diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72a55a77b..79ed543bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 
 BUG FIXES:
diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf
index 3adaae391..d1d92c565 100644
--- a/core/terraform/resource_processor/vmss_porter/main.tf
+++ b/core/terraform/resource_processor/vmss_porter/main.tf
@@ -82,6 +82,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
 encryption_at_host_enabled = false
 upgrade_mode = "Automatic"
 tags = local.tre_core_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 extension {
 auto_upgrade_minor_version = true
@@ -127,7 +129,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
 source_image_reference {
 publisher = "Canonical"
 offer = "0001-com-ubuntu-server-jammy"
- sku = "22_04-lts"
+ sku = "22_04-lts-gen2"
 version = "latest"
 }
 
diff --git a/core/version.txt b/core/version.txt
index d0f18418d..b663def5a 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.17"
+__version__ = "0.11.18"
diff --git a/templates/shared_services/admin-vm/porter.yaml b/templates/shared_services/admin-vm/porter.yaml
index 4bab3df9c..8a967f7b5 100644
--- a/templates/shared_services/admin-vm/porter.yaml
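Review bot: The `secure_boot_enabled = true` / `vtpm_enabled = true` pair added to the scale set in the first main.tf hunk is hard-coded with no comment and no `ignore_changes` entry, unlike the VM resources touched elsewhere in this commit; if the provider treats these attributes as ForceNew on the scale set too, as the comment added for the VMs states, upgrading an existing TRE replaces the resource processor scale set. That may well be acceptable for a stateless scale set, but the intent should be recorded, e.g. `# Trusted Launch; requires the gen2 sku below and replaces an existing scale set when first enabled`. The second hunk's `22_04-lts-gen2` sku is the prerequisite for these flags, so the two hunks must stay together if either is ever reverted. Both hunks sit inside a resource block that extends beyond them.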
+++ b/templates/shared_services/admin-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-admin-vm
-version: 0.5.1
+version: 0.5.2
 description: "An admin vm shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
index e89ff0520..2d9a2047b 100644
--- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
+++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
@@ -36,6 +36,8 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 admin_username = "adminuser"
 admin_password = random_password.password.result
 tags = local.tre_shared_service_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 source_image_reference {
 publisher = "MicrosoftWindowsDesktop"
@@ -51,7 +53,10 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null
 }
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" {
diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
index 31ab0a05e..526b8e5d6 100644
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 3.3.1
+version: 3.3.2
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
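Review bot: Adding `secure_boot_enabled` and `vtpm_enabled` to `ignore_changes` in the second admin-jumpbox.tf hunk means an already-deployed jumpbox keeps running without Secure Boot or vTPM while the configuration states `true`, and `terraform plan` will show no drift, so the hardening is silent for upgraded environments. The added comment should say so explicitly, e.g. `# existing VMs keep their current Trusted Launch settings; the VM must be recreated to apply secure_boot_enabled/vtpm_enabled`. The same applies to the identical lifecycle hunks in sonatype-nexus-vm/terraform/vm.tf, the export- and import-reviewvm windowsvm.tf, guacamole-azure-linuxvm/terraform/linuxvm.tf and guacamole-azure-windowsvm/terraform/windowsvm.tf. An upgrade note telling operators which VMs still need replacing would close the gap between declared and actual state.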
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 7d3de0703..8bd6d3ff6 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -103,10 +103,15 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 admin_username = "adminuser"
 admin_password = random_password.nexus_vm_password.result
 tags = local.tre_shared_service_tags
+ secure_boot_enabled = true
+ vtpm_enabled = true
 
 custom_data = data.template_cloudinit_config.nexus_config.rendered
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 
 source_image_reference {
 publisher = "Canonical"
diff --git a/templates/workspace_services/guacamole/user_resources/README.md b/templates/workspace_services/guacamole/user_resources/README.md
index 623098ad4..608509e00 100644
--- a/templates/workspace_services/guacamole/user_resources/README.md
+++ b/templates/workspace_services/guacamole/user_resources/README.md
@@ -37,10 +37,14 @@ custom:
 apt_sku: 22.04
 install_ui: true
 conda_config: false
+ secure_boot_enabled: true
+ vtpm_enabled: true
 # "Custom Image From Gallery":
 # source_image_name: your-image
 # install_ui: true
 # conda_config: true
+ # secure_boot_enabled: true
+ # vtpm_enabled: true
 ```
 
 The `vm_sizes` section is a map of a custom SKU description to the SKU identifier.
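Review bot: `secure_boot_enabled = true` in the vm.tf hunk requires the image in the `source_image_reference` block to be a Generation 2 sku, but the hunk ends before the `sku` line, so that cannot be confirmed here; if it is still a gen1 sku such as the `22_04-lts` the resource processor scale set used before this commit, creating a new Nexus VM fails Azure's Trusted Launch validation. The same check applies to the jumpbox in admin-vm/terraform/admin-jumpbox.tf, whose `MicrosoftWindowsDesktop` sku is likewise outside the hunk. A one-line comment next to the flags, `# requires a gen2 image in source_image_reference below`, would make the coupling visible to the next person who changes the image. The enclosing resource block continues past the hunk.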
@@ -55,6 +59,8 @@ Within the image definition in `image_options` there are a few properties that c | `source_image_reference` | Specify VM image to use by `publisher`, `offer`, `sku` & `version` (e.g. for Azure Marketplace images) | | `install_ui` | (Linux only) Set `true` to install desktop environment | | `conda_config` | Set true to configure conda | +| `secure_boot_enabled` | Set true to enable [Secure Boot](https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot). Requires a Requires a [Gen 2](https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2) VM image | +| `vtpm_enabled` | Set true to enable [Secure Boot](https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm). Requires a [Gen 2](https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2) VM image | When specifying images using `source_image_name`, the image must be stored in an [image gallery](https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery). To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE. diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml index 08a2bdf9e..8a2fa4c0a 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-export-reviewvm -version: 0.2.1 +version: 0.2.2 description: "An Azure TRE User Resource Template for reviewing Airlock export requests" dockerfile: Dockerfile.tmpl registry: azuretre 
@@ -18,6 +18,8 @@ custom:
 sku: winserver-2019
 version: latest
 conda_config: true
+ secure_boot_enabled: false # dsvm-win-2019 is not a gen2 image
+ vtpm_enabled: false
 
 credentials:
 - name: azure_tenant_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf
index 1f3ac946b..33784b627 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf
@@ -24,6 +24,8 @@ locals {
 # selected_image_source_refs is an array to enable easy use of a dynamic block
 selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
 selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+ secure_boot_enabled = lookup(local.selected_image, "secure_boot_enabled", false)
+ vtpm_enabled = lookup(local.selected_image, "vtpm_enabled", false)
 
 cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}"
 encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
index 318ff2976..84724fddb 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
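Review bot: The two `lookup(..., false)` defaults in the export-reviewvm locals.tf hunk are undocumented, and `false` is the permissive default: any image definition that omits the keys, including a custom gallery image, is deployed without Secure Boot or vTPM and nothing reports it. A comment such as `# Trusted Launch flags; default off because gen1 images (e.g. the DSVM) cannot enable them - set both true for gen2 gallery images` would record why the safe-by-default direction was not chosen. The same two lines are repeated in the import-reviewvm, linuxvm and windowsvm locals.tf hunks and should carry the same comment. The `locals` block continues outside the hunk.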
@@ -124,6 +124,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ secure_boot_enabled = local.secure_boot_enabled
+ vtpm_enabled = local.vtpm_enabled
 
 custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 
@@ -152,7 +154,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
 tags = local.tre_user_resources_tags
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
index 3e362fc2e..871eb4d61 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-import-reviewvm
-version: 0.3.1
+version: 0.3.2
 description: "An Azure TRE User Resource Template for reviewing Airlock import requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -18,11 +18,15 @@ custom:
 sku: winserver-2019
 version: latest
 conda_config: true
+ secure_boot_enabled: false # dsvm-win-2019 is not a gen2 image
+ vtpm_enabled: false
 # For information on using custom images, see README.me in the guacamole/user-resources folder
 # "Custom Image From Gallery":
 # source_image_name: sltestwin1
 # source_image_reference: null,
 # conda_config: true
+ # secure_boot_enabled: false
+ # vtpm_enabled: false
 
 credentials:
 - name: azure_tenant_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf
index 1f3ac946b..33784b627 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf
@@ -24,6 +24,8 @@ locals {
 # selected_image_source_refs is an array to enable easy use of a dynamic block
 selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
 selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+ secure_boot_enabled = lookup(local.selected_image, "secure_boot_enabled", false)
+ vtpm_enabled = lookup(local.selected_image, "vtpm_enabled", false)
 
 cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}"
 encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
index a4d250b7f..e761cca22 100644
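Review bot: The commented-out `Custom Image From Gallery` example in the import-reviewvm porter.yaml hunk sets `secure_boot_enabled: false` and `vtpm_enabled: false`, while the README example added in the same commit shows both `true`; since locals.tf defaults omitted keys to `false`, an operator copying this example gets a review VM without Trusted Launch even when the gallery image is gen2. Suggest the example show the hardened value with the prerequisite spelled out, e.g. `#   secure_boot_enabled: true # gallery image must be gen2` and `#   vtpm_enabled: true`. The linuxvm and windowsvm porter.yaml hunks repeat the same `false` example and should be aligned with the README.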
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
@@ -45,6 +45,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ secure_boot_enabled = local.secure_boot_enabled
+ vtpm_enabled = local.vtpm_enabled
 
 custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 
@@ -73,7 +75,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
 tags = local.tre_user_resources_tags
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
index 30895442e..b8ecdc4c7 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 1.2.3
+version: 1.2.4
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -23,11 +23,15 @@ custom:
 apt_sku: 22.04
 install_ui: true
 conda_config: false
+ secure_boot_enabled: true
+ vtpm_enabled: true
 # For information on using custom images, see README.me in the guacamole/user-resources folder
 # "Custom Image From Gallery":
 # source_image_name: your-image
 # install_ui: true
 # conda_config: true
+ # secure_boot_enabled: false
+ # vtpm_enabled: false
 
 credentials:
 - name: azure_tenant_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
index fb2b0b4ce..ca407e318 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
@@ -44,6 +44,8 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 disable_password_authentication = false
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ secure_boot_enabled = local.secure_boot_enabled
+ vtpm_enabled = local.vtpm_enabled
 
 custom_data = data.template_cloudinit_config.config.rendered
 
@@ -72,7 +74,10 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 
 tags = local.tre_user_resources_tags
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" {
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf
index a7f326efc..073adc03a 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf @@ -25,6 +25,8 @@ locals { # selected_image_source_refs is an array to enable easy use of a dynamic block selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" + secure_boot_enabled = lookup(local.selected_image, "secure_boot_enabled", false) + vtpm_enabled = lookup(local.selected_image, "vtpm_enabled", false) apt_sku = local.selected_image_source_refs[0]["apt_sku"] cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml index e93de02f3..858798866 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-windowsvm -version: 1.2.3 +version: 1.2.4 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)" dockerfile: Dockerfile.tmpl registry: azuretre @@ -21,6 +21,8 @@ custom: sku: win10-22h2-pro-g2 version: latest conda_config: false + secure_boot_enabled: true + vtpm_enabled: true "Windows 11": source_image_reference: publisher: microsoftwindowsdesktop 
@@ -28,6 +30,8 @@ custom:
 sku: win11-24h2-pro
 version: latest
 conda_config: false
+ secure_boot_enabled: true
+ vtpm_enabled: true
 "Server 2019 Data Science VM":
 source_image_reference:
 publisher: microsoft-dsvm
@@ -35,10 +39,14 @@ custom:
 sku: winserver-2019
 version: latest
 conda_config: true
+ secure_boot_enabled: false # dsvm-win-2019 is not a gen2 image
+ vtpm_enabled: false
 # For information on using custom images, see README.me in the guacamole/user-resources folder
 # "Custom Image From Gallery":
 # source_image_name: your-image
 # conda_config: true
+ # secure_boot_enabled: false
+ # vtpm_enabled: false
 
 credentials:
 - name: azure_tenant_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf
index 239e30477..d4b784f5d 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf
@@ -26,6 +26,8 @@ locals {
 # selected_image_source_refs is an array to enable easy use of a dynamic block
 selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
 selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+ secure_boot_enabled = lookup(local.selected_image, "secure_boot_enabled", false)
+ vtpm_enabled = lookup(local.selected_image, "vtpm_enabled", false)
 
 cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}"
 encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
index 336293814..f0de36195 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
@@ -45,6 +45,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ secure_boot_enabled = local.secure_boot_enabled
+ vtpm_enabled = local.vtpm_enabled
 
 custom_data = base64encode(templatefile(
 "${path.module}/vm_config.ps1", {
@@ -83,7 +85,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
 tags = local.tre_user_resources_tags
 
- lifecycle { ignore_changes = [tags] }
+ # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+ # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+ #
+ lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {