New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add firewall to Pulumi #1375

Merged

jemrobinson merged 18 commits into alan-turing-institute:python-migration from jemrobinson:1374-add-firewall

Feb 16, 2023

Member

jemrobinson commented Feb 1, 2023 •

edited

Loading

✅ Checklist

You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
You are targeting the ~~develop~~ python-migration branch.
Your branch is up-to-date with the target branch (you probably started your branch from the target but it may have changed since then).
If-and-only-if your changes are not yet ready to merge, you have marked this pull request as a draft pull request and added '[WIP]' to the title.
If-and-only-if you have changed any Powershell code, you have run the code formatter. You can do this with ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory>.

⤴️ Summary

Add Azure firewall and associated rules to Pulumi
Add route table to redirect traffic to firewall
Add private DNS zones to allow access to automation account

🌂 Related issues

Closes #1374 . Closes #1376. Closes #1384.

🔬 Tests

Tested on a local deployment

jemrobinson requested review from JimMadge and craddm

February 1, 2023 17:01

jemrobinson marked this pull request as draft

February 1, 2023 18:14

JimMadge reviewed

View reviewed changes

data_safe_haven/pulumi/components/shm_firewall.py Outdated Show resolved Hide resolved

data_safe_haven/pulumi/components/shm_firewall.py Show resolved Hide resolved

data_safe_haven/pulumi/components/shm_firewall.py Outdated Show resolved Hide resolved

jemrobinson force-pushed the 1374-add-firewall branch 2 times, most recently from bdaedaa to 8841b9b Compare

February 2, 2023 22:44

jemrobinson mentioned this pull request

Pulumi: Missing domain admin password from keyvault #1384

Closed

jemrobinson force-pushed the 1374-add-firewall branch from 5242115 to 62bf1b3 Compare

February 15, 2023 14:50

jemrobinson added 2 commits

February 15, 2023 14:55


          ✨ Add firewall to SHM


          ✨ Add SHM route table

4123b45

jemrobinson force-pushed the 1374-add-firewall branch from 62bf1b3 to 0508d34 Compare

February 15, 2023 14:58

jemrobinson added 7 commits

February 15, 2023 15:14


          🔐 Add domain admin password to backend keyvault

6b8b1a0


          ✨ Add route table to direct traffic through the firewall. Add private…

1f8fe3e

… links to automation account.


          🐛 Allow route table to ignore added routes, preventing them from bein…

b6a53ad

…g removed on redeploy


          🚨 Mark ResourceOptions as Optional

f80f22a


          ✨ Add NAT rule to RDP to domain controller via firewall

f98594c


          ✨ Add subnet functionality to AzureIPv4Range

bfdeaec


          🚨 Fix typing issues

7e56241

jemrobinson force-pushed the 1374-add-firewall branch 3 times, most recently from 4f94b09 to de9b59e Compare

February 15, 2023 22:50

jemrobinson marked this pull request as ready for review

February 15, 2023 22:51

Member Author

jemrobinson commented Feb 15, 2023

I think I've addressed all of @JimMadge's comments. I've checked that creation/teardown of SHM and SRE work as expected. This involved adding a few additional cross-referenced dependencies to ensure that resources are created in the correct order. There are also some general type-hinting fixes that I added while debugging.

jemrobinson added 7 commits

February 15, 2023 22:58


          ♻️ Move subnet definitions out of SHM virtual network

aec7ed8


          🚨 Fix typing


          ♻️ Standardise subnet handling across SHM and SRE

f6b0950


          🐛 Allow PowershellDSC to reboot the VM during configuration

e173382


          ✨ Add public DNS address for domain controller (to be replaced in fut…

47ab234

…ure) and reboot DC during SHM deployment


          🐛 Fix secret overwriting when value is unchanged

fdf35e6


          ♻️ Refactor backend resource names

fe1a9b5

jemrobinson added 2 commits

February 15, 2023 22:58


          🔧 Allow raw.githubusercontent.com from domain controller for script d…

904c58e

…ownload


          🐛 Ensure that SHM DNS zone is delegated to SRE zone before trying to …

32ee60a

…create SSL certificate

jemrobinson force-pushed the 1374-add-firewall branch from de9b59e to 32ee60a Compare

February 15, 2023 22:58

jemrobinson merged commit 572be29 into alan-turing-institute:python-migration

JimMadge requested changes

View reviewed changes

Member

JimMadge left a comment •

edited

Loading

This already got merged 😮.

Routing the Pulumi Inputs/Outputs and dealing with promises adds code, but I'm pretty confident it is a better solution overall. Should be more robust and it offloads handling state to Pulumi.

I don't like all the places that typing.cast has been introduced. It feels like sidestepping validating/sanitising input. Which will be necessary because we can't guarantee what a user or API will give to the program.

data_safe_haven/commands/deploy_shm_command.py

@@ @@ -115,7 +121,7 @@ def handle(self) -> None: @@
                   def add_missing_values(self, config: Config) -> None:
                       """Request any missing config values and add them to the config"""
                       # Request FQDN if not provided
-                      fqdn = self.option("fqdn")
+                      fqdn = cast(str, self.option("fqdn"))

Member

JimMadge Feb 16, 2023

Does this just trick the type checker that the result of self.option("fqdn") is always a string?

