diff --git a/.github/linters/.tflint_workspaces.hcl b/.github/linters/.tflint_workspaces.hcl index bfb0c85e20..86862b463b 100644 --- a/.github/linters/.tflint_workspaces.hcl +++ b/.github/linters/.tflint_workspaces.hcl @@ -7,6 +7,8 @@ config { plugin "azurerm" { enabled = true + version = "0.30.0" + source = "github.com/terraform-linters/tflint-ruleset-azurerm" } rule "azurerm_resource_missing_tags" { diff --git a/CHANGELOG.md b/CHANGELOG.md index e9da0f3fda..e89223aeea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Sonatype Nexus shared service now requires explicit EULA acceptance (`accept_nexus_eula: true`) when deploying. This ensures compliance with Sonatype Nexus Community Edition licensing. ([#4842](https://github.com/microsoft/AzureTRE/issues/4842)) ENHANCEMENTS: +* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856)) * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863)) * Pass OIDC vars directly to the devcontainer ([#4871](https://github.com/microsoft/AzureTRE/issues/4871)) diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf index 9e85be11ea..7b81bb1fa9 100644 --- a/core/terraform/network/network.tf +++ b/core/terraform/network/network.tf 
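Review bot: The new `version`/`source` pin on the azurerm ruleset carries no comment saying why it is needed, and the CHANGELOG entry in this same commit does not mention it, so the next routine plugin bump has nothing telling it what must keep working. Presumably the pin exists because the ruleset's bundled provider schema has to recognise the `default_outbound_access_enabled` subnet attribute introduced by the rest of this change; if that is the reason, a line such as `# pinned: ruleset must know the default_outbound_access_enabled subnet attribute` above `version` records it. This file is now a second place, besides the Terraform provider constraints, where the azurerm schema version is fixed, and the two will need to move together.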
@@ -7,15 +7,17 @@ resource "azurerm_virtual_network" "core" { lifecycle { ignore_changes = [tags] } subnet { - name = "AzureBastionSubnet" - address_prefixes = [local.bastion_subnet_address_prefix] - security_group = azurerm_network_security_group.bastion.id + name = "AzureBastionSubnet" + address_prefixes = [local.bastion_subnet_address_prefix] + security_group = azurerm_network_security_group.bastion.id + default_outbound_access_enabled = false } subnet { - name = "AzureFirewallSubnet" - address_prefixes = [local.firewall_subnet_address_space] - route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null + name = "AzureFirewallSubnet" + address_prefixes = [local.firewall_subnet_address_space] + route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null + default_outbound_access_enabled = false } subnet { @@ -24,6 +26,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.app_gw.id + default_outbound_access_enabled = false } subnet { @@ -33,6 +36,7 @@ resource "azurerm_virtual_network" "core" { private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false delegation { name = "delegation" @@ -50,6 +54,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false } subnet { 
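Review bot: Turning off default outbound access is only safe where each subnet has an explicit egress path, and none of the visible lines of three inline subnet blocks in this file carry a `route_table_id`: AzureBastionSubnet in this hunk, the app_gw subnet in `@@ -24,6 +26,7`, and AzureFirewallManagementSubnet in `@@ -110,13 +118,15`. Those presumably rely on the public IP of the Bastion host, the Application Gateway and the firewall management plane respectively, which is reasonable, but the assumption is recorded nowhere; a one-line comment on each, e.g. `# egress via the service's own public IP, no platform SNAT needed`, would stop a later reader from adding a route table by reflex. It is also worth confirming in a plan against an existing deployment whether the provider applies this attribute in place or replaces the subnet, since the firewall and route-table-bound subnets here are not something an upgrade should recreate silently. The enclosing `azurerm_virtual_network` resource starts before the first hunk and ends after the last one.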
@@ -58,6 +63,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false } subnet { @@ -66,6 +72,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false delegation { name = "delegation" @@ -84,7 +91,7 @@ resource "azurerm_virtual_network" "core" { address_prefixes = [local.airlock_notifications_subnet_address_prefix] private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id - + default_outbound_access_enabled = false delegation { name = "delegation" @@ -102,6 +109,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false } subnet { @@ -110,13 +118,15 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false service_endpoints = ["Microsoft.ServiceBus"] } subnet { - name = "AzureFirewallManagementSubnet" - address_prefixes = [local.firewall_management_subnet_address_prefix] + name = "AzureFirewallManagementSubnet" + address_prefixes = [local.firewall_management_subnet_address_prefix] + default_outbound_access_enabled = false } } diff --git a/templates/shared_services/databricks-auth/porter.yaml b/templates/shared_services/databricks-auth/porter.yaml index fc7ae06217..f7d34be8cc 100644 --- a/templates/shared_services/databricks-auth/porter.yaml 
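Review bot: In the airlock_notifications subnet hunk (`@@ -84,7 +91,7`) the new attribute replaces the blank line that separated the attribute list from the nested `delegation` block, while every other subnet in this file keeps that blank line; restoring it keeps the blocks uniform. In `@@ -110,13 +118,15` the attribute is inserted between `route_table_id` and `service_endpoints`, whereas elsewhere it is the last plain attribute before any nested block, so placing it after `service_endpoints` would read consistently. The other hunks on this line only add the attribute and raise nothing beyond the egress prerequisites that apply to the whole file.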
+++ b/templates/shared_services/databricks-auth/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-databricks-private-auth -version: 0.1.13 +version: 0.1.14 description: "An Azure TRE shared service for Azure Databricks authentication." registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/shared_services/databricks-auth/terraform/network.tf b/templates/shared_services/databricks-auth/terraform/network.tf index 90cc9d0304..705d2275cb 100644 --- a/templates/shared_services/databricks-auth/terraform/network.tf +++ b/templates/shared_services/databricks-auth/terraform/network.tf @@ -9,10 +9,11 @@ resource "azurerm_virtual_network" "ws" { } resource "azurerm_subnet" "host" { - name = local.host_subnet_name - resource_group_name = local.resource_group_name - virtual_network_name = azurerm_virtual_network.ws.name - address_prefixes = [local.host_subnet_address_space] + name = local.host_subnet_name + resource_group_name = local.resource_group_name + virtual_network_name = azurerm_virtual_network.ws.name + address_prefixes = [local.host_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-host-vnet-integration" @@ -29,10 +30,11 @@ resource "azurerm_subnet" "host" { } resource "azurerm_subnet" "container" { - name = local.container_subnet_name - resource_group_name = local.resource_group_name - virtual_network_name = azurerm_virtual_network.ws.name - address_prefixes = [local.container_subnet_address_space] + name = local.container_subnet_name + resource_group_name = local.resource_group_name + virtual_network_name = azurerm_virtual_network.ws.name + address_prefixes = [local.container_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-container-vnet-integration" diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index ee98b376ba..d4dd7164de 100644 
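Review bot: Neither subnet in these two hunks shows a `route_table_id`, NAT gateway or route table association, so once default outbound access is off the Databricks host and container nodes have no egress path visible here for reaching the Databricks control plane; if that association is defined elsewhere in this file this is fine, otherwise cluster creation would be expected to fail outright rather than degrade. A comment on each subnet naming where egress is provided, e.g. `# egress: route table association in this file routes 0.0.0.0/0 via the TRE firewall`, would let a reader verify the prerequisite without searching. The same applies to the host and container subnets of templates/workspace_services/databricks/terraform/network.tf later in this commit. Both `azurerm_subnet` resources continue past the hunk.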
--- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-azureml -version: 1.1.2 +version: 1.1.3 description: "An Azure TRE service for Azure Machine Learning" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf index 4e822a60c1..836fd3a3f1 100644 --- a/templates/workspace_services/azureml/terraform/network.tf +++ b/templates/workspace_services/azureml/terraform/network.tf @@ -61,10 +61,11 @@ resource "azapi_resource" "aml_service_endpoint_policy" { } resource "azurerm_subnet" "aml" { - name = "AMLSubnet${local.short_service_id}" - virtual_network_name = data.azurerm_virtual_network.ws.name - resource_group_name = data.azurerm_virtual_network.ws.resource_group_name - address_prefixes = [var.address_space] + name = "AMLSubnet${local.short_service_id}" + virtual_network_name = data.azurerm_virtual_network.ws.name + resource_group_name = data.azurerm_virtual_network.ws.resource_group_name + address_prefixes = [var.address_space] + default_outbound_access_enabled = false # need to be disabled for AML private compute private_endpoint_network_policies = "Disabled" diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml index 8fdffa2db8..e3222da2f5 100644 --- a/templates/workspace_services/databricks/porter.yaml +++ b/templates/workspace_services/databricks/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-databricks -version: 1.0.14 +version: 1.0.15 description: "An Azure TRE service for Azure Databricks." registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/databricks/terraform/network.tf b/templates/workspace_services/databricks/terraform/network.tf index 63edae00d0..366dd0f2d5 100644 
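Review bot: The pre-existing comment `# need to be disabled for AML private compute` now sits directly under the added `default_outbound_access_enabled = false` line and directly above `private_endpoint_network_policies = "Disabled"`, so it can be read as explaining either attribute; moving the new line below `private_endpoint_network_policies`, or widening the comment to `# both must be off for AML private compute: no platform SNAT, and private endpoints bypass NSGs`, removes the ambiguity. Compute without public IPs, which is what the comment appears to mean by private compute, then depends on an explicit outbound route for its control-plane and package traffic, and this hunk shows no route table for the subnet, so confirm the workspace route table covers it. The `azurerm_subnet` resource continues past the hunk.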
--- a/templates/workspace_services/databricks/terraform/network.tf +++ b/templates/workspace_services/databricks/terraform/network.tf @@ -88,10 +88,11 @@ resource "azurerm_network_security_group" "nsg" { } resource "azurerm_subnet" "host" { - name = local.host_subnet_name - resource_group_name = data.azurerm_resource_group.ws.name - virtual_network_name = data.azurerm_virtual_network.ws.name - address_prefixes = [local.host_subnet_address_space] + name = local.host_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.host_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-host-vnet-integration" @@ -108,10 +109,11 @@ resource "azurerm_subnet" "host" { } resource "azurerm_subnet" "container" { - name = local.container_subnet_name - resource_group_name = data.azurerm_resource_group.ws.name - virtual_network_name = data.azurerm_virtual_network.ws.name - address_prefixes = [local.container_subnet_address_space] + name = local.container_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.container_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-container-vnet-integration" diff --git a/templates/workspace_services/ohdsi/porter.yaml b/templates/workspace_services/ohdsi/porter.yaml index 64789cd14e..a2cf1f71d6 100644 --- a/templates/workspace_services/ohdsi/porter.yaml +++ b/templates/workspace_services/ohdsi/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-ohdsi -version: 0.3.5 +version: 0.3.6 description: "An OHDSI workspace service" registry: azuretre dockerfile: Dockerfile.tmpl 
diff --git a/templates/workspace_services/ohdsi/terraform/atlas_database.tf b/templates/workspace_services/ohdsi/terraform/atlas_database.tf index 6dcd6c4b3a..7d26918705 100644 --- a/templates/workspace_services/ohdsi/terraform/atlas_database.tf +++ b/templates/workspace_services/ohdsi/terraform/atlas_database.tf @@ -100,10 +100,11 @@ resource "azurerm_network_security_group" "postgres" { } resource "azurerm_subnet" "postgres" { - name = "PostgreSQLSubnet${local.short_service_id}" - virtual_network_name = data.azurerm_virtual_network.ws.name - resource_group_name = data.azurerm_resource_group.ws.name - address_prefixes = [var.address_space] + name = "PostgreSQLSubnet${local.short_service_id}" + virtual_network_name = data.azurerm_virtual_network.ws.name + resource_group_name = data.azurerm_resource_group.ws.name + address_prefixes = [var.address_space] + default_outbound_access_enabled = false delegation { name = "psql-delegation" diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index c970a581d9..a71c799ebe 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 2.8.1 +version: 2.8.2 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf index f743a2aac8..0854668fd3 100644 --- a/templates/workspaces/base/terraform/network/network.tf +++ b/templates/workspaces/base/terraform/network/network.tf @@ -16,6 +16,7 @@ resource "azurerm_subnet" "services" { # notice that private endpoints do not adhere to NSG rules private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true + default_outbound_access_enabled = false } resource "azurerm_subnet" "webapps" { 
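Review bot: The `webapps` subnet in the next hunk (`@@ -26,6 +27,7`) is delegated, by the look of its `delegation` block, to a web app integration, and the `services` subnet in this hunk carries no route table in its visible lines, so after this change any workload that routes all traffic into the VNet relies entirely on an association defined elsewhere in the file for its egress; that is the expected TRE layout but nothing in either hunk says so. A short comment on both subnets, e.g. `# no platform SNAT: egress is via the workspace route table to the core firewall`, documents the dependency where a reader will look for it. Both `azurerm_subnet` resources start before their hunks, and `webapps` ends after its hunk.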
@@ -26,6 +27,7 @@ resource "azurerm_subnet" "webapps" { # notice that private endpoints do not adhere to NSG rules private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true + default_outbound_access_enabled = false delegation { name = "delegation"