microsoft · tamirkamara · Oct 2, 2022 · Sep 30, 2022 · Sep 30, 2022 · Sep 30, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,7 @@ ENHANCEMENTS:
 * Move admin-vm from core to a shared service ([#2624](https://github.com/microsoft/AzureTRE/pull/2624))
 * Remove obsolete docker environment variables ([#2675](https://github.com/microsoft/AzureTRE/pull/2675))
 * Using Porter's Terrform mixin 1.0.0-rc.1 where mirror in done internally ([#2677](https://github.com/microsoft/AzureTRE/pull/2677))
+* Airlock function internal storage is accessed with private endpoints ([#2679](https://github.com/microsoft/AzureTRE/pull/2679))
 
 BUG FIXES:
 

diff --git a/templates/core/terraform/.terraform.lock.hcl b/templates/core/terraform/.terraform.lock.hcl
diff --git a/templates/core/terraform/airlock/airlock_processor.tf b/templates/core/terraform/airlock/airlock_processor.tf
@@ -31,13 +31,14 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {
-  name                       = local.airlock_function_app_name
-  resource_group_name        = var.resource_group_name
-  location                   = var.location
-  https_only                 = true
-  virtual_network_subnet_id  = var.airlock_processor_subnet_id
-  service_plan_id            = azurerm_service_plan.airlock_plan.id
-  storage_account_name       = azurerm_storage_account.sa_airlock_processor_func_app.name
+  name                      = local.airlock_function_app_name
+  resource_group_name       = var.resource_group_name
+  location                  = var.location
+  https_only                = true
+  virtual_network_subnet_id = var.airlock_processor_subnet_id
+  service_plan_id           = azurerm_service_plan.airlock_plan.id
+  storage_account_name      = azurerm_storage_account.sa_airlock_processor_func_app.name
+  # consider moving to a managed identity here
   storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
   tags                       = var.tre_core_tags
 
@@ -112,3 +113,31 @@ resource "azurerm_monitor_diagnostic_setting" "airlock_function_app" {
     }
   }
 }
+
+resource "azurerm_private_endpoint" "function_storage" {
+  for_each = {
+    Blob  = var.blob_core_dns_zone_id
+    File  = var.file_core_dns_zone_id
+    Queue = var.queue_core_dns_zone_id
+    Table = var.table_core_dns_zone_id
+  }
+  name                = "pe-${local.airlock_function_sa_name}-${lower(each.key)}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.airlock_storage_subnet_id
+  tags                = var.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group-${local.airlock_function_sa_name}"
+    private_dns_zone_ids = [each.value]
+  }
+
+  private_service_connection {
+    name                           = "psc-${local.airlock_function_sa_name}"
+    private_connection_resource_id = azurerm_storage_account.sa_import_in_progress.id
+    is_manual_connection           = false
+    subresource_names              = [each.key]
+  }
+}
diff --git a/templates/core/terraform/airlock/locals.tf b/templates/core/terraform/airlock/locals.tf
@@ -41,7 +41,7 @@ locals {
   export_approved_eventgrid_subscription_name   = "evgs-airlock-export-approved-blob-created"
 
   airlock_function_app_name = "func-airlock-processor-${var.tre_id}"
-  airlock_function_sa_name  = lower(replace("saairlockp${var.tre_id}", "-", ""))
+  airlock_function_sa_name  = lower(replace("stairlockp${var.tre_id}", "-", ""))
 
   airlock_sa_blob_data_contributor = [
     azurerm_storage_account.sa_import_external.id,

diff --git a/templates/core/terraform/airlock/storage_accounts.tf b/templates/core/terraform/airlock/storage_accounts.tf
@@ -20,11 +20,6 @@ resource "azurerm_storage_account" "sa_import_external" {
   lifecycle { ignore_changes = [tags] }
 }
 
-data "azurerm_private_dns_zone" "blobcore" {
-  name                = "privatelink.blob.core.windows.net"
-  resource_group_name = var.resource_group_name
-}
-
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
   name                = "stg-ex-import-blob-${var.tre_id}"
   location            = var.location
@@ -36,7 +31,7 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-export-app"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -80,7 +75,7 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-export-app"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -127,7 +122,7 @@ resource "azurerm_private_endpoint" "stg_import_inprogress_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-ip"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -172,7 +167,7 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-rej"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {
@@ -220,7 +215,7 @@ resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group-stg-import-blocked"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.blobcore.id]
+    private_dns_zone_ids = [var.blob_core_dns_zone_id]
   }
 
   private_service_connection {

diff --git a/templates/core/terraform/airlock/variables.tf b/templates/core/terraform/airlock/variables.tf
@@ -28,12 +28,6 @@ variable "mgmt_acr_name" {
   description = "Management ACR name"
 }
 
