cran support in nexus (#2694)

* add cran support * linux vm config * linux vm config edit * Base type r * fix vm scripts * windows powershell edit * ps file content config * corrected naming for allowed workspace fqdns * edit to nexus firewall config * nsg fix and firewall config * moving firewall addition to workspace so that the rule is added on creation * fix references * revert base and add to nexus * alter output config * add acr parameter * source address to array missing output * porter version * fixing final issues * Final windows config changes * versions * remove mgmt_acr and certain CRLs * terraform configuration * TFlint fixes * outputs.tf Co-authored-by: Jaimie Withers <jaimie.withers@bdi.ox.ac.uk> Co-authored-by: David Moore <35696285+damoodamoo@users.noreply.github.com>
microsoft · Oct 18, 2022 · 8b47280 · 8b47280
1 parent 32533a6
commit 8b47280
Show file tree

Hide file tree

Showing 17 changed files with 285 additions and 50 deletions.
diff --git a/templates/shared_services/sonatype-nexus-vm/parameters.json b/templates/shared_services/sonatype-nexus-vm/parameters.json
@@ -16,6 +16,12 @@
         "env": "ID"
       }
     },
+    {
+      "name": "mgmt_acr_name",
+      "source": {
+        "env": "ACR_NAME"
+      }
+    },
     {
       "name": "tfstate_container_name",
       "source": {

diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,9 +1,9 @@
 ---
 name: tre-shared-service-sonatype-nexus
-version: 2.2.0
+version: 2.2.1
 description: "A Sonatype Nexus shared service"
-registry: azuretre
 dockerfile: Dockerfile.tmpl
+registry: azuretre
 
 credentials:
   - name: azure_tenant_id
@@ -21,6 +21,9 @@ parameters:
   - name: id
     type: string
     description: "Resource ID"
+  - name: mgmt_acr_name
+    type: string
+    description: "The name of the Azure Container Registry"
   - name: tfstate_resource_group_name
     type: string
     description: "Resource group containing the Terraform state storage account"
@@ -39,6 +42,21 @@ parameters:
     type: string
     default: "nexus-ssl"
     description: "Name of the certificate for configuring Nexus SSL with (stored in the core KeyVault)"
+outputs:
+  - name: workspace_vm_allowed_fqdns_list
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: nexus_allowed_fqdns_list
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: shared_address_prefixes
+    applyTo:
+      - install
+      - upgrade
 
 mixins:
   - exec
@@ -54,17 +72,37 @@ install:
         tre_id: "{{ bundle.parameters.tre_id }}"
         tre_resource_id: "{{ bundle.parameters.id }}"
         ssl_cert_name: "{{ bundle.parameters.ssl_cert_name }}"
+        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
+
       backendConfig:
         resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
         storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
         container_name: "{{ bundle.parameters.tfstate_container_name }}"
         key: "{{ bundle.parameters.tre_id }}-shared-service-sonatype-nexus-vm"
+      outputs:
+        - name: workspace_vm_allowed_fqdns_list
+        - name: nexus_allowed_fqdns_list
+        - name: shared_address_prefixes
+
 upgrade:
-  - exec:
+  - terraform:
       description: "Upgrade shared service"
-      command: echo
-      arguments:
-        - "This shared service does not implement upgrade action"
+      input: false
+      vars:
+        tre_id: "{{ bundle.parameters.tre_id }}"
+        tre_resource_id: "{{ bundle.parameters.id }}"
+        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
+      backendConfig:
+        resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
+        container_name: "{{ bundle.parameters.tfstate_container_name }}"
+        key: "{{ bundle.parameters.tre_id }}-shared-service-sonatype-nexus-vm"
+      outputs:
+        - name: workspace_vm_allowed_fqdns_list
+        - name: nexus_allowed_fqdns_list
+        - name: shared_address_prefixes
 uninstall:
   - terraform:
       description: "Tear down shared service"
@@ -73,6 +111,8 @@ uninstall:
         tre_id: "{{ bundle.parameters.tre_id }}"
         tre_resource_id: "{{ bundle.parameters.id }}"
         ssl_cert_name: "{{ bundle.parameters.ssl_cert_name }}"
+        mgmt_resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
+        acr_name: "{{ bundle.parameters.mgmt_acr_name }}"
       backendConfig:
         resource_group_name: "{{ bundle.parameters.tfstate_resource_group_name }}"
         storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"

diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/cran_proxy_conf.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/cran_proxy_conf.json
@@ -0,0 +1,32 @@
+{
+  "name": "r-proxy",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true,
+    "write_policy": "ALLOW"
+  },
+  "proxy": {
+    "remoteUrl": "https://cran.r-project.org/",
+    "contentMaxAge": 1440,
+    "metadataMaxAge": 1440
+  },
+  "negativeCache": {
+    "enabled": true,
+    "timeToLive": 1440
+  },
+  "httpClient": {
+    "blocked": false,
+    "autoBlock": false,
+    "connection": {
+      "retries": 0,
+      "userAgentSuffix": "string",
+      "timeout": 60,
+      "enableCircularRedirects": false,
+      "enableCookies": false,
+      "useTrustStore": false
+    }
+  },
+  "baseType": "r",
+  "repoType": "proxy"
+}
diff --git a/templates/shared_services/sonatype-nexus-vm/template_schema.json b/templates/shared_services/sonatype-nexus-vm/template_schema.json
@@ -13,5 +13,146 @@
       "title": "SSL certificate name",
       "description": "The name of the certificate to use (located in the core KeyVault) for configuring Nexus SSL"
     }
+  },
+  "pipeline": {
+    "install": [
+      {
+        "stepId": "main"
+      },
+      {
+        "stepId": "42024559-3a88-4518-b1ea-713aebc91cfd",
+        "stepTitle": "Add Nexus rule collection to firewall",
+        "resourceTemplateName": "tre-shared-service-firewall",
+        "resourceType": "shared-service",
+        "resourceAction": "upgrade",
+        "properties": [
+          {
+            "name": "rule_collections",
+            "type": "array",
+            "arraySubstitutionAction": "replace",
+            "arrayMatchField": "name",
+            "value": {
+              "name": "shared_subnet_sonatype_nexus",
+              "action": "Allow",
+              "rules": [
+                {
+                  "name": "vm-crl",
+                  "description": "CRLs for workspaces",
+                  "protocols": [
+                    {
+                      "port": "443",
+                      "type": "Https"
+                    },
+                    {
+                      "port": "80",
+                      "type": "Http"
+                    }
+                  ],
+                  "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}",
+                  "source_addresses": ["*"]
+                },
+                {
+                  "name": "nexus-package-sources",
+                  "description": "Nexus Package Sources",
+                  "protocols": [
+                    {
+                      "port": "443",
+                      "type": "Https"
+                    },
+                    {
+                      "port": "80",
+                      "type": "Http"
+                    }
+                  ],
+                  "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}",
+                  "source_addresses": "{{ resource.properties.shared_address_prefixes }}"
+                }
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "upgrade": [
+      {
+        "stepId": "main"
+      },
+      {
+        "stepId": "a794e818-0807-4012-90be-3e78f530383c",
+        "stepTitle": "Update Nexus rule collection in firewall",
+        "resourceTemplateName": "tre-shared-service-firewall",
+        "resourceType": "shared-service",
+        "resourceAction": "upgrade",
+        "properties": [
+          {
+            "name": "rule