AppService plan SKU support in GitHub Actions

.github/actions/devcontainer_run_command/action.yml

@@ -95,6 +95,14 @@ inputs:
     description: "Log level for terraform - values are blank | DEBUG | TRACE"
     required: false
     default: ""
+  CORE_APP_SERVICE_PLAN_SKU:
+    description: "The AppService plan sku used in core resources"
+    required: false
+    default: ""
+  WORKSPACE_APP_SERVICE_PLAN_SKU:
+    description: "The AppService plan sku used by tests"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -162,5 +170,9 @@ runs:
           -e TF_VAR_stateful_resources_locked=${{ inputs.STATEFUL_RESOURCES_LOCKED }} \
           -e TF_VAR_enable_airlock_malware_scanning=${{ inputs.ENABLE_AIRLOCK_MALWARE_SCANNING }} \
           -e CI_CACHE_ACR_NAME="${{ inputs.CI_CACHE_ACR_NAME }}" \
+          -e TF_VAR_core_app_service_plan_sku="${{ (inputs.CORE_APP_SERVICE_PLAN_SKU != ''
+            && inputs.CORE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \
+          -e WORKSPACE_APP_SERVICE_PLAN_SKU="${{ (inputs.WORKSPACE_APP_SERVICE_PLAN_SKU != ''
+            && inputs.WORKSPACE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}.azurecr.io/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c "${{ inputs.COMMAND }}"

.github/workflows/deploy_tre.yml

@@ -56,3 +56,5 @@ jobs:
       TRE_ADDRESS_SPACE: ${{ secrets.TRE_ADDRESS_SPACE }}
       TRE_ID: ${{ secrets.TRE_ID }}
       CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
+      CORE_APP_SERVICE_PLAN_SKU: ${{ secrets.CORE_APP_SERVICE_PLAN_SKU }}
+      WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ secrets.WORKSPACE_APP_SERVICE_PLAN_SKU }}

.github/workflows/deploy_tre_branch.yml

@@ -83,3 +83,5 @@ jobs:
       TRE_ID: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }}
       CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
       TF_LOG: ${{ secrets.TF_LOG }}
+      CORE_APP_SERVICE_PLAN_SKU: ${{ secrets.CORE_APP_SERVICE_PLAN_SKU }}
+      WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ secrets.WORKSPACE_APP_SERVICE_PLAN_SKU }}

.github/workflows/deploy_tre_reusable.yml

@@ -100,7 +100,12 @@ on:  # yamllint disable-line rule:truthy
       AZURE_CREDENTIALS:
         description: ""
         required: true
-
+      CORE_APP_SERVICE_PLAN_SKU:
+        description: ""
+        required: false
+      WORKSPACE_APP_SERVICE_PLAN_SKU:
+        description: ""
+        required: false
 
 # This will prevent multiple runs of this entire workflow.
 # We should NOT cancel in progress runs as that can destabilize the environment.
@@ -289,6 +294,7 @@ jobs:
           APPLICATION_ADMIN_CLIENT_ID: "${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}"
           APPLICATION_ADMIN_CLIENT_SECRET: "${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}"
           STATEFUL_RESOURCES_LOCKED: "${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
+          CORE_APP_SERVICE_PLAN_SKU: ${{ secrets.CORE_APP_SERVICE_PLAN_SKU }}
 
       - name: API Healthcheck
         uses: ./.github/actions/devcontainer_run_command
@@ -611,6 +617,7 @@ jobs:
           TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
           TRE_ID: "${{ secrets.TRE_ID }}"
           IS_API_SECURED: false
+          WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ secrets.WORKSPACE_APP_SERVICE_PLAN_SKU }}
 
       - name: Upload Test Results
         if: always()
@@ -658,6 +665,7 @@ jobs:
           TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
           TRE_ID: "${{ secrets.TRE_ID }}"
           IS_API_SECURED: false
+          WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ secrets.WORKSPACE_APP_SERVICE_PLAN_SKU }}
 
       - name: Upload Test Results
         if: always()
@@ -697,8 +705,13 @@ jobs:
           details_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
       - name: Notify teams channel
+        env:
+          MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
         # notify only if failure
-        if: env.WORKFLOW_CONCLUSION == 'failure' && (github.ref == 'refs/heads/main' && inputs.prRef == '')
+        if: |
+          env.WORKFLOW_CONCLUSION == 'failure' &&
+          env.MS_TEAMS_WEBHOOK_URI != '' &&
+          (github.ref == 'refs/heads/main' && inputs.prRef == '')
         uses: sachinkundu/ms-teams-notification@1.4
         with:
           github-token: ${{ github.token }}

