Enable deployment to Azure Government Cloud

[ms-mikerice]

Deployment fails immediately when attempting to deploy to Azure Gov regions because of the distinct endpoints hardcoded into TRE. Requesting assisting in removing hardcoded endpoints and allowing endpoints to be determined based on region. Anywhere the az libraries are used (so long as it is up to date) will use correct endpoints.

[marrobi]

Looks like for terraform need to run:

az cloud set --name AzureUSGovernment

Prior to any commands. This would likely need to be run in all the bundles too.

With options of:

➜  ~ az cloud list -o table
IsActive    Name               Profile
----------  -----------------  ---------
False       AzureCloud         latest
False       AzureChinaCloud    latest
True        AzureUSGovernment  latest
False       AzureGermanCloud   latest

Actually, looks like this - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment - might do it.

[marrobi]

Useful document: https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure

[marrobi]

This is also worth a check:

https://learn.microsoft.com/en-us/azure/private-link/availability

Not sure how accurate it is as doesn't call out Government cloud for App Service private endpoint - https://learn.microsoft.com/en-us/azure/private-link/availability#web

@ms-mikerice thoughts?

[marrobi]

Also useful - Private Link DNS - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#government

[tamirkamara]

Looks like for terraform need to run:

az cloud set --name AzureUSGovernment

Prior to any commands. This would likely need to be run in all the bundles too.

With options of:

➜  ~ az cloud list -o table
IsActive    Name               Profile
----------  -----------------  ---------
False       AzureCloud         latest
False       AzureChinaCloud    latest
True        AzureUSGovernment  latest
False       AzureGermanCloud   latest

Shame this can't be done in the AzureRM provider configuration from what I can see.

The provider does support non-global clouds:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment

[marrobi]

@tamirkamara you are too quick, just updated my post, although see some references on stack overflow where seems people have had to resort to the CLI!

[kevinpagliarulo]

Looks like for terraform need to run:
az cloud set --name AzureUSGovernment
Prior to any commands. This would likely need to be run in all the bundles too.
With options of:

➜  ~ az cloud list -o table
IsActive    Name               Profile
----------  -----------------  ---------
False       AzureCloud         latest
False       AzureChinaCloud    latest
True        AzureUSGovernment  latest
False       AzureGermanCloud   latest

Shame this can't be done in the AzureRM provider configuration from what I can see.

The provider does support non-global clouds: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment

Looks like for terraform need to run:
az cloud set --name AzureUSGovernment
Prior to any commands. This would likely need to be run in all the bundles too.
With options of:

➜  ~ az cloud list -o table
IsActive    Name               Profile
----------  -----------------  ---------
False       AzureCloud         latest
False       AzureChinaCloud    latest
True        AzureUSGovernment  latest
False       AzureGermanCloud   latest

Shame this can't be done in the AzureRM provider configuration from what I can see.

The provider does support non-global clouds: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#environment

The environment argument supports "usgovernment"

[tamirkamara]

Initial list of things to sort:

• TRE_URL can be used to deal with internal usage of https://${TRE_ID}.${LOCATION}.cloudapp.azure.com
• private dns zones
• azcli login - docs state one should use az cloud set... but we heard that setting the region to some-gov one might be enough. If it's not enough there's many places where we call cli commands directly (not tre setup) like in the RP but also in template actions.
• endpoints in firewall rules
• Probably Nexus/Certs will require special attention due to how they work with private dns
• Airlock - has assumptions around blob endpoints.

• Hardcoded vault url prevents usage in a gov cloud getporter/azure-plugins#57
• [GOV] Add support for US Gov cloud in porter azure plugin #3284
• [GOV] Remove hardcoded cloud endpoints  #3285
• [GOV] Firewall fqdns should be sourced from ServiceTags #3286
• [GOV] Authority passed to services should be dynamically sourced #3287
• [GOV] Azure credentials sourced based on the target cloud #3288
• [GOV] Management Clients use base_url and credential_scopes #3289
• [GOV] Use auth libraries to authenticate TRE cli  #3293
• [GOV] Source Microsoft Graph and Login endpoints in AAD scripts from cloud setting #3294
• [GOV] Use auth libraries to authenticate in E2E tests #3296
• [GOV] AAD instance should be configurable in the api app  #3297
• [GOV] az login should login to the right cloud #3298
• [GOV] Design and Adjust our CI/CD pipelines to support multiple clouds #3299
• [GOV] ACR url should be sourced from environment #3303
• [GOV] Application Gateway FQDN should be sourced dynamically #3304
• [GOV] Private dns zone names sourced dynamically #3305
• [GOV] Hardcoded servicebus url should be dynamically sourced #3306
• [GOV] Disable RuntimeAuditLogs and ApplicationMetricsLogs on Gov Cloud #3307
• [GOV] Porter should source keyvault uri #3308
• [GOV] Porter templates installation environment includes cloud type #3309
• [GOV] Design how to handle cloud type in a consistent way across the system #3310
• [GOV] Support Airlock in gov cloud #3311
• [GOV] Remove the usage of azure-cli-core #3385
• [GOV] Use Azure Environment to setup the cloud #3361
• [GOV] Acquire token if there was an issue getting it from cache #3333
• [GOV] Add documentation regarding the cloud #3362