Merge pull request #1821 from jemrobinson/1802-add-aci-dns

jemrobinson · web-flow · commit 432c07eb7c81 · 2024-04-19T10:54:36.000+01:00
Add local DNS for SRE identity server
diff --git a/data_safe_haven/infrastructure/components/composite/local_dns_record.py b/data_safe_haven/infrastructure/components/composite/local_dns_record.py
@@ -47,6 +47,7 @@ def __init__(
             ttl=3600,
             opts=child_opts,
         )
+
         # Redirect the public DNS to private DNS
         network.RecordSet(
             f"{self._name}_public_record_set",
@@ -62,3 +63,6 @@ def __init__(
                 child_opts, ResourceOptions(parent=private_dns_record_set)
             ),
         )
+
+        # Register outputs
+        self.hostname = Output.concat(props.record_name, ".", props.base_fqdn)
diff --git a/data_safe_haven/infrastructure/stacks/declarative_sre.py b/data_safe_haven/infrastructure/stacks/declarative_sre.py
@@ -216,8 +216,11 @@ def run(self) -> None:
                 aad_application_name=f"sre-{self.sre_name}-apricot",
                 aad_auth_token=self.graph_api_token,
                 aad_tenant_id=self.cfg.shm.aad_tenant_id,
+                dns_resource_group_name=dns.resource_group.name,
                 location=self.cfg.azure.location,
+                networking_resource_group_name=networking.resource_group.name,
                 shm_fqdn=self.cfg.shm.fqdn,
+                sre_fqdn=networking.sre_fqdn,
                 storage_account_key=data.storage_account_data_configuration_key,
                 storage_account_name=data.storage_account_data_configuration_name,
                 storage_account_resource_group_name=data.resource_group_name,
@@ -255,7 +258,7 @@ def run(self) -> None:
                 dns_server_ip=dns.ip_address,
                 ldap_group_filter=ldap_group_filter,
                 ldap_group_search_base=ldap_group_search_base,
-                ldap_server_ip=identity.ip_address,
+                ldap_server_hostname=identity.hostname,
                 ldap_server_port=identity.server_port,
                 ldap_user_filter=ldap_user_filter,
                 ldap_user_search_base=ldap_user_search_base,
@@ -277,7 +280,7 @@ def run(self) -> None:
                 admin_password=data.password_workspace_admin,
                 ldap_group_filter=ldap_group_filter,
                 ldap_group_search_base=ldap_group_search_base,
-                ldap_server_ip=identity.ip_address,
+                ldap_server_hostname=identity.hostname,
                 ldap_server_port=identity.server_port,
                 ldap_user_filter=ldap_user_filter,
                 ldap_user_search_base=ldap_user_search_base,
@@ -315,7 +318,7 @@ def run(self) -> None:
                 dns_server_ip=dns.ip_address,
                 gitea_database_password=data.password_gitea_database_admin,
                 hedgedoc_database_password=data.password_hedgedoc_database_admin,
-                ldap_server_ip=identity.ip_address,
+                ldap_server_hostname=identity.hostname,
                 ldap_server_port=identity.server_port,
                 ldap_user_filter=ldap_user_filter,
                 ldap_username_attribute=ldap_username_attribute,
diff --git a/data_safe_haven/infrastructure/stacks/sre/gitea_server.py b/data_safe_haven/infrastructure/stacks/sre/gitea_server.py
@@ -28,7 +28,7 @@ def __init__(
         database_subnet_id: Input[str],
         dns_resource_group_name: Input[str],
         dns_server_ip: Input[str],
-        ldap_server_ip: Input[str],
+        ldap_server_hostname: Input[str],
         ldap_server_port: Input[int],
         ldap_username_attribute: Input[str],
         ldap_user_filter: Input[str],
@@ -51,7 +51,7 @@ def __init__(
         )
         self.dns_resource_group_name = dns_resource_group_name
         self.dns_server_ip = dns_server_ip
-        self.ldap_server_ip = ldap_server_ip
+        self.ldap_server_hostname = ldap_server_hostname
         self.ldap_server_port = ldap_server_port
         self.ldap_username_attribute = ldap_username_attribute
         self.ldap_user_filter = ldap_user_filter
@@ -130,7 +130,7 @@ def __init__(
             admin_username="dshadmin",
             ldap_username_attribute=props.ldap_username_attribute,
             ldap_user_filter=props.ldap_user_filter,
-            ldap_server_ip=props.ldap_server_ip,
+            ldap_server_hostname=props.ldap_server_hostname,
             ldap_server_port=props.ldap_server_port,
             ldap_user_search_base=props.ldap_user_search_base,
         ).apply(
diff --git a/data_safe_haven/infrastructure/stacks/sre/hedgedoc_server.py b/data_safe_haven/infrastructure/stacks/sre/hedgedoc_server.py
@@ -29,7 +29,7 @@ def __init__(
         database_subnet_id: Input[str],
         dns_resource_group_name: Input[str],
         dns_server_ip: Input[str],
-        ldap_server_ip: Input[str],
+        ldap_server_hostname: Input[str],
         ldap_server_port: Input[int],
         ldap_user_filter: Input[str],
         ldap_user_search_base: Input[str],
@@ -52,7 +52,7 @@ def __init__(
         )
         self.dns_resource_group_name = dns_resource_group_name
         self.dns_server_ip = dns_server_ip
-        self.ldap_server_ip = ldap_server_ip
+        self.ldap_server_hostname = ldap_server_hostname
         self.ldap_server_port = Output.from_input(ldap_server_port).apply(str)
         self.ldap_user_filter = ldap_user_filter
         self.ldap_user_search_base = ldap_user_search_base
@@ -225,7 +225,7 @@ def __init__(
                             name="CMD_LDAP_URL",
                             value=Output.concat(
                                 "ldap://",
-                                props.ldap_server_ip,
+                                props.ldap_server_hostname,
                                 ":",
                                 props.ldap_server_port,
                             ),
diff --git a/data_safe_haven/infrastructure/stacks/sre/identity.py b/data_safe_haven/infrastructure/stacks/sre/identity.py
@@ -11,6 +11,8 @@
 from data_safe_haven.infrastructure.components import (
     AzureADApplication,
     AzureADApplicationProps,
+    LocalDnsRecordComponent,
+    LocalDnsRecordProps,
 )
 
