microsoft · yuvalyaron · Dec 25, 2022 · Dec 20, 2022 · Dec 20, 2022 · Dec 20, 2022
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
@@ -51,6 +51,9 @@ inputs:
   TRE_ADDRESS_SPACE:
     description: "TRE address apace."
     required: false
+  ENABLE_SWAGGER:
+    description: "Determines whether the Swagger interface for the API will be available."
+    required: false
   SWAGGER_UI_CLIENT_ID:
     description: "The Swagger UI Client ID."
     required: false
@@ -154,6 +157,7 @@ runs:
           -e TF_VAR_application_admin_client_id="${{ inputs.APPLICATION_ADMIN_CLIENT_ID }}" \
           -e TF_VAR_application_admin_client_secret="${{ inputs.APPLICATION_ADMIN_CLIENT_SECRET }}" \
           -e TF_VAR_arm_subscription_id="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
+          -e ENABLE_SWAGGER="${{ inputs.ENABLE_SWAGGER }}" \
           -e SWAGGER_UI_CLIENT_ID="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
           -e TF_VAR_swagger_ui_client_id="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
           -e TF_VAR_core_address_space="${{ inputs.core_address_space }}" \

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ ENHANCEMENTS:
 * Update docker base images to bullseye ([#2946](https://github.com/microsoft/AzureTRE/pull/2946)
 * Support updating the firewall when installing via makefile/CICD ([#2942](https://github.com/microsoft/AzureTRE/pull/2942))
 * Airlock processor function and api app service work with http2
+* Added the option to disable Swagger ([#2981](https://github.com/microsoft/AzureTRE/pull/2981))
 
 BUG FIXES:
 * Private endpoints for AppInsights are now provisioning successfully and consistently ([#2841](https://github.com/microsoft/AzureTRE/pull/2841))

diff --git a/api_app/_version.py b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.6.5"
+__version__ = "0.6.6"
diff --git a/api_app/api/routes/api.py b/api_app/api/routes/api.py
@@ -1,6 +1,9 @@
 from collections import defaultdict
 from typing import Any, DefaultDict, Dict, Optional
 
+from starlette.responses import PlainTextResponse
+from starlette.status import HTTP_403_FORBIDDEN
+
 from fastapi import APIRouter, Request, Depends
 from fastapi.openapi.docs import get_swagger_ui_html, get_swagger_ui_oauth2_redirect_html
 from fastapi.openapi.utils import get_openapi
@@ -90,8 +93,6 @@ async def get_swagger(request: Request):
 async def swagger_ui_redirect():
     return get_swagger_ui_oauth2_redirect_html()
 
-core_router.include_router(core_swagger_router)
-router.include_router(core_router)
 
 # Workspace API
 workspace_router = APIRouter(prefix=config.API_PREFIX)
@@ -157,5 +158,20 @@ async def get_workspace_swagger(workspace_id, request: Request, workspace_repo=D
 
     return swagger_ui_html
 
-workspace_router.include_router(workspace_swagger_router)
+
+swagger_disabled_router = APIRouter()
+
+
+@swagger_disabled_router.get("/docs", include_in_schema=False, name="swagger_disabled")
+async def get_disabled_swagger():
+    return PlainTextResponse("Swagger is disabled. Set 'ENABLE_SWAGGER' to true in order to access Swagger.", status_code=HTTP_403_FORBIDDEN)
+
+
+if config.ENABLE_SWAGGER:
+    core_router.include_router(core_swagger_router)
+    workspace_router.include_router(workspace_swagger_router)
+else:
+    core_router.include_router(swagger_disabled_router)
+
+router.include_router(core_router)
 router.include_router(workspace_router)
diff --git a/api_app/core/config.py b/api_app/core/config.py
@@ -8,6 +8,7 @@
 PROJECT_NAME: str = config("PROJECT_NAME", default="Azure TRE API")
 DEBUG: bool = config("DEBUG", cast=bool, default=False)
 ENABLE_LOCAL_DEBUGGING: bool = config("ENABLE_LOCAL_DEBUGGING", cast=bool, default=False)
+ENABLE_SWAGGER: bool = config("ENABLE_SWAGGER", cast=bool, default=False)
 VERSION = __version__
 API_DESCRIPTION = "Welcome to the Azure TRE API - for more information about templates and workspaces see the [Azure TRE documentation](https://microsoft.github.io/AzureTRE)"
 

diff --git a/config.sample.yaml b/config.sample.yaml
@@ -30,6 +30,7 @@ tre:
 
   core_app_service_plan_sku: P1v2
   resource_processor_vmss_sku: Standard_B2s
+  enable_swagger: true
   enable_airlock_malware_scanning: false
 
   # TODO: move to RP default with https://github.com/microsoft/AzureTRE/issues/2948

diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md
@@ -25,6 +25,7 @@
 | `TRE_URL`| This will be generated for you by populating your `TRE_ID`. This is used so that you can automatically register bundles |
 | `CORE_ADDRESS_SPACE` | The address space for the Azure TRE core virtual network. `/22` or larger. |
 | `TRE_ADDRESS_SPACE` | The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. `10.0.0.0/12`|
+| `ENABLE_SWAGGER` | Determines whether the Swagger interface for the API will be available. |
 | `SWAGGER_UI_CLIENT_ID` | Generated when following [pre-deployment steps](./setup-instructions/setup-auth-entities.md) guide. Client ID for swagger client to make requests. |
 | `AAD_TENANT_ID` | Generated when following [pre-deployment steps](./setup-instructions/setup-auth-entities.md) guide. Tenant id against which auth is performed. |
 | `API_CLIENT_ID` | Generated when following [pre-deployment steps](./setup-instructions/setup-auth-entities.md) guide. Client id of the "TRE API". |

diff --git a/templates/core/terraform/api-webapp.tf b/templates/core/terraform/api-webapp.tf
@@ -44,6 +44,7 @@ resource "azurerm_linux_web_app" "api" {
     "MANAGED_IDENTITY_CLIENT_ID"                     = azurerm_user_assigned_identity.id.client_id
     "TRE_ID"                                         = var.tre_id
     "RESOURCE_LOCATION"                              = azurerm_resource_group.core.location
+    "ENABLE_SWAGGER"                                 = var.enable_swagger
     "SWAGGER_UI_CLIENT_ID"                           = var.swagger_ui_client_id
     "AAD_TENANT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.auth_tenant_id.id})"
     "API_CLIENT_ID"                                  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.api_client_id.id})"

diff --git a/templates/core/terraform/variables.tf b/templates/core/terraform/variables.tf
@@ -65,6 +65,12 @@ variable "resource_processor_number_processes_per_instance" {
   description = "The number of CPU processes to run the RP on per VM instance"
 }
 
+variable "enable_swagger" {
+  type        = bool
+  description = "Determines whether the Swagger interface for the API will be available."
+  sensitive   = false
+}
+
 variable "swagger_ui_client_id" {
   type        = string
   description = "The client id (app id) of the registration in Azure AD for the Swagger UI"

diff --git a/templates/core/version.txt b/templates/core/version.txt
@@ -1 +1 @@
-__version__ = "0.4.48"
+__version__ = "0.4.49"