Merge branch 'main' into marrobi/add-soft-delete

Author: marrobi

airlock_processor/BlobCreatedTrigger/__init__.py

@@ -32,7 +32,7 @@ def main(msg: func.ServiceBusMessage,
             logging.error("environment variable 'ENABLE_MALWARE_SCANNING' does not exists. Cannot continue.")
             raise
 
-        if enable_malware_scanning and constants.STORAGE_ACCOUNT_NAME_IMPORT_INPROGRESS in topic:
+        if enable_malware_scanning and (constants.STORAGE_ACCOUNT_NAME_IMPORT_INPROGRESS in topic or constants.STORAGE_ACCOUNT_NAME_EXPORT_INPROGRESS in topic):
             # If malware scanning is enabled, the fact that the blob was created can be dismissed.
             # It will be consumed by the malware scanning service
             logging.info('Malware scanning is enabled. no action to perform.')

airlock_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.8.3"
+__version__ = "0.8.4"

core/terraform/airlock/outputs.tf

@@ -17,3 +17,7 @@ output "event_grid_status_changed_topic_resource_id" {
 output "event_grid_airlock_notification_topic_resource_id" {
   value = azurerm_eventgrid_topic.airlock_notification.id
 }
+
+output "airlock_malware_scan_result_topic_name" {
+  value = local.scan_result_topic_name
+}

core/terraform/json-to-env.sh

@@ -113,6 +113,10 @@ jq -r '
         {
             "path": "event_grid_airlock_notification_topic_resource_id",
             "env_var": "EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID"
+        },
+        {
+            "path": "airlock_malware_scan_result_topic_name",
+            "env_var": "AIRLOCK_MALWARE_SCAN_RESULT_TOPIC_NAME"
         }
     ]
         as $env_vars_to_extract

core/terraform/main.tf

@@ -188,6 +188,8 @@ module "resource_processor_vmss_porter" {
   enable_cmk_encryption                            = var.enable_cmk_encryption
   key_store_id                                     = local.key_store_id
   kv_encryption_key_name                           = local.cmk_name
+  enable_airlock_malware_scanning                  = var.enable_airlock_malware_scanning
+  airlock_malware_scan_result_topic_name           = module.airlock_resources.airlock_malware_scan_result_topic_name
 
   depends_on = [
     module.network,

core/terraform/resource_processor/vmss_porter/locals.tf

@@ -13,9 +13,11 @@ locals {
   rp_bundle_values_all = merge(var.rp_bundle_values, {
     // Add any additional settings like ones from the config.yaml here
     // to make them available for bundles.
-    firewall_sku          = var.firewall_sku
-    enable_cmk_encryption = var.enable_cmk_encryption
-    key_store_id          = var.key_store_id
+    firewall_sku                           = var.firewall_sku
+    enable_cmk_encryption                  = var.enable_cmk_encryption
+    key_store_id                           = var.key_store_id
+    enable_airlock_malware_scanning        = var.enable_airlock_malware_scanning
+    airlock_malware_scan_result_topic_name = var.airlock_malware_scan_result_topic_name
   })
   rp_bundle_values_dic       = [for key in keys(local.rp_bundle_values_all) : "RP_BUNDLE_${key}=${local.rp_bundle_values_all[key]}"]
   rp_bundle_values_formatted = join("\n      ", local.rp_bundle_values_dic)

core/terraform/resource_processor/vmss_porter/variables.tf

@@ -93,3 +93,13 @@ variable "kv_encryption_key_name" {
   type        = string
   description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
 }
+
+variable "enable_airlock_malware_scanning" {
+  type        = bool
+  description = "If False, Airlock requests will skip the malware scanning stage"
+}
+
+variable "airlock_malware_scan_result_topic_name" {
+  type        = string
+  description = "Name of the topic to publish Airlock malware scan results to"
+}

core/version.txt

@@ -1 +1 @@
-__version__ = "0.12.10"
+__version__ = "0.12.11"