-variable "arm_subscription_id" {
-  description = "The TRE subscription id."
-  type        = string
-  default     = ""
-}
-
 variable "airlock_app_service_plan_sku_size" {
   type    = string
   default = "P1v3"
@@ -51,3 +45,8 @@ variable "enable_malware_scanning" {
 }
 
 variable "log_analytics_workspace_id" {}
+
+variable "blob_core_dns_zone_id" {}
+variable "file_core_dns_zone_id" {}
+variable "queue_core_dns_zone_id" {}
+variable "table_core_dns_zone_id" {}
diff --git a/templates/core/terraform/main.tf b/templates/core/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.19.1"
+      version = "=3.22.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -116,6 +116,10 @@ module "airlock_resources" {
   enable_malware_scanning               = var.enable_airlock_malware_scanning
   tre_core_tags                         = local.tre_core_tags
   log_analytics_workspace_id            = module.azure_monitor.log_analytics_workspace_id
+  blob_core_dns_zone_id                 = module.network.blob_core_dns_zone_id
+  file_core_dns_zone_id                 = module.network.file_core_dns_zone_id
+  queue_core_dns_zone_id                = module.network.queue_core_dns_zone_id
+  table_core_dns_zone_id                = module.network.table_core_dns_zone_id
 
   enable_local_debugging = var.enable_local_debugging
   myip                   = local.myip

diff --git a/templates/core/terraform/network/dns_zones.tf b/templates/core/terraform/network/dns_zones.tf
@@ -256,3 +256,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "eventgridlink" {
 
   lifecycle { ignore_changes = [tags] }
 }
+
+resource "azurerm_private_dns_zone" "private_dns_zones" {
+  for_each            = local.private_dns_zone_names
+  name                = each.key
+  resource_group_name = var.resource_group_name
+  tags                = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "private_dns_zone_links" {
+  for_each              = azurerm_private_dns_zone.private_dns_zones
+  name                  = each.value.name
+  resource_group_name   = var.resource_group_name
+  private_dns_zone_name = each.value.name
+  virtual_network_id    = azurerm_virtual_network.core.id
+  tags                  = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
diff --git a/templates/core/terraform/network/locals.tf b/templates/core/terraform/network/locals.tf
@@ -22,4 +22,9 @@ locals {
     tre_id              = var.tre_id
     tre_core_service_id = var.tre_id
   }
+
+  private_dns_zone_names = toset([
+    "privatelink.queue.core.windows.net",
+    "privatelink.table.core.windows.net",
+  ])
 }
diff --git a/templates/core/terraform/network/outputs.tf b/templates/core/terraform/network/outputs.tf
@@ -34,18 +34,16 @@ output "airlock_events_subnet_id" {
   value = azurerm_subnet.airlock_events.id
 }
 
-output "private_dns_zone_azurewebsites_id" {
-  value = azurerm_private_dns_zone.azurewebsites.id
+output "resource_processor_subnet_id" {
+  value = azurerm_subnet.resource_processor.id
 }
 
+# DNS Zones
+
 output "private_dns_zone_mysql_id" {
   value = azurerm_private_dns_zone.mysql.id
 }
 
-output "resource_processor_subnet_id" {
-  value = azurerm_subnet.resource_processor.id
-}
-
 output "azure_monitor_dns_zone_id" {
   value = azurerm_private_dns_zone.azure_monitor.id
 }
@@ -73,3 +71,15 @@ output "azurewebsites_dns_zone_id" {
 output "static_web_dns_zone_id" {
   value = azurerm_private_dns_zone.static_web.id
 }
+
+output "file_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.filecore.id
+}
+
+output "queue_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.private_dns_zones["privatelink.queue.core.windows.net"].id
+}
+
+output "table_core_dns_zone_id" {
+  value = azurerm_private_dns_zone.private_dns_zones["privatelink.table.core.windows.net"].id
+}
diff --git a/templates/core/version.txt b/templates/core/version.txt
@@ -1 +1 @@
-__version__ = "0.4.30"
+__version__ = "0.4.31"