From 5c785ad06e89e7e6c7a545df72b320938a4ddff9 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 14:27:55 +0000
Subject: [PATCH 01/10] Terraform occasionally recreating private endpoints Fixes #4452
---
 core/terraform/airlock/airlock_processor.tf | 1 +
 core/terraform/appgateway/data.tf | 3 +-
 core/terraform/appgateway/staticweb.tf | 2 +-
 core/terraform/appgateway/variables.tf | 3 ++
 core/terraform/data.tf | 5 ++++
 core/terraform/main.tf | 2 ++
 core/terraform/network/locals.tf | 2 --
 core/terraform/network/outputs.tf | 30 +++++++++----------
 .../resource_processor/vmss_porter/data.tf | 5 ----
 .../resource_processor/vmss_porter/main.tf | 4 +--
 .../vmss_porter/variables.tf | 5 ++++
 core/version.txt | 2 +-
 12 files changed, 36 insertions(+), 28 deletions(-)
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index b587fc756e..4b8dec39bf 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -63,6 +63,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 webdeploy_publish_basic_authentication_enabled = false
 storage_account_name = azurerm_storage_account.sa_airlock_processor_func_app.name
 storage_uses_managed_identity = true
+ vnet_image_pull_enabled = true
 tags = var.tre_core_tags
diff --git a/core/terraform/appgateway/data.tf b/core/terraform/appgateway/data.tf
index 702f013a59..94cdbc7a21 100644
--- a/core/terraform/appgateway/data.tf
+++ b/core/terraform/appgateway/data.tf
@@ -1,5 +1,4 @@
-data "azurerm_client_config" "deployer" {}
-
+# This causes terraform churn, can it be avoided?
 data "azurerm_monitor_diagnostic_categories" "agw" {
 resource_id = azurerm_application_gateway.agw.id
 depends_on = [
diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
index 4fa50aa4ab..bbd51b8fb4 100644
--- a/core/terraform/appgateway/staticweb.tf
+++ b/core/terraform/appgateway/staticweb.tf
@@ -52,7 +52,7 @@ resource "azurerm_storage_account_static_website" "staticweb_site" {
 resource "azurerm_role_assignment" "stgwriter" {
 scope = azurerm_storage_account.staticweb.id
 role_definition_name = "Storage Blob Data Contributor"
- principal_id = data.azurerm_client_config.deployer.object_id
+ principal_id = var.deployer_principal_id
 }
 resource "azurerm_private_endpoint" "webpe" {
diff --git a/core/terraform/appgateway/variables.tf b/core/terraform/appgateway/variables.tf
index 8124cdabcd..77c223ec2c 100644
--- a/core/terraform/appgateway/variables.tf
+++ b/core/terraform/appgateway/variables.tf
@@ -38,3 +38,6 @@ variable "enable_cmk_encryption" {
 variable "encryption_key_versionless_id" {
 type = string
 }
+variable "deployer_principal_id" {
+ type = string
+}
diff --git a/core/terraform/data.tf b/core/terraform/data.tf
index ece0a8e734..91509f888c 100644
--- a/core/terraform/data.tf
+++ b/core/terraform/data.tf
@@ -38,3 +38,8 @@ data "azurerm_monitor_diagnostic_categories" "sb" {
 azurerm_servicebus_namespace.sb
 ]
 }
+
+data "azurerm_storage_account" "mgmt_storage" {
+ name = var.mgmt_storage_account_name
+ resource_group_name = var.mgmt_resource_group_name
+}
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index 0da62c6306..f422e8415d 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -104,6 +104,7 @@ module "appgateway" {
 static_web_dns_zone_id = module.network.static_web_dns_zone_id
 log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
 app_gateway_sku = var.app_gateway_sku
+ deployer_principal_id = data.azurerm_client_config.current.object_id
 enable_cmk_encryption = var.enable_cmk_encryption
 encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
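Review bot: `deployer_principal_id` in `appgateway/variables.tf` is declared with only `type = string`, although `azurerm_role_assignment.stgwriter` in `staticweb.tf` now grants `Storage Blob Data Contributor` on `azurerm_storage_account.staticweb` to whatever value the caller passes. Add a description that states this, e.g. `description = "Object ID of the deploying principal; granted Storage Blob Data Contributor on the static web storage account"`, and consider a `validation` block that rejects an empty string so a missing value fails at plan time rather than at the role assignment. The same gap recurs later in the series: `eventgrid_private_dns_zone_id` (patch 08) is added to `airlock/variables.tf` without a description, and `acr_id` (patch 06), which becomes the `AcrPull` role-assignment scope, is described only as "ACR ID".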
@@ -174,6 +175,7 @@ module "resource_processor_vmss_porter" {
 service_bus_resource_request_queue = azurerm_servicebus_queue.workspacequeue.name
 service_bus_deployment_status_update_queue = azurerm_servicebus_queue.service_bus_deployment_status_update_queue.name
 mgmt_storage_account_name = var.mgmt_storage_account_name
+ mgmt_storage_account_id = data.azurerm_storage_account.mgmt_storage.id
 mgmt_resource_group_name = var.mgmt_resource_group_name
 terraform_state_container_name = var.terraform_state_container_name
 key_vault_name = azurerm_key_vault.kv.name
diff --git a/core/terraform/network/locals.tf b/core/terraform/network/locals.tf
index 82ae26fb2d..aaa2aea7d1 100644
--- a/core/terraform/network/locals.tf
+++ b/core/terraform/network/locals.tf
@@ -32,6 +32,4 @@ locals {
 "privatelink.queue.core.windows.net",
 "privatelink.table.core.windows.net"
 ])
-
- subnet_ids_map = { for subnet in azurerm_virtual_network.core.subnet : subnet.name => subnet.id }
 }
diff --git a/core/terraform/network/outputs.tf b/core/terraform/network/outputs.tf
index 4d2807f1d1..a2c09b0303 100644
--- a/core/terraform/network/outputs.tf
+++ b/core/terraform/network/outputs.tf
@@ -3,43 +3,43 @@ output "core_vnet_id" {
 }
 output "bastion_subnet_id" {
- value = local.subnet_ids_map["AzureBastionSubnet"]
+ value = "${azurerm_virtual_network.core.id}/subnets/AzureBastionSubnet"
 }
 output "azure_firewall_subnet_id" {
- value = local.subnet_ids_map["AzureFirewallSubnet"]
+ value = "${azurerm_virtual_network.core.id}/subnets/AzureFirewallSubnet"
 }
 output "app_gw_subnet_id" {
- value = local.subnet_ids_map["AppGwSubnet"]
+ value = "${azurerm_virtual_network.core.id}/subnets/AppGwSubnet"
 }
 output "web_app_subnet_id" {
- value = local.subnet_ids_map["WebAppSubnet"]
+ value = "${azurerm_virtual_network.core.id}/subnets/WebAppSubnet"
 }
 output "shared_subnet_id" {
- value = local.subnet_ids_map["SharedSubnet"]
+ value = "${azurerm_virtual_network.core.id}/subnets/SharedSubnet"
 }
-output "airlock_processor_subnet_id" {
- value = local.subnet_ids_map["AirlockProcessorSubnet"]
+output "resource_processor_subnet_id" {
+ value = "${azurerm_virtual_network.core.id}/subnets/ResourceProcessorSubnet"
 }
-output "airlock_storage_subnet_id" {
- value = local.subnet_ids_map["AirlockStorageSubnet"]
+output "airlock_processor_subnet_id" {
+ value = "${azurerm_virtual_network.core.id}/subnets/AirlockProcessorSubnet"
 }
-output "airlock_events_subnet_id" {
- value = local.subnet_ids_map["AirlockEventsSubnet"]
+output "airlock_notification_subnet_id" {
+ value = "${azurerm_virtual_network.core.id}/subnets/AirlockNotifiactionSubnet"
 }
-output "resource_processor_subnet_id" {
- value = local.subnet_ids_map["ResourceProcessorSubnet"]
+output "airlock_storage_subnet_id" {
+ value = "${azurerm_virtual_network.core.id}/subnets/AirlockStorageSubnet"
 }
-output "airlock_notification_subnet_id" {
- value = local.subnet_ids_map["AirlockNotifiactionSubnet"]
+output "airlock_events_subnet_id" {
+ value = "${azurerm_virtual_network.core.id}/subnets/AirlockEventsSubnet"
 }
 # DNS Zones
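Review bot: The subnet IDs in `core/terraform/network/outputs.tf` are now assembled from hard-coded name strings, so nothing checks that a subnet of that name exists in `azurerm_virtual_network.core`; the removed `local.subnet_ids_map[...]` lookup would raise an invalid-index error for an unknown name. A name that drifts from the VNet definition would now yield a well-formed ID that only fails when a private endpoint or other subnet-bound resource is applied against it. The literal `AirlockNotifiactionSubnet` is misspelled but matches the key the old map used, so it presumably matches the deployed subnet name and must not be corrected in this file alone. A comment above the outputs would make that explicit, e.g. `# Subnet names must match the subnet blocks of azurerm_virtual_network.core exactly, including the existing "Notifiaction" spelling`.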
diff --git a/core/terraform/resource_processor/vmss_porter/data.tf b/core/terraform/resource_processor/vmss_porter/data.tf
index e77a94c2de..1eee168d04 100644
--- a/core/terraform/resource_processor/vmss_porter/data.tf
+++ b/core/terraform/resource_processor/vmss_porter/data.tf
@@ -49,8 +49,3 @@ data "azurerm_key_vault_key" "tre_encryption" {
 name = var.kv_encryption_key_name
 key_vault_id = var.key_store_id
 }
-
-data "azurerm_storage_account" "mgmt_storage" {
- name = var.mgmt_storage_account_name
- resource_group_name = var.mgmt_resource_group_name
-}
diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf
index bdd93ed9c6..5a1d2ae36c 100644
--- a/core/terraform/resource_processor/vmss_porter/main.tf
+++ b/core/terraform/resource_processor/vmss_porter/main.tf
@@ -174,7 +174,7 @@ resource "terraform_data" "vm_linux_reimage" {
 }
 resource "azurerm_role_assignment" "mgmt_storage_account_blob_contributor" {
- scope = data.azurerm_storage_account.mgmt_storage.id
+ scope = var.mgmt_storage_account_id
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = azurerm_user_assigned_identity.vmss_msi.principal_id
 }
@@ -239,7 +239,7 @@ resource "azurerm_private_endpoint" "mgmtblobpe" {
 private_service_connection {
 name = "psc-mgmt-${var.tre_id}"
- private_connection_resource_id = data.azurerm_storage_account.mgmt_storage.id
+ private_connection_resource_id = var.mgmt_storage_account_id
 is_manual_connection = false
 subresource_names = ["Blob"]
 }
diff --git a/core/terraform/resource_processor/vmss_porter/variables.tf b/core/terraform/resource_processor/vmss_porter/variables.tf
index 9c322fcb27..a87b3cd3c2 100644
--- a/core/terraform/resource_processor/vmss_porter/variables.tf
+++ b/core/terraform/resource_processor/vmss_porter/variables.tf
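Review bot: In `vmss_porter/main.tf` the `scope` of `azurerm_role_assignment.mgmt_storage_account_blob_contributor` and the `private_connection_resource_id` of `azurerm_private_endpoint.mgmtblobpe` now come from `var.mgmt_storage_account_id`, while the root module still passes `mgmt_storage_account_name` and `mgmt_resource_group_name` to the same module, and nothing ties the ID to the name. If a caller supplied an ID for a different account, the VMSS identity would receive `Storage Blob Data Contributor` and a private endpoint on that account, while any name-based use inside the module (not visible in these hunks) would still address the original one. State the coupling in the new variable, e.g. `description = "Resource ID of the management storage account named by mgmt_storage_account_name; used as role-assignment scope and private endpoint target"`. The `mgmtblobpe` resource block starts and ends outside its hunk.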
@@ -117,3 +117,8 @@ variable "airlock_malware_scan_result_topic_name" {
 type = string
 description = "Name of the topic to publish Airlock malware scan results to"
 }
+
+variable "mgmt_storage_account_id" {
+ type = string
+ description = "ID of the management storage account"
+}
diff --git a/core/version.txt b/core/version.txt
index 9e78220f94..224f1fb749 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.14.0"
+__version__ = "0.14.4"
From 298ea80a96d57aa22bdf5b9caee2b6ffc7bcb233 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 14:30:07 +0000
Subject: [PATCH 02/10] Remove redundant az api call.
---
 core/terraform/airlock/airlock_processor.tf | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 4b8dec39bf..7b8ccea2ba 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -138,21 +138,6 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 depends_on = [azurerm_private_endpoint.function_storage]
 }
-resource "azapi_update_resource" "airlock_vnet_container_pull_routing" {
- resource_id = azurerm_linux_function_app.airlock_function_app.id
- type = "Microsoft.Web/sites@2022-09-01"
-
- body = jsonencode({
- properties = {
- vnetImagePullEnabled : true
- }
- })
-
- depends_on = [
- azurerm_linux_function_app.airlock_function_app
- ]
-}
-
 resource "azapi_resource_action" "restart_airlock_function_app" {
 type = "Microsoft.Web/sites@2022-09-01"
 resource_id = azurerm_linux_function_app.airlock_function_app.id
From 1dcb2ab095a55a3a644136bdbff03015a0879683 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 14:36:37 +0000
Subject: [PATCH 03/10] remove reference
---
 core/terraform/airlock/airlock_processor.tf | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 7b8ccea2ba..af2ac609cf 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -143,10 +143,6 @@ resource "azapi_resource_action" "restart_airlock_function_app" {
 resource_id = azurerm_linux_function_app.airlock_function_app.id
 method = "POST"
 action = "restart"
-
- depends_on = [
- azapi_update_resource.airlock_vnet_container_pull_routing
- ]
 }
 resource "azurerm_monitor_diagnostic_setting" "airlock_function_app" {
From cca5e4d8dd16a0fe8f50e04f3c8ff08d3abf7376 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 19:10:37 +0000
Subject: [PATCH 04/10] Terraform occasionally recreating private endpoints Fixes #4452
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a655b6657f..835066453f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ ENHANCEMENTS:
 * Ability to customise UI header and footer text ([#4201](https://github.com/microsoft/AzureTRE/issues/4201))
 * Allow AUTO_GRANT_WORKSPACE_CONSENT config variable to set be set via CI/CD ([#4533](https://github.com/microsoft/AzureTRE/pull/4533))
 * Delete old database migrations ([#4168](https://github.com/microsoft/AzureTRE/issues/4168))
+* Update terraform to reduce recreation of private endpoints and other resources ([#4539](https://github.com/microsoft/AzureTRE/pull/4539))
 BUG FIXES:
 * Letsencrypt.yml fails with "Invalid reference in variable validation" ([#4506](https://github.com/microsoft/AzureTRE/4506))
From c74874fd857b81e8a5c9882879566c770e97c6c4 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 19:11:20 +0000
Subject: [PATCH 05/10] remove comment
---
 core/terraform/appgateway/data.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/core/terraform/appgateway/data.tf b/core/terraform/appgateway/data.tf
index 94cdbc7a21..74dd56ee4b 100644
--- a/core/terraform/appgateway/data.tf
+++ b/core/terraform/appgateway/data.tf
@@ -1,4 +1,3 @@
-# This causes terraform churn, can it be avoided?
 data "azurerm_monitor_diagnostic_categories" "agw" {
 resource_id = azurerm_application_gateway.agw.id
 depends_on = [
From f1bdf5e4ef8369f57bd99695be4cfd31101cf36e Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 19:44:05 +0000
Subject: [PATCH 06/10] Move ACR data block out of child module
---
 core/terraform/airlock/data.tf | 5 -----
 core/terraform/airlock/identity.tf | 2 +-
 core/terraform/airlock/variables.tf | 5 +++++
 core/terraform/data.tf | 5 +++++
 core/terraform/main.tf | 1 +
 5 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/core/terraform/airlock/data.tf b/core/terraform/airlock/data.tf
index 73915e6b6a..89da7fb118 100644
--- a/core/terraform/airlock/data.tf
+++ b/core/terraform/airlock/data.tf
@@ -7,11 +7,6 @@ data "azurerm_private_dns_zone" "eventgrid" {
 resource_group_name = var.resource_group_name
 }
-data "azurerm_container_registry" "mgmt_acr" {
- name = var.mgmt_acr_name
- resource_group_name = var.mgmt_resource_group_name
-}
-
 data "azurerm_monitor_diagnostic_categories" "eventgrid_custom_topics" {
 resource_id = azurerm_eventgrid_topic.airlock_notification.id
 }
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index a21a26f562..b4e272c144 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
@@ -8,7 +8,7 @@ resource "azurerm_user_assigned_identity" "airlock_id" {
 }
 resource "azurerm_role_assignment" "acrpull_role" {
- scope = data.azurerm_container_registry.mgmt_acr.id
+ scope = var.acr_id
 role_definition_name = "AcrPull"
 principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
 }
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
index bb0fad04df..f30416caf6 100644
--- a/core/terraform/airlock/variables.tf
+++ b/core/terraform/airlock/variables.tf
@@ -44,6 +44,11 @@ variable "mgmt_acr_name" {
 description = "Management ACR name"
 }
+variable "acr_id" {
+ type = string
+ description = "ACR ID"
+}
+
 variable "airlock_app_service_plan_sku" {
 type = string
 default = "P1v3"
diff --git a/core/terraform/data.tf b/core/terraform/data.tf
index 91509f888c..1fc5e5e634 100644
--- a/core/terraform/data.tf
+++ b/core/terraform/data.tf
@@ -43,3 +43,8 @@ data "azurerm_storage_account" "mgmt_storage" {
 name = var.mgmt_storage_account_name
 resource_group_name = var.mgmt_resource_group_name
 }
+
+data "azurerm_container_registry" "acr" {
+ name = var.acr_name
+ resource_group_name = var.mgmt_resource_group_name
+}
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index f422e8415d..a01f266870 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -129,6 +129,7 @@ module "airlock_resources" {
 docker_registry_server = local.docker_registry_server
 mgmt_resource_group_name = var.mgmt_resource_group_name
 mgmt_acr_name = var.acr_name
+ acr_id = data.azurerm_container_registry.acr.id
 api_principal_id = azurerm_user_assigned_identity.id.principal_id
 airlock_app_service_plan_sku = var.core_app_service_plan_sku
 airlock_processor_subnet_id = module.network.airlock_processor_subnet_id
From fb1c3517859818055679f7a9469b1ff1550762e4 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 19:52:52 +0000
Subject: [PATCH 07/10] remove unused var
---
 core/terraform/airlock/variables.tf | 5 -----
 core/terraform/main.tf | 1 -
 2 files changed, 6 deletions(-)
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
index f30416caf6..41bb81682c 100644
--- a/core/terraform/airlock/variables.tf
+++ b/core/terraform/airlock/variables.tf
@@ -39,11 +39,6 @@ variable "mgmt_resource_group_name" {
 description = "Shared management resource group"
 }
-variable "mgmt_acr_name" {
- type = string
- description = "Management ACR name"
-}
-
 variable "acr_id" {
 type = string
 description = "ACR ID"
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index a01f266870..670cb0da5f 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -128,7 +128,6 @@ module "airlock_resources" {
 airlock_events_subnet_id = module.network.airlock_events_subnet_id
 docker_registry_server = local.docker_registry_server
 mgmt_resource_group_name = var.mgmt_resource_group_name
- mgmt_acr_name = var.acr_name
 acr_id = data.azurerm_container_registry.acr.id
 api_principal_id = azurerm_user_assigned_identity.id.principal_id
 airlock_app_service_plan_sku = var.core_app_service_plan_sku
From 4e498695998acb40bdc158b9d19ca08fb2f7ebb2 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 20:22:37 +0000
Subject: [PATCH 08/10] move event grid dns data out of module
---
 core/terraform/airlock/data.tf | 5 -----
 core/terraform/airlock/eventgrid_topics.tf | 8 ++++----
 core/terraform/airlock/variables.tf | 3 +++
 core/terraform/main.tf | 1 +
 core/terraform/network/outputs.tf | 3 +++
 5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/core/terraform/airlock/data.tf b/core/terraform/airlock/data.tf
index 89da7fb118..dbec1db64c 100644
--- a/core/terraform/airlock/data.tf
+++ b/core/terraform/airlock/data.tf
@@ -2,11 +2,6 @@ data "local_file" "airlock_processor_version" {
 filename = "${path.root}/../../airlock_processor/_version.py"
 }
-data "azurerm_private_dns_zone" "eventgrid" {
- name = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
- resource_group_name = var.resource_group_name
-}
-
 data "azurerm_monitor_diagnostic_categories" "eventgrid_custom_topics" {
 resource_id = azurerm_eventgrid_topic.airlock_notification.id
 }
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
index d9faaef013..bc38addfae 100644
--- a/core/terraform/airlock/eventgrid_topics.tf
+++ b/core/terraform/airlock/eventgrid_topics.tf
@@ -44,7 +44,7 @@ resource "azurerm_private_endpoint" "eg_step_result" {
 private_dns_zone_group {
 name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+ private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
 }
 private_service_connection {
@@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "eg_status_changed" {
 private_dns_zone_group {
 name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+ private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
 }
 private_service_connection {
@@ -148,7 +148,7 @@ resource "azurerm_private_endpoint" "eg_data_deletion" {
 private_dns_zone_group {
 name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+ private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
 }
 private_service_connection {
@@ -365,7 +365,7 @@ resource "azurerm_private_endpoint" "eg_airlock_notification" {
 private_dns_zone_group {
 name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.eventgrid.id]
+ private_dns_zone_ids = [var.eventgrid_private_dns_zone_id]
 }
 private_service_connection {
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
index 41bb81682c..be8fb751dd 100644
--- a/core/terraform/airlock/variables.tf
+++ b/core/terraform/airlock/variables.tf
@@ -94,6 +94,9 @@ variable "queue_core_dns_zone_id" {
 variable "table_core_dns_zone_id" {
 type = string
 }
+variable "eventgrid_private_dns_zone_id" {
+ type = string
+}
 variable "encryption_identity_id" {
 type = string
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index 670cb0da5f..b9c6aae17b 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -143,6 +143,7 @@ module "airlock_resources" {
 file_core_dns_zone_id = module.network.file_core_dns_zone_id
 queue_core_dns_zone_id = module.network.queue_core_dns_zone_id
 table_core_dns_zone_id = module.network.table_core_dns_zone_id
+ eventgrid_private_dns_zone_id = module.network.eventgrid_private_dns_zone_id
 enable_local_debugging = var.enable_local_debugging
 myip = local.myip
diff --git a/core/terraform/network/outputs.tf b/core/terraform/network/outputs.tf
index a2c09b0303..001af6aad1 100644
--- a/core/terraform/network/outputs.tf
+++ b/core/terraform/network/outputs.tf
@@ -84,6 +84,9 @@ output "table_core_dns_zone_id" {
 value = azurerm_private_dns_zone.private_dns_zones["privatelink.table.core.windows.net"].id
 }
+output "eventgrid_private_dns_zone_id" {
+ value = azurerm_private_dns_zone.eventgrid.id
+}
 output "azurecr_dns_zone_id" {
 value = azurerm_private_dns_zone.azurecr.id
From 484951dbd8339780b40f42a8fb5d167c93fa2fc4 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 20:27:23 +0000
Subject: [PATCH 09/10] remove unused var
---
 core/terraform/airlock/variables.tf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
index be8fb751dd..69888118d0 100644
--- a/core/terraform/airlock/variables.tf
+++ b/core/terraform/airlock/variables.tf
@@ -34,11 +34,6 @@ variable "airlock_processor_image_repository" {
 default = "microsoft/azuretre/airlock-processor"
 }
-variable "mgmt_resource_group_name" {
- type = string
- description = "Shared management resource group"
-}
-
 variable "acr_id" {
 type = string
 description = "ACR ID"
From 724fe5bfffc206f6fd85c4690be718d216781a47 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 13 May 2025 20:38:16 +0000
Subject: [PATCH 10/10] remove property
---
 core/terraform/main.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index b9c6aae17b..38d68047b5 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -127,7 +127,6 @@ module "airlock_resources" {
 airlock_storage_subnet_id = module.network.airlock_storage_subnet_id
 airlock_events_subnet_id = module.network.airlock_events_subnet_id
 docker_registry_server = local.docker_registry_server
- mgmt_resource_group_name = var.mgmt_resource_group_name
 acr_id = data.azurerm_container_registry.acr.id
 api_principal_id = azurerm_user_assigned_identity.id.principal_id
 airlock_app_service_plan_sku = var.core_app_service_plan_sku