin-vm/porter.yaml +++ b/templates/shared_services/admin-vm/porter.yaml @@ -1,6 +1,6 @@ --- name: tre-shared-service-admin-vm -version: 0.1.1 +version: 0.1.0 description: "An admin vm shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -71,9 +71,6 @@ upgrade: storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}" container_name: "{{ bundle.parameters.tfstate_container_name }}" key: "{{ bundle.parameters.tre_id }}-shared-service-admin-vm" - outputs: - - name: gitea_allowed_fqdns_list - - name: address_prefixes uninstall: - terraform: From 90d42e3ff4cb5d9ddc4471f98de5a140a27d71b3 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Wed, 21 Sep 2022 05:20:26 +0000 Subject: [PATCH 5/6] fix --- .../admin-vm/terraform/deploy.sh | 22 ++++++++++++++++--- .../admin-vm/terraform/destroy.sh | 19 ++++++++++++++-- 2 files changed, 36 insertions(+), 5 deletions(-) 
diff --git a/templates/shared_services/admin-vm/terraform/deploy.sh b/templates/shared_services/admin-vm/terraform/deploy.sh index fb70897d72..f15ba8a684 100755 --- a/templates/shared_services/admin-vm/terraform/deploy.sh +++ b/templates/shared_services/admin-vm/terraform/deploy.sh @@ -1,13 +1,29 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset +# Uncomment this line to see each command for debugging (careful: this will show secrets!) +# set -o xtrace + + +# This script assumes you have created an .env from the sample and the variables +# will come from there. +# shellcheck disable=SC2154 export TF_VAR_docker_registry_server="$TF_VAR_acr_name.azurecr.io" -export TF_VAR_docker_registry_username=$TF_VAR_acr_name -export TF_VAR_docker_registry_password=$(az acr credential show --name ${TF_VAR_acr_name} --query passwords[0].value -o tsv | sed 's/"//g') +export TF_VAR_docker_registry_username="${TF_VAR_acr_name}" +TF_VAR_docker_registry_password=$(az acr credential show --name "${TF_VAR_acr_name}" --query passwords[0].value -o tsv | sed 's/"//g') +export TF_VAR_docker_registry_password export TF_LOG="" +# This script assumes you have created an .env from the sample and the variables +# will come from there. +# shellcheck disable=SC2154 terraform init -input=false -backend=true -reconfigure \ -backend-config="resource_group_name=$TF_VAR_mgmt_resource_group_name" \ -backend-config="storage_account_name=$TF_VAR_mgmt_storage_account_name" \ -backend-config="container_name=$TF_VAR_terraform_state_container_name" \ - -backend-config="key=${TRE_ID}-gitea" + -backend-config="key=tre-workspace-service-gitea-$TF_VAR_id" terraform plan terraform apply -auto-approve diff --git a/templates/shared_services/admin-vm/terraform/destroy.sh b/templates/shared_services/admin-vm/terraform/destroy.sh index 1c22951ecd..8ae3e7a479 100755 --- a/templates/shared_services/admin-vm/terraform/destroy.sh +++ b/templates/shared_services/admin-vm/terraform/destroy.sh 
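Review bot: The new backend key `key=tre-workspace-service-gitea-$TF_VAR_id` in `terraform init` does not match the key the bundle itself uses for this service, which `porter.yaml` sets to `{{ bundle.parameters.tre_id }}-shared-service-admin-vm`. A local run of this script would therefore plan and `apply -auto-approve` the admin-vm configuration against a state blob named for a gitea workspace service. If such a blob exists, Terraform would treat that service's resources as drift to be removed. The line should read `-backend-config="key=${TRE_ID}-shared-service-admin-vm"`. The same key is used in `destroy.sh` in this patch, where it sits in front of `terraform destroy -auto-approve`.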
@@ -1,13 +1,28 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset +# Uncomment this line to see each command for debugging (careful: this will show secrets!) +# set -o xtrace + +# This script assumes you have created an .env from the sample and the variables +# will come from there. +# shellcheck disable=SC2154 export TF_VAR_docker_registry_server="$TF_VAR_acr_name.azurecr.io" export TF_VAR_docker_registry_username=$TF_VAR_acr_name -export TF_VAR_docker_registry_password=$(az acr credential show --name ${TF_VAR_acr_name} --query passwords[0].value -o tsv | sed 's/"//g') +TF_VAR_docker_registry_password=$(az acr credential show --name "${TF_VAR_acr_name}" --query passwords[0].value -o tsv | sed 's/"//g') +export TF_VAR_docker_registry_password export TF_LOG="" +# This script assumes you have created an .env from the sample and the variables +# will come from there. +# shellcheck disable=SC2154 terraform init -input=false -backend=true -reconfigure \ -backend-config="resource_group_name=$TF_VAR_mgmt_resource_group_name" \ -backend-config="storage_account_name=$TF_VAR_mgmt_storage_account_name" \ -backend-config="container_name=$TF_VAR_terraform_state_container_name" \ - -backend-config="key=${TRE_ID}-gitea" + -backend-config="key=tre-workspace-service-gitea-$TF_VAR_id" terraform destroy -auto-approve From 7f2cde0753c984fd91f1f2c464a3ff9479133fde Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Wed, 21 Sep 2022 14:06:35 +0300 Subject: [PATCH 6/6] Update templates/shared_services/admin-vm/template_schema.json Co-authored-by: Anat Balzam <13421451+anatbal@users.noreply.github.com> --- templates/shared_services/admin-vm/template_schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/shared_services/admin-vm/template_schema.json b/templates/shared_services/admin-vm/template_schema.json index d4659f6b55..d644d49be7 100644 
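Review bot: The script still fetches the ACR admin password with `az acr credential show` and exports it as `TF_VAR_docker_registry_password`, although nothing visible in this module appears to consume it. `porter.yaml` passes only `tre_id`, `tre_resource_id` and `admin_jumpbox_vm_sku` to Terraform. If the remaining `.tf` files confirm that, drop the `az acr credential show` call and the three `TF_VAR_docker_registry_*` exports, so that a registry secret is not placed in the environment of every child process for no purpose. With `set -o errexit` now enabled, the unneeded call also aborts the teardown whenever the registry's admin user is disabled. `deploy.sh` in this patch carries the same lines.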
--- a/templates/shared_services/admin-vm/template_schema.json +++ b/templates/shared_services/admin-vm/template_schema.json @@ -1,6 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema", - "$id": "https://github.com/microsoft/AzureTRE/templates/shared_services/gitea/template_schema.json", + "$id": "https://github.com/microsoft/AzureTRE/templates/shared_services/admin-vm/template_schema.json", "type": "object", "title": "Admin VM Shared Service", "description": "Provides VM in the core network",