Enable malware scanner - Defender for Storage

[anatbal]

Resolves #3768

What is being addressed

Since Defender for storage has become publicly available, it required many changes to the existing airlock import infra in order to make it work. This PR automates the process, but here is a complete description of the process in order for customers that are already using it can enable it themselves.

1. First, in the config.yaml, enable_airlock_malware_scanning: true must be set.
2. The Microsoft Defender for Cloud should be enabled on "in progress" storage account, stalimip.
3. When enabling it, set the settings as the following:
   
   it's important to notice the event grid custom topic is publicly accessed since currently the scan results cannot be delivered over private endpoint.
4. If you decide to create the custom event grid manually, there must be a subscription for a service bus queue that is called "scan-result". This will trigger the azure function to act upon the scanner results.

• This solution was tested on a clean deployment and verified for both import and export
  @migldasilva, let me know if it's clear

[github-actions]

Unit Test Results

21 tests   21 ✔️  0s ⏱️
  1 suites    0 💤
  1 files      0 ❌

Results for commit 70267e9.

♻️ This comment has been updated with latest results.

[anatbal]

/test-extended

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6822525447 (with refid e718abc7)

(in response to this comment from @anatbal)

[migldasilva]

@anatbal I have just reviewed the code and observed that a private endpoint is not being created for Scanresult eventgrid topic. Is there a specific reason for that?

[tamirkamara]

Thanks for adding this. Just a few comments I think we need to sort.

[anatbal]

@anatbal I have just reviewed the code and observed that a private endpoint is not being created for Scanresult eventgrid topic. Is there a specific reason for that?

Hey @migldasilva. Yes, since the scan result publishing is not supported over private endpoints

[anatbal]

/test-extended

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6848039669 (with refid e718abc7)

(in response to this comment from @anatbal)

[migldasilva]

@anatbal I have just deployed the this code and observed a small change in the overall behavior. After testing the whole import cycle, the blob container created inside stalimex<MY_ENVIRONMENT> is not deleted. Is not such containers expected to be deleted after moving files?

[anatbal]

@anatbal I have just deployed the this code and observed a small change in the overall behavior. After testing the whole import cycle, the blob container created inside stalimex<MY_ENVIRONMENT> is not deleted. Is not such containers expected to be deleted after moving files?

You are right. I will dig into it and provide a code fix for that as well.

[marrobi]

LGTM in principal, will try find time to test it out.

Can you update the docs to describe the setting and malware scanning setting etc where appropriate? Thanks.

[anatbal]

@migldasilva I have fixed the deletion problem, the final version of this PR is also deleting the container as it should, and was tested.
@marrobi I added additional documentation where it was needed

[anatbal]

/test-extended

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6921189385 (with refid e718abc7)

(in response to this comment from @anatbal)

[anatbal]

/test-destroy-env

[github-actions]

Destroying PR test environment (RG: rg-tree718abc7)... (run: https://github.com/microsoft/AzureTRE/actions/runs/6921229057)

[github-actions]

PR test environment destroy complete (RG: rg-tree718abc7)

[github-actions]

Destroying branch test environment (RG: rg-tre015d31d4)... (run: https://github.com/microsoft/AzureTRE/actions/runs/6921229057)

[github-actions]

Branch test environment destroy complete (RG: rg-tre015d31d4)

[anatbal]

/test-extended

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6921236648 (with refid e718abc7)

(in response to this comment from @anatbal)

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6921236648 (with refid e718abc7)

(in response to this comment from @anatbal)

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6921236648 (with refid e718abc7)

(in response to this comment from @anatbal)

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/6921236648 (with refid e718abc7)

(in response to this comment from @anatbal)

[migldasilva]

I have tested this version and it's triggering a runtime error. The blob storage inside stalimip<TRE_ID> is being deleted twice. I could stop getting such errors moving this line to a if statement. Something like this:

if event_type is None or event_type != 'Microsoft.Storage.BlobDeleted':
    send_delete_event(dataDeletionEvent, json_body, request_id)
return

A few lines above I checked if eventType is in the json_body, and if so, I assigned it the value store in the json_body.

I believe the deletion occur because, 1) the file is moved from storage account stalimip<TRE_ID> to a storage account inside the workspace, and it's the last blob in the storage account, and 2) the request status changed (I couldn't identify the correct order of execution).

[anatbal]

@migldasilva I will test this in a separate PR. Will try to reproduce on my end, since this shouldnt be triggered from a 'Blob.Deleted' event....

[marrobi]

/test-destroy-env

[github-actions]

Destroying branch test environment (RG: rg-tre015d31d4)... (run: https://github.com/microsoft/AzureTRE/actions/runs/7180394756)

[github-actions]

Branch test environment destroy complete (RG: rg-tre015d31d4)

[github-actions]

Destroying PR test environment (RG: rg-tree718abc7)... (run: https://github.com/microsoft/AzureTRE/actions/runs/7180394756)

[github-actions]

PR test environment destroy complete (RG: rg-tree718abc7)