
@marrobi marrobi commented Nov 26, 2025

Summary

Removes the requirement for users to provide a client secret when creating workspaces and eliminates the Directory.Read.All Microsoft Graph permission from the automation admin identity.

Changes

  • Base workspace bundle 3.0.0: Terraform now creates, imports, and manages workspace Microsoft Entra ID applications automatically, including secret rotation via azuread_application_password resources
  • API simplification: Removed extract_workspace_auth_information function - workspace auth info is now handled through Terraform outputs
  • Removed parameters: client_secret, register_aad_application, scope_id, sp_id, app_role_id_*
  • New script: add_automation_admin_to_workspace_application.sh for adding automation admin as workspace app owner
  • Permission reduction: Directory.Read.All no longer required; only Application.ReadWrite.All, Group.Create, Group.Read.All, User.ReadBasic.All, DelegatedPermissionGrant.ReadWrite.All (depending on configuration)

Migration

  1. Existing workspaces continue to work without changes
  2. Upgrading: Ensure Application Admin owns the workspace app, then run upgrade - Terraform will import and manage secrets automatically (needs testing)
  3. New workspaces: No client_secret needed; optionally provide client_id to reuse an existing app

Closes #2247


github-actions bot commented Nov 26, 2025

Unit Test Results

664 tests in 1 suite (1 file): 664 passed ✅, 0 skipped 💤, 0 failed ❌, 7s ⏱️

Results for commit 1fb42ea.

♻️ This comment has been updated with latest results.

@marrobi marrobi changed the title Simplify Workspace Entra ID Automation and Remove Directory.Read.All Dependency Remove need to provide client secret when creating workspace and remove Directory.Read.All Dependency Nov 26, 2025
@marrobi marrobi linked an issue Nov 26, 2025 that may be closed by this pull request
@marrobi marrobi changed the title Remove need to provide client secret when creating workspace and remove Directory.Read.All Dependency Remove need to provide client secret when creating workspace and remove Directory.Read.All Dependency from automation admin Nov 26, 2025
@marrobi marrobi linked an issue Nov 27, 2025 that may be closed by this pull request

Copilot AI left a comment

Pull request overview

This PR removes the requirement for users to provide a client secret when creating workspaces and eliminates the Directory.Read.All Microsoft Graph permission dependency from the automation admin identity. The changes introduce automatic workspace app provisioning/import via Terraform with built-in password rotation, simplify the API by removing the extract_workspace_auth_information function, and update all related documentation and scripts.

Key changes include:

  • Terraform now provisions or imports the workspace Entra ID app automatically with dual password rotation using azuread_application_password resources
  • API no longer requires Directory.Read.All permissions as workspace auth information is handled via Terraform outputs
  • Major version bump for base workspace bundle (2.8.0 → 3.0.0) due to breaking changes

Reviewed changes

Copilot reviewed 37 out of 38 changed files in this pull request and generated 10 comments.

Summary per file (file: description):

templates/workspaces/base/terraform/workspace.tf: Adds import block for existing workspace apps and removes conditional AAD module creation
templates/workspaces/base/terraform/variables.tf: Removes register_aad_application and client_secret variables
templates/workspaces/base/terraform/providers.tf: Adds hashicorp/time provider for password rotation
templates/workspaces/base/terraform/outputs.tf: Simplifies outputs to always reference AAD module directly
templates/workspaces/base/terraform/keyvault.tf: Removes manual client_id and client_secret key vault secret resources
templates/workspaces/base/terraform/aad/variables.tf: Adds client_id variable, changes create_aad_groups type to bool
templates/workspaces/base/terraform/aad/providers.tf: Adds time provider requirement
templates/workspaces/base/terraform/aad/aad.tf: Implements dual password rotation with primary/secondary passwords and intelligent current password selection
templates/workspaces/base/terraform/.terraform.lock.hcl: Adds lock file entry for time provider v0.11.0
templates/workspaces/base/template_schema.json: Removes client_secret from schema and moves create_aad_groups to top level
templates/workspaces/base/porter.yaml: Major version bump to 3.0.0, removes register_aad_application and client_secret parameters
api_app/services/authentication.py: Removes extract_auth_information function
api_app/services/access_service.py: Removes extract_workspace_auth_information abstract method
api_app/services/aad_authentication.py: Removes _get_app_auth_info and extract_workspace_auth_information implementation
api_app/db/repositories/workspaces.py: Removes auth_info parameter from create_workspace_item
api_app/api/routes/workspaces.py: Removes extract_auth_information call and auth_info parameter
api_app/_version.py: Minor version bump to 0.25.5
api_app/tests_ma/test_services/test_aad_access_service.py: Removes tests for extract_workspace_auth_information
api_app/tests_ma/test_db/test_repositories/test_workpaces_repository.py: Updates test calls to remove auth_info parameter
api_app/tests_ma/test_api/test_routes/test_workspaces.py: Removes extract_auth_information mock patches
api_app/tests_ma/test_api/test_routes/test_workspace_users.py: Removes auth_info parameter from sample_workspace
docs/tre-developers/end-to-end-tests.md: Adds instructions for adding automation admin as workspace app owner
docs/tre-admins/setup-instructions/ui-install-base-workspace.md: Simplifies workspace app creation script usage
docs/tre-admins/setup-instructions/installing-base-workspace.md: Removes client_secret from workspace creation example
docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md: Removes TEST_WORKSPACE_APP_SECRET from required secrets
docs/tre-admins/identities/workspace.md: Removes client secret references and simplifies workspace app creation
docs/tre-admins/identities/application_admin.md: Updates required permissions from Directory.Read.All to Group.Read.All and User.ReadBasic.All
docs/tre-admins/environment-variables.md: Updates permission descriptions for auto workspace features
docs/tre-admins/auth.md: Updates permission descriptions and removes workspace_api_client_secret
devops/scripts/setup_local_debugging.sh: Removes TEST_WORKSPACE_APP_SECRET from environment setup
devops/scripts/create_aad_assets.sh: Removes Directory.Read.All from AUTO_WORKSPACE_APP_REGISTRATION permissions and removes automatic workspace app creation
devops/scripts/aad/wait_for_new_app_registration.sh: Minor cleanup removing echo statement
devops/scripts/aad/create_workspace_application.sh: Significantly simplified to only create minimal app registration without consent/permission setup
devops/scripts/aad/add_automation_admin_to_workspace_application.sh: New script for adding automation admin as workspace app owner
core/terraform/outputs.sh: Removes TEST_WORKSPACE_APP_SECRET from private.env
config_schema.json: Removes workspace_api_client_secret from schema
config.sample.yaml: Updates permission descriptions in comments
Files not reviewed (1)
  • templates/workspaces/base/terraform/.terraform.lock.hcl: Language not supported
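The dual-password rotation that the description and the Copilot summary refer to (two azuread_application_password resources driven by hashicorp/time clocks, plus selection of the current password) can be sketched as follows. This is an added illustration, not the bundle's own aad.tf; the resource names, the 180-day period, and the azuread >= 2.44 / Terraform >= 1.3 requirements are my assumptions.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = ">= 2.44" } # application_id argument
    time    = { source = "hashicorp/time", version = ">= 0.11" }
  }
}

# Hypothetical app for the example; the real bundle imports an existing one when a client_id is supplied.
resource "azuread_application" "workspace" {
  display_name = "example-workspace-app"
}

# Two independent clocks, each replacing its password every 180 days.
# To stagger them, run `terraform apply -replace=time_rotating.secondary`
# once, about 90 days after the first apply; the clocks then stay 90 days apart.
resource "time_rotating" "primary" {
  rotation_days = 180
}

resource "time_rotating" "secondary" {
  rotation_days = 180
}

resource "azuread_application_password" "primary" {
  application_id      = azuread_application.workspace.id
  display_name        = "primary"
  end_date_relative   = "8640h" # 360 days, so it outlives the other clock's rotation
  rotate_when_changed = { rotation = time_rotating.primary.id } # id = clock base timestamp
}

resource "azuread_application_password" "secondary" {
  application_id      = azuread_application.workspace.id
  display_name        = "secondary"
  end_date_relative   = "8640h"
  rotate_when_changed = { rotation = time_rotating.secondary.id }
}

# Current password = the most recently rotated one, i.e. the one whose clock expires
# later. timecmp (Terraform >= 1.3) returns 1 when its first argument is the later timestamp.
locals {
  current_password = timecmp(time_rotating.primary.rotation_rfc3339, time_rotating.secondary.rotation_rfc3339) >= 0 ? azuread_application_password.primary.value : azuread_application_password.secondary.value
}

output "workspace_client_id" { value = azuread_application.workspace.client_id }

output "workspace_client_secret" {
  value     = local.current_password # consumers read this; never echo it in logs
  sensitive = true
}
```

Because the password that is not current stays valid until its own clock rotates, a consumer that cached the previous value keeps working through the next rotation of the other one.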

@marrobi marrobi requested review from Copilot and removed request for Copilot November 27, 2025 10:42
marrobi and others added 3 commits November 27, 2025 10:44
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 37 out of 38 changed files in this pull request and generated 6 comments.

Files not reviewed (1)
  • templates/workspaces/base/terraform/.terraform.lock.hcl: Language not supported

marrobi commented Jan 14, 2026

/test-extended 596a707


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/20993930675 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 14, 2026

/test-extended 4442d7b


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21002948067 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 20, 2026

/test-extended


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21169627084 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 21, 2026

/test-extended


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21203529948 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 22, 2026

/test-extended 0895032


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21247157779 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 22, 2026

/test-extended 43e1600


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21251094929 (with refid 679d0163)

(in response to this comment from @marrobi)

marrobi commented Jan 22, 2026

/test-extended 2aacf0e


🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21255656238 (with refid 679d0163)

(in response to this comment from @marrobi)

Development

Successfully merging this pull request may close these issues.

Add docs for rotating workspace app registration secrets. Supply Workspace client secret without having to pass it in the API