Upgrade Terraform, AzureRM, Porter (microsoft#2501)

* update lock file script

* update lock files

* update timeout for gitea shared service e2e

* upgrade tf, tf-azurerm, porter

* native terraform vnet integration

* dump version

.devcontainer/Dockerfile

@@ -24,7 +24,7 @@ ARG NODE_VERSION="lts/*"
 RUN su $USERNAME -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"
 
 # Install terraform
-ARG TERRAFORM_VERSION="1.1.5"
+ARG TERRAFORM_VERSION="1.2.7"
 COPY .devcontainer/scripts/terraform.sh /tmp/
 RUN bash /tmp/terraform.sh "${TERRAFORM_VERSION}" /usr/bin
 
@@ -54,7 +54,7 @@ RUN apt-get update && apt-get install -y python3 python3-venv libaugeas0 --no-in
 # Not using the script from https://cdn.porter.sh/latest/install-linux.sh
 # as it installs things we don't need and duplicates the binary.
 ARG PORTER_MIRROR=https://cdn.porter.sh
-ARG PORTER_PERMALINK=v0.38.11
+ARG PORTER_PERMALINK=v0.38.12
 ARG PORTER_PKG_PERMALINK=latest
 ARG PORTER_HOME=/home/$USERNAME/.porter/
 COPY .devcontainer/scripts/porter.sh /tmp/
@@ -81,7 +81,7 @@ COPY .devcontainer/scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
     && /tmp/azure-cli.sh
 
-ARG YQ_VERSION="v4.13.0"
+ARG YQ_VERSION="v4.27.2"
 RUN curl -L --fail -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \
     && chmod +x /usr/local/bin/yq
 

airlock_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.4.4"
+__version__ = "0.4.5"

airlock_processor/local.settings.json-sample

@@ -5,7 +5,6 @@
     "AIRLOCK_STATUS_CHANGED_QUEUE_NAME": "status_changed",
     "AIRLOCK_SCAN_RESULT_QUEUE_NAME": "scan_result",
     "SB_CONNECTION_STRING": "Endpoint=sb://XXXX.servicebus.windows.net/;SharedAccessKeyName=.....",
-    "AZURE_SUBSCRIPTION_ID": "",
     "BLOB_CREATED_TOPIC_NAME": "",
     "TOPIC_SUBSCRIPTION_NAME":"",
     "TRE_ID": "",

devops/scripts/setup_local_debugging.sh

@@ -8,25 +8,20 @@ set -e
 : "${COSMOSDB_ACCOUNT_NAME?"Check COSMOSDB_ACCOUNT_NAME is defined in ./templates/core/private.env"}"
 : "${AZURE_SUBSCRIPTION_ID?"Check AZURE_SUBSCRIPTION_ID is defined in ./templates/core/private.env"}"
 : "${EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID?"Check EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID is defined in ./templates/core/private.env"}"
-: "${EVENT_GRID_STATUS_CHANGED_TOPIC_ENDPOINT?"Check EVENT_GRID_STATUS_CHANGED_TOPIC_ENDPOINT is defined in ./templates/core/private.env"}"
-: "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_ENDPOINT?"Check EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_ENDPOINT is defined in ./templates/core/private.env"}"
 : "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID?"Check EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID is defined in ./templates/core/private.env"}"
 
 set -o pipefail
 set -o nounset
 # set -o xtrace
 
 SERVICE_BUS_NAMESPACE="sb-${TRE_ID}"
+
 if [[ -z ${PUBLIC_DEPLOYMENT_IP_ADDRESS:-} ]]; then
   IPADDR=$(curl ipecho.net/plain; echo)
 else
   IPADDR=${PUBLIC_DEPLOYMENT_IP_ADDRESS}
 fi
 
