microsoft / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Airlock container creation #3665

Closed bwiseman closed 1 year ago

bwiseman commented 1 year ago

This may be related to #3664

Initial problem was that new airlock requests sit in 'submitted' but do not progress to 'in review'.

Some time working with marrobi today fixing other issues and I'm finding now that import/export requests are failing to upload to the storage account. I can't remember what action caused it to fail completely but maybe trying to deploy-core?

I think the request should create a new container in the storage account? Checking the firewall logs and storage account logs is not showing where/what the error is, though. I may not be looking in the correct places though.

Trying the suggested fix for #3664

The uploads into the storage account for import exports fail. The storage explorer azcopy looks like below. If the container is meant to be "4339a5da-ed2e-423a-9566-5a38b07d2a83" then it doesn't exist in that storage account.

Transfer of 'XXX' to '4339a5da-ed2e-423a-9566-5a38b07d2a83/' failed: 0 items transferred (used SAS, discovery completed) Started at: 09/08/2023 19:58, Duration: 4 seconds
------------------
$env:AZCOPY_CRED_TYPE = "Anonymous";
$env:AZCOPY_CONCURRENCY_VALUE = "AUTO";
./azcopy.exe copy "XXXX" "https://stalimexXXX.blob.core.windows.net/4339a5da-ed2e-423a-9566-5a38b07d2a83/p11.jpg?se=2023-08-09T19%3A48%3A20Z&sp=rwdl&sv=2021-12-02&sr=c&skoid=0bfb0d59-bc69-46bb-9211-d759eb6dc249&sktid=9ba93357-e6b1-49f2-a6f5-73ffd5dce3c6&skt=2023-08-09T18%3A48%3A20Z&ske=2023-08-09T19%3A48%3A20Z&sks=b&skv=2021-12-02&sig=eWGneH19EmN1cvP390NT9PyQnQv3i7mWJQsI1WFx9wQ%3D" --overwrite=prompt --from-to=LocalBlob --blob-type Detect --follow-symlinks --check-length=true --put-md5 --follow-symlinks --disable-auto-decoding=false --recursive --log-level=INFO;
$env:AZCOPY_CRED_TYPE = "";
$env:AZCOPY_CONCURRENCY_VALUE = "";

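
One offline triage step for a failing SAS upload like the one in the post above, as an added example that is not part of the original thread or of the AzureTRE code: decode the SAS query string and check its validity window, permissions and scope. The function name `triage_sas`, the sample URL (placeholder account name and signature) and the evaluation times are assumptions; the "Started at" time in the post carries no time zone, so it cannot be compared directly.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the URL in the post; account and sig are placeholders.
SAMPLE_URL = (
    "https://stexample.blob.core.windows.net/"
    "4339a5da-ed2e-423a-9566-5a38b07d2a83/p11.jpg"
    "?se=2023-08-09T19%3A48%3A20Z&sp=rwdl&sv=2021-12-02&sr=c"
    "&skt=2023-08-09T18%3A48%3A20Z&ske=2023-08-09T19%3A48%3A20Z"
    "&sks=b&skv=2021-12-02&sig=PLACEHOLDER"
)

def _utc(value):
    """Parse a SAS timestamp; assumes the full-seconds UTC form seen in the post."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_sas(url, at, needed="w"):
    """Return (summary, problems) for a blob SAS URL evaluated at aware-UTC time `at`."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    segs = parts.path.lstrip("/").split("/", 1)
    summary = {
        "account": parts.hostname.split(".")[0],
        "container": segs[0],
        "blob": segs[1] if len(segs) > 1 else "",
        "scope": {"c": "container", "b": "blob"}.get(q.get("sr"), q.get("sr")),
        "permissions": q.get("sp", ""),
        "user_delegation": "ske" in q,  # skt/ske mark a user delegation SAS
    }
    problems = []
    if "st" in q and at < _utc(q["st"]):
        problems.append("not yet valid (st)")
    if "se" in q and at >= _utc(q["se"]):
        problems.append("expired (se)")
    if "skt" in q and at < _utc(q["skt"]):
        problems.append("delegation key not yet valid (skt)")
    if "ske" in q and at >= _utc(q["ske"]):
        problems.append("delegation key expired (ske)")
    missing = set(needed) - set(summary["permissions"])
    if missing:
        problems.append("missing permission(s): " + "".join(sorted(missing)))
    return summary, problems
```

A token that passes these checks can still fail if the container it names does not exist, because a container-scoped SAS grants access to a container but does not create it.
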
marrobi commented 1 year ago

So I think the issue with the status not moving/container not being created is malware scanning, so we need to try with this set to false.

The firewall rule that needs adding as per #3664 is from the AirlockProcessorSubnet to functionscdn.azureedge.net.

bwiseman commented 1 year ago

Malware scan is off and core was deployed.

Firewall rule... I've tried editing via the TRE Shared Firewall, in the Azure TRE firewall resource... various combinations of entries. Imports and exports failing to upload.

marrobi commented 1 year ago

Best to track in #3664 as it's the same issue. Hopefully we will have a PR soon.

bwiseman commented 1 year ago

Is not being able to upload to the import or export storage account really linked to the status change issue?

marrobi commented 1 year ago

This fix is now merged in #3682.