Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change Key Vault to use RBAC instead of Access Policies #4115

Merged
merged 9 commits into from
Nov 8, 2024

Conversation

jonnyry
Copy link
Collaborator

@jonnyry jonnyry commented Oct 28, 2024

Resolves #4000

What is being addressed

Change Key Vaults used in the TRE to use RBAC instead of Access Policies.

How is this addressed

  • Changes the Key Vault in the TRE code, and Workspace Key Vaults to use RBAC for authorisation instead of Access Policies
  • Replaces Access Policies with RBAC Role Assignments:
    • 'Key Vault Administrator' role is used where full read/update/delete is required to key vaults - such as the deployment principal, and the resource processor
    • 'Key Vault Secrets User' is used where only read is required
  • The PR does not to attempt to migrate manually create Access Policies outside of the terraform code, for example locally created access given to specific users.
  • The following workspaces/shared services/workspace service templates have been updated:
    • Certificate shared service
    • Gitea shared service
    • Package Mirror (Sonatype Nexus) shared service
    • Gitea workspace service
    • Guacamole workspace service
    • ML Flow workspace service
    • OHDSI workspace service
    • Base workspace
    • Unrestricted workspace (TODO - see below)
    • Airlock import review workspace (TODO - see below)

Follow up change required to unrestricted & airlock-import-review workspaces

Because of the mechanism the unrestricted & airlock-import-review workspaces pull code from the previous version of the Azure TRE, they will not receive this change until a new version is tagged, and their code is updated to pull the tag.

Therefore these two workspace templates will fail with Key Vault permissions until this work is completed.

@github-actions github-actions bot added the external PR from an external contributor label Oct 28, 2024
@jonnyry jonnyry marked this pull request as ready for review October 28, 2024 11:18
Copy link

github-actions bot commented Nov 4, 2024

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 19c111b.

♻️ This comment has been updated with latest results.

@jonnyry
Copy link
Collaborator Author

jonnyry commented Nov 4, 2024

Fixed lint issues (terraform formatting)

@tim-p-allen
Copy link
Collaborator

/test-extended d5332c9

Copy link

github-actions bot commented Nov 4, 2024

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/11674140504 (with refid 034afc4a)

(in response to this comment from @tim-allen-ck)

Copy link
Collaborator

@tim-p-allen tim-p-allen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marrobi
Copy link
Member

marrobi commented Nov 7, 2024

@jonnyry This looks good, thank you. Has this been tested on an upgrade? Might be we should do that, can't see why it would cause any issues, but may do.

@jonnyry
Copy link
Collaborator Author

jonnyry commented Nov 7, 2024

@marrobi I haven't actually, only deployed to a fresh instance. Let me attempt an upgrade and report back.

@marrobi
Copy link
Member

marrobi commented Nov 8, 2024

@jonnyry did you get chance to try the upgrade? If not I can give it a go today.

@jonnyry
Copy link
Collaborator Author

jonnyry commented Nov 8, 2024

@marrobi yes please if you get chance. I didn't get round to it yesterday and not supposed to be working today :-D

Copy link
Member

@marrobi marrobi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upgrade works, tested workspace and VM deployment, code looks good. Thanks, great PR.

@marrobi marrobi enabled auto-merge (squash) November 8, 2024 14:20
@marrobi
Copy link
Member

marrobi commented Nov 8, 2024

/test-force-approve

passed here - https://github.com/microsoft/AzureTRE/actions/runs/11674140504

Copy link

github-actions bot commented Nov 8, 2024

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit 19c111b)

(in response to this comment from @marrobi)

@marrobi marrobi merged commit 07173fe into microsoft:main Nov 8, 2024
12 checks passed
@jonnyry jonnyry deleted the jr/upstream-main/69-key-vault-rbac branch November 8, 2024 14:49
@jonnyry
Copy link
Collaborator Author

jonnyry commented Nov 8, 2024

Thanks @marrobi

In order for unrestricted & airlock-import-review workspaces to pick up the change, will require a new version tagging and an update to those workspace templates. Happy to put in the PR to update this, though I'm not able to create the tag myself.

(change similar to this: nwsde@7dd1915 )

@marrobi
Copy link
Member

marrobi commented Nov 8, 2024

@tim-allen-ck @Danny-Cooke-CK can you help with creating a pre release tag? Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
external PR from an external contributor
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Key Vaults should use RBAC instead of access policies for access control
3 participants