Upgrade to AzureTRE v0.28.0 and implement OIDC authentication

.devcontainer/Dockerfile

@@ -24,7 +24,7 @@ ARG NODE_VERSION="lts/*"
 RUN su $USERNAME -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"
 
 # Install terraform
-ARG TERRAFORM_VERSION="1.9.8"
+ARG TERRAFORM_VERSION="1.14.3"
 COPY .devcontainer/scripts/terraform.sh /tmp/
 RUN bash /tmp/terraform.sh "${TERRAFORM_VERSION}" /usr/bin
 
@@ -33,10 +33,10 @@ COPY .devcontainer/scripts/docker-client.sh /tmp/
 RUN /tmp/docker-client.sh $USERNAME
 
 # Install Docker
-ARG DOCKER_CE_VERSION="5:27.4.1-1~debian.12~bookworm"
-ARG DOCKER_CE_CLI_VERSION="5:27.4.1-1~debian.12~bookworm"
-ARG DOCKER_COMPOSE_PLUGIN_VERSION="2.32.1-1~debian.12~bookworm"
-ARG DOCKER_CONTAINERD_VERSION="1.7.24-1"
+ARG DOCKER_CE_VERSION="5:29.1.3-1~debian.12~bookworm"
+ARG DOCKER_CE_CLI_VERSION="5:29.1.3-1~debian.12~bookworm"
+ARG DOCKER_CONTAINERD_VERSION="2.2.1-1~debian.12~bookworm"
+ARG DOCKER_COMPOSE_PLUGIN_VERSION="5.0.0-1~debian.12~bookworm"
 RUN apt-get update && apt-get install -y ca-certificates curl gnupg lsb-release --no-install-recommends \
     && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
     && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
@@ -54,10 +54,10 @@ RUN if [ "${INTERACTIVE}" = "true" ]; then \
 
 # Install Porter, updates should be propagated to the RP.
 ARG PORTER_HOME_V1=/home/$USERNAME/.porter/
-ARG PORTER_VERSION=v1.2.1
-ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.5
-ARG PORTER_AZ_MIXIN_VERSION=v1.0.4
-ARG PORTER_AZURE_PLUGIN_VERSION=v1.2.3
+ARG PORTER_VERSION=v1.4.0
+ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.8
+ARG PORTER_AZ_MIXIN_VERSION=v1.0.7
+ARG PORTER_AZURE_PLUGIN_VERSION=v1.2.4
 COPY .devcontainer/scripts/porter-v1.sh /tmp/
 RUN export PORTER_VERSION=${PORTER_VERSION} \
     PORTER_TERRAFORM_MIXIN_VERSION=${PORTER_TERRAFORM_MIXIN_VERSION} \
@@ -66,15 +66,15 @@ RUN export PORTER_VERSION=${PORTER_VERSION} \
     PORTER_HOME=${PORTER_HOME_V1} \
     && /tmp/porter-v1.sh
 
-ENV PATH ${PORTER_HOME_V1}:$PATH
+ENV PATH=${PORTER_HOME_V1}:$PATH
 
 # Install azure-cli
-ARG AZURE_CLI_VERSION=2.67.0-1~bookworm
+ARG AZURE_CLI_VERSION=2.81.0-1~bookworm
 COPY .devcontainer/scripts/azure-cli.sh /tmp/
 RUN export AZURE_CLI_VERSION=${AZURE_CLI_VERSION} \
     && /tmp/azure-cli.sh
 
-ARG YQ_VERSION="v4.44.6"
+ARG YQ_VERSION="v4.49.2"
 RUN curl -L --fail -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \
     && chmod +x /usr/local/bin/yq
 
@@ -98,6 +98,9 @@ RUN echo "export HISTFILE=$HOME/commandhistory/.bash_history" >> "$HOME/.bashrc"
 COPY ./.devcontainer/scripts/gh.sh /tmp/
 RUN if [ "${INTERACTIVE}" = "true" ]; then /tmp/gh.sh; fi
 
+# Build x86-64 docker images by default
+ENV DOCKER_DEFAULT_PLATFORM=amd64
+
 # Install AzureTRE OSS
 ARG UPSTREAM_REPO
 ARG UPSTREAM_REPO_VERSION

.devcontainer/devcontainer.json

@@ -18,7 +18,7 @@
       "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
       "INTERACTIVE": "true",
       "UPSTREAM_REPO": "microsoft/AzureTRE",
-      "UPSTREAM_REPO_VERSION": "v0.26.0",
+      "UPSTREAM_REPO_VERSION": "v0.28.0",
       "GITHUB_TOKEN": ""
     }
   },

