Environment variables
Info
The .tfvars
file is intentionally not used. The .env
file format is easier to parse, meaning we can use the values for bash scripts and other purposes.
For shared management resources in /config.yaml
Environment variable name |
Description |
---|---|
LOCATION |
The Azure location (region) for all resources. |
MGMT_RESOURCE_GROUP_NAME |
The shared resource group for all management resources, including the storage account. |
MGMT_STORAGE_ACCOUNT_NAME |
The name of the storage account to hold the Terraform state and other deployment artifacts. |
TERRAFORM_STATE_CONTAINER_NAME |
The name of the blob container to hold the Terraform state Default value is tfstate . |
ACR_NAME |
A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. |
EXTERNAL_KEY_STORE_ID |
The ID of the external Key Vault to store CMKs in. Should not be set if ENCRYPTION_KV_NAME is set and only required if ENABLE_CMK_ENCRYPTION is true. |
ENCRYPTION_KV_NAME |
The name of the Key Vault for encryption keys. Should not be set if EXTERNAL_KEY_STORE_ID is set and only required if ENABLE_CMK_ENCRYPTION is true. |
ARM_SUBSCRIPTION_ID |
Optional for manual deployment. If not specified the az cli selected subscription will be used. The Azure subscription ID for all resources. |
ARM_CLIENT_ID |
Optional for manual deployment without logged-in credentials. The client whose azure identity will be used to deploy the solution. |
ARM_CLIENT_SECRET |
Optional for manual deployment without logged-in credentials. The password of the client defined in ARM_CLIENT_ID . |
ARM_TENANT_ID |
Optional for manual deployment. If not specified the az cli selected subscription will be used. The Microsoft Entra ID tenant of the client defined in ARM_CLIENT_ID . |
For Azure TRE instance in /config.yaml
Environment variable name |
Description |
---|---|
TRE_ID |
A globally unique identifier. TRE_ID can be found in the resource names of the Azure TRE instance; for example, a TRE_ID of mytre-dev will result in a resource group name for Azure TRE instance of rg-mytre-dev . This must be less than 12 characters. Allowed characters: lowercase alphanumerics |
TRE_URL |
This will be generated for you by populating your TRE_ID . This is used so that you can automatically register bundles |
CORE_ADDRESS_SPACE |
The address space for the Azure TRE core virtual network. /22 or larger. |
TRE_ADDRESS_SPACE |
The address space for the whole TRE environment virtual network where workspaces networks will be created (can include the core network as well). E.g. 10.0.0.0/12 |
ENABLE_SWAGGER |
Determines whether the Swagger interface for the API will be available. |
SWAGGER_UI_CLIENT_ID |
Generated when following pre-deployment steps guide. Client ID for swagger client to make requests. |
AAD_TENANT_ID |
Generated when following pre-deployment steps guide. Tenant id against which auth is performed. |
API_CLIENT_ID |
Generated when following pre-deployment steps guide. Client id of the "TRE API". |
API_CLIENT_SECRET |
Generated when following pre-deployment steps guide. Client secret of the "TRE API". |
STATEFUL_RESOURCES_LOCKED |
If set to false locks on stateful resources won't be created. A recommended setting for developers. |
KV_PURGE_PROTECTION_ENABLED |
If set to false the core Key Vault's purge protection will be disabled so it can be reused upon deletion. A recommended setting for developers. |
ENABLE_AIRLOCK_MALWARE_SCANNING |
If False, Airlock requests will skip the malware scanning stage. If set to True, Defender for Storage will be enabled. |
ENABLE_LOCAL_DEBUGGING |
Set to false by default. Setting this to true will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos) |
PUBLIC_DEPLOYMENT_IP_ADDRESS |
The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from https://ipecho.net/plain does not work. If this is the case, then you can 'hardcode' your IP. |
RESOURCE_PROCESSOR_VMSS_SKU |
The SKU of the VMMS to use for the resource processing VM. |
CORE_APP_SERVICE_PLAN_SKU |
