Disable EventGrid local auth

microsoft · Jan 19, 2025 · bc88cbe · bc88cbe
1 parent 92d47e7
commit bc88cbe
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -36,6 +36,7 @@ ENHANCEMENTS:
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
+* Disable local authentication in EventGrid ([[#4254](https://github.com/microsoft/AzureTRE/issues/4254)])
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -11,15 +11,13 @@
     {
       "type": "eventGrid",
       "name": "stepResultEvent",
-      "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
-      "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+      "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
       "direction": "out"
     },
     {
       "type": "eventGrid",
       "name": "dataDeletionEvent",
-      "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
-      "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+      "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
       "direction": "out"
     }
   ]

diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.0"
+__version__ = "0.8.3"
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -69,10 +69,6 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     "SB_CONNECTION_STRING"                       = var.airlock_servicebus.default_primary_connection_string
     "BLOB_CREATED_TOPIC_NAME"                    = azurerm_servicebus_topic.blob_created.name
     "TOPIC_SUBSCRIPTION_NAME"                    = azurerm_servicebus_subscription.airlock_processor.name
-    "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING"   = azurerm_eventgrid_topic.step_result.endpoint
-    "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING"   = azurerm_eventgrid_topic.step_result.primary_access_key
-    "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
-    "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
     "WEBSITES_ENABLE_APP_SERVICE_STORAGE"        = false
     "AIRLOCK_STATUS_CHANGED_QUEUE_NAME"          = local.status_changed_queue_name
     "AIRLOCK_SCAN_RESULT_QUEUE_NAME"             = local.scan_result_queue_name
@@ -85,6 +81,16 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     "STORAGE_ENDPOINT_SUFFIX"                    = module.terraform_azurerm_environment_configuration.storage_suffix
     "AzureWebJobsStorage__clientId"              = azurerm_user_assigned_identity.airlock_id.client_id
     "AzureWebJobsStorage__credential"            = "managedidentity"
+
+    "EVENT_GRID_STEP_RESULT_CONNECTION"                           = local.step_result_eventgrid_connection
+    "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint
+    "${local.step_result_eventgrid_connection}__credential"       = "managedidentity"
+    "${local.step_result_eventgrid_connection}__clientId"         = azurerm_user_assigned_identity.airlock_id.client_id
+
+    "EVENT_GRID_DATA_DELETION_CONNECTION"                           = local.data_deletion_eventgrid_connection
+    "${local.data_deletion_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.data_deletion.endpoint
+    "${local.data_deletion_eventgrid_connection}__credential"       = "managedidentity"
+    "${local.data_deletion_eventgrid_connection}__clientId"         = azurerm_user_assigned_identity.airlock_id.client_id
   }
 
   site_config {

diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
@@ -6,6 +6,7 @@ resource "azurerm_eventgrid_topic" "step_result" {
   location                      = var.location
   resource_group_name           = var.resource_group_name
   public_network_access_enabled = var.enable_local_debugging
+  local_auth_enabled            = false
 
   identity {
     type = "SystemAssigned"
@@ -60,6 +61,7 @@ resource "azurerm_eventgrid_topic" "status_changed" {
   location                      = var.location
   resource_group_name           = var.resource_group_name
   public_network_access_enabled = var.enable_local_debugging
+  local_auth_enabled            = false
 
   identity {
     type = "SystemAssigned"
@@ -113,6 +115,7 @@ resource "azurerm_eventgrid_topic" "data_deletion" {
   location                      = var.location
   resource_group_name           = var.resource_group_name
   public_network_access_enabled = var.enable_local_debugging
+  local_auth_enabled            = false
 
   identity {
     type = "SystemAssigned"
@@ -163,6 +166,7 @@ resource "azurerm_eventgrid_topic" "scan_result" {
   resource_group_name = var.resource_group_name
   # This is mandatory for the scan result to be published since private networks are not supported yet
   public_network_access_enabled = true
+  local_auth_enabled            = false
 
   identity {
     type = "SystemAssigned"
@@ -323,6 +327,7 @@ resource "azurerm_eventgrid_topic" "airlock_notification" {
   location                      = var.location
   resource_group_name           = var.resource_group_name
   public_network_access_enabled = var.enable_local_debugging
+  local_auth_enabled            = false
 
   identity {
     type = "SystemAssigned"

diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "servicebus_receiver" {
   principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
 }
 
-resource "azurerm_role_assignment" "eventgrid_data_sender" {
+resource "azurerm_role_assignment" "eventgrid_data_sender_status_changed" {
   scope                = azurerm_eventgrid_topic.status_changed.id
   role_definition_name = "EventGrid Data Sender"
   principal_id         = var.api_principal_id
@@ -37,6 +37,18 @@ resource "azurerm_role_assignment" "eventgrid_data_sender_notification" {
   principal_id         = var.api_principal_id
 }
 
+resource "azurerm_role_assignment" "eventgrid_data_sender_step_result" {
+  scope                = azurerm_eventgrid_topic.step_result.id
+  role_definition_name = "EventGrid Data Sender"
+  principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
+resource "azurerm_role_assignment" "eventgrid_data_sender_data_deletion" {
+  scope                = azurerm_eventgrid_topic.data_deletion.id
+  role_definition_name = "EventGrid Data Sender"
+  principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
 resource "azurerm_role_assignment" "airlock_blob_data_contributor" {
   count                = length(local.airlock_sa_blob_data_contributor)
   scope                = local.airlock_sa_blob_data_contributor[count.index]

diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
@@ -60,4 +60,7 @@ locals {
     azurerm_storage_account.sa_import_in_progress.id,
     azurerm_storage_account.sa_export_approved.id
   ]
+
+  step_result_eventgrid_connection = "EVENT_GRID_STEP_RESULT_CONNECTION"
+  data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.18"
+__version__ = "0.11.19"