.github/actions/devcontainer_run_command/action.yml

@@ -1,16 +1,21 @@
 ---
 name: "run_command"
 description: "Run a command in a devcontainer"
-# yamllint disable rule:line-length
 inputs:
   COMMAND:
     description: "The command you want to run in the Devcontainer."
     required: true
   DEVCONTAINER_TAG:
     description: "The container label to use when running the command."
     required: true
-  AZURE_CREDENTIALS:
-    description: "Credentials to access Azure."
+  AZURE_CLIENT_ID:
+    description: "The Azure Client ID for OIDC authentication"
+    required: true
+  AZURE_TENANT_ID:
+    description: "The Azure Tenant ID"
+    required: true
+  AZURE_SUBSCRIPTION_ID:
+    description: "The Azure Subscription ID"
     required: true
   AZURE_ENVIRONMENT:
     description: "Azure Cloud Environment"
@@ -179,7 +184,9 @@ runs:
       uses: azure/login@v2
       if: contains(inputs.COMMAND, 'make bootstrap') != true
       with:
-        creds: ${{ inputs.AZURE_CREDENTIALS }}
+        client-id: ${{ inputs.AZURE_CLIENT_ID }}
+        tenant-id: ${{ inputs.AZURE_TENANT_ID }}
+        subscription-id: ${{ inputs.AZURE_SUBSCRIPTION_ID }}
         environment: "${{ env.AZURE_ENVIRONMENT }}"
 
     - name: ACR Login
@@ -223,6 +230,7 @@ runs:
           "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
           -v /var/run/docker.sock:/var/run/docker.sock \
           -v "./command.sh:/workspaces/tre/command.sh" \
+          -v "$HOME/.azure:/home/vscode/.azure" \
           --workdir /workspaces/tre \
           --user vscode \
           -e TF_INPUT="0" \
@@ -236,10 +244,12 @@ runs:
           -e LOCATION="${{ inputs.LOCATION }}" \
           -e TF_VAR_location="${{ inputs.LOCATION }}" \
           -e RESOURCE_LOCATION="${{ inputs.LOCATION }}" \
-          -e ARM_CLIENT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientId }}" \
-          -e ARM_CLIENT_SECRET="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientSecret }}" \
-          -e ARM_TENANT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).tenantId }}" \
-          -e ARM_SUBSCRIPTION_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
+          -e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \
+          -e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \
+          -e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \
+          -e ARM_USE_OIDC="true" \
+          -e ACTIONS_ID_TOKEN_REQUEST_URL \
+          -e ACTIONS_ID_TOKEN_REQUEST_TOKEN \
           -e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != ''
             && inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \
           -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
@@ -251,7 +261,7 @@ runs:
           -e TF_VAR_api_client_secret="${{ inputs.API_CLIENT_SECRET }}" \
           -e TF_VAR_application_admin_client_id="${{ inputs.APPLICATION_ADMIN_CLIENT_ID }}" \
           -e TF_VAR_application_admin_client_secret="${{ inputs.APPLICATION_ADMIN_CLIENT_SECRET }}" \
-          -e TF_VAR_arm_subscription_id="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
+          -e TF_VAR_arm_subscription_id="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \
           -e TF_VAR_enable_swagger="${{ (inputs.ENABLE_SWAGGER != ''
             && inputs.ENABLE_SWAGGER) || 'false' }}" \
           -e SWAGGER_UI_CLIENT_ID="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
@@ -283,6 +293,7 @@ runs:
           -e UI_FOOTER_TEXT="${{ inputs.UI_FOOTER_TEXT }}" \
           -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
             && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
+          -e FIREWALL_SKU=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \
           -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU != '' && inputs.FIREWALL_SKU || 'Standard' }} \
           -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
           -e TF_VAR_enable_cmk_encryption="${{ (inputs.ENABLE_CMK_ENCRYPTION != ''

.github/workflows/build_validation_develop.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: "1.9.8"
+          terraform_version: "1.14.3"
       - name: Terraform format check
         run: terraform fmt -check -recursive
 

.github/workflows/clean_validation_envs.yml

@@ -11,6 +11,9 @@ jobs:
   clean:
     name: Clean
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     environment: Dev
     timeout-minutes: 30
     steps:
@@ -23,7 +26,9 @@ jobs:
       - name: Azure Login
         uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           environment: ${{ (secrets.AZURE_ENVIRONMENT != '' && secrets.AZURE_ENVIRONMENT) || 'AzureCloud' }}
 
       - name: Run clean

.github/workflows/deploy_tre.yml

@@ -30,6 +30,7 @@ jobs:
       checks: write
       contents: read
       pull-requests: write
+      id-token: write
     with:
       ciGitRef: ${{ github.ref }}
       e2eTestsCustomSelector: >-
@@ -41,7 +42,9 @@ jobs:
     secrets:
       AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
       ACR_NAME: ${{ secrets.ACR_NAME }}
-      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
       API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
       APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}

.github/workflows/deploy_tre_branch.yml

@@ -62,6 +62,7 @@ jobs:
       checks: write
       contents: read
       pull-requests: write
+      id-token: write
     with:
       ciGitRef: ${{ github.ref }}
       prHeadSha: ${{ github.sha }}
@@ -72,7 +73,9 @@ jobs:
     secrets:
       AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
       ACR_NAME: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }}
-      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
       API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
       APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}