Merge branch 'main' into ubuntu-update

CHANGELOG.md

@@ -1,10 +1,21 @@
 <!-- markdownlint-disable MD041 -->
-## 0.17.0 (Unreleased)
+## 0.18.0 (Unreleased)
 
 **BREAKING CHANGES & MIGRATIONS**:
 
 FEATURES:
 
+ENHANCEMENTS:
+
+BUG FIXES:
+
+COMPONENTS:
+
+## 0.17.0
+
+**BREAKING CHANGES & MIGRATIONS**:
+* Update terraform MySQL resources to MySQL Flexible resources to fix depricating recources. ([#3892](https://github.com/microsoft/AzureTRE/pull/3892)) - Migration to new version of Gitea and MySQL, needs to be carried out manually, details to be included in a later release.
+
 ENHANCEMENTS:
 * Switch from OpenCensus to OpenTelemetry for logging ([#3762](https://github.com/microsoft/AzureTRE/pull/3762))
 * Extend PowerShell auto start script to start core VMs ([#3811](https://github.com/microsoft/AzureTRE/issues/3811))
@@ -19,8 +30,40 @@ BUG FIXES:
 * Airlock: Creating an import/export request causes a routing error ([#3830](https://github.com/microsoft/AzureTRE/issues/3830))
 * Fix registration of templates with no 'authorizedRoles' or 'required' defined ([#3849](https://github.com/microsoft/AzureTRE/pull/3849))
 * Update terraform for services bus to move network rules into namespace resource to avoid depreciation warning, and update setup_local_debugging.sh to use network_rule_sets ([#3858](https://github.com/microsoft/AzureTRE/pull/3858))
+* Update terraform MySQL resources to MySQL Flexible resources to fix depricating recources. ([#3892](https://github.com/microsoft/AzureTRE/pull/3892))
+* Fix issue with firewall failing to deploy on a new TRE deploy ([#3775](https://github.com/microsoft/AzureTRE/issues/3775))
 
 COMPONENTS:
+| name | version |
+| ----- | ----- |
+| devops | 0.5.1 |
+| core | 0.9.6 |
+| ui | 0.5.21 |
+| tre-service-guacamole-linuxvm | 0.6.9 |
+| tre-service-guacamole-import-reviewvm | 0.2.8 |
+| tre-service-guacamole-export-reviewvm | 0.1.8 |
+| tre-service-guacamole-windowsvm | 0.7.9 |
+| tre-service-guacamole | 0.10.6 |
+| tre-service-databricks | 1.0.3 |
+| tre-service-mlflow | 0.7.7 |
+| tre-service-innereye | 0.6.4 |
+| tre-workspace-service-ohdsi | 0.2.4 |
+| tre-workspace-service-gitea | 1.0.1 |
+| tre-workspace-service-mysql | 1.0.1 |
+| tre-user-resource-aml-compute-instance | 0.5.7 |
+| tre-service-azureml | 0.8.10 |
+| tre-workspace-service-health | 0.2.5 |
+| tre-workspace-airlock-import-review | 0.12.16 |
+| tre-workspace-unrestricted | 0.11.4 |
+| tre-workspace-base | 1.5.3 |
+| tre-shared-service-cyclecloud | 0.5.5 |
+| tre-shared-service-databricks-private-auth | 0.1.5 |
+| tre-shared-service-sonatype-nexus | 2.8.13 |
+| tre-shared-service-admin-vm | 0.4.3 |
+| tre-shared-service-firewall | 1.1.7 |
+| tre-shared-service-gitea | 1.0.1 |
+| tre-shared-service-certs | 0.5.1 |
+| tre-shared-service-airlock-notifier | 0.9.0 |
 
 ## 0.16.0 (December 1, 2023)
 

docs/tre-templates/shared-services/gitea.md

@@ -47,3 +47,7 @@ Gitea needs to be able to access the following resource outside the Azure TRE VN
 | AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. |
 | AzureContainerRegistry | Pull the Gitea container image, as it is located in Azure Container Registry.  |
 | (www.)github.com | Allows Gitea to mirror any repo on GitHub |
+
+## Upgrading to version 1.0.0
+
+Migrating existing Gitea services to the major version 1.0.0 is not currently supported. This is due to the breaking change in the Terraform to migrate from the deprecated mysql_server to the new mysql_flexible_server.

