tvstre-prod-main-v0.23.1

HOT FIX

PR 4620 fixes issue in upstream repo, fix included in v0.24.0.

The previously used version of the gnupg2 package in the base image is no longer available in the Ubuntu Jammy apt repositories. As a result, apt install fails during the cloud-init process when the VMSS instance for the resource processor starts. This causes the instance to become unhealthy. This update ensures continued compatibility by switching to the latest available version in Jammy.

Tag built from the feature branch to incorporate our OUH specific changes alongside all the relevant updates from the upstream v0.23.1 release.

tvstre-prod-main-v0.23.0

TVSTRE TRE v0.23.0 - Based on upstream v0.23.0

Tag built from the tvstre-prod-main branch to incorporate our OUH specific changes alongside all the relevant updates from the upstream v0.23.0 release.

Checks completed

• All changes specific to TVS TRE and from our custom commits still in place
• Changes from v0.23.0 include a breaking change that we have a plan for

tvstre-prod-main-v0.22.0

TVSTRE TRE v0.22.0 - Based on upstream v0.22.0

Tag built from the tvstre-prod-main branch to incorporate our OUH specific changes alongside all the relevant updates from teh upstream v0.22.0 release.

Checks completed

• All changes specific to TVS TRE and from our custom commits still in place
• Changes from v0.22.0 do not introduce a breaking change

v0.21.1

Rubrik Tagging Policy for Backup and Archival
Fix for - distutils is deprecated with python 3.12 and strtobool is not available in the base docker image anymore.

tvstre-prod-main-v0.21.2

v0.21.1

Implement Rubrik Tagging Policy and RP Fix (#1)

• Enhance storage account tags with backup and archive attributes. Also bring in fix based on resource processor bug.

See issue 4557 on upstream repo.

• Fix: update storage account tags for import and export resources

• Fix: update lifecycle ignore_changes for export storage account and bump version to 0.12.9

• Fix from upstream - Required ahead of upgrade to 0.23.

Refactor: replace strtobool with custom parse_bool function for better readability and maintainability; update version to 0.8.4

tvstre-prod-main-v0.21.2

Repoint to new tag and new branch based on a required new branch strategy for the TRE.

https://github.com/tvs-sde/TVSTRE_admin_docs/blob/main/upgrade_tre/TVSTRE_Git_Management_Strategy.md

v0.21.0

0.21.0

BREAKING CHANGES & MIGRATIONS:

• Workspace bundle uses infrastructure encryption on shared storage which will recreate storage share. Major version increase will prevent upgrade, do not force the upgrade unless you are fully aware of the consequences.

ENHANCEMENTS:

• Core key vault firewall should not be set to "Allow public access from all networks" (#4250)
• Allow workspace App Service Plan SKU to be updated (#4331)
• Add core requests endpoint and UI to enable requests to be managed TRE wide. ([#2510])
• Remove public IP from TRE's firewall when forced tunneling is configured (#4346)
• Upgrade AzureRM Terraform provider from 3.117.0 to 4.14.0. ([#4255])
• Subnet definitions are now inline in the azurerm_virtual_network resource, and NSG associations are set using security_group in each subnet block (no separate azurerm_subnet_network_security_group_association needed). ([#4255])
• Azure Cosmos DB should disable public network access (#4322)
• Add bundle target to Makefile for handling different bundle types in single command (#4372)
• Migrate UI to Vite build engine and update dependencies (#4368)
• Add Windows image field to the Admin VM template (#4274)
• Update TLS to the latest version for web apps / function apps (#4351)
• Set stairlockp Airlock Processor storage account firewall to "Enabled from selected virtual networks and IP addresses" (#4386)

BUG FIXES:

• Fix upgrade when porter install has failed (#4338)
• Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state (#4294)
• Fix Cosmos DB local debugging configuration (#4340)
• Add firewall rules to upgrade steps for Guacamole service (#4343)

v0.20.0

Upgrade TRE

• See changes from Microsoft upstream repo below.
• See AzureTRE-deployment repo for details on Oxford specific changes

0.20.0 (Feburary 9, 2025)

BREAKING CHANGES & MIGRATIONS:

• InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. (#4127)
• This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. (#4228)

FEATURES:

• Add support for customer-managed keys encryption. Core support (#4141, #4144), Base workspace (#4161), other templates (#4145)

ENHANCEMENTS:

• Disable storage account cross tenant replication (#4116)
• Key Vaults should use RBAC instead of access policies for access control (#4000)
• Split log entries with [Log chunk X of Y] for better readability. (#3992)
• Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF (#4111)
• Update Terraform to use Azure AD authentication rather than storage account keys (#4103)
• Consolidate Terraform upgrade scripts (#4099)
• Storage accounts should use infrastructure encryption (#4001)
• Update obsolete Terraform properties (#4136)
• Update Guacamole version and dependencies (#4140)
• Update the Azure CLI version to 2.67.0 in dev container and vmss (#4157)
• Move Github PR bot commands into main documentation (#4167)
• Block Authentication with keys to CosmosDB SQL account (#4175)
• Change the way "inherited" workspaces retrieve the base workspace code (#4162)
• Add option to configure auto shutdown for Linux VM (#4186)
• Add ability to download VSCode Extensions ([#4187])
• Update Windows VM Images (#4198)
• Enhance DPI of Linux display ([#4200])
• Update Admin VM versions ([#4217])
• Update devcontainer/RP/API package versions: base image, docker, az cli, YQ (#4225)
• Purge container repos individually in when using make tre-destroy (#4230)
• Upgrade Python version from 3.8 to 3.12 (#3949)Upgrade Python version from 3.8 to 3.12 (microsoft#3949)
• Disable storage account key usage ([#4227])
• Update Guacamole dependencies ([#4232])
• Add option to force tunnel TRE's Firewall (#4237)
• Add EventGrid diagnostics to identify airlock issues (#4258)
• Disable local authentication in ServiceBus (#4259)
• Allow enablement of Secure Boot and vTPM for Guacamole VMs (#4235)
• Surface the server-layout parameter of Guacamole server-layout (#4234)
• Add encryption at host for VMs (#4263)
• Downgrade certs shared service App Gateway to Basic SKU (#4300)
• Airlock function host storage to use the user-assigned managed identity (#4276)
• Disable local authentication in EventGrid (#4254)

BUG FIXES:

• Update KeyVault references in API to use the version so Terraform cascades the update (#4112)
• Template images are showing CVEs (#4153)
• Fix Dockerfile 'as' casting (#4170)
• Create policy to allow all user to configure color profiles to remove auth dialog. (#4184)
• Pre configure VS code option to prevent script failure (#4185)
• Increase size of Nexus VM, and derive Java VM memory limits from machine size (#4074)
• Enable symlinks to work on Linux VM shared storage (#4180)
• Upgrade aiohttp version for security fixes (#4197)
• Fix failing tests, .env missing and storage logs (#4207)
• Unable to delete virtual machines, add skip_shutdown_and_force_delete = true (#4135)
• Bump terraform version in windows VM template (#4212)
• Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue (#4004)
• Fix VM actions where Workspace shared storage doesn't allow shared key access (#4222)
• Fix public exposure in Guacamole service ([#4199])
• Fix Azure ML network tags to use name rather than ID ([#4151])
• Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL (#4288)
• Recreate tre_output.json if empty. ([#4292])
• Ensure R directory is present before attempting to update package mirror URL (#4332)

COMPONENTS:

name	version
devops	0.5.5
core	0.11.23
ui	0.6.3
tre-shared-service-databricks-private-auth	0.1.11
tre-shared-service-gitea	1.1.4
tre-shared-service-sonatype-nexus	3.3.2
tre-shared-service-firewall	1.3.0
tre-shared-service-admin-vm	0.5.2
tre-shared-service-certs	0.7.3
tre-shared-service-airlock-notifier	1.0.8
tre-shared-service-cyclecloud	0.7.2
tre-workspace-airlock-import-review	0.14.2
tre-workspace-base	1.9.2
tre-workspace-unrestricted	0.13.2
tre-workspace-service-gitea	1.2.2
tre-workspace-service-mysql	1.0.9
tre-workspace-service-health	0.2.11
tre-workspace-service-openai	1.0.6
tre-service-azureml	0.9.2
tre-user-resource-aml-compute-instance	0.5.11
tre-service-databricks	1.0.10
tre-workspace-service-azuresql	1.0.15
tre-service-guacamole	0.12.7
tre-service-guacamole-export-reviewvm	0.2.2
tre-service-guacamole-linuxvm	1.2.4
tre-service-guacamole-import-reviewvm	0.3.2
tre-service-guacamole-windowsvm	1.2.6
tre-workspace-service-ohdsi	0.3.2

v0.19.1

0.19.1

BREAKING CHANGES & MIGRATIONS:

• Workspace creation blocked due to Azure API depreciation (#4095)

ENHANCEMENTS:

• Update Unrestricted and Airlock Import Review workspaces to be built off the Base workspace 0.19.0 (#4087)
• Update Release Docs (part of #2727)
• Add info regarding workspace limit into docs (#3920)

BUG FIXES:

• Workspace creation blocked due to Azure API depreciation (#4095)

v0.19.0

0.19.0

FEATURES:

• Azure SQL Workspace Service (#3969)
• OpenAI Workspace Service (#3810)

ENHANCEMENTS:

• Add Case Study Docs (#1366)
• Ability to host TRE on a custom domain (#4014)
• Remove AppServiceFileAuditLogs diagnostic setting (#4033)
• Update to the Airlock Notifier Shared Service (#3909)

BUG FIXES:

• Removed 429 Error (Costs API) form presenting in UI (#3929)
• Fix numbering issue within bug_report.md template (#4028)
• Disable public network access to the API App Service (#3986)
• Fix Guacamole shared drive always enabled (#3885)
• Add Dependabot Security updates for July
• Update Docs to format emojis properly (#4027)
• Update API and Resource Processor opentelemetry versions (#4052)
• Fix broken links in new Case Study Docs
• Update Linux VM to stop screensaver locking out the user (#4065)
• Update .NET version on Linux VMs (#4067)

v0.18.0

Full Changelog: v0.17.0...v0.18.0

BREAKING CHANGES & MIGRATIONS:

• Update Core Terraform Provider versions (#3919)
• Introduction of config value enable_airlock_email_check, which defaults to false, this is a change in behaviour. If you require email addresses for users before an airlock request is created, set to true. (#3904)

FEATURES:

ENHANCEMENTS:

• Additional DataBrick IPs added (#3901)
• Add KeyVault Purge Protection Variable (#3922)
• Update Guacamole Windows 11 VM Image to 2Win11-23h2-pro (#3995)
• Make check for email addresses prior to an airlock request being created optional. (#3904)
• Add Firewall SKU variable (#3961)

BUG FIXES:

• Update Guacamole Linux VM Images to Ubuntu 22.04 LTS. Part of (#3523)
• Update Nexus Shared Service with new proxies. Part of (#3523)
• Update to Resource Processor Image, now using Ubuntu 22.04 (jammy). Part of (#3523)
• Remove TLS1.0/1.1 support from Application Gateway (#3914)
• GitHub Actions version updates. (#3847)
• Add workaround to avoid name clashes for storage accounts(#3863)
• Resource processor fails to deploy first workspace on fresh TRE deployment (#3950)
• Dependency and Vulnerability updates
• Fix Weak hashes (#3931)
• Add lifecycle rule to MySQL resources to stop them recreating on update (#3993)
• Fixes broken links on 'Using the Azure TRE -> Custom Templates' page of documentation ([#4003])
• Fix 'Renew Lets Encrypt Certificates' GitHub Action (#3978)
• Add lifecycle rule to the Gitea Shared Service template for the MySQL resource to stop it recreating on update (#4006)