diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ae7e65f5c..3ea419da2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ ENHANCEMENTS:
 * Move admin-vm from core to a shared service ([#2624](https://github.com/microsoft/AzureTRE/pull/2624))
 * Remove obsolete docker environment variables ([#2675](https://github.com/microsoft/AzureTRE/pull/2675))
 * Using Porter's Terrform mixin 1.0.0-rc.1 where mirror in done internally ([#2677](https://github.com/microsoft/AzureTRE/pull/2677))
+* Airlock function internal storage is accessed with private endpoints ([#2679](https://github.com/microsoft/AzureTRE/pull/2679))
 
 BUG FIXES:
 
diff --git a/templates/core/terraform/.terraform.lock.hcl b/templates/core/terraform/.terraform.lock.hcl
index 0244cb279e..932eb9f5c7 100644
--- a/templates/core/terraform/.terraform.lock.hcl
+++ b/templates/core/terraform/.terraform.lock.hcl
@@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.19.1" - constraints = ">= 3.8.0, >= 3.16.0, 3.19.1" + version = "3.22.0" + constraints = ">= 3.8.0, >= 3.16.0, 3.22.0" hashes = [ - "h1:S50prXRxznk1Mk+SAUUsuDTGS96uxJMXVYHYlAYwYXk=", - "zh:0f3be13c20832d64f587e44e2aa461d6573d9ee4d870e9cfdb1f9e41a5f0ebcc", - "zh:17dcf38e9cc9b930c4f2f653ec71125e7ec5da72749f950234afb65a9d8bbb89", - "zh:2c8f949aec006afecd9286e9193f2894b036759fa8583e01e28eadd39b4a805b", - "zh:3a07630c200c09416dcfcbafdf535718cee54367c3b4dde6f7a92d98b43455b5", - "zh:422d8dc6a625927a04fc6c0f8e050ff92e3165e213b2db7ff1b6d78da0c2cb8b", - "zh:5bd44982a537906aea8dda96437dc4f98a39cc3e0b7ee52e87e1a7cda8d2ebf3", - "zh:91a75e8306947e58b58f0906f1540f3197426c993844cfc9504caa7aff9c62a4", - "zh:9e46d8baf67f97af34904de29b2c83c1fa7d1dc1f618f22c137ea15504f0562b", - "zh:bc13b3fced8df07c43b0a04fb3a88ae1b95ee9932b46b1a3d487f0d549ff9714", - "zh:bd10e9a68247951a7b5045b35f9058f1d11b8178c33e8323bf201f2339c9d0e2", - "zh:f41fe475fa54050fa3cae8b2cbb1bf350028acac4a129455cf018b5f7a666e00", + "h1:bxkMviG7vvNV2aPZQPall0mdIGOojsYeJvKbscPCZeM=", + "zh:03441438f73965fef3a60582573dc9137baf3142d157f16a8c187f7995bf968e", + "zh:1a45946e3ad479745e01eb28283beba4b7c63a94d29ccd3afa3adb8aac41ffa7", + "zh:457352525d3744a9f5d809a68e61ba51ad022fa012d0f092f04e31730700977d", + "zh:48c4ac83fbf5c7295ffe9b8f6a2f3e25d40361b53a8c77f1516973c714862805", + "zh:48c503892d780977405b4ef23db55d1216bbe96a592de63769f827cf3d5e092a", + "zh:5d5935681f91af8a44772262d7f6f1ed0a4b4e113236cc166559ff57b2c936c4", + "zh:61377b5edefdfe96b160a10b1b86b6faef02b813ea7d3d9cbcd8bc664c3293ed", + "zh:73b0696146afd6ff360138425973b3349cb2a45f13094a861d9c162c23e0d796", + "zh:8b2178ca3e1618107a7d5d68f57ca239c68b70a60cdae1c0a3e3ba867282ba25", + "zh:a4021c34ee777863f032425774485adab1d4aba10ce38eb415b5c3a3179423a4", + "zh:c66daaf59d5750b1e49706ffa052cb4467280b0cb481fdd4f7618bb8b9d1edb1", 
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }
diff --git a/templates/core/terraform/airlock/airlock_processor.tf b/templates/core/terraform/airlock/airlock_processor.tf
index b7ec9bb62a..957ab8d9a5 100644
--- a/templates/core/terraform/airlock/airlock_processor.tf
+++ b/templates/core/terraform/airlock/airlock_processor.tf
@@ -31,13 +31,14 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {
-  name                      = local.airlock_function_app_name
-  resource_group_name       = var.resource_group_name
-  location                  = var.location
-  https_only                = true
-  virtual_network_subnet_id = var.airlock_processor_subnet_id
-  service_plan_id           = azurerm_service_plan.airlock_plan.id
-  storage_account_name      = azurerm_storage_account.sa_airlock_processor_func_app.name
+  name                       = local.airlock_function_app_name
+  resource_group_name        = var.resource_group_name
+  location                   = var.location
+  https_only                 = true
+  virtual_network_subnet_id  = var.airlock_processor_subnet_id
+  service_plan_id            = azurerm_service_plan.airlock_plan.id
+  storage_account_name       = azurerm_storage_account.sa_airlock_processor_func_app.name
+  # consider moving to a managed identity here
   storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
 
   tags = var.tre_core_tags
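Review bot: The function app still authenticates to its own storage account with `primary_access_key`, and the comment added above `storage_account_access_key` only defers the fix; that key is written into the app's settings, so anyone who can read the function app configuration holds full-control credentials for the account. The azurerm 3.22.0 provider pinned in this change should support `storage_uses_managed_identity = true` together with an `identity { type = "SystemAssigned" }` block and a Storage Blob Data Owner role assignment on the account, which would remove the key from the configuration altogether. If that is out of scope for this PR, the comment should at least become a tracked `# TODO(<issue>): replace storage_account_access_key with storage_uses_managed_identity` so it is not lost. The `azurerm_linux_function_app` resource continues past the end of this hunk, so `site_config` and any existing `identity` block are not visible here.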
@@ -112,3 +113,31 @@ resource "azurerm_monitor_diagnostic_setting" "airlock_function_app" {
     }
   }
 }
+
+resource "azurerm_private_endpoint" "function_storage" {
+  for_each = {
+    Blob  = var.blob_core_dns_zone_id
+    File  = var.file_core_dns_zone_id
+    Queue = var.queue_core_dns_zone_id
+    Table = var.table_core_dns_zone_id
+  }
+  name                = "pe-${local.airlock_function_sa_name}-${lower(each.key)}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.airlock_storage_subnet_id
+  tags                = var.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-${local.airlock_function_sa_name}"
+    private_dns_zone_ids = [each.value]
+  }
+
+  private_service_connection {
+    name                           = "psc-${local.airlock_function_sa_name}"
+    private_connection_resource_id = azurerm_storage_account.sa_import_in_progress.id
+    is_manual_connection           = false
+    subresource_names              = [each.key]
+  }
+}
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
index b288c50bfb..6a108f79a9 100644
--- a/templates/core/terraform/airlock/locals.tf
+++ b/templates/core/terraform/airlock/locals.tf
@@ -41,7 +41,7 @@ locals {
   export_approved_eventgrid_subscription_name = "evgs-airlock-export-approved-blob-created"
 
   airlock_function_app_name = "func-airlock-processor-${var.tre_id}"
-  airlock_function_sa_name  = lower(replace("saairlockp${var.tre_id}", "-", ""))
+  airlock_function_sa_name  = lower(replace("stairlockp${var.tre_id}", "-", ""))
 
   airlock_sa_blob_data_contributor = [
     azurerm_storage_account.sa_import_external.id,
diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf
index dbb4d3175b..08f9f37ed8 100644
--- a/templates/core/terraform/airlock/storage_accounts.tf
+++ b/templates/core/terraform/airlock/storage_accounts.tf
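Review bot: The new `azurerm_private_endpoint.function_storage` connects to `azurerm_storage_account.sa_import_in_progress.id`, yet its name, its DNS zone group and the Blob/File/Queue/Table subresources are all built around the function app's own storage account (`local.airlock_function_sa_name`), and the changelog entry in this PR describes private endpoints for the function's internal storage. As written, `sa_airlock_processor_func_app` (the account the function app references via `storage_account_name` earlier in this file) gets no private endpoint at all, while the in-progress account receives four endpoints it has no use for; `private_connection_resource_id = azurerm_storage_account.sa_airlock_processor_func_app.id` appears to be the intended target. Private endpoints on their own also do not cut off public access: whether the function's traffic actually stays on the private link depends on the storage account's `network_rules` / `public_network_access_enabled` and on the app routing all outbound traffic through the VNet (`site_config.vnet_route_all_enabled`), neither of which is visible in this hunk, so they should be confirmed together with this fix.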
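Review bot: Changing the prefix in `airlock_function_sa_name` from `saairlockp` to `stairlockp` changes the Azure storage account name, which is immutable; if `sa_airlock_processor_func_app` takes its name from this local (not shown in this hunk), every existing deployment will see that account destroyed and recreated on upgrade, and the function app that uses it for its content share and runtime state loses that data. This is not a cosmetic rename and should be called out in the changelog/upgrade notes, with the plan for an upgraded environment checked for a `must be replaced` entry before merging. The `locals` block continues outside the hunk, so other uses of the local are not visible here.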
@@ -20,11 +20,6 @@ resource "azurerm_storage_account" "sa_import_external" {
   lifecycle { ignore_changes = [tags] }
 }
 
-data "azurerm_private_dns_zone" "blobcore" {
-  name                = "privatelink.blob.core.windows.net"
-  resource_group_name = var.resource_group_name
-}
-
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
   name                = "stg-ex-import-blob-${var.tre_id}"
   location            = var.location
@@ -36,7 +31,7 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-export-app"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -80,7 +75,7 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-export-app"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -127,7 +122,7 @@ resource "azurerm_private_endpoint" "stg_import_inprogress_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-ip"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -172,7 +167,7 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-rej"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -220,7 +215,7 @@ resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-blocked"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
diff --git a/templates/core/terraform/airlock/variables.tf b/templates/core/terraform/airlock/variables.tf
index 79d95f8088..adfa8f0a08 100644
--- a/templates/core/terraform/airlock/variables.tf
+++ b/templates/core/terraform/airlock/variables.tf
@@ -28,12 +28,6 @@ variable "mgmt_acr_name" {
   description = "Management ACR name"
 }
 
-variable "arm_subscription_id" {
-  description = "The TRE subscription id."
-  type        = string
-  default     = ""
-}
-
 variable "airlock_app_service_plan_sku_size" {
   type    = string
   default = "P1v3"
@@ -51,3 +45,8 @@ variable "enable_malware_scanning" {
 }
 
 variable "log_analytics_workspace_id" {}
+
+variable "blob_core_dns_zone_id" {}
+variable "file_core_dns_zone_id" {}
+variable "queue_core_dns_zone_id" {}
+variable "table_core_dns_zone_id" {}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
index 91f82b938b..9b88109736 100644
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.19.1"
+      version = "=3.22.0"
     }
     random = {
       source = "hashicorp/random"
@@ -116,6 +116,10 @@ module "airlock_resources" {
   enable_malware_scanning    = var.enable_airlock_malware_scanning
   tre_core_tags              = local.tre_core_tags
   log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
+  blob_core_dns_zone_id      = module.network.blob_core_dns_zone_id
+  file_core_dns_zone_id      = module.network.file_core_dns_zone_id
+  queue_core_dns_zone_id     = module.network.queue_core_dns_zone_id
+  table_core_dns_zone_id     = module.network.table_core_dns_zone_id
   enable_local_debugging     = var.enable_local_debugging
   myip                       = local.myip
 
diff --git a/templates/core/terraform/network/dns_zones.tf b/templates/core/terraform/network/dns_zones.tf
index 497a977fc0..1684e45a9d 100644
--- a/templates/core/terraform/network/dns_zones.tf
+++ b/templates/core/terraform/network/dns_zones.tf
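Review bot: The four new inputs `blob_core_dns_zone_id` through `table_core_dns_zone_id` are declared as bare `variable "…" {}` with no `type` and no `description`, while the `arm_subscription_id` variable removed in the same hunk carried both; an untyped variable accepts any value, so a wrong attribute wired in from `main.tf` only fails at apply time instead of at plan. Declare each one as `variable "blob_core_dns_zone_id" { type = string  description = "Resource ID of the privatelink.blob.core.windows.net private DNS zone" }` and likewise for the file, queue and table zones. Dropping `arm_subscription_id` is also a breaking change for any caller that still passes it, since Terraform rejects unknown module arguments; the `main.tf` hunk in this change does not pass it, but other callers of the module are not visible here.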
@@ -256,3 +256,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "eventgridlink" {
 
   lifecycle { ignore_changes = [tags] }
 }
+
+resource "azurerm_private_dns_zone" "private_dns_zones" {
+  for_each            = local.private_dns_zone_names
+  name                = each.key
+  resource_group_name = var.resource_group_name
+  tags                = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "private_dns_zone_links" {
+  for_each              = azurerm_private_dns_zone.private_dns_zones
+  name                  = each.value.name
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = each.value.name
+  virtual_network_id    = azurerm_virtual_network.core.id
+  tags                  = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
diff --git a/templates/core/terraform/network/locals.tf b/templates/core/terraform/network/locals.tf
index 97cdeb4ef1..286de4d67f 100644
--- a/templates/core/terraform/network/locals.tf
+++ b/templates/core/terraform/network/locals.tf
@@ -22,4 +22,9 @@ locals {
     tre_id              = var.tre_id
     tre_core_service_id = var.tre_id
   }
+
+  private_dns_zone_names = toset([
+    "privatelink.queue.core.windows.net",
+    "privatelink.table.core.windows.net",
+  ])
 }
diff --git a/templates/core/terraform/network/outputs.tf b/templates/core/terraform/network/outputs.tf
index f018fe75a9..752cfb0a05 100644
--- a/templates/core/terraform/network/outputs.tf
+++ b/templates/core/terraform/network/outputs.tf
@@ -34,18 +34,16 @@ output "airlock_events_subnet_id" {
   value = azurerm_subnet.airlock_events.id
 }
 
-output "private_dns_zone_azurewebsites_id" {
-  value = azurerm_private_dns_zone.azurewebsites.id
+output "resource_processor_subnet_id" {
+  value = azurerm_subnet.resource_processor.id
 }
 
+# DNS Zones
+
 output "private_dns_zone_mysql_id" {
   value = azurerm_private_dns_zone.mysql.id
 }
 
-output "resource_processor_subnet_id" {
-  value = azurerm_subnet.resource_processor.id
-}
-
 output "azure_monitor_dns_zone_id" {
   value = azurerm_private_dns_zone.azure_monitor.id
 }
@@ -73,3 +71,15 @@ output "azurewebsites_dns_zone_id" {
 output "static_web_dns_zone_id" {
   value = azurerm_private_dns_zone.static_web.id
 }
+
+output "file_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.filecore.id
+}
+
+output "queue_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.private_dns_zones["privatelink.queue.core.windows.net"].id
+}
+
+output "table_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.private_dns_zones["privatelink.table.core.windows.net"].id
+}
diff --git a/templates/core/version.txt b/templates/core/version.txt
index b6f65f35da..e2b01a98c0 100644
--- a/templates/core/version.txt
+++ b/templates/core/version.txt
@@ -1 +1 @@
-__version__ = "0.4.30"
+__version__ = "0.4.31"
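Review bot: The output `private_dns_zone_azurewebsites_id` is removed in the first hunk, so any remaining reference to `module.network.private_dns_zone_azurewebsites_id` in the core template will now fail at plan time, and the `main.tf` hunks in this change do not show any such reference being updated. The hunk header shows a separate `azurewebsites_dns_zone_id` output still present, so this is presumably a duplicate being dropped, but a search for the old name is worth doing before merging. The new `file_core_dns_zone_id` output also references `azurerm_private_dns_zone.filecore`, which this diff does not create; it is assumed to already exist in `dns_zones.tf` alongside the blob zone, and a short comment such as `# blob/file zones are declared individually in dns_zones.tf; queue/table come from the for_each set` would help the next reader understand why the four storage zones are managed two different ways.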