Releases: alan-turing-institute/data-safe-haven

Release 4.1.0 (2023-09-06)

06 Sep 10:12
v4.1.0
e9f4a1a

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.X.Y SHM and want to upgrade to 4.1.0, please follow the steps below:

  • Run ./deployment/safe_haven_management/setup/Setup_SHM_Networking.ps1 -shmId <your SHM ID>
  • Restart the virtual machine at RG_SHM_<SHM name>_MONITORING/LINUX-UPDATES-SHM-<SHM name> in the Azure portal

Known Issues

Only phone call authentication works for MS RDS. This provides no on-screen MFA Prompt.

New Features

  • Allow device authentication in SHM deployment #1378
  • Add arrow CRAN package to Tier 3 core list #1391
  • Update Python in SRD images #1421

Bug Fixes

  • Update Powershell module requirements: #1368
  • Update supported Powershell version to 7.3.6
  • Prevent removal of backup data during dry run: #1383
  • Better package name matching for Nexus: #1447
  • Update SRD image: #1421
  • Add new servicebus endpoints for self-service password reset: #1423 and #1466
  • Modify location of requirements.txt in Dockerfile: #1469
  • Fixes of the SRD build related to python packages: #1514 and #1537
  • Fix allowlist generation: #1422
  • Update badges: #1371
  • Update caching in allowlists workflow: #1395
  • Fix incorrect logic around automated PR creation: #1426
  • Update Ubuntu apt server addresses #1548
  • Add docker.io to allowed-FQDNs #1548
  • Change cloud-init files to automatically select appropriate disk partition #1548
  • Fix MS-SQL database deployment #1580
  • Fix PyPI Tier 3 mirror failures #1581

Security Fixes

  • Fix non-allowed CRAN packages whose names begin with an allowed package name being installable: #1447
  • Update to firewall rules: #1519

Documentation Updates

  • Add instructions for installing documentation build dependencies: #1370
  • Add instructions to resize VMs: #1367
  • Update user management guide to explain adding users to security group and changing a phone number: #1389
  • Add instructions for GPU VM resizing: #1399
  • Add note on NVIDIA GPU support: #1406
  • Remove reference to unused System Administrators Security Group: #1407
  • Remove egress steps not carried out by System Manager: #1434
  • Update SRE user troubleshooting: #1435
  • Move from GitHub pages to ReadTheDocs #1468
  • Add Policy for software package requests: #1387
  • Add deprecation warning for MSRDS #1542
  • Add warning that MSRDS does not work with the Microsoft Authentication app. #1589
  • Add step for adding SSL certificate in step-by-step instructions for Guacamole #1590

Full Changelog: v4.0.3...release-v4.1.0

Release 4.0.3 (2023-01-27)

27 Jan 15:42
21d520e

Bug fixes

  • Update maximum allowed Powershell version
  • Fix disk mounting issue when upgrading SRDs

Documentation updates

  • Minor fixes

Release 4.0.2 (2023-01-05)

05 Jan 11:10
08eb685

Bug fixes

  • Add missing Powershell module imports
  • Fix -Upgrade option when adding new SRD
  • Fix tensorflow installation in SRD base image
  • Register Microsoft.DataProtection on subscriptions that an SRE will be deployed into
  • Support cross-subscription role assignments for backup
  • Switch to correct subscription before deploying update automation
  • Update Powershell version requirements to avoid upstream bug
  • Update SRD package versions
  • Use process-scope when retrieving Graph authorization tokens with Connect-MgGraph

Security fixes

  • Remove unnecessary information from deployment logging

Documentation updates

  • Add link to teardown docs to deployment page
  • Add a VSCode .devcontainer for use in deployment
  • Clarify that IP addresses are required in SRE config file
  • Consolidate MFA setup description
  • Update documentation build triggers to also run on latest

Release 4.0.1 (2022-10-24)

24 Oct 10:44
af03c91

Bug fixes

  • Add additional modules to requirements checker
  • Add check for non-existing AzureAD security group
  • Switch CI tests from Travis to GitHub Actions

Documentation updates

  • Updated issue templates
  • Fix documentation building

Release 4.0.0 (2022-10-06)

06 Oct 11:04
427fbad

New features

  • Add apt update server
  • Add backup for blob storage
  • Add backup for VM disks
  • Add DNS server capabilities to DC2
  • Enable automated VM updates
  • Relicence to BSD 3-Clause
  • Simplify deployment configuration
  • Simplify NPS setup
  • Simplify Powershell modules
  • Switch to using DSC when configuring domain controllers
  • Unify deployment of repository mirrors/proxies

Bug fixes

  • Fix AAD domain verification
  • Fix database logic so that either 0, 1 or 2 databases can be deployed in an SRE
  • Fix DNS recursion on domain controllers
  • Fix htmlproofer issues by version pinning
  • Fix network/firewall rules that were stopping the installation of gitlab-ce
  • Fix NSG rules that were blocking LDAP connections from webapps
  • Fix SHM teardown failure
  • Fix Tier-3 allowlist scripts
  • Fix updating of Guacamole dashboard when reading users from LDAP
  • Improve tear down scripts
  • Make RDS cipher suite setting more robust
  • Make template deployments more robust
  • Modify SHM requirements script to optionally install missing modules
  • Restrict repository updates to this SRE
  • Set Az.Storage minimum version
  • Update NVIDIA repository key
  • Update QGIS repository key
  • Update SRD package versions
  • Update to SSIS 16.0 in lockdown script

Security fixes

  • Add ClamAV to all Linux VMs
  • Drop support for Atom text editor
  • Drop support for sbt
  • Switch storage to GRS

Documentation updates

  • Add administrator documentation for backups
  • Add backup test to security checklist
  • Add citation file
  • Add disclaimer text to main repository README
  • Add instructions to remove Conditional Access policies when reusing an AzureAD
  • Add user backup instructions
  • Fix various typographical errors in the documentation
  • Make deployment instructions more visible
  • Make documentation less prescriptive
  • Update GitHub issue templates
  • Update password writeback instructions
  • Update SHM deployment instructions
  • Update user guide

Release 3.4.0 (2022-02-26)

26 Feb 17:17
692a5e4

New features

  • Whitelisted SSL Labs for analysing remote desktop entrypage.
  • Updated SRD image with new packages and increased automation.
  • Re-organised and standardised NSG rules
  • Added tier 3 support for Nexus repositories

Bug fixes

  • Fixed CoCalc NSG rules.
  • Updated PyPI and CRAN allow lists.
  • Switched to Mustache for all templating.
  • Ensured that allow list generation does not time out.
  • Replaced SHM networking ARM template.
  • Switched from AzureAD.Standard preview to mainline version.
  • Switched from AzureAD.Standard to Microsoft.Graph.
  • Deprecated use of Write-Host.
  • Ensured that pyenv virtual environments work correctly.
  • Standardised NSG rule naming.
  • Fixed overlapping IP ranges in example configs.
  • Tidied up cloud-init files, moving scripts into dedicated files where appropriate.
  • Switched Guacamole Docker deployment to use a non-root user.
  • Simplified domain joining logic.
  • Fixed check for tensorflow so that it is only applied if on the required package list.
  • Fixed check for CoCalc deployment termination
  • Set correct Graph permissions for changing user passwords

Documentation updates

  • Fixed broken data classification flowchart.
  • Added HTML checker to CI.
  • Renamed DSVM to SRD throughout.
  • Updated GitHub issue templates.
  • Switched to GitHub discussions where relevant.
  • Fixed GitHub Actions PR generation.
  • Warned against using special characters in usernames.
  • Added a Jupyter notebook for interactive testing, together with updates to the documentation.
  • Fixed GitHub Actions cron jobs.

Release 3.3.1 (2021-12-10)

10 Dec 11:28
ac51a45

Bug fixes

  • Allow Tier 0/1 SREs to access the internet as expected
  • Correct NSG rule to allow connection to webapps from dashboard
  • Ensure that CoCalc VM can connect to the package repositories

Documentation

  • Fixed a broken link in the code of conduct

View and clone the repository at this version

Release 3.3.0 (2021-06-16)

16 Jun 20:29

New features

  • Added support for Guacamole remote desktop
  • Added single-script SRE deployment (for Guacamole only)
  • Added CoCalc webapp
  • Added support for more Mustache features when expanding templates
  • Added syslog collection for Linux hosts
  • Added instructions for migrating users from one SHM to another

Bug fixes

  • Allow VMs that were stopped due to lack of credit to be restarted
  • Ensure that parameters are passed to remote scripts in a consistent way
  • Work-around when using "allow" in the AzurePlatformDNS NSG rule
  • Better method of identifying resource groups when tearing down SHM/SRE

Documentation

  • Improved style and clarity of deployment documentation
  • Improved documentation around image building
  • First draft of DSPT documentation
  • Better documentation for ingress/egress
  • Changed some names to be more inclusive
  • Updated security checklist
  • Switched to GitFlow and added some explanatory text
  • Added automated documentation building

View and clone the repository at this version

Release 3.2.0 (2021-03-24)

24 Mar 10:25
78c2657

New features

  • Added diagnostic script for DSVM drive mounts
  • Added new packages to DSVM
  • Added Nexus option for tier-2 mirrors
  • Added Powershell code style tests to CI
  • Added scripts for deploying a standalone tier1 with CUDA support
  • Added support for NFS blob storage for local data
  • Added support for SMB blob storage for data ingress
  • Dropped support for Python 2.7
  • Ensured consistent NTP server across VMs
  • Stopped serialising full config files to disk
  • Switched to pyenv for installing python

Security

  • Blocked DNS tunnelling for DSVMs
  • Disabled legacy TLS on RDS Gateway
  • Stopped using FQDN tags in firewall rules

Bug fixes

  • Added missing tags to resource group names
  • Added missing logging resource group creation
  • Allowed VM deployment after network lockdown
  • Ensured firewall is started when updated and when SHM VMs are started
  • Fixed SHM certificate generation
  • Fixed SHM networking deployment
  • Fixed SRE naming convention
  • Pinned version of bandersnatch as newer versions are not working
  • Refactored networking functions
  • Refactored VM startup, shutdown and resize scripts
  • Removed hard-coded rule on which IP addresses can connect to the SHM
  • Removed multiple references to RDS
  • Simplified AzureAD disconnect
  • Simplified webapp deployment
  • Updated Disconnect_AD to work with firewall

Documentation

  • Added design decision documents
  • Added documentation of database option
  • Added initial draft of DSPT certification answers
  • Added issue templates and improved GitHub labels
  • Improved the Safe Haven deployment documentation
  • Updated release and versioning table

View and clone the repository at this version

Release 3.1.0 (2020-07-13)

13 Jul 20:14
1aea15e

New features

  • Added Azure Firewall with rules to support Windows updates and Azure logging.
  • Gather initial set of logs from VMs to centralised Azure Log Analytics workspace.

View and clone the repository at this version