The SKU of AppService plans created for the core infrastructure. |
WORKSPACE_APP_SERVICE_PLAN_SKU |
Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is P1v2 . |
RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE |
Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to 5 . |
FIREWALL_SKU |
Optional. The SKU of the Azure Firewall instance. Default value is Standard . Allowed values [Basic , Standard , Premium ]. See Azure Firewall SKU feature comparison. |
APP_GATEWAY_SKU |
Optional. The SKU of the Application Gateway. Default value is Standard_v2 . Allowed values [Standard_v2 , WAF_v2 ] |
DEPLOY_BASTION |
Optional. If set to true , an Azure Bastion instance will be deployed. Default value is true . |
BASTION_SKU |
Optional. The SKU of the Azure Bastion instance. Default value is Basic . Allowed values [Developer , Standard , Basic , Premium ]. See Azure Bastion SKU feature comparison. |
CUSTOM_DOMAIN |
Optional. Custom domain name to access the Azure TRE portal. See Custom domain name. |
ENABLE_CMK_ENCRYPTION |
Optional. Default is false , if set to true customer-managed key encryption will be enabled for all supported resources. |
AUTO_WORKSPACE_APP_REGISTRATION |
Set to false by default. Setting this to true grants the Application.ReadWrite.All and Directory.Read.All permission to the Application Admin identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy permission. Further information on Application Admin can be found here. |
AUTO_WORKSPACE_GROUP_CREATION |
Set to false by default. Setting this to true grants the Group.ReadWrite.All permission to the Application Admin identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a premium feature. You can read mode about Group Assignment here. |
AUTO_GRANT_WORKSPACE_CONSENT |
Default of false . Setting this to true will remove the need for users to manually grant consent when creating new workspaces. The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions. |
USER_MANAGEMENT_ENABLED |
If set to true , TRE Admins will be able to assign and de-assign users to workspaces via the UI (Requires Entra ID groups to be enabled on the workspace and the workspace template version to be 2.2.0 or greater). |
PRIVATE_AGENT_SUBNET_ID |
Optional. Vnet exception is enabled for the provided runner agent subnet id, enabling access to private resources like TRE key vault. |
UI_SITE_NAME |
Optional. Overrides the title text shown in top left corner of portal. Default value is: Azure TRE |
UI_FOOTER_TEXT |
Optional. Overrides the footer text shown in the bottom left corner of the portal. Default value is Azure Trusted Research Environment |
For authentication in /config.yaml
Variable | Description |
---|---|
APPLICATION_ADMIN_CLIENT_ID |
This client will administer Microsoft Entra ID Applications for TRE |
APPLICATION_ADMIN_CLIENT_SECRET |
This client will administer Microsoft Entra ID Applications for TRE |
TEST_ACCOUNT_CLIENT_ID |
This will be created by default, but can be disabled by editing /devops/scripts/create_aad_assets.sh . This is the user that will run the tests for you |
TEST_ACCOUNT_CLIENT_SECRET |
This will be created by default, but can be disabled by editing /devops/scripts/create_aad_assets.sh . This is the user that will run the tests for you |
API_CLIENT_ID |
API application (client) ID. |
API_CLIENT_SECRET |
API application client secret. |
SWAGGER_UI_CLIENT_ID |
Swagger (OpenAPI) UI application (client) ID. |
WORKSPACE_API_CLIENT_ID |
Each workspace is secured behind it's own AD Application |
WORKSPACE_API_CLIENT_SECRET |
Each workspace is secured behind it's own AD Application. This is the secret for that application. |
For CI/CD pipelines in github environment secrets
Variable | Description |
---|---|
AZURE_CREDENTIALS |
Credentials used to authorize CI/CD workflows to provision resources for the TRE workspaces and workspace services. This is basically your ARM client credentials in json format. Read more about how to create it and its format here |
MS_TEAMS_WEBHOOK_URI |
URI for the Teams channel webhook |