Fix Azure ML data exfiltration vulnerability by removing AzureMachineLearning service tag access and enforcing RBAC

.github/linters/.tflint.hcl

@@ -1,5 +1,5 @@
 config {
-  call_module_type = "all"
+  call_module_type = "local"
   force = false
 }
 
@@ -36,3 +36,7 @@ rule "terraform_standard_module_structure" {
 rule "terraform_required_version" {
   enabled = false
 }
+
+rule "azurerm_resources_missing_prevent_destroy" {
+  enabled = false
+}

.github/linters/.tflint_workspace_services.hcl

@@ -1,7 +1,7 @@
 # This is used for TRE tags validation only.
 
 config {
-  call_module_type = "all"
+  call_module_type = "local"
   force = false
 }
 
@@ -13,3 +13,7 @@ rule "azurerm_resource_missing_tags" {
   enabled = true
   tags = ["tre_id", "tre_workspace_id", "tre_workspace_service_id"]
 }
+
+rule "azurerm_resources_missing_prevent_destroy" {
+  enabled = false
+}

CHANGELOG.md

@@ -1,10 +1,12 @@
 <!-- markdownlint-disable MD041 -->
 ## 0.27.0 (Unreleased)
 **BREAKING CHANGES**
+* Azure ML workspace service now requires auto group creation for RBAC; legacy service-principal role assignment fallback has been removed. ([#4687](https://github.com/microsoft/AzureTRE/pull/4687))
 * Fix missing arguments for airlock manager requests - change in API contract  ([#4544](https://github.com/microsoft/AzureTRE/issues/4544))
 * Clarify cost label time period and aggregation scope in UI tooltips ([#4607](https://github.com/microsoft/AzureTRE/pull/4607))
 * Transition GitHub Actions to use federated credentials. You should replace the `AZURE_CREDENTIALS` secret as described in the [cicd pre steps](https://microsoft.github.io/AzureTRE/latest/tre-admins/setup-instructions/cicd-pre-deployment-steps/). ([#4822](https://github.com/microsoft/AzureTRE/pull/4822))
 
+
 ENHANCEMENTS:
 * Upgrade Guacamole to v1.6.0 with Java 17 and other security updates ([#4754](https://github.com/microsoft/AzureTRE/pull/4754))
 * API: Replace HTTP_422_UNPROCESSABLE_ENTITY response with HTTP_422_UNPROCESSABLE_CONTENT as per RFC 9110 ([#4742](https://github.com/microsoft/AzureTRE/issues/4742))
@@ -29,6 +31,7 @@ BUG FIXES:
 * Fix R configuration with incorrect quotes preventing package installation on Linux VMs ([#4657](https://github.com/microsoft/AzureTRE/issues/4657))
 * Add timeouts to Graph requests in API ([#4723](https://github.com/microsoft/AzureTRE/issues/4723))
 * Fix missing metastoreDomains for Databricks, which caused metastore outages for some domains ([#4779](https://github.com/microsoft/AzureTRE/issues/4779))
+* Fix data exfiltration vulnerability in Azure ML workspace service by removing unrestricted AzureMachineLearning service tag access and enforcing RBAC-based storage access ([#4660](https://github.com/microsoft/AzureTRE/issues/4660))
 * Fix cost display duplication when user resource is deleted - UI incorrectly reused cost data for remaining resources ([#4783](https://github.com/microsoft/AzureTRE/issues/4783))
 * Delete npm package lock file ([#4810](https://github.com/microsoft/AzureTRE/issues/4810))
 

templates/workspace_services/azureml/porter.yaml

@@ -1,19 +1,12 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 0.10.0
+version: 1.1.2
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
 
 credentials:
-  # Credentials for interacting with the AAD Auth tenant
-  - name: auth_client_id
-    env: AUTH_CLIENT_ID
-  - name: auth_client_secret
-    env: AUTH_CLIENT_SECRET
-  - name: auth_tenant_id
-    env: AUTH_TENANT_ID
   # Credentials for interacting with Azure
   - name: azure_tenant_id
     env: ARM_TENANT_ID
@@ -61,8 +54,6 @@ parameters:
     default: false
   - name: arm_environment
     env: ARM_ENVIRONMENT
-  - name: azure_environment
-    env: AZURE_ENVIRONMENT
   - name: enable_cmk_encryption
     type: boolean
     default: false
@@ -71,6 +62,12 @@ parameters:
     default: ""
   - name: log_analytics_workspace_name
     type: string
+  - name: workspace_owners_group_id
+    type: string
+    description: "Object ID of the workspace owners AAD group"
+  - name: workspace_researchers_group_id
+    type: string
+    description: "Object ID of the workspace researchers AAD group"
 
 outputs:
   - name: azureml_workspace_name
@@ -142,14 +139,12 @@ install:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -181,14 +176,12 @@ upgrade:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -220,14 +213,12 @@ uninstall:
         address_space: ${ bundle.parameters.address_space }
         is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
         arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
-        auth_client_id: ${ bundle.credentials.auth_client_id }
-        auth_client_secret: ${ bundle.credentials.auth_client_secret }
-        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
         arm_environment: ${ bundle.parameters.arm_environment }
-        azure_environment: ${ bundle.parameters.azure_environment }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         log_analytics_workspace_name: ${ bundle.parameters.log_analytics_workspace_name }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspace_services/azureml/template_schema.json