 
@@ -22,8 +24,11 @@ def __init__(
         aad_application_name: Input[str],
         aad_auth_token: Input[str],
         aad_tenant_id: Input[str],
+        dns_resource_group_name: Input[str],
         location: Input[str],
+        networking_resource_group_name: Input[str],
         shm_fqdn: Input[str],
+        sre_fqdn: Input[str],
         storage_account_key: Input[str],
         storage_account_name: Input[str],
         storage_account_resource_group_name: Input[str],
@@ -32,8 +37,11 @@ def __init__(
         self.aad_application_name = aad_application_name
         self.aad_auth_token = aad_auth_token
         self.aad_tenant_id = aad_tenant_id
+        self.dns_resource_group_name = dns_resource_group_name
         self.location = location
+        self.networking_resource_group_name = networking_resource_group_name
         self.shm_fqdn = shm_fqdn
+        self.sre_fqdn = sre_fqdn
         self.storage_account_key = storage_account_key
         self.storage_account_name = storage_account_name
         self.storage_account_resource_group_name = storage_account_resource_group_name
@@ -220,5 +228,20 @@ def __init__(
             tags=child_tags,
         )
 
+        # Register the container group in the SRE DNS zone
+        local_dns = LocalDnsRecordComponent(
+            f"{self._name}_dns_record_set",
+            LocalDnsRecordProps(
+                base_fqdn=props.sre_fqdn,
+                public_dns_resource_group_name=props.networking_resource_group_name,
+                private_dns_resource_group_name=props.dns_resource_group_name,
+                private_ip_address=get_ip_address_from_container_group(container_group),
+                record_name="identity",
+            ),
+            opts=ResourceOptions.merge(
+                child_opts, ResourceOptions(parent=container_group)
+            ),
+        )
+
         # Register outputs
-        self.ip_address = get_ip_address_from_container_group(container_group)
+        self.hostname = local_dns.hostname
diff --git a/data_safe_haven/infrastructure/stacks/sre/remote_desktop.py b/data_safe_haven/infrastructure/stacks/sre/remote_desktop.py
@@ -13,7 +13,6 @@
 from data_safe_haven.external import AzureIPv4Range
 from data_safe_haven.infrastructure.common import (
     get_id_from_subnet,
-    get_ip_address_from_container_group,
 )
 from data_safe_haven.infrastructure.components import (
     AzureADApplication,
@@ -42,7 +41,7 @@ def __init__(
         dns_server_ip: Input[str],
         ldap_group_filter: Input[str],
         ldap_group_search_base: Input[str],
-        ldap_server_ip: Input[str],
+        ldap_server_hostname: Input[str],
         ldap_server_port: Input[int],
         ldap_user_filter: Input[str],
         ldap_user_search_base: Input[str],
@@ -67,7 +66,7 @@ def __init__(
         self.dns_server_ip = dns_server_ip
         self.ldap_group_filter = ldap_group_filter
         self.ldap_group_search_base = ldap_group_search_base
-        self.ldap_server_ip = ldap_server_ip
+        self.ldap_server_hostname = ldap_server_hostname
         self.ldap_server_port = ldap_server_port
         self.ldap_user_filter = ldap_user_filter
         self.ldap_user_search_base = ldap_user_search_base
@@ -324,7 +323,7 @@ def __init__(
                         ),
                         containerinstance.EnvironmentVariableArgs(
                             name="LDAP_HOST",
-                            value=props.ldap_server_ip,
+                            value=props.ldap_server_hostname,
                         ),
                         containerinstance.EnvironmentVariableArgs(
                             name="LDAP_PORT",
@@ -421,9 +420,6 @@ def __init__(
             "connection_db_name": db_guacamole_connections,
             "connection_db_server_name": db_server_guacamole.db_server.name,
             "container_group_name": container_group.name,
-            "container_ip_address": get_ip_address_from_container_group(
-                container_group
-            ),
             "disable_copy": props.disable_copy,
             "disable_paste": props.disable_paste,
             "resource_group_name": resource_group.name,
diff --git a/data_safe_haven/infrastructure/stacks/sre/user_services.py b/data_safe_haven/infrastructure/stacks/sre/user_services.py
@@ -26,7 +26,7 @@ def __init__(
         dns_server_ip: Input[str],
         gitea_database_password: Input[str],
