Merge pull request #2115 from alan-turing-institute/ansible_vars_file

Add ansible vars file

data_safe_haven/infrastructure/common/ip_ranges.py

@@ -14,8 +14,8 @@ class SREIpRanges:
     apt_proxy_server = vnet.next_subnet(8)
     clamav_mirror = vnet.next_subnet(8)
     data_configuration = vnet.next_subnet(8)
-    data_desired_state = vnet.next_subnet(8)
     data_private = vnet.next_subnet(8)
+    desired_state = vnet.next_subnet(8)
     firewall = vnet.next_subnet(64)  # 64 address minimum
     firewall_management = vnet.next_subnet(64)  # 64 address minimum
     guacamole_containers = vnet.next_subnet(8)

data_safe_haven/infrastructure/components/__init__.py

@@ -4,6 +4,8 @@
     LocalDnsRecordProps,
     MicrosoftSQLDatabaseComponent,
     MicrosoftSQLDatabaseProps,
+    NFSV3BlobContainerComponent,
+    NFSV3BlobContainerProps,
     PostgresqlDatabaseComponent,
     PostgresqlDatabaseProps,
     VMComponent,
@@ -20,6 +22,7 @@
 )
 from .wrapped import (
     WrappedLogAnalyticsWorkspace,
+    WrappedNFSV3StorageAccount,
 )
 
 __all__ = [
@@ -34,6 +37,9 @@
     "LocalDnsRecordProps",
     "MicrosoftSQLDatabaseComponent",
     "MicrosoftSQLDatabaseProps",
+    "NFSV3BlobContainerComponent",
+    "NFSV3BlobContainerProps",
+    "WrappedNFSV3StorageAccount",
     "PostgresqlDatabaseComponent",
     "PostgresqlDatabaseProps",
     "SSLCertificate",

data_safe_haven/infrastructure/components/composite/__init__.py

@@ -3,6 +3,7 @@
     MicrosoftSQLDatabaseComponent,
     MicrosoftSQLDatabaseProps,
 )
+from .nfsv3_blob_container import NFSV3BlobContainerComponent, NFSV3BlobContainerProps
 from .postgresql_database import PostgresqlDatabaseComponent, PostgresqlDatabaseProps
 from .virtual_machine import LinuxVMComponentProps, VMComponent
 
@@ -12,6 +13,8 @@
     "LocalDnsRecordProps",
     "MicrosoftSQLDatabaseComponent",
     "MicrosoftSQLDatabaseProps",
+    "NFSV3BlobContainerComponent",
+    "NFSV3BlobContainerProps",
     "PostgresqlDatabaseComponent",
     "PostgresqlDatabaseProps",
     "VMComponent",

data_safe_haven/infrastructure/components/composite/nfsv3_blob_container.py

@@ -0,0 +1,75 @@
+from pulumi import ComponentResource, Input, ResourceOptions
+from pulumi_azure_native import storage
+
+from data_safe_haven.infrastructure.components.dynamic.blob_container_acl import (
+    BlobContainerAcl,
+    BlobContainerAclProps,
+)
+
+
+class NFSV3BlobContainerProps:
+    def __init__(
+        self,
+        acl_user: Input[str],
+        acl_group: Input[str],
+        acl_other: Input[str],
+        apply_default_permissions: Input[bool],
+        container_name: Input[str],
+        resource_group_name: Input[str],
+        storage_account: Input[storage.StorageAccount],
+        subscription_name: Input[str],
+    ):
+        self.acl_user = acl_user
+        self.acl_group = acl_group
+        self.acl_other = acl_other
+        self.apply_default_permissions = apply_default_permissions
+        self.container_name = container_name
+        self.resource_group_name = resource_group_name
+        self.storage_account = storage_account
+        self.subscription_name = subscription_name
+
+
+class NFSV3BlobContainerComponent(ComponentResource):
+    def __init__(
+        self,
+        name: str,
+        props: NFSV3BlobContainerProps,
+        opts: ResourceOptions | None = None,
+    ):
+        super().__init__("dsh:common:NFSV3BlobContainerComponent", name, {}, opts)
+        child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
+
+        storage_container = storage.BlobContainer(
+            f"{self._name}_blob_container_{props.container_name}",
+            account_name=props.storage_account.name,
+            container_name=props.container_name,
+            default_encryption_scope="$account-encryption-key",
+            deny_encryption_scope_override=False,
+            public_access=storage.PublicAccess.NONE,
+            resource_group_name=props.resource_group_name,
+            opts=ResourceOptions.merge(
+                child_opts,
+                ResourceOptions(parent=props.storage_account),
+            ),
+        )
+        BlobContainerAcl(
+            f"{storage_container._name}_acl",
+            BlobContainerAclProps(
+                acl_user=props.acl_user,
+                acl_group=props.acl_group,
+                acl_other=props.acl_other,
+                apply_default_permissions=props.apply_default_permissions,
+                container_name=storage_container.name,
+                resource_group_name=props.resource_group_name,
+                storage_account_name=props.storage_account.name,
+                subscription_name=props.subscription_name,
+            ),
+            opts=ResourceOptions.merge(
+                child_opts,
+                ResourceOptions(parent=props.storage_account),
+            ),
+        )
+
+        self.name = storage_container.name
+
+        self.register_outputs({})