docs/tre-templates/workspace-services/gitea.md

@@ -24,3 +24,7 @@ The Gitea worskpace service opens outbound access to:
 3. Click sign in with OpenID button and sign in with the same credentials used to access the workspace.
 4. Once succesfully signed in choose a username.
 5. Navigate to the user settings and under the account tab set a password for your account( `https://<gitea_url>/user/settings/account` ). This username and passowrd should be used to authenticate against Gitea when carrying out git operations.
+
+## Upgrading to version 1.0.0
+
+Migrating existing Gitea services to the major version 1.0.0 is not currently supported. This is due to the breaking change in the Terraform to migrate from the deprecated mysql_server to the new mysql_flexible_server.

docs/tre-templates/workspace-services/mysql.md

@@ -0,0 +1,22 @@
+# MySQL Workspace Service
+
+See: [MySQL Azure](https://learn.microsoft.com/en-GB/azure/mysql/)
+
+## Prerequisites
+
+- [A base workspace deployed](../workspaces/base.md)
+
+- The MySQL workspace service container image needs building and pushing:
+
+  `make workspace_service_bundle BUNDLE=mysql`
+
+## Authenticating to MySQL
+
+1. Navigate to the MySQL workspace service using the `Mysql fqdn` from the details tab.
+2. Using the Password found in Key Vault and the Username `mysqladmin`
+3. Connect to the MySQL server on a VM with the following command shown below
+   `mysql -h [fqdn] -u [username] -p [password]`
+
+## Upgrading to version 1.0.0
+
+Migrating existing MySQL services to the major version 1.0.0 is not currently supported. This is due to the breaking change in the Terraform to migrate from the deprecated mysql_server to the new mysql_flexible_server.

templates/shared_services/firewall/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.1.6
+version: 1.1.7
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/firewall/terraform/routetable.tf

@@ -18,6 +18,13 @@ resource "azurerm_route_table" "rt" {
 resource "azurerm_subnet_route_table_association" "rt_shared_subnet_association" {
   subnet_id      = data.azurerm_subnet.shared.id
   route_table_id = azurerm_route_table.rt.id
+
+  depends_on = [
+    azurerm_firewall.fw,
+    azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
+  ]
 }
 
 resource "azurerm_subnet_route_table_association" "rt_resource_processor_subnet_association" {
@@ -28,25 +35,55 @@ resource "azurerm_subnet_route_table_association" "rt_resource_processor_subnet_
   depends_on = [
     azurerm_firewall.fw,
     azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
   ]
 }
 
 resource "azurerm_subnet_route_table_association" "rt_web_app_subnet_association" {
   subnet_id      = data.azurerm_subnet.web_app.id
   route_table_id = azurerm_route_table.rt.id
+
+  depends_on = [
+    azurerm_firewall.fw,
+    azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
+  ]
 }
 
 resource "azurerm_subnet_route_table_association" "rt_airlock_processor_subnet_association" {
   subnet_id      = data.azurerm_subnet.airlock_processor.id
   route_table_id = azurerm_route_table.rt.id
+
+  depends_on = [
+    azurerm_firewall.fw,
+    azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
+  ]
 }
 
 resource "azurerm_subnet_route_table_association" "rt_airlock_storage_subnet_association" {
   subnet_id      = data.azurerm_subnet.airlock_storage.id
   route_table_id = azurerm_route_table.rt.id
+
+  depends_on = [
+    azurerm_firewall.fw,
+    azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
+  ]
 }
 
 resource "azurerm_subnet_route_table_association" "rt_airlock_events_subnet_association" {
   subnet_id      = data.azurerm_subnet.airlock_events.id
   route_table_id = azurerm_route_table.rt.id
+
+  depends_on = [
+    azurerm_firewall.fw,
+    azurerm_firewall_policy_rule_collection_group.core,
+    azurerm_firewall_policy_rule_collection_group.dynamic_network,
+    azurerm_firewall_policy_rule_collection_group.dynamic_application
+  ]
 }

templates/shared_services/gitea/parameters.json

@@ -45,6 +45,12 @@
       "source": {
         "env": "ARM_ENVIRONMENT"
       }
+    },
+    {
+      "name": "sql_sku",
+      "source": {
+        "env": "SQL_SKU"
+      }
     }
   ]
 }

templates/shared_services/gitea/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-gitea
-version: 0.6.10
+version: 1.0.1
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -51,6 +51,9 @@ parameters:
     env: ARM_ENVIRONMENT
     type: string
     default: "public"
+  - name: sql_sku
+    type: string
+    default: "B | 4GB 2vCores"
 
 mixins:
   - terraform:
@@ -89,6 +92,7 @@ install:
         mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         acr_name: ${ bundle.parameters.mgmt_acr_name }
         arm_environment: ${ bundle.parameters.arm_environment }
+        sql_sku: ${ bundle.parameters.sql_sku }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -109,6 +113,7 @@ upgrade:
         mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         acr_name: ${ bundle.parameters.mgmt_acr_name }
         arm_environment: ${ bundle.parameters.arm_environment }
+        sql_sku: ${ bundle.parameters.sql_sku }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -129,6 +134,7 @@ uninstall:
         mgmt_resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         acr_name: ${ bundle.parameters.mgmt_acr_name }
         arm_environment: ${ bundle.parameters.arm_environment }
+        sql_sku: ${ bundle.parameters.sql_sku }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }

templates/shared_services/gitea/template_schema.json

@@ -27,6 +27,19 @@
       "default": "The Gitea shared service is used for mirroring external Git repositories. For instructions on how to create Git mirrors see [https://docs.gitea.com/usage/repo-mirror](https://docs.gitea.com/usage/repo-mirror).",
       "updateable": true
     },
+    "sql_sku": {
+      "$id": "#/properties/sql_sku",
+      "type": "string",
+      "title": "MySQL server SKU",
+      "description": "MySQL server SKU",
+      "updateable": true,
+      "enum": [
+        "B | 4GB 2vCores",
+        "GP | 8GB 2vCores",
+        "BC | 16GB 2vCores"
+      ],
+      "default": "B | 4GB 2vCores"
+    },
     "is_exposed_externally": {
       "$id": "#/properties/is_exposed_externally",
       "type": "boolean",

templates/shared_services/gitea/terraform/gitea-webapp.tf

@@ -46,9 +46,9 @@ resource "azurerm_linux_web_app" "gitea" {
 
     GITEA__database__SSL_MODE = "true"
     GITEA__database__DB_TYPE  = "mysql"
-    GITEA__database__HOST     = azurerm_mysql_server.gitea.fqdn
-    GITEA__database__NAME     = azurerm_mysql_database.gitea.name
-    GITEA__database__USER     = "${azurerm_mysql_server.gitea.administrator_login}@${azurerm_mysql_server.gitea.fqdn}"
+    GITEA__database__HOST     = azurerm_mysql_flexible_server.gitea.fqdn
+    GITEA__database__NAME     = azurerm_mysql_flexible_database.gitea.name
+    GITEA__database__USER     = azurerm_mysql_flexible_server.gitea.administrator_login
     GITEA__database__PASSWD   = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_password.id})"
   }
 

templates/shared_services/gitea/terraform/locals.tf

@@ -6,6 +6,11 @@ locals {
   keyvault_name            = "kv-${var.tre_id}"
   version                  = replace(replace(replace(data.local_file.version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
   gitea_allowed_fqdns_list = distinct(compact(split(",", replace(var.gitea_allowed_fqdns, " ", ""))))
+  sql_sku = {
+    "B | 4GB 2vCores"   = { value = "B_Standard_B2s" },
+    "GP | 8GB 2vCores"  = { value = "GP_Standard_D2ds_v4" },
+    "BC | 16GB 2vCores" = { value = "MO_Standard_E2ds_v4" }
+  }
   tre_shared_service_tags = {
     tre_id                = var.tre_id
     tre_shared_service_id = var.tre_resource_id

templates/shared_services/gitea/terraform/mysql.tf

@@ -6,31 +6,25 @@ resource "random_password" "password" {
   min_special = 2
 }
 
-resource "azurerm_mysql_server" "gitea" {
-  name                              = "mysql-${var.tre_id}"
-  resource_group_name               = local.core_resource_group_name
-  location                          = data.azurerm_resource_group.rg.location
-  administrator_login               = "mysqladmin"
-  administrator_login_password      = random_password.password.result
-  sku_name                          = "GP_Gen5_2"
-  storage_mb                        = 5120
-  version                           = "8.0"
-  auto_grow_enabled                 = true
-  backup_retention_days             = 7
-  geo_redundant_backup_enabled      = false
-  infrastructure_encryption_enabled = false
-  public_network_access_enabled     = false
-  ssl_enforcement_enabled           = true
-  ssl_minimal_tls_version_enforced  = "TLS1_2"
-  tags                              = local.tre_shared_service_tags
+resource "azurerm_mysql_flexible_server" "gitea" {
+  name                         = "mysql-${var.tre_id}"
+  resource_group_name          = local.core_resource_group_name
+  location                     = data.azurerm_resource_group.rg.location
+  administrator_login          = "mysqladmin"
+  administrator_password       = random_password.password.result
+  sku_name                     = local.sql_sku[var.sql_sku].value
+  version                      = "8.0.21"
+  backup_retention_days        = 7
+  geo_redundant_backup_enabled = false
+  tags                         = local.tre_shared_service_tags
 
-  lifecycle { ignore_changes = [tags, threat_detection_policy] }
+  lifecycle { ignore_changes = [tags, zone] }
 }
 
-resource "azurerm_mysql_database" "gitea" {
+resource "azurerm_mysql_flexible_database" "gitea" {
   name                = "gitea"
   resource_group_name = local.core_resource_group_name
-  server_name         = azurerm_mysql_server.gitea.name
+  server_name         = azurerm_mysql_flexible_server.gitea.name
   charset             = "utf8"
   collation           = "utf8_unicode_ci"
 }
@@ -41,15 +35,15 @@ moved {
 }
 
 resource "azurerm_private_endpoint" "private_endpoint" {
-  name                = "pe-${azurerm_mysql_server.gitea.name}"
+  name                = "pe-${azurerm_mysql_flexible_server.gitea.name}"
   location            = data.azurerm_resource_group.rg.location
   resource_group_name = local.core_resource_group_name
   subnet_id           = data.azurerm_subnet.shared.id
   tags                = local.tre_shared_service_tags
 
   private_service_connection {
-    private_connection_resource_id = azurerm_mysql_server.gitea.id
-    name                           = "psc-${azurerm_mysql_server.gitea.name}"
+    private_connection_resource_id = azurerm_mysql_flexible_server.gitea.id
+    name                           = "psc-${azurerm_mysql_flexible_server.gitea.name}"
     subresource_names              = ["mysqlServer"]
     is_manual_connection           = false
   }
@@ -63,7 +57,7 @@ resource "azurerm_private_endpoint" "private_endpoint" {
 }
 
 resource "azurerm_key_vault_secret" "db_password" {
-  name         = "${azurerm_mysql_server.gitea.name}-administrator-password"
+  name         = "${azurerm_mysql_flexible_server.gitea.name}-administrator-password"
   value        = random_password.password.result
   key_vault_id = data.azurerm_key_vault.keyvault.id
   tags         = local.tre_shared_service_tags

templates/shared_services/gitea/terraform/variables.tf

@@ -33,3 +33,7 @@ variable "acr_name" {
 variable "arm_environment" {
   type = string
 }
+
+variable "sql_sku" {
+  type = string
+}

templates/workspace_services/gitea/parameters.json

@@ -63,6 +63,12 @@
       "source": {
         "env": "ARM_ENVIRONMENT"
       }
+    },
+    {
+      "name": "sql_sku",
+      "source": {
+        "env": "SQL_SKU"
+      }
     }
   ]
 }