Remove need to provide client secret when creating workspace and remove Directory.Read.All Dependency from automation admin#4775
Conversation
…robi/issue2247
Unit Test Results672 tests 672 ✅ 8s ⏱️ Results for commit 25e3789. ♻️ This comment has been updated with latest results. |
marrobi
changed the title
marrobi
changed the title
There was a problem hiding this comment.
Pull request overview
This PR removes the requirement for users to provide a client secret when creating workspaces and eliminates the Directory.Read.All Microsoft Graph permission dependency from the automation admin identity. The changes introduce automatic workspace app provisioning/import via Terraform with built-in password rotation, simplify the API by removing the extract_workspace_auth_information function, and update all related documentation and scripts.
Key changes include:
- Terraform now provisions or imports the workspace Entra ID app automatically with dual password rotation using
azuread_application_passwordresources - API no longer requires Directory.Read.All permissions as workspace auth information is handled via Terraform outputs
- Major version bump for base workspace bundle (2.8.0 → 3.0.0) due to breaking changes
Reviewed changes
Copilot reviewed 37 out of 38 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| templates/workspaces/base/terraform/workspace.tf | Adds import block for existing workspace apps and removes conditional AAD module creation |
| templates/workspaces/base/terraform/variables.tf | Removes register_aad_application and client_secret variables |
| templates/workspaces/base/terraform/providers.tf | Adds hashicorp/time provider for password rotation |
| templates/workspaces/base/terraform/outputs.tf | Simplifies outputs to always reference AAD module directly |
| templates/workspaces/base/terraform/keyvault.tf | Removes manual client_id and client_secret key vault secret resources |
| templates/workspaces/base/terraform/aad/variables.tf | Adds client_id variable, changes create_aad_groups type to bool |
| templates/workspaces/base/terraform/aad/providers.tf | Adds time provider requirement |
| templates/workspaces/base/terraform/aad/aad.tf | Implements dual password rotation with primary/secondary passwords and intelligent current password selection |
| templates/workspaces/base/terraform/.terraform.lock.hcl | Adds lock file entry for time provider v0.11.0 |
| templates/workspaces/base/template_schema.json | Removes client_secret from schema and moves create_aad_groups to top level |
| templates/workspaces/base/porter.yaml | Major version bump to 3.0.0, removes register_aad_application and client_secret parameters |
| api_app/services/authentication.py | Removes extract_auth_information function |
| api_app/services/access_service.py | Removes extract_workspace_auth_information abstract method |
| api_app/services/aad_authentication.py | Removes _get_app_auth_info and extract_workspace_auth_information implementation |
| api_app/db/repositories/workspaces.py | Removes auth_info parameter from create_workspace_item |
| api_app/api/routes/workspaces.py | Removes extract_auth_information call and auth_info parameter |
| api_app/_version.py | Minor version bump to 0.25.5 |
| api_app/tests_ma/test_services/test_aad_access_service.py | Removes tests for extract_workspace_auth_information |
| api_app/tests_ma/test_db/test_repositories/test_workpaces_repository.py | Updates test calls to remove auth_info parameter |
| api_app/tests_ma/test_api/test_routes/test_workspaces.py | Removes extract_auth_information mock patches |
| api_app/tests_ma/test_api/test_routes/test_workspace_users.py | Removes auth_info parameter from sample_workspace |
| docs/tre-developers/end-to-end-tests.md | Adds instructions for adding automation admin as workspace app owner |
| docs/tre-admins/setup-instructions/ui-install-base-workspace.md | Simplifies workspace app creation script usage |
| docs/tre-admins/setup-instructions/installing-base-workspace.md | Removes client_secret from workspace creation example |
| docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md | Removes TEST_WORKSPACE_APP_SECRET from required secrets |
| docs/tre-admins/identities/workspace.md | Removes client secret references and simplifies workspace app creation |
| docs/tre-admins/identities/application_admin.md | Updates required permissions from Directory.Read.All to Group.Read.All and User.ReadBasic.All |
| docs/tre-admins/environment-variables.md | Updates permission descriptions for auto workspace features |
| docs/tre-admins/auth.md | Updates permission descriptions and removes workspace_api_client_secret |
| devops/scripts/setup_local_debugging.sh | Removes TEST_WORKSPACE_APP_SECRET from environment setup |
| devops/scripts/create_aad_assets.sh | Removes Directory.Read.All from AUTO_WORKSPACE_APP_REGISTRATION permissions and removes automatic workspace app creation |
| devops/scripts/aad/wait_for_new_app_registration.sh | Minor cleanup removing echo statement |
| devops/scripts/aad/create_workspace_application.sh | Significantly simplified to only create minimal app registration without consent/permission setup |
| devops/scripts/aad/add_automation_admin_to_workspace_application.sh | New script for adding automation admin as workspace app owner |
| core/terraform/outputs.sh | Removes TEST_WORKSPACE_APP_SECRET from private.env |
| config_schema.json | Removes workspace_api_client_secret from schema |
| config.sample.yaml | Updates permission descriptions in comments |
Files not reviewed (1)
- templates/workspaces/base/terraform/.terraform.lock.hcl: Language not supported
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21351779214 (with refid (in response to this comment from @marrobi) |
|
/test-extended 1cac0eb |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21354756330 (with refid (in response to this comment from @marrobi) |
|
/test-extended 6769d1a |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21377968136 (with refid (in response to this comment from @marrobi) |
# Conflicts: # .github/linters/.tflint.hcl # .github/linters/.tflint_workspaces.hcl # CHANGELOG.md # api_app/_version.py # core/version.txt # docs/tre-admins/auth.md # docs/tre-admins/environment-variables.md # docs/tre-admins/identities/application_admin.md # docs/tre-admins/identities/workspace.md # docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md # docs/tre-admins/setup-instructions/workflows.md # docs/tre-developers/end-to-end-tests.md # docs/tre-templates/workspaces/base.md # templates/workspaces/airlock-import-review/porter.yaml # templates/workspaces/base/porter.yaml # templates/workspaces/unrestricted/porter.yaml
…ror handling; remove deprecated redirect URL update script.
…fiers and improve role ID imports
|
/test-extended ec8d3a9 |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/22956322878 (with refid (in response to this comment from @marrobi) |
1 similar comment
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/22956322878 (with refid (in response to this comment from @marrobi) |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/22956322878 (with refid (in response to this comment from @marrobi) |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 75 out of 76 changed files in this pull request and generated 5 comments.
Files not reviewed (1)
- templates/workspaces/base/terraform/.terraform.lock.hcl: Language not supported
Comments suppressed due to low confidence (1)
api_app/services/aad_authentication.py:604
- The comment above
_get_app_auth_infosaysauth_type=Manual"requires Directory.Read.All", but the code path is Graph application/service principal lookup and the PR explicitly removesDirectory.Read.Allfrom required permissions. Please update this comment to reflect the actual permission dependency (e.g.,Application.Read.All/Application.ReadWrite.All) to avoid misleading operators.
# DEPRECATED: Remove when workspace base bundles < 3.0.0 are no longer supported.
# This method is only needed for auth_type=Manual which requires Directory.Read.All.
def _get_app_auth_info(self, client_id: str) -> dict:
graph_data = self._get_app_sp_graph_data(client_id)
if 'value' not in graph_data or len(graph_data['value']) == 0:
logger.debug(graph_data)
raise AuthConfigValidationError(f"{strings.ACCESS_UNABLE_TO_GET_INFO_FOR_APP} {client_id}")
| if [ "${AUTO_WORKSPACE_APP_REGISTRATION:-}" == true ]; then | ||
| APPLICATION_PERMISSIONS+=("Application.ReadWrite.All" "Directory.Read.All") | ||
| APPLICATION_PERMISSIONS+=("Application.ReadWrite.All") | ||
| fi | ||
|
|
||
| if [ "${AUTO_WORKSPACE_GROUP_CREATION:-}" == true ]; then | ||
| APPLICATION_PERMISSIONS+=("Group.Create") | ||
| APPLICATION_PERMISSIONS+=("Group.Create" "Group.Read.All" "User.ReadBasic.All") | ||
| fi | ||
|
|
||
| if [ "${AUTO_GRANT_WORKSPACE_CONSENT:-}" == true ]; then | ||
| APPLICATION_PERMISSIONS+=("Application.ReadWrite.All" "DelegatedPermissionGrant.ReadWrite.All") | ||
| APPLICATION_PERMISSIONS+=("DelegatedPermissionGrant.ReadWrite.All") | ||
| fi |
There was a problem hiding this comment.