@@ -44,6 +44,18 @@
       "$id": "#/properties/log_analytics_workspace_name",
       "type": "string",
       "title": "Log Analytics Workspace Name"
+    },
+    "workspace_owners_group_id": {
+      "$id": "#/properties/workspace_owners_group_id",
+      "type": "string",
+      "title": "Workspace Owners Group ID",
+      "description": "Object ID of the workspace owners AAD group"
+    },
+    "workspace_researchers_group_id": {
+      "$id": "#/properties/workspace_researchers_group_id",
+      "type": "string",
+      "title": "Workspace Researchers Group ID",
+      "description": "Object ID of the workspace researchers AAD group"
     }
   },
   "uiSchema": {
@@ -52,6 +64,12 @@
     },
     "log_analytics_workspace_name": {
       "classNames": "tre-hidden"
+    },
+    "workspace_owners_group_id": {
+      "classNames": "tre-hidden"
+    },
+    "workspace_researchers_group_id": {
+      "classNames": "tre-hidden"
     }
   },
   "pipeline": {
@@ -70,6 +88,16 @@
             "name": "log_analytics_workspace_name",
             "type": "string",
             "value": "{{ resource.parent.properties.log_analytics_workspace_name }}"
+          },
+          {
+            "name": "workspace_owners_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_owners_group_id }}"
+          },
+          {
+            "name": "workspace_researchers_group_id",
+            "type": "string",
+            "value": "{{ resource.parent.properties.workspace_researchers_group_id }}"
           }
         ]
       },
@@ -151,31 +179,30 @@
                   ]
                 },
                 {
-                  "name": "AzureML_Client",
-                  "description": "AzureML Client",
-                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
+                  "name": "AzureML_Storage",
+                  "description": "AzureML Storage",
+                  "source_addresses": "{{ resource.properties.aml_subnet_address_prefixes }}",
                   "destination_addresses": [
-                    "AzureActiveDirectory",
-                    "AzureResourceManager",
-                    "AzureMachineLearning"
+                    "{{ resource.properties.storage_tag }}"
                   ],
                   "destination_ports": [
-                    "443"
+                    "443",
+                    "445"
                   ],
                   "protocols": [
                     "TCP"
                   ]
                 },
                 {
-                  "name": "AzureML_Storage",
-                  "description": "AzureML Storage",
-                  "source_addresses": "{{ resource.properties.aml_subnet_address_prefixes }}",
+                  "name": "Workspace_Authentication",
+                  "description": "Workspace VM Authentication",
+                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
                   "destination_addresses": [
-                    "{{ resource.properties.storage_tag }}"
+                    "AzureActiveDirectory",
+                    "AzureResourceManager"
                   ],
                   "destination_ports": [
-                    "443",
-                    "445"
+                    "443"
                   ],
                   "protocols": [
                     "TCP"
@@ -297,31 +324,30 @@
                   ]
                 },
                 {
-                  "name": "AzureML_Client",
-                  "description": "AzureML Client",
-                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
+                  "name": "AzureML_Storage",
+                  "description": "AzureML Storage",
+                  "source_addresses": "{{ resource.properties.aml_subnet_address_prefixes }}",
                   "destination_addresses": [
-                    "AzureActiveDirectory",
-                    "AzureResourceManager",
-                    "AzureMachineLearning"
+                    "{{ resource.properties.storage_tag }}"
                   ],
                   "destination_ports": [
-                    "443"
+                    "443",
+                    "445"
                   ],
                   "protocols": [
                     "TCP"
                   ]
                 },
                 {
-                  "name": "AzureML_Storage",
-                  "description": "AzureML Storage",
-                  "source_addresses": "{{ resource.properties.aml_subnet_address_prefixes }}",
+                  "name": "Workspace_Authentication",
+                  "description": "Workspace VM Authentication",
+                  "source_addresses": "{{ resource.properties.workspace_address_spaces }}",
                   "destination_addresses": [
-                    "{{ resource.properties.storage_tag }}"
+                    "AzureActiveDirectory",
+                    "AzureResourceManager"
                   ],
                   "destination_ports": [
-                    "443",
-                    "445"
+                    "443"
                   ],
                   "protocols": [
                     "TCP"

templates/workspace_services/azureml/terraform/acr.tf

@@ -20,7 +20,6 @@ resource "azurerm_container_registry" "acr" {
   dynamic "encryption" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
-      enabled            = true
       key_vault_key_id   = data.azurerm_key_vault_key.ws_encryption_key[0].id
       identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id
     }

templates/workspace_services/azureml/terraform/data.tf

@@ -66,3 +66,7 @@ data "azurerm_role_definition" "storage_blob_data_contributor" {
 data "azurerm_role_definition" "storage_file_data_contributor" {
   name = "Storage File Data Privileged Contributor"
 }
+
+data "azurerm_role_definition" "azureml_compute_operator" {
+  name = "AzureML Compute Operator"
+}