Update unrestricted workspace to align with base - missing log_analytics_workspace_name output

[Copilot]

Resolves #4746

What is being addressed

Azure Machine Learning workspace deployment fails in unrestricted workspaces with workspace ID parsing error. The error occurs because workspace services expect outputs that are present in base workspace but missing in unrestricted workspace, specifically log_analytics_workspace_name.

How is this addressed

Aligned unrestricted workspace template with base workspace:

• Added missing outputs to porter.yaml:

  • log_analytics_workspace_name (critical - resolves the parsing error)
  • backup_vault_name
  • vm_backup_policy_id
  • fileshare_backup_policy_id

• Added missing parameters to porter.yaml:

  • workspace_subscription_id
  • storage_account_redundancy
  • enable_backup
  • enable_dns_policy (kept in porter.yaml with default false, not exposed in UI)

• Updated all terraform sections (install/upgrade/uninstall) to pass new parameters and capture new outputs

• Updated template_schema.json:

  • Added corresponding properties and conditional logic for workspace_subscription_id
  • Removed enable_airlock property and all associated airlock-related fields (configure_review_vms, airlock_review_config) as airlock functionality is not applicable to unrestricted workspaces
  • Removed enable_dns_policy from user-facing options (DNS protections not needed for unrestricted workspaces)

• Incremented version from 0.13.5 to 0.13.6 (patch version per versioning guidelines)

• Updated CHANGELOG.md with bug fix entry

Preserved unrestricted workspace specifics:

• enable_airlock defaults to false in porter.yaml
• Pipeline steps for unrestricted internet access remain unchanged
• All airlock-related functionality completely removed from UI (enable_airlock, configure_review_vms, airlock_review_config)
• DNS policy and airlock malware scanning parameters excluded from UI (not applicable to unrestricted workspaces)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Azure Machine Learning Deployment Fails in Unrestricted Workspace Due to Workspace ID Parsing Error</issue_title>
<issue_description>Describe the bug
When deploying an Azure Machine Learning workspace in an unrestricted workspace using UI, The deployment fails with a Workspace ID parsing error.

Note:

1. Same steps works successfully in restricted workspace / base workspace.
2. Tried both with expose externally enabled and disabled
3. Same results for eastus2 and switzerlandnorth region.

The parsed Resource ID was missing a value for the segment at position 7
(which should be the user specified value for this workspace [for example "workspaceValue"]).

Error: parsing "/subscriptions/*******/resourceGroups/rg-tre-ws/providers/Microsoft.OperationalInsights/workspaces/": parsing the Workspace ID: the segment at position 7 didn't match

Expected a Workspace ID that matched:

/subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.OperationalInsights/workspaces/workspaceValue

However this value was provided:

/subscriptions/*******/resourceGroups/rg-tre-ws/providers/Microsoft.OperationalInsights/workspaces/

The parsed Resource ID was missing a value for the segment at position 7
(which should be the user specified value for this workspace [for example "workspaceValue"]).

with azurerm_application_insights.ai,
on main.tf line 94, in resource "azurerm_application_insights" "ai":
94: workspace_id = data.azurerm_log_analytics_workspace.ws.id

Steps to reproduce

1. Create Azure Machine Learning Workspace Services in Unrestricted Workspace
2. Deployment fails with error "workspace-service is updating_failed"

Error: parsing "/subscriptions/<subscription_id>/resourceGroups/rg-tre/providers/Microsoft.OperationalInsights/workspaces/": parsing the Workspace ID: the segment at position 7 didn't match
Expected a Workspace ID that matched:

/subscriptions/<example_subscription_id>/resourceGroups/example-resource-group/providers/Microsoft.OperationalInsights/workspaces/workspaceValue
However this value was provided:
/subscriptions/<subscription_id>/resourceGroups/rg-tre/providers/Microsoft.OperationalInsights/workspaces/
The parsed Resource ID was missing a value for the segment at position 7 (which should be the user-specified value for this workspace [for example "workspaceValue"]).
with azurerm_application_insights.ai, on main.tf line 94, in resource "azurerm_application_insights" "ai":
94: workspace_id = data.azurerm_log_analytics_workspace.ws.id

Azure TRE release version (main):

