Migrate Azure Firewall and route tables to core configuration #4342
Conversation
….com/microsoft/AzureTRE into marrobi/firewall-to-core
…robi/firewall-to-core
Unit Test Results0 tests 0 ✅ 0s ⏱️ Results for commit c61ee60. ♻️ This comment has been updated with latest results. |
|
@marrobi please update with |
marrobi
force-pushed
the
marrobi/firewall-to-core
branch
from
af6ed73 to
ff24de2
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR migrates the Azure Firewall deployment and associated route table configurations to the core configuration. Key changes include:
- Upgrading the version in the porter.yaml template.
- Removing firewall-related parameters and the tre_resource_id from the shared services deployment template.
- Updating the CHANGELOG with the new migration entry.
Reviewed Changes
Copilot reviewed 6 out of 24 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| templates/shared_services/firewall/porter.yaml | Updated version and removed firewall-related parameters and IDs. |
| CHANGELOG.md | Added a changelog entry for the migration of Azure Firewall configurations. |
Files not reviewed (18)
- Makefile: Language not supported
- core/terraform/.terraform.lock.hcl: Language not supported
- core/terraform/firewall/firewall.tf: Language not supported
- core/terraform/firewall/import_state.sh: Language not supported
- core/terraform/firewall/locals.tf: Language not supported
- core/terraform/firewall/main.tf: Language not supported
- core/terraform/firewall/outputs.tf: Language not supported
- core/terraform/firewall/remove_state.sh: Language not supported
- core/terraform/firewall/rules.tf: Language not supported
- core/terraform/firewall/variables.tf: Language not supported
- core/terraform/main.tf: Language not supported
- core/terraform/network/outputs.tf: Language not supported
- core/terraform/routetable.tf: Language not supported
- core/terraform/variables.tf: Language not supported
- core/version.txt: Language not supported
- templates/shared_services/firewall/template_schema.json: Language not supported
- templates/shared_services/firewall/terraform/data.tf: Language not supported
- templates/shared_services/firewall/terraform/import_state.sh: Language not supported
Comments suppressed due to low confidence (3)
templates/shared_services/firewall/porter.yaml:45
- The removal of firewall-related parameters is intended by the PR; however, please verify that all consumers of this template have been updated to use the new core configuration and no references to these parameters remain.
- - name: firewall_sku
templates/shared_services/firewall/porter.yaml:59
- Removing the tre_resource_id from the install/upgrade/uninstall sections requires confirmation that resource identification is now handled elsewhere; please ensure the new configuration covers this need.
- tre_resource_id: ${ bundle.parameters.id }
CHANGELOG.md:9
- [nitpick] Consider aligning the changelog entry with the PR title by using 'core configuration' instead of 'Core Terraform' for consistency.
+* Migrate Azure Firewall and Route Tables to Core Terraform ([#4342](https://github.com/microsoft/AzureTRE/pull/4342))
There was a problem hiding this comment.
Why do you import the state here if we usually do it in the migration script?
There was a problem hiding this comment.
Hmm, I moved the file over from the firewall bundle, from when we went the other way. I can move this to the migrate script.
| depends_on = [ | ||
| module.network, | ||
| ] |
There was a problem hiding this comment.
I think this is redundant.
There was a problem hiding this comment.
Does the FW really needs to be a module?
There was a problem hiding this comment.
The reason was to leave the option to have it conditional in the future. If we don't want to deploy it for a dev environment for example.
There was a problem hiding this comment.
Same here. I think it should be move to the migration script.
| @@ -1,7 +1,7 @@ | |||
| --- | |||
| schemaVersion: 1.0.0 | |||
| name: tre-shared-service-firewall | |||
| version: 1.3.3 | |||
| version: 1.4.0 | |||
| description: "An Azure TRE Firewall shared service" | |||
There was a problem hiding this comment.
I understand we can't change the name, but we can consider changing the description, template schema and docs to reflect the fact this is now just about managing the workspace level firewall policy rules.
There was a problem hiding this comment.
Yup, primarily wanted to see if thought this works as a change in principal. If agreed, will go through and fix up.
| tre_shared_service_tags = { | ||
| tre_id = var.tre_id | ||
| tre_shared_service_id = var.tre_resource_id | ||
| } | ||
|
|
||
| api_driven_application_rule_collection = jsondecode(base64decode(var.api_driven_rule_collections_b64)) | ||
| api_driven_network_rule_collection = jsondecode(base64decode(var.api_driven_network_rule_collections_b64)) | ||
|
|
||
| firewall_policy_name = "fw-policy-${var.tre_id}" |
There was a problem hiding this comment.
I think it is now quite easy to provide this at run time as since it is set in the core it should be provided from there as a bundle variable.
There was a problem hiding this comment.
Not sure what you mean? The policy name?
| name = rule.value.name | ||
| # description = rule.value.description | ||
| name = rule.value.name | ||
| description = rule.value.description |
There was a problem hiding this comment.
Is it confirmed that network rules now support a description?
There was a problem hiding this comment.
Will check. It deploys and works... can't remember why changed this.
Move Azure Firewall Deployment to Core
Why:
$ make tre-stop#3953 (comment) ).Had to modify GitHub workflow for linting. Can someone verify this is correct?
Tested upgrade a few times, more wouldn't hurt.