data_safe_haven/infrastructure/components/wrapped/__init__.py

@@ -1,5 +1,7 @@
 from .log_analytics_workspace import WrappedLogAnalyticsWorkspace
+from .nfsv3_storage_account import WrappedNFSV3StorageAccount
 
 __all__ = [
+    "WrappedNFSV3StorageAccount",
     "WrappedLogAnalyticsWorkspace",
 ]

data_safe_haven/infrastructure/components/wrapped/nfsv3_storage_account.py

@@ -0,0 +1,68 @@
+from collections.abc import Mapping, Sequence
+
+from pulumi import Input, Output, ResourceOptions
+from pulumi_azure_native import storage
+
+from data_safe_haven.external import AzureIPv4Range
+
+
+class WrappedNFSV3StorageAccount(storage.StorageAccount):
+    encryption_args = storage.EncryptionArgs(
+        key_source=storage.KeySource.MICROSOFT_STORAGE,
+        services=storage.EncryptionServicesArgs(
+            blob=storage.EncryptionServiceArgs(
+                enabled=True, key_type=storage.KeyType.ACCOUNT
+            ),
+            file=storage.EncryptionServiceArgs(
+                enabled=True, key_type=storage.KeyType.ACCOUNT
+            ),
+        ),
+    )
+
+    def __init__(
+        self,
+        resource_name: str,
+        *,
+        account_name: Input[str],
+        allowed_ip_addresses: Input[Sequence[str]],
+        location: Input[str],
+        resource_group_name: Input[str],
+        subnet_id: Input[str],
+        opts: ResourceOptions,
+        tags: Input[Mapping[str, Input[str]]],
+    ):
+        self.resource_group_name_ = Output.from_input(resource_group_name)
+        super().__init__(
+            resource_name,
+            account_name=account_name,
+            enable_https_traffic_only=True,
+            enable_nfs_v3=True,
+            encryption=self.encryption_args,
+            is_hns_enabled=True,
+            kind=storage.Kind.BLOCK_BLOB_STORAGE,
+            location=location,
+            minimum_tls_version=storage.MinimumTlsVersion.TLS1_2,
+            network_rule_set=storage.NetworkRuleSetArgs(
+                bypass=storage.Bypass.AZURE_SERVICES,
+                default_action=storage.DefaultAction.DENY,
+                ip_rules=Output.from_input(allowed_ip_addresses).apply(
+                    lambda ip_ranges: [
+                        storage.IPRuleArgs(
+                            action=storage.Action.ALLOW,
+                            i_p_address_or_range=str(ip_address),
+                        )
+                        for ip_range in sorted(ip_ranges)
+                        for ip_address in AzureIPv4Range.from_cidr(ip_range).all_ips()
+                    ]
+                ),
+                virtual_network_rules=[
+                    storage.VirtualNetworkRuleArgs(
+                        virtual_network_resource_id=subnet_id,
+                    )
+                ],
+            ),
+            resource_group_name=resource_group_name,
+            sku=storage.SkuArgs(name=storage.SkuName.PREMIUM_ZRS),
+            opts=opts,
+            tags=tags,
+        )