CHANGELOG.md

@@ -9,6 +9,7 @@
 * Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654))
 * Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655))
 * Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`.
+* Add support for setting AppService plan SKU in GitHub Actions. Previous environment variable names of `API_APP_SERVICE_PLAN_SKU_SIZE` and `APP_SERVICE_PLAN_SKU` have been renamed to `CORE_APP_SERVICE_PLAN_SKU` and `WORKSPACE_APP_SERVICE_PLAN_SKU` ([#2684](https://github.com/microsoft/AzureTRE/pull/2684))
 
 FEATURES:
 

docs/azure-tre-overview/architecture.md

@@ -15,9 +15,6 @@ The Azure TRE core plane consists of two groups of components:
 - API & Composition Service
 - Shared Services
 
-!!! todo
-    The Shared Services [#23](https://github.com/microsoft/AzureTRE/issues/23) and Firewall Shared Service [#882](https://github.com/microsoft/AzureTRE/issues/882) are still work in progress.
-
 The TRE API is a service that users can interact with to request changes to workspaces e.g., to create, update, delete workspaces and workspace services inside each workspace. The Composition Service is doing the actual work of mutating the state of each Workspace including the Workspace Services.
 
 Ingress/egress components governs all inbound and outbound traffic from the public Internet to and from Azure TRE including the Workspaces. The Firewall Service is managing the egress rules of the Firewall.

docs/azure-tre-overview/user-roles.md

@@ -20,6 +20,9 @@ While we have defined 8 different user roles for the Azure TRE solution, not all
 | Data engineer | Move data to and potentially from the TRE | |
 | Information security officer | Validate and sign-off TRE deployment | |
 
+!!! info
+    More granular RBAC information is available [here](../tre-developers/api-permissions-map.md).
+
 ## Azure administrator
 
 Provisions the Azure TRE solution in an Azure subscription and performs tasks that require knowledge of Azure operations and has access to the Azure subscription.

docs/tre-admins/environment-variables.md

@@ -34,3 +34,5 @@
 | `ENABLE_LOCAL_DEBUGGING` | Set to `false` by default. Setting this to `true` will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos) |
 | `PUBLIC_DEPLOYMENT_IP_ADDRESS` | The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from [https://ipecho.net/plain](https://ipecho.net/plain) does not work. If this is the case, then you can 'hardcode' your IP. |
 | `RESOURCE_PROCESSOR_VMSS_SKU` | The SKU of the VMMS to use for the resource processing VM. |
+| `CORE_APP_SERVICE_PLAN_SKU` | The SKU of AppService plans created for the core infrastructure. |
+| `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |

docs/tre-admins/setup-instructions/workflows.md

@@ -6,7 +6,7 @@ Deployment is done using the `/.github/workflows/deploy_tre.yml` workflow. This
 
 ## Setup instructions
 
-Before you can run the `deploy_tre.yml` pipeline there are some one-time configuration steps that we need to do, similar to the Pre-deployment steps for manual deployment.
+Before you can run the `deploy_tre.yml` workflow there are some one-time configuration steps that we need to do, similar to the Pre-deployment steps for manual deployment.
 
 !!! tip
     In some of the steps below, you are asked to configure repository secrets. Follow the [GitHub guide](https://docs.github.com/en/actions/security-guides/encrypted-secrets) on creating repository secrets if you are unfamiliar with this step.
@@ -107,7 +107,7 @@ Configure the TEST_WORKSPACE_APP_ID repository secret
 The `deploy_tre.yml` workflow sends a notification to a Microsoft Teams channel when it finishes running.
 
 !!! note
-    If you don't want to notify a channel, you can also remove the **Notify dedicated teams channel** steps in the pipeline
+    If you don't want to notify a channel, you can also remove the **Notify dedicated teams channel** steps in the workflow
 
 1. Follow the [Microsoft Docs](https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook) to create a webhook for your channel
 
@@ -119,7 +119,7 @@ The `deploy_tre.yml` workflow sends a notification to a Microsoft Teams channel
 
 ### Configure repository secrets
 
-Configure additional repository secrets used in the deployment pipeline
+Configure additional repository secrets used in the deployment workflow
 
 | <div style="width: 230px">Secret name</div> | Description |
 | ----------- | ----------- |
@@ -129,6 +129,8 @@ Configure additional repository secrets used in the deployment pipeline
 | `CORE_ADDRESS_SPACE` |  The address space for the Azure TRE core virtual network. E.g. `10.1.0.0/22`. Recommended `/22` or larger.  |
 | `TRE_ADDRESS_SPACE` | The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. `10.0.0.0/12`|
 | `TERRAFORM_STATE_CONTAINER_NAME` | Optional. The name of the blob container to hold the Terraform state. Default value is `tfstate`. |
+| `CORE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan for core infrastructure. Default value is `P1v2`. |
+| `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests. Default value is `P1v2`. |
 