templates/workspaces/base/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.1.1
+version: 2.1.2
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -126,6 +126,14 @@ parameters:
     type: string
     default: "GRS"
     description: "The redundancy option for the storage account in the workspace: GRS (Geo-Redundant Storage) or ZRS (Zone-Redundant Storage)."
+  - name: enable_airlock_malware_scanning
+    type: boolean
+    default: false
+    description: "Enable malware scanning on the workspace storage account"
+  - name: airlock_malware_scan_result_topic_name
+    type: string
+    default: ""
+    description: "The name of the topic to publish scan results to"
 
 outputs:
   - name: app_role_id_workspace_owner
@@ -196,6 +204,8 @@ install:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_airlock_malware_scanning: ${ bundle.parameters.enable_airlock_malware_scanning }
+        airlock_malware_scan_result_topic_name: ${ bundle.parameters.airlock_malware_scan_result_topic_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -241,6 +251,8 @@ upgrade:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_airlock_malware_scanning: ${ bundle.parameters.enable_airlock_malware_scanning }
+        airlock_malware_scan_result_topic_name: ${ bundle.parameters.airlock_malware_scan_result_topic_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -309,6 +321,8 @@ uninstall:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_airlock_malware_scanning: ${ bundle.parameters.enable_airlock_malware_scanning }
+        airlock_malware_scan_result_topic_name: ${ bundle.parameters.airlock_malware_scan_result_topic_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspaces/base/terraform/airlock/data.tf

@@ -23,3 +23,9 @@ data "azurerm_servicebus_topic" "blob_created" {
   resource_group_name = local.core_resource_group_name
   namespace_name      = data.azurerm_servicebus_namespace.airlock_sb.name
 }
+
+data "azurerm_eventgrid_topic" "scan_result" {
+  count               = var.enable_airlock_malware_scanning ? 1 : 0
+  name                = local.airlock_malware_scan_result_topic_name
+  resource_group_name = local.core_resource_group_name
+}

templates/workspaces/base/terraform/airlock/eventgrid_topics.tf

@@ -142,7 +142,6 @@ resource "azurerm_role_assignment" "servicebus_sender_export_blocked_blob_create
   ]
 }
 
-
 ## Subscriptions
 resource "azurerm_eventgrid_event_subscription" "import_approved_blob_created" {
   name  = "import-approved-blob-created-${var.short_workspace_id}"

templates/workspaces/base/terraform/airlock/locals.tf

@@ -7,7 +7,8 @@ locals {
   export_rejected_sys_topic_name   = "evgt-airlock-export-rejected-${local.workspace_resource_name_suffix}"
   export_blocked_sys_topic_name    = "evgt-airlock-export-blocked-${local.workspace_resource_name_suffix}"
 
-  blob_created_topic_name = "airlock-blob-created"
+  blob_created_topic_name                = "airlock-blob-created"
+  airlock_malware_scan_result_topic_name = var.airlock_malware_scan_result_topic_name
 
   # STorage AirLock IMport APProved
   import_approved_storage_name = lower(replace("stalimapp${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", ""))

templates/workspaces/base/terraform/airlock/providers.tf

@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = ">= 3.117.0"
     }
+    azapi = {
+      source  = "Azure/azapi"
+      version = ">= 1.15.0"
+    }
   }
 }
 

templates/workspaces/base/terraform/airlock/storage_accounts.tf

@@ -162,7 +162,7 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
   shared_access_key_enabled        = false
   local_user_enabled               = false
 
-  # Important! we rely on the fact that the blob craeted events are issued when the creation of the blobs are done.
+  # Important! we rely on the fact that the blob created events are issued when the creation of the blobs are done.
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
@@ -207,7 +207,6 @@ resource "azurerm_storage_account_network_rules" "sa_export_inprogress_rules" {
   bypass         = ["AzureServices"]
 }
 
-
 resource "azurerm_private_endpoint" "export_inprogress_pe" {
   name                = "pe-sa-export-ip-blob-${var.short_workspace_id}"
   location            = var.location
@@ -230,6 +229,31 @@ resource "azurerm_private_endpoint" "export_inprogress_pe" {
   }
 }
 
