diff --git a/CHANGELOG.md b/CHANGELOG.md index e9da0f3fda..cf7dc03ad2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ ENHANCEMENTS: * Migrate GitHub Actions workflows to use ubuntu-slim runners for improved efficiency and reduced cost ([#4831](https://github.com/microsoft/AzureTRE/pull/4831)) BUG FIXES: +* Fix Azure Health Data Services deployment failures by upgrading AzureRM provider to 4.58.0, switching to RBAC group assignments, and adding workspace group parameter mappings ([#4844](https://github.com/microsoft/AzureTRE/issues/4844)) * Replace deprecated `--username` flag with `--client-id` in `az login --identity` commands across all Porter bundles ([#4817](https://github.com/microsoft/AzureTRE/issues/4817)) * Fix deleted workspaces still accessible via URL - get_*_by_id methods now filter out deleted resources ([#4785](https://github.com/microsoft/AzureTRE/issues/4785)) * Fix circular dependancy in base workspace. ([#4756](https://github.com/microsoft/AzureTRE/pull/4756)) diff --git a/templates/workspace_services/health-services/porter.yaml b/templates/workspace_services/health-services/porter.yaml index e68c73e9f3..d15ecd2d93 100644 --- a/templates/workspace_services/health-services/porter.yaml +++ b/templates/workspace_services/health-services/porter.yaml @@ -1,19 +1,12 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-health -version: 0.2.13 +version: 0.3.4 description: "An Azure Data Health Services workspace service" registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the AAD Auth tenant - - name: auth_client_id - env: AUTH_CLIENT_ID - - name: auth_client_secret - env: AUTH_CLIENT_SECRET - - name: auth_tenant_id - env: AUTH_TENANT_ID # Credentials for interacting with Azure - name: azure_tenant_id env: ARM_TENANT_ID 
@@ -32,6 +25,12 @@ parameters: - name: aad_authority_url type: string default: "https://login.microsoftonline.com" + - name: workspace_owners_group_id + type: string + description: "Object ID of the workspace owners AAD group" + - name: workspace_researchers_group_id + type: string + description: "Object ID of the workspace researchers AAD group" # the following are added automatically by the resource processor - name: id @@ -100,11 +99,10 @@ install: deploy_fhir: ${ bundle.parameters.deploy_fhir } deploy_dicom: ${ bundle.parameters.deploy_dicom } fhir_kind: ${ bundle.parameters.fhir_kind } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -127,11 +125,10 @@ upgrade: deploy_fhir: ${ bundle.parameters.deploy_fhir } deploy_dicom: ${ bundle.parameters.deploy_dicom } fhir_kind: ${ bundle.parameters.fhir_kind } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
@@ -154,11 +151,10 @@ uninstall: deploy_fhir: ${ bundle.parameters.deploy_fhir } deploy_dicom: ${ bundle.parameters.deploy_dicom } fhir_kind: ${ bundle.parameters.fhir_kind } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/health-services/template_schema.json b/templates/workspace_services/health-services/template_schema.json index 290b8e5b4c..98e5061de0 100644 --- a/templates/workspace_services/health-services/template_schema.json +++ b/templates/workspace_services/health-services/template_schema.json @@ -35,6 +35,26 @@ "description": "Deploy FHIR instance", "updateable": true, "default": false + }, + "workspace_owners_group_id": { + "$id": "#/properties/workspace_owners_group_id", + "type": "string", + "title": "Workspace Owners Group ID", + "description": "Object ID of the workspace owners AAD group" + }, + "workspace_researchers_group_id": { + "$id": "#/properties/workspace_researchers_group_id", + "type": "string", + "title": "Workspace Researchers Group ID", + "description": "Object ID of the workspace researchers AAD group" + } + }, + "uiSchema": { + "workspace_owners_group_id": { + "classNames": "tre-hidden" + }, + "workspace_researchers_group_id": { + "classNames": "tre-hidden" } }, "allOf": [ 
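Review bot: The two new `workspace_*_group_id` properties are only hidden in the UI (`tre-hidden`); the schema still accepts them as free-form strings with no `pattern`, so an API caller can submit any value and, if the install-step pipeline mapping does not overwrite a caller-supplied value, that value becomes the `principal_id` granted FHIR Contributor / DICOM Data Owner in roles.tf. Add an object-ID constraint so a non-GUID is rejected at validation time rather than at apply: `"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"` on both properties. Separately, confirm in the API that pipeline-supplied properties take precedence over request-supplied ones; nothing in this hunk shows that. Neither property is marked `updateable`, which presumably makes them immutable after creation — appropriate for an identity-bearing field, since a later change would not be reflected in existing role assignments.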
@@ -68,7 +88,19 @@ "pipeline": { "install": [ { - "stepId": "main" + "stepId": "main", + "properties": [ + { + "name": "workspace_owners_group_id", + "type": "string", + "value": "{{ resource.parent.properties.workspace_owners_group_id }}" + }, + { + "name": "workspace_researchers_group_id", + "type": "string", + "value": "{{ resource.parent.properties.workspace_researchers_group_id }}" + } + ] }, { "stepId": "d5504764-94cd-11ed-a1eb-0242ac120002", diff --git a/templates/workspace_services/health-services/terraform/.terraform.lock.hcl b/templates/workspace_services/health-services/terraform/.terraform.lock.hcl index 17bbd6e5c8..80913233fb 100644 --- a/templates/workspace_services/health-services/terraform/.terraform.lock.hcl +++ b/templates/workspace_services/health-services/terraform/.terraform.lock.hcl 
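Review bot: The parent-group mapping is added only to the `install` pipeline's `main` step, yet porter.yaml's `upgrade` and `uninstall` actions also pass `bundle.parameters.workspace_*_group_id`, and variables.tf now rejects an empty value, so services deployed at 0.2.13 that carry no such property would fail validation on upgrade or uninstall unless the `upgrade`/`uninstall` pipeline sections (outside this hunk) carry the same two `properties` entries. Add the same mapping to the `main` step of those pipelines, or confirm that the resource processor re-injects parent properties on every action. If the parent workspace lacks `workspace_researchers_group_id` (e.g. one created without Entra ID groups), the template presumably renders an empty string and the failure surfaces only as the generic Terraform validation message; a comment on these two entries noting that the parent workspace must have been created with Entra ID groups would help operators diagnose that case.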
@@ -2,22 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.117.0" - constraints = "3.117.0" + version = "4.58.0" + constraints = "4.58.0" hashes = [ - "h1:Ynfg+Iy7x6K8M6W1AhqXCe3wkoiqIQhROlca7C3KC3w=", - "zh:2e25f47492366821a786762369f0e0921cc9452d64bfd5075f6fdfcf1a9c6d70", - "zh:41eb34f2f7469bf3eb1019dfb0e7fc28256f809824016f4f8b9d691bf473b2ac", - "zh:48bb9c87b3d928da1abc1d3db75453c9725de4674c612daf3800160cc7145d30", - "zh:5d6b0de0bbd78943fcc65c53944ef4496329e247f434c6eab86ed051c5cea67b", - "zh:78c9f6fdb1206a89cf0e6706b4f46178169a93b6c964a4cad8a321058ccbd9b4", - "zh:793b702c352589d4360b580d4a1cf654a7439d2ad6bdb7bfea91de07bc4b0fac", - "zh:7ed687ff0a5509463a592f97431863574fe5cc80a34e395be06766215b8c6285", - "zh:955ba18789bd15592824eb426a8d0f38595bd09fffc6939c1c58933489c1a71e", - "zh:bf5949a55be0714cd9c8815d472eae4baa48ba06d0f6bf2b96775869acda8a54", - "zh:da5d31f635abd2c645ffc76d6176d73f646128e73720cc368247cc424975c127", - "zh:eed5a66d59883c9c56729b0a964a2b60d758ea7489ef3e920a6fbd48518ce5f5", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "h1:6lb8gT8vG3vgraxqjePXVqOUUxP6OVOPzz1CxI2Kbj8=", + "h1:MESGDsXHZy6+1pCObte7/WSXaIzH9FUFy/Vp8MPVxiI=", + "h1:bPPD3lFdhTksJqlZlo+piO7OhuX5v9PgCSvWyQRlgPg=", + "zh:041c2a778ab4dd5a9af174b1d6f75409e5aabfc359cb386dfea3fb09e3f32709", + "zh:0a302531a61e7383acf99a6202d7984b2ea559306f45021381665c827a830d46", + "zh:0c69f132c7609683d907e87b89210a298d84c5b0121b62278949931bc54ca952", + "zh:0cadf48e9d2d9daed43212a3c9d886d7faaf68787b6e955456cbe4f43e4a17ec", + "zh:35ef4293d7731f6ff1f8bcba2c4529f987b7fac243c1ac1c154bbc02c9703c25", + "zh:3cb2679e1d56865e0ee0cf4c5d1404dbad0db42d11425e7bf0580a026cc64287", + "zh:4e56411f5119042d4962acff5c6d64224a49a69154ba80e6df63fa57b1e6d284", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:ca4626411a111720c220f9849c7d2e1fcd5d380f56459e096d835a9dbf9e6e13", + 
"zh:d31c4e65dcb096974479b2d548fffb86fc9a5262aff1b01fe62ef442ce536c6b", + "zh:d9631602999c1853e53ee2c5aef7476e23c7787beddc3599c10dbaa4891ba166", + "zh:f31ba7c9341037ceb7d49467946c01b2b0930404ed1d5643c1451f734a613a03", ] } diff --git a/templates/workspace_services/health-services/terraform/providers.tf b/templates/workspace_services/health-services/terraform/providers.tf index a009aca748..15abc23fc4 100644 --- a/templates/workspace_services/health-services/terraform/providers.tf +++ b/templates/workspace_services/health-services/terraform/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "= 3.117.0" + version = "= 4.58.0" } external = { source = "hashicorp/external" diff --git a/templates/workspace_services/health-services/terraform/roles.tf b/templates/workspace_services/health-services/terraform/roles.tf index 4c41537201..8af1f03ed3 100644 --- a/templates/workspace_services/health-services/terraform/roles.tf +++ b/templates/workspace_services/health-services/terraform/roles.tf 
@@ -1,18 +1,31 @@ +# Role assignments for workspace researchers group +resource "azurerm_role_assignment" "researchers_fhir_contributor" { + count = var.deploy_fhir && var.workspace_researchers_group_id != "" ? 1 : 0 + scope = azurerm_healthcare_fhir_service.fhir[0].id + role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id + principal_id = var.workspace_researchers_group_id +} -data "azurerm_key_vault_secret" "workspace_client_id" { - name = "workspace-client-id" - key_vault_id = data.azurerm_key_vault.ws.id +resource "azurerm_role_assignment" "researchers_dicom_data_owner" { + count = var.deploy_dicom && var.workspace_researchers_group_id != "" ? 1 : 0 + scope = azurerm_healthcare_dicom_service.dicom[0].id + role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id + principal_id = var.workspace_researchers_group_id } -data "external" "app_role_members" { - program = ["bash", "${path.module}/get_app_role_members.sh"] +# Role assignments for workspace owners group +resource "azurerm_role_assignment" "owners_fhir_contributor" { + count = var.deploy_fhir && var.workspace_owners_group_id != "" ? 1 : 0 + scope = azurerm_healthcare_fhir_service.fhir[0].id + role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id + principal_id = var.workspace_owners_group_id +} - query = { - auth_client_id = var.auth_client_id - auth_client_secret = var.auth_client_secret - auth_tenant_id = var.auth_tenant_id - workspace_client_id = data.azurerm_key_vault_secret.workspace_client_id.value - } +resource "azurerm_role_assignment" "owners_dicom_data_owner" { + count = var.deploy_dicom && var.workspace_owners_group_id != "" ? 1 : 0 + scope = azurerm_healthcare_dicom_service.dicom[0].id + role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id + principal_id = var.workspace_owners_group_id } data "azurerm_role_definition" "azure_fhir_contributor" { 
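Review bot: The `count` guards `var.workspace_*_group_id != ""` on all four assignments are dead once the new `validation` blocks in variables.tf reject empty values; keep one mechanism, and prefer the validation, because a silently skipped assignment would leave the service deployed with no data-plane access and no error. Each assignment should also set `principal_type = "Group"` so the provider skips the directory lookup that yields `PrincipalNotFound` when a freshly created group has not replicated yet, a common transient failure on first deploy. The removed `data "external"` block referenced `${path.module}/get_app_role_members.sh`, and this diff does not show that script being deleted; remove it so the credential-driven lookup does not linger in the bundle image. Owners and researchers receive identical roles, including DICOM Data Owner (full data-plane access); if researchers only need read/write, a narrower role would honour least privilege — a design decision to confirm rather than a regression, since the previous per-member assignments used the same two roles. The `azure_fhir_contributor` role-definition data block at the end of the hunk continues outside it.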
@@ -22,17 +35,3 @@ data "azurerm_role_definition" "azure_fhir_contributor" { data "azurerm_role_definition" "azure_dicom_data_owner" { name = "DICOM Data Owner" } - -resource "azurerm_role_assignment" "app_role_members_fhir_contributor" { - for_each = !var.deploy_fhir || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals)) - scope = azurerm_healthcare_fhir_service.fhir[0].id - role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id - principal_id = each.value -} - -resource "azurerm_role_assignment" "app_role_members_dicom_data_owner" { - for_each = !var.deploy_dicom || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals)) - scope = azurerm_healthcare_dicom_service.dicom[0].id - role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id - principal_id = each.value -} diff --git a/templates/workspace_services/health-services/terraform/variables.tf b/templates/workspace_services/health-services/terraform/variables.tf index 9ff5cc6688..312ad9b424 100644 --- a/templates/workspace_services/health-services/terraform/variables.tf +++ b/templates/workspace_services/health-services/terraform/variables.tf 
@@ -33,20 +33,24 @@ variable "deploy_dicom" { description = "Indicates if DICOM should be created in the Azure Health Data Services Workspace." } -variable "auth_tenant_id" { +variable "workspace_owners_group_id" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" -} + description = "Object ID of the workspace owners AAD group" -variable "auth_client_id" { - type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + validation { + condition = length(trimspace(var.workspace_owners_group_id)) > 0 + error_message = "workspace_owners_group_id must be provided; Entra ID workspace groups are required." + } } -variable "auth_client_secret" { +variable "workspace_researchers_group_id" { type = string - sensitive = true - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Object ID of the workspace researchers AAD group" + + validation { + condition = length(trimspace(var.workspace_researchers_group_id)) > 0 + error_message = "workspace_researchers_group_id must be provided; Entra ID workspace groups are required." + } } variable "arm_environment" {
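Review bot: The new validation only proves the group IDs are non-blank, so a value that is not an Entra object ID passes `terraform validate` and fails later inside `azurerm_role_assignment`, after the FHIR/DICOM resources have already been created. Tighten each condition to the object-ID shape, e.g. `condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", var.workspace_owners_group_id))`, with the matching regex for `workspace_researchers_group_id`, and say "Entra ID group object ID" in the error message so operators know which value to check. Group object IDs are identifiers, not secrets, so not carrying `sensitive = true` over from the removed `auth_client_secret` variable is correct. The `variable "arm_environment"` block at the end of the hunk continues outside it.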