Implement Rubrik Tagging Policy and RP Fix (#1)

* Enhance storage account tags with backup and archive attributes. Also bring in fix based on resource processor bug.

See issue 4557 on upstream repo.

* Fix: update storage account tags for import and export resources

* Fix: update lifecycle ignore_changes for export storage account and bump version to 0.12.9

* Fix from upstream - Required ahead of upgrade to 0.23.

Refactor: replace strtobool with custom parse_bool function for better readability and maintainability; update version to 0.8.4

---------

Co-authored-by: Jaimie Withers <jaimie.withers@bdi.ox.ac.uk>

Author: JaimieWi

airlock_processor/BlobCreatedTrigger/__init__.py

@@ -1,4 +1,3 @@
-from distutils.util import strtobool
 import logging
 import datetime
 import uuid
@@ -8,7 +7,7 @@
 
 import azure.functions as func
 
-from shared_code import constants
+from shared_code import constants, parsers
 from shared_code.blob_operations import get_blob_info_from_topic_and_subject, get_blob_client_from_blob_info
 
 
@@ -27,7 +26,7 @@ def main(msg: func.ServiceBusMessage,
     # message originated from in-progress blob creation
     if constants.STORAGE_ACCOUNT_NAME_IMPORT_INPROGRESS in topic or constants.STORAGE_ACCOUNT_NAME_EXPORT_INPROGRESS in topic:
         try:
-            enable_malware_scanning = strtobool(os.environ["ENABLE_MALWARE_SCANNING"])
+            enable_malware_scanning = parsers.parse_bool(os.environ["ENABLE_MALWARE_SCANNING"])
         except KeyError:
             logging.error("environment variable 'ENABLE_MALWARE_SCANNING' does not exists. Cannot continue.")
             raise

airlock_processor/ScanResultTrigger/__init__.py

@@ -1,12 +1,11 @@
-from distutils.util import strtobool
 import logging
 
 import azure.functions as func
 import datetime
 import uuid
 import json
 import os
-from shared_code import constants, blob_operations
+from shared_code import constants, blob_operations, parsers
 
 
 def main(msg: func.ServiceBusMessage,
@@ -18,7 +17,7 @@ def main(msg: func.ServiceBusMessage,
     status_message = None
 
     try:
-        enable_malware_scanning = strtobool(os.environ["ENABLE_MALWARE_SCANNING"])
+        enable_malware_scanning = parsers.parse_bool(os.environ["ENABLE_MALWARE_SCANNING"])
     except KeyError as e:
         logging.error("environment variable 'ENABLE_MALWARE_SCANNING' does not exists. cannot continue.")
         raise e

airlock_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.8.3"
+__version__ = "0.8.4"

airlock_processor/shared_code/parsers.py

@@ -0,0 +1,8 @@
+def parse_bool(val: str) -> bool:
+    """Convert a string representation of a boolean to a bool."""
+    val = val.lower()
+    if val in ('true', 't', 'yes', 'y', 'on', '1'):
+        return True
+    elif val in ('false', 'f', 'no', 'n', 'off', '0'):
+        return False
+    raise ValueError(f"Invalid boolean value: {val}")

core/terraform/airlock/storage_accounts.tf

@@ -107,10 +107,12 @@ resource "azurerm_storage_account" "sa_export_approved" {
   }
 
   tags = merge(var.tre_core_tags, {
-    description = "airlock;export;approved"
+    description = "airlock;export;approved",
+    backup      = "true",
+    archive     = "false"
   })
 
-  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled] }
 }
 
 resource "azurerm_private_endpoint" "stg_export_approved_pe" {

core/terraform/resource_processor/vmss_porter/cloud-config.yaml

@@ -87,7 +87,7 @@ runcmd:
   - printf '\nalias rpstatus='\''tmux new-session -d "watch docker ps"; tmux split-window -p 100 -v "docker logs --since 1m --follow resource_processor1"; tmux split-window -v -p 90; tmux -2 attach-session -d'\''\n' >> /etc/bash.bashrc
   - export DEBIAN_FRONTEND=noninteractive
   - az cloud set --name ${azure_environment}
-  - az login --identity -u ${vmss_msi_id}
+  - az login --identity --client-id ${vmss_msi_id}
   - az acr login --name ${docker_registry_server}
   - docker run -d -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock
     --restart always --env-file .env

core/version.txt

@@ -1 +1 @@
-__version__ = "0.12.7"
+__version__ = "0.12.9"

templates/workspaces/base/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.0.0
+version: 2.0.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspaces/base/terraform/airlock/storage_accounts.tf

@@ -43,7 +43,9 @@ resource "azurerm_storage_account" "sa_import_approved" {
   tags = merge(
     var.tre_workspace_tags,
     {
-      description = "airlock;import;approved"
+      description = "airlock;import;approved",
+      backup      = "true",
+      archive     = "false"
     }
   )