data_safe_haven/infrastructure/programs/declarative_sre.py

@@ -15,6 +15,7 @@
 from .sre.backup import SREBackupComponent, SREBackupProps
 from .sre.clamav_mirror import SREClamAVMirrorComponent, SREClamAVMirrorProps
 from .sre.data import SREDataComponent, SREDataProps
+from .sre.desired_state import SREDesiredStateComponent, SREDesiredStateProps
 from .sre.dns_server import SREDnsServerComponent, SREDnsServerProps
 from .sre.firewall import SREFirewallComponent, SREFirewallProps
 from .sre.identity import SREIdentityComponent, SREIdentityProps
@@ -184,7 +185,6 @@ def __call__(self) -> None:
                 storage_quota_gb_home=self.config.sre.storage_quota_gb.home,
                 storage_quota_gb_shared=self.config.sre.storage_quota_gb.shared,
                 subnet_data_configuration=networking.subnet_data_configuration,
-                subnet_data_desired_state=networking.subnet_data_desired_state,
                 subnet_data_private=networking.subnet_data_private,
                 subscription_id=self.config.azure.subscription_id,
                 subscription_name=self.context.subscription_name,
@@ -338,17 +338,15 @@ def __call__(self) -> None:
             tags=self.tags,
         )
 
-        # Deploy workspaces
-        workspaces = SREWorkspacesComponent(
-            "sre_workspaces",
+        # Deploy desired state
+        desired_state = SREDesiredStateComponent(
+            "sre_desired_state",
             self.stack_name,
-            SREWorkspacesProps(
-                admin_password=data.password_workspace_admin,
-                apt_proxy_server_hostname=apt_proxy_server.hostname,
+            SREDesiredStateProps(
+                admin_ip_addresses=self.config.sre.admin_ip_addresses,
                 clamav_mirror_hostname=clamav_mirror.hostname,
-                data_collection_rule_id=monitoring.data_collection_rule_vms.id,
-                data_collection_endpoint_id=monitoring.data_collection_endpoint.id,
                 database_service_admin_password=data.password_database_service_admin,
+                dns_private_zones=dns.private_zones,
                 gitea_hostname=user_services.gitea_server.hostname,
                 hedgedoc_hostname=user_services.hedgedoc_server.hostname,
                 ldap_group_filter=ldap_group_filter,
@@ -358,11 +356,27 @@ def __call__(self) -> None:
                 ldap_user_filter=ldap_user_filter,
                 ldap_user_search_base=ldap_user_search_base,
                 location=self.config.azure.location,
+                resource_group=resource_group,
+                software_repository_hostname=user_services.software_repositories.hostname,
+                subnet_desired_state=networking.subnet_desired_state,
+                subscription_name=self.context.subscription_name,
+            ),
+        )
+
+        # Deploy workspaces
+        workspaces = SREWorkspacesComponent(
+            "sre_workspaces",
+            self.stack_name,
+            SREWorkspacesProps(
+                admin_password=data.password_workspace_admin,
+                apt_proxy_server_hostname=apt_proxy_server.hostname,
+                data_collection_rule_id=monitoring.data_collection_rule_vms.id,
+                data_collection_endpoint_id=monitoring.data_collection_endpoint.id,
+                location=self.config.azure.location,
                 maintenance_configuration_id=monitoring.maintenance_configuration.id,
                 resource_group_name=resource_group.name,
-                software_repository_hostname=user_services.software_repositories.hostname,
                 sre_name=self.config.name,
-                storage_account_data_desired_state_name=data.storage_account_data_desired_state_name,
+                storage_account_desired_state_name=desired_state.storage_account_name,
                 storage_account_data_private_user_name=data.storage_account_data_private_user_name,
                 storage_account_data_private_sensitive_name=data.storage_account_data_private_sensitive_name,
                 subnet_workspaces=networking.subnet_workspaces,