From a538225942800de10fadd07b415dbc29ce5abd66 Mon Sep 17 00:00:00 2001
From: marrobi
Date: Wed, 21 Sep 2022 10:08:44 +0000
Subject: [PATCH 01/10] Add workspace owner as EA owner

---
 templates/workspaces/base/porter.yaml | 2 +-
 templates/workspaces/base/terraform/aad/aad.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index 19939a80d9..224188cd37 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,6 +1,6 @@
 ---
 name: tre-workspace-base
-version: 0.3.31
+version: 0.3.32
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/terraform/aad/aad.tf b/templates/workspaces/base/terraform/aad/aad.tf
index c18ed4b5b3..ca6c26b8af 100644
--- a/templates/workspaces/base/terraform/aad/aad.tf
+++ b/templates/workspaces/base/terraform/aad/aad.tf
@@ -94,7 +94,7 @@ resource "azuread_application" "workspace" {
 resource "azuread_service_principal" "workspace" {
   application_id = azuread_application.workspace.application_id
   app_role_assignment_required = false
-  owners = [data.azuread_client_config.current.object_id]
+  owners = [data.azuread_client_config.current.object_id, var.workspace_owner_object_id]
 
   feature_tags {
     enterprise = true

From 8129c7c2ede9610a1c94a41231de905fee4d4d39 Mon Sep 17 00:00:00 2001
From: marrobi
Date: Wed, 21 Sep 2022 10:12:34 +0000
Subject: [PATCH 02/10] update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dcb948cec..718995e704 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
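Review bot: `var.workspace_owner_object_id` goes straight into `owners` with no validation visible in this hunk, and the variable's declaration is outside it, so an empty or malformed value would only surface as a provider error at apply time rather than a clear plan-time message; a `validation` block on the variable such as `condition = can(regex("^[0-9a-fA-F-]{36}$", var.workspace_owner_object_id))` would catch that early. Because an owner of a service principal can administer it, including its credentials, this line is a deliberate widening of who controls the workspace identity and deserves a why-comment, e.g. `# The workspace creator is made an owner so they can administer this enterprise application.`. The hunk only touches the service principal; if the creator is also meant to manage the `azuread_application.workspace` registration named in the hunk header, its `owners` (outside the hunk) would need the same entry — worth confirming. The `azuread_service_principal` block continues past the end of the hunk.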
@@ -14,6 +14,7 @@ FEATURES: ENHANCEMENTS: * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584)) +* Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)) BUG FIXES: From 83727c25939dda19f4b4cafb4aed0aeae8849c93 Mon Sep 17 00:00:00 2001 From: marrobi Date: Thu, 22 Sep 2022 11:25:25 +0000 Subject: [PATCH 03/10] Add required permission changes. --- CHANGELOG.md | 2 +- devops/scripts/create_aad_assets.sh | 2 +- docs/tre-admins/auth.md | 4 ++-- docs/tre-admins/identities/application_admin.md | 4 ++-- templates/core/.env.sample | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 718995e704..68ea988eb5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ **BREAKING CHANGES & MIGRATIONS**: * Firewall now blocks terraform/hasicorp domains ([#2590](https://github.com/microsoft/AzureTRE/pull/2590)). **Migration** is manual - update the templateVersion of `tre-shared-service-firewall` resource in Cosmos to `0.5.0`. Check the PR for more details. +* Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`. FEATURES: @@ -14,7 +15,6 @@ FEATURES: ENHANCEMENTS: * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584)) -* Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)) BUG FIXES: diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index a5dafe9e9b..a34f4fd875 100755 
--- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh @@ -26,7 +26,7 @@ fi APPLICATION_PERMISSION="Application.ReadWrite.OwnedBy" if [ "${AUTO_WORKSPACE_APP_REGISTRATION:-}" == true ]; then - APPLICATION_PERMISSION="Application.ReadWrite.All" + APPLICATION_PERMISSION="Application.ReadWrite.All,Directory.Read.All" fi if [ "${AUTO_WORKSPACE_GROUP_CREATION:-}" == true ]; then diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index e32131933b..e05af4cd62 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
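Review bot: The new assignment turns `APPLICATION_PERMISSION` from a single permission into a comma-separated list, and nothing in the hunk shows how the consumer of that variable parses it; if it is passed through as one token the script would request a permission literally named `Application.ReadWrite.All,Directory.Read.All`, which cannot be granted. Confirm that the consuming code (outside this hunk) splits on `,`, or use whatever separator it already handles. Separately, `Directory.Read.All` is a tenant-wide read grant; the series' changelog and docs say it is needed to read user details when adding the workspace creator as an owner, and if that is all it is used for a narrower scope such as `User.Read.All` may suffice — worth checking against the Graph calls actually made. A comment above the assignment, e.g. `# Directory.Read.All lets the identity resolve the workspace creator when adding them as an application owner`, would record why the extra permission is granted.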
@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable |TRE_ID|This is used to build up the name of the identities| |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.| | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Directory.Read.All` and `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. 
This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). ## Create Authentication assets You can build all of the Identity assets by running the following at the command line diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index 07bb469f14..a305361dc9 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -10,8 +10,8 @@ This application does not have any roles defined. | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | If the AAD Administrator has delegated AAD administrative operations to the TRE, then this user should be granted `Application.ReadWrite.All`. This will allow the user to create workspace applications and administer any applications in the tenant. There will be no need for the Tenant Admin to oversee the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is requried if Azure AD groups are to be created automatically by the TRE. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. IThis is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. 
| '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. diff --git a/templates/core/.env.sample b/templates/core/.env.sample index a485aec7c1..8c038d49cb 100644 --- a/templates/core/.env.sample +++ b/templates/core/.env.sample @@ -9,12 +9,12 @@ AAD_TENANT_ID=__CHANGE_ME__ # Auth configuration #################################### # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will create an identity with `Application.ReadWrite.OwnedBy`. -# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All`. +# Setting AUTO_WORKSPACE_APP_REGISTRATION to true will create an identity with `Application.ReadWrite.All` and `Directory.Read.All`. # When this is true, create Workspaces will also create an AAD Application automatically. # When this is false, the AAD Application will need creating manually. AUTO_WORKSPACE_APP_REGISTRATION=true -# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Directory.Read.All` and `Group.ReadWrite.All` +# Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All` AUTO_WORKSPACE_GROUP_CREATION=false # If your local machine/build agent cannot get the public IP From a2decd5be64059c4c64fa0c4fe53a7cb4ddd5d59 Mon Sep 17 00:00:00 2001 From: marrobi Date: Thu, 22 Sep 2022 13:00:44 +0000 Subject: [PATCH 04/10] up core version --- templates/core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/core/version.txt b/templates/core/version.txt index 6449cea9c6..4fef01e0d4 100644 --- a/templates/core/version.txt +++ b/templates/core/version.txt @@ -1 +1 @@ -__version__ = "0.4.27" +__version__ = "0.4.28" From d4c18892aae2860f9623a12d8f03e7a8d36d8691 Mon Sep 17 00:00:00 2001 
From: Marcus Robinson Date: Thu, 29 Sep 2022 12:31:08 +0100 Subject: [PATCH 05/10] Update CHANGELOG.md --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 46f83246e5..20e5f91222 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,13 +6,13 @@ **BREAKING CHANGES & MIGRATIONS**: * Firewall now blocks terraform/hasicorp domains ([#2590](https://github.com/microsoft/AzureTRE/pull/2590)). **Migration** is manual - update the templateVersion of `tre-shared-service-firewall` resource in Cosmos to `0.5.0`. Check the PR for more details. +* Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654)) +* Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655)) * Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`. FEATURES: * Add Airlock Manager Workspace ([#2505](https://github.com/microsoft/AzureTRE/pull/2505)) -* Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654)) -* Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655)) * Add Import Review Workspace ([#2498](https://github.com/microsoft/AzureTRE/issues/2498)) * Restrict resource templates to specific roles ([#2600](https://github.com/microsoft/AzureTRE/issues/2600)) * Import review user resource template ([#2601](https://github.com/microsoft/AzureTRE/issues/2601)) From 1ddd991ee1d39d70a65b5143f3411ccc8006af2a Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 12:31:51 +0100 Subject: [PATCH 06/10] Update CHANGELOG.md --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 20e5f91222..93d73828b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,6 @@ FEATURES: -* Add Airlock Manager Workspace ([#2505](https://github.com/microsoft/AzureTRE/pull/2505)) * Add Import Review Workspace ([#2498](https://github.com/microsoft/AzureTRE/issues/2498)) * Restrict resource templates to specific roles ([#2600](https://github.com/microsoft/AzureTRE/issues/2600)) * Import review user resource template ([#2601](https://github.com/microsoft/AzureTRE/issues/2601)) From df4f6591a390bd102771f83252bc26497d700a1b Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 12:32:39 +0100 Subject: [PATCH 07/10] Update CHANGELOG.md --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93d73828b3..11ff1e7652 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,6 @@ FEATURES: * Add Import Review Workspace ([#2498](https://github.com/microsoft/AzureTRE/issues/2498)) -* Restrict resource templates to specific roles ([#2600](https://github.com/microsoft/AzureTRE/issues/2600)) * Import review user resource template ([#2601](https://github.com/microsoft/AzureTRE/issues/2601)) * Airlock Manager can use user resources ([#2499](https://github.com/microsoft/AzureTRE/issues/2499)) * Users only see templates they are authorized to use ([#2640](https://github.com/microsoft/AzureTRE/issues/2640)) From adae4fb658cb7ea8475e338ed88b97cf8ff542bc Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 12:33:37 +0100 Subject: [PATCH 08/10] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11ff1e7652..4c88dad11b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,7 @@ FEATURES: * Add Import Review Workspace ([#2498](https://github.com/microsoft/AzureTRE/issues/2498)) +* Restrict resource templates to specific roles ([#2623](https://github.com/microsoft/AzureTRE/pull/2623/)) * Import review user resource template ([#2601](https://github.com/microsoft/AzureTRE/issues/2601)) * Airlock Manager can use user resources ([#2499](https://github.com/microsoft/AzureTRE/issues/2499)) * Users only see templates they are authorized to use ([#2640](https://github.com/microsoft/AzureTRE/issues/2640)) @@ -21,7 +22,6 @@ ENHANCEMENTS: * Cancelling an Airlock request triggers deletion of the request container and files ([#2584](https://github.com/microsoft/AzureTRE/pull/2584)) * Move admin-vm from core to a shared service ([#2624](https://github.com/microsoft/AzureTRE/pull/2624)) -* Restrict resource templates to specific roles ([#2623](https://github.com/microsoft/AzureTRE/pull/2623/)) BUG FIXES: From ea02a8e493536f285d528151316a4c993b07929b Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 12:34:10 +0100 Subject: [PATCH 09/10] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c88dad11b..caaf8dd129 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ FEATURES: * Add Import Review Workspace ([#2498](https://github.com/microsoft/AzureTRE/issues/2498)) -* Restrict resource templates to specific roles ([#2623](https://github.com/microsoft/AzureTRE/pull/2623/)) +* Restrict resource templates to specific roles ([#2600](https://github.com/microsoft/AzureTRE/issues/2600)) * Import review user resource template ([#2601](https://github.com/microsoft/AzureTRE/issues/2601)) * Airlock Manager can use user resources ([#2499](https://github.com/microsoft/AzureTRE/issues/2499)) * Users only see templates they are authorized to use ([#2640](https://github.com/microsoft/AzureTRE/issues/2640)) 
From 9a81af36a60c1c24b14c2465c740043eb9373b6d Mon Sep 17 00:00:00 2001 From: Marcus Robinson Date: Thu, 29 Sep 2022 12:35:46 +0100 Subject: [PATCH 10/10] Update application_admin.md --- docs/tre-admins/identities/application_admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index a305361dc9..85991a93a1 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -10,7 +10,7 @@ This application does not have any roles defined. | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. IThis is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | | Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. |