[NWSDE #67] Azure SQL auditing

templates/workspace_services/azuresql-nwsde/.dockerignore

@@ -0,0 +1,7 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Put files here that you don't want copied into your bundle's invocation image
+.gitignore
+Dockerfile.tmpl
+
+# Local .terraform directories
+**/.terraform/*

templates/workspace_services/azuresql-nwsde/.gitignore

@@ -0,0 +1 @@
+.cnab/

templates/workspace_services/azuresql-nwsde/Dockerfile.tmpl

@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM --platform=linux/amd64 debian:bookworm-slim
+
+# PORTER_INIT
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+# Git is required for terraform_azurerm_environment_configuration
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y git --no-install-recommends
+
+
+WORKDIR ${BUNDLE_DIR}
+
+
+# copy files from the base workspace (dir passed to porter via --build-context)
+# ignoring hadolint DL3022; for details see https://github.com/hadolint/hadolint/issues/830
+#
+# hadolint ignore=DL3022
+COPY --from=azuresql --link . ${BUNDLE_DIR}/
+
+# Copy and change the file extension of .terraform file to .tf
+COPY ./terraform/azuresql-auditing.terraform "${BUNDLE_DIR}"/terraform/azuresql-auditing.tf
+COPY ./terraform/azuresql_override.terraform "${BUNDLE_DIR}"/terraform/azuresql_override.tf
+
+# PORTER_MIXINS
+
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/

templates/workspace_services/azuresql-nwsde/parameters.json

@@ -0,0 +1,68 @@
+{
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.1",
+  "namespace": "",
+  "name": "tre-workspace-service-azuresql-nwsde",
+  "parameters": [
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "sql_sku",
+      "source": {
+        "env": "SQL_SKU"
+      }
+    },
+    {
+      "name": "storage_gb",
+      "source": {
+        "env": "STORAGE_GB"
+      }
+    },
+    {
+      "name": "db_name",
+      "source": {
+        "env": "DB_NAME"
+      }
+    },
+    {
+      "name": "workspace_id",
+      "source": {
+        "env": "WORKSPACE_ID"
+      }
+    },
+    {
+      "name": "arm_environment",
+      "source": {
+        "env": "ARM_ENVIRONMENT"
+      }
+    }
+  ]
+}

templates/workspace_services/azuresql-nwsde/porter-build-context.env

@@ -0,0 +1,4 @@
+# Use this file to declare an additional build context to be passed to Porter
+# https://github.com/getporter/porter/blob/6f859710675cee5936a810ab654f205264f0feb2/docs/content/docs/references/cli/build.md?plain=1#L41
+
+export PORTER_BUILD_CONTEXT="azuresql=../azuresql"

templates/workspace_services/azuresql-nwsde/porter.yaml

@@ -0,0 +1,127 @@
+---
+schemaVersion: 1.0.0
+name: tre-workspace-service-azuresql-nwsde
+version: 1.0.5
+description: "An Azure SQL workspace service [nw]"
+registry: azuretre
+dockerfile: Dockerfile.tmpl
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+parameters:
+  - name: workspace_id
+    type: string
+  - name: tre_id
+    type: string
+
+  # the following are added automatically by the resource processor
+  - name: id
+    type: string
+    description: "Resource ID"
+    env: id
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    env: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    type: boolean
+    default: false
+  - name: arm_environment
+    env: ARM_ENVIRONMENT
+    type: string
+    default: "public"
+  - name: sql_sku
+    type: string
+    default: "S2 | 50 DTUs"
+  - name: storage_gb
+    type: integer
+    default: 5
+  - name: db_name
+    type: string
+    default: tredb
+
+mixins:
+  - exec
+  - terraform:
+      clientVersion: 1.9.8
+
+outputs:
+  - name: azuresql_fqdn
+    type: string
+    applyTo:
+      - install
+      - upgrade
+
+install:
+  - terraform:
+      description: "Deploy Azure SQL workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        sql_sku: ${ bundle.parameters.sql_sku }
+        storage_gb: ${ bundle.parameters.storage_gb }
+        db_name: ${ bundle.parameters.db_name }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-azuresql-${ bundle.parameters.id }
+      outputs:
+        - name: azuresql_fqdn
+upgrade:
+  - terraform:
+      description: "Upgrade Azure SQL workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        sql_sku: ${ bundle.parameters.sql_sku }
+        storage_gb: ${ bundle.parameters.storage_gb }
+        db_name: ${ bundle.parameters.db_name }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-azuresql-${ bundle.parameters.id }
+      outputs:
+        - name: azuresql_fqdn
+uninstall:
+  - terraform:
+      description: "Tear down Azure SQL workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        sql_sku: ${ bundle.parameters.sql_sku }
+        storage_gb: ${ bundle.parameters.storage_gb }
+        db_name: ${ bundle.parameters.db_name }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-azuresql-${ bundle.parameters.id }

templates/workspace_services/azuresql-nwsde/template_schema.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/azuresql-nwsde/template_schema.json",
+  "type": "object",
+  "title": "Azure SQL",
+  "description": "Provides Azure SQL within the workspace [nw]",
+  "required": [],
+  "properties": {
+    "sql_sku": {
+      "$id": "#/properties/sql_sku",
+      "type": "string",
+      "title": "Azure SQL SKU",
+      "description": "Azure SQL SKU",
+      "updateable": true,
+      "enum": [
+        "S1 | 20 DTUs",
+        "S2 | 50 DTUs",
+        "S3 | 100 DTUs",
+        "S4 | 200 DTUs",
+        "S6 | 400 DTUs"
+      ],
+      "default": "S2 | 50 DTUs"
+    },
+    "storage_gb": {
+      "$id": "#/properties/storage_gb",
+      "type": "number",
+      "title": "Max storage allowed for a database (GB)",
+      "description": "Max storage allowed for a database (GB)",
+      "default": 5
+    },
+    "db_name": {
+      "$id": "#/properties/db_name",
+      "type": "string",
+      "title": "Database name",
+      "description": "Database name",
+      "default": "tredb"
+    }
+  }
+}