diff --git a/devops/scripts/control_tre.sh b/devops/scripts/control_tre.sh
index 590fa84a82..aa7bd58372 100755
--- a/devops/scripts/control_tre.sh
+++ b/devops/scripts/control_tre.sh
@@ -106,7 +106,7 @@ elif [[ "$1" == *"stop"* ]]; then
 # deallocating all VMs in workspaces
 # RG is in uppercase here (which is odd). Checking both cases for future compatability.
- az vm list --query "[?(starts_with(resourceGroup,'${core_rg_name}-ws') || starts_with(resourceGroup,'${core_rg_name^^}-WS')) && powerState=='VM running'][name, resourceGroup]" -o tsv |
+ az vm list -d --query "[?(starts_with(resourceGroup,'${core_rg_name}-ws') || starts_with(resourceGroup,'${core_rg_name^^}-WS')) && powerState=='VM running'][name, resourceGroup]" -o tsv |
 while read -r vm_name rg_name; do
 echo "Deallocating VM ${vm_name} in ${rg_name}"
 az vm deallocate --resource-group "${rg_name}" --name "${vm_name}" &
diff --git a/docs/tre-templates/workspaces/unrestricted.md b/docs/tre-templates/workspaces/unrestricted.md
new file mode 100644
index 0000000000..4a6299b067
--- /dev/null
+++ b/docs/tre-templates/workspaces/unrestricted.md
@@ -0,0 +1,5 @@
+# Unrestricted workspace
+
+The unrestricted workspace template is a workspace template that allows for unrestricted access to the Internet from inside the workspace virtual network. This is useful for working on open data sets where data exfiltration is not a concern.
+
+This workspace template builds upon the base workspace template by adding additional firewall rules and disabling the airlock.
diff --git a/docs/using-tre/index.md b/docs/using-tre/index.md
index 1f0174c139..24c13f02d4 100644
--- a/docs/using-tre/index.md
+++ b/docs/using-tre/index.md
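Review bot: The comment above the changed `az vm list` line should record why `-d` is needed, since `powerState` is only populated by `az vm list --show-details` and without it the JMESPath filter silently matches no VMs, which is presumably the bug this fixes; suggest `# -d (--show-details) is required: powerState is absent from the plain list output, so nothing would match`. Each `az vm deallocate` in the trailing context is backgrounded with `&` inside a pipeline subshell, so a `wait` after the `done` (outside this hunk) is needed for the script to block until every deallocation has been accepted — worth confirming it is there. The enclosing `elif` branch starts and ends outside the hunk.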
@@ -27,9 +27,9 @@ To get started with AzureTRE follow the next steps:
 1. Follow the steps in this [Github templates guide](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template) to set up the repo.
 1. Having the project setup in your account, follow the next steps and guides to setup and extend AzureTRE in your environment:
- - [Local development](docs/using-tre/local-development/index.md)
- - Setup [CI/CD pipelines](docs/using-tre/pipelines/index.md)
- - Add your [custom templates](docs/using-tre/templates/index.md)
+ - [Local Development](local-development/index.md)
+ - Setup [CI/CD pipelines](pipelines/index.md)
+ - Add your [custom templates](templates/index.md)
 ## How to Contribute to our Documentation
diff --git a/mkdocs.yml b/mkdocs.yml
index f564b5d67d..d777445679 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -64,6 +64,9 @@ nav:
 - Using the TRE for Research: # Documentation for users of the TRE
 - Introduction: using-tre/index.md
 - Terms and Definitions: using-tre/terms-definitions.md
+ - Local Development: using-tre/local-development/index.md
+ - CI/CD pipelines: using-tre/pipelines/index.md
+ - Custom Templates: using-tre/templates/index.md
 - Workspaces:
 - using-tre/wks/index.md # Documentation describing what a workspace is
 - Using Workspaces: using-tre/wks/using-wks.md # Interacting with workspaces (via the UI)
@@ -74,6 +77,7 @@ nav:
 - tre-templates/index.md
 - Workspaces:
 - Base: tre-templates/workspaces/base.md
+ - Unrestricted: tre-templates/workspaces/unrestricted.md
 - Workspace Services:
 - Azure ML: tre-templates/workspace-services/azure-ml.md
 - Gitea: tre-templates/workspace-services/gitea.md
diff --git a/templates/workspaces/README.md b/templates/workspaces/README.md
index 15784e4dd0..ac44bf55c4 100644
--- a/templates/workspaces/README.md
+++ b/templates/workspaces/README.md
@@ -1,9 +1,5 @@
 # Workspace Templates
-Workspace Templates are located in this folder. These Templates are for the Composition Service to make instances of.
-
- | Template name | Description |
- | --- | --- |
- | [base](../../docs/workspace-templates/workspaces/base.md) | A base template that deploys a Resource Group, Virtual network, Subnets ... A good base to extend. |
+Workspace Templates are located in this folder. To customize or author new Workspace Templates read the [Authoring Workspace Templates](../../docs/tre-workspace-authors/authoring-workspace-templates.md).
diff --git a/templates/workspaces/unrestricted/.dockerignore b/templates/workspaces/unrestricted/.dockerignore
new file mode 100644
index 0000000000..e2b7cb2a0e
--- /dev/null
+++ b/templates/workspaces/unrestricted/.dockerignore
@@ -0,0 +1,9 @@
+# Local .terraform directories
+**/.terraform/*
+
+# TF backend files
+**/*_backend.tf
+
+Dockerfile.tmpl
+terraform/deploy.sh
+terraform/destroy.sh
diff --git a/templates/workspaces/unrestricted/.env.sample b/templates/workspaces/unrestricted/.env.sample
new file mode 100644
index 0000000000..e7793021f5
--- /dev/null
+++ b/templates/workspaces/unrestricted/.env.sample
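Review bot: The new `.dockerignore` does not exclude `.env`, yet the `.env.sample` added in this same commit is the template for a populated `.env` holding `ARM_CLIENT_SECRET`, `AUTH_CLIENT_SECRET` and `CLIENT_SECRET`, and `Dockerfile.tmpl` runs `COPY . $BUNDLE_DIR`, so a developer's local `.env` in this directory would be baked into the invocation image and pushed to the registry with it. Add `.env` on its own line after the `**/*_backend.tf` entry. The same observation applies to the `.env.sample` and `Dockerfile.tmpl` hunks below and is raised once here.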
@@ -0,0 +1,30 @@
+ARM_CLIENT_ID="__CHANGE_ME__"
+ARM_CLIENT_SECRET="__CHANGE_ME__"
+ARM_TENANT_ID="__CHANGE_ME__"
+ARM_SUBSCRIPTION_ID="__CHANGE_ME__"
+AUTH_TENANT_ID="__CHANGE_ME__"
+
+# These are passed in if Terraform will create the Workspace AAD Application
+REGISTER_AAD_APPLICATION=true
+AUTH_CLIENT_ID="__CHANGE_ME__"
+AUTH_CLIENT_SECRET="__CHANGE_ME__"
+WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__"
+
+# These are passed in if you register the Workspace AAD Application before hand
+# REGISTER_AAD_APPLICATION=false
+# CLIENT_ID="__CHANGE_ME__"
+# CLIENT_SECRET="__CHANGE_ME__"
+# WORKSPACE_OWNER_OBJECT_ID=""
+
+# Used by Porter, aka TRE_RESOURCE_ID
+ID="MadeUp123"
+SP_ID=""
+SCOPE_ID="api://ws_0001"
+APP_ROLE_ID_WORKSPACE_OWNER=""
+APP_ROLE_ID_WORKSPACE_RESEARCHER=""
+APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER=""
+ADDRESS_SPACE="10.2.8.0/24"
+SHARED_STORAGE_QUOTA=50
+ENABLE_LOCAL_DEBUGGING=true
+
+AAD_REDIRECT_URIS="W10="
diff --git a/templates/workspaces/unrestricted/Dockerfile.tmpl b/templates/workspaces/unrestricted/Dockerfile.tmpl
new file mode 100644
index 0000000000..0aa5501ea0
--- /dev/null
+++ b/templates/workspaces/unrestricted/Dockerfile.tmpl
@@ -0,0 +1,40 @@
+# We need azurecli 2.37+ which doesn't exist for strech so the minimum is buster
+FROM debian:buster-slim
+
+ARG BUNDLE_DIR
+
+ARG AZURE_TRE_VERSION="0.4.2"
+
+RUN apt-get update \
+ && apt-get install --no-install-recommends jq ca-certificates curl -y \
+ && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR $BUNDLE_DIR
+
+RUN curl -o azuretre.tar.gz -L "https://github.com/microsoft/AzureTRE/archive/refs/tags/v${AZURE_TRE_VERSION}.tar.gz" \
+ && tar -xzf azuretre.tar.gz "AzureTRE-${AZURE_TRE_VERSION}/templates/workspaces/base" --strip-components=4 --skip-old-files \
+ && rm -rf azuretre.tar.gz
+
+# This is a template Dockerfile for the bundle's invocation image
+# You can customize it to use different base images, install tools and copy configuration files.
+#
+# Porter will use it as a template and append lines to it for the mixins
+# and to set the CMD appropriately for the CNAB specification.
+#
+# Add the following line to porter.yaml to instruct Porter to use this template
+# dockerfile: Dockerfile.tmpl
+
+# You can control where the mixin's Dockerfile lines are inserted into this file by moving "# PORTER_MIXINS" line
+# another location in this file. If you remove that line, the mixins generated content is appended to this file.
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+
+COPY . $BUNDLE_DIR
+
+# Mirror plugins to prevent network access at runtime
+# Remove when available from https://github.com/getporter/terraform-mixin/issues/90
+WORKDIR $BUNDLE_DIR/terraform
+RUN terraform init -backend=false \
+ && terraform providers mirror /usr/local/share/terraform/plugins
+
diff --git a/templates/workspaces/unrestricted/parameters.json b/templates/workspaces/unrestricted/parameters.json
new file mode 100755
index 0000000000..42329886b4
--- /dev/null
+++ b/templates/workspaces/unrestricted/parameters.json
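Review bot: The `curl`/`tar` step pulls the base workspace sources from a GitHub release tag with no integrity check, so what ends up in the invocation image depends on a mutable tag and on whatever the network returned at build time; verify the archive before unpacking, e.g. insert `&& echo "<EXPECTED_SHA256>  azuretre.tar.gz" | sha256sum -c - \` between the `curl` and `tar` lines (placeholder digest, to be taken from a verified download of the pinned version). `--skip-old-files` appears to have no effect at that point because `$BUNDLE_DIR` is still empty; the local template files take precedence only because `COPY . $BUNDLE_DIR` runs later, and a comment such as `# local files copied below override the base template's copies` would make that ordering dependency explicit. The first comment line also misspells stretch as `strech`.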
@@ -0,0 +1,134 @@
+{
+ "schemaVersion": "1.0.0-DRAFT+TODO",
+ "name": "base",
+ "created": "2021-06-04T13:37:29.5071039+03:00",
+ "modified": "2021-06-04T13:37:29.5071039+03:00",
+ "parameters": [
+ {
+ "name": "address_space",
+ "source": {
+ "env": "ADDRESS_SPACE"
+ }
+ },
+ {
+ "name": "azure_location",
+ "source": {
+ "env": "LOCATION"
+ }
+ },
+ {
+ "name": "tre_id",
+ "source": {
+ "env": "TRE_ID"
+ }
+ },
+ {
+ "name": "id",
+ "source": {
+ "env": "ID"
+ }
+ },
+ {
+ "name": "tfstate_container_name",
+ "source": {
+ "env": "TERRAFORM_STATE_CONTAINER_NAME"
+ }
+ },
+ {
+ "name": "tfstate_resource_group_name",
+ "source": {
+ "env": "MGMT_RESOURCE_GROUP_NAME"
+ }
+ },
+ {
+ "name": "tfstate_storage_account_name",
+ "source": {
+ "env": "MGMT_STORAGE_ACCOUNT_NAME"
+ }
+ },
+ {
+ "name": "shared_storage_quota",
+ "source": {
+ "env": "SHARED_STORAGE_QUOTA"
+ }
+ },
+ {
+ "name": "enable_local_debugging",
+ "source": {
+ "env": "ENABLE_LOCAL_DEBUGGING"
+ }
+ },
+ {
+ "name": "register_aad_application",
+ "source": {
+ "env": "REGISTER_AAD_APPLICATION"
+ }
+ },
+ {
+ "name": "client_id",
+ "source": {
+ "env": "CLIENT_ID"
+ }
+ },
+ {
+ "name": "client_secret",
+ "source": {
+ "env": "CLIENT_SECRET"
+ }
+ },
+ {
+ "name": "scope_id",
+ "source": {
+ "env": "SCOPE_ID"
+ }
+ },
+ {
+ "name": "workspace_owner_object_id",
+ "source": {
+ "env": "WORKSPACE_OWNER_OBJECT_ID"
+ }
+ },
+ {
+ "name": "sp_id",
+ "source": {
+ "env": "SP_ID"
+ }
+ },
+ {
+ "name": "app_role_id_workspace_owner",
+ "source": {
+ "env": "APP_ROLE_ID_WORKSPACE_OWNER"
+ }
+ },
+ {
+ "name": "app_role_id_workspace_researcher",
+ "source": {
+ "env": "APP_ROLE_ID_WORKSPACE_RESEARCHER"
+ }
+ },
+ {
+ "name": "app_role_id_workspace_airlock_manager",
+ "source": {
+ "env": "APP_ROLE_ID_WORKSPACE_AIRLOCK_MANAGER"
+ }
+ },
+ {
+ "name": "aad_redirect_uris",
+ "source": {
+ "env": "AAD_REDIRECT_URIS"
+ }
+ },
+ {
+ "name": "app_service_plan_sku",
+ "source": {
+ "env": "APP_SERVICE_PLAN_SKU"
+ }
+ },
+ {
+ "name": "enable_airlock",
+ "source": {
+ "env": "ENABLE_AIRLOCK"
+ }
+ }
+ ]
+}
diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
new file mode 100644
index 0000000000..2e5489dc4e
--- /dev/null
+++ b/templates/workspaces/unrestricted/porter.yaml
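Review bot: `"name": "base"` on the second line of the parameter set looks like a leftover from the template this file was copied from: the bundle declared in `porter.yaml` is `tre-workspace-unrestricted`, so a reader of this file sees the wrong template name; suggest `"name": "unrestricted"` unless something else selects parameter sets by this value, which is worth confirming. `schemaVersion` is still `1.0.0-DRAFT+TODO` and `created`/`modified` carry a 2021 timestamp, which reinforces that the file was copied rather than regenerated; strict JSON allows no comment here, so the fix is to update the values themselves.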
@@ -0,0 +1,261 @@
+---
+name: tre-workspace-unrestricted
+version: 0.1.8
+description: "A base Azure TRE workspace"
+dockerfile: Dockerfile.tmpl
+registry: azuretre
+
+credentials:
+ # Credentials for interacting with the AAD Auth tenant
+ - name: auth_client_id
+ env: AUTH_CLIENT_ID
+ - name: auth_client_secret
+ env: AUTH_CLIENT_SECRET
+ - name: auth_tenant_id
+ env: AUTH_TENANT_ID
+ # Credentials for interacting with Azure
+ - name: azure_tenant_id
+ env: ARM_TENANT_ID
+ - name: azure_subscription_id
+ env: ARM_SUBSCRIPTION_ID
+ - name: azure_client_id
+ env: ARM_CLIENT_ID
+ - name: azure_client_secret
+ env: ARM_CLIENT_SECRET
+
+parameters:
+ - name: tre_id
+ type: string
+ description: "The ID of the parent TRE instance e.g., mytre-dev-3142"
+ - name: id
+ type: string
+ description: "the resource ID for this installation"
+ - name: azure_location
+ type: string
+ description: "Azure location (region) to deploy to"
+ - name: address_space
+ type: string
+ description: "VNet address space for the workspace services"
+ - name: tfstate_resource_group_name
+ type: string
+ description: "Resource group containing the Terraform state storage account"
+ - name: tfstate_storage_account_name
+ type: string
+ description: "The name of the Terraform state storage account"
+ - name: tfstate_container_name
+ type: string
+ default: "tfstate"
+ description: "The name of the Terraform state storage container"
+ - name: arm_use_msi
+ type: boolean
+ default: false
+ - name: shared_storage_quota
+ type: integer
+ default: 50
+ - name: enable_local_debugging
+ type: boolean
+ default: false
+ - name: register_aad_application
+ type: boolean
+ default: false
+ description: "Whether this bundle should register the workspace in AAD"
+ - name: workspace_owner_object_id
+ type: string
+ description: "The object id of the user that will be granted WorkspaceOwner after it is created."
+ - name: client_id
+ type: string
+ description:
+ "The client id of the workspace in the identity provider. This value is typically provided to you
+ when you create the ws application"
+ - name: client_secret
+ type: string
+ description:
+ "The client secret of the workspace in the identity provider. This value is typically provided to you
+ when you create the ws application"
+ default: ""
+ - name: scope_id
+ type: string
+ default: ""
+ description: "The Service Principal Name or identifierUri (e.g. api://GUID"
+ - name: sp_id
+ type: string
+ default: ""
+ description: "The Service Principal in the Identity provider to be able to get claims"
+ - name: app_role_id_workspace_owner
+ type: string
+ default: ""
+ description: "The id of the application role WorkspaceOwner in the identity provider"
+ - name: app_role_id_workspace_researcher
+ type: string
+ default: ""
+ description: "The id of the application role WorkspaceResearcher in the identity provider"
+ - name: app_role_id_workspace_airlock_manager
+ type: string
+ default: ""
+ description: "The id of the application role AirlockManager in the identity provider"
+ - name: aad_redirect_uris
+ type: string
+ description: "List of redirect URIs in {name:value} format"
+ default: "W10=" # b64 for []
+ - name: app_service_plan_sku
+ type: string
+ description: "The SKU used when deploying an Azure App Service Plan"
+ default: "P1v3"
+ - name: enable_airlock
+ type: boolean
+ default: false
+
+outputs:
+ - name: app_role_id_workspace_owner
+ type: string
+ applyTo:
+ - install
+ - name: app_role_id_workspace_researcher
+ type: string
+ applyTo:
+ - install
+ - name: app_role_id_workspace_airlock_manager
+ type: string
+ applyTo:
+ - install
+ - name: client_id
+ type: string
+ applyTo:
+ - install
+ - name: scope_id
+ type: string
+ applyTo:
+ - install
+ - name: sp_id
+ type: string
+ applyTo:
+ - install
+
+mixins:
+ - exec
+ - terraform:
+ clientVersion: 1.1.7
+ - az
+
+install:
+ - terraform:
+ description: "Deploy workspace"
+ vars:
+ tre_id: "{{ bundle.parameters.tre_id }}"
+ tre_resource_id: "{{ bundle.parameters.id }}"
+ location: "{{ bundle.parameters.azure_location }}"
+ address_space: "{{ bundle.parameters.address_space }}"
+ shared_storage_quota: "{{ bundle.parameters.shared_storage_quota }}"
+ enable_local_debugging: "{{ bundle.parameters.enable_local_debugging }}"
+ register_aad_application: "{{ bundle.parameters.register_aad_application }}"
+ auth_client_id: "{{ bundle.credentials.auth_client_id }}"
+ auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
+ auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+ workspace_owner_object_id: "{{ bundle.parameters.workspace_owner_object_id }}"
+ client_id: "{{ bundle.parameters.client_id }}"
+ client_secret: "{{ bundle.parameters.client_secret }}"
+ scope_id: "{{ bundle.parameters.scope_id }}"
+ sp_id: "{{ bundle.parameters.sp_id }}"
+ app_role_id_workspace_owner: "{{ bundle.parameters.app_role_id_workspace_owner }}"
+ app_role_id_workspace_researcher: "{{ bundle.parameters.app_role_id_workspace_researcher }}"
+ app_role_id_workspace_airlock_manager: "{{ bundle.parameters.app_role_id_workspace_airlock_manager }}"
+ aad_redirect_uris_b64: "{{ bundle.parameters.aad_redirect_uris }}"
+ app_service_plan_sku: "{{ bundle.parameters.app_service_plan_sku }}"
+ enable_airlock: "{{ bundle.parameters.enable_airlock }}"
+ backendConfig:
+ resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+ storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+ container_name: "{{ bundle.parameters.tfstate_container_name }}"
+ key: "{{ bundle.parameters.tre_id }}-ws-{{ bundle.parameters.id }}"
+ outputs:
+ - name: app_role_id_workspace_owner
+ - name: app_role_id_workspace_researcher
+ - name: app_role_id_workspace_airlock_manager
+ - name: client_id
+ - name: scope_id
+ - name: sp_id
+
+upgrade:
+ # TODO: fix with https://github.com/microsoft/AzureTRE/issues/2114
+ # - terraform:
+ # description: "Upgrade workspace"
+ # vars:
+ # tre_id: "{{ bundle.parameters.tre_id }}"
+ # tre_resource_id: "{{ bundle.parameters.id }}"
+ # location: "{{ bundle.parameters.azure_location }}"
+ # address_space: "{{ bundle.parameters.address_space }}"
+ # shared_storage_quota: "{{ bundle.parameters.shared_storage_quota }}"
+ # enable_local_debugging: "{{ bundle.parameters.enable_local_debugging }}"
+ # register_aad_application: "{{ bundle.parameters.register_aad_application }}"
+ # auth_client_id: "{{ bundle.credentials.auth_client_id }}"
+ # auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
+ # auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+ # workspace_owner_object_id: "{{ bundle.parameters.workspace_owner_object_id }}"
+ # client_id: "{{ bundle.parameters.client_id }}"
+ # client_secret: "{{ bundle.parameters.client_secret }}"
+ # scope_id: "{{ bundle.parameters.scope_id }}"
+ # sp_id: "{{ bundle.parameters.sp_id }}"
+ # app_role_id_workspace_owner: "{{ bundle.parameters.app_role_id_workspace_owner }}"
+ # app_role_id_workspace_researcher: "{{ bundle.parameters.app_role_id_workspace_researcher }}"
+ # aad_redirect_uris_b64: "{{ bundle.parameters.aad_redirect_uris }}"
+ # backendConfig:
+ # resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+ # storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+ # container_name: "{{ bundle.parameters.tfstate_container_name }}"
+ # key: "{{ bundle.parameters.tre_id }}-ws-{{ bundle.parameters.id }}"
+ # outputs:
+ # - name: app_role_id_workspace_owner
+ # - name: app_role_id_workspace_researcher
+ # - name: client_id
+ # - name: scope_id
+ # - name: sp_id
+ - az:
+ description: "AAD Application Admin Login"
+ arguments:
+ - login
+ flags:
+ service-principal: ""
+ username: "'{{bundle.credentials.auth_client_id}}'"
+ password: "'{{bundle.credentials.auth_client_secret}}'"
+ tenant: "'{{bundle.credentials.auth_tenant_id}}'"
+ allow-no-subscriptions: ""
+ - exec:
+ description: "Update workspace app redirect urls"
+ command: ./update_redirect_urls.sh
+ flags:
+ workspace-api-client-id: "{{ bundle.parameters.client_id }}"
+ aad-redirect-uris-b64: "{{ bundle.parameters.aad_redirect_uris }}"
+ # always update with the script since we don't run TF for upgrade
+ # might need to change when https://github.com/microsoft/AzureTRE/issues/2114 is resolved.
+ register-aad-application: "false"
+ # register-aad-application: "{{ bundle.parameters.register_aad_application }}"
+
+uninstall:
+ - terraform:
+ description: "Tear down workspace"
+ vars:
+ tre_id: "{{ bundle.parameters.tre_id }}"
+ tre_resource_id: "{{ bundle.parameters.id }}"
+ location: "{{ bundle.parameters.azure_location }}"
+ address_space: "{{ bundle.parameters.address_space }}"
+ shared_storage_quota: "{{ bundle.parameters.shared_storage_quota }}"
+ enable_local_debugging: "{{ bundle.parameters.enable_local_debugging }}"
+ register_aad_application: "{{ bundle.parameters.register_aad_application }}"
+ auth_client_id: "{{ bundle.credentials.auth_client_id }}"
+ auth_client_secret: "{{ bundle.credentials.auth_client_secret }}"
+ auth_tenant_id: "{{ bundle.credentials.auth_tenant_id }}"
+ workspace_owner_object_id: "{{ bundle.parameters.workspace_owner_object_id }}"
+ client_id: "{{ bundle.parameters.client_id }}"
+ scope_id: "{{ bundle.parameters.scope_id }}"
+ sp_id: "{{ bundle.parameters.sp_id }}"
+ app_role_id_workspace_owner: "{{ bundle.parameters.app_role_id_workspace_owner }}"
+ app_role_id_workspace_researcher: "{{ bundle.parameters.app_role_id_workspace_researcher }}"
+ app_role_id_workspace_airlock_manager: "{{ bundle.parameters.app_role_id_workspace_airlock_manager }}"
+ aad_redirect_uris_b64: "{{ bundle.parameters.aad_redirect_uris }}"
+ app_service_plan_sku: "{{ bundle.parameters.app_service_plan_sku }}"
+ enable_airlock: "{{ bundle.parameters.enable_airlock }}"
+ backendConfig:
+ resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+ storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+ container_name: "{{ bundle.parameters.tfstate_container_name }}"
+ key: "{{ bundle.parameters.tre_id }}-ws-{{ bundle.parameters.id }}"
diff --git a/templates/workspaces/unrestricted/template_schema.json b/templates/workspaces/unrestricted/template_schema.json
new file mode 100644
index 0000000000..1070883728
--- /dev/null
+++ b/templates/workspaces/unrestricted/template_schema.json
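Review bot: `description: "A base Azure TRE workspace"` near the top of the bundle is copied from the base bundle and contradicts the `Unrestricted Workspace` title in `template_schema.json`; change it to `description: "An unrestricted Azure TRE workspace"` so the registry listing distinguishes the two. In the `upgrade` action the `az login` step passes `bundle.credentials.auth_client_secret` through the `password` flag, so the secret travels on the CLI command line where process listings and verbose porter output can capture it; this is inherited from the base bundle, but a comment above the step acknowledging the exposure would stop it being copied further without thought. `enable_airlock` defaults to `false` and is not exposed in `template_schema.json`, so it is effectively constant here; document that on the parameter, e.g. `# not user-settable for this template: the airlock is disabled by design`. The `uninstall` terraform vars omit `client_secret` while `install` passes it; if that is intentional a one-line comment saying why would help the next reader.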
@@ -0,0 +1,179 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema",
+ "$id": "https://github.com/microsoft/AzureTRE/templates/workspaces/base/template_schema.json",
+ "type": "object",
+ "title": "Unrestricted Workspace",
+ "description": "Workspace with unrestricted access to the Internet",
+ "required": [],
+ "properties": {
+ "shared_storage_quota": {
+ "$id": "#/properties/shared_storage_quota",
+ "type": "integer",
+ "title": "Shared Storage Quota",
+ "description": "Quota (in GB) to set for the VM Shared Storage."
+ },
+ "aad_redirect_uris": {
+ "$id": "#/properties/aad_redirect_uris",
+ "type": "array",
+ "title": "AAD Redirect URIs",
+ "description": "Redirect URIs for the AAD app in auto_create mode",
+ "updateable": true,
+ "default": [],
+ "items": {
+ "title": "items",
+ "type": "object",
+ "required": [
+ "name",
+ "value"
+ ],
+ "properties": {
+ "name": {
+ "title": "name",
+ "type": "string",
+ "description": "Redirect URI Name",
+ "examples": [
+ "My Redirect URI"
+ ],
+ "pattern": "^.*$"
+ },
+ "value": {
+ "title": "value",
+ "type": "string",
+ "description": "Redirect URI Value",
+ "examples": [
+ "https://a-domain-name.com/oauth/"
+ ]
+ }
+ }
+ }
+ },
+ "app_service_plan_sku": {
+ "$id": "#/properties/app_service_plan_sku",
+ "type": "string",
+ "enum": [
+ "P1v3",
+ "P1v2",
+ "S1"
+ ],
+ "default": "P1v3",
+ "title": "App Service Plan SKU",
+ "description": "The SKU that will be used when deploying an Azure App Service Plan."
+ }
+ },
+ "uiSchema": {
+ "aad_redirect_uris": {
+ "classNames": "tre-hidden"
+ }
+ },
+ "pipeline": {
+ "install": [
+ {
+ "stepId": "main"
+ },
+ {
+ "stepId": "260421b3-7308-491f-b531-e007cdc0ff46",
+ "stepTitle": "Add network firewall rules for to allow all internt access",
+ "resourceTemplateName": "tre-shared-service-firewall",
+ "resourceType": "shared-service",
+ "resourceAction": "upgrade",
+ "properties": [
+ {
+ "name": "network_rule_collections",
+ "type": "array",
+ "arraySubstitutionAction": "replace",
+ "arrayMatchField": "name",
+ "value": {
+ "name": "nrc_workspace_{{ resource.id }}",
+ "action": "Allow",
+ "rules": [
+ {
+ "name": "AllowAll",
+ "description": "Unrestricted Access",
+ "source_addresses": [
+ "{{ resource.properties.address_space }}"
+ ],
+ "destination_addresses": [
+ "*"
+ ],
+ "destination_ports": [
+ "*"
+ ],
+ "protocols": [
+ "TCP",
+ "UDP"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "upgrade": [
+ {
+ "stepId": "main"
+ },
+ {
+ "stepId": "260421b3-7308-491f-b531-e007cdc0ff46",
+ "stepTitle": "Add network firewall rules for to allow all internt access",
+ "resourceTemplateName": "tre-shared-service-firewall",
+ "resourceType": "shared-service",
+ "resourceAction": "upgrade",
+ "properties": [
+ {
+ "name": "network_rule_collections",
+ "type": "array",
+ "arraySubstitutionAction": "replace",
+ "arrayMatchField": "name",
+ "value": {
+ "name": "nrc_workspace_{{ resource.id }}",
+ "action": "Allow",
+ "rules": [
+ {
+ "name": "AllowAll",
+ "description": "Unrestricted Access",
+ "source_addresses": [
+ "{{ resource.properties.address_space }}"
+ ],
+ "destination_addresses": [
+ "*"
+ ],
+ "destination_ports": [
+ "*"
+ ],
+ "protocols": [
+ "TCP",
+ "UDP"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "uninstall": [
+ {
+ "stepId": "260421b3-7308-491f-b531-e007cdc0ff48",
+ "stepTitle": "remove network firewall rules",
+ "resourceTemplateName": "tre-shared-service-firewall",
+ "resourceType": "shared-service",
+ "resourceAction": "upgrade",
+ "properties": [
+ {
+ "name": "network_rule_collections",
+ "type": "array",
+ "arraySubstitutionAction": "remove",
+ "arrayMatchField": "name",
+ "value": {
+ "name": "nrc_workspace_{{ resource.id }}"
+ }
+ }
+ ]
+ },
+ {
+ "stepId": "main"
+ }
+ ]
+ }
+}
diff --git a/templates/workspaces/unrestricted/terraform/empty.txt b/templates/workspaces/unrestricted/terraform/empty.txt
new file mode 100644
index 0000000000..c77897746a
--- /dev/null
+++ b/templates/workspaces/unrestricted/terraform/empty.txt
@@ -0,0 +1 @@
+The porter terraform mixin requires this directory to exist in the local build context.
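Review bot: `"$id"` on the third line of the schema still points at `templates/workspaces/base/template_schema.json`; for this template it should be `"$id": "https://github.com/microsoft/AzureTRE/templates/workspaces/unrestricted/template_schema.json"`, otherwise two different schemas share one identifier. The `stepTitle` used in both the `install` and `upgrade` pipelines reads `Add network firewall rules for to allow all internt access`; suggest `Add network firewall rules to allow all internet access`. The added rule collection permits `*`/`*` over TCP and UDP from the workspace address space, which is the stated intent of the template, but the collection's `name` is the only key used for both the `replace` and the `remove` substitution, so the `uninstall` step silently leaves the rule on the shared firewall if that name pattern ever changes between versions; a note next to `arrayMatchField` that `nrc_workspace_{{ resource.id }}` must stay stable across upgrades would record that dependency.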