Remove need to provide client secret when creating workspace and remove Directory.Read.All Dependency from automation admin #4775
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…robi/issue2247
Unit Test Results669 tests 669 ✅ 8s ⏱️ Results for commit 6769d1a. ♻️ This comment has been updated with latest results. |
marrobi
changed the title
3 tasks
marrobi
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes the requirement for users to provide a client secret when creating workspaces and eliminates the Directory.Read.All Microsoft Graph permission dependency from the automation admin identity. The changes introduce automatic workspace app provisioning/import via Terraform with built-in password rotation, simplify the API by removing the extract_workspace_auth_information function, and update all related documentation and scripts.
Key changes include:
- Terraform now provisions or imports the workspace Entra ID app automatically with dual password rotation using
azuread_application_passwordresources - API no longer requires Directory.Read.All permissions as workspace auth information is handled via Terraform outputs
- Major version bump for base workspace bundle (2.8.0 → 3.0.0) due to breaking changes
Reviewed changes
Copilot reviewed 37 out of 38 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| templates/workspaces/base/terraform/workspace.tf | Adds import block for existing workspace apps and removes conditional AAD module creation |
| templates/workspaces/base/terraform/variables.tf | Removes register_aad_application and client_secret variables |
| templates/workspaces/base/terraform/providers.tf | Adds hashicorp/time provider for password rotation |
| templates/workspaces/base/terraform/outputs.tf | Simplifies outputs to always reference AAD module directly |
| templates/workspaces/base/terraform/keyvault.tf | Removes manual client_id and client_secret key vault secret resources |
| templates/workspaces/base/terraform/aad/variables.tf | Adds client_id variable, changes create_aad_groups type to bool |
| templates/workspaces/base/terraform/aad/providers.tf | Adds time provider requirement |
| templates/workspaces/base/terraform/aad/aad.tf | Implements dual password rotation with primary/secondary passwords and intelligent current password selection |
| templates/workspaces/base/terraform/.terraform.lock.hcl | Adds lock file entry for time provider v0.11.0 |
| templates/workspaces/base/template_schema.json | Removes client_secret from schema and moves create_aad_groups to top level |
| templates/workspaces/base/porter.yaml | Major version bump to 3.0.0, removes register_aad_application and client_secret parameters |
| api_app/services/authentication.py | Removes extract_auth_information function |
| api_app/services/access_service.py | Removes extract_workspace_auth_information abstract method |
| api_app/services/aad_authentication.py | Removes _get_app_auth_info and extract_workspace_auth_information implementation |
| api_app/db/repositories/workspaces.py | Removes auth_info parameter from create_workspace_item |
| api_app/api/routes/workspaces.py | Removes extract_auth_information call and auth_info parameter |
| api_app/_version.py | Minor version bump to 0.25.5 |
| api_app/tests_ma/test_services/test_aad_access_service.py | Removes tests for extract_workspace_auth_information |
| api_app/tests_ma/test_db/test_repositories/test_workpaces_repository.py | Updates test calls to remove auth_info parameter |
| api_app/tests_ma/test_api/test_routes/test_workspaces.py | Removes extract_auth_information mock patches |
| api_app/tests_ma/test_api/test_routes/test_workspace_users.py | Removes auth_info parameter from sample_workspace |
| docs/tre-developers/end-to-end-tests.md | Adds instructions for adding automation admin as workspace app owner |
| docs/tre-admins/setup-instructions/ui-install-base-workspace.md | Simplifies workspace app creation script usage |
| docs/tre-admins/setup-instructions/installing-base-workspace.md | Removes client_secret from workspace creation example |
| docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md | Removes TEST_WORKSPACE_APP_SECRET from required secrets |
| docs/tre-admins/identities/workspace.md | Removes client secret references and simplifies workspace app creation |
| docs/tre-admins/identities/application_admin.md | Updates required permissions from Directory.Read.All to Group.Read.All and User.ReadBasic.All |
