Fix Azure Health Data Services deployment failure

CHANGELOG.md

@@ -35,6 +35,7 @@ ENHANCEMENTS:
 * Migrate GitHub Actions workflows to use ubuntu-slim runners for improved efficiency and reduced cost ([#4831](https://github.com/microsoft/AzureTRE/pull/4831))
 
 BUG FIXES:
+* Fix Azure Health Data Services deployment failures by upgrading AzureRM provider to 4.58.0, switching to RBAC group assignments, and adding workspace group parameter mappings ([#4844](https://github.com/microsoft/AzureTRE/issues/4844))
 * Replace deprecated `--username` flag with `--client-id` in `az login --identity` commands across all Porter bundles ([#4817](https://github.com/microsoft/AzureTRE/issues/4817))
 * Fix deleted workspaces still accessible via URL - get_*_by_id methods now filter out deleted resources ([#4785](https://github.com/microsoft/AzureTRE/issues/4785))
 * Fix circular dependancy in base workspace. ([#4756](https://github.com/microsoft/AzureTRE/pull/4756))

templates/workspace_services/health-services/porter.yaml

@@ -1,19 +1,12 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-health
-version: 0.2.13
+version: 0.3.4
 description: "An Azure Data Health Services workspace service"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
 
 credentials:
-  # Credentials for interacting with the AAD Auth tenant
-  - name: auth_client_id
-    env: AUTH_CLIENT_ID
-  - name: auth_client_secret
-    env: AUTH_CLIENT_SECRET
-  - name: auth_tenant_id
-    env: AUTH_TENANT_ID
   # Credentials for interacting with Azure
   - name: azure_tenant_id
     env: ARM_TENANT_ID
@@ -32,6 +25,12 @@ parameters:
   - name: aad_authority_url
     type: string
     default: "https://login.microsoftonline.com"
+  - name: workspace_owners_group_id
+    type: string
+    description: "Object ID of the workspace owners AAD group"
+  - name: workspace_researchers_group_id
+    type: string
+    description: "Object ID of the workspace researchers AAD group"
 
   # the following are added automatically by the resource processor
   - name: id
@@ -100,11 +99,10 @@ install:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         aad_authority_url: ${ bundle.parameters.aad_authority_url }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -127,11 +125,10 @@ upgrade:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         aad_authority_url: ${ bundle.parameters.aad_authority_url }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -154,11 +151,10 @@ uninstall:
         deploy_fhir: ${ bundle.parameters.deploy_fhir }
         deploy_dicom: ${ bundle.parameters.deploy_dicom }
         fhir_kind: ${ bundle.parameters.fhir_kind }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         aad_authority_url: ${ bundle.parameters.aad_authority_url }
         arm_environment: ${ bundle.parameters.arm_environment }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspace_services/health-services/template_schema.json

@@ -35,6 +35,26 @@
       "description": "Deploy FHIR instance",
       "updateable": true,
       "default": false
+    },
+    "workspace_owners_group_id": {
+      "$id": "#/properties/workspace_owners_group_id",
+      "type": "string",
+      "title": "Workspace Owners Group ID",
+      "description": "Object ID of the workspace owners AAD group"
+    },
+    "workspace_researchers_group_id": {
+      "$id": "#/properties/workspace_researchers_group_id",
+      "type": "string",
+      "title": "Workspace Researchers Group ID",
+      "description": "Object ID of the workspace researchers AAD group"
+    }
+  },
+  "uiSchema": {
+    "workspace_owners_group_id": {
+      "classNames": "tre-hidden"
+    },
+    "workspace_researchers_group_id": {
+      "classNames": "tre-hidden"
     }
   },
   "allOf": [
@@ -68,7 +88,19 @@
   "pipeline": {
     "install": [
       {
-        "stepId": "main"
+        "stepId": "main",
+        "properties": [
+          {
+            "name": "workspace_owners_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_owners_group_id }}"
+          },
+          {
+            "name": "workspace_researchers_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_researchers_group_id }}"
+          }
+        ]
       },
       {
         "stepId": "d5504764-94cd-11ed-a1eb-0242ac120002",

templates/workspace_services/health-services/terraform/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "= 3.117.0"
+      version = "= 4.58.0"
     }
     external = {
       source  = "hashicorp/external"

templates/workspace_services/health-services/terraform/roles.tf

@@ -1,18 +1,31 @@
+# Role assignments for workspace researchers group
+resource "azurerm_role_assignment" "researchers_fhir_contributor" {
+  count              = var.deploy_fhir && var.workspace_researchers_group_id != "" ? 1 : 0
+  scope              = azurerm_healthcare_fhir_service.fhir[0].id
+  role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id
+  principal_id       = var.workspace_researchers_group_id
+}
 
