Skip to content

Environment variables

Info

The .tfvars file is intentionally not used. The .env file format is easier to parse, meaning we can use the values for bash scripts and other purposes.

For shared management resources in /config.yaml

Environment variable name
Description
LOCATION The Azure location (region) for all resources.
MGMT_RESOURCE_GROUP_NAME The shared resource group for all management resources, including the storage account.
MGMT_STORAGE_ACCOUNT_NAME The name of the storage account to hold the Terraform state and other deployment artifacts.
TERRAFORM_STATE_CONTAINER_NAME The name of the blob container to hold the Terraform state Default value is tfstate.
ACR_NAME A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images.
EXTERNAL_KEY_STORE_ID The ID of the external Key Vault to store CMKs in. Should not be set if ENCRYPTION_KV_NAME is set and only required if ENABLE_CMK_ENCRYPTION is true.
ENCRYPTION_KV_NAME The name of the Key Vault for encryption keys. Should not be set if EXTERNAL_KEY_STORE_ID is set and only required if ENABLE_CMK_ENCRYPTION is true.
ARM_SUBSCRIPTION_ID Optional for manual deployment. If not specified the az cli selected subscription will be used. The Azure subscription ID for all resources.
ARM_CLIENT_ID Optional for manual deployment without logged-in credentials. The client whose azure identity will be used to deploy the solution.
ARM_CLIENT_SECRET Optional for manual deployment without logged-in credentials. The password of the client defined in ARM_CLIENT_ID.
ARM_TENANT_ID Optional for manual deployment. If not specified the az cli selected subscription will be used. The Microsoft Entra ID tenant of the client defined in ARM_CLIENT_ID.

For Azure TRE instance in /config.yaml

Environment variable name
Description
TRE_ID A globally unique identifier. TRE_ID can be found in the resource names of the Azure TRE instance; for example, a TRE_ID of mytre-dev will result in a resource group name for Azure TRE instance of rg-mytre-dev. This must be less than 12 characters. Allowed characters: lowercase alphanumerics
TRE_URL This will be generated for you by populating your TRE_ID. This is used so that you can automatically register bundles
CORE_ADDRESS_SPACE The address space for the Azure TRE core virtual network. /22 or larger.
TRE_ADDRESS_SPACE The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. 10.0.0.0/12
ENABLE_SWAGGER Determines whether the Swagger interface for the API will be available.
SWAGGER_UI_CLIENT_ID Generated when following pre-deployment steps guide. Client ID for swagger client to make requests.
AAD_TENANT_ID Generated when following pre-deployment steps guide. Tenant id against which auth is performed.
API_CLIENT_ID Generated when following pre-deployment steps guide. Client id of the "TRE API".
API_CLIENT_SECRET Generated when following pre-deployment steps guide. Client secret of the "TRE API".
STATEFUL_RESOURCES_LOCKED If set to false locks on stateful resources won't be created. A recommended setting for developers.
KV_PURGE_PROTECTION_ENABLED If set to false the core Key Vault's purge protection will be disabled so it can be reused upon deletion. A recommended setting for developers.
ENABLE_AIRLOCK_MALWARE_SCANNING If False, Airlock requests will skip the malware scanning stage. If set to True, Defender for Storage will be enabled.
ENABLE_LOCAL_DEBUGGING Set to false by default. Setting this to true will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos)
PUBLIC_DEPLOYMENT_IP_ADDRESS The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from https://ipecho.net/plain does not work. If this is the case, then you can 'hardcode' your IP.
RESOURCE_PROCESSOR_VMSS_SKU The SKU of the VMMS to use for the resource processing VM.
CORE_APP_SERVICE_PLAN_SKU The SKU of AppService plans created for the core infrastructure.
WORKSPACE_APP_SERVICE_PLAN_SKU Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is P1v2.
RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to 5.
FIREWALL_SKU Optional. The SKU of the Azure Firewall instance. Default value is Standard. Allowed values [Basic, Standard, Premium]. See Azure Firewall SKU feature comparison.
APP_GATEWAY_SKU Optional. The SKU of the Application Gateway. Default value is Standard_v2. Allowed values [Standard_v2, WAF_v2]
DEPLOY_BASTION Optional. If set to true, an Azure Bastion instance will be deployed. Default value is true.
BASTION_SKU Optional. The SKU of the Azure Bastion instance. Default value is Basic. Allowed values [Developer, Standard, Basic, Premium]. See Azure Bastion SKU feature comparison.
CUSTOM_DOMAIN Optional. Custom domain name to access the Azure TRE portal. See Custom domain name.
ENABLE_CMK_ENCRYPTION Optional. Default is false, if set to true customer-managed key encryption will be enabled for all supported resources.
AUTO_WORKSPACE_APP_REGISTRATION Set to false by default. Setting this to true grants the Application.ReadWrite.All and Directory.Read.All permission to the Application Admin identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy permission. Further information on Application Admin can be found here.
AUTO_WORKSPACE_GROUP_CREATION Set to false by default. Setting this to true grants the Group.ReadWrite.All permission to the Application Admin identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. You can read mode about Group Assignment here.
AUTO_GRANT_WORKSPACE_CONSENT Default of false. Setting this to true will remove the need for users to manually grant consent when creating new workspaces. The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions.
USER_MANAGEMENT_ENABLED If set to true, TRE Admins will be able to assign and de-assign users to workspaces via the UI (Requires Entra ID groups to be enabled on the workspace and the workspace template version to be 2.2.0 or greater).
PRIVATE_AGENT_SUBNET_ID Optional. Vnet exception is enabled for the provided runner agent subnet id, enabling access to private resources like TRE key vault.
UI_SITE_NAME Optional. Overrides the title text shown in top left corner of portal. Default value is: Azure TRE
UI_FOOTER_TEXT Optional. Overrides the footer text shown in the bottom left corner of the portal. Default value is Azure Trusted Research Environment

For authentication in /config.yaml

Variable Description
APPLICATION_ADMIN_CLIENT_ID This client will administer Microsoft Entra ID Applications for TRE
APPLICATION_ADMIN_CLIENT_SECRET This client will administer Microsoft Entra ID Applications for TRE
TEST_ACCOUNT_CLIENT_ID This will be created by default, but can be disabled by editing /devops/scripts/create_aad_assets.sh. This is the user that will run the tests for you
TEST_ACCOUNT_CLIENT_SECRET This will be created by default, but can be disabled by editing /devops/scripts/create_aad_assets.sh. This is the user that will run the tests for you
API_CLIENT_ID API application (client) ID.
API_CLIENT_SECRET API application client secret.
SWAGGER_UI_CLIENT_ID Swagger (OpenAPI) UI application (client) ID.
WORKSPACE_API_CLIENT_ID Each workspace is secured behind it's own AD Application
WORKSPACE_API_CLIENT_SECRET Each workspace is secured behind it's own AD Application. This is the secret for that application.

For CI/CD pipelines in github environment secrets

Variable Description
AZURE_CREDENTIALS Credentials used to authorize CI/CD workflows to provision resources for the TRE workspaces and workspace services. This is basically your ARM client credentials in json format. Read more about how to create it and its format here
MS_TEAMS_WEBHOOK_URI URI for the Teams channel webhook