         hedgedoc_database_password: Input[str],
-        ldap_server_ip: Input[str],
+        ldap_server_hostname: Input[str],
         ldap_server_port: Input[int],
         ldap_username_attribute: Input[str],
         ldap_user_filter: Input[str],
@@ -51,7 +51,7 @@ def __init__(
         self.dns_server_ip = dns_server_ip
         self.gitea_database_password = gitea_database_password
         self.hedgedoc_database_password = hedgedoc_database_password
-        self.ldap_server_ip = ldap_server_ip
+        self.ldap_server_hostname = ldap_server_hostname
         self.ldap_server_port = ldap_server_port
         self.ldap_username_attribute = ldap_username_attribute
         self.ldap_user_filter = ldap_user_filter
@@ -113,7 +113,7 @@ def __init__(
                 database_password=props.gitea_database_password,
                 dns_resource_group_name=props.dns_resource_group_name,
                 dns_server_ip=props.dns_server_ip,
-                ldap_server_ip=props.ldap_server_ip,
+                ldap_server_hostname=props.ldap_server_hostname,
                 ldap_server_port=props.ldap_server_port,
                 ldap_username_attribute=props.ldap_username_attribute,
                 ldap_user_filter=props.ldap_user_filter,
@@ -141,7 +141,7 @@ def __init__(
                 database_subnet_id=props.subnet_containers_support_id,
                 dns_resource_group_name=props.dns_resource_group_name,
                 dns_server_ip=props.dns_server_ip,
-                ldap_server_ip=props.ldap_server_ip,
+                ldap_server_hostname=props.ldap_server_hostname,
                 ldap_server_port=props.ldap_server_port,
                 ldap_username_attribute=props.ldap_username_attribute,
                 ldap_user_filter=props.ldap_user_filter,
diff --git a/data_safe_haven/infrastructure/stacks/sre/workspaces.py b/data_safe_haven/infrastructure/stacks/sre/workspaces.py
@@ -32,7 +32,7 @@ def __init__(
         admin_password: Input[str],
         ldap_group_filter: Input[str],
         ldap_group_search_base: Input[str],
-        ldap_server_ip: Input[str],
+        ldap_server_hostname: Input[str],
         ldap_server_port: Input[int],
         ldap_user_filter: Input[str],
         ldap_user_search_base: Input[str],
@@ -54,7 +54,7 @@ def __init__(
         self.admin_username = "dshadmin"
         self.ldap_group_filter = ldap_group_filter
         self.ldap_group_search_base = ldap_group_search_base
-        self.ldap_server_ip = ldap_server_ip
+        self.ldap_server_hostname = ldap_server_hostname
         self.ldap_server_port = Output.from_input(ldap_server_port).apply(str)
         self.ldap_user_filter = ldap_user_filter
         self.ldap_user_search_base = ldap_user_search_base
@@ -123,7 +123,7 @@ def __init__(
         b64cloudinit = Output.all(
             ldap_group_filter=props.ldap_group_filter,
             ldap_group_search_base=props.ldap_group_search_base,
-            ldap_server_ip=props.ldap_server_ip,
+            ldap_server_hostname=props.ldap_server_hostname,
             ldap_server_port=props.ldap_server_port,
             ldap_user_filter=props.ldap_user_filter,
             ldap_user_search_base=props.ldap_user_search_base,
@@ -212,7 +212,7 @@ def read_cloudinit(
         self,
         ldap_group_filter: str,
         ldap_group_search_base: str,
-        ldap_server_ip: str,
+        ldap_server_hostname: str,
         ldap_server_port: str,
         ldap_user_filter: str,
         ldap_user_search_base: str,
@@ -228,7 +228,7 @@ def read_cloudinit(
             mustache_values = {
                 "ldap_group_filter": ldap_group_filter,
                 "ldap_group_search_base": ldap_group_search_base,
-                "ldap_server_ip": ldap_server_ip,
+                "ldap_server_hostname": ldap_server_hostname,
                 "ldap_server_port": ldap_server_port,
                 "ldap_user_filter": ldap_user_filter,
                 "ldap_user_search_base": ldap_user_search_base,
diff --git a/data_safe_haven/provisioning/sre_provisioning_manager.py b/data_safe_haven/provisioning/sre_provisioning_manager.py
@@ -84,9 +84,7 @@ def restart_remote_desktop_containers(self) -> None:
             self.remote_desktop_params["resource_group_name"],
             self.subscription_name,
         )
-        guacamole_provisioner.restart(
-            self.remote_desktop_params["container_ip_address"]
-        )
+        guacamole_provisioner.restart()
 