-data "azurerm_key_vault_secret" "workspace_client_id" {
-  name         = "workspace-client-id"
-  key_vault_id = data.azurerm_key_vault.ws.id
+resource "azurerm_role_assignment" "researchers_dicom_data_owner" {
+  count              = var.deploy_dicom && var.workspace_researchers_group_id != "" ? 1 : 0
+  scope              = azurerm_healthcare_dicom_service.dicom[0].id
+  role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id
+  principal_id       = var.workspace_researchers_group_id
 }
 
-data "external" "app_role_members" {
-  program = ["bash", "${path.module}/get_app_role_members.sh"]
+# Role assignments for workspace owners group
+resource "azurerm_role_assignment" "owners_fhir_contributor" {
+  count              = var.deploy_fhir && var.workspace_owners_group_id != "" ? 1 : 0
+  scope              = azurerm_healthcare_fhir_service.fhir[0].id
+  role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id
+  principal_id       = var.workspace_owners_group_id
+}
 
-  query = {
-    auth_client_id      = var.auth_client_id
-    auth_client_secret  = var.auth_client_secret
-    auth_tenant_id      = var.auth_tenant_id
-    workspace_client_id = data.azurerm_key_vault_secret.workspace_client_id.value
-  }
+resource "azurerm_role_assignment" "owners_dicom_data_owner" {
+  count              = var.deploy_dicom && var.workspace_owners_group_id != "" ? 1 : 0
+  scope              = azurerm_healthcare_dicom_service.dicom[0].id
+  role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id
+  principal_id       = var.workspace_owners_group_id
 }
 
 data "azurerm_role_definition" "azure_fhir_contributor" {
@@ -22,17 +35,3 @@ data "azurerm_role_definition" "azure_fhir_contributor" {
 data "azurerm_role_definition" "azure_dicom_data_owner" {
   name = "DICOM Data Owner"
 }
-
-resource "azurerm_role_assignment" "app_role_members_fhir_contributor" {
-  for_each           = !var.deploy_fhir || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals))
-  scope              = azurerm_healthcare_fhir_service.fhir[0].id
-  role_definition_id = data.azurerm_role_definition.azure_fhir_contributor.id
-  principal_id       = each.value
-}
-
-resource "azurerm_role_assignment" "app_role_members_dicom_data_owner" {
-  for_each           = !var.deploy_dicom || (data.external.app_role_members.result.principals == "") ? [] : toset(split("\n", data.external.app_role_members.result.principals))
-  scope              = azurerm_healthcare_dicom_service.dicom[0].id
-  role_definition_id = data.azurerm_role_definition.azure_dicom_data_owner.id
-  principal_id       = each.value
-}

templates/workspace_services/health-services/terraform/variables.tf

@@ -33,20 +33,24 @@ variable "deploy_dicom" {
   description = "Indicates if DICOM should be created in the Azure Health Data Services Workspace."
 }
 
-variable "auth_tenant_id" {
+variable "workspace_owners_group_id" {
   type        = string
-  description = "Used to authenticate into the AAD Tenant to get app role members"
-}
+  description = "Object ID of the workspace owners AAD group"
 
-variable "auth_client_id" {
-  type        = string
-  description = "Used to authenticate into the AAD Tenant to get app role members"
+  validation {
+    condition     = length(trimspace(var.workspace_owners_group_id)) > 0
+    error_message = "workspace_owners_group_id must be provided; Entra ID workspace groups are required."
+  }
 }
 
-variable "auth_client_secret" {
+variable "workspace_researchers_group_id" {
   type        = string
-  sensitive   = true
-  description = "Used to authenticate into the AAD Tenant to get app role members"
+  description = "Object ID of the workspace researchers AAD group"
+
+  validation {
+    condition     = length(trimspace(var.workspace_researchers_group_id)) > 0
+    error_message = "workspace_researchers_group_id must be provided; Entra ID workspace groups are required."
+  }
 }
 
 variable "arm_environment" {