-# extract eventgrid topic name from endpoint
-EVENT_GRID_STATUS_CHANGED_TOPIC_NAME=$(echo "$EVENT_GRID_STATUS_CHANGED_TOPIC_ENDPOINT" | sed 's/https\?:\/\///'| awk -F"." '{print $1}')
-EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_NAME=$(echo "$EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_ENDPOINT" | sed 's/https\?:\/\///'| awk -F"." '{print $1}')
-
 echo "Adding local IP Address to ${COSMOSDB_ACCOUNT_NAME}. This may take a while . . . "
 az cosmosdb update \
   --name "${COSMOSDB_ACCOUNT_NAME}" \
@@ -40,20 +35,11 @@ az servicebus namespace network-rule add \
   --ip-address "${IPADDR}" \
   --action Allow
 
-echo "Adding local IP Address to ${EVENT_GRID_STATUS_CHANGED_TOPIC_NAME}."
+echo "Adding local IP Address to Event Grid Topics."
 az eventgrid topic update \
-  --resource-group "${RESOURCE_GROUP_NAME}" \
-  --name "${EVENT_GRID_STATUS_CHANGED_TOPIC_NAME}" \
   --public-network-access enabled \
-  --inbound-ip-rules "${IPADDR}" allow
-
-
-echo "Adding local IP Address to ${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_NAME}."
-az eventgrid topic update \
-  --resource-group "${RESOURCE_GROUP_NAME}" \
-  --name "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_NAME}" \
-  --public-network-access enabled \
-  --inbound-ip-rules "${IPADDR}" allow
+  --inbound-ip-rules "${IPADDR}" allow \
+  --ids "${EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID}" "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID}"
 
 
 # Get the object id of the currently logged-in identity
@@ -85,7 +71,6 @@ az role assignment create \
     --assignee "${LOGGED_IN_OBJECT_ID}" \
     --scope "${EVENT_GRID_STATUS_CHANGED_TOPIC_RESOURCE_ID}"
 
-
 az role assignment create \
     --role "EventGrid Data Sender" \
     --assignee "${LOGGED_IN_OBJECT_ID}" \

resource_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.4.2"
+__version__ = "0.4.3"

resource_processor/vmss_porter/Dockerfile

@@ -8,17 +8,9 @@ COPY scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
     && /tmp/azure-cli.sh
 
-# Install Terraform
-ARG TERRAFORM_VERSION="1.1.5"
-COPY ./scripts/terraform.sh /tmp/
-RUN apt-get update \
-    && apt-get -y install unzip="6.0-23+deb10u2" --no-install-recommends \
-    && bash /tmp/terraform.sh "${TERRAFORM_VERSION}" /usr/bin \
-    && apt-get clean -y && rm -rf /var/lib/apt/lists/*
-
 # Install Porter
 ARG PORTER_MIRROR=https://cdn.porter.sh
-ARG PORTER_PERMALINK=v0.38.11
+ARG PORTER_PERMALINK=v0.38.12
 ARG PORTER_PKG_PERMALINK=latest
 ARG PORTER_HOME=/root/.porter/
 COPY scripts/porter.sh /tmp/

templates/core/terraform/airlock/airlock_processor.tf

@@ -18,16 +18,6 @@ resource "azurerm_service_plan" "airlock_plan" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_app_service_virtual_network_swift_connection" "airlock_integrated_vnet" {
-  app_service_id = azurerm_linux_function_app.airlock_function_app.id
-  subnet_id      = var.airlock_processor_subnet_id
-}
-
-moved {
-  from = azurerm_app_service_virtual_network_swift_connection.airlock-integrated-vnet
-  to   = azurerm_app_service_virtual_network_swift_connection.airlock_integrated_vnet
-}
-
 resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   name                     = local.airlock_function_sa_name
   resource_group_name      = var.resource_group_name
@@ -40,13 +30,13 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {
-  name                = local.airlock_function_app_name
-  resource_group_name = var.resource_group_name
-  location            = var.location
-
-  storage_account_name = azurerm_storage_account.sa_airlock_processor_func_app.name
-  service_plan_id      = azurerm_service_plan.airlock_plan.id
-
+  name                       = local.airlock_function_app_name
+  resource_group_name        = var.resource_group_name
+  location                   = var.location
+  https_only                 = true
+  virtual_network_subnet_id  = var.airlock_processor_subnet_id
+  service_plan_id            = azurerm_service_plan.airlock_plan.id
+  storage_account_name       = azurerm_storage_account.sa_airlock_processor_func_app.name
   storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
   tags                       = var.tre_core_tags
 
@@ -69,7 +59,6 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     "AIRLOCK_TO_DELETE_QUEUE_NAME"             = local.to_delete_queue_name
     "ENABLE_MALWARE_SCANNING"                  = var.enable_malware_scanning
     "MANAGED_IDENTITY_CLIENT_ID"               = azurerm_user_assigned_identity.airlock_id.client_id
-    "AZURE_SUBSCRIPTION_ID"                    = var.arm_subscription_id
     "TRE_ID"                                   = var.tre_id
     "WEBSITE_CONTENTOVERVNET"                  = 1
   }

templates/core/terraform/airlock/eventgrid_topics.tf

@@ -10,7 +10,7 @@ resource "azurerm_eventgrid_topic" "step_result" {
   name                          = local.step_result_topic_name
   location                      = var.location
   resource_group_name           = var.resource_group_name
-  public_network_access_enabled = false
+  public_network_access_enabled = var.enable_local_debugging
 
   identity {
     type = "SystemAssigned"
@@ -64,7 +64,7 @@ resource "azurerm_eventgrid_topic" "status_changed" {
   name                          = local.status_changed_topic_name
   location                      = var.location
   resource_group_name           = var.resource_group_name
-  public_network_access_enabled = false
+  public_network_access_enabled = var.enable_local_debugging
 
   identity {
     type = "SystemAssigned"
@@ -117,7 +117,7 @@ resource "azurerm_eventgrid_topic" "to_delete" {
   name                          = local.to_delete_topic_name
   location                      = var.location
   resource_group_name           = var.resource_group_name
-  public_network_access_enabled = false
+  public_network_access_enabled = var.enable_local_debugging
 
   identity {
     type = "SystemAssigned"
@@ -297,7 +297,7 @@ resource "azurerm_eventgrid_topic" "airlock_notification" {
   name                          = local.notification_topic_name
   location                      = var.location
   resource_group_name           = var.resource_group_name
-  public_network_access_enabled = false
+  public_network_access_enabled = var.enable_local_debugging
 
   identity {
     type = "SystemAssigned"

templates/core/terraform/airlock/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.8"
+      version = ">= 3.16"
     }
     local = {
       source  = "hashicorp/local"

templates/core/terraform/api-webapp.tf

@@ -24,6 +24,7 @@ resource "azurerm_linux_web_app" "api" {
   service_plan_id                 = azurerm_service_plan.core.id
   https_only                      = true
   key_vault_reference_identity_id = azurerm_user_assigned_identity.id.id
+  virtual_network_subnet_id       = module.network.web_app_subnet_id
   tags                            = local.tre_core_tags
 
   app_settings = {
@@ -61,9 +62,6 @@ resource "azurerm_linux_web_app" "api" {
   lifecycle {
     ignore_changes = [
       tags,
-
-      # Required since we're setting with azurerm_app_service_virtual_network_swift_connection below.
-      virtual_network_subnet_id,
     ]
   }
 
@@ -126,18 +124,6 @@ resource "azurerm_private_endpoint" "api_private_endpoint" {
   }
 }
 
-# Kept to be backward compatible with existing deployments despite the ability
-# to set through azurerm_linux_web_app.virtual_network_subnet_id
-resource "azurerm_app_service_virtual_network_swift_connection" "api_integrated_vnet" {
-  app_service_id = azurerm_linux_web_app.api.id
-  subnet_id      = module.network.web_app_subnet_id
-}
-
-moved {
-  from = azurerm_app_service_virtual_network_swift_connection.api-integrated-vnet
-  to   = azurerm_app_service_virtual_network_swift_connection.api_integrated_vnet
-}
-
 resource "azurerm_monitor_diagnostic_setting" "webapp_api" {
   name                       = "diag-${var.tre_id}"
   target_resource_id         = azurerm_linux_web_app.api.id