Azure TRE
UI Version:
0.8.15
API Version:
0.24.5

Deployed Azure TRE components - click the (i) in the UI:
Restricted Workspace
Base Workspace
Airlock Import Review Workspace

Restricted Workspace workspace services deployed:
Azure Machine Learning
Apache Guacamole - Virtual Desktop Service

</issue_description>

<agent_instructions>Ensure the unrestricted workspace template files - templates/workspaces/unrestricted/porter.yaml and templates/workspaces/unrestricted/template_schema.json - are aligned with the base workspace template's corresponding files. So this is inputs and outputs. The only difference is that unrestricted should not have airlock enabled and has additional pipepline steps to remove firewall rules "Add network firewall rules for to allow all internet access"</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@marrobi Hi @rahulhanumantchavan thanks for raising this, is it just when in an unrestricted workspace?

I'll try to give it a test, but have been working on this PR - #4687 so will maybe try and fix as part of that.</comment_new>
<comment_new>@marrobi
Ok, I can see this is down to the unrestricted workspace template missing a number of outputs.

       - name: backup_vault_name
        - name: vm_backup_policy_id
        - name: fileshare_backup_policy_id
        - name: log_analytics_workspace_name

the last being the issue reported.</comment_new>

• Fixes Azure Machine Learning Deployment Fails in Unrestricted Workspace Due to Workspace ID Parsing Error #4746

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[marrobi]

@copilot please address my comments

[marrobi]

@copilot can we remove:

"enable_airlock": {
  "type": "boolean",
  "title": "Enable Airlock",
  "description": "Allow safe import and export to the workspace",
  "default": true,
  "updateable": true
},

and associated fields.

As the airlock should not be available in the unrestricted workspace.

[Copilot]

@copilot can we remove:

"enable_airlock": {

...

Removed enable_airlock property and all associated fields from template_schema.json:

• Removed enable_airlock property
• Removed conditional section for configure_review_vms
• Removed conditional section for airlock_review_config (including import/export VM settings)
• Removed enable_airlock, configure_review_vms, and airlock_review_config from uiSchema order

(78ea2d7)

[marrobi]

[github-actions]

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit f89ba97.

♻️ This comment has been updated with latest results.

[marrobi]

/test-force-approve b67cc07

Builds locally and tested. Not covered other than build in e2e.

[github-actions]

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit b67cc07)

(in response to this comment from @marrobi)

[james-annages]

LGTM

[jonnyry]

LGTM

[Copilot]

Pull request overview

This PR fixes Azure Machine Learning workspace deployment failures in unrestricted workspaces by aligning the unrestricted workspace template with the base workspace template. The root cause was missing outputs (particularly log_analytics_workspace_name) that workspace services depend on for proper deployment.

Key changes:

• Added four critical missing outputs: log_analytics_workspace_name, backup_vault_name, vm_backup_policy_id, and fileshare_backup_policy_id
• Added supporting parameters for backup configuration (enable_backup, storage_account_redundancy) and multi-subscription deployments (workspace_subscription_id, deploy_to_another_subscription)
• Removed airlock-related UI properties from template_schema.json (airlock is disabled by default for unrestricted workspaces)
• Incremented version from 0.13.5 to 0.13.6 following semantic versioning guidelines for backward-compatible bug fixes

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
templates/workspaces/unrestricted/porter.yaml	Added missing parameters (workspace_subscription_id, storage_account_redundancy, enable_backup, enable_dns_policy) and outputs (backup_vault_name, vm_backup_policy_id, fileshare_backup_policy_id, log_analytics_workspace_name); updated version to 0.13.6; ensured parameters are consistently passed to all terraform actions
templates/workspaces/unrestricted/template_schema.json	Added new user-facing properties (storage_account_redundancy, enable_backup, deploy_to_another_subscription); removed airlock-related properties and conditional logic; added conditional logic for workspace_subscription_id; updated ui_order array
CHANGELOG.md	Added bug fix entry for #4768 and component version update for unrestricted workspace v0.13.6

[tamirkamara]

/test-force-approve f89ba97

[github-actions]

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit f89ba97)

(in response to this comment from @tamirkamara)

[JC-wk]

@marrobi This should resolve #4746 not #4768?