From 389754a6854a3c20f8424a3d03c48f9359f2e851 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 10:14:36 +0000 Subject: [PATCH 1/9] Initial plan From 59b34763e4ecaf2cee881791da31d6f8872c2fb2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 10:24:06 +0000 Subject: [PATCH 2/9] Remove custom_domain setting and consolidate into tre_url Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com> --- config.sample.yaml | 6 ++-- config_schema.json | 4 +-- core/terraform/scripts/letsencrypt.sh | 1 + devops/scripts/aad/create_api_application.sh | 29 ++++++++++++-------- devops/scripts/create_aad_assets.sh | 3 +- devops/scripts/extract_domain_from_url.sh | 19 +++++++++++++ devops/scripts/load_and_validate_env.sh | 17 +++++++++++- 7 files changed, 61 insertions(+), 18 deletions(-) create mode 100644 devops/scripts/extract_domain_from_url.sh diff --git a/config.sample.yaml b/config.sample.yaml index 1d27f4aa11..f521faee4d 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -66,8 +66,10 @@ tre: # allowed_dns: # - mydomain.com. - # Uncomment to deploy to a custom domain - # custom_domain: __CHANGE_ME__ + # Uncomment to deploy to a custom domain. If set, this should be the full TRE URL + # (e.g., https://mytre.example.com). If not set, the TRE URL will be constructed + # automatically based on tre_id and location. + # tre_url: __CHANGE_ME__ # Uncomment to enable vnet exception for the subnet to access private resources like TRE key vault and management storage account. # private_agent_subnet_id: __CHANGE_ME__ diff --git a/config_schema.json b/config_schema.json index 39b3f64f0a..175f70aa90 100644 --- a/config_schema.json +++ b/config_schema.json 
@@ -109,8 +109,8 @@ "description": "SKU of the Azure Bastion.", "type": "string" }, - "custom_domain": { - "description": "Custom domain name.", + "tre_url": { + "description": "Custom TRE URL (full URL including https://). If not specified, will be constructed automatically.", "type": "string" }, "enable_cmk_encryption": { diff --git a/core/terraform/scripts/letsencrypt.sh b/core/terraform/scripts/letsencrypt.sh index b29519f7dd..893978c054 100755 --- a/core/terraform/scripts/letsencrypt.sh +++ b/core/terraform/scripts/letsencrypt.sh @@ -69,6 +69,7 @@ ledir=$(pwd)/letsencrypt mkdir -p "${ledir}/logs" CERT_FQDN=$FQDN +# CUSTOM_DOMAIN is automatically extracted from TRE_URL by load_and_validate_env.sh if [[ -n "$CUSTOM_DOMAIN" ]]; then CERT_FQDN=$CUSTOM_DOMAIN fi diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh index 024b086bc7..b76b46c968 100755 --- a/devops/scripts/aad/create_api_application.sh +++ b/devops/scripts/aad/create_api_application.sh @@ -5,6 +5,13 @@ set -euo pipefail # AZURE_CORE_OUTPUT=jsonc # force CLI output to JSON for the script (user can still change default for interactive usage in the dev container) +# Get the directory that this script is in +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + +# Source the helper function for extracting domain from URL +# shellcheck disable=SC1091 +source "${SCRIPT_DIR}/../extract_domain_from_url.sh" + function show_usage() { cat << USAGE 
@@ -18,14 +25,15 @@ Usage: $0 -n [-r ] [-a] [-s] [--automation-account] Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One". -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app. + If the URL contains a custom domain, it will be used automatically. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. Requires directory admin privileges to the Azure AD in question. -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 - -d,--custom-domain Optional, custom domain, used to construct auth redirection URLs (in addition to --tre-url) Examples: - 1. $0 -n TRE -r https://mytre.region.cloudapp.azure.com -a + 1. $0 -n TRE -u https://mytre.region.cloudapp.azure.com -a + 2. $0 -n TRE -u https://mytre.example.com -a (with custom domain) Using an Automation account 3. $0 --name 'TRE' --tre-url https://mytre.region.cloudapp.azure.com --admin-consent --automation-account @@ -84,10 +92,6 @@ while [[ $# -gt 0 ]]; do resetPassword=$2 shift 2 ;; - -d|--custom-domain) - customDomain=$2 - shift 2 - ;; *) echo "Invalid option: $1." show_usage 
@@ -249,11 +253,14 @@ redirectUris="\"http://localhost:8000/api/docs/oauth2-redirect\", \"http://local if [[ -n ${treUrl} ]]; then echo "Adding reply/redirect URL \"${treUrl}\" to \"${appName}\"" redirectUris="${redirectUris}, \"${treUrl}\", \"${treUrl}/api/docs/oauth2-redirect\"" -fi -if [[ -n ${customDomain} ]]; then - customDomainUrl="https://${customDomain}" - echo "Adding reply/redirect URL \"${customDomainUrl}\" to \"${appName}\"" - redirectUris="${redirectUris}, \"${customDomainUrl}\", \"${customDomainUrl}/api/docs/oauth2-redirect\"" + + # Check if this is a custom domain (not the default cloudapp.azure.com pattern) + # If so, we don't need to add it again as it's already the main URL + treUrlDomain=$(extract_domain_from_url "${treUrl}") + if [[ "${treUrlDomain}" != *".cloudapp.azure.com" && "${treUrlDomain}" != *".cloudapp.usgovcloudapi.net" ]]; then + echo "Detected custom domain in TRE URL: ${treUrlDomain}" + # The custom domain URL is already included as the main treUrl, no need to add separately + fi fi uxAppDefinition=$(jq -c . << JSON diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index f7c80f92ef..39513a3291 100755 --- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh @@ -71,8 +71,7 @@ APPLICATION_PERMISSION=$(IFS=,; echo "${APPLICATION_PERMISSIONS[*]}") --name "${TRE_ID}" \ --tre-url "${TRE_URL}" \ --admin-consent --automation-clientid "${TEST_ACCOUNT_CLIENT_ID}" \ - --reset-password $RESET_PASSWORDS \ - --custom-domain "${CUSTOM_DOMAIN}" + --reset-password $RESET_PASSWORDS if [ "${AUTO_WORKSPACE_APP_REGISTRATION:=false}" == false ]; then # Load the new values back in diff --git a/devops/scripts/extract_domain_from_url.sh b/devops/scripts/extract_domain_from_url.sh new file mode 100644 index 0000000000..b48e1e32d3 --- /dev/null +++ b/devops/scripts/extract_domain_from_url.sh 
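Review bot: The custom-domain branch added inside `if [[ -n ${treUrl} ]]; then` computes `treUrlDomain` and then only echoes it; `redirectUris` is never touched by it, so the new `if [[ "${treUrlDomain}" != *".cloudapp.azure.com" ... ]]` block has no effect on the app registration and reads as dead code. Before this change a custom domain was registered as a redirect URI in addition to `--tre-url`, so the registration held both the cloudapp URL and the custom one; with `--custom-domain` removed only whatever `--tre-url` carries is registered, and when `create_aad_assets.sh` passes a custom `TRE_URL` the default cloudapp redirect is no longer added — confirm that sign-in through the default FQDN is not expected to keep working. If the detection is only meant as a log line, drop the unused comparison and keep a single `echo "Using TRE URL ${treUrl} for redirect URIs"`; otherwise append the constructed default URL to `redirectUris` alongside the custom one. Quoting `"${treUrl}"` in the tests would also keep shellcheck quiet, although `[[ ]]` does not word-split.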
@@ -0,0 +1,19 @@ +#!/bin/bash + +# This script is designed to be `source`d to create reusable helper functions + +function extract_domain_from_url() +{ + url=$1 + + # Remove protocol (http:// or https://) + domain=$(echo "$url" | sed -E 's|^https?://||') + + # Remove path and query parameters (everything after the first /) + domain=$(echo "$domain" | sed 's|/.*||') + + # Remove port if present (everything after the first :) + domain=$(echo "$domain" | sed 's|:.*||') + + echo "$domain" +} \ No newline at end of file diff --git a/devops/scripts/load_and_validate_env.sh b/devops/scripts/load_and_validate_env.sh index 92a56eaff6..dbdb267399 100755 --- a/devops/scripts/load_and_validate_env.sh +++ b/devops/scripts/load_and_validate_env.sh @@ -11,6 +11,8 @@ set -o nounset # shellcheck disable=SC1091 source "${DIR}"/construct_tre_url.sh # shellcheck disable=SC1091 +source "${DIR}"/extract_domain_from_url.sh +# shellcheck disable=SC1091 source "${DIR}"/convert_azure_env_to_arm_env.sh if [ ! -f "config.yaml" ]; then @@ -88,8 +90,21 @@ else export ARM_ENVIRONMENT export TF_VAR_arm_environment="${ARM_ENVIRONMENT}" - TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}") + # Set TRE_URL - either from config or constructed automatically + if [[ -n "${TRE_URL:-}" ]]; then + # TRE_URL was provided in config, use it as-is + echo "Using TRE_URL from config: ${TRE_URL}" + else + # Construct TRE_URL automatically + TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}") + echo "Constructed TRE_URL: ${TRE_URL}" + fi export TRE_URL + + # Set CUSTOM_DOMAIN by extracting domain from TRE_URL + # This maintains backward compatibility for scripts that expect CUSTOM_DOMAIN + CUSTOM_DOMAIN=$(extract_domain_from_url "${TRE_URL}") + export CUSTOM_DOMAIN fi # if local debugging is configured, then set vars required by ~/.porter/config.yaml From 51a2d65756947247fbe921c8ab68382ff28e7ebc Mon Sep 17 00:00:00 2001 
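Review bot: `url` and `domain` in `extract_domain_from_url` are not declared `local`, and because this file is meant to be `source`d the function overwrites both names in the caller's shell on every call; the callers `load_and_validate_env.sh` and `create_api_application.sh` run under `set -o nounset` / `set -euo pipefail`, where a stray global named `domain` or `url` is easy to collide with. Declare them as `local url=$1` and `local domain`, and end the file with a trailing newline (the hunk closes with `\ No newline at end of file`). The later hunk of this file in patch 6 keeps these same lines, so the fix applies there as well. A URL with userinfo (`https://user@host/`) would also leave `user@host` as the domain; if that form is intentionally unsupported, a one-line comment saying so would help the next reader.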
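Review bot: The new `if [[ -n "${TRE_URL:-}" ]]; then` branch in `load_and_validate_env.sh` accepts whatever came from config as-is, so a `tre_url` without a scheme (`mytre.example.com`) or with a trailing path is exported unchanged and later becomes an OAuth redirect URI in `create_api_application.sh` and, via `CUSTOM_DOMAIN`, the certificate name in `letsencrypt.sh`; the schema description says "full URL including https://" but nothing enforces it. Add a guard after the echo, e.g. `[[ "${TRE_URL}" == https://* ]] || { echo "tre_url must be a full https:// URL" >&2; exit 1; }`. Separately, `CUSTOM_DOMAIN` is now exported non-empty even when `TRE_URL` was constructed automatically, whereas before it was empty unless a custom domain was configured; `letsencrypt.sh` in this series will then always take the `if [[ -n "$CUSTOM_DOMAIN" ]]` branch, and any other consumer that treats a non-empty `CUSTOM_DOMAIN` as "custom domain configured" may change behaviour — worth confirming. If only genuine custom domains should populate it, set `CUSTOM_DOMAIN=$(extract_domain_from_url "${TRE_URL}")` inside the config-provided branch and `CUSTOM_DOMAIN=""` in the constructed branch before the export.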
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 10:27:04 +0000 Subject: [PATCH 3/9] Update documentation for custom_domain and tre_url consolidation Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com> --- docs/tre-admins/custom-domain.md | 11 +++++++++-- docs/tre-admins/environment-variables.md | 4 ++-- .../setup-instructions/cicd-pre-deployment-steps.md | 2 +- docs/tre-admins/setup-instructions/workflows.md | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/tre-admins/custom-domain.md b/docs/tre-admins/custom-domain.md index 8fee96effc..cb4cb25f47 100644 --- a/docs/tre-admins/custom-domain.md +++ b/docs/tre-admins/custom-domain.md 
@@ -4,11 +4,18 @@ In order to use a custom domain name with the Azure TRE: 1. Register a domain name, and create a DNS entry for the domain name pointing to the FQDN of the Azure App Gateway, e.g. `mytre-domain-name.org. CNAME mytre.region.cloudapp.azure.com.` -2. Set the domain name in the `CUSTOM_DOMAIN` variable in `config.yaml` or create a GitHub Actions secret, depending on your deployment method. +2. Set the full custom URL in the `tre_url` setting in `config.yaml`. For example: + +```yaml +tre: + tre_url: https://mytre-domain-name.org +``` + +**Note:** The `CUSTOM_DOMAIN` environment variable has been deprecated. Use `tre_url` instead, which should contain the full URL including the protocol. 3. Update the *TRE UX* App Registration redirect URIs: - a. If you haven't deployed your TRE yet, this is done automatically for you using the `make auth` command. Refer to the setup instructions to deploy your TRE. + a. If you haven't deployed your TRE yet, this is done automatically for you using the `make auth` command. The script will automatically detect the custom domain from your `tre_url` setting and configure the redirect URIs accordingly. b. If your TRE has already been deployed, manually add the following redirect URIs in Entra ID > App Registrations > *TRE_ID UX* > Authentication > Single-page application Redirect URIs: diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 9513dbc6c1..2dd003f90c 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -24,7 +24,7 @@ |
Environment variable name
| Description | | ------------------------- | ----------- | | `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `mytre-dev` will result in a resource group name for Azure TRE instance of `rg-mytre-dev`. This must be less than 12 characters. Allowed characters: lowercase alphanumerics| -| `TRE_URL`| This will be generated for you by populating your `TRE_ID`. This is used so that you can automatically register bundles | +| `TRE_URL`| This will be generated for you based on your `TRE_ID` and `LOCATION`, or can be set to a custom URL (e.g., `https://mytre.example.com`) for custom domains. Used for automatic registration of bundles and authentication redirects. | | `CORE_ADDRESS_SPACE` | The address space for the Azure TRE core virtual network. `/22` or larger. | | `TRE_ADDRESS_SPACE` | The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. `10.0.0.0/12`| | `ENABLE_SWAGGER` | Determines whether the Swagger interface for the API will be available. | 
@@ -45,7 +45,7 @@ | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | | `DEPLOY_BASTION` | Optional. If set to `true`, an Azure Bastion instance will be deployed. Default value is `true`. | | `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Basic`. Allowed values [`Developer`, `Standard`, `Basic`, `Premium`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | -| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). | +| `CUSTOM_DOMAIN` | **Deprecated and automatically derived.** This is now automatically extracted from `TRE_URL`. Do not set this manually. | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | | `AUTO_WORKSPACE_APP_REGISTRATION`| Set to `false` by default. Setting this to `true` grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy` permission. [Further information on Application Admin can be found here](./identities/application_admin.md). | | `AUTO_WORKSPACE_GROUP_CREATION`| Set to `false` by default. Setting this to `true` grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. [You can read mode about Group Assignment here](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). | 
diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index 1217b40e08..574d659315 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md @@ -86,7 +86,7 @@ Configure the following **variables** in your github environment: | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | -| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). | +| `CUSTOM_DOMAIN` | **Deprecated.** Use `TRE_URL` instead. Custom domains are now specified as full URLs in the `tre_url` configuration setting. | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | ### Configure Authentication Secrets diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index eabc62332d..ebbffbc87d 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md 
@@ -127,7 +127,7 @@ Configure additional secrets used in the deployment workflow: | `MGMT_RESOURCE_GROUP_NAME` | The name of the shared resource group for all Azure TRE core resources. | | `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. E.g. `mystorageaccount`. | | `ACR_NAME` | A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. | -| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). | +| `CUSTOM_DOMAIN` | **Deprecated.** Use `TRE_URL` in the configuration instead. Custom domains are now specified as full URLs in the `tre_url` configuration setting. | ### Configure repository/environment variables From 054a60a34ee19c4e448235a813cc7096d5a6d4fc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 11:03:26 +0000 Subject: [PATCH 4/9] Address review feedback: remove duplicate tre_url, update changelog and increment core version Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com> --- CHANGELOG.md | 3 ++- config.sample.yaml | 4 ---- core/version.txt | 2 +- docs/tre-admins/environment-variables.md | 1 - .../setup-instructions/cicd-pre-deployment-steps.md | 2 +- docs/tre-admins/setup-instructions/workflows.md | 2 +- 6 files changed, 5 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0f6a01e56..b17bec3b8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,7 +1,8 @@ ## 0.25.0 (Unreleased) -* _No changes yet_ +**BREAKING CHANGES & MIGRATIONS**: +* Consolidated `custom_domain` and `tre_url` settings into single `tre_url` setting. The `custom_domain` configuration option has been removed. Users should update their `config.yaml` to use `tre_url` with full URLs instead (e.g., `tre_url: https://mytre.example.com`). The `CUSTOM_DOMAIN` environment variable is now automatically derived from `TRE_URL` for backward compatibility ([#4248](https://github.com/microsoft/AzureTRE/issues/4248)) ## 0.24.0 (July 16, 2025) diff --git a/config.sample.yaml b/config.sample.yaml index f521faee4d..bc58ac80f0 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -121,7 +121,3 @@ developer_settings: # Used by the API and Resource processor application to change log level # Can be "ERROR", "WARNING", "INFO", "DEBUG" # logging_level: "INFO" - -# If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider -# uncomment and set this variable -# tre_url: __CHANGE_ME__ diff --git a/core/version.txt b/core/version.txt index 755df9055f..fd86b3ee91 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.16.3" +__version__ = "0.17.0" diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 2dd003f90c..72fa7118b6 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md 
@@ -45,7 +45,6 @@ | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | | `DEPLOY_BASTION` | Optional. If set to `true`, an Azure Bastion instance will be deployed. Default value is `true`. | | `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Basic`. Allowed values [`Developer`, `Standard`, `Basic`, `Premium`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | -| `CUSTOM_DOMAIN` | **Deprecated and automatically derived.** This is now automatically extracted from `TRE_URL`. Do not set this manually. | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | | `AUTO_WORKSPACE_APP_REGISTRATION`| Set to `false` by default. Setting this to `true` grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy` permission. [Further information on Application Admin can be found here](./identities/application_admin.md). | | `AUTO_WORKSPACE_GROUP_CREATION`| Set to `false` by default. Setting this to `true` grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. [You can read mode about Group Assignment here](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). | 
diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index 574d659315..68b6a66f1e 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md @@ -86,7 +86,7 @@ Configure the following **variables** in your github environment: | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | -| `CUSTOM_DOMAIN` | **Deprecated.** Use `TRE_URL` instead. Custom domains are now specified as full URLs in the `tre_url` configuration setting. | +| `TRE_URL` | Optional. Specify a custom URL for the TRE instance (e.g., `https://mytre.example.com`). If not set, the TRE URL will be constructed automatically based on `TRE_ID` and location. Can be configured in `config.yaml` as `tre_url`. | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | ### Configure Authentication Secrets diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index ebbffbc87d..2ff3282ace 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md 
@@ -127,7 +127,7 @@ Configure additional secrets used in the deployment workflow: | `MGMT_RESOURCE_GROUP_NAME` | The name of the shared resource group for all Azure TRE core resources. | | `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. E.g. `mystorageaccount`. | | `ACR_NAME` | A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. | -| `CUSTOM_DOMAIN` | **Deprecated.** Use `TRE_URL` in the configuration instead. Custom domains are now specified as full URLs in the `tre_url` configuration setting. | +| `TRE_URL` | Optional. Specify a custom URL for the TRE instance (e.g., `https://mytre.example.com`). If not set, the TRE URL will be constructed automatically based on `TRE_ID` and location. Can be configured in `config.yaml` as `tre_url`. | ### Configure repository/environment variables From d51066a5e8d2d197241519ac8331778b67b87907 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 11:43:29 +0000 Subject: [PATCH 5/9] Fix yamllint violations in config.sample.yaml by wrapping long lines Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com> --- config.sample.yaml | 60 ++++++++++++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 21 deletions(-) diff --git a/config.sample.yaml b/config.sample.yaml index bc58ac80f0..95b08a5c46 100644 --- a/config.sample.yaml +++ b/config.sample.yaml 
@@ -10,15 +10,18 @@ management: acr_name: __CHANGE_ME__ # Set this to true if you want to disable public access to mgmt acr disable_acr_public_access: true - # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true) + # ID of external Key Vault to store CMKs in + # (only required if enable_cmk_encryption is true) # external_key_store_id: __CHANGE_ME__ - # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set + # Name of Key Vault for encryption, required if enable_cmk_encryption is true + # and external_key_store_id is not set # encryption_kv_name: __CHANGE_ME__ # Azure Resource Manager credentials used for CI/CD pipelines arm_subscription_id: __CHANGE_ME__ # If you want to override the currently signed in credentials - # You would do this if running commands like `make terraform-install DIR=./templates/workspaces/base` + # You would do this if running commands like + # `make terraform-install DIR=./templates/workspaces/base` # arm_tenant_id: __CHANGE_ME__ # arm_client_id: __CHANGE_ME__ # arm_client_secret: __CHANGE_ME__ @@ -39,11 +42,13 @@ tre: enable_swagger: true enable_airlock_malware_scanning: true - # Set to true if want to ensure users have an email address before airlock request is created + # Set to true if want to ensure users have an email address before airlock + # request is created # Used if rely on email notifications for governance purposes # enable_airlock_email_check: true - # TODO: move to RP default with https://github.com/microsoft/AzureTRE/issues/2948 + # TODO: move to RP default with + # https://github.com/microsoft/AzureTRE/issues/2948 workspace_app_service_plan_sku: P1v2 # The TRE Web UI is deployed by default. # Uncomment the following to disable deployment of the Web UI. 
@@ -56,45 +61,56 @@ tre: # Set to Basic if wish to connect to VMs in workspaces. bastion_sku: Basic - # Set to true if TreAdmins should be able to assign and de-assign users to workspaces via the UI + # Set to true if TreAdmins should be able to assign and de-assign users to + # workspaces via the UI user_management_enabled: false - # Uncomment to enable DNS Security policy on the system, and add any known DNS names that you need to allow - # DNS queries on, in addition to those in the core list in core/terraform/allowed-dns.json + # Uncomment to enable DNS Security policy on the system, and add any known + # DNS names that you need to allow + # DNS queries on, in addition to those in the core list in + # core/terraform/allowed-dns.json # Note, these need to be fully qualified, i.e. they end in a dot(.) # enable_dns_policy: true # allowed_dns: # - mydomain.com. - # Uncomment to deploy to a custom domain. If set, this should be the full TRE URL - # (e.g., https://mytre.example.com). If not set, the TRE URL will be constructed - # automatically based on tre_id and location. + # Uncomment to deploy to a custom domain. If set, this should be the full + # TRE URL (e.g., https://mytre.example.com). If not set, the TRE URL will be + # constructed automatically based on tre_id and location. # tre_url: __CHANGE_ME__ - # Uncomment to enable vnet exception for the subnet to access private resources like TRE key vault and management storage account. + # Uncomment to enable vnet exception for the subnet to access private + # resources like TRE key vault and management storage account. # private_agent_subnet_id: __CHANGE_ME__ authentication: aad_tenant_id: __CHANGE_ME__ # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will: # create an identity with `Application.ReadWrite.OwnedBy`. # Setting AUTO_WORKSPACE_APP_REGISTRATION to true will: - # create an identity with `Application.ReadWrite.All` and `Directory.Read.All`. 
- # When this is true, create Workspaces will also create an AAD Application automatically. + # create an identity with `Application.ReadWrite.All` and + # `Directory.Read.All`. + # When this is true, create Workspaces will also create an AAD Application + # automatically. # When this is false, the AAD Application will need creating manually. auto_workspace_app_registration: true - # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All` + # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with + # `Group.ReadWrite.All` auto_workspace_group_creation: false - # Setting this to true will remove the need for users to manually grant consent when creating new workspaces. - # The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions. + # Setting this to true will remove the need for users to manually grant + # consent when creating new workspaces. + # The identity will be granted Application.ReadWrite.All and + # DelegatedPermissionGrant.ReadWrite.All permissions. auto_grant_workspace_consent: false resource_processor: # The number of processes to start in the resource processor VMSS image resource_processor_number_processes_per_instance: 5 -# This setting provides a way to pass environment values to the resource processor +# This setting provides a way to pass environment values to the resource +# processor # to use as a source of bundle parameter values -# For example, to specify your image_gallery_id for use in VM user resources with custom VM images: +# For example, to specify your image_gallery_id for use in VM user resources +# with custom VM images: # yamllint disable-line rule:line-length # rp_bundle_values: '{"custom_key_1":"custom_value_1","image_gallery_id":"/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries/"}' 
@@ -107,7 +123,8 @@ ui_config: developer_settings: # Locks will not be added to stateful resources so they can be easily removed # stateful_resources_locked: false -# TRE Core Key Vault purge protection will be disabled so it can be reused upon deletion +# TRE Core Key Vault purge protection will be disabled so it can be reused +# upon deletion # kv_purge_protection_enabled: false # This setting will enable your local machine to be able to @@ -115,7 +132,8 @@ developer_settings: # the base workspace. # enable_local_debugging: true -# This setting enables customer-managed key encryption for all supported resources +# This setting enables customer-managed key encryption for all supported +# resources # enable_cmk_encryption: true # Used by the API and Resource processor application to change log level From b459ddcc3354cbd20effdcb67159e562517ecb9a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 17 Jul 2025 12:02:10 +0000 Subject: [PATCH 6/9] Fix shellcheck violations and make extract_domain_from_url.sh executable Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com> --- devops/scripts/extract_domain_from_url.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100644 => 100755 devops/scripts/extract_domain_from_url.sh diff --git a/devops/scripts/extract_domain_from_url.sh b/devops/scripts/extract_domain_from_url.sh old mode 100644 new mode 100755 index b48e1e32d3..ceee3cf8b3 --- a/devops/scripts/extract_domain_from_url.sh +++ b/devops/scripts/extract_domain_from_url.sh @@ -10,10 +10,10 @@ function extract_domain_from_url() domain=$(echo "$url" | sed -E 's|^https?://||') # Remove path and query parameters (everything after the first /) - domain=$(echo "$domain" | sed 's|/.*||') + domain=${domain%%/*} # Remove port if present (everything after the first :) - domain=$(echo "$domain" | sed 's|:.*||') + domain=${domain%%:*} echo "$domain" } \ No newline at end of file 
From 647e65718915d9bac2444a6091e5a2eef584b21e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 17 Jul 2025 13:05:06 +0000
Subject: [PATCH 7/9] Remove unused customDomain variable to fix shellcheck warning

Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
---
 devops/scripts/aad/create_api_application.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
index b76b46c968..0f269dc601 100755
--- a/devops/scripts/aad/create_api_application.sh
+++ b/devops/scripts/aad/create_api_application.sh
@@ -67,7 +67,6 @@ declare automationAppId=""
 declare automationAppObjectId=""
 declare msGraphUri=""
 declare spPassword=""
-declare customDomain=""
 # Initialize parameters specified from command line
 while [[ $# -gt 0 ]]; do

From 9896552fc5fa5b2618d68c5afb0268eafa1233d1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 10:03:24 +0000
Subject: [PATCH 8/9] Reverse approach: keep custom_domain, remove non-functional tre_url from config

Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
---
 CHANGELOG.md | 4 +--
 config.sample.yaml | 6 ++--
 config_schema.json | 4 +--
 core/terraform/scripts/letsencrypt.sh | 1 -
 devops/scripts/aad/create_api_application.sh | 30 ++++++++-----------
 devops/scripts/create_aad_assets.sh | 3 +-
 devops/scripts/extract_domain_from_url.sh | 19 ------------
 devops/scripts/load_and_validate_env.sh | 17 +----------
 docs/tre-admins/custom-domain.md | 11 ++-----
 docs/tre-admins/environment-variables.md | 3 +-
 .../cicd-pre-deployment-steps.md | 2 +-
 .../setup-instructions/workflows.md | 2 +-
 12 files changed, 27 insertions(+), 75 deletions(-)
 delete mode 100755 devops/scripts/extract_domain_from_url.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b17bec3b8e..78a8193f27 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md @@ -1,8 +1,8 @@ ## 0.25.0 (Unreleased) -**BREAKING CHANGES & MIGRATIONS**: -* Consolidated `custom_domain` and `tre_url` settings into single `tre_url` setting. The `custom_domain` configuration option has been removed. Users should update their `config.yaml` to use `tre_url` with full URLs instead (e.g., `tre_url: https://mytre.example.com`). The `CUSTOM_DOMAIN` environment variable is now automatically derived from `TRE_URL` for backward compatibility ([#4248](https://github.com/microsoft/AzureTRE/issues/4248)) +ENHANCEMENTS: +* Remove non-functional `tre_url` setting from `developer_settings` in `config.yaml`. Use `custom_domain` under `tre:` to configure a custom domain name for your TRE ([#4248](https://github.com/microsoft/AzureTRE/issues/4248)) ## 0.24.0 (July 16, 2025) diff --git a/config.sample.yaml b/config.sample.yaml index 95b08a5c46..19b3e78154 100644 --- a/config.sample.yaml +++ b/config.sample.yaml @@ -74,10 +74,8 @@ tre: # allowed_dns: # - mydomain.com. - # Uncomment to deploy to a custom domain. If set, this should be the full - # TRE URL (e.g., https://mytre.example.com). If not set, the TRE URL will be - # constructed automatically based on tre_id and location. - # tre_url: __CHANGE_ME__ + # Uncomment to deploy to a custom domain + # custom_domain: __CHANGE_ME__ # Uncomment to enable vnet exception for the subnet to access private # resources like TRE key vault and management storage account. diff --git a/config_schema.json b/config_schema.json index 175f70aa90..39b3f64f0a 100644 --- a/config_schema.json +++ b/config_schema.json @@ -109,8 +109,8 @@ "description": "SKU of the Azure Bastion.", "type": "string" }, - "tre_url": { - "description": "Custom TRE URL (full URL including https://). If not specified, will be constructed automatically.", + "custom_domain": { + "description": "Custom domain name.", "type": "string" }, "enable_cmk_encryption": { 
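Review bot: The restored `custom_domain` entry constrains the value only with `"type": "string"`, although the script that consumes it prefixes the value with `https://` and splices the result into a JSON redirect-URI list, so a value carrying a scheme, port, path or a double quote passes config validation and only fails, or registers an unintended URI, at app-registration time. Adding `"format": "hostname"` next to `"type": "string"` would reject such values at the schema level, with the caveat that some validators enforce `format` only when configured to. The enclosing properties object starts and ends outside this hunk.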
diff --git a/core/terraform/scripts/letsencrypt.sh b/core/terraform/scripts/letsencrypt.sh
index 893978c054..b29519f7dd 100755
--- a/core/terraform/scripts/letsencrypt.sh
+++ b/core/terraform/scripts/letsencrypt.sh
@@ -69,7 +69,6 @@ ledir=$(pwd)/letsencrypt
 mkdir -p "${ledir}/logs"
 CERT_FQDN=$FQDN
-# CUSTOM_DOMAIN is automatically extracted from TRE_URL by load_and_validate_env.sh
 if [[ -n "$CUSTOM_DOMAIN" ]]; then
 CERT_FQDN=$CUSTOM_DOMAIN
 fi
diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
index 0f269dc601..00a1bdc2e1 100755
--- a/devops/scripts/aad/create_api_application.sh
+++ b/devops/scripts/aad/create_api_application.sh
@@ -5,13 +5,6 @@ set -euo pipefail
 # AZURE_CORE_OUTPUT=jsonc # force CLI output to JSON for the script (user can still change default for interactive usage in the dev container)
-# Get the directory that this script is in
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-# Source the helper function for extracting domain from URL
-# shellcheck disable=SC1091
-source "${SCRIPT_DIR}/../extract_domain_from_url.sh"
-
 function show_usage()
 {
 cat << USAGE
@@ -20,20 +13,19 @@ Utility script for creating app registrations required by Azure TRE. This script Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application. You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. -Usage: $0 -n [-r ] [-a] [-s] [--automation-account] +Usage: $0 -n [-u ] [-a] [-d ] [--automation-account] Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One". -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app. - If the URL contains a custom domain, it will be used automatically. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. Requires directory admin privileges to the Azure AD in question. -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 + -d,--custom-domain Optional, custom domain, used to construct auth redirection URLs (in addition to --tre-url) Examples: 1. $0 -n TRE -u https://mytre.region.cloudapp.azure.com -a - 2. $0 -n TRE -u https://mytre.example.com -a (with custom domain) Using an Automation account 3. $0 --name 'TRE' --tre-url https://mytre.region.cloudapp.azure.com --admin-consent --automation-account @@ -67,6 +59,7 @@ declare automationAppId="" declare automationAppObjectId="" declare msGraphUri="" declare spPassword="" +declare customDomain="" # Initialize parameters specified from command line while [[ $# -gt 0 ]]; do @@ -91,6 +84,10 @@ while [[ $# -gt 0 ]]; do resetPassword=$2 shift 2 ;; + -d|--custom-domain) + customDomain=$2 + shift 2 + ;; *) echo "Invalid option: $1." show_usage 
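Review bot: The new `-d,--custom-domain` usage line does not say what form the value must take, yet the script later prefixes it with `https://` and appends `/api/docs/oauth2-redirect`, so a value entered as a full URL, or with a port or trailing path, produces a malformed redirect URI. Suggest extending the option text to `-d,--custom-domain Optional, bare host name only (no scheme, port or path), e.g. mytre.example.com; used to construct auth redirection URLs in addition to --tre-url`. The `custom_domain` comment restored in `config.sample.yaml` in this commit would benefit from the same wording. The `show_usage` heredoc starts and ends outside this hunk.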
@@ -252,14 +249,11 @@ redirectUris="\"http://localhost:8000/api/docs/oauth2-redirect\", \"http://local if [[ -n ${treUrl} ]]; then echo "Adding reply/redirect URL \"${treUrl}\" to \"${appName}\"" redirectUris="${redirectUris}, \"${treUrl}\", \"${treUrl}/api/docs/oauth2-redirect\"" - - # Check if this is a custom domain (not the default cloudapp.azure.com pattern) - # If so, we don't need to add it again as it's already the main URL - treUrlDomain=$(extract_domain_from_url "${treUrl}") - if [[ "${treUrlDomain}" != *".cloudapp.azure.com" && "${treUrlDomain}" != *".cloudapp.usgovcloudapi.net" ]]; then - echo "Detected custom domain in TRE URL: ${treUrlDomain}" - # The custom domain URL is already included as the main treUrl, no need to add separately - fi +fi +if [[ -n ${customDomain} ]]; then + customDomainUrl="https://${customDomain}" + echo "Adding reply/redirect URL \"${customDomainUrl}\" to \"${appName}\"" + redirectUris="${redirectUris}, \"${customDomainUrl}\", \"${customDomainUrl}/api/docs/oauth2-redirect\"" fi uxAppDefinition=$(jq -c . << JSON diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index 39513a3291..2d7b29db69 100755 --- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh @@ -71,7 +71,8 @@ APPLICATION_PERMISSION=$(IFS=,; echo "${APPLICATION_PERMISSIONS[*]}") --name "${TRE_ID}" \ --tre-url "${TRE_URL}" \ --admin-consent --automation-clientid "${TEST_ACCOUNT_CLIENT_ID}" \ - --reset-password $RESET_PASSWORDS + --reset-password $RESET_PASSWORDS \ + --custom-domain "${CUSTOM_DOMAIN:-}" if [ "${AUTO_WORKSPACE_APP_REGISTRATION:=false}" == false ]; then # Load the new values back in diff --git a/devops/scripts/extract_domain_from_url.sh b/devops/scripts/extract_domain_from_url.sh deleted file mode 100755 index ceee3cf8b3..0000000000 --- a/devops/scripts/extract_domain_from_url.sh +++ /dev/null 
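Review bot: `customDomainUrl="https://${customDomain}"` is built and interpolated straight into the JSON text that `redirectUris` feeds to `jq` without checking that `customDomain` is a bare host name, so a value containing a scheme, path, port or double quote either breaks the `jq` parse or registers an unintended redirect URI on the app; since redirect URIs are a trust boundary for the OAuth flow, rejecting such values early is preferable to relying on the Entra ID API to refuse them. A guard inside the new `if [[ -n ${customDomain} ]]` branch, or at the `-d|--custom-domain` parse in the earlier hunk, would do: `[[ "${customDomain}" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || { echo "Invalid --custom-domain value: ${customDomain}" >&2; exit 1; }`. The pre-existing `treUrl` branch above it has the same shape and would benefit from the same treatment. The `uxAppDefinition` heredoc this feeds continues outside the hunk.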
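Review bot: The rewritten `--reset-password $RESET_PASSWORDS \` line keeps `$RESET_PASSWORDS` unquoted, so an empty value shifts the positional arguments seen by `create_api_application.sh`: `--custom-domain` becomes the argument of `--reset-password` and the quoted `"${CUSTOM_DOMAIN:-}"` then hits the script's invalid-option branch. As the line is already being touched, quote it as `--reset-password "${RESET_PASSWORDS}" \`. The invoking command starts outside this hunk.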
@@ -1,19 +0,0 @@ -#!/bin/bash - -# This script is designed to be `source`d to create reusable helper functions - -function extract_domain_from_url() -{ - url=$1 - - # Remove protocol (http:// or https://) - domain=$(echo "$url" | sed -E 's|^https?://||') - - # Remove path and query parameters (everything after the first /) - domain=${domain%%/*} - - # Remove port if present (everything after the first :) - domain=${domain%%:*} - - echo "$domain" -} \ No newline at end of file diff --git a/devops/scripts/load_and_validate_env.sh b/devops/scripts/load_and_validate_env.sh index dbdb267399..92a56eaff6 100755 --- a/devops/scripts/load_and_validate_env.sh +++ b/devops/scripts/load_and_validate_env.sh @@ -11,8 +11,6 @@ set -o nounset # shellcheck disable=SC1091 source "${DIR}"/construct_tre_url.sh # shellcheck disable=SC1091 -source "${DIR}"/extract_domain_from_url.sh -# shellcheck disable=SC1091 source "${DIR}"/convert_azure_env_to_arm_env.sh if [ ! -f "config.yaml" ]; then @@ -90,21 +88,8 @@ else export ARM_ENVIRONMENT export TF_VAR_arm_environment="${ARM_ENVIRONMENT}" - # Set TRE_URL - either from config or constructed automatically - if [[ -n "${TRE_URL:-}" ]]; then - # TRE_URL was provided in config, use it as-is - echo "Using TRE_URL from config: ${TRE_URL}" - else - # Construct TRE_URL automatically - TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}") - echo "Constructed TRE_URL: ${TRE_URL}" - fi + TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}") export TRE_URL - - # Set CUSTOM_DOMAIN by extracting domain from TRE_URL - # This maintains backward compatibility for scripts that expect CUSTOM_DOMAIN - CUSTOM_DOMAIN=$(extract_domain_from_url "${TRE_URL}") - export CUSTOM_DOMAIN fi # if local debugging is configured, then set vars required by ~/.porter/config.yaml diff --git a/docs/tre-admins/custom-domain.md b/docs/tre-admins/custom-domain.md index cb4cb25f47..8fee96effc 100644 
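Review bot: In the `load_and_validate_env.sh` hunk, `TRE_URL=$(construct_tre_url ...)` now overwrites `TRE_URL` unconditionally, so a `tre_url` left in an existing `config.yaml` from the earlier commits of this series is silently ignored rather than reported; the removed branch indicates config values reach this point as `TRE_URL`, though whether schema validation already rejects the unknown key is not visible here. A one-line warning before the assignment, `[[ -z "${TRE_URL:-}" ]] || echo "Warning: TRE_URL from config is ignored; set custom_domain instead" >&2`, would make the reversal visible to operators. The enclosing `else` branch starts outside this hunk.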
--- a/docs/tre-admins/custom-domain.md +++ b/docs/tre-admins/custom-domain.md @@ -4,18 +4,11 @@ In order to use a custom domain name with the Azure TRE: 1. Register a domain name, and create a DNS entry for the domain name pointing to the FQDN of the Azure App Gateway, e.g. `mytre-domain-name.org. CNAME mytre.region.cloudapp.azure.com.` -2. Set the full custom URL in the `tre_url` setting in `config.yaml`. For example: - -```yaml -tre: - tre_url: https://mytre-domain-name.org -``` - -**Note:** The `CUSTOM_DOMAIN` environment variable has been deprecated. Use `tre_url` instead, which should contain the full URL including the protocol. +2. Set the domain name in the `CUSTOM_DOMAIN` variable in `config.yaml` or create a GitHub Actions secret, depending on your deployment method. 3. Update the *TRE UX* App Registration redirect URIs: - a. If you haven't deployed your TRE yet, this is done automatically for you using the `make auth` command. The script will automatically detect the custom domain from your `tre_url` setting and configure the redirect URIs accordingly. + a. If you haven't deployed your TRE yet, this is done automatically for you using the `make auth` command. Refer to the setup instructions to deploy your TRE. b. If your TRE has already been deployed, manually add the following redirect URIs in Entra ID > App Registrations > *TRE_ID UX* > Authentication > Single-page application Redirect URIs: diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 72fa7118b6..9513dbc6c1 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -24,7 +24,7 @@ |
Environment variable name
| Description | | ------------------------- | ----------- | | `TRE_ID` | A globally unique identifier. `TRE_ID` can be found in the resource names of the Azure TRE instance; for example, a `TRE_ID` of `mytre-dev` will result in a resource group name for Azure TRE instance of `rg-mytre-dev`. This must be less than 12 characters. Allowed characters: lowercase alphanumerics| -| `TRE_URL`| This will be generated for you based on your `TRE_ID` and `LOCATION`, or can be set to a custom URL (e.g., `https://mytre.example.com`) for custom domains. Used for automatic registration of bundles and authentication redirects. | +| `TRE_URL`| This will be generated for you by populating your `TRE_ID`. This is used so that you can automatically register bundles | | `CORE_ADDRESS_SPACE` | The address space for the Azure TRE core virtual network. `/22` or larger. | | `TRE_ADDRESS_SPACE` | The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. `10.0.0.0/12`| | `ENABLE_SWAGGER` | Determines whether the Swagger interface for the API will be available. | 
@@ -45,6 +45,7 @@ | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | | `DEPLOY_BASTION` | Optional. If set to `true`, an Azure Bastion instance will be deployed. Default value is `true`. | | `BASTION_SKU` | Optional. The SKU of the Azure Bastion instance. Default value is `Basic`. Allowed values [`Developer`, `Standard`, `Basic`, `Premium`]. See [Azure Bastion SKU feature comparison](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku). | +| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | | `AUTO_WORKSPACE_APP_REGISTRATION`| Set to `false` by default. Setting this to `true` grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy` permission. [Further information on Application Admin can be found here](./identities/application_admin.md). | | `AUTO_WORKSPACE_GROUP_CREATION`| Set to `false` by default. Setting this to `true` grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. [You can read mode about Group Assignment here](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). | 
diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index 68b6a66f1e..1217b40e08 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md @@ -86,7 +86,7 @@ Configure the following **variables** in your github environment: | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | -| `TRE_URL` | Optional. Specify a custom URL for the TRE instance (e.g., `https://mytre.example.com`). If not set, the TRE URL will be constructed automatically based on `TRE_ID` and location. Can be configured in `config.yaml` as `tre_url`. | +| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). | | `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | ### Configure Authentication Secrets diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index 2ff3282ace..eabc62332d 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md 
@@ -127,7 +127,7 @@ Configure additional secrets used in the deployment workflow:
 | `MGMT_RESOURCE_GROUP_NAME` | The name of the shared resource group for all Azure TRE core resources. |
 | `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. E.g. `mystorageaccount`. |
 | `ACR_NAME` | A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. |
-| `TRE_URL` | Optional. Specify a custom URL for the TRE instance (e.g., `https://mytre.example.com`). If not set, the TRE URL will be constructed automatically based on `TRE_ID` and location. Can be configured in `config.yaml` as `tre_url`. |
+| `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). |
 ### Configure repository/environment variables

From a8b2ac311eb1e86de90265d254fd6ce992a88cd6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 10 Mar 2026 10:29:01 +0000
Subject: [PATCH 9/9] Fix show_usage: remove non-existent --automation-account flag, use --automation-clientid

Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
---
 devops/scripts/aad/create_api_application.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
index 00a1bdc2e1..61eb398939 100755
--- a/devops/scripts/aad/create_api_application.sh
+++ b/devops/scripts/aad/create_api_application.sh
@@ -13,14 +13,14 @@ Utility script for creating app registrations required by Azure TRE. This script Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application. You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. -Usage: $0 -n [-u ] [-a] [-d ] [--automation-account] +Usage: $0 -n [-u ] [-a] [-d ] [-t ] Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One". -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. Requires directory admin privileges to the Azure AD in question. - -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace. + -t,--automation-clientid Optional, the client ID of the automation account to add to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 -d,--custom-domain Optional, custom domain, used to construct auth redirection URLs (in addition to --tre-url) @@ -28,7 +28,7 @@ Examples: 1. $0 -n TRE -u https://mytre.region.cloudapp.azure.com -a Using an Automation account - 3. $0 --name 'TRE' --tre-url https://mytre.region.cloudapp.azure.com --admin-consent --automation-account + 2. $0 --name 'TRE' --tre-url https://mytre.region.cloudapp.azure.com --admin-consent --automation-clientid USAGE exit 2
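Review bot: The rewritten synopsis line `Usage: $0 -n [-u ] [-a] [-d ] [-t ]` still omits `-r,--reset-password`, which the Options list directly below documents, so the two parts of the usage text disagree about the accepted flags. Add a `-r` entry to the synopsis, or keep the synopsis to required options only and say so, so the two stay in sync. The `show_usage` heredoc starts outside this hunk.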