+# Enable Airlock Malware Scanning on Core TRE for Export In-Progress
+resource "azapi_resource_action" "enable_defender_for_storage_export" {
+  count       = var.enable_airlock_malware_scanning ? 1 : 0
+  type        = "Microsoft.Security/defenderForStorageSettings@2022-12-01-preview"
+  resource_id = "${azurerm_storage_account.sa_export_inprogress.id}/providers/Microsoft.Security/defenderForStorageSettings/current"
+  method      = "PUT"
+
+  body = jsonencode({
+    properties = {
+      isEnabled = true
+      malwareScanning = {
+        onUpload = {
+          isEnabled     = true
+          capGBPerMonth = 5000
+        },
+        scanResultsEventGridTopicResourceId = data.azurerm_eventgrid_topic.scan_result[0].id
+      }
+      sensitiveDataDiscovery = {
+        isEnabled = false
+      }
+      overrideSubscriptionLevelSettings = true
+    }
+  })
+}
+
 # 'Rejected' location for export
 resource "azurerm_storage_account" "sa_export_rejected" {
   name                             = local.export_rejected_storage_name

templates/workspaces/base/terraform/airlock/variables.tf

@@ -34,3 +34,9 @@ variable "encryption_identity_id" {
 variable "encryption_key_versionless_id" {
   type = string
 }
+variable "enable_airlock_malware_scanning" {
+  type = bool
+}
+variable "airlock_malware_scan_result_topic_name" {
+  type = string
+}

templates/workspaces/base/terraform/variables.tf

@@ -139,3 +139,15 @@ variable "storage_account_redundancy" {
   default     = "GRS"
   description = "The redundancy option for the storage account in the workspace: GRS (Geo-Redundant Storage) or ZRS (Zone-Redundant Storage)."
 }
+
+variable "enable_airlock_malware_scanning" {
+  type        = bool
+  default     = false
+  description = "Enable Airlock malware scanning for the workspace"
+}
+
+variable "airlock_malware_scan_result_topic_name" {
+  type        = string
+  description = "The name of the topic to publish scan results to"
+  default     = null
+}

templates/workspaces/base/terraform/workspace.tf

@@ -45,20 +45,22 @@ module "aad" {
 }
 
 module "airlock" {
-  count                         = var.enable_airlock ? 1 : 0
-  source                        = "./airlock"
-  location                      = var.location
-  tre_id                        = var.tre_id
-  tre_workspace_tags            = local.tre_workspace_tags
-  ws_resource_group_name        = azurerm_resource_group.ws.name
-  enable_local_debugging        = var.enable_local_debugging
-  services_subnet_id            = module.network.services_subnet_id
-  short_workspace_id            = local.short_workspace_id
-  airlock_processor_subnet_id   = module.network.airlock_processor_subnet_id
-  arm_environment               = var.arm_environment
-  enable_cmk_encryption         = var.enable_cmk_encryption
-  encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null
-  encryption_identity_id        = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption_identity[0].id : null
+  count                                  = var.enable_airlock ? 1 : 0
+  source                                 = "./airlock"
+  location                               = var.location
+  tre_id                                 = var.tre_id
+  tre_workspace_tags                     = local.tre_workspace_tags
+  ws_resource_group_name                 = azurerm_resource_group.ws.name
+  enable_local_debugging                 = var.enable_local_debugging
+  services_subnet_id                     = module.network.services_subnet_id
+  short_workspace_id                     = local.short_workspace_id
+  airlock_processor_subnet_id            = module.network.airlock_processor_subnet_id
+  arm_environment                        = var.arm_environment
+  enable_cmk_encryption                  = var.enable_cmk_encryption
+  encryption_key_versionless_id          = var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null
+  encryption_identity_id                 = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption_identity[0].id : null
+  enable_airlock_malware_scanning        = var.enable_airlock_malware_scanning
+  airlock_malware_scan_result_topic_name = var.enable_airlock_malware_scanning ? var.airlock_malware_scan_result_topic_name : null
   depends_on = [
     module.network,
   ]