     def update_remote_desktop_connections(self) -> None:
         """Update connection information on the Guacamole PostgreSQL server"""
diff --git a/data_safe_haven/resources/gitea/gitea/configure.mustache.sh b/data_safe_haven/resources/gitea/gitea/configure.mustache.sh
@@ -13,7 +13,7 @@ until su-exec "$USER" /usr/local/bin/gitea admin auth list | grep "DataSafeHaven
     su-exec "$USER" /usr/local/bin/gitea admin auth add-ldap \
         --name DataSafeHavenLDAP \
         --security-protocol "unencrypted" \
-        --host "{{ldap_server_ip}}" \
+        --host "{{ldap_server_hostname}}" \
         --port "{{ldap_server_port}}" \
         --user-search-base "{{ldap_user_search_base}}" \
         --user-filter "(&{{{ldap_user_filter}}}({{ldap_username_attribute}}=%[1]s))" \
diff --git a/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml b/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml
@@ -22,7 +22,7 @@ write_files:
       nss_min_uid 2000
 
       # General connection options
-      uri ldap://{{ldap_server_ip}}:{{ldap_server_port}}
+      uri ldap://{{ldap_server_hostname}}:{{ldap_server_port}}
 
       # Search/mapping options
       base {{ldap_user_search_base}}

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ def __init__(`
`47`	`47`	`ttl=3600,`
`48`	`48`	`opts=child_opts,`
`49`	`49`	`)`
	`50`	`+`
`50`	`51`	`# Redirect the public DNS to private DNS`
`51`	`52`	`network.RecordSet(`
`52`	`53`	`f"{self._name}_public_record_set",`
`@@ -62,3 +63,6 @@ def __init__(`
`62`	`63`	`child_opts, ResourceOptions(parent=private_dns_record_set)`
`63`	`64`	`),`
`64`	`65`	`)`
	`66`	`+`
	`67`	`+ # Register outputs`
	`68`	`+ self.hostname = Output.concat(props.record_name, ".", props.base_fqdn)`