
Add Azure Virtual Desktop Workspace Service #1865

Draft
wants to merge 13 commits into main

Conversation

SvenAelterman
Collaborator

@SvenAelterman SvenAelterman commented May 18, 2022

#517

What is being addressed

This creates an Azure Virtual Desktop deployment in the workspace. Based on work from Paul Yu and @marrobi.

How is this addressed

  • Add new workspace service folder with Porter bundle using Azure Bicep templates.

Pending work:

Additional work noted:

  • Remove localAdminPassword param and generate a new unique value to be stored in the workspace's KV.
  • Update to use latest AVD artifacts: https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_02-23-2022.zip
  • Use the AVD ARM templates to deploy session hosts instead of recreating that in Bicep.
  • Create an availability set for the session hosts.
  • Output the needed hub firewall rules as rules_collection.
  • Create unique ARM deployments by appending the service ID and the deployment timestamp.
  • Update the connection_uri output from Bicep to a shortlink, or update to the April 2022 AVD endpoint URL.
  • Fix the customRdpProperty on the hostpool for TRE purposes (disable drive redirection, disable clipboard).
  • Attempt to configure the session hosts to disable drive redirection and clipboard with policy.
  • Create a parameter for the friendly name of the workspace and the desktop application because those are user-facing. Provide reasonable defaults.
  • Parameter for images. Using custom images might need to be a separate issue.
  • Resolve MD linter errors.
  • Use private endpoints for connection between session hosts and AVD.
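One way to express the host pool hardening and user-facing names from the checklist above, as an added Bicep example that is not part of this PR's bundle (resource and parameter names are assumptions; the desktop application's own friendly name is not covered here):

```bicep
// Added example (not code from this PR): a pooled AVD host pool, desktop
// application group and workspace. The RDP properties turn off drive and
// clipboard redirection; friendly names are parameters with defaults.
param location string = resourceGroup().location
param hostPoolName string = 'hp-tre-avd'
param workspaceFriendlyName string = 'TRE Workspace'
param appGroupFriendlyName string = 'TRE Desktop'

// An empty s: list redirects nothing; i:0 switches a redirection off.
var hardenedRdpProperties = '${join([
  'drivestoredirect:s:'
  'usbdevicestoredirect:s:'
  'devicestoredirect:s:'
  'redirectclipboard:i:0'
  'redirectprinters:i:0'
  'redirectcomports:i:0'
  'redirectsmartcards:i:0'
], ';')};'

resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = {
  name: hostPoolName
  location: location
  properties: {
    hostPoolType: 'Pooled'
    loadBalancerType: 'BreadthFirst'
    preferredAppGroupType: 'Desktop'
    customRdpProperty: hardenedRdpProperties
  }
}

resource desktopAppGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = {
  name: '${hostPoolName}-dag'
  location: location
  properties: {
    applicationGroupType: 'Desktop'
    hostPoolArmPath: hostPool.id
    friendlyName: appGroupFriendlyName
  }
}

resource workspace 'Microsoft.DesktopVirtualization/workspaces@2022-09-09' = {
  name: '${hostPoolName}-ws'
  location: location
  properties: {
    friendlyName: workspaceFriendlyName
    applicationGroupReferences: [desktopAppGroup.id]
  }
}
```

After deployment, `az desktopvirtualization hostpool show` on the host pool lets you confirm the customRdpProperty string actually applied, since clients pick it up on the next connection.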

@github-actions github-actions bot added the external PR from an external contributor label May 18, 2022
@marrobi
Member

marrobi commented May 27, 2022

@SvenAelterman I've moved the pending work to here and am closing my draft.

@marrobi
Member

marrobi commented Oct 6, 2022

@SvenAelterman adding a note here for anybody who might look to pick this up. I have discussed this PR with a couple of groups.

We are aware of a challenge when using AVD in a TRE scenario where users can access other "external" AVD environments from within a workspace. This is due to the firewall rules required to enable AVD to operate and provides a potential route for data exfiltration.

@marrobi marrobi added the blocked Cannot progress at present label Oct 21, 2022
@ukct

ukct commented Oct 21, 2022

@marrobi - A partial solution to the data exfiltration issue is to make use of Windows Firewall within the session host itself - this obviously relies on users being unable to modify those firewall rules due to local admin rights or privilege escalation exploits.
Add a new rule within the firewall to block the IP addresses used by the WindowsVirtualDesktop service tag, applied to local principal 'Everyone', except for 'SYSTEM', 'LOCAL SERVICE' and 'NETWORK SERVICE'. This will prevent users from accessing an external AVD environment but still allow AVD itself to operate.

@marrobi marrobi mentioned this pull request Mar 8, 2023
@SvenAelterman
Collaborator Author

To anyone following this PR, the best solution to avoid the exfiltration issue is to use private endpoints for AVD, now GA.

I don't know when, but I would be open to restarting the work on providing an AVD workspace service template that leverages this. It would likely require a change to the TRE core so it deploys the required private DNS zone for this new private link service.

@SvenAelterman SvenAelterman self-assigned this Aug 2, 2023
@marrobi
Member

marrobi commented Jan 4, 2024

This could also be a nice addition: https://learn.microsoft.com/en-us/azure/virtual-desktop/uri-scheme

@secure()
param passwordSeed string = newGuid()

var shortWorkspaceId = substring(workspaceId, length(workspaceId) - 4, 4)
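Review bot: the `substring(workspaceId, length(workspaceId) - 4, 4)` on the last line produces a negative start index, and therefore a deployment-time error, if workspaceId is ever shorter than four characters; `skip(workspaceId, length(workspaceId) - 4)` returns the same trailing four characters for normal input and, because skip treats a count of zero or less as "skip nothing", falls back to the whole identifier instead of failing. The `@secure()` on passwordSeed is right given the checklist item to stop taking localAdminPassword as a parameter, and `newGuid()` is correctly placed since it is only permitted as a parameter default.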
Collaborator Author


Use skip() instead of substring()


github-actions bot commented Aug 6, 2024

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 2eeac7d.
