From cbaedabbc8783cb961e134baba31f461a13e5ba9 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 09:28:06 +0100 Subject: [PATCH 01/21] :memo: Fix argument name --- docs/source/deployment/setup_context.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/deployment/setup_context.md b/docs/source/deployment/setup_context.md index 19074f73b1..4b51ea626b 100644 --- a/docs/source/deployment/setup_context.md +++ b/docs/source/deployment/setup_context.md @@ -28,9 +28,9 @@ $ dsh context add --help - Run a command like the following to create your local context file. ```{code} shell -$ dsh context add --admin-group-name _AZURE_GROUP_CONTAINING_ALL_ADMINISTRATORS_ --name _CONTEXT_NAME_ --description _HUMAN_FRIENDLY_NAME_ --subscription _AZURE_SUBSCRIPTION_NAME_ +$ dsh context add --admin-group-name AZURE_GROUP_CONTAINING_ALL_ADMINISTRATORS --name CONTEXT_NAME --description HUMAN_FRIENDLY_NAME --subscription-name AZURE_SUBSCRIPTION_NAME ``` :::{note} -If you have multiple contexts defined, you can select which context you want to use with `dsh context switch _CONTEXT_NAME_`. +If you have multiple contexts defined, you can select which context you want to use with `dsh context switch CONTEXT_NAME`. ::: From 635ddb45f341ea308ad7ae40a60062f2e57c3873 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 09:30:58 +0100 Subject: [PATCH 02/21] :bug: Fix subscription name regex --- data_safe_haven/validators/validators.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data_safe_haven/validators/validators.py b/data_safe_haven/validators/validators.py index 521d51fcc7..073954d690 100644 --- a/data_safe_haven/validators/validators.py +++ b/data_safe_haven/validators/validators.py 
@@ -26,8 +26,8 @@ def azure_location(azure_location: str) -> str: def azure_subscription_name(subscription_name: str) -> str: # https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules - if not re.match(r"^[a-zA-Z][a-zA-Z0-9\- ]+[a-zA-Z0-9]$", subscription_name): - msg = "Azure subscription names can only contain alphanumeric characters and hyphens.\n They must start with a letter and end with an alphanumeric character." + if not re.match(r"^[a-zA-Z][a-zA-Z0-9\- \[\]]+[a-zA-Z0-9]$", subscription_name): + msg = "Azure subscription names can only contain alphanumeric characters, spaces and certain special characters.\nThey must start with a letter and end with an alphanumeric character." raise ValueError(msg) return subscription_name From d469bf277f311a6baca5d8a63b331d534945b0c6 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 09:32:50 +0100 Subject: [PATCH 03/21] :bug: Allow special characters at beginning and end of subscription name --- data_safe_haven/validators/validators.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data_safe_haven/validators/validators.py b/data_safe_haven/validators/validators.py index 073954d690..4258d7c9d7 100644 --- a/data_safe_haven/validators/validators.py +++ b/data_safe_haven/validators/validators.py 
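Review bot: The new `msg` says "certain special characters" without naming them, so a user whose subscription name is rejected cannot tell what to change. Beyond alphanumerics, the character class in the pattern admits only space, hyphen and square brackets, and the message could say so by replacing "certain special characters" with "hyphens and square brackets". The next patch's hunk on this function has the same vagueness ("particular special characters"). The pattern in this hunk also silently requires at least three characters, which the message does not mention.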
@@ -26,8 +26,8 @@ def azure_location(azure_location: str) -> str: def azure_subscription_name(subscription_name: str) -> str: # https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules - if not re.match(r"^[a-zA-Z][a-zA-Z0-9\- \[\]]+[a-zA-Z0-9]$", subscription_name): - msg = "Azure subscription names can only contain alphanumeric characters, spaces and certain special characters.\nThey must start with a letter and end with an alphanumeric character." + if not re.match(r"[a-zA-Z0-9\- \[\]]+", subscription_name): + msg = "Azure subscription names can only contain alphanumeric characters, spaces and particular special characters." raise ValueError(msg) return subscription_name From fb24a181002b018e50938d0da74d99ba723c9404 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 09:47:30 +0100 Subject: [PATCH 04/21] :memo: Remove unnecessary underscores in example SHM command --- docs/source/deployment/deploy_shm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index 71d8742e3d..3e1d695acb 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md @@ -59,7 +59,7 @@ Before deploying the Safe Haven Management (SHM) infrastructure you need to deci Once you've decided on these, run the following command: [approx 5 minutes]: ```{code} shell -$ dsh shm deploy --entra-tenant-id _YOUR_ENTRA_TENANT_ID_ --fqdn _YOUR_DOMAIN_NAME_ --location _YOUR_LOCATION_ +$ dsh shm deploy --entra-tenant-id YOUR_ENTRA_TENANT_ID --fqdn YOUR_DOMAIN_NAME --location YOUR_LOCATION ``` :::{note} From bde85ecc73baf05abb0bd602108dace9d7ed7c52 Mon Sep 17 00:00:00 2001 
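Review bot: The replacement pattern `r"[a-zA-Z0-9\- \[\]]+"` has no end anchor and `re.match` only anchors at the start, so any name whose first character is in the class passes, whatever follows it (constructed example: `A!`). The validator therefore stops constraining the rest of the string, which matters if the value is later interpolated into resource names or commands. Use `if not re.fullmatch(r"[a-zA-Z0-9\- \[\]]+", subscription_name):` instead. Patch 13/21 later in this series restores `^…$`, but every commit in between ships the permissive check.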
From: James Robinson Date: Wed, 31 Jul 2024 11:29:26 +0100 Subject: [PATCH 05/21] :memo: Add hatch warning to each place where DSH code is run --- docs/source/deployment/deploy_shm.md | 13 +++++++++++++ docs/source/deployment/deploy_sre.md | 15 +++++++++++++++ docs/source/deployment/index.md | 8 ++------ 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index 3e1d695acb..3d55e24a7f 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md @@ -38,6 +38,19 @@ Follow the instructions [here](https://learn.microsoft.com/en-us/entra/fundament ## Deployment +::::{admonition} Ensure you are using a `hatch` shell +:class: dropdown important + +You must use a `hatch` shell to run any `dsh` commands. +From the project base directory run: + +:::{code} shell +$ hatch shell +::: + +This ensures that you are using the intended version of Data Safe Haven with the correct set of dependencies. +:::: + Before deploying the Safe Haven Management (SHM) infrastructure you need to decide on a few parameters: - `entra_tenant_id`: Tenant ID for the Entra ID used to manage TRE users diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index cb0c0629c6..a768d71ce6 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -2,6 +2,21 @@ # Deploy a Secure Research Environment +These instructions will deploy a new Secure Research Environment (SRE). + +::::{admonition} Ensure you are using a `hatch` shell +:class: dropdown important + +You must use a `hatch` shell to run any `dsh` commands. +From the project base directory run: + +:::{code} shell +$ hatch shell +::: + +This ensures that you are using the intended version of Data Safe Haven with the correct set of dependencies. +:::: + ## Configuration Each project will have its own dedicated Secure Research Environment (SRE). 
diff --git a/docs/source/deployment/index.md b/docs/source/deployment/index.md index e009b02b5f..67d05f4f5e 100644 --- a/docs/source/deployment/index.md +++ b/docs/source/deployment/index.md @@ -44,12 +44,8 @@ Download or checkout this code from GitHub. Please contact the development team in case of any problems. ::: -Enter the base directory and start a new `hatch` environment by doing the following: +Enter the base directory and install Python dependencies with `hatch` by doing the following: ```{code} shell -$ hatch shell +$ hatch run true ``` - -:::{hint} -Using a hatch environment this way ensures that you are using the intended version of Data Safe Haven with the correct set of dependencies. -::: From 677ee4a613f04f76063b4f44e31a79bd24c8e221 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 11:30:15 +0100 Subject: [PATCH 06/21] :memo: Add subscription argument to call --- docs/source/deployment/deploy_sre.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index a768d71ce6..31346df3c7 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -19,12 +19,12 @@ This ensures that you are using the intended version of Data Safe Haven with the ## Configuration -Each project will have its own dedicated Secure Research Environment (SRE). +Each project will have its own dedicated SRE. - Create a configuration file ```console -> dsh config template --file config.yaml +> dsh config template --file PATH_YOU_WANT_TO_SAVE_TO.yaml ``` - Edit this file in your favourite text editor, replacing the placeholder text with appropriate values for your setup. 
@@ -66,7 +66,7 @@ $ dsh config upload config.yaml As private endpoints for flexible PostgreSQL are still in preview, the following command is currently needed: ```{code} shell -$ az feature register --name "enablePrivateEndpoint" --namespace "Microsoft.DBforPostgreSQL" +$ az feature register --name "enablePrivateEndpoint" --namespace "Microsoft.DBforPostgreSQL" --subscription NAME_OR_ID_OF_YOUR_SUBSCRIPTION ``` ::: From f6d9ef3f8a8a6a015e11b075168f207d2cb73490 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 14:13:09 +0100 Subject: [PATCH 07/21] :sparkles: Add an explicit list of Azure locations --- data_safe_haven/validators/validators.py | 61 +++++++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) diff --git a/data_safe_haven/validators/validators.py b/data_safe_haven/validators/validators.py index 4258d7c9d7..5df4ae3192 100644 --- a/data_safe_haven/validators/validators.py +++ b/data_safe_haven/validators/validators.py 
@@ -18,7 +18,66 @@ def aad_guid(aad_guid: str) -> str: def azure_location(azure_location: str) -> str: - if not re.match(r"^[a-z]+[0-9]?[a-z]*$", azure_location): + # Generate a list of locations with the following command: + # `az account list-locations --query "[?metadata.regionType == 'Physical'].name"` + locations = [ + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "brazilsoutheast", + "brazilus", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "centraluseuap", + "eastasia", + "eastus", + "eastus2", + "eastus2euap", + "eastusstg", + "francecentral", + "francesouth", + "germanynorth", + "germanywestcentral", + "israelcentral", + "italynorth", + "japaneast", + "japanwest", + "jioindiacentral", + "jioindiawest", + "koreacentral", + "koreasouth", + "mexicocentral", + "northcentralus", + "northeurope", + "norwayeast", + "norwaywest", + "polandcentral", + "qatarcentral", + "southafricanorth", + "southafricawest", + "southcentralus", + "southeastasia", + "southindia", + "spaincentral", + "swedencentral", + "switzerlandnorth", + "switzerlandwest", + "uaecentral", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus3", + ] + if azure_location not in locations: msg = "Expected valid Azure location, for example 'uksouth'." raise ValueError(msg) return azure_location From 294f5d42768a9d42592795908aa90e20c841033d Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 14:54:54 +0100 Subject: [PATCH 08/21] :bug: Ensure that stack name only contains '-' as a separator --- data_safe_haven/infrastructure/programs/declarative_sre.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py index 1698be923b..48c2f2105d 100644 --- a/data_safe_haven/infrastructure/programs/declarative_sre.py 
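Review bot: The allowlist in `azure_location` is rebuilt as a local `list` on every call, and as a function-local it cannot be reused or checked by other code. Hoist it to a module constant, `_AZURE_LOCATIONS = frozenset({...})`, and test with `if azure_location not in _AZURE_LOCATIONS:`. Entries such as `centraluseuap`, `eastus2euap` and `eastusstg` appear to be early-access or staging regions rather than general-purpose ones. For a deployment where data residency is a control, it is worth deciding deliberately whether they should validate. The comment records the generating command, and adding the date it was run would help, since the list will drift as Azure adds regions.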
+++ b/data_safe_haven/infrastructure/programs/declarative_sre.py @@ -4,6 +4,7 @@ from pulumi_azure_native import resources from data_safe_haven.config import Context, SREConfig +from data_safe_haven.functions import replace_separators from data_safe_haven.infrastructure.common import DockerHubCredentials from .sre.application_gateway import ( @@ -65,7 +66,7 @@ def __init__( self.context = context self.config = config self.graph_api_token = graph_api_token - self.stack_name = f"shm-{context.name}-sre-{config.name}" + self.stack_name = replace_separators(f"shm-{context.name}-sre-{config.name}", "-") self.tags = {"component": f"SRE {config.name}"} | context.tags def __call__(self) -> None: From 3fc10cbb3c8478ac28dfe818d9bd4e29b067b45b Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 15:35:40 +0100 Subject: [PATCH 09/21] :memo: Better explanation of phone format --- docs/source/management/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/management/index.md b/docs/source/management/index.md index 782bf1c79c..86f3834574 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md @@ -17,8 +17,8 @@ $ dsh users add :::{warning} -- the phone number must be in full international format. -- the country code is the two letter ISO 3166-1 Alpha-2 code. +- the phone number must be in [E.123 international format](https://en.wikipedia.org/wiki/E.123). +- the country code is the two letter [ISO 3166-1 Alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements) code. ::: From 86552585024954d07578192b89b4ebae43a9404d Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 15:43:08 +0100 Subject: [PATCH 10/21] :memo: Update syntax in management docs page --- docs/source/deployment/deploy_sre.md | 10 +++++++--- docs/source/management/index.md | 24 ++++++++++++++---------- 2 files changed, 21 insertions(+), 13 deletions(-) 
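Review bot: Normalising `stack_name` through `replace_separators(..., "-")` can map two distinct context/SRE name pairs onto the same stack name. `replace_separators` is not shown here, but if it rewrites characters such as `_` or `.` to `-`, then constructed names like `my_sre` and `my-sre` would resolve to the same stack, and a deploy or teardown aimed at one could act on the other. Consider rejecting names that collide after normalisation when the config is validated, or document that SRE names must be unique after normalisation with a comment such as `# NOTE: names differing only in separators share a stack`. `self.tags` on the following line still uses the raw `config.name`, so the tag and the stack name can now disagree. `__init__` starts outside this hunk.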
diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 31346df3c7..95e029c580 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -24,7 +24,7 @@ Each project will have its own dedicated SRE. - Create a configuration file ```console -> dsh config template --file PATH_YOU_WANT_TO_SAVE_TO.yaml +> dsh config template --file PATH_WHERE_YOU_WANT_TO_SAVE_YOUR_YAML_FILE ``` - Edit this file in your favourite text editor, replacing the placeholder text with appropriate values for your setup. @@ -57,9 +57,13 @@ sre: - Upload the config to Azure. This will validate your file and report any problems. ```{code} shell -$ dsh config upload config.yaml +$ dsh config upload PATH_TO_YOUR_EDITED_YAML_FILE ``` +:::{hint} +If you want to make changes to the config, edit this file and then run `dsh config upload` again +::: + ## Requirements :::{important} @@ -76,5 +80,5 @@ $ az feature register --name "enablePrivateEndpoint" --namespace "Microsoft.DBfo - Deploy each SRE individually [approx 30 minutes]: ```{code} shell -$ dsh sre deploy _YOUR_SRE_NAME_ +$ dsh sre deploy YOUR_SRE_NAME ``` diff --git a/docs/source/management/index.md b/docs/source/management/index.md index 86f3834574..c873e7a622 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md @@ -12,7 +12,7 @@ You will need a full name, phone number, email address and country for each user - (Optional) you can provide a `Domain` column if you like but this will otherwise default to the domain of your SHM ```{code} shell -$ dsh users add +$ dsh users add PATH_TO_MY_CSV_FILE ``` :::{warning} 
@@ -29,23 +29,27 @@ $ dsh users add 2. Alternatively, you can add multiple users from the command line: ```{code} shell -$ dsh users register -u -u +$ dsh users register YOUR_SRE_NAME -u USERNAME_1 -u USERNAME_2 ``` where you must specify the usernames for each user you want to add to this SRE. :::{note} -Usernames are of the format `.` and do not include the Entra ID domain. +Usernames are of the format _GIVEN-NAME_._SURNAME_ and do not include the Entra ID domain. ::: ## Listing available users -1. You can do this in your Entra tenant by browsing to `Entra ID > Groups > Data Safe Haven SRE Users > Members`. +- You can do this from the [Microsoft Entra admin centre](https://entra.microsoft.com/) -2. You can do this at the command line by running the following command: + 1. Browse to **{menuselection}`Groups --> All Groups` + 2. Click on the group named **Data Safe Haven SRE _SRE-NAME_ Users** + 3. Browse to **{menuselection}`Manage --> Members`** from the secondary menu on the left side + +- You can do this at the command line by running the following command: ```{code} shell -$ dsh users list +$ dsh users list YOUR_SRE_NAME ``` ## Manually register users for self-service password reset 
@@ -60,17 +64,17 @@ If you have manually created a user and want to enable SSPR, do the following - Browse to **Users > All Users** from the menu on the left side - Select the user you want to enable SSPR for - On the **Manage > Authentication Methods** page fill out their contact info as follows: - - Phone: add the user's phone number with a space between the country code and the rest of the number (_e.g._ `+44 7700900000`) - - Email: enter the user's email address here + - **Phone:** add the user's phone number with a space between the country code and the rest of the number (_e.g._ +44 7700900000) + - **Email:** enter the user's email address here - Ensure that you have registered **both** a phone number and an email address - - Click the `Save` icon in the top panel + - Click the **{guilabel}`Save`** icon in the top panel ## Removing a deployed Data Safe Haven - Run the following if you want to teardown a deployed SRE: ```{code} shell -$ dsh sre teardown +$ dsh sre teardown YOUR_SRE_NAME ``` - Run the following if you want to teardown the deployed SHM: From 0c4e5b91a0aadf13fa69af6a0c26f9457f2813fc Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 16:02:42 +0100 Subject: [PATCH 11/21] :memo: Simplify add-user documentation --- docs/source/management/index.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/source/management/index.md b/docs/source/management/index.md index c873e7a622..67ade94877 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md 
@@ -10,18 +10,23 @@ You will need a full name, phone number, email address and country for each user 2. Alternatively, you can add multiple users from a CSV file with columns named (`GivenName`, `Surname`, `Phone`, `Email`, `CountryCode`). - (Optional) you can provide a `Domain` column if you like but this will otherwise default to the domain of your SHM + - {{warning}} **Phone** must be in [E.123 international format](https://en.wikipedia.org/wiki/E.123) + - {{warning}} **CountryCode** is the two letter [ISO 3166-1 Alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements) code + +::::{admonition} Example CSV user file +:class: dropdown tip + +:::{code} text +GivenName;Surname;Phone;Email;CountryCode +Sherlock;Holmes;+44800456456;sherlock@bakerst.london;GB +John;Watson;+18005550100;john@nhs.uk;US +::: +:::: ```{code} shell $ dsh users add PATH_TO_MY_CSV_FILE ``` -:::{warning} - -- the phone number must be in [E.123 international format](https://en.wikipedia.org/wiki/E.123). -- the country code is the two letter [ISO 3166-1 Alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements) code. - -::: - ## Assign existing users to an SRE 1. You can do this directly in your Entra tenant by adding them to the `Data Safe Haven SRE ` group, following the instructions [here](https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal#add-a-group-member). From f3052debd2267cd952f0c416d0115bc1db6c6fe3 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 16:37:59 +0100 Subject: [PATCH 12/21] :loud_sound: Fix log message --- data_safe_haven/external/api/graph_api.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data_safe_haven/external/api/graph_api.py b/data_safe_haven/external/api/graph_api.py index 4a99dc04c4..c4a7eccb59 100644 --- a/data_safe_haven/external/api/graph_api.py +++ b/data_safe_haven/external/api/graph_api.py 
@@ -435,7 +435,7 @@ def create_user( json={"emailAddress": email_address}, ) except DataSafeHavenMicrosoftGraphError as exc: - msg = f"Failed to add authentication email address'{email_address}'." + msg = f"Failed to add authentication email address '{email_address}'." raise DataSafeHavenMicrosoftGraphError(msg) from exc # Set the authentication phone number From efa0a4c7f97919698bd4cb17f61d5879813dd30b Mon Sep 17 00:00:00 2001 From: James Robinson Date: Wed, 31 Jul 2024 22:20:38 +0100 Subject: [PATCH 13/21] :bug: Update validation of Azure subscription names which can accept a wider range of characters than previously thought --- data_safe_haven/infrastructure/programs/declarative_sre.py | 4 +++- data_safe_haven/validators/validators.py | 2 +- tests/commands/test_context.py | 2 +- tests/validators/test_typer_validators.py | 6 +++--- tests/validators/test_validators.py | 6 +++--- 5 files changed, 11 insertions(+), 9 deletions(-) diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py index 48c2f2105d..3ac95676ab 100644 --- a/data_safe_haven/infrastructure/programs/declarative_sre.py +++ b/data_safe_haven/infrastructure/programs/declarative_sre.py @@ -66,7 +66,9 @@ def __init__( self.context = context self.config = config self.graph_api_token = graph_api_token - self.stack_name = replace_separators(f"shm-{context.name}-sre-{config.name}", "-") + self.stack_name = replace_separators( + f"shm-{context.name}-sre-{config.name}", "-" + ) self.tags = {"component": f"SRE {config.name}"} | context.tags def __call__(self) -> None: diff --git a/data_safe_haven/validators/validators.py b/data_safe_haven/validators/validators.py index 5df4ae3192..dd4458ec57 100644 --- a/data_safe_haven/validators/validators.py +++ b/data_safe_haven/validators/validators.py 
@@ -85,7 +85,7 @@ def azure_location(azure_location: str) -> str: def azure_subscription_name(subscription_name: str) -> str: # https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules - if not re.match(r"[a-zA-Z0-9\- \[\]]+", subscription_name): + if not re.match(r"^[a-zA-Z0-9\- \[\]]+$", subscription_name): msg = "Azure subscription names can only contain alphanumeric characters, spaces and particular special characters." raise ValueError(msg) return subscription_name diff --git a/tests/commands/test_context.py b/tests/commands/test_context.py index 1bdc6c0257..03cad5b547 100644 --- a/tests/commands/test_context.py +++ b/tests/commands/test_context.py @@ -130,7 +130,7 @@ def test_add_invalid_subscription_name(self, runner): "--name", "example", "--subscription-name", - "Invalid Subscription Name ", + "Invalid Subscription Name ^$", ], ) assert result.exit_code == 2 diff --git a/tests/validators/test_typer_validators.py b/tests/validators/test_typer_validators.py index a53544c98d..f2dabc619b 100644 --- a/tests/validators/test_typer_validators.py +++ b/tests/validators/test_typer_validators.py @@ -48,10 +48,10 @@ def test_typer_subscription_name(self, subscription_name): @pytest.mark.parametrize( "subscription_name", [ - "My_Subscription", - "Your Subscription ", + "My!Subscription", + "", "%^*", - "1A subscription", + "1@ subscription", "sΓΌbscrΓ­ptΓ¬Ε‘n", "πŸ™‚", ], diff --git a/tests/validators/test_validators.py b/tests/validators/test_validators.py index b99d726a1b..1c38e551f8 100644 --- a/tests/validators/test_validators.py +++ b/tests/validators/test_validators.py @@ -44,10 +44,10 @@ def test_subscription_name(self, subscription_name): @pytest.mark.parametrize( "subscription_name", [ - "My_Subscription", - "Your Subscription ", + "My!Subscription", + "", "%^*", - "1A subscription", + "1@ subscription", "sΓΌbscrΓ­ptΓ¬Ε‘n", "πŸ™‚", ], From 193382604650fc8e4817e71552bda5475401a83f Mon Sep 17 00:00:00 2001 
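Review bot: With `re.match`, the `$` in `^[a-zA-Z0-9\- \[\]]+$` also matches just before a trailing newline, so a name such as `"My Subscription\n"` still validates. `if not re.fullmatch(r"[a-zA-Z0-9\- \[\]]+", subscription_name):` (or `\Z` in place of `$`) closes that gap. The parametrised invalid names in `tests/validators/test_validators.py` and `tests/validators/test_typer_validators.py` cover an invalid character after a valid prefix but have no trailing-newline case, and adding one would pin the behaviour. Whether a newline can actually reach this function depends on callers not visible in this patch.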
From: James Robinson Date: Wed, 31 Jul 2024 22:33:57 +0100 Subject: [PATCH 14/21] :rotating_light: Fix indentation --- docs/source/management/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/management/index.md b/docs/source/management/index.md index 67ade94877..56a716cb88 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md @@ -47,9 +47,9 @@ Usernames are of the format _GIVEN-NAME_._SURNAME_ and do not include the Entra - You can do this from the [Microsoft Entra admin centre](https://entra.microsoft.com/) - 1. Browse to **{menuselection}`Groups --> All Groups` - 2. Click on the group named **Data Safe Haven SRE _SRE-NAME_ Users** - 3. Browse to **{menuselection}`Manage --> Members`** from the secondary menu on the left side + 1. Browse to **{menuselection}`Groups --> All Groups` + 2. Click on the group named **Data Safe Haven SRE _SRE-NAME_ Users** + 3. Browse to **{menuselection}`Manage --> Members`** from the secondary menu on the left side - You can do this at the command line by running the following command: From c03bb1556690383559053f42629d6e6480fe2a63 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 1 Aug 2024 11:51:12 +0100 Subject: [PATCH 15/21] :memo: Replace backticks with bold as appropriate --- docs/source/deployment/configure_entra_id.md | 2 +- docs/source/deployment/deploy_shm.md | 6 +++--- docs/source/deployment/deploy_sre.md | 4 ++-- .../design/security/reference_configuration.md | 8 ++++---- docs/source/design/security/technical_controls.md | 4 ++-- docs/source/management/index.md | 12 +++--------- docs/source/overview/sensitivity_tiers.md | 4 ++-- 7 files changed, 17 insertions(+), 23 deletions(-) diff --git a/docs/source/deployment/configure_entra_id.md b/docs/source/deployment/configure_entra_id.md index 354e400be5..3551c0bea8 100644 --- a/docs/source/deployment/configure_entra_id.md +++ b/docs/source/deployment/configure_entra_id.md 
@@ -37,7 +37,7 @@ This is necessary both to secure logins and to allow users to set their own pass - Sign in to the [Microsoft Entra admin centre](https://entra.microsoft.com/) - Browse to **{menuselection}`Protection --> Authentication methods`** from the menu on the left side - Browse to **{menuselection}`Manage --> Policies`** from the secondary menu on the left side -- For each of **Microsoft Authenticator**, **SMS**, **Third-party software OATH tokens**, **Voice call** and **Email OTP** click on the method name +- For each of **Microsoft Authenticator**, **SMS**, **Voice call** and **Email OTP** click on the method name - Ensure the slider is set to **Enable** and the target to **All users** - Click the **{guilabel}`Save`** button diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index 3d55e24a7f..e41565f6f3 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md @@ -38,7 +38,7 @@ Follow the instructions [here](https://learn.microsoft.com/en-us/entra/fundament ## Deployment -::::{admonition} Ensure you are using a `hatch` shell +::::{admonition} Ensure you are using a hatch shell :class: dropdown important You must use a `hatch` shell to run any `dsh` commands. 
@@ -86,7 +86,7 @@ You will be prompted to log in to the Azure CLI and to the Graph API. :::{important} You may be asked to delegate your domain name to Azure. To do this, you'll need to know details about the parent domain. For example, if you are deploying to `dsh.example.com` then the parent name is `example.com`. -- Follow [this tutorial](https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns#delegate-the-domain) if the parent domain is hosted outside Azure -- Follow [this tutorial](https://learn.microsoft.com/en-us/azure/dns/tutorial-public-dns-zones-child#verify-the-child-dns-zone) if the parent domain is hosted in Azure +- Follow [this tutorial](https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns#delegate-the-domain) if the parent domain is hosted **outside Azure** +- Follow [this tutorial](https://learn.microsoft.com/en-us/azure/dns/tutorial-public-dns-zones-child#verify-the-child-dns-zone) if the parent domain is hosted **in Azure** ::: diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 95e029c580..28c3de4e9b 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -4,7 +4,7 @@ These instructions will deploy a new Secure Research Environment (SRE). -::::{admonition} Ensure you are using a `hatch` shell +::::{admonition} Ensure you are using a hatch shell :class: dropdown important You must use a `hatch` shell to run any `dsh` commands. @@ -24,7 +24,7 @@ Each project will have its own dedicated SRE. - Create a configuration file ```console -> dsh config template --file PATH_WHERE_YOU_WANT_TO_SAVE_YOUR_YAML_FILE +$ dsh config template --file PATH_YOU_WANT_TO_SAVE_YOUR_YAML_FILE_TO ``` - Edit this file in your favourite text editor, replacing the placeholder text with appropriate values for your setup. 
diff --git a/docs/source/design/security/reference_configuration.md b/docs/source/design/security/reference_configuration.md index 8e8a751bb3..5d508cdebd 100644 --- a/docs/source/design/security/reference_configuration.md +++ b/docs/source/design/security/reference_configuration.md @@ -35,7 +35,7 @@ The set of controls applied at the Alan Turing Institute are discussed here, tog ### Turing configuration setting: - Managed devices must be provided by an approved organisation and the user must not have administrator access to them. -- Network rules for higher tier environments permit access only from IP ranges corresponding to `Restricted` networks that only permit managed devices to connect. +- Network rules for higher tier environments permit access only from IP ranges corresponding to **Restricted** networks that only permit managed devices to connect. ### Implication: @@ -49,7 +49,7 @@ The set of controls applied at the Alan Turing Institute are discussed here, tog - Medium security research spaces control the possibility of unauthorised viewing. - Card access or other means of restricting entry to only known researchers (such as the signing in of guests on a known list) is required. - Screen adaptations or desk partitions should be adopted in open-plan spaces if there is a high risk of unauthorised people viewing the user's screen. -- Firewall rules for the SREs only permit access from `Restricted` network IP ranges corresponding to these research spaces. +- Firewall rules for the SREs only permit access from **Restricted** network IP ranges corresponding to these research spaces. ### Implication: 
@@ -103,7 +103,7 @@ To minimise the risk of unauthorised access to the dataset while the ingress vol ### Turing configuration setting:: - Users can write to the `/output` volume. -- A {ref}`role_system_manager` can view and download data in the `/output` volume via `Azure Storage Explorer`. +- A {ref}`role_system_manager` can view and download data in the `/output` volume via **Azure Storage Explorer**. ### Implication: @@ -147,7 +147,7 @@ To minimise the risk of unauthorised access to the dataset while the ingress vol ### Turing configuration setting: -- An `Azure Firewall` ensures that all VMs within the safe haven have the minimal level of internet access required to function. +- An **Azure Firewall** ensures that all VMs within the safe haven have the minimal level of internet access required to function. ### Implication: diff --git a/docs/source/design/security/technical_controls.md b/docs/source/design/security/technical_controls.md index 83065079c6..404e269375 100644 --- a/docs/source/design/security/technical_controls.md +++ b/docs/source/design/security/technical_controls.md @@ -109,6 +109,6 @@ Note that this means that eg. password managers cannot be used to autofill a {re ### Python/R package availability: -- **{ref}`policy_tier_3`:** A pre-agreed allowlist of packages from `CRAN` and `PyPI` (via proxy or local mirror). -- **{ref}`policy_tier_2`:** Anything on `CRAN` or `PyPI` (via proxy or local mirror). +- **{ref}`policy_tier_3`:** A pre-agreed allowlist of packages from **CRAN** and **PyPI** (via proxy or local mirror). +- **{ref}`policy_tier_2`:** Anything on **CRAN** or **PyPI** (via proxy or local mirror). - **{ref}`policy_tier_0` and {ref}`policy_tier_1`:** Direct access to any package repository. diff --git a/docs/source/management/index.md b/docs/source/management/index.md index 56a716cb88..2ec9c60101 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md 
@@ -69,9 +69,9 @@ If you have manually created a user and want to enable SSPR, do the following - Browse to **Users > All Users** from the menu on the left side - Select the user you want to enable SSPR for - On the **Manage > Authentication Methods** page fill out their contact info as follows: - - **Phone:** add the user's phone number with a space between the country code and the rest of the number (_e.g._ +44 7700900000) - - **Email:** enter the user's email address here - - Ensure that you have registered **both** a phone number and an email address + - Ensure that you register **both** a phone number and an email address + - **Phone:** add the user's phone number with a space between the country code and the rest of the number (_e.g._ +44 7700900000) + - **Email:** enter the user's email address here - Click the **{guilabel}`Save`** icon in the top panel ## Removing a deployed Data Safe Haven @@ -87,9 +87,3 @@ $ dsh sre teardown YOUR_SRE_NAME ```{code} shell $ dsh shm teardown ``` - -- Run the following if you want to teardown the deployed Data Safe Haven context: - -```{code} shell -$ dsh context teardown -``` diff --git a/docs/source/overview/sensitivity_tiers.md b/docs/source/overview/sensitivity_tiers.md index 26d669bac5..4aef9a32fe 100644 --- a/docs/source/overview/sensitivity_tiers.md +++ b/docs/source/overview/sensitivity_tiers.md @@ -54,7 +54,7 @@ Non-technical restrictions related to information governance procedures may also Non-technical restrictions related to information governance procedures may also be applied according to your organisation's needs. ```{admonition} Organisational networks -At the Turing connections to Tier 2 environments are only permitted from `Organisational` networks managed by the Turing or one of its organisational partners. +At the Turing connections to Tier 2 environments are only permitted from **Organisational** networks managed by the Turing or one of its organisational partners. ``` (policy_tier_3)= 
@@ -68,7 +68,7 @@ At the Turing connections to Tier 2 environments are only permitted from `Organi Non-technical restrictions related to information governance procedures may also be applied according to your organisation's needs. ```{admonition} Restricted networks -At the Turing connections to Tier 3 environments are only permitted from `Restricted` networks that are only accessible by known researchers. +At the Turing connections to Tier 3 environments are only permitted from **Restricted** networks that are only accessible by known researchers. ``` ```{admonition} Physical spaces From b723c986f79ca22163bd4da9841f91ee7d6afc3e Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 1 Aug 2024 11:52:24 +0100 Subject: [PATCH 16/21] :memo: Better explanation of SHM command line options --- docs/source/deployment/deploy_shm.md | 37 +++++++++++++++++++--------- docs/source/management/index.md | 6 ++--- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index e41565f6f3..678536653f 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md 
@@ -53,21 +53,34 @@ This ensures that you are using the intended version of Data Safe Haven with the Before deploying the Safe Haven Management (SHM) infrastructure you need to decide on a few parameters: -- `entra_tenant_id`: Tenant ID for the Entra ID used to manage TRE users -- `fqdn`: Fully-qualified domain you want your users to belong to and to access your TRE from -- `location`: Azure location where you want your resources deployed +**entra_tenant_id** +: Tenant ID for the Entra ID used to manage TRE users -:::{admonition} How to find your Microsoft Entra Tenant ID -:class: dropdown note + :::{admonition} How to find your Microsoft Entra Tenant ID + :class: dropdown hint -- Go to the [Microsoft Entra admin centre](https://entra.microsoft.com/) -- Click on your username / profile icon in the top right -- Click **{guilabel}`Switch directory`** in the dropdown menu -- Ensure that you have selected the directory you chose above -- Browse to **{menuselection}`Identity --> Overview`** from the menu on the left side. -- Take note of the `Tenant ID` + - Go to the [Microsoft Entra admin centre](https://entra.microsoft.com/) + - Click on your username / profile icon in the top right + - Click **{guilabel}`Switch directory`** in the dropdown menu + - Ensure that you have selected the directory you chose above + - Browse to **{menuselection}`Identity --> Overview`** from the menu on the left side. + - Take note of the `Tenant ID` -::: + ::: + +**fqdn** +: Domain name that your TRE users will belong to. + + :::{hint} + Use a domain that you own! If you use _e.g._ `bakerst.london` here your users will be given usernames like `sherlock.holmes@bakerst.london` + ::: + +**location** +: Azure location where you want your resources deployed. + + :::{hint} + Use the short name without spaces, _e.g._ **uksouth** not **UK South** + ::: Once you've decided on these, run the following command: [approx 5 minutes]: 
diff --git a/docs/source/management/index.md b/docs/source/management/index.md index 2ec9c60101..632f1a8378 100644 --- a/docs/source/management/index.md +++ b/docs/source/management/index.md @@ -11,15 +11,15 @@ You will need a full name, phone number, email address and country for each user 2. Alternatively, you can add multiple users from a CSV file with columns named (`GivenName`, `Surname`, `Phone`, `Email`, `CountryCode`). - (Optional) you can provide a `Domain` column if you like but this will otherwise default to the domain of your SHM - {{warning}} **Phone** must be in [E.123 international format](https://en.wikipedia.org/wiki/E.123) - - {{warning}} **CountryCode** is the two letter [ISO 3166-1 Alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements) code + - {{warning}} **CountryCode** is the two letter [ISO 3166-1 Alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements) code for the country where the user is based ::::{admonition} Example CSV user file :class: dropdown tip :::{code} text GivenName;Surname;Phone;Email;CountryCode -Sherlock;Holmes;+44800456456;sherlock@bakerst.london;GB -John;Watson;+18005550100;john@nhs.uk;US +Sherlock;Holmes;+44800456456;sherlock@holmes.me;GB +John;Watson;+18005550100;john.watson@nhs.uk;GB ::: :::: From 8be7cdd447a2ed63988dd99108311de598b3dfcf Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 1 Aug 2024 11:52:45 +0100 Subject: [PATCH 17/21] :memo: Split long command line expressions --- docs/source/deployment/deploy_shm.md | 4 +++- docs/source/deployment/deploy_sre.md | 4 +++- docs/source/deployment/setup_context.md | 5 ++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index 678536653f..006364868b 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md 
@@ -85,7 +85,9 @@ Before deploying the Safe Haven Management (SHM) infrastructure you need to deci Once you've decided on these, run the following command: [approx 5 minutes]: ```{code} shell -$ dsh shm deploy --entra-tenant-id YOUR_ENTRA_TENANT_ID --fqdn YOUR_DOMAIN_NAME --location YOUR_LOCATION +$ dsh shm deploy --entra-tenant-id YOUR_ENTRA_TENANT_ID \ + --fqdn YOUR_DOMAIN_NAME \ + --location YOUR_LOCATION ``` :::{note} diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 28c3de4e9b..134175f2f1 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -70,7 +70,9 @@ If you want to make changes to the config, edit this file and then run `dsh conf As private endpoints for flexible PostgreSQL are still in preview, the following command is currently needed: ```{code} shell -$ az feature register --name "enablePrivateEndpoint" --namespace "Microsoft.DBforPostgreSQL" --subscription NAME_OR_ID_OF_YOUR_SUBSCRIPTION +$ az feature register --name "enablePrivateEndpoint" \ + --namespace "Microsoft.DBforPostgreSQL" \ + --subscription NAME_OR_ID_OF_YOUR_SUBSCRIPTION ``` ::: diff --git a/docs/source/deployment/setup_context.md b/docs/source/deployment/setup_context.md index 4b51ea626b..eee62f2f3d 100644 --- a/docs/source/deployment/setup_context.md +++ b/docs/source/deployment/setup_context.md @@ -28,7 +28,10 @@ $ dsh context add --help - Run a command like the following to create your local context file. ```{code} shell -$ dsh context add --admin-group-name AZURE_GROUP_CONTAINING_ALL_ADMINISTRATORS --name CONTEXT_NAME --description HUMAN_FRIENDLY_NAME --subscription-name AZURE_SUBSCRIPTION_NAME +$ dsh context add --admin-group-name AZURE_SECURITY_GROUP_CONTAINING_ALL_ADMINISTRATORS \ + --name NAME_WITH_ONLY_LETTERS_NUMBERS_AND_UNDERSCORES \ + --description HUMAN_FRIENDLY_DESCRIPTION_OF_YOUR_TRE \ + --subscription-name AZURE_SUBSCRIPTION_NAME ``` :::{note} 
From 00bc34f355b159277ea6d28074de4745f4e7740d Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Thu, 1 Aug 2024 11:53:10 +0100
Subject: [PATCH 18/21] :memo: Reorder and expand docs on user management
---
docs/source/management/index.md | 51 +++++++++++++++++++++------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/docs/source/management/index.md b/docs/source/management/index.md
index 632f1a8378..363e306165 100644
--- a/docs/source/management/index.md
+++ b/docs/source/management/index.md
@@ -27,35 +27,48 @@ John;Watson;+18005550100;john.watson@nhs.uk;GB $ dsh users add PATH_TO_MY_CSV_FILE ``` -## Assign existing users to an SRE +## Listing available users -1. You can do this directly in your Entra tenant by adding them to the `Data Safe Haven SRE ` group, following the instructions [here](https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal#add-a-group-member). +- You can do this from the [Microsoft Entra admin centre](https://entra.microsoft.com/) -2. Alternatively, you can add multiple users from the command line: + 1. Browse to **{menuselection}`Groups --> All Groups`** + 2. Click on the group named **Data Safe Haven SRE _SRE-NAME_ Users** + 3. Browse to **{menuselection}`Manage --> Members`** from the secondary menu on the left side -```{code} shell -$ dsh users register YOUR_SRE_NAME -u USERNAME_1 -u USERNAME_2 -``` +- You can do this at the command line by running the following command: -where you must specify the usernames for each user you want to add to this SRE. + ```{code} shell + $ dsh users list YOUR_SRE_NAME + ``` -:::{note} -Usernames are of the format _GIVEN-NAME_._SURNAME_ and do not include the Entra ID domain. -::: + which will give output like the following -## Listing available users + ``` + ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┓ + ┃ username ┃ Entra ID ┃ SRE YOUR_SRE_NAME ┃ + ┑━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━┩ + β”‚ ada.lovelace β”‚ x β”‚ β”‚ + β”‚ grace.hopper β”‚ x β”‚ β”‚ + β”‚ sherlock.holmes β”‚ x β”‚ x β”‚ + β”‚ john.watson β”‚ x β”‚ x β”‚ + β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ + ``` -- You can do this from the [Microsoft Entra admin centre](https://entra.microsoft.com/) +## Assign existing users to an SRE - 1. Browse to **{menuselection}`Groups --> All Groups` - 2. 
Click on the group named **Data Safe Haven SRE _SRE-NAME_ Users** - 3. Browse to **{menuselection}`Manage --> Members`** from the secondary menu on the left side +1. You can do this directly in your Entra tenant by adding them to the **Data Safe Haven SRE _YOUR\_SRE\_NAME_ Users** group, following the instructions [here](https://learn.microsoft.com/en-us/entra/fundamentals/groups-view-azure-portal#add-a-group-member). -- You can do this at the command line by running the following command: +2. Alternatively, you can add multiple users from the command line: -```{code} shell -$ dsh users list YOUR_SRE_NAME -``` + ```{code} shell + $ dsh users register YOUR_SRE_NAME -u USERNAME_1 -u USERNAME_2 + ``` + + where you must specify the usernames for each user you want to add to this SRE. + + :::{important} + Do not include the Entra ID domain part of the username, just the part before the @. + ::: ## Manually register users for self-service password reset From db22ba716d3f52b2764cc9ddd962b76106404870 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 1 Aug 2024 12:05:43 +0100 Subject: [PATCH 19/21] :memo: Replace backticks with colons --- docs/source/deployment/deploy_shm.md | 4 ++-- docs/source/deployment/deploy_sre.md | 25 +++++++++++++++---------- docs/source/deployment/index.md | 8 ++++---- docs/source/deployment/setup_context.md | 8 ++++---- 4 files changed, 25 insertions(+), 20 deletions(-) diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index 006364868b..f597b94e5f 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md 
@@ -84,11 +84,11 @@ Before deploying the Safe Haven Management (SHM) infrastructure you need to deci Once you've decided on these, run the following command: [approx 5 minutes]: -```{code} shell +:::{code} shell $ dsh shm deploy --entra-tenant-id YOUR_ENTRA_TENANT_ID \ --fqdn YOUR_DOMAIN_NAME \ --location YOUR_LOCATION -``` +::: :::{note} You will be prompted to log in to the Azure CLI and to the Graph API. diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 134175f2f1..27d9be8a0e 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -23,13 +23,16 @@ Each project will have its own dedicated SRE. - Create a configuration file -```console +:::{code} shell $ dsh config template --file PATH_YOU_WANT_TO_SAVE_YOUR_YAML_FILE_TO -``` +::: - Edit this file in your favourite text editor, replacing the placeholder text with appropriate values for your setup. -```yaml +::::{admonition} Example YAML configuration file +:class: dropdown tip + +:::{code} yaml azure: subscription_id: # ID of the Azure subscription that the TRE will be deployed to tenant_id: # Home tenant for the Azure account used to deploy infrastructure: `az account show` @@ -50,15 +53,17 @@ sre: software_packages: # any/pre-approved/none: which packages from external repositories to allow timezone: # Timezone in pytz format (eg. Europe/London) workspace_skus: # List of Azure VM SKUs - see cloudprice.net for list of valid SKUs -``` +::: + +:::: ## Upload the configuration file - Upload the config to Azure. This will validate your file and report any problems. -```{code} shell +:::{code} shell $ dsh config upload PATH_TO_YOUR_EDITED_YAML_FILE -``` +::: :::{hint} If you want to make changes to the config, edit this file and then run `dsh config upload` again 
@@ -69,11 +74,11 @@ If you want to make changes to the config, edit this file and then run `dsh conf :::{important} As private endpoints for flexible PostgreSQL are still in preview, the following command is currently needed: -```{code} shell +:::{code} shell $ az feature register --name "enablePrivateEndpoint" \ --namespace "Microsoft.DBforPostgreSQL" \ --subscription NAME_OR_ID_OF_YOUR_SUBSCRIPTION -``` +::: ::: @@ -81,6 +86,6 @@ $ az feature register --name "enablePrivateEndpoint" \ - Deploy each SRE individually [approx 30 minutes]: -```{code} shell +:::{code} shell $ dsh sre deploy YOUR_SRE_NAME -``` +::: diff --git a/docs/source/deployment/index.md b/docs/source/deployment/index.md index 67d05f4f5e..b68acba545 100644 --- a/docs/source/deployment/index.md +++ b/docs/source/deployment/index.md @@ -1,13 +1,13 @@ # Deployment -```{toctree} +:::{toctree} :hidden: setup_context.md deploy_shm.md configure_entra_id.md deploy_sre.md -``` +::: Deploying an instance of the Data Safe Haven involves the following steps: @@ -46,6 +46,6 @@ Please contact the development team in case of any problems. Enter the base directory and install Python dependencies with `hatch` by doing the following: -```{code} shell +:::{code} shell $ hatch run true -``` +::: diff --git a/docs/source/deployment/setup_context.md b/docs/source/deployment/setup_context.md index eee62f2f3d..fb159b82a7 100644 --- a/docs/source/deployment/setup_context.md +++ b/docs/source/deployment/setup_context.md 
@@ -21,18 +21,18 @@ You can specify the directory where your context configuration (`context.yaml`) - You will need to provide some options to set up your DSH context. You can see what these are by running the following: -```{code} shell +:::{code} shell $ dsh context add --help -``` +::: - Run a command like the following to create your local context file. -```{code} shell +:::{code} shell $ dsh context add --admin-group-name AZURE_SECURITY_GROUP_CONTAINING_ALL_ADMINISTRATORS \ --name NAME_WITH_ONLY_LETTERS_NUMBERS_AND_UNDERSCORES \ --description HUMAN_FRIENDLY_DESCRIPTION_OF_YOUR_TRE \ --subscription-name AZURE_SUBSCRIPTION_NAME -``` +::: :::{note} If you have multiple contexts defined, you can select which context you want to use with `dsh context switch CONTEXT_NAME`. From 7fdd2b3e42b1a785c044621ffa2ae86e80acea71 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Fri, 2 Aug 2024 13:31:24 +0100 Subject: [PATCH 20/21] :memo: Apply suggestions from code review Co-authored-by: Matt Craddock --- docs/source/deployment/deploy_sre.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 27d9be8a0e..e71472c12d 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -2,7 +2,7 @@ # Deploy a Secure Research Environment -These instructions will deploy a new Secure Research Environment (SRE). +These instructions will deploy a new Secure Research Environment (SRE). ::::{admonition} Ensure you are using a hatch shell :class: dropdown important From 50412e69f9756af61318e060cca5fa84b203451a Mon Sep 17 00:00:00 2001 From: James Robinson Date: Fri, 2 Aug 2024 14:35:52 +0100 Subject: [PATCH 21/21] :coffin: Drop private endpoint section as this does not seem to be needed any more --- docs/source/deployment/deploy_sre.md | 13 ------------- 1 file changed, 13 deletions(-) 
diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index e71472c12d..5ebeaa61a0 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -69,19 +69,6 @@ $ dsh config upload PATH_TO_YOUR_EDITED_YAML_FILE If you want to make changes to the config, edit this file and then run `dsh config upload` again ::: -## Requirements - -:::{important} -As private endpoints for flexible PostgreSQL are still in preview, the following command is currently needed: - -:::{code} shell -$ az feature register --name "enablePrivateEndpoint" \ - --namespace "Microsoft.DBforPostgreSQL" \ - --subscription NAME_OR_ID_OF_YOUR_SUBSCRIPTION -::: - -::: - ## Deployment - Deploy each SRE individually [approx 30 minutes]: