diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 587764f..c000cdb 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -24,7 +24,7 @@ ARG NODE_VERSION="lts/*"
 RUN su $USERNAME -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"
 # Install terraform
-ARG TERRAFORM_VERSION="1.9.8"
+ARG TERRAFORM_VERSION="1.14.3"
 COPY .devcontainer/scripts/terraform.sh /tmp/
 RUN bash /tmp/terraform.sh "${TERRAFORM_VERSION}" /usr/bin
@@ -33,10 +33,10 @@ COPY .devcontainer/scripts/docker-client.sh /tmp/
 RUN /tmp/docker-client.sh $USERNAME
 # Install Docker
-ARG DOCKER_CE_VERSION="5:27.4.1-1~debian.12~bookworm"
-ARG DOCKER_CE_CLI_VERSION="5:27.4.1-1~debian.12~bookworm"
-ARG DOCKER_COMPOSE_PLUGIN_VERSION="2.32.1-1~debian.12~bookworm"
-ARG DOCKER_CONTAINERD_VERSION="1.7.24-1"
+ARG DOCKER_CE_VERSION="5:29.1.3-1~debian.12~bookworm"
+ARG DOCKER_CE_CLI_VERSION="5:29.1.3-1~debian.12~bookworm"
+ARG DOCKER_CONTAINERD_VERSION="2.2.1-1~debian.12~bookworm"
+ARG DOCKER_COMPOSE_PLUGIN_VERSION="5.0.0-1~debian.12~bookworm"
 RUN apt-get update && apt-get install -y ca-certificates curl gnupg lsb-release --no-install-recommends \
 && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
 && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
@@ -54,10 +54,10 @@ RUN if [ "${INTERACTIVE}" = "true" ]; then \
 # Install Porter, updates should be propagated to the RP.
 ARG PORTER_HOME_V1=/home/$USERNAME/.porter/
-ARG PORTER_VERSION=v1.2.1
-ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.5
-ARG PORTER_AZ_MIXIN_VERSION=v1.0.4
-ARG PORTER_AZURE_PLUGIN_VERSION=v1.2.3
+ARG PORTER_VERSION=v1.4.0
+ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.8
+ARG PORTER_AZ_MIXIN_VERSION=v1.0.7
+ARG PORTER_AZURE_PLUGIN_VERSION=v1.2.4
 COPY .devcontainer/scripts/porter-v1.sh /tmp/
 RUN export PORTER_VERSION=${PORTER_VERSION} \
 PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
@@ -66,15 +66,15 @@ RUN export PORTER_VERSION=${PORTER_VERSION} \
 PORTER_HOME=${PORTER_HOME_V1} \
 && /tmp/porter-v1.sh
-ENV PATH ${PORTER_HOME_V1}:$PATH
+ENV PATH=${PORTER_HOME_V1}:$PATH
 # Install azure-cli
-ARG AZURE_CLI_VERSION=2.67.0-1~bookworm
+ARG AZURE_CLI_VERSION=2.81.0-1~bookworm
 COPY .devcontainer/scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
 && /tmp/azure-cli.sh
-ARG YQ_VERSION="v4.44.6"
+ARG YQ_VERSION="v4.49.2"
 RUN curl -L --fail -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \
 && chmod +x /usr/local/bin/yq
@@ -98,6 +98,9 @@ RUN echo "export HISTFILE=$HOME/commandhistory/.bash_history" >> "$HOME/.bashrc"
 COPY ./.devcontainer/scripts/gh.sh /tmp/
 RUN if [ "${INTERACTIVE}" = "true" ]; then /tmp/gh.sh; fi
+# Build x86-64 docker images by default
+ENV DOCKER_DEFAULT_PLATFORM=amd64
+
 # Install AzureTRE OSS
 ARG UPSTREAM_REPO
 ARG UPSTREAM_REPO_VERSION
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index d3725d6..593b966 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -18,7 +18,7 @@
 "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
 "INTERACTIVE": "true",
 "UPSTREAM_REPO": "microsoft/AzureTRE",
-"UPSTREAM_REPO_VERSION": "v0.26.0",
+"UPSTREAM_REPO_VERSION": "v0.28.0",
 "GITHUB_TOKEN": ""
 }
 },
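Review bot: `ENV DOCKER_DEFAULT_PLATFORM=amd64` (hunk `@@ -98,6 +98,9 @@`) relies on the Docker client completing a bare architecture to `<host-os>/amd64`; the variable is documented with an OS/arch pair, so `ENV DOCKER_DEFAULT_PLATFORM=linux/amd64` is the unambiguous spelling and matches the `arch=amd64` and `yq_linux_amd64` assumptions elsewhere in this file. The comment above it is also narrower than the effect: the variable is honoured by every command that takes `--platform` (`run`, `pull`, `create`, not only `build`), so `# Default platform for docker build/run/pull: use amd64 images even on arm64 hosts` describes what a developer will actually observe. Because this is `ENV` rather than a build `ARG`, it also applies when CI drives this image via `docker run`, which looks intentional but deserves a word in the comment.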
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index aec1ae3..fd0e992 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml @@ -1,7 +1,6 @@ --- name: "run_command" description: "Run a command in a devcontainer" -# yamllint disable rule:line-length inputs: COMMAND: description: "The command you want to run in the Devcontainer." @@ -9,8 +8,14 @@ inputs: DEVCONTAINER_TAG: description: "The container label to use when running the command." required: true - AZURE_CREDENTIALS: - description: "Credentials to access Azure." + AZURE_CLIENT_ID: + description: "The Azure Client ID for OIDC authentication" + required: true + AZURE_TENANT_ID: + description: "The Azure Tenant ID" + required: true + AZURE_SUBSCRIPTION_ID: + description: "The Azure Subscription ID" required: true AZURE_ENVIRONMENT: description: "Azure Cloud Environment" @@ -179,7 +184,9 @@ runs: uses: azure/login@v2 if: contains(inputs.COMMAND, 'make bootstrap') != true with: - creds: ${{ inputs.AZURE_CREDENTIALS }} + client-id: ${{ inputs.AZURE_CLIENT_ID }} + tenant-id: ${{ inputs.AZURE_TENANT_ID }} + subscription-id: ${{ inputs.AZURE_SUBSCRIPTION_ID }} environment: "${{ env.AZURE_ENVIRONMENT }}" - name: ACR Login @@ -223,6 +230,7 @@ runs: "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "./command.sh:/workspaces/tre/command.sh" \ + -v "$HOME/.azure:/home/vscode/.azure" \ --workdir /workspaces/tre \ --user vscode \ -e TF_INPUT="0" \ 
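Review bot: The three new inputs under `inputs:` (hunk `@@ -9,8 +8,14 @@`) only work when the calling job grants `id-token: write`, both for the `azure/login` step that now uses `client-id` (hunk `@@ -179,7 +184,9 @@`) and for the `-e ACTIONS_ID_TOKEN_REQUEST_URL` / `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN` lines added to the `docker run` in hunk `@@ -236,10 +244,12 @@`, which pass the runner's variables through only if the runner set them; a composite action cannot request that permission itself, so a caller that omits it gets an opaque `az`/Terraform authentication failure rather than a clear message. State the requirement where callers will read it, e.g. `description: "The Azure Client ID for OIDC authentication (the calling job must grant id-token: write)"`, and consider a fail-fast check before the `docker run` such as `if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then echo "id-token: write permission is required for OIDC login" && exit 1; fi`, if every `COMMAND` path relies on OIDC. The workflows in this same diff do add the permission, so the gap is documentation and early failure, not a current breakage.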
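Review bot: The new `-v "$HOME/.azure:/home/vscode/.azure"` in hunk `@@ -223,6 +230,7 @@` bind-mounts the runner's Azure CLI profile, which after `azure/login` holds the session's token cache, read-write into the container, and nothing on the line says why it is there. Since this is what lets `az` inside the container reuse the OIDC login, add a comment above it such as `# share the runner's az login (token cache written by azure/login) with the container`. If the commands run in the container only consume the session, `:ro` would keep them from altering the runner's profile; `az` does write to its config directory for some operations (`az account set`, logs), so keep it read-write only if that is needed and say so in the comment. One thing worth confirming in a run: the container runs as `--user vscode`, and if that UID differs from the runner user's, any owner-only files in `.azure` will be unreadable inside the container. The `docker run` command continues outside this hunk.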
@@ -236,10 +244,12 @@ runs: -e LOCATION="${{ inputs.LOCATION }}" \ -e TF_VAR_location="${{ inputs.LOCATION }}" \ -e RESOURCE_LOCATION="${{ inputs.LOCATION }}" \ - -e ARM_CLIENT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientId }}" \ - -e ARM_CLIENT_SECRET="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientSecret }}" \ - -e ARM_TENANT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).tenantId }}" \ - -e ARM_SUBSCRIPTION_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \ + -e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \ + -e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \ + -e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \ + -e ARM_USE_OIDC="true" \ + -e ACTIONS_ID_TOKEN_REQUEST_URL \ + -e ACTIONS_ID_TOKEN_REQUEST_TOKEN \ -e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != '' && inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \ -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \ @@ -251,7 +261,7 @@ runs: -e TF_VAR_api_client_secret="${{ inputs.API_CLIENT_SECRET }}" \ -e TF_VAR_application_admin_client_id="${{ inputs.APPLICATION_ADMIN_CLIENT_ID }}" \ -e TF_VAR_application_admin_client_secret="${{ inputs.APPLICATION_ADMIN_CLIENT_SECRET }}" \ - -e TF_VAR_arm_subscription_id="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \ + -e TF_VAR_arm_subscription_id="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \ -e TF_VAR_enable_swagger="${{ (inputs.ENABLE_SWAGGER != '' && inputs.ENABLE_SWAGGER) || 'false' }}" \ -e SWAGGER_UI_CLIENT_ID="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \ 
@@ -283,6 +293,7 @@ runs: -e UI_FOOTER_TEXT="${{ inputs.UI_FOOTER_TEXT }}" \ -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != '' && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \ + -e FIREWALL_SKU=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \ -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \ -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \ -e TF_VAR_enable_cmk_encryption="${{ (inputs.ENABLE_CMK_ENCRYPTION != '' diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index 0c09d28..319ad05 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -28,7 +28,7 @@ jobs: - uses: hashicorp/setup-terraform@v3 with: - terraform_version: "1.9.8" + terraform_version: "1.14.3" - name: Terraform format check run: terraform fmt -check -recursive diff --git a/.github/workflows/clean_validation_envs.yml b/.github/workflows/clean_validation_envs.yml index e562e0e..0cae184 100644 --- a/.github/workflows/clean_validation_envs.yml +++ b/.github/workflows/clean_validation_envs.yml @@ -11,6 +11,9 @@ jobs: clean: name: Clean runs-on: ubuntu-latest + permissions: + id-token: write + contents: read environment: Dev timeout-minutes: 30 steps: @@ -23,7 +26,9 @@ jobs: - name: Azure Login uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} environment: ${{ (secrets.AZURE_ENVIRONMENT != '' && secrets.AZURE_ENVIRONMENT) || 'AzureCloud' }} - name: Run clean diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml index 71fdf4f..68f5fb5 100644 --- a/.github/workflows/deploy_tre.yml +++ b/.github/workflows/deploy_tre.yml 
@@ -30,6 +30,7 @@ jobs: checks: write contents: read pull-requests: write + id-token: write with: ciGitRef: ${{ github.ref }} e2eTestsCustomSelector: >- @@ -41,7 +42,9 @@ jobs: secrets: AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} ACR_NAME: ${{ secrets.ACR_NAME }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }} API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }} APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }} diff --git a/.github/workflows/deploy_tre_branch.yml b/.github/workflows/deploy_tre_branch.yml index 7a7c905..29a02ba 100644 --- a/.github/workflows/deploy_tre_branch.yml +++ b/.github/workflows/deploy_tre_branch.yml @@ -62,6 +62,7 @@ jobs: checks: write contents: read pull-requests: write + id-token: write with: ciGitRef: ${{ github.ref }} prHeadSha: ${{ github.sha }} @@ -72,7 +73,9 @@ jobs: secrets: AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} ACR_NAME: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }} API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }} APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }} diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml index 4ded2e2..143db6a 100644 --- a/.github/workflows/deploy_tre_reusable.yml +++ b/.github/workflows/deploy_tre_reusable.yml 
@@ -86,7 +86,13 @@ on: # yamllint disable-line rule:truthy CI_CACHE_ACR_NAME: description: "" required: false - AZURE_CREDENTIALS: + AZURE_CLIENT_ID: + description: "" + required: true + AZURE_TENANT_ID: + description: "" + required: true + AZURE_SUBSCRIPTION_ID: description: "" required: true ENCRYPTION_KV_NAME: @@ -110,6 +116,7 @@ jobs: permissions: checks: write contents: read + id-token: write environment: ${{ inputs.environmentName }} steps: - name: Show inputs @@ -161,8 +168,8 @@ jobs: if [ "${{ secrets.TRE_ID }}" == '' ]; then echo "Missing secret: TRE_ID" && exit 1 fi - if [ "${{ secrets.AZURE_CREDENTIALS }}" == '' ]; then - echo "Missing secret: AZURE_CREDENTIALS" && exit 1 + if [ "${{ secrets.AZURE_CLIENT_ID }}" == '' ]; then + echo "Missing secret: AZURE_CLIENT_ID" && exit 1 fi if [ "${{ inputs.DEVCONTAINER_TAG }}" == '' ]; then @@ -187,7 +194,9 @@ jobs: - name: Azure Login uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} - name: ACR Login @@ -227,7 +236,9 @@ jobs: COMMAND: "make bootstrap mgmt-deploy" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} TRE_ID: ${{ secrets.TRE_ID }} LOCATION: ${{ vars.LOCATION }} 
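Review bot: The secret presence check in hunk `@@ -161,8 +168,8 @@` (around line 171) now validates only `AZURE_CLIENT_ID`, but the OIDC login later in the job (hunk `@@ -187,7 +194,9 @@`) and every `devcontainer_run_command` call also require `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID`; the old single `AZURE_CREDENTIALS` blob was covered by one check, so the replacement leaves two required secrets unvalidated and a missing one surfaces as an `azure/login` failure instead of the clear "Missing secret" message this block exists to give. Add parallel checks for the other two secrets directly after the `AZURE_CLIENT_ID` block. The same gap is in `.github/workflows/register_tre_bundle.yml` (hunk `@@ -83,8 +84,8 @@`), which should receive the identical addition. The enclosing `run:` script starts and ends outside the hunk.
```yaml
          # … unchanged: TRE_ID and AZURE_CLIENT_ID checks …
          if [ "${{ secrets.AZURE_TENANT_ID }}" == '' ]; then
            echo "Missing secret: AZURE_TENANT_ID" && exit 1
          fi
          if [ "${{ secrets.AZURE_SUBSCRIPTION_ID }}" == '' ]; then
            echo "Missing secret: AZURE_SUBSCRIPTION_ID" && exit 1
          fi
```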
@@ -284,7 +295,9 @@ jobs: COMMAND: "make ${{ matrix.target }}" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} ACR_NAME: ${{ secrets.ACR_NAME }} @@ -308,7 +321,9 @@ jobs: COMMAND: "make tre-start" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} TRE_ID: ${{ secrets.TRE_ID }} @@ -332,7 +347,9 @@ jobs: COMMAND: "TF_VAR_ci_git_ref=${{ inputs.ciGitRef }} TF_LOG=${{ vars.TF_LOG }} make deploy-core" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}" @@ -371,7 +388,9 @@ jobs: COMMAND: "make api-healthcheck" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} TRE_ID: ${{ secrets.TRE_ID }} LOCATION: ${{ vars.LOCATION }} 
@@ -439,7 +458,9 @@ jobs: # Exit with the last status code (exit \$ec) DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} ACR_NAME: ${{ secrets.ACR_NAME }} @@ -490,7 +511,9 @@ jobs: # Exit with the last status code (exit \$ec) DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} ACR_NAME: ${{ secrets.ACR_NAME }} @@ -540,7 +563,9 @@ jobs: (exit \$ec) DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} ACR_NAME: ${{ secrets.ACR_NAME }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" @@ -604,7 +629,9 @@ jobs: (exit \$ec) DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} ACR_NAME: ${{ secrets.ACR_NAME }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" 
@@ -658,7 +685,9 @@ jobs: (exit \$ec) DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} ACR_NAME: ${{ secrets.ACR_NAME }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" @@ -690,7 +719,9 @@ jobs: COMMAND: "make deploy-shared-service DIR=\\${AZURETRE_HOME}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}" @@ -705,7 +736,9 @@ jobs: COMMAND: "make db-migrate" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}" 
@@ -736,7 +769,9 @@ jobs: COMMAND: "make build-and-deploy-ui" DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }} CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} API_CLIENT_ID: "${{ secrets.API_CLIENT_ID }}" AAD_TENANT_ID: "${{ secrets.AAD_TENANT_ID }}" diff --git a/.github/workflows/register_tre_bundle.yml b/.github/workflows/register_tre_bundle.yml index 2c6a508..6c47f37 100644 --- a/.github/workflows/register_tre_bundle.yml +++ b/.github/workflows/register_tre_bundle.yml @@ -37,6 +37,7 @@ jobs: permissions: checks: write contents: read + id-token: write environment: ${{ inputs.environmentName || 'CICD'}} steps: - name: Show inputs @@ -83,8 +84,8 @@ jobs: if [ "${{ secrets.TRE_ID }}" == '' ]; then echo "Missing secret: TRE_ID" && exit 1 fi - if [ "${{ secrets.AZURE_CREDENTIALS }}" == '' ]; then - echo "Missing secret: AZURE_CREDENTIALS" && exit 1 + if [ "${{ secrets.AZURE_CLIENT_ID }}" == '' ]; then + echo "Missing secret: AZURE_CLIENT_ID" && exit 1 fi # if bundle_name is not set, exit with error @@ -127,7 +128,9 @@ jobs: - name: Azure Login uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} - name: ACR Login 
@@ -166,7 +169,9 @@ jobs: COMMAND: "make bootstrap mgmt-deploy" DEVCONTAINER_TAG: latest CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME}} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} TRE_ID: ${{ secrets.TRE_ID }} LOCATION: ${{ vars.LOCATION }} @@ -220,6 +225,7 @@ jobs: checks: write contents: read pull-requests: write + id-token: write steps: - name: Checkout repository uses: actions/checkout@v4 @@ -229,7 +235,9 @@ jobs: with: COMMAND: "make bundle BUNDLE=${{ inputs.bundle_name }} BUNDLE_TYPE=${{ inputs.bundle_type }} WORKSPACE_SERVICE=${{ inputs.workspace_service_name }}" DEVCONTAINER_TAG: 'latest' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }} CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME}} ACR_NAME: ${{ secrets.ACR_NAME }}