From ebbf3e1beeb6f7112ec9fb41eb8dc8c83671b227 Mon Sep 17 00:00:00 2001 From: JC-wk <196318169+JC-wk@users.noreply.github.com> Date: Fri, 14 Nov 2025 17:29:59 +0000 Subject: [PATCH 01/20] base workspace subnets --- CHANGELOG.md | 1 + templates/workspaces/base/porter.yaml | 2 +- templates/workspaces/base/terraform/network/network.tf | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd6bf7c8c1..1f84de1ecb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ **BREAKING CHANGES** ENHANCEMENTS: +disable default outbound access on subnets that don't require it ([#4706](https://github.com/microsoft/AzureTRE/issues/4706)) BUG FIXES: diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index 2a357e2972..9fd970c1e6 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 2.7.0 +version: 2.7.1 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf index f743a2aac8..0854668fd3 100644 --- a/templates/workspaces/base/terraform/network/network.tf +++ b/templates/workspaces/base/terraform/network/network.tf @@ -16,6 +16,7 @@ resource "azurerm_subnet" "services" { # notice that private endpoints do not adhere to NSG rules private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true + default_outbound_access_enabled = false } resource "azurerm_subnet" "webapps" { @@ -26,6 +27,7 @@ resource "azurerm_subnet" "webapps" { # notice that private endpoints do not adhere to NSG rules private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true + default_outbound_access_enabled = false delegation { name = "delegation" 
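Review bot: The `webapps` subnet loses its implicit SNAT path here, yet nothing in either hunk shows a route table or NAT gateway attached to it, so an App Service integrated into this delegated subnet will only reach the internet if a UDR to the firewall exists elsewhere in this module — confirm that before release. The CHANGELOG line says `disable default outbound access on subnets that don't require it`, but the code hard-codes `false` unconditionally; a comment such as `# no implicit SNAT; egress must go via the workspace route table/firewall` on each new line would record the reasoning. Also check how the provider applies this attribute to an existing subnet (in-place update versus replacement), since replacing a delegated subnet during an upgrade of a live workspace is disruptive, and that this template's provider constraint (not in the hunk) is new enough to know `default_outbound_access_enabled`.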
From b6026c58c0fca376623e647a9c865bb84db3df1c Mon Sep 17 00:00:00 2001 From: JC-wk <196318169+JC-wk@users.noreply.github.com> Date: Fri, 14 Nov 2025 17:37:52 +0000 Subject: [PATCH 02/20] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f84de1ecb..07aeb00144 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ **BREAKING CHANGES** ENHANCEMENTS: -disable default outbound access on subnets that don't require it ([#4706](https://github.com/microsoft/AzureTRE/issues/4706)) +* Specify default_outbound_access_enabled setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) BUG FIXES: From 068d136b79b69091944f4429fc2096eb6eff7341 Mon Sep 17 00:00:00 2001 From: JC-wk <196318169+JC-wk@users.noreply.github.com> Date: Fri, 21 Nov 2025 14:54:56 +0000 Subject: [PATCH 03/20] WIP need to check if some should be true/false --- .../databricks-auth/porter.yaml | 2 +- .../databricks-auth/terraform/network.tf | 18 ++++++++++-------- .../workspace_services/azureml/porter.yaml | 2 +- .../azureml/terraform/network.tf | 9 +++++---- .../workspace_services/databricks/porter.yaml | 2 +- .../databricks/terraform/network.tf | 18 ++++++++++-------- templates/workspace_services/ohdsi/porter.yaml | 2 +- .../ohdsi/terraform/atlas_database.tf | 9 +++++---- 8 files changed, 34 insertions(+), 28 deletions(-) diff --git a/templates/shared_services/databricks-auth/porter.yaml b/templates/shared_services/databricks-auth/porter.yaml index fc7ae06217..f7d34be8cc 100644 --- a/templates/shared_services/databricks-auth/porter.yaml +++ b/templates/shared_services/databricks-auth/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-databricks-private-auth -version: 0.1.13 +version: 0.1.14 description: "An Azure TRE shared service for Azure Databricks authentication." registry: azuretre dockerfile: Dockerfile.tmpl 
diff --git a/templates/shared_services/databricks-auth/terraform/network.tf b/templates/shared_services/databricks-auth/terraform/network.tf index 90cc9d0304..bc3681600f 100644 --- a/templates/shared_services/databricks-auth/terraform/network.tf +++ b/templates/shared_services/databricks-auth/terraform/network.tf @@ -9,10 +9,11 @@ resource "azurerm_virtual_network" "ws" { } resource "azurerm_subnet" "host" { - name = local.host_subnet_name - resource_group_name = local.resource_group_name - virtual_network_name = azurerm_virtual_network.ws.name - address_prefixes = [local.host_subnet_address_space] + name = local.host_subnet_name + resource_group_name = local.resource_group_name + virtual_network_name = azurerm_virtual_network.ws.name + address_prefixes = [local.host_subnet_address_space] + default_outbound_access_enabled = true delegation { name = "db-host-vnet-integration" @@ -29,10 +30,11 @@ resource "azurerm_subnet" "host" { } resource "azurerm_subnet" "container" { - name = local.container_subnet_name - resource_group_name = local.resource_group_name - virtual_network_name = azurerm_virtual_network.ws.name - address_prefixes = [local.container_subnet_address_space] + name = local.container_subnet_name + resource_group_name = local.resource_group_name + virtual_network_name = azurerm_virtual_network.ws.name + address_prefixes = [local.container_subnet_address_space] + default_outbound_access_enabled = true delegation { name = "db-container-vnet-integration" diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index 0cf012d630..ff9c631345 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-azureml -version: 0.10.0 +version: 0.10.1 description: "An Azure TRE service for Azure Machine Learning" registry: azuretre dockerfile: Dockerfile.tmpl 
diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf index 10b01aec26..00cab93b26 100644 --- a/templates/workspace_services/azureml/terraform/network.tf +++ b/templates/workspace_services/azureml/terraform/network.tf @@ -61,10 +61,11 @@ resource "azapi_resource" "aml_service_endpoint_policy" { } resource "azurerm_subnet" "aml" { - name = "AMLSubnet${local.short_service_id}" - virtual_network_name = data.azurerm_virtual_network.ws.name - resource_group_name = data.azurerm_virtual_network.ws.resource_group_name - address_prefixes = [var.address_space] + name = "AMLSubnet${local.short_service_id}" + virtual_network_name = data.azurerm_virtual_network.ws.name + resource_group_name = data.azurerm_virtual_network.ws.resource_group_name + address_prefixes = [var.address_space] + default_outbound_access_enabled = var.is_exposed_externally ? true : false # need to be disabled for AML private compute private_endpoint_network_policies = "Disabled" diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml index 8fdffa2db8..e3222da2f5 100644 --- a/templates/workspace_services/databricks/porter.yaml +++ b/templates/workspace_services/databricks/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-databricks -version: 1.0.14 +version: 1.0.15 description: "An Azure TRE service for Azure Databricks." registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/databricks/terraform/network.tf b/templates/workspace_services/databricks/terraform/network.tf index 63edae00d0..366dd0f2d5 100644 --- a/templates/workspace_services/databricks/terraform/network.tf +++ b/templates/workspace_services/databricks/terraform/network.tf 
@@ -88,10 +88,11 @@ resource "azurerm_network_security_group" "nsg" { } resource "azurerm_subnet" "host" { - name = local.host_subnet_name - resource_group_name = data.azurerm_resource_group.ws.name - virtual_network_name = data.azurerm_virtual_network.ws.name - address_prefixes = [local.host_subnet_address_space] + name = local.host_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.host_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-host-vnet-integration" @@ -108,10 +109,11 @@ resource "azurerm_subnet" "host" { } resource "azurerm_subnet" "container" { - name = local.container_subnet_name - resource_group_name = data.azurerm_resource_group.ws.name - virtual_network_name = data.azurerm_virtual_network.ws.name - address_prefixes = [local.container_subnet_address_space] + name = local.container_subnet_name + resource_group_name = data.azurerm_resource_group.ws.name + virtual_network_name = data.azurerm_virtual_network.ws.name + address_prefixes = [local.container_subnet_address_space] + default_outbound_access_enabled = false delegation { name = "db-container-vnet-integration" diff --git a/templates/workspace_services/ohdsi/porter.yaml b/templates/workspace_services/ohdsi/porter.yaml index 0c4451cade..0556063a0c 100644 --- a/templates/workspace_services/ohdsi/porter.yaml +++ b/templates/workspace_services/ohdsi/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-ohdsi -version: 0.3.4 +version: 0.3.5 description: "An OHDSI workspace service" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/ohdsi/terraform/atlas_database.tf b/templates/workspace_services/ohdsi/terraform/atlas_database.tf index 6dcd6c4b3a..f54f427c9a 100644 --- a/templates/workspace_services/ohdsi/terraform/atlas_database.tf 
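Review bot: With `default_outbound_access_enabled = false` on both the `host` and `container` subnets, a Databricks cluster deployed without public IPs has no egress unless a route table or NAT gateway covers the control-plane, relay and storage endpoints; neither is visible in these hunks, so confirm the route table defined elsewhere in this module (if any) still covers them, otherwise cluster start-up tends to hang rather than fail cleanly. A one-line comment on each new attribute, e.g. `# no implicit SNAT; cluster egress relies on the UDR to the firewall`, would make that dependency explicit. Both subnet resources continue past the hunk.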
+++ b/templates/workspace_services/ohdsi/terraform/atlas_database.tf @@ -100,10 +100,11 @@ resource "azurerm_network_security_group" "postgres" { } resource "azurerm_subnet" "postgres" { - name = "PostgreSQLSubnet${local.short_service_id}" - virtual_network_name = data.azurerm_virtual_network.ws.name - resource_group_name = data.azurerm_resource_group.ws.name - address_prefixes = [var.address_space] + name = "PostgreSQLSubnet${local.short_service_id}" + virtual_network_name = data.azurerm_virtual_network.ws.name + resource_group_name = data.azurerm_resource_group.ws.name + address_prefixes = [var.address_space] + default_outbound_access_enabled = true delegation { name = "psql-delegation" From 4a2810634692929f9b1f67341e436b04766ae585 Mon Sep 17 00:00:00 2001 From: JC-wk <196318169+JC-wk@users.noreply.github.com> Date: Fri, 21 Nov 2025 14:58:38 +0000 Subject: [PATCH 04/20] TODO Check and confirm true/false values --- core/terraform/network/network.tf | 28 +++++++++++++++++++--------- core/version.txt | 2 +- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf index 9e85be11ea..e63881730c 100644 --- a/core/terraform/network/network.tf +++ b/core/terraform/network/network.tf 
@@ -7,15 +7,17 @@ resource "azurerm_virtual_network" "core" { lifecycle { ignore_changes = [tags] } subnet { - name = "AzureBastionSubnet" - address_prefixes = [local.bastion_subnet_address_prefix] - security_group = azurerm_network_security_group.bastion.id + name = "AzureBastionSubnet" + address_prefixes = [local.bastion_subnet_address_prefix] + security_group = azurerm_network_security_group.bastion.id + default_outbound_access_enabled = true } subnet { - name = "AzureFirewallSubnet" - address_prefixes = [local.firewall_subnet_address_space] - route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null + name = "AzureFirewallSubnet" + address_prefixes = [local.firewall_subnet_address_space] + route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null + default_outbound_access_enabled = true } subnet { @@ -24,6 +26,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.app_gw.id + default_outbound_access_enabled = true } subnet { @@ -33,6 +36,7 @@ resource "azurerm_virtual_network" "core" { private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = true delegation { name = "delegation" @@ -50,6 +54,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = true } subnet { 
@@ -58,6 +63,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false } subnet { @@ -66,6 +72,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false delegation { name = "delegation" @@ -84,7 +91,7 @@ resource "azurerm_virtual_network" "core" { address_prefixes = [local.airlock_notifications_subnet_address_prefix] private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id - + default_outbound_access_enabled = false delegation { name = "delegation" @@ -102,6 +109,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false } subnet { @@ -110,13 +118,15 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id + default_outbound_access_enabled = false service_endpoints = ["Microsoft.ServiceBus"] } subnet { - name = "AzureFirewallManagementSubnet" - address_prefixes = [local.firewall_management_subnet_address_prefix] + name = "AzureFirewallManagementSubnet" + address_prefixes = [local.firewall_management_subnet_address_prefix] + default_outbound_access_enabled = true } } diff --git a/core/version.txt b/core/version.txt index 690e6889e2..bac41ffe7b 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.16.10" +__version__ = "0.16.11" 
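Review bot: The airlock-notifications subnet hunk (`@@ -84,7 +91,7 @@`) sets `default_outbound_access_enabled = false` on a delegated subnet that, unlike its neighbours in this file, shows no `route_table_id` in the surrounding context, so whatever runs there (presumably a function app, judging by the delegation — unverified) loses every egress path unless all of its dependencies are reached over private endpoints. Confirm that, or attach `azurerm_route_table.rt` as the other subnets do. The commit subject says the true/false values are still unconfirmed; the decision for each subnet should be recorded next to the attribute, e.g. `# service has its own public IP; implicit SNAT never used` for Bastion/Firewall and `# egress forced via UDR to firewall` for routed subnets.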
From 309a8cc716eed7f0f9ab01f2c374506c7d6c35a6 Mon Sep 17 00:00:00 2001 From: JC-wk <196318169+JC-wk@users.noreply.github.com> Date: Mon, 24 Nov 2025 15:24:46 +0000 Subject: [PATCH 05/20] set all default_outbound_access_enabled to false --- core/terraform/network/network.tf | 12 ++++++------ .../databricks-auth/terraform/network.tf | 4 ++-- .../ohdsi/terraform/atlas_database.tf | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf index e63881730c..7b81bb1fa9 100644 --- a/core/terraform/network/network.tf +++ b/core/terraform/network/network.tf @@ -10,14 +10,14 @@ resource "azurerm_virtual_network" "core" { name = "AzureBastionSubnet" address_prefixes = [local.bastion_subnet_address_prefix] security_group = azurerm_network_security_group.bastion.id - default_outbound_access_enabled = true + default_outbound_access_enabled = false } subnet { name = "AzureFirewallSubnet" address_prefixes = [local.firewall_subnet_address_space] route_table_id = var.firewall_force_tunnel_ip != "" ? azurerm_route_table.fw_tunnel_rt[0].id : null - default_outbound_access_enabled = true + default_outbound_access_enabled = false } subnet { @@ -26,7 +26,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.app_gw.id - default_outbound_access_enabled = true + default_outbound_access_enabled = false } subnet { @@ -36,7 +36,7 @@ resource "azurerm_virtual_network" "core" { private_link_service_network_policies_enabled = true security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id - default_outbound_access_enabled = true + default_outbound_access_enabled = false delegation { name = "delegation" 
@@ -54,7 +54,7 @@ resource "azurerm_virtual_network" "core" { private_endpoint_network_policies = "Disabled" security_group = azurerm_network_security_group.default_rules.id route_table_id = azurerm_route_table.rt.id - default_outbound_access_enabled = true + default_outbound_access_enabled = false } subnet { @@ -126,7 +126,7 @@ resource "azurerm_virtual_network" "core" { subnet { name = "AzureFirewallManagementSubnet" address_prefixes = [local.firewall_management_subnet_address_prefix] - default_outbound_access_enabled = true + default_outbound_access_enabled = false } } diff --git a/templates/shared_services/databricks-auth/terraform/network.tf b/templates/shared_services/databricks-auth/terraform/network.tf index bc3681600f..705d2275cb 100644 --- a/templates/shared_services/databricks-auth/terraform/network.tf +++ b/templates/shared_services/databricks-auth/terraform/network.tf @@ -13,7 +13,7 @@ resource "azurerm_subnet" "host" { resource_group_name = local.resource_group_name virtual_network_name = azurerm_virtual_network.ws.name address_prefixes = [local.host_subnet_address_space] - default_outbound_access_enabled = true + default_outbound_access_enabled = false delegation { name = "db-host-vnet-integration" @@ -34,7 +34,7 @@ resource "azurerm_subnet" "container" { resource_group_name = local.resource_group_name virtual_network_name = azurerm_virtual_network.ws.name address_prefixes = [local.container_subnet_address_space] - default_outbound_access_enabled = true + default_outbound_access_enabled = false delegation { name = "db-container-vnet-integration" diff --git a/templates/workspace_services/ohdsi/terraform/atlas_database.tf b/templates/workspace_services/ohdsi/terraform/atlas_database.tf index f54f427c9a..7d26918705 100644 --- a/templates/workspace_services/ohdsi/terraform/atlas_database.tf +++ b/templates/workspace_services/ohdsi/terraform/atlas_database.tf 
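Review bot: Flipping `AzureBastionSubnet`, `AzureFirewallSubnet`, `AzureFirewallManagementSubnet` and the application gateway subnet to `false` is safe only because those services bring their own public IPs rather than relying on implicit SNAT; the previous commit left these marked as TODO and nothing in this hunk records the reasoning, so the next reader may treat the value as a mistake. Add a comment on each, e.g. `# service uses its own public IP; implicit outbound SNAT is never used`. For the application gateway subnet specifically, confirm the deployed SKU still provisions and serves health probes after this change, since some SKUs depend on outbound management-plane connectivity that previously came from default outbound access (not verifiable from the diff).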
@@ -104,7 +104,7 @@ resource "azurerm_subnet" "postgres" { virtual_network_name = data.azurerm_virtual_network.ws.name resource_group_name = data.azurerm_resource_group.ws.name address_prefixes = [var.address_space] - default_outbound_access_enabled = true + default_outbound_access_enabled = false delegation { name = "psql-delegation" From a68e84a768085a539f832d5571464df04a5b3b63 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 9 Jan 2026 10:23:50 +0000 Subject: [PATCH 06/20] bump version --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version.txt b/core/version.txt index 24d361527f..ca7cbc127e 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.16.12" +__version__ = "0.16.13" From b26822d3910e2317c4363468040e7f61939af125 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Mon, 2 Feb 2026 16:17:29 +0000 Subject: [PATCH 07/20] azureml default_outbound_access_enabled = false --- templates/workspace_services/azureml/terraform/network.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf index d9f1d31ec3..836fd3a3f1 100644 --- a/templates/workspace_services/azureml/terraform/network.tf +++ b/templates/workspace_services/azureml/terraform/network.tf @@ -65,7 +65,7 @@ resource "azurerm_subnet" "aml" { virtual_network_name = data.azurerm_virtual_network.ws.name resource_group_name = data.azurerm_virtual_network.ws.resource_group_name address_prefixes = [var.address_space] - default_outbound_access_enabled = var.is_exposed_externally ? true : false + default_outbound_access_enabled = false # need to be disabled for AML private compute private_endpoint_network_policies = "Disabled" From 103585f572802a9a14d8c7789a9a592376683e0d Mon Sep 17 00:00:00 2001 
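Review bot: Removing the `is_exposed_externally` branch means an externally exposed AML deployment now has no implicit SNAT either, so its compute must get egress from a route table or NAT gateway defined elsewhere in this template — not shown here, so confirm before merging. The new line also sits directly above `# need to be disabled for AML private compute`, which belongs to `private_endpoint_network_policies`, and a reader can misattribute it. A trailing comment such as `default_outbound_access_enabled = false # no implicit SNAT regardless of exposure; egress via UDR` keeps the two settings distinct. The `aml` subnet resource continues past the hunk.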
From: James Chapman Date: Mon, 2 Feb 2026 16:21:28 +0000 Subject: [PATCH 08/20] changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26a477c8df..c306c379ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ ENHANCEMENTS: -* Specify default_outbound_access_enabled setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) +* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754)) * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742)) * Change Group.ReadWrite.All permission to Group.Create for AUTO_WORKSPACE_GROUP_CREATION ([#4772](https://github.com/microsoft/AzureTRE/issues/4772)) From 4448e3b3d761668de0543faf78ba82ee6bfbbb5e Mon Sep 17 00:00:00 2001 From: James Chapman Date: Mon, 2 Feb 2026 16:23:02 +0000 Subject: [PATCH 09/20] ohdsi ver --- templates/workspace_services/ohdsi/porter.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/workspace_services/ohdsi/porter.yaml b/templates/workspace_services/ohdsi/porter.yaml index 64789cd14e..a2cf1f71d6 100644 --- a/templates/workspace_services/ohdsi/porter.yaml +++ b/templates/workspace_services/ohdsi/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-ohdsi -version: 0.3.5 +version: 0.3.6 description: "An OHDSI workspace service" registry: azuretre dockerfile: Dockerfile.tmpl From 328fa169bc9b4e977a2839ee4bf61fb29af584bf Mon Sep 17 00:00:00 2001 From: James Chapman Date: Mon, 2 Feb 2026 16:23:30 +0000 Subject: [PATCH 10/20] update ws version --- templates/workspaces/base/porter.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index c970a581d9..a71c799ebe 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 2.8.1 +version: 2.8.2 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre From 6dea79c868092a4b8ed023d3bfd8f7b47873dd8d Mon Sep 17 00:00:00 2001 From: James Chapman Date: Tue, 3 Feb 2026 16:27:18 +0000 Subject: [PATCH 11/20] Fix Lint (add terraform lock file) --- core/terraform/network/.terraform.lock.hcl | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 core/terraform/network/.terraform.lock.hcl diff --git a/core/terraform/network/.terraform.lock.hcl b/core/terraform/network/.terraform.lock.hcl new file mode 100644 index 0000000000..edc354eda0 --- /dev/null +++ b/core/terraform/network/.terraform.lock.hcl 
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "4.58.0" + constraints = ">= 4.27.0" + hashes = [ + "h1:MESGDsXHZy6+1pCObte7/WSXaIzH9FUFy/Vp8MPVxiI=", + "zh:041c2a778ab4dd5a9af174b1d6f75409e5aabfc359cb386dfea3fb09e3f32709", + "zh:0a302531a61e7383acf99a6202d7984b2ea559306f45021381665c827a830d46", + "zh:0c69f132c7609683d907e87b89210a298d84c5b0121b62278949931bc54ca952", + "zh:0cadf48e9d2d9daed43212a3c9d886d7faaf68787b6e955456cbe4f43e4a17ec", + "zh:35ef4293d7731f6ff1f8bcba2c4529f987b7fac243c1ac1c154bbc02c9703c25", + "zh:3cb2679e1d56865e0ee0cf4c5d1404dbad0db42d11425e7bf0580a026cc64287", + "zh:4e56411f5119042d4962acff5c6d64224a49a69154ba80e6df63fa57b1e6d284", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:ca4626411a111720c220f9849c7d2e1fcd5d380f56459e096d835a9dbf9e6e13", + "zh:d31c4e65dcb096974479b2d548fffb86fc9a5262aff1b01fe62ef442ce536c6b", + "zh:d9631602999c1853e53ee2c5aef7476e23c7787beddc3599c10dbaa4891ba166", + "zh:f31ba7c9341037ceb7d49467946c01b2b0930404ed1d5643c1451f734a613a03", + ] +} From 56c229dfaa1c0712c2acb84df151ceea39b5366b Mon Sep 17 00:00:00 2001 From: James Chapman Date: Tue, 3 Feb 2026 16:49:49 +0000 Subject: [PATCH 12/20] remove extra lock file --- core/terraform/network/.terraform.lock.hcl | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 core/terraform/network/.terraform.lock.hcl diff --git a/core/terraform/network/.terraform.lock.hcl b/core/terraform/network/.terraform.lock.hcl deleted file mode 100644 index edc354eda0..0000000000 --- a/core/terraform/network/.terraform.lock.hcl +++ /dev/null 
@@ -1,22 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.58.0" - constraints = ">= 4.27.0" - hashes = [ - "h1:MESGDsXHZy6+1pCObte7/WSXaIzH9FUFy/Vp8MPVxiI=", - "zh:041c2a778ab4dd5a9af174b1d6f75409e5aabfc359cb386dfea3fb09e3f32709", - "zh:0a302531a61e7383acf99a6202d7984b2ea559306f45021381665c827a830d46", - "zh:0c69f132c7609683d907e87b89210a298d84c5b0121b62278949931bc54ca952", - "zh:0cadf48e9d2d9daed43212a3c9d886d7faaf68787b6e955456cbe4f43e4a17ec", - "zh:35ef4293d7731f6ff1f8bcba2c4529f987b7fac243c1ac1c154bbc02c9703c25", - "zh:3cb2679e1d56865e0ee0cf4c5d1404dbad0db42d11425e7bf0580a026cc64287", - "zh:4e56411f5119042d4962acff5c6d64224a49a69154ba80e6df63fa57b1e6d284", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ca4626411a111720c220f9849c7d2e1fcd5d380f56459e096d835a9dbf9e6e13", - "zh:d31c4e65dcb096974479b2d548fffb86fc9a5262aff1b01fe62ef442ce536c6b", - "zh:d9631602999c1853e53ee2c5aef7476e23c7787beddc3599c10dbaa4891ba166", - "zh:f31ba7c9341037ceb7d49467946c01b2b0930404ed1d5643c1451f734a613a03", - ] -} From 0c457358d1fc8a21b1474659a8de0cef466d38c4 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Tue, 3 Feb 2026 17:17:25 +0000 Subject: [PATCH 13/20] attempt fix for pipeline error --- .github/workflows/build_validation_develop.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index 8e725d48ca..efe3db8520 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml 
@@ -111,6 +111,18 @@ jobs: pip install -r docs/requirements.txt mkdocs build --strict + - name: Setup Terraform for Core + if: ${{ steps.filter.outputs.terraform_core == 'true' }} + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.14.3" + + - name: Init Core Terraform folders + if: ${{ steps.filter.outputs.terraform_core == 'true' }} + run: | + find core -type d -name 'terraform' -not -path '*cnab*' -print0 \ + | xargs -0 -I{} sh -c 'echo "***** Initializing: {} *****"; terraform -chdir={} init -backend=false' + - name: Core Tags if: ${{ steps.filter.outputs.terraform_core == 'true' }} uses: super-linter/super-linter/slim@v8.3.2 From 4896aa5472bb7450371fc880083d3c02675b6cb5 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Tue, 3 Feb 2026 17:32:30 +0000 Subject: [PATCH 14/20] update terraform_azurerm_environment_configuration --- .github/workflows/build_validation_develop.yml | 12 ------------ core/terraform/airlock/main.tf | 2 +- core/terraform/network/network.tf | 2 +- .../terraform/resource_processor/vmss_porter/main.tf | 2 +- 4 files changed, 3 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index efe3db8520..8e725d48ca 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml 
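Review bot: The new `Init Core Terraform folders` step runs `terraform init` in every core folder, which downloads providers from the registry and modules from `git::https` sources at whatever version satisfies the constraints; where a folder commits no `.terraform.lock.hcl` (the preceding commit removed the one for `core/terraform/network`) CI will silently pick up newer provider builds on each run. `hashicorp/setup-terraform@v3` is likewise pinned to a moving tag rather than a commit SHA. The `xargs -I{} sh -c '... {} ...'` form splices the path into a shell string; the paths are repository-controlled so the risk is low, but the conventional safe form is `sh -c 'terraform -chdir="$1" init -backend=false' _ {}`.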
@@ -111,18 +111,6 @@ jobs: pip install -r docs/requirements.txt mkdocs build --strict - - name: Setup Terraform for Core - if: ${{ steps.filter.outputs.terraform_core == 'true' }} - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: "1.14.3" - - - name: Init Core Terraform folders - if: ${{ steps.filter.outputs.terraform_core == 'true' }} - run: | - find core -type d -name 'terraform' -not -path '*cnab*' -print0 \ - | xargs -0 -I{} sh -c 'echo "***** Initializing: {} *****"; terraform -chdir={} init -backend=false' - - name: Core Tags if: ${{ steps.filter.outputs.terraform_core == 'true' }} uses: super-linter/super-linter/slim@v8.3.2 diff --git a/core/terraform/airlock/main.tf b/core/terraform/airlock/main.tf index 6dcc6f8cf0..236f2c7615 100644 --- a/core/terraform/airlock/main.tf +++ b/core/terraform/airlock/main.tf @@ -17,6 +17,6 @@ terraform { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" arm_environment = var.arm_environment } diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf index 7b81bb1fa9..e6e340b78b 100644 --- a/core/terraform/network/network.tf +++ b/core/terraform/network/network.tf @@ -167,6 +167,6 @@ resource "azurerm_ip_group" "airlock_processor" { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" arm_environment = var.arm_environment } diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf index b84e52abbb..249aaf0099 100644 --- a/core/terraform/resource_processor/vmss_porter/main.tf 
+++ b/core/terraform/resource_processor/vmss_porter/main.tf @@ -246,6 +246,6 @@ resource "azurerm_private_endpoint" "mgmtblobpe" { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" arm_environment = var.arm_environment } From 6dfe022a2ed7319e075b359fa9f5f25f44084ab2 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 6 Feb 2026 17:01:26 +0000 Subject: [PATCH 15/20] revert accidental change --- core/terraform/airlock/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/terraform/airlock/main.tf b/core/terraform/airlock/main.tf index 236f2c7615..6dcc6f8cf0 100644 --- a/core/terraform/airlock/main.tf +++ b/core/terraform/airlock/main.tf @@ -17,6 +17,6 @@ terraform { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" arm_environment = var.arm_environment } From fb3fa3ff30b69af532316a269654f89249f25f8b Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 6 Feb 2026 17:02:15 +0000 Subject: [PATCH 16/20] remove accidental commit --- core/terraform/resource_processor/vmss_porter/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf index 249aaf0099..b84e52abbb 100644 --- a/core/terraform/resource_processor/vmss_porter/main.tf +++ b/core/terraform/resource_processor/vmss_porter/main.tf 
@@ -246,6 +246,6 @@ resource "azurerm_private_endpoint" "mgmtblobpe" { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" arm_environment = var.arm_environment } From 393e5ebc32da2b1ea5be111db5fa796c88f76028 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 6 Feb 2026 17:03:19 +0000 Subject: [PATCH 17/20] update changelog --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 367dbd843c..a7052c8bf0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ * _No changes yet_ ENHANCEMENTS: -* _No changes yet_ +* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) BUG FIXES: * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824)) @@ -20,7 +20,6 @@ BUG FIXES: ENHANCEMENTS: -* Specify default_outbound_access_enabled = false setting for all subnets ([#4757](https://github.com/microsoft/AzureTRE/pull/4757)) * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754)) * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742)) * Change Group.ReadWrite.All permission to Group.Create for AUTO_WORKSPACE_GROUP_CREATION ([#4772](https://github.com/microsoft/AzureTRE/issues/4772)) From 33077293abbaa22ca3a4af0da17819188e0ea6b0 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 6 Feb 2026 17:09:17 +0000 Subject: [PATCH 18/20] core version --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/version.txt b/core/version.txt index ca7cbc127e..b27f61bc3c 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.16.13" +__version__ = "0.16.14" From b57cdabb00de3b2f9be572084dd7d9765f998372 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Fri, 6 Feb 2026 17:41:45 +0000 Subject: [PATCH 19/20] fix lint --- .github/linters/.tflint_workspaces.hcl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/linters/.tflint_workspaces.hcl b/.github/linters/.tflint_workspaces.hcl index bfb0c85e20..86862b463b 100644 --- a/.github/linters/.tflint_workspaces.hcl +++ b/.github/linters/.tflint_workspaces.hcl @@ -7,6 +7,8 @@ config { plugin "azurerm" { enabled = true + version = "0.30.0" + source = "github.com/terraform-linters/tflint-ruleset-azurerm" } rule "azurerm_resource_missing_tags" { From ea126540dc1cdebf5cb3cc261b8bd13d8e77bfa5 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Wed, 11 Feb 2026 09:55:52 +0000 Subject: [PATCH 20/20] revert version change --- core/terraform/network/network.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf index e6e340b78b..7b81bb1fa9 100644 --- a/core/terraform/network/network.tf +++ b/core/terraform/network/network.tf @@ -167,6 +167,6 @@ resource "azurerm_ip_group" "airlock_processor" { } module "terraform_azurerm_environment_configuration" { - source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.7.0" + source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0" arm_environment = var.arm_environment }
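Review bot: After this revert the `terraform_azurerm_environment_configuration` module still resolves its source with `?ref=0.2.0`, a git tag; tags are mutable, so a force-pushed or compromised upstream repository could change what `terraform init` fetches under the same ref. Pinning to the tag's commit, `?ref=<full commit sha>`, gives an immutable reference at no cost, and the same applies to the sibling modules in `core/terraform/airlock` and `resource_processor/vmss_porter` touched earlier in this series. If the earlier bump to 0.7.0 was made to satisfy the new subnet attribute, that dependency is now undocumented; note in the commit message or CHANGELOG why 0.2.0 remains sufficient.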