Merge pull request #2014 from jemrobinson/simplify-sre-resource-groups
Use a single resource group for all SRE resources
jemrobinson authored Jul 23, 2024
2 parents 52034c9 + 5edced4 commit 2fd9134
Showing 16 changed files with 197 additions and 338 deletions.
Expand Up @@ -8,16 +8,14 @@ class LocalDnsRecordProps:
def __init__(
self,
base_fqdn: Input[str],
public_dns_resource_group_name: Input[str],
private_dns_resource_group_name: Input[str],
private_ip_address: Input[str],
record_name: Input[str],
resource_group_name: Input[str],
) -> None:
self.base_fqdn = base_fqdn
self.public_dns_resource_group_name = public_dns_resource_group_name
self.private_dns_resource_group_name = private_dns_resource_group_name
self.private_ip_address = private_ip_address
self.record_name = record_name
self.resource_group_name = resource_group_name


class LocalDnsRecordComponent(ComponentResource):
Expand All @@ -43,7 +41,7 @@ def __init__(
private_zone_name=Output.concat("privatelink.", props.base_fqdn),
record_type="A",
relative_record_set_name=props.record_name,
resource_group_name=props.private_dns_resource_group_name,
resource_group_name=props.resource_group_name,
ttl=30,
opts=child_opts,
)
Expand All @@ -56,7 +54,7 @@ def __init__(
),
record_type="CNAME",
relative_record_set_name=props.record_name,
resource_group_name=props.public_dns_resource_group_name,
resource_group_name=props.resource_group_name,
ttl=3600,
zone_name=props.base_fqdn,
opts=ResourceOptions.merge(
Expand Down
36 changes: 21 additions & 15 deletions data_safe_haven/infrastructure/programs/declarative_sre.py
@@ -1,6 +1,7 @@
"""Pulumi declarative program"""

import pulumi
from pulumi_azure_native import resources

from data_safe_haven.config import Context, SREConfig
from data_safe_haven.infrastructure.common import DockerHubCredentials
Expand Down Expand Up @@ -128,13 +129,22 @@ def __call__(self) -> None:
]
)

# Deploy resource group
resource_group = resources.ResourceGroup(
"sre_resource_group",
location=self.config.azure.location,
resource_group_name=f"{self.stack_name}-rg",
tags=self.tags,
)

# Deploy SRE DNS server
dns = SREDnsServerComponent(
"sre_dns_server",
self.stack_name,
SREDnsServerProps(
dockerhub_credentials=dockerhub_credentials,
location=self.config.azure.location,
resource_group_name=resource_group.name,
shm_fqdn=shm_fqdn,
),
tags=self.tags,
Expand All @@ -146,10 +156,10 @@ def __call__(self) -> None:
self.stack_name,
SRENetworkingProps(
dns_private_zones=dns.private_zones,
dns_resource_group_name=dns.resource_group.name,
dns_server_ip=dns.ip_address,
dns_virtual_network=dns.virtual_network,
location=self.config.azure.location,
resource_group_name=resource_group.name,
shm_fqdn=shm_fqdn,
shm_resource_group_name=self.context.resource_group_name,
shm_zone_name=shm_fqdn,
Expand All @@ -165,7 +175,7 @@ def __call__(self) -> None:
self.stack_name,
SREFirewallProps(
location=self.config.azure.location,
resource_group_name=networking.resource_group.name,
resource_group_name=resource_group.name,
route_table_name=networking.route_table_name,
subnet_apt_proxy_server=networking.subnet_apt_proxy_server,
subnet_firewall=networking.subnet_firewall,
Expand All @@ -191,7 +201,7 @@ def __call__(self) -> None:
dns_record=networking.shm_ns_record,
dns_server_admin_password=dns.password_admin,
location=self.config.azure.location,
networking_resource_group=networking.resource_group,
resource_group=resource_group,
sre_fqdn=networking.sre_fqdn,
subnet_data_configuration=networking.subnet_data_configuration,
subnet_data_desired_state=networking.subnet_data_desired_state,
Expand All @@ -209,14 +219,12 @@ def __call__(self) -> None:
self.stack_name,
SREAptProxyServerProps(
containers_subnet=networking.subnet_apt_proxy_server,
dns_resource_group_name=dns.resource_group.name,
dns_server_ip=dns.ip_address,
location=self.config.azure.location,
networking_resource_group_name=networking.resource_group.name,
resource_group_name=resource_group.name,
sre_fqdn=networking.sre_fqdn,
storage_account_key=data.storage_account_data_configuration_key,
storage_account_name=data.storage_account_data_configuration_name,
storage_account_resource_group_name=data.resource_group_name,
),
tags=self.tags,
)
Expand All @@ -226,19 +234,17 @@ def __call__(self) -> None:
"sre_identity",
self.stack_name,
SREIdentityProps(
dns_resource_group_name=dns.resource_group.name,
dns_server_ip=dns.ip_address,
dockerhub_credentials=dockerhub_credentials,
entra_application_name=f"sre-{self.config.name}-apricot",
entra_auth_token=self.graph_api_token,
entra_tenant_id=shm_entra_tenant_id,
location=self.config.azure.location,
networking_resource_group_name=networking.resource_group.name,
resource_group_name=resource_group.name,
shm_fqdn=shm_fqdn,
sre_fqdn=networking.sre_fqdn,
storage_account_key=data.storage_account_data_configuration_key,
storage_account_name=data.storage_account_data_configuration_name,
storage_account_resource_group_name=data.resource_group_name,
subnet_containers=networking.subnet_identity_containers,
),
tags=self.tags,
Expand All @@ -252,7 +258,7 @@ def __call__(self) -> None:
key_vault_certificate_id=data.sre_fqdn_certificate_secret_id,
key_vault_identity=data.managed_identity,
location=self.config.azure.location,
resource_group=networking.resource_group,
resource_group=resource_group,
subnet_application_gateway=networking.subnet_application_gateway,
subnet_guacamole_containers=networking.subnet_guacamole_containers,
sre_fqdn=networking.sre_fqdn,
Expand Down Expand Up @@ -281,9 +287,9 @@ def __call__(self) -> None:
ldap_user_filter=ldap_user_filter,
ldap_user_search_base=ldap_user_search_base,
location=self.config.azure.location,
resource_group_name=resource_group.name,
storage_account_key=data.storage_account_data_configuration_key,
storage_account_name=data.storage_account_data_configuration_name,
storage_account_resource_group_name=data.resource_group_name,
subnet_guacamole_containers_support=networking.subnet_guacamole_containers_support,
subnet_guacamole_containers=networking.subnet_guacamole_containers,
),
Expand All @@ -297,7 +303,6 @@ def __call__(self) -> None:
SREUserServicesProps(
database_service_admin_password=data.password_database_service_admin,
databases=self.config.sre.databases,
dns_resource_group_name=dns.resource_group.name,
dns_server_ip=dns.ip_address,
dockerhub_credentials=dockerhub_credentials,
gitea_database_password=data.password_gitea_database_admin,
Expand All @@ -308,13 +313,12 @@ def __call__(self) -> None:
ldap_username_attribute=ldap_username_attribute,
ldap_user_search_base=ldap_user_search_base,
location=self.config.azure.location,
networking_resource_group_name=networking.resource_group.name,
nexus_admin_password=data.password_nexus_admin,
resource_group_name=resource_group.name,
software_packages=self.config.sre.software_packages,
sre_fqdn=networking.sre_fqdn,
storage_account_key=data.storage_account_data_configuration_key,
storage_account_name=data.storage_account_data_configuration_name,
storage_account_resource_group_name=data.resource_group_name,
subnet_containers=networking.subnet_user_services_containers,
subnet_containers_support=networking.subnet_user_services_containers_support,
subnet_databases=networking.subnet_user_services_databases,
Expand All @@ -330,6 +334,7 @@ def __call__(self) -> None:
SREMonitoringProps(
dns_private_zones=dns.private_zones,
location=self.config.azure.location,
resource_group_name=resource_group.name,
subnet=networking.subnet_monitoring,
timezone=self.config.sre.timezone,
),
Expand All @@ -353,14 +358,14 @@ def __call__(self) -> None:
ldap_user_search_base=ldap_user_search_base,
location=self.config.azure.location,
maintenance_configuration_id=monitoring.maintenance_configuration.id,
resource_group_name=resource_group.name,
software_repository_hostname=user_services.software_repositories.hostname,
sre_name=self.config.name,
storage_account_data_desired_state_name=data.storage_account_data_desired_state_name,
storage_account_data_private_user_name=data.storage_account_data_private_user_name,
storage_account_data_private_sensitive_name=data.storage_account_data_private_sensitive_name,
subnet_workspaces=networking.subnet_workspaces,
subscription_name=self.context.subscription_name,
virtual_network_resource_group=networking.resource_group,
virtual_network=networking.virtual_network,
vm_details=list(enumerate(self.config.sre.workspace_skus)),
),
Expand All @@ -373,6 +378,7 @@ def __call__(self) -> None:
self.stack_name,
SREBackupProps(
location=self.config.azure.location,
resource_group_name=resource_group.name,
storage_account_data_private_sensitive_id=data.storage_account_data_private_sensitive_id,
storage_account_data_private_sensitive_name=data.storage_account_data_private_sensitive_name,
),
Expand Down
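Review bot: The new `resources.ResourceGroup("sre_resource_group", ...)` block becomes the single RBAC and lock scope for every SRE component, so any role assignment or management lock granted at resource-group level now reaches DNS, networking, data, identity, user services, workspaces and backup alike, where the removed per-component groups (`{stack_name}-rg-apt-proxy-server`, `{stack_name}-rg-backup` in the later hunks) each bounded that scope on their own. Worth checking that no role assignment or lock elsewhere in the project was scoped to one of the removed group names, and that nothing that previously relied on a component-level group as an isolation boundary still assumes it. A comment on the deployment would make the trade-off explicit for the next maintainer: `# Single shared group for all SRE resources: role assignments and locks scoped here apply to every component below`. `__call__` starts before and continues past these hunks.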
26 changes: 6 additions & 20 deletions data_safe_haven/infrastructure/programs/sre/apt_proxy_server.py
@@ -1,7 +1,7 @@
from collections.abc import Mapping

from pulumi import ComponentResource, Input, Output, ResourceOptions
from pulumi_azure_native import containerinstance, resources, storage
from pulumi_azure_native import containerinstance, storage

from data_safe_haven.infrastructure.common import (
get_id_from_subnet,
Expand All @@ -22,26 +22,22 @@ class SREAptProxyServerProps:
def __init__(
self,
containers_subnet: Input[str],
dns_resource_group_name: Input[str],
dns_server_ip: Input[str],
location: Input[str],
networking_resource_group_name: Input[str],
resource_group_name: Input[str],
sre_fqdn: Input[str],
storage_account_key: Input[str],
storage_account_name: Input[str],
storage_account_resource_group_name: Input[str],
) -> None:
self.containers_subnet_id = Output.from_input(containers_subnet).apply(
get_id_from_subnet
)
self.dns_resource_group_name = dns_resource_group_name
self.dns_server_ip = dns_server_ip
self.location = location
self.networking_resource_group_name = networking_resource_group_name
self.resource_group_name = resource_group_name
self.sre_fqdn = sre_fqdn
self.storage_account_key = storage_account_key
self.storage_account_name = storage_account_name
self.storage_account_resource_group_name = storage_account_resource_group_name


class SREAptProxyServerComponent(ComponentResource):
Expand All @@ -59,21 +55,12 @@ def __init__(
child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
child_tags = tags if tags else {}

# Deploy resource group
resource_group = resources.ResourceGroup(
f"{self._name}_resource_group",
location=props.location,
resource_group_name=f"{stack_name}-rg-apt-proxy-server",
opts=child_opts,
tags=child_tags,
)

# Define configuration file shares
file_share_apt_proxy_server = storage.FileShare(
f"{self._name}_file_share_apt_proxy_server",
access_tier=storage.ShareAccessTier.COOL,
account_name=props.storage_account_name,
resource_group_name=props.storage_account_resource_group_name,
resource_group_name=props.resource_group_name,
share_name="apt-proxy-server",
share_quota=1,
signed_identifiers=[],
Expand Down Expand Up @@ -150,7 +137,7 @@ def __init__(
),
location=props.location,
os_type=containerinstance.OperatingSystemTypes.LINUX,
resource_group_name=resource_group.name,
resource_group_name=props.resource_group_name,
restart_policy=containerinstance.ContainerGroupRestartPolicy.ALWAYS,
sku=containerinstance.ContainerGroupSku.STANDARD,
subnet_ids=[
Expand Down Expand Up @@ -187,10 +174,9 @@ def __init__(
f"{self._name}_apt_proxy_server_dns_record_set",
LocalDnsRecordProps(
base_fqdn=props.sre_fqdn,
public_dns_resource_group_name=props.networking_resource_group_name,
private_dns_resource_group_name=props.dns_resource_group_name,
private_ip_address=get_ip_address_from_container_group(container_group),
record_name="apt",
resource_group_name=props.resource_group_name,
),
opts=ResourceOptions.merge(
child_opts, ResourceOptions(parent=container_group)
Expand Down
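Review bot: `storage.FileShare(... resource_group_name=props.resource_group_name, ...)` replaces the dedicated `storage_account_resource_group_name`, so the file share is now addressed in the shared SRE group rather than in the group that owns `props.storage_account_name`; this is only correct if the data component deploys that storage account into the same group, which the program hunk suggests (`SREDataProps(... resource_group=resource_group ...)`) but which is outside this file. A comment at the `account_name` line would pin that assumption, e.g. `# storage account is deployed into the shared SRE resource group by the data component`. The enclosing `__init__` of `SREAptProxyServerComponent` starts and ends outside the hunks.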
21 changes: 7 additions & 14 deletions data_safe_haven/infrastructure/programs/sre/backup.py
Expand Up @@ -3,7 +3,7 @@
from collections.abc import Mapping

from pulumi import ComponentResource, Input, ResourceOptions
from pulumi_azure_native import dataprotection, resources
from pulumi_azure_native import dataprotection


class SREBackupProps:
Expand All @@ -12,10 +12,12 @@ class SREBackupProps:
def __init__(
self,
location: Input[str],
resource_group_name: Input[str],
storage_account_data_private_sensitive_id: Input[str],
storage_account_data_private_sensitive_name: Input[str],
) -> None:
self.location = location
self.resource_group_name = resource_group_name
self.storage_account_data_private_sensitive_id = (
storage_account_data_private_sensitive_id
)
Expand All @@ -39,15 +41,6 @@ def __init__(
child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
child_tags = tags if tags else {}

# Deploy resource group
resource_group = resources.ResourceGroup(
f"{self._name}_resource_group",
location=props.location,
resource_group_name=f"{stack_name}-rg-backup",
opts=child_opts,
tags=child_tags,
)

# Deploy backup vault
backup_vault = dataprotection.BackupVault(
f"{self._name}_backup_vault",
Expand All @@ -63,7 +56,7 @@ def __init__(
)
],
),
resource_group_name=resource_group.name,
resource_group_name=props.resource_group_name,
vault_name=f"{stack_name}-bv-backup",
opts=child_opts,
tags=child_tags,
Expand Down Expand Up @@ -97,7 +90,7 @@ def __init__(
),
],
),
resource_group_name=resource_group.name,
resource_group_name=props.resource_group_name,
vault_name=backup_vault.name,
opts=ResourceOptions.merge(
child_opts, ResourceOptions(parent=backup_vault)
Expand Down Expand Up @@ -162,7 +155,7 @@ def __init__(
),
],
),
resource_group_name=resource_group.name,
resource_group_name=props.resource_group_name,
vault_name=backup_vault.name,
opts=ResourceOptions.merge(
child_opts, ResourceOptions(parent=backup_vault)
Expand All @@ -189,7 +182,7 @@ def __init__(
),
friendly_name="BlobBackupSensitiveData",
),
resource_group_name=resource_group.name,
resource_group_name=props.resource_group_name,
vault_name=backup_vault.name,
opts=ResourceOptions.merge(
child_opts, ResourceOptions(parent=backup_policy_blobs)
Expand Down
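Review bot: `dataprotection.BackupVault(... resource_group_name=props.resource_group_name, ...)` moves the vault out of its own `{stack_name}-rg-backup` group and into the group that, per the program change, also holds the storage account it protects (`storage_account_data_private_sensitive_id`), so a delete or lock change at resource-group scope now affects backup and source data together; keeping backups in a separately governed scope is the usual resilience control for exactly that case. If the shared group is the intended design, the vault's soft-delete and immutability settings (further down in the `BackupVault` call, outside this hunk) become the remaining safeguard and deserve a comment noting that, e.g. `# vault shares a resource group with the protected storage account; rely on soft-delete/immutability settings for recovery`. The enclosing `__init__` starts and ends outside the hunks.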