What if it is empty?
What if it isn't a string?

Member Author

jemrobinson Feb 16, 2023

This is a limitation in the type signature of Command.option. It returns dict[Unknown, Unknown] | Unknown | Any | Literal[False] which are all of the possibilities that cleo can coerce the command-line arguments into.

However, this isn't very useful for type checking. I'll have another think about this.

data_safe_haven/external/api/graph_api.py

@@ @@ -535,7 +540,7 @@ def delete_application( @@
                               f"Could not delete application '{application_name}'.\n{str(exc)}"
                           ) from exc
-                  def get_application_by_name(self, application_name: str) -> JSONType:
+                  def get_application_by_name(self, application_name: str) -> Dict[str, Any] | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def get_application_by_name(self, application_name: str) -> Dict[str, Any] | None:
          
                def get_application_by_name(self, application_name: str) -> Optional[Dict[str, Any]]:

data_safe_haven/external/api/graph_api.py

                       except (DataSafeHavenMicrosoftGraphException, IndexError):
                           return None
-                  def get_id_from_application_name(self, application_name: str) -> str:
+                  def get_id_from_application_name(self, application_name: str) -> str | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def get_id_from_application_name(self, application_name: str) -> str | None:
          
                def get_id_from_application_name(self, application_name: str) -> Optional[str]:

data_safe_haven/external/api/graph_api.py

                       except DataSafeHavenMicrosoftGraphException:
                           return None
-                  def get_id_from_groupname(self, group_name: str) -> str:
+                  def get_id_from_groupname(self, group_name: str) -> str | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def get_id_from_groupname(self, group_name: str) -> str | None:
          
                def get_id_from_groupname(self, group_name: str) -> Optional[str]:

data_safe_haven/external/api/graph_api.py

@@ @@ -571,7 +581,7 @@ def get_id_from_groupname(self, group_name: str) -> str: @@
                       except (DataSafeHavenMicrosoftGraphException, IndexError):
                           return None
-                  def get_id_from_username(self, username: str) -> str:
+                  def get_id_from_username(self, username: str) -> str | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def get_id_from_username(self, username: str) -> str | None:
          
                def get_id_from_username(self, username: str) -> Optional[str]:

data_safe_haven/external/api/graph_api.py

                               f"Could not execute POST request.\n{str(exc)}"
                           ) from exc
-                  def read_applications(self) -> JSONType:
+                  def read_applications(self) -> Sequence[Dict[str, Any]]:

Member

JimMadge Feb 16, 2023

Do we really not know what concrete collection is returned here?

data_safe_haven/external/interface/azure_ipv4_range.py

Comment on lines +41 to +56

+                  def next_subnet(self, number_of_addresses: int) -> "AzureIPv4Range":
+                      """Find the next unused subnet of a given size"""
+                      if not math.log2(number_of_addresses).is_integer():
+                          raise DataSafeHavenIPRangeException(
+                              f"Number of address '{number_of_addresses}' must be a power of 2"
+                          )
+                      ip_address_first = self[0]
+                      while True:
+                          ip_address_last = ip_address_first + int(number_of_addresses - 1)
+                          with suppress(DataSafeHavenIPRangeException):
+                              candidate = AzureIPv4Range(ip_address_first, ip_address_last)
+                              if not any(subnet.overlaps(candidate) for subnet in self.subnets):
+                                  self.subnets.append(candidate)
+                                  break
+                          ip_address_first = ip_address_first + number_of_addresses
+                      return candidate

Member

JimMadge Feb 16, 2023

This feels like an Advent of Code problem 😄.

Member Author

jemrobinson Feb 16, 2023

Yeah, sorry about that! If you think of a better alternative feel free to suggest one :)

data_safe_haven/pulumi/components/virtual_machine.py

                       self.vm_size = vm_size
                   @property
-                  def os_profile(self) -> compute.OSProfileArgs:
+                  def os_profile(self) -> compute.OSProfileArgs | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def os_profile(self) -> compute.OSProfileArgs | None:
          
                def os_profile(self) -> Optional[compute.OSProfileArgs]:

data_safe_haven/pulumi/components/virtual_machine.py

                       return self.os_profile_args
                   @property
-                  def image_reference(self) -> compute.ImageReferenceArgs:
+                  def image_reference(self) -> compute.ImageReferenceArgs | None:

Member

JimMadge Feb 16, 2023

Suggested change

      
                def image_reference(self) -> compute.ImageReferenceArgs | None:
          
                def image_reference(self) -> Optional[compute.ImageReferenceArgs]:

jemrobinson mentioned this pull request

Add Python type-hinting throughout Pulumi codebase #1390

Merged

5 tasks

jemrobinson mentioned this pull request

Migrate deployment code to Python/Pulumi #1773

Merged

5 tasks

jemrobinson deleted the 1374-add-firewall branch

April 19, 2024 10:59

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet