diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a6d7a953ca..50fd380866 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -75,7 +75,7 @@ COPY ["airlock_processor/requirements.txt", "/tmp/pip-tmp/airlock_processor/"]
 RUN pip3 --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt
 # Install azure-cli
-ARG AZURE_CLI_VERSION=2.57.0-1~bullseye
+ARG AZURE_CLI_VERSION=2.67.0-1~bullseye
 COPY .devcontainer/scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
 && /tmp/azure-cli.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 775914429a..e4fc3443bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@ ENHANCEMENTS:
 * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
 * Update obsolete Terraform properties ([#4136](https://github.com/microsoft/AzureTRE/issues/4136))
 * Update Guacamole version and dependencies ([#4140](https://github.com/microsoft/AzureTRE/issues/4140))
-* Add partial (core resources only) support for customer managed keys ([#4141](https://github.com/microsoft/AzureTRE/issues/4142))
+* Add partial (core resources only) support for customer managed keys ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144))
 BUG FIXES:
 - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
index bc7c2d0508..482b86714e 100644
--- a/core/terraform/.terraform.lock.hcl
+++ b/core/terraform/.terraform.lock.hcl
@@ -82,6 +82,25 @@ provider "registry.terraform.io/hashicorp/local" {
 ]
 }
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.3"
+ hashes = [
+ "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=",
+ "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2",
+ "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d",
+ "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3",
+ "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f",
+ "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
+ "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+ "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+ "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+ "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+ "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/random" {
 version = "3.6.3"
 constraints = ">= 3.0.0, ~> 3.6"
diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
index 904424ccaf..a99c0e083a 100644
--- a/core/terraform/cosmos_mongo.tf
+++ b/core/terraform/cosmos_mongo.tf
@@ -35,11 +35,38 @@ resource "azurerm_cosmosdb_account" "mongo" {
 failover_priority = 0
 }
+ dynamic "identity" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+ }
+ }
+
+ default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
+
 tags = local.tre_core_tags
- lifecycle { ignore_changes = [tags] }
+ # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource
+ lifecycle { ignore_changes = [tags, key_vault_key_id] }
+}
+
+# Using the az CLI command since terraform forces a re-creation of the resource
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
+resource "null_resource" "mongo_enable_cmk" {
+ count = var.enable_cmk_encryption ? 1 : 0
+
+ provisioner "local-exec" {
+ command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${data.azurerm_key_vault_key.encryption_key[0].versionless_id}"
+ }
+
+ depends_on = [
+ azurerm_cosmosdb_account.mongo,
+ azurerm_role_assignment.kv_encryption_key_user[0]
+ ]
 }
+
 resource "azurerm_cosmosdb_mongo_database" "mongo" {
 name = "porter"
 resource_group_name = azurerm_resource_group.core.name
diff --git a/core/terraform/data.tf b/core/terraform/data.tf
index ec18987993..d7d110ad18 100644
--- a/core/terraform/data.tf
+++ b/core/terraform/data.tf
@@ -19,6 +19,12 @@ data "azurerm_key_vault" "encryption_kv" {
 resource_group_name = var.mgmt_resource_group_name
 }
+data "azurerm_key_vault_key" "encryption_key" {
+ count = var.enable_cmk_encryption ? 1 : 0
+ name = var.kv_encryption_key_name
+ key_vault_id = local.key_store_id
+}
+
 data "http" "myip" {
 count = var.public_deployment_ip_address == "" ? 1 : 0
 url = "https://ipecho.net/plain"
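Review bot: `null_resource.mongo_enable_cmk` has no `triggers`, so the `az cosmosdb update --key-uri` provisioner runs only when the resource is first created; a later change to `var.kv_encryption_key_name` (and therefore to `data.azurerm_key_vault_key.encryption_key[0].versionless_id`) is never re-applied to the account. Because the new `lifecycle { ignore_changes = [tags, key_vault_key_id] }` also hides that attribute from the plan, Terraform would not report the account still pointing at the old key either. Adding `triggers = { key_uri = data.azurerm_key_vault_key.encryption_key[0].versionless_id }` to the resource re-runs the provisioner when the key changes. The same applies to `null_resource.tre_db_account_enable_cmk` in statestore.tf, which is written the same way.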
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index bfdf5e168a..6a554f9ff8 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -21,6 +21,10 @@ terraform {
 source = "Azure/azapi"
 version = "~> 1.15.0"
 }
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.2"
+ }
 }
 backend "azurerm" {}
diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf
index fa7a9eca9f..a613a955c4 100644
--- a/core/terraform/statestore.tf
+++ b/core/terraform/statestore.tf
@@ -16,6 +16,16 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
 }
 }
+ dynamic "identity" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+ }
+ }
+
+ default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
+
 consistency_policy {
 consistency_level = "BoundedStaleness"
 max_interval_in_seconds = 10
@@ -27,7 +37,8 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
 failover_priority = 0
 }
- lifecycle { ignore_changes = [tags] }
+ # since key_vault_key_id is created by the 'tre_db_account_enable_cmk' null_resource, terraform forces re-creation of the resource
+ lifecycle { ignore_changes = [tags, key_vault_key_id] }
 }
 moved {
@@ -95,3 +106,18 @@ resource "azurerm_private_endpoint" "sspe" {
 subresource_names = ["Sql"]
 }
 }
+
+# Using the az CLI command since terraform forces a re-creation of the resource
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
+resource "null_resource" "tre_db_account_enable_cmk" {
+ count = var.enable_cmk_encryption ? 1 : 0
+
+ provisioner "local-exec" {
+ command = "az cosmosdb update --name ${azurerm_cosmosdb_account.tre_db_account.name} --resource-group ${azurerm_cosmosdb_account.tre_db_account.resource_group_name} --key-uri ${data.azurerm_key_vault_key.encryption_key[0].versionless_id}"
+ }
+
+ depends_on = [
+ azurerm_cosmosdb_account.tre_db_account,
+ azurerm_role_assignment.kv_encryption_key_user[0]
+ ]
+}
diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
index ee49178c9f..e58930be9f 100644
--- a/core/terraform/storage.tf
+++ b/core/terraform/storage.tf
@@ -7,7 +7,6 @@ resource "azurerm_storage_account" "stg" {
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
-
 dynamic "identity" {
 for_each = var.enable_cmk_encryption ? [1] : []
 content {
diff --git a/core/version.txt b/core/version.txt
index 1bebb74e80..350cbe9d6a 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.3"
+__version__ = "0.11.4"
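Review bot: Nothing orders the account's consumers after `null_resource.tre_db_account_enable_cmk`: its `depends_on` places the provisioner after the account and the role assignment, but the databases and containers built on `azurerm_cosmosdb_account.tre_db_account` (outside this hunk, and `azurerm_cosmosdb_mongo_database.mongo` in cosmos_mongo.tf, which depends only on the account) can be created and written to while the account is still on platform-managed keys, so the `az cosmosdb update` call then has to re-wrap data that already landed. If the intent is that no data is stored before CMK is active, those resources need `depends_on = [null_resource.tre_db_account_enable_cmk]` (and the Mongo ones the equivalent on `null_resource.mongo_enable_cmk`), or the enable step should move into the account once the provider issue linked in the comment is resolved. The role assignment `kv_encryption_key_user[0]` is created in the same apply, and RBAC grants are not always effective immediately, so the first `az cosmosdb update` may fail on key access; if that has been seen, a comment such as `# NOTE: RBAC propagation can delay key access; re-run apply if the update is rejected` above `depends_on` would save the next deployer a guess.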