templates/core/terraform/locals.tf

@@ -1,5 +1,5 @@
 locals {
-  myip = var.public_deployment_ip_address != "" ? var.public_deployment_ip_address : chomp(data.http.myip[0].body)
+  myip = var.public_deployment_ip_address != "" ? var.public_deployment_ip_address : chomp(data.http.myip[0].response_body)
   tre_core_tags = {
     tre_id              = var.tre_id
     tre_core_service_id = var.tre_id

templates/core/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.12.0"
+      version = "=3.19.1"
     }
     random = {
       source  = "hashicorp/random"
@@ -19,7 +19,7 @@ terraform {
     }
     http = {
       source  = "hashicorp/http"
-      version = "~> 2.2.0"
+      version = "~> 3.0.0"
     }
   }
 
@@ -113,7 +113,6 @@ module "airlock_resources" {
   mgmt_resource_group_name              = var.mgmt_resource_group_name
   mgmt_acr_name                         = var.acr_name
   api_principal_id                      = azurerm_user_assigned_identity.id.principal_id
-  arm_subscription_id                   = var.arm_subscription_id
   airlock_app_service_plan_sku_size     = var.api_app_service_plan_sku_size
   airlock_processor_subnet_id           = module.network.airlock_processor_subnet_id
   airlock_servicebus                    = azurerm_servicebus_namespace.sb

templates/core/terraform/migrate.sh

@@ -109,4 +109,48 @@ if [ -n "${app_insights_byo_storage}" ]; then
   terraform state rm module.azure_monitor.azurerm_resource_group_template_deployment.app_insights_byo_storage
 fi
 
+# airlock inline vnet integration (instead of via swift)
+airlock_vnet_integration=$(echo "${terraform_show_json}" \
+  | jq -r 'select(.values.root_module.child_modules != null) .values.root_module.child_modules[] | select (.address=="module.airlock_resources") | .resources[] | select(.address=="module.airlock_resources.azurerm_app_service_virtual_network_swift_connection.airlock_integrated_vnet") | .values.id')
+if [ -n "${airlock_vnet_integration}" ]; then
+  echo "Migrating ${airlock_vnet_integration}"
+
+  PLAN_FILE="tfplan$$"
+  TS=$(date +"%s")
+  LOG_FILE="${TS}-tre-core-migrate.log"
+
+  # This variables are loaded in for us
+  # shellcheck disable=SC2154
+  ../../../devops/scripts/terraform_wrapper.sh \
+    -g "${TF_VAR_mgmt_resource_group_name}" \
+    -s "${TF_VAR_mgmt_storage_account_name}" \
+    -n "${TF_VAR_terraform_state_container_name}" \
+    -k "${TRE_ID}" \
+    -l "${LOG_FILE}" \
+    -c "terraform plan -target module.airlock_resources.azurerm_app_service_virtual_network_swift_connection.airlock_integrated_vnet -out ${PLAN_FILE} && \
+    terraform apply -input=false -auto-approve ${PLAN_FILE}"
+fi
+
+# api inline vnet integration (instead of via swift)
+api_vnet_integration=$(echo "${terraform_show_json}" \
+  | jq -r 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_app_service_virtual_network_swift_connection.api_integrated_vnet") | .values.id')
+if [ -n "${api_vnet_integration}" ]; then
+  echo "Migrating ${api_vnet_integration}"
+
+  PLAN_FILE="tfplan$$"
+  TS=$(date +"%s")
+  LOG_FILE="${TS}-tre-core-migrate.log"
+
+  # This variables are loaded in for us
+  # shellcheck disable=SC2154
+  ../../../devops/scripts/terraform_wrapper.sh \
+    -g "${TF_VAR_mgmt_resource_group_name}" \
+    -s "${TF_VAR_mgmt_storage_account_name}" \
+    -n "${TF_VAR_terraform_state_container_name}" \
+    -k "${TRE_ID}" \
+    -l "${LOG_FILE}" \
+    -c "terraform plan -target azurerm_app_service_virtual_network_swift_connection.api_integrated_vnet -out ${PLAN_FILE} && \
+    terraform apply -input=false -auto-approve ${PLAN_FILE}"
+fi
+
 echo "Migration is done."