diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b9e4d2c95..352558f017 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,11 @@ ## 0.27.0 (Unreleased) **BREAKING CHANGES** +* Azure ML workspace service now requires auto group creation for RBAC; legacy service-principal role assignment fallback has been removed. ([#4687](https://github.com/microsoft/AzureTRE/pull/4687)) * Fix missing arguments for airlock manager requests - change in API contract ([#4544](https://github.com/microsoft/AzureTRE/issues/4544)) * Clarify cost label time period and aggregation scope in UI tooltips ([#4607](https://github.com/microsoft/AzureTRE/pull/4607)) + ENHANCEMENTS: * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754)) * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742)) @@ -21,6 +23,8 @@ BUG FIXES: * Fix R configuration with incorrect quotes preventing package installation on Linux VMs ([#4657](https://github.com/microsoft/AzureTRE/issues/4657)) * Add timeouts to Graph requests in API ([#4723](https://github.com/microsoft/AzureTRE/issues/4723)) * Fix missing metastoreDomains for Databricks, which caused metastore outages for some domains ([#4779](https://github.com/microsoft/AzureTRE/issues/4779)) +* Fix data exfiltration vulnerability in Azure ML workspace service by removing unrestricted AzureMachineLearning service tag access and enforcing RBAC-based storage access ([#4660](https://github.com/microsoft/AzureTRE/issues/4660)) + COMPONENTS: diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index 0cf012d630..ee98b376ba 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml 
@@ -1,19 +1,12 @@ --- schemaVersion: 1.0.0 name: tre-service-azureml -version: 0.10.0 +version: 1.1.2 description: "An Azure TRE service for Azure Machine Learning" registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the AAD Auth tenant - - name: auth_client_id - env: AUTH_CLIENT_ID - - name: auth_client_secret - env: AUTH_CLIENT_SECRET - - name: auth_tenant_id - env: AUTH_TENANT_ID # Credentials for interacting with Azure - name: azure_tenant_id env: ARM_TENANT_ID @@ -61,8 +54,6 @@ parameters: default: false - name: arm_environment env: ARM_ENVIRONMENT - - name: azure_environment - env: AZURE_ENVIRONMENT - name: enable_cmk_encryption type: boolean default: false @@ -71,6 +62,12 @@ parameters: default: "" - name: log_analytics_workspace_name type: string + - name: workspace_owners_group_id + type: string + description: "Object ID of the workspace owners AAD group" + - name: workspace_researchers_group_id + type: string + description: "Object ID of the workspace researchers AAD group" outputs: - name: azureml_workspace_name 
@@ -142,14 +139,12 @@ install: address_space: ${ bundle.parameters.address_space } is_exposed_externally: ${ bundle.parameters.is_exposed_externally } arm_tenant_id: ${ bundle.credentials.azure_tenant_id } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } - azure_environment: ${ bundle.parameters.azure_environment } enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } key_store_id: ${ bundle.parameters.key_store_id } log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -181,14 +176,12 @@ upgrade: address_space: ${ bundle.parameters.address_space } is_exposed_externally: ${ bundle.parameters.is_exposed_externally } arm_tenant_id: ${ bundle.credentials.azure_tenant_id } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } - azure_environment: ${ bundle.parameters.azure_environment } enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } key_store_id: ${ bundle.parameters.key_store_id } log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
@@ -220,14 +213,12 @@ uninstall: address_space: ${ bundle.parameters.address_space } is_exposed_externally: ${ bundle.parameters.is_exposed_externally } arm_tenant_id: ${ bundle.credentials.azure_tenant_id } - auth_client_id: ${ bundle.credentials.auth_client_id } - auth_client_secret: ${ bundle.credentials.auth_client_secret } - auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } - azure_environment: ${ bundle.parameters.azure_environment } enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } key_store_id: ${ bundle.parameters.key_store_id } log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name } + workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id } + workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/azureml/template_schema.json b/templates/workspace_services/azureml/template_schema.json index 581b8993df..905bc72b3f 100644 --- a/templates/workspace_services/azureml/template_schema.json +++ b/templates/workspace_services/azureml/template_schema.json @@ -44,6 +44,18 @@ "$id": "#/properties/log_analytics_workspace_name", "type": "string", "title": "Log Analytics Workspace Name" + }, + "workspace_owners_group_id": { + "$id": "#/properties/workspace_owners_group_id", + "type": "string", + "title": "Workspace Owners Group ID", + "description": "Object ID of the workspace owners AAD group" + }, + "workspace_researchers_group_id": { + "$id": "#/properties/workspace_researchers_group_id", + "type": "string", + "title": "Workspace Researchers Group ID", + "description": "Object ID of the workspace researchers AAD group" } }, "uiSchema": { 
@@ -52,6 +64,12 @@ }, "log_analytics_workspace_name": { "classNames": "tre-hidden" + }, + "workspace_owners_group_id": { + "classNames": "tre-hidden" + }, + "workspace_researchers_group_id": { + "classNames": "tre-hidden" } }, "pipeline": { @@ -70,6 +88,16 @@ "name": "log_analytics_workspace_name", "type": "string", "value": "{{ resource.parent.properties.log_analytics_workspace_name }}" + }, + { + "name": "workspace_owners_group_id", + "type": "string", + "value": "{{ resource.parent.properties.workspace_owners_group_id }}" + }, + { + "name": "workspace_researchers_group_id", + "type": "string", + "value": "{{ resource.parent.properties.workspace_researchers_group_id }}" } ] }, @@ -150,22 +178,6 @@ "TCP" ] }, - { - "name": "AzureML_Client", - "description": "AzureML Client", - "source_addresses": "{{ resource.properties.workspace_address_spaces }}", - "destination_addresses": [ - "AzureActiveDirectory", - "AzureResourceManager", - "AzureMachineLearning" - ], - "destination_ports": [ - "443" - ], - "protocols": [ - "TCP" - ] - }, { "name": "AzureML_Storage", "description": "AzureML Storage", @@ -296,22 +308,6 @@ "TCP" ] }, - { - "name": "AzureML_Client", - "description": "AzureML Client", - "source_addresses": "{{ resource.properties.workspace_address_spaces }}", - "destination_addresses": [ - "AzureActiveDirectory", - "AzureResourceManager", - "AzureMachineLearning" - ], - "destination_ports": [ - "443" - ], - "protocols": [ - "TCP" - ] - }, { "name": "AzureML_Storage", "description": "AzureML Storage", diff --git a/templates/workspace_services/azureml/terraform/.terraform.lock.hcl b/templates/workspace_services/azureml/terraform/.terraform.lock.hcl index 5c6f02ffc7..b2a82e4f87 100644 --- a/templates/workspace_services/azureml/terraform/.terraform.lock.hcl +++ b/templates/workspace_services/azureml/terraform/.terraform.lock.hcl 
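Review bot: Deleting the whole `AzureML_Client` firewall rule removes egress to `AzureActiveDirectory` and `AzureResourceManager` together with the `AzureMachineLearning` tag that the CHANGELOG entry names, so any client in `workspace_address_spaces` that still needs token and ARM endpoints on 443 now depends on a rule outside this diff. If those two tags are not already allowed by a shared rule, keep the entry and narrow it to `"destination_addresses": ["AzureActiveDirectory", "AzureResourceManager"]` instead of removing it. The same deletion is repeated in the `@@ -296,22 +308,6 @@` hunk of this file and should get the same treatment.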
@@ -22,42 +22,22 @@ provider "registry.terraform.io/azure/azapi" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.117.0" - constraints = "3.117.0" + version = "4.54.0" + constraints = "4.54.0" hashes = [ - "h1:Ynfg+Iy7x6K8M6W1AhqXCe3wkoiqIQhROlca7C3KC3w=", - "zh:2e25f47492366821a786762369f0e0921cc9452d64bfd5075f6fdfcf1a9c6d70", - "zh:41eb34f2f7469bf3eb1019dfb0e7fc28256f809824016f4f8b9d691bf473b2ac", - "zh:48bb9c87b3d928da1abc1d3db75453c9725de4674c612daf3800160cc7145d30", - "zh:5d6b0de0bbd78943fcc65c53944ef4496329e247f434c6eab86ed051c5cea67b", - "zh:78c9f6fdb1206a89cf0e6706b4f46178169a93b6c964a4cad8a321058ccbd9b4", - "zh:793b702c352589d4360b580d4a1cf654a7439d2ad6bdb7bfea91de07bc4b0fac", - "zh:7ed687ff0a5509463a592f97431863574fe5cc80a34e395be06766215b8c6285", - "zh:955ba18789bd15592824eb426a8d0f38595bd09fffc6939c1c58933489c1a71e", - "zh:bf5949a55be0714cd9c8815d472eae4baa48ba06d0f6bf2b96775869acda8a54", - "zh:da5d31f635abd2c645ffc76d6176d73f646128e73720cc368247cc424975c127", - "zh:eed5a66d59883c9c56729b0a964a2b60d758ea7489ef3e920a6fbd48518ce5f5", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.5" - constraints = "2.3.5" - hashes = [ - "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", - "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", + "h1:uYLSLApU3bG/q6nxNb2N5FV0YddZxsg6Jlq27hDmPOA=", + "zh:0adda2cfb2ae9ec394943164cbd5ab1f1fac89a0125ad3966a97363b06b1bd11", + "zh:23dcc71a1586c2b8644476ccd3b4d4d22aa651d6ceb03d32f801bb7ecb09c84f", + "zh:4573833c692a87df167e3adf71c4291879e1a5d2e430ba5255509d3510c7a2f5", + "zh:49132e138bb28b02aa36a00fdcfcf818c4a6d150e3b5148e4d910efac5aaf1bf", + "zh:5dda12ad7f69f91847b99365f66b8dfb1d6ea913d2d06fadbabcea236cc1b346", + "zh:6e45c59dbc54c56c1255f4bb45db15a2ec75dcb2a9125adfa812a667132b332a", + "zh:76802f69f1fa8e894e9c96d6f7098698d1f9c036f30b46a40207fce5ed373ef0", 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", - "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", - "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", - "zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", - "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", - "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", - "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", - "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", - "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", - "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", + "zh:846e7222bdeee0150830d82cd2f09619e2239347eba1d05f0409c78a684502d8", + "zh:8822918829f89354ab65b1d588d3185191bbd81e3479510dcbec801d3e3617b0", + "zh:901074c726047a141e256e3229f3e55a5dd4033fec57f889c0118b71e818331b", + "zh:a240979f94f50d2f6ceda2651e5146652468f312f03691f0949876524d160a9d", ] } diff --git a/templates/workspace_services/azureml/terraform/acr.tf b/templates/workspace_services/azureml/terraform/acr.tf index 7fc9295e9a..cf091a5a55 100644 --- a/templates/workspace_services/azureml/terraform/acr.tf +++ b/templates/workspace_services/azureml/terraform/acr.tf @@ -20,7 +20,6 @@ resource "azurerm_container_registry" "acr" { dynamic "encryption" { for_each = var.enable_cmk_encryption ? [1] : [] content { - enabled = true key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].id identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id } diff --git a/templates/workspace_services/azureml/terraform/get_app_role_members.sh b/templates/workspace_services/azureml/terraform/get_app_role_members.sh deleted file mode 100755 index 0618df27d0..0000000000 
--- a/templates/workspace_services/azureml/terraform/get_app_role_members.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -eval "$(jq -r '@sh "AUTH_CLIENT_ID=\(.auth_client_id) AUTH_CLIENT_SECRET=\(.auth_client_secret) AUTH_TENANT_ID=\(.auth_tenant_id) WORSKPACE_CLIENT_ID=\(.workspace_client_id)"')" - -az cloud set --name "$AZURE_ENVIRONMENT" - -az login --allow-no-subscriptions --service-principal --username "$AUTH_CLIENT_ID" --password "$AUTH_CLIENT_SECRET" --tenant "$AUTH_TENANT_ID" > /dev/null - -msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" - -# get the service principal object id -sp=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json) -spId=$(echo "$sp" | jq -r '.value[0].id') - -# filter to the Workspace Researcher Role -workspaceResearcherRoleId=$(echo "$sp" | jq -r '.value[0].appRoles[] | select(.value == "WorkspaceResearcher") | .id') -principals=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId') - -jq -n --arg principals "$principals" '{"principals":$principals}' diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf index 10b01aec26..4e822a60c1 100644 --- a/templates/workspace_services/azureml/terraform/network.tf +++ b/templates/workspace_services/azureml/terraform/network.tf 
@@ -170,61 +170,7 @@ resource "azurerm_network_security_rule" "allow_outbound_to_internet" { source_port_range = "*" } -resource "azurerm_network_security_rule" "allow_outbound_to_aml_udp_5831" { - access = "Allow" - destination_address_prefix = "AzureMachineLearning" - destination_port_range = "5831" - direction = "Outbound" - name = "to-aml-udp" - network_security_group_name = azurerm_network_security_group.aml.name - priority = 106 - protocol = "Udp" - resource_group_name = data.azurerm_resource_group.ws.name - source_address_prefix = "*" - source_port_range = "*" -} - -resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_443" { - access = "Allow" - destination_address_prefix = "AzureMachineLearning" - destination_port_range = "443" - direction = "Outbound" - name = "to-aml-tcp-443" - network_security_group_name = azurerm_network_security_group.aml.name - priority = 107 - protocol = "Tcp" - resource_group_name = data.azurerm_resource_group.ws.name - source_address_prefix = "*" - source_port_range = "*" -} -resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_8787" { - access = "Allow" - destination_address_prefix = "AzureMachineLearning" - destination_port_range = "8787" - direction = "Outbound" - name = "to-aml-tcp-8787-rstudio" - network_security_group_name = azurerm_network_security_group.aml.name - priority = 108 - protocol = "Tcp" - resource_group_name = data.azurerm_resource_group.ws.name - source_address_prefix = "*" - source_port_range = "*" -} - -resource "azurerm_network_security_rule" "allow_outbound_to_aml_tcp_18881" { - access = "Allow" - destination_address_prefix = "AzureMachineLearning" - destination_port_range = "18881" - direction = "Outbound" - name = "to-aml-tcp-18881-language-server" - network_security_group_name = azurerm_network_security_group.aml.name - priority = 109 - protocol = "Tcp" - resource_group_name = data.azurerm_resource_group.ws.name - source_address_prefix = "*" - source_port_range = "*" -} 
resource "azurerm_network_security_rule" "allow_outbound_within_workspace_vnet" { access = "Allow" diff --git a/templates/workspace_services/azureml/terraform/providers.tf b/templates/workspace_services/azureml/terraform/providers.tf index e7930b458a..c707b99b5d 100644 --- a/templates/workspace_services/azureml/terraform/providers.tf +++ b/templates/workspace_services/azureml/terraform/providers.tf @@ -2,16 +2,12 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=3.117.0" + version = "=4.54.0" } azapi = { source = "Azure/azapi" version = "= 2.3.0" } - external = { - source = "hashicorp/external" - version = "= 2.3.5" - } random = { source = "hashicorp/random" version = "= 3.7.2" diff --git a/templates/workspace_services/azureml/terraform/roles.tf b/templates/workspace_services/azureml/terraform/roles.tf index 3d8c91d325..b9b62e4f83 100644 --- a/templates/workspace_services/azureml/terraform/roles.tf +++ b/templates/workspace_services/azureml/terraform/roles.tf 
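Review bot: Removing the four `AzureMachineLearning` Allow rules only blocks that traffic at the NSG if something else denies it, and the rule the hunk leaves in place above them, `allow_outbound_to_internet`, suggests the NSG still permits general outbound and the Azure Firewall change in template_schema.json is the real enforcement point. If that is the intent, a short comment on the remaining rule saying that AML service-tag egress is deliberately not allowed here and is blocked at the firewall would stop the rules from being re-added; if the NSG is meant to be a second layer, an explicit Deny in the priority slot that was freed makes the block declared rather than implied by the absence of an Allow. The `allow_outbound_to_internet` resource starts outside the hunk, so its `access` value could not be checked here.
```hcl
# Defence in depth: AML service-tag egress is blocked at the firewall; deny it here too
# so a later, broader Allow at a lower priority number cannot reopen it.
resource "azurerm_network_security_rule" "deny_outbound_to_aml" {
  access                      = "Deny"
  destination_address_prefix  = "AzureMachineLearning"
  destination_port_range      = "*"
  direction                   = "Outbound"
  name                        = "deny-to-aml"
  network_security_group_name = azurerm_network_security_group.aml.name
  priority                    = 106
  protocol                    = "*"
  resource_group_name         = data.azurerm_resource_group.ws.name
  source_address_prefix       = "*"
  source_port_range           = "*"
}
# … unchanged: allow_outbound_within_workspace_vnet …
```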
@@ -1,49 +1,62 @@ -data "azurerm_key_vault_secret" "workspace_client_id" { - name = "workspace-client-id" - key_vault_id = data.azurerm_key_vault.ws.id +# Role assignments for workspace researchers group +resource "azurerm_role_assignment" "researchers_aml_data_scientist" { + count = var.workspace_researchers_group_id != "" ? 1 : 0 + scope = azapi_resource.aml_workspace.output.id + role_definition_id = data.azurerm_role_definition.azure_ml_data_scientist.id + principal_id = var.workspace_researchers_group_id } -data "external" "app_role_members" { - program = ["bash", "${path.module}/get_app_role_members.sh"] +resource "azurerm_role_assignment" "researchers_reader" { + count = var.workspace_researchers_group_id != "" ? 1 : 0 + scope = azapi_resource.aml_workspace.output.id + role_definition_id = data.azurerm_role_definition.reader.id + principal_id = var.workspace_researchers_group_id +} - query = { - auth_client_id = var.auth_client_id - auth_client_secret = var.auth_client_secret - auth_tenant_id = var.auth_tenant_id - workspace_client_id = data.azurerm_key_vault_secret.workspace_client_id.value - azure_environment = var.azure_environment - } +resource "azurerm_role_assignment" "researchers_storage_blob_data_contributor" { + count = var.workspace_researchers_group_id != "" ? 1 : 0 + scope = azurerm_storage_account.aml.id + role_definition_id = data.azurerm_role_definition.storage_blob_data_contributor.id + principal_id = var.workspace_researchers_group_id } -data "azurerm_role_definition" "azure_ml_data_scientist" { - name = "AzureML Data Scientist" +resource "azurerm_role_assignment" "researchers_storage_file_data_contributor" { + count = var.workspace_researchers_group_id != "" ? 
1 : 0 + scope = azurerm_storage_account.aml.id + role_definition_id = data.azurerm_role_definition.storage_file_data_contributor.id + principal_id = var.workspace_researchers_group_id } -resource "azurerm_role_assignment" "app_role_members_aml_data_scientist" { - for_each = (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals)) +# Role assignments for workspace owners group +resource "azurerm_role_assignment" "owners_aml_data_scientist" { + count = var.workspace_owners_group_id != "" ? 1 : 0 scope = azapi_resource.aml_workspace.output.id role_definition_id = data.azurerm_role_definition.azure_ml_data_scientist.id - principal_id = each.value + principal_id = var.workspace_owners_group_id } -resource "azurerm_role_assignment" "app_role_members_reader" { - for_each = (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals)) +resource "azurerm_role_assignment" "owners_reader" { + count = var.workspace_owners_group_id != "" ? 1 : 0 scope = azapi_resource.aml_workspace.output.id role_definition_id = data.azurerm_role_definition.reader.id - principal_id = each.value + principal_id = var.workspace_owners_group_id } -resource "azurerm_role_assignment" "app_role_members_storage_blob_data_contributor" { - for_each = (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals)) +resource "azurerm_role_assignment" "owners_storage_blob_data_contributor" { + count = var.workspace_owners_group_id != "" ? 1 : 0 scope = azurerm_storage_account.aml.id role_definition_id = data.azurerm_role_definition.storage_blob_data_contributor.id - principal_id = each.value + principal_id = var.workspace_owners_group_id } -resource "azurerm_role_assignment" "app_role_members_storage_file_data_contributor" { - for_each = (data.external.app_role_members.result.principals == "") ? 
[] : toset(split("\n", data.external.app_role_members.result.principals)) +resource "azurerm_role_assignment" "owners_storage_file_data_contributor" { + count = var.workspace_owners_group_id != "" ? 1 : 0 scope = azurerm_storage_account.aml.id role_definition_id = data.azurerm_role_definition.storage_file_data_contributor.id - principal_id = each.value + principal_id = var.workspace_owners_group_id +} + +data "azurerm_role_definition" "azure_ml_data_scientist" { + name = "AzureML Data Scientist" } diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf index 42ba38b5d6..9c115e374f 100644 --- a/templates/workspace_services/azureml/terraform/storage.tf +++ b/templates/workspace_services/azureml/terraform/storage.tf @@ -7,6 +7,7 @@ resource "azurerm_storage_account" "aml" { table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false + shared_access_key_enabled = false tags = local.tre_workspace_service_tags network_rules { default_action = "Deny" diff --git a/templates/workspace_services/azureml/terraform/variables.tf b/templates/workspace_services/azureml/terraform/variables.tf index 66d82055d1..85af151c99 100644 --- a/templates/workspace_services/azureml/terraform/variables.tf +++ b/templates/workspace_services/azureml/terraform/variables.tf 
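Review bot: The `count = var.workspace_researchers_group_id != "" ? 1 : 0` guard on all eight new role assignments is unreachable as an off-switch once the validation blocks added to variables.tf in this same change reject empty and whitespace-only ids, and the two checks also disagree: a whitespace-only value passes `!= ""` but fails validation. Either drop the `count` lines so the assignments are unconditional, which matches the "groups are required" error message, or keep them and relax the validation; having both invites a future edit that relaxes validation and silently deploys a workspace with no RBAC. Replacing the `app_role_members_*` addresses rather than moving them means every existing per-user assignment is destroyed and the group assignments are created on upgrade, which is the intended clean-up but deserves a line in the BREAKING CHANGES entry. The `reader` and storage role-definition data sources used here are not in the hunk, presumably defined elsewhere in the module.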
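Review bot: `shared_access_key_enabled = false` only holds together if every data-plane consumer of this account is already on Entra ID auth, and two of them are outside this hunk: the AML workspace created by `azapi_resource.aml_workspace` needs identity-based system datastore auth (`systemDatastoresAuthMode` set to `identity`) or its default datastores stop working once the key is unusable, and any azurerm container or share resources in this module need `storage_use_azuread = true` on the provider, because the `use_azuread_auth` setting in porter.yaml's backendConfig covers state access only. Neither is visible in the diff, so both should be confirmed before merge. A comment on the new line would record the dependency, e.g. `# key auth disabled: all data-plane access goes through Entra ID RBAC (see roles.tf)`.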
@@ -22,25 +22,9 @@ variable "address_space" { variable "arm_tenant_id" { type = string } -variable "auth_tenant_id" { - type = string - description = "Used to authenticate into the AAD Tenant to get app role members" -} -variable "auth_client_id" { - type = string - description = "Used to authenticate into the AAD Tenant to get app role members" -} -variable "auth_client_secret" { - type = string - sensitive = true - description = "Used to authenticate into the AAD Tenant to get app role members" -} variable "arm_environment" { type = string } -variable "azure_environment" { - type = string -} variable "enable_cmk_encryption" { type = bool default = false @@ -51,3 +35,21 @@ variable "key_store_id" { variable "log_analytics_workspace_name" { type = string } +variable "workspace_owners_group_id" { + type = string + description = "Object ID of the workspace owners AAD group" + + validation { + condition = length(trimspace(var.workspace_owners_group_id)) > 0 + error_message = "workspace_owners_group_id must be provided; Entra ID workspace groups are required." + } +} +variable "workspace_researchers_group_id" { + type = string + description = "Object ID of the workspace researchers AAD group" + + validation { + condition = length(trimspace(var.workspace_researchers_group_id)) > 0 + error_message = "workspace_researchers_group_id must be provided; Entra ID workspace groups are required." + } +}
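Review bot: The validation blocks on `workspace_owners_group_id` and `workspace_researchers_group_id` only reject blank values, so a mistyped or non-GUID id passes plan and fails at apply when the role assignment is created. Since these are Entra ID object ids, a shape check costs one line: `condition = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.workspace_owners_group_id))`, with the same for the researchers variable. The descriptions say "AAD group" while the error messages say "Entra ID"; one term throughout reads better.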