Merge pull request #1805 from jemrobinson/1570-remove-shm-dc

Remove SHM DC

Author: jemrobinson

data_safe_haven/commands/deploy.py

@@ -8,7 +8,7 @@
 from data_safe_haven.exceptions import DataSafeHavenError
 from data_safe_haven.external import GraphApi
 from data_safe_haven.infrastructure import SHMStackManager, SREStackManager
-from data_safe_haven.provisioning import SHMProvisioningManager, SREProvisioningManager
+from data_safe_haven.provisioning import SREProvisioningManager
 from data_safe_haven.utility import LoggingSingleton
 
 deploy_command_group = typer.Typer()
@@ -73,13 +73,6 @@ def shm(
             config.shm.fqdn,
             stack.output("networking")["fqdn_nameservers"],
         )
-
-        # Provision SHM with anything that could not be done in Pulumi
-        manager = SHMProvisioningManager(
-            subscription_name=config.context.subscription_name,
-            stack=stack,
-        )
-        manager.run()
     except DataSafeHavenError as exc:
         msg = f"Could not deploy Data Safe Haven Management environment.\n{exc}"
         raise DataSafeHavenError(msg) from exc

data_safe_haven/infrastructure/stacks/declarative_shm.py

@@ -4,12 +4,7 @@
 
 from data_safe_haven.config import Config
 
-from .shm.bastion import SHMBastionComponent, SHMBastionProps
 from .shm.data import SHMDataComponent, SHMDataProps
-from .shm.domain_controllers import (
-    SHMDomainControllersComponent,
-    SHMDomainControllersProps,
-)
 from .shm.firewall import SHMFirewallComponent, SHMFirewallProps
 from .shm.monitoring import SHMMonitoringComponent, SHMMonitoringProps
 from .shm.networking import SHMNetworkingComponent, SHMNetworkingProps
@@ -49,30 +44,16 @@ def run(self) -> None:
             "shm_firewall",
             self.stack_name,
             SHMFirewallProps(
-                domain_controller_private_ip=networking.domain_controller_private_ip,
                 dns_zone=networking.dns_zone,
                 location=self.cfg.azure.location,
                 resource_group_name=networking.resource_group_name,
                 route_table_name=networking.route_table.name,
                 subnet_firewall=networking.subnet_firewall,
-                subnet_identity_servers=networking.subnet_identity_servers,
                 subnet_update_servers=networking.subnet_update_servers,
             ),
             tags=self.cfg.tags.model_dump(),
         )
 
-        # Deploy firewall and routing
-        SHMBastionComponent(
-            "shm_bastion",
-            self.stack_name,
-            SHMBastionProps(
-                location=self.cfg.azure.location,
-                resource_group_name=networking.resource_group_name,
-                subnet=networking.subnet_bastion,
-            ),
-            tags=self.cfg.tags.model_dump(),
-        )
-
         # Deploy data storage
         data = SHMDataComponent(
             "shm_data",
@@ -116,32 +97,7 @@ def run(self) -> None:
             tags=self.cfg.tags.model_dump(),
         )
 
-        # Deploy domain controllers
-        domain_controllers = SHMDomainControllersComponent(
-            "shm_domain_controllers",
-            self.stack_name,
-            SHMDomainControllersProps(
-                automation_account=monitoring.automation_account,
-                automation_account_modules=monitoring.automation_account_modules,
-                automation_account_private_dns=monitoring.automation_account_private_dns,
-                domain_fqdn=networking.dns_zone.name,
-                domain_netbios_name=self.shm_name.upper(),
-                location=self.cfg.azure.location,
-                log_analytics_workspace=monitoring.log_analytics_workspace,
-                password_domain_admin=data.password_domain_admin,
-                password_domain_azuread_connect=data.password_domain_azure_ad_connect,
-                password_domain_searcher=data.password_domain_searcher,
-                private_ip_address=networking.domain_controller_private_ip,
-                subnet_identity_servers=networking.subnet_identity_servers,
-                subscription_name=self.cfg.context.subscription_name,
-                virtual_network_name=networking.virtual_network.name,
-                virtual_network_resource_group_name=networking.resource_group_name,
-            ),
-            tags=self.cfg.tags.model_dump(),
-        )
-
         # Export values for later use
-        pulumi.export("domain_controllers", domain_controllers.exports)
         pulumi.export("firewall", firewall.exports)
         pulumi.export("monitoring", monitoring.exports)
         pulumi.export("networking", networking.exports)

data_safe_haven/infrastructure/stacks/shm/bastion.py

@@ -124,48 +124,6 @@ def __init__(
             tags=child_tags,
         )
 
-        # Secret: Domain admin password
-        password_domain_admin = pulumi_random.RandomPassword(
-            f"{self._name}_password_domain_admin",
-            length=20,
-            special=True,
-            opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
-        )
-        keyvault.Secret(
-            f"{self._name}_kvs_password_domain_admin",
-            properties=keyvault.SecretPropertiesArgs(
-                value=password_domain_admin.result
-            ),
-            resource_group_name=resource_group.name,
-            secret_name="password-domain-admin",
-            vault_name=key_vault.name,
-            opts=ResourceOptions.merge(
-                child_opts, ResourceOptions(parent=password_domain_admin)
-            ),
-            tags=child_tags,
-        )
-
-        # Secret: Azure ADConnect password
-        password_domain_azure_ad_connect = pulumi_random.RandomPassword(
-            f"{self._name}_password_domain_azure_ad_connect",
-            length=20,
-            special=True,
-            opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
-        )
-        keyvault.Secret(
-            f"{self._name}_kvs_password_domain_azure_ad_connect",
-            properties=keyvault.SecretPropertiesArgs(
-                value=password_domain_azure_ad_connect.result
-            ),
-            resource_group_name=resource_group.name,
-            secret_name="password-domain-azure-ad-connect",
-            vault_name=key_vault.name,
-            opts=ResourceOptions.merge(
-                child_opts, ResourceOptions(parent=password_domain_azure_ad_connect)
-            ),
-            tags=child_tags,
-        )
-
         # Secret: Linux update server admin password
         password_update_server_linux_admin = pulumi_random.RandomPassword(
             f"{self._name}_password_update_server_linux_admin",
@@ -243,10 +201,6 @@ def __init__(
         )
 
         # Register outputs
-        self.password_domain_admin = Output.secret(password_domain_admin.result)
-        self.password_domain_azure_ad_connect = Output.secret(
-            password_domain_azure_ad_connect.result
-        )
         self.password_update_server_linux_admin = Output.secret(
             password_update_server_linux_admin.result
         )