Use custom DNS addresses when accessing internal resources from the external world (like guacamole) #3731

wants to merge 7 commits into
base: main
15 changes: 12 additions & 3 deletions .github/actions/devcontainer_run_command/action.yml
Expand Up @@ -121,6 +121,10 @@ inputs:
description: "JSON string containing key/value pairs to injet into the Resource Processor as ENV vars"
required: false
default: ""
TRE_URL:
description: "The URL of the TRE as registered in DNS, usually via a CNAME"
required: false
default: ""

runs:
using: composite
Expand All @@ -147,9 +151,13 @@ runs:
- name: Construct TRE_URL
shell: bash
run: |
source devops/scripts/construct_tre_url.sh
tre_url=$(construct_tre_url "${{ inputs.TRE_ID }}" "${{ inputs.LOCATION }}" "${{ env.AZURE_ENVIRONMENT }}")
echo "TRE_URL=$tre_url" >> $GITHUB_ENV
if [ "${{ inputs.TRE_URL}}" == '' ]; then
source devops/scripts/construct_tre_url.sh
tre_url=$(construct_tre_url "${{ inputs.TRE_ID }}" "${{ inputs.LOCATION }}" "${{ env.AZURE_ENVIRONMENT }}")
echo "TRE_URL=$tre_url" >> $GITHUB_ENV
else
echo "TRE_URL=${{ inputs.TRE_URL }}" >> $GITHUB_ENV
fi

- name: Construct ARM_ENVIRONMENT
shell: bash
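Review bot: The new `if [ "${{ inputs.TRE_URL}}" == '' ]` test and the `echo "TRE_URL=${{ inputs.TRE_URL }}" >> $GITHUB_ENV` line splice the action input straight into the bash script, so a value containing quotes, `$(...)` or a newline is interpreted by the shell and can alter what ends up in `$GITHUB_ENV`. Passing the input through the step's `env:` keeps it data: `env: { TRE_URL_INPUT: "${{ inputs.TRE_URL }}" }`, then `if [ -z "${TRE_URL_INPUT}" ]; then` and `echo "TRE_URL=${TRE_URL_INPUT}" >> "$GITHUB_ENV"`. The `TRE_ID`/`LOCATION` interpolations on the `construct_tre_url` line predate this change but deserve the same treatment. The missing space in `inputs.TRE_URL}}` is cosmetic, but worth aligning with the other expressions in the step.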
Expand Down Expand Up @@ -211,6 +219,7 @@ runs:
-e TRE_ID="${{ inputs.TRE_ID }}" \
-e TF_VAR_tre_id="${{ inputs.TRE_ID }}" \
-e TRE_URL="${{ env.TRE_URL }}" \
-e TF_VAR_tre_url="${{ env.TRE_URL }}" \
-e TEST_WORKSPACE_APP_ID="${{ inputs.TEST_WORKSPACE_APP_ID }}" \
-e TEST_WORKSPACE_APP_SECRET="${{ inputs.TEST_WORKSPACE_APP_SECRET }}" \
-e TEST_APP_ID="${{ inputs.TEST_APP_ID }}" \
1 change: 1 addition & 0 deletions .github/workflows/deploy_tre.yml
Expand Up @@ -53,3 +53,4 @@ jobs:
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ secrets.TRE_ID }}
CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
TRE_URL: ${{ secrets.TRE_URL }}
1 change: 1 addition & 0 deletions .github/workflows/deploy_tre_branch.yml
Expand Up @@ -84,3 +84,4 @@ jobs:
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }}
CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
TRE_URL: ${{ secrets.TRE_URL }}
31 changes: 31 additions & 0 deletions .github/workflows/deploy_tre_reusable.yml
Expand Up @@ -90,6 +90,9 @@ on: # yamllint disable-line rule:truthy
AZURE_CREDENTIALS:
description: ""
required: true
TRE_URL:
description: ""
required: true

# This will prevent multiple runs of this entire workflow.
# We should NOT cancel in progress runs as that can destabilize the environment.
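Review bot: `TRE_URL` is declared `required: true` under `secrets:`, while the docs changed in this PR describe it as optional and the action input defaults to `""`; callers without a custom DNS name will fail the reusable workflow's input validation unless they define an empty secret. `required: false` matches the intended fallback to `construct_tre_url` in the action. Since the value is a public hostname rather than a credential, carrying it as `vars.TRE_URL` instead of `secrets.TRE_URL` (as the later hunks in this file and the two caller workflows do) would also stop GitHub masking the hostname in every log line that prints a URL, which otherwise makes the healthcheck and e2e output hard to read — presumably not intended, worth confirming.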
Expand Down Expand Up @@ -353,6 +356,7 @@ jobs:
CORE_APP_SERVICE_PLAN_SKU: ${{ vars.CORE_APP_SERVICE_PLAN_SKU }}
RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
TRE_URL: "${{ secrets.TRE_URL }}"

- name: API Healthcheck
uses: ./.github/actions/devcontainer_run_command
Expand All @@ -364,6 +368,7 @@ jobs:
AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
TRE_ID: ${{ secrets.TRE_ID }}
LOCATION: ${{ vars.LOCATION }}
TRE_URL: "${{ secrets.TRE_URL }}"

publish_bundles:
name: Publish Bundles
Expand Down Expand Up @@ -436,6 +441,8 @@ jobs:
include:
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/firewall/"}
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/core-application-gateway"}
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/gitea/"}
- {BUNDLE_TYPE: "shared_service",
Expand Down Expand Up @@ -482,6 +489,8 @@ jobs:
include:
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/firewall"}
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/core-application-gateway"}
- {BUNDLE_TYPE: "shared_service",
BUNDLE_DIR: "./templates/shared_services/gitea"}
- {BUNDLE_TYPE: "shared_service",
Expand Down Expand Up @@ -666,6 +675,24 @@ jobs:
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ secrets.TRE_ID }}
LOCATION: ${{ vars.LOCATION }}
TRE_URL: "${{ secrets.TRE_URL }}"

- name: Deploy application gateway
uses: ./.github/actions/devcontainer_run_command
with:
COMMAND: "make deploy-shared-service DIR=./templates/shared_services/core-application-gateway/ BUNDLE_TYPE=shared_service"
DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}"
AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}"
TEST_APP_ID: "${{ secrets.TEST_APP_ID }}"
TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}"
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ secrets.TRE_ID }}
LOCATION: ${{ vars.LOCATION }}
TRE_URL: "${{ secrets.TRE_URL }}"

- name: State Store Migrations
uses: ./.github/actions/devcontainer_run_command
Expand All @@ -685,6 +712,7 @@ jobs:
TERRAFORM_STATE_CONTAINER_NAME: ${{ vars.TERRAFORM_STATE_CONTAINER_NAME }}
MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
TRE_URL: "${{ secrets.TRE_URL }}"

deploy_ui:
name: Deploy UI
Expand Down Expand Up @@ -715,6 +743,7 @@ jobs:
MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
SWAGGER_UI_CLIENT_ID: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
TRE_URL: "${{ secrets.TRE_URL }}"

e2e_tests_smoke:
name: "Run E2E Tests (Smoke)"
Expand Down Expand Up @@ -750,6 +779,7 @@ jobs:
TRE_ID: ${{ secrets.TRE_ID }}
IS_API_SECURED: false
WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ vars.WORKSPACE_APP_SERVICE_PLAN_SKU }}
TRE_URL: "${{ secrets.TRE_URL }}"

- name: Upload Test Results
if: always()
Expand Down Expand Up @@ -794,6 +824,7 @@ jobs:
IS_API_SECURED: false
WORKSPACE_APP_SERVICE_PLAN_SKU: ${{ vars.WORKSPACE_APP_SERVICE_PLAN_SKU }}
E2E_TESTS_NUMBER_PROCESSES: ${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}
TRE_URL: "${{ secrets.TRE_URL }}"

- name: Upload Test Results
if: always()
6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -15,7 +15,7 @@ E2E_TESTS_NUMBER_PROCESSES_DEFAULT=4 # can be overridden in e2e_tests/.env
target_title = @echo -e "\n\e[34m»»» 🧩 \e[96m$(1)\e[0m..."

all: bootstrap mgmt-deploy images tre-deploy ## 🚀 Provision all the application resources from beginning to end
tre-deploy: deploy-core build-and-deploy-ui firewall-install db-migrate show-core-output ## 🚀 Provision TRE using existing images
tre-deploy: deploy-core build-and-deploy-ui firewall-install application-gateway-install db-migrate show-core-output ## 🚀 Provision TRE using existing images

images: build-and-push-api build-and-push-resource-processor build-and-push-airlock-processor ## 📦 Build and push all images
build-and-push-api: build-api-image push-api-image
Expand Down Expand Up @@ -305,6 +305,10 @@ firewall-install:
$(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service

application-gateway-install:
$(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
DIR=${MAKEFILE_DIR}/templates/shared_services/core-application-gateway/ BUNDLE_TYPE=shared_service

static-web-upload:
$(call target_title, "Uploading to static website") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
2 changes: 1 addition & 1 deletion core/terraform/appgateway/appgateway.tf
Expand Up @@ -188,7 +188,7 @@ resource "azurerm_application_gateway" "agw" {
}

# We don't want Terraform to revert certificate cycle changes. We assume the certificate will be renewed in keyvault.
lifecycle { ignore_changes = [ssl_certificate, tags] }
lifecycle { ignore_changes = [ssl_certificate, tags, url_path_map, backend_http_settings, backend_address_pool, rewrite_rule_set] }

}

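Review bot: The widened `ignore_changes` list means the core Terraform no longer detects or reverts drift in `url_path_map`, `backend_http_settings`, `backend_address_pool` or `rewrite_rule_set` on the application gateway, so a mis-pointed backend pool or routing rule persists until the shared-service bundle re-applies, yet the comment above still only explains the certificate case. Extend it, e.g. `# Routing, backend and rewrite settings are owned by the core-application-gateway shared service; core ignores them so the two states do not fight over the same resource.` `http_listener` and `request_routing_rule` are not in the list, so if the shared service also manages those, a later core deploy would revert them — presumably intended, but worth confirming. The `azurerm_application_gateway.agw` resource block starts above this hunk.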
1 change: 1 addition & 0 deletions core/terraform/main.tf
Expand Up @@ -159,6 +159,7 @@ module "resource_processor_vmss_porter" {
resource_processor_vmss_sku = var.resource_processor_vmss_sku
arm_environment = var.arm_environment
rp_bundle_values = var.rp_bundle_values
tre_url = var.tre_url

depends_on = [
module.network,
4 changes: 4 additions & 0 deletions core/terraform/resource_processor/vmss_porter/locals.tf
Expand Up @@ -9,4 +9,8 @@ locals {
"public" = "AzureCloud"
"usgovernment" = "AzureUSGovernment"
}, var.arm_environment, "AzureCloud")

rp_bundle_values_all = merge(var.rp_bundle_values, { tre_url = var.tre_url })
rp_bundle_values_dic = [for key in keys(local.rp_bundle_values_all) : "RP_BUNDLE_${key}=${local.rp_bundle_values_all[key]}"]
rp_bundle_values_formatted = join("\n ", local.rp_bundle_values_dic)
}
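Review bot: `merge(var.rp_bundle_values, { tre_url = var.tre_url })` silently gives the computed `tre_url` precedence over any `tre_url` key an operator placed in `RP_BUNDLE_VALUES`; if that is the intent, a comment such as `# tre_url always comes from var.tre_url and overrides a key of the same name in rp_bundle_values` documents it. The `RP_BUNDLE_*` lines are joined with `"\n "` and neither keys nor values are quoted or escaped, so a value containing a newline or whitespace would yield extra or broken entries wherever `rp_bundle_values_formatted` is consumed (outside this hunk); the `tre_url` validation added in `core/terraform/variables.tf` only checks the prefix and length, so it does not rule that out.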
4 changes: 2 additions & 2 deletions core/terraform/resource_processor/vmss_porter/variables.tf
Expand Up @@ -71,6 +71,6 @@ variable "rp_bundle_values" {
type = map(string)
}

locals {
rp_bundle_values_formatted = join("\n ", [for key in keys(var.rp_bundle_values) : "RP_BUNDLE_${key}=${var.rp_bundle_values[key]}"])
variable "tre_url" {
type = string
}
9 changes: 9 additions & 0 deletions core/terraform/variables.tf
Expand Up @@ -180,3 +180,12 @@ variable "is_cosmos_defined_throughput" {
type = bool
default = false
}

variable "tre_url" {
type = string
default = ""
validation {
condition = startswith(var.tre_url, "http") && length(var.tre_url) > 10
error_message = "Invalid tre_url. Must start with http or https."
}
}
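Review bot: The `validation` block rejects the variable's own `default = ""`, because `startswith("", "http")` is false and `length("") > 10` is false; Terraform checks validation rules against the final value, default included, so a run that omits `tre_url` fails instead of falling back (the scripts always export `TF_VAR_tre_url`, which is probably why this has not surfaced). Either drop the default, as the vmss_porter module's `tre_url` does, or allow the empty string and tighten the scheme check: `condition = var.tre_url == "" || can(regex("^https?://", var.tre_url))`. `startswith(var.tre_url, "http")` also accepts schemes like `httpx://`, and the `> 10` length bound is arbitrary; the regex covers both and the `error_message` then matches what is enforced.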
2 changes: 1 addition & 1 deletion core/version.txt
@@ -1 +1 @@
__version__ = "0.8.9"
__version__ = "0.9.0"
9 changes: 6 additions & 3 deletions devops/scripts/load_and_validate_env.sh
Expand Up @@ -78,11 +78,14 @@ else

# The ARM Environment is required by terraform to indicate the destination cloud.
ARM_ENVIRONMENT=$(convert_azure_env_to_arm_env "${AZURE_ENVIRONMENT}")
export ARM_ENVIRONMENT
export ARM_ENVIRONMENT #TODO: isn't used by scripts, right?
export TF_VAR_arm_environment="${ARM_ENVIRONMENT}"

TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}")
export TRE_URL
if [ -z "${TRE_URL:-}" ]; then
TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}")
export TRE_URL
fi
export TF_VAR_tre_url="${TRE_URL}"
fi

set +o nounset
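Review bot: `export TRE_URL` now runs only in the branch that computes the value, so when `TRE_URL` comes from the environment file and that file is sourced without `set -a`, the variable stays unexported and child processes that read `TRE_URL` rather than `TF_VAR_tre_url` do not see the override — I cannot see how the env file is loaded from this hunk, so verify. Moving `export TRE_URL` to just after the `fi` covers both branches. The `#TODO: isn't used by scripts, right?` added to `export ARM_ENVIRONMENT` is a question left in code; resolve it or reword it as a statement before the PR leaves draft. A user-supplied `TRE_URL` is passed through unchecked here, so the Terraform rule in `core/terraform/variables.tf` is the only validation it gets.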
1 change: 1 addition & 0 deletions docs/tre-admins/environment-variables.md
Expand Up @@ -38,6 +38,7 @@
| `CORE_APP_SERVICE_PLAN_SKU` | The SKU of AppService plans created for the core infrastructure. |
| `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
| `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
| `TRE_URL` | Optional. A custom URL for the TRE as registered in the DNS. Defaults to the DNS name used by Azure Application Gateway.|

## For authentication in `/config.yaml`

Expand Up @@ -66,6 +66,7 @@ Configure the following secrets in your github environment:
| `MGMT_RESOURCE_GROUP_NAME` | The name of the shared resource group for all Azure TRE core resources. |
| `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. E.g. `mystorageaccount`. |
| `ACR_NAME` | A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. |
| `TRE_URL` | An optional custom URL for the TRE as registered in the DNS. |


### Configure Core Variables
1 change: 1 addition & 0 deletions docs/tre-admins/setup-instructions/workflows.md
Expand Up @@ -144,6 +144,7 @@ Configure variables used in the deployment workflow:
| `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests. Default value is `P1v2`. |
| `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
| `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
| `TRE_URL` | Optional. A custom URL for the TRE as registered in the DNS. Defaults to the DNS name used by Azure Application Gateway.|


### Deploy the TRE using the workflow
@@ -0,0 +1,8 @@
# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
# Put files here that you don't want copied into your bundle's invocation image
.gitignore
**/.terraform/*
**/*_backend.tf
Dockerfile.tmpl
terraform/import_state.sh
terraform/remove_state.sh
@@ -0,0 +1,9 @@
# syntax=docker/dockerfile-upstream:1.4.0
FROM debian:bullseye-slim

# PORTER_INIT

# PORTER_MIXINS

# Use the BUNDLE_DIR build argument to copy files into the bundle
COPY --link . ${BUNDLE_DIR}/
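--- a/templates/shared_services/core-application-gateway/import.sh
+++ b/templates/shared_services/core-application-gateway/import.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+set +o nounset
+
+while [ "$1" != "" ]; do
+case $1 in
+--mgmt_resource_group_name)
+shift
+mgmt_resource_group_name=$1
+;;
+--mgmt_storage_account_name)
+shift
+mgmt_storage_account_name=$1
+;;
+--container_name)
+shift
+container_name=$1
+;;
+--key)
+shift
+key=$1
+;;
+
+
+--tre_id)
+shift
+tre_id=$1
+;;
+--azure_subscription_id)
+shift
+azure_subscription_id=$1
+;;
+*)
+echo "Unexpected argument: '$1'"
+usage
+;;
+esac
+
+if [[ -z "$2" ]]; then
+# if no more args then stop processing
+break
+fi
+
+shift # remove the current value for `$1` and use the next
+done
+
+set -o nounset
+
+core_resource_group_name="rg-${tre_id}"
+application_gateway_name="agw-${tre_id}"
+
+terraform -chdir=terraform init -input=false -backend=true -reconfigure \
+-backend-config="resource_group_name=${mgmt_resource_group_name}" \
+-backend-config="storage_account_name=${mgmt_storage_account_name}" \
+-backend-config="container_name=${container_name}" \
+-backend-config="key=${key}"
+
+terraform -chdir=terraform import \
+-var "tre_id=${tre_id}" \
+azurerm_application_gateway.agw \
+"/subscriptions/${azure_subscription_id}/resourceGroups/${core_resource_group_name}/providers/Microsoft.Network/applicationGateways/${application_gateway_name}"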
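Review bot: The `*)` branch calls `usage`, which this script never defines; with `set -o errexit` the script still aborts, but with `usage: command not found` rather than a helpful message. Define it near the top, e.g. `usage() { echo "Usage: $0 --mgmt_resource_group_name <rg> --mgmt_storage_account_name <sa> --container_name <name> --key <key> --tre_id <id> --azure_subscription_id <sub>" >&2; exit 1; }`. `terraform import` is also not idempotent: on a second run of the bundle the resource is already in the state and the command fails, so check with `terraform -chdir=terraform state list` before importing unless the caller already does — the bundle's porter.yaml is not in this diff. Nothing here validates `tre_id` before it is interpolated into the resource-group and gateway names and the resource id path, so a malformed value is only caught by the Azure API.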
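--- a/templates/shared_services/core-application-gateway/parameters.json
+++ b/templates/shared_services/core-application-gateway/parameters.json
@@ -0,0 +1,44 @@
+{
+"schemaType": "ParameterSet",
+"schemaVersion": "1.0.1",
+"namespace": "",
+"name": "tre-shared-service-application-gateway",
+"parameters": [
+{
+"name": "tre_id",
+"source": {
+"env": "TRE_ID"
+}
+},
+{
+"name": "id",
+"source": {
+"env": "ID"
+}
+},
+{
+"name": "tfstate_container_name",
+"source": {
+"env": "TERRAFORM_STATE_CONTAINER_NAME"
+}
+},
+{
+"name": "tfstate_resource_group_name",
+"source": {
+"env": "MGMT_RESOURCE_GROUP_NAME"
+}
+},
+{
+"name": "tfstate_storage_account_name",
+"source": {
+"env": "MGMT_STORAGE_ACCOUNT_NAME"
+}
+},
+{
+"name": "arm_environment",
+"source": {
+"env": "ARM_ENVIRONMENT"
+}
+}
+]
+}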