| docs/tre-admins/environment-variables.md | Updates permission descriptions for auto workspace features |
| docs/tre-admins/auth.md | Updates permission descriptions and removes workspace_api_client_secret |
| devops/scripts/setup_local_debugging.sh | Removes TEST_WORKSPACE_APP_SECRET from environment setup |
| devops/scripts/create_aad_assets.sh | Removes Directory.Read.All from AUTO_WORKSPACE_APP_REGISTRATION permissions and removes automatic workspace app creation |
| devops/scripts/aad/wait_for_new_app_registration.sh | Minor cleanup removing echo statement |
| devops/scripts/aad/create_workspace_application.sh | Significantly simplified to only create minimal app registration without consent/permission setup |
| devops/scripts/aad/add_automation_admin_to_workspace_application.sh | New script for adding automation admin as workspace app owner |
| core/terraform/outputs.sh | Removes TEST_WORKSPACE_APP_SECRET from private.env |
| config_schema.json | Removes workspace_api_client_secret from schema |
| config.sample.yaml | Updates permission descriptions in comments |
Files not reviewed (1)
- templates/workspaces/base/terraform/.terraform.lock.hcl: Language not supported
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Member
Author
|
/test-extended be1b46c |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21281770962 (with refid (in response to this comment from @marrobi) |
Member
Author
|
/test-extended aa72c7a |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21286771080 (with refid (in response to this comment from @marrobi) |
- Use Application Admin credentials for direct app role assignment via Graph API - Application Admin owns workspace service principals and can assign roles immediately - Direct assignment bypasses AAD group propagation delays (5-15+ min) - Revert _is_user_in_role to user-only (service principal support not needed for API) - Simplify _add_user_to_group by using _ms_graph_query helper - Update unit tests to match current implementation - Remove unused _get_assignable_user_id function and global cache
Member
Author
|
/test-extended 49518a5 |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21294548197 (with refid (in response to this comment from @marrobi) |
- Use Application Admin credentials for direct app role assignment via Graph API - Application Admin owns workspace service principals and can assign roles immediately - Direct assignment bypasses AAD group propagation delays (5-15+ min) - Revert _is_user_in_role to user-only (service principal support not needed for API) - Simplify _add_user_to_group by using _ms_graph_query helper - Update unit tests to match current implementation - Remove unused _get_assignable_user_id function and global cache
… into marrobi/issue2247
- Add APPLICATION_ADMIN_CLIENT_ID and APPLICATION_ADMIN_CLIENT_SECRET env vars to devcontainer action - Pass APPLICATION_ADMIN secrets to E2E test steps in deploy_tre_reusable.yml
Member
Author
|
/test-extended 5b371c5 |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21300416465 (with refid (in response to this comment from @marrobi) |
Member
Author
|
/test-extended 5b371c5 |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21351779214 (with refid (in response to this comment from @marrobi) |
Member
Author
|
/test-extended 1cac0eb |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21354756330 (with refid (in response to this comment from @marrobi) |
Member
Author
|
/test-extended 6769d1a |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21377968136 (with refid (in response to this comment from @marrobi) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Removes the requirement for users to provide a client secret when creating workspaces and eliminates the
Directory.Read.AllMicrosoft Graph permission from the automation admin identity.Changes
azuread_application_passwordresourcesextract_workspace_auth_informationfunction - workspace auth info is now handled through Terraform outputsclient_secret,register_aad_application,scope_id,sp_id,app_role_id_*add_automation_admin_to_workspace_application.shfor adding automation admin as workspace app ownerDirectory.Read.Allno longer required; onlyApplication.ReadWrite.All,Group.Create,Group.Read.All,User.ReadBasic.All,DelegatedPermissionGrant.ReadWrite.All(depending on configuration)Migration
client_secretneeded; optionally provideclient_idto reuse an existing appCloses #2247