 ### Deploy the TRE using the workflow
 

docs/tre-admins/start-stop.md

@@ -96,20 +96,14 @@ foreach ($Group in $ResourceGroups)
   foreach ($item in $VMSS)
   {
     Write-Output "Stopping $($item.Name)"
-    # Native command will generate an error when run in automation
-    # Stop-AzVmss -ResourceGroupName $item.ResourceGroupName -VMScaleSetName $item.Name
-    $restUri='https://management.azure.com/subscriptions/'+$azContext.Subscription.Id+'/resourceGroups/'+$Group.ResourceGroupName+'/providers/Microsoft.Compute/virtualMachineScaleSets/'+$item.Name+'/deallocate?api-version=2022-03-01'
-    $response = Invoke-RestMethod -Uri $restUri -Method POST -Headers $authHeader
+    Stop-AzVmss -ResourceGroupName $item.ResourceGroupName -VMScaleSetName $item.Name -Force
   }
 
   $VM = Get-AzVM -ResourceGroupName $Group.ResourceGroupName
   foreach ($item in $VM)
   {
     Write-Output "Stopping $($item.Name)"
-    # Native command will generate an error when run in automation
-    # Stop-AzVm -ResourceGroupName $item.ResourceGroupName -Name $item.Name
-    $restUri='https://management.azure.com/subscriptions/'+$azContext.Subscription.Id+'/resourceGroups/'+$Group.ResourceGroupName+'/providers/Microsoft.Compute/virtualMachines/'+$item.Name+'/deallocate?api-version=2022-03-01'
-    $response = Invoke-RestMethod -Uri $restUri -Method POST -Headers $authHeader
+    Stop-AzVm -ResourceGroupName $item.ResourceGroupName -Name $item.Name -Force
   }
 
   $WorkspaceResourceGroups = Get-AzResourceGroup -Name "$($Group.ResourceGroupName)-ws-*"
@@ -119,10 +113,7 @@ foreach ($Group in $ResourceGroups)
     foreach ($item in $VM)
     {
       Write-Output "Stopping $($item.Name)"
-      # Native command will generate an error when run in automation
-      # Stop-AzVm -ResourceGroupName $item.ResourceGroupName -Name $item.Name
-      $restUri='https://management.azure.com/subscriptions/'+$azContext.Subscription.Id+'/resourceGroups/'+$Group.ResourceGroupName+'/providers/Microsoft.Compute/virtualMachines/'+$item.Name+'/deallocate?api-version=2022-03-01'
-      $response = Invoke-RestMethod -Uri $restUri -Method POST -Headers $authHeader
+      Stop-AzVm -ResourceGroupName $item.ResourceGroupName -Name $item.Name -Force
     }
   }
 }

e2e_tests/.env.sample

@@ -13,3 +13,6 @@ TEST_USER_NAME=<username for custom e2e tester user>
 TEST_USER_PASSWORD=<password for custom e2e tester user>
 TEST_WORKSPACE_APP_ID=<workspace app registration client id>
 TEST_WORKSPACE_APP_SECRET=<workspace app registration client secret>
+
+# TODO: move to RP default with https://github.com/microsoft/AzureTRE/pull/2634
+WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2"

e2e_tests/airlock/request.py

@@ -99,7 +99,7 @@ async def wait_for_status(
             break
 
         LOGGER.info(f"Waiting for request status: {request_status}, current status is {current_status}")
-        await asyncio.sleep(2)
+        await asyncio.sleep(5)
 
 
 def is_final_status(status):

e2e_tests/config.py

@@ -16,7 +16,7 @@
 TEST_ACCOUNT_CLIENT_SECRET: str = config("TEST_ACCOUNT_CLIENT_SECRET", default="")
 TEST_WORKSPACE_APP_ID: str = config("TEST_WORKSPACE_APP_ID", default="")
 TEST_WORKSPACE_APP_SECRET: str = config("TEST_WORKSPACE_APP_SECRET", default="")
-TEST_WORKSPACE_APP_PLAN: str = config("APP_SERVICE_PLAN_SKU", default="")
+TEST_WORKSPACE_APP_PLAN: str = config("WORKSPACE_APP_SERVICE_PLAN_SKU", default="")
 
 # Perf test env vars - set these in private.env if you want to run perf tests and use an existing
 # workspace + workspace service for quicker execution. If they're blank the perf test will create + delete them.

e2e_tests/test_airlock.py

@@ -23,7 +23,7 @@
 
 @pytest.mark.airlock
 @pytest.mark.extended
-@pytest.mark.timeout(2000)
+@pytest.mark.timeout(30 * 60)
 async def test_airlock_import_flow(verify) -> None:
 
     admin_token = await get_admin_token(verify)

templates/core/.env.sample

@@ -23,7 +23,7 @@ AUTO_WORKSPACE_GROUP_CREATION=false
 # be caused by trying to deploy TRE in an Office environment where
 # this website is blocked. This value is the public facing IP
 # address of the deploying machine.
-#PUBLIC_DEPLOYMENT_IP_ADDRESS=__CHANGE_ME__
+# PUBLIC_DEPLOYMENT_IP_ADDRESS=__CHANGE_ME__
 
 # Uncomment to disable the UI provided as part of this repo
 # DEPLOY_UI=false
@@ -54,6 +54,9 @@ AUTO_WORKSPACE_GROUP_CREATION=false
 CORE_ADDRESS_SPACE="10.1.0.0/22"
 TRE_ADDRESS_SPACE="10.0.0.0/12"
 
-APP_SERVICE_PLAN_SKU="P1v2"
+CORE_APP_SERVICE_PLAN_SKU="P1v2"
 RESOURCE_PROCESSOR_VMSS_SKU="Standard_B2s"
 ENABLE_AIRLOCK_MALWARE_SCANNING=false
+
+# TODO: move to RP default with https://github.com/microsoft/AzureTRE/pull/2634
+WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2"

templates/core/terraform/airlock/airlock_processor.tf

@@ -11,7 +11,7 @@ resource "azurerm_service_plan" "airlock_plan" {
   resource_group_name = var.resource_group_name
   location            = var.location
   os_type             = "Linux"
-  sku_name            = var.airlock_app_service_plan_sku_size
+  sku_name            = var.airlock_app_service_plan_sku
   tags                = var.tre_core_tags
   worker_count        = 1
 

templates/core/terraform/airlock/variables.tf

@@ -28,7 +28,7 @@ variable "mgmt_acr_name" {
   description = "Management ACR name"
 }
 
-variable "airlock_app_service_plan_sku_size" {
+variable "airlock_app_service_plan_sku" {
   type    = string
   default = "P1v3"
 }

templates/core/terraform/api-webapp.tf

@@ -11,7 +11,7 @@ resource "azurerm_service_plan" "core" {
   resource_group_name = azurerm_resource_group.core.name
   location            = azurerm_resource_group.core.location
   os_type             = "Linux"
-  sku_name            = var.api_app_service_plan_sku_size
+  sku_name            = var.core_app_service_plan_sku
   tags                = local.tre_core_tags
   worker_count        = 1
   lifecycle { ignore_changes = [tags] }

templates/core/terraform/main.tf

@@ -109,7 +109,7 @@ module "airlock_resources" {
   mgmt_resource_group_name              = var.mgmt_resource_group_name
   mgmt_acr_name                         = var.acr_name
   api_principal_id                      = azurerm_user_assigned_identity.id.principal_id
-  airlock_app_service_plan_sku_size     = var.api_app_service_plan_sku_size
+  airlock_app_service_plan_sku          = var.core_app_service_plan_sku
   airlock_processor_subnet_id           = module.network.airlock_processor_subnet_id
   airlock_servicebus                    = azurerm_servicebus_namespace.sb
   applicationinsights_connection_string = module.azure_monitor.app_insights_connection_string

templates/core/terraform/variables.tf

@@ -33,7 +33,7 @@ variable "api_image_repository" {
   default     = "microsoft/azuretre/api"
 }
 
-variable "api_app_service_plan_sku_size" {
+variable "core_app_service_plan_sku" {
   type    = string
   default = "P1v3"
 }

templates/core/version.txt

@@ -1 +1 @@
-__version__ = "0.4.31"
+__version__ = "0.4.32"

templates/workspaces/airlock-import-review/parameters.json

@@ -115,7 +115,7 @@
     {
       "name": "app_service_plan_sku",
       "source": {
-        "env": "APP_SERVICE_PLAN_SKU"
+        "env": "WORKSPACE_APP_SERVICE_PLAN_SKU"
       }
     },
     {

templates/workspaces/base/parameters.json

@@ -127,7 +127,7 @@
     {
       "name": "app_service_plan_sku",
       "source": {
-        "env": "APP_SERVICE_PLAN_SKU"
+        "env": "WORKSPACE_APP_SERVICE_PLAN_SKU"
       }
     },
     {

templates/workspaces/unrestricted/parameters.json

@@ -121,7 +121,7 @@
     {
       "name": "app_service_plan_sku",
       "source": {
-        "env": "APP_SERVICE_PLAN_SKU"
+        "env": "WORKSPACE_APP_SERVICE_PLAN_SKU"
       }
     },
     {