github microsoft/AzureTRE v0.21.0
0.21.0

2 days ago

BREAKING CHANGES & MIGRATIONS:

  • Workspace bundle uses infrastructure encryption on shared storage, which will recreate the storage share. The major version increase will prevent upgrade; do not force the upgrade unless you are fully aware of the consequences.

ENHANCEMENTS:

  • Core key vault firewall should not be set to "Allow public access from all networks" (#4250)
  • Allow workspace App Service Plan SKU to be updated (#4331)
  • Add core requests endpoint and UI to enable requests to be managed TRE wide. (#2510)
  • Remove public IP from TRE's firewall when forced tunneling is configured (#4346)
  • Upgrade AzureRM Terraform provider from 3.117.0 to 4.14.0. (#4255)
  • Subnet definitions are now inline in the azurerm_virtual_network resource, and NSG associations are set using security_group in each subnet block (no separate azurerm_subnet_network_security_group_association needed). (#4255)
  • Azure Cosmos DB should disable public network access (#4322)
  • Add bundle target to Makefile for handling different bundle types in single command (#4372)
  • Migrate UI to Vite build engine and update dependencies (#4368)
  • Add Windows image field to the Admin VM template (#4274)
  • Update TLS to the latest version for web apps / function apps (#4351)

BUG FIXES:

  • Fix upgrade when porter install has failed (#4338)
  • Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state (#4294)
  • Fix Cosmos DB local debugging configuration (#4340)
  • Add firewall rules to upgrade steps for Guacamole service (#4343)

COMPONENTS:

name version
devops 0.5.5
core 0.12.3
ui 0.7.0
tre-workspace-airlock-import-review 0.14.3
tre-workspace-base 2.0.0
tre-workspace-unrestricted 0.13.3
tre-shared-service-airlock-notifier 1.0.8
tre-shared-service-certs 0.7.4
tre-shared-service-firewall 1.3.2
tre-shared-service-gitea 1.1.5
tre-shared-service-cyclecloud 0.7.2
tre-shared-service-databricks-private-auth 0.1.11
tre-shared-service-admin-vm 0.5.3
tre-shared-service-sonatype-nexus 3.3.2
tre-workspace-service-mysql 1.0.9
tre-workspace-service-ohdsi 0.3.3
tre-user-resource-aml-compute-instance 0.5.11
tre-service-azureml 0.9.2
tre-service-guacamole-linuxvm 1.2.8
tre-service-guacamole-windowsvm 1.2.10
tre-service-guacamole-import-reviewvm 0.3.2
tre-service-guacamole-export-reviewvm 0.2.2
tre-service-guacamole 0.12.9
tre-workspace-service-health 0.2.11
tre-workspace-service-gitea 1.2.3
tre-service-databricks 1.0.10
tre-workspace-service-openai 1.0.6
tre-workspace-service-azuresql 1.0.15

0.20.0 (February 9, 2025) - Pulled Release

BREAKING CHANGES & MIGRATIONS:

  • InnerEye and MLFlow bundles deprecated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. (#4127)
  • This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. (#4228)

FEATURES:

  • Add support for customer-managed keys encryption. Core support (#4141, #4144), Base workspace (#4161), other templates (#4145)

ENHANCEMENTS:

  • Disable storage account cross tenant replication (#4116)
  • Key Vaults should use RBAC instead of access policies for access control (#4000)
  • Split log entries with [Log chunk X of Y] for better readability. (#3992)
  • Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF (#4111)
  • Update Terraform to use Azure AD authentication rather than storage account keys (#4103)
  • Consolidate Terraform upgrade scripts (#4099)
  • Storage accounts should use infrastructure encryption (#4001)
  • Update obsolete Terraform properties (#4136)
  • Update Guacamole version and dependencies (#4140)
  • Update the Azure CLI version to 2.67.0 in dev container and vmss (#4157)
  • Move Github PR bot commands into main documentation (#4167)
  • Block Authentication with keys to CosmosDB SQL account (#4175)
  • Change the way "inherited" workspaces retrieve the base workspace code (#4162)
  • Add option to configure auto shutdown for Linux VM (#4186)
  • Add ability to download VSCode Extensions (#4187)
  • Update Windows VM Images (#4198)
  • Enhance DPI of Linux display (#4200)
  • Update Admin VM versions (#4217)
  • Update devcontainer/RP/API package versions: base image, docker, az cli, YQ (#4225)
  • Purge container repos individually when using make tre-destroy (#4230)
  • Upgrade Python version from 3.8 to 3.12 (#3949)
  • Disable storage account key usage (#4227)
  • Update Guacamole dependencies (#4232)
  • Add option to force tunnel TRE's Firewall (#4237)
  • Add EventGrid diagnostics to identify airlock issues (#4258)
  • Disable local authentication in ServiceBus (#4259)
  • Allow enablement of Secure Boot and vTPM for Guacamole VMs (#4235)
  • Surface the server-layout parameter of Guacamole server-layout (#4234)
  • Add encryption at host for VMs (#4263)
  • Downgrade certs shared service App Gateway to Basic SKU (#4300)
  • Airlock function host storage to use the user-assigned managed identity (#4276)
  • Disable local authentication in EventGrid (#4254)
  • Use user username as VM username rather than random ID (#4333)

BUG FIXES:

  • Update KeyVault references in API to use the version so Terraform cascades the update (#4112)
  • Template images are showing CVEs (#4153)
  • Fix Dockerfile 'as' casting (#4170)
  • Create policy to allow all users to configure color profiles to remove auth dialog. (#4184)
  • Pre-configure VS Code option to prevent script failure (#4185)
  • Increase size of Nexus VM, and derive Java VM memory limits from machine size (#4074)
  • Enable symlinks to work on Linux VM shared storage (#4180)
  • Upgrade aiohttp version for security fixes (#4197)
  • Fix failing tests, .env missing and storage logs (#4207)
  • Unable to delete virtual machines, add skip_shutdown_and_force_delete = true (#4135)
  • Bump terraform version in windows VM template (#4212)
  • Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue (#4004)
  • Fix VM actions where Workspace shared storage doesn't allow shared key access (#4222)
  • Fix public exposure in Guacamole service (#4199)
  • Fix Azure ML network tags to use name rather than ID (#4151)
  • Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL (#4288)
  • Recreate tre_output.json if empty. (#4292)
  • Ensure R directory is present before attempting to update package mirror URL (#4332)

COMPONENTS:

name version
devops 0.5.5
core 0.11.23
ui 0.6.3
tre-shared-service-databricks-private-auth 0.1.11
tre-shared-service-gitea 1.1.4
tre-shared-service-sonatype-nexus 3.3.2
tre-shared-service-firewall 1.3.0
tre-shared-service-admin-vm 0.5.2
tre-shared-service-certs 0.7.3
tre-shared-service-airlock-notifier 1.0.8
tre-shared-service-cyclecloud 0.7.2
tre-workspace-airlock-import-review 0.14.2
tre-workspace-base 1.9.2
tre-workspace-unrestricted 0.13.2
tre-workspace-service-gitea 1.2.2
tre-workspace-service-mysql 1.0.9
tre-workspace-service-health 0.2.11
tre-workspace-service-openai 1.0.6
tre-service-azureml 0.9.2
tre-user-resource-aml-compute-instance 0.5.11
tre-service-databricks 1.0.10
tre-workspace-service-azuresql 1.0.15
tre-service-guacamole 0.12.7
tre-service-guacamole-export-reviewvm 0.2.2
tre-service-guacamole-linuxvm 1.2.4
tre-service-guacamole-import-reviewvm 0.3.2
tre-service-guacamole-windowsvm 1.2.6
tre-workspace-service-ohdsi 0.3.2

Full Changelog: v0.19.1...v0.21.0
