From f17e7a2295971fdd81938ef1ead2d230247a3089 Mon Sep 17 00:00:00 2001
From: James Chapman
Date: Mon, 27 Apr 2026 13:19:02 +0000
Subject: [PATCH 1/4] update allowed urls in nexus
---
 .../sonatype-nexus-vm/porter.yaml | 2 +-
 .../terraform/.terraform.lock.hcl | 18 ++++++++++++++++++
 .../sonatype-nexus-vm/terraform/locals.tf | 4 ++--
 .../sonatype-nexus-vm/terraform/main.tf | 4 ++++
 4 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
index b4573514d..b9e11dd85 100644
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 3.7.8
+version: 3.7.9
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
index aa70e2662..2a2d6f7b4 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
@@ -60,3 +60,21 @@ provider "registry.terraform.io/hashicorp/random" { "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", ] } + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + constraints = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf index be9698931..8c8f708e4 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf 
@@ -1,9 +1,9 @@
 locals {
 core_vnet = "vnet-${var.tre_id}"
 core_resource_group_name = "rg-${var.tre_id}"
- nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com"
+ nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com,docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com"
 nexus_allowed_fqdns_list = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
- workspace_vm_allowed_fqdns = "r3.o.lencr.org,x1.c.lencr.org"
+ workspace_vm_allowed_fqdns = "r3.o.lencr.org,x1.c.lencr.org,e8.o.lencr.org,e8.i.lencr.org,e8.c.lencr.org"
 workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", ""))))
 storage_account_name = lower(replace("stg-${var.tre_id}", "-", ""))
 tre_shared_service_tags = {
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf
index c8b18fd41..72006e680 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf
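Review bot: The host appended to `nexus_allowed_fqdns`, `docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com`, is an account-scoped object-storage endpoint, and nothing next to it says what it is or why it has to stay exact. From the name and the changelog entry in this series it appears to be the storage backend that Docker Hub image-layer downloads are served from. On a multi-tenant storage domain the account label is the only part that limits the rule to that one publisher, so a later shortening to `*.r2.cloudflarestorage.com` would open general egress from the Nexus VM. I would add a comment above the local, e.g. `# docker-images-prod.<account>.r2.cloudflarestorage.com = Docker Hub layer storage; keep the full host, never wildcard the R2 domain`. The `locals` block continues past the end of this hunk.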
@@ -13,6 +13,10 @@ terraform { source = "hashicorp/cloudinit" version = "= 2.3.5" } + template = { + source = "hashicorp/template" + version = "= 2.2.0" + } } backend "azurerm" {} From 4895fb83127d5d00bcad738e6a49f7a0791b0fc6 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Mon, 27 Apr 2026 13:24:31 +0000 Subject: [PATCH 2/4] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ab4bcb53..361de65db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ BUG FIXES: * Fix Mysql template ignored storage_mb ([#4846](https://github.com/microsoft/AzureTRE/issues/4846)) * Fix duplicate `TOPIC_SUBSCRIPTION_NAME` in `core/terraform/airlock/airlock_processor.tf` ([#4847](https://github.com/microsoft/AzureTRE/pull/4847)) * Fix Nexus repository access blocked by unaccepted EULA in Nexus 3.77+ Community Edition ([#4842](https://github.com/microsoft/AzureTRE/issues/4842)) +* Update allowed URLs in Nexus for docker and letsencrypt ([#4899](https://github.com/microsoft/AzureTRE/pull/4899)) COMPONENTS: From 29aac95cfb8175b13db5e641a22ef8ec4a46cb20 Mon Sep 17 00:00:00 2001 From: James Chapman Date: Mon, 27 Apr 2026 13:36:29 +0000 Subject: [PATCH 3/4] change to wildcard lencr urls --- templates/shared_services/sonatype-nexus-vm/terraform/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf index 8c8f708e4..62e5e3987 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf 
@@ -3,7 +3,7 @@ locals {
 core_resource_group_name = "rg-${var.tre_id}"
 nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com,docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com"
 nexus_allowed_fqdns_list = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
- workspace_vm_allowed_fqdns = "r3.o.lencr.org,x1.c.lencr.org,e8.o.lencr.org,e8.i.lencr.org,e8.c.lencr.org"
+ workspace_vm_allowed_fqdns = "*.o.lencr.org,*.c.lencr.org,*.i.lencr.org"
 workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", ""))))
 storage_account_name = lower(replace("stg-${var.tre_id}", "-", ""))
 tre_shared_service_tags = {
From 397c3910dbd72aa0d0046db0cf99f295fb7454cf Mon Sep 17 00:00:00 2001
From: James Chapman
Date: Tue, 28 Apr 2026 14:23:03 +0000
Subject: [PATCH 4/4] revert template module
---
 .../terraform/.terraform.lock.hcl | 18 ------------------
 .../sonatype-nexus-vm/terraform/main.tf | 4 ----
 2 files changed, 22 deletions(-)
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
index 2a2d6f7b4..aa70e2662 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl
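Review bot: Swapping the per-intermediate hosts for `*.o.lencr.org,*.c.lencr.org,*.i.lencr.org` in `workspace_vm_allowed_fqdns` widens an egress allow-list, and the reason is recorded only in the commit subject, not in the file. The labels appear to map to Let's Encrypt's OCSP (`o`), CRL (`c`) and issuer-certificate (`i`) endpoints, whose host names change when a new intermediate such as E8 comes into use, so the wildcards are defensible. A comment above the local would record that, e.g. `# Let's Encrypt revocation/issuer hosts (o=OCSP, c=CRL, i=issuer cert); wildcarded because intermediate names rotate`. Let's Encrypt has announced the retirement of its OCSP responders, so it is worth confirming that `*.o.lencr.org` is still needed before keeping it on the list. The `locals` block starts before and ends after this hunk.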
@@ -60,21 +60,3 @@ provider "registry.terraform.io/hashicorp/random" { "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", ] } - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - constraints = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf index 72006e680..c8b18fd41 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf @@ -13,10 +13,6 @@ terraform { source = "hashicorp/cloudinit" version = "= 2.3.5" } - template = { - source = "hashicorp/template" - version = "= 2.2.0" - } } backend "azurerm" {}