create_aad_assets.sh no longer adds Application.ReadWrite.All when AUTO_GRANT_WORKSPACE_CONSENT=true (it only adds DelegatedPermissionGrant.ReadWrite.All). Several docs/comments in this PR still state that enabling auto-grant consent grants both permissions, and setups with consent enabled but auto workspace app registration disabled may now be missing required permissions. Either update the docs/comments to match the new behavior or add Application.ReadWrite.All in this branch to keep the documented contract.
| ## Manually created workspace application for targeted tests | ||
|
|
||
| Most E2E suites now rely on automatically created workspace applications, so you no longer need to provision a manual app registration for standard runs. | ||
|
|
||
| The `test_manually_created_application_owner_token` test (included in the `extended` marker set) exercises the manual-authentication flow. Its fixture automatically runs `devops/scripts/aad/create_workspace_application.sh` to create or reuse a workspace application before deploying the test workspace. | ||
|
|
||
| Ensure `az` CLI is installed, you are logged in to the correct tenant (`az login -t <tenant>`), and `APPLICATION_ADMIN_CLIENT_ID` (the application admin app registration) is configured so the script can add the necessary owner. | ||
|
|
||
| Run `make test-e2e-custom SELECTOR='manual_app'` to exercise the same flow. |
There was a problem hiding this comment.
This section references a test_manually_created_application_owner_token test in the extended marker set, but the PR adds e2e_tests/test_manual_workspace.py::test_manually_created_application_workspace marked with @pytest.mark.manual_app (and the new /test-manual-app command). Please update the doc to match the actual test name/marker so contributors can run the right suite.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
| }, | ||
| { | ||
| "name": "client_secret", | ||
| "source": { | ||
| "env": "CLIENT_SECRET" | ||
| } | ||
| }, |
There was a problem hiding this comment.
parameters.json still defines a client_secret parameter sourced from CLIENT_SECRET, but the workspace bundles removed the client_secret parameter from porter.yaml/template schema. This mismatch is likely to cause Porter to fail bundle execution due to an unknown parameter. Remove the client_secret entry from this parameter set (and any related env var wiring) to match the new bundle interface.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
Remove auth_type field entirely from template_schema.json. The new approach makes client_id an always-visible optional top-level field - if provided, Terraform imports the existing AAD app; if empty, Terraform creates one automatically. This eliminates the deprecated API-side Graph validation that blocked workspace creation with bare app registrations. Also moves aad_redirect_uris and create_aad_groups to regular top-level properties (no longer conditional on auth_type). Fixes microsoft#2247
Summary
Removes the requirement for users to provide a client secret when creating workspaces and eliminates the
Directory.Read.AllMicrosoft Graph permission from the automation admin identity.Changes
azuread_application_passwordresourcesextract_workspace_auth_informationfunction - workspace auth info is now handled through Terraform outputsclient_secret,register_aad_application,scope_id,sp_id,app_role_id_*add_automation_admin_to_workspace_application.shfor adding automation admin as workspace app ownerDirectory.Read.Allno longer required; onlyApplication.ReadWrite.All,Group.Create,Group.Read.All,User.ReadBasic.All,DelegatedPermissionGrant.ReadWrite.All(depending on configuration)Migration
client_secretneeded; optionally provideclient_idto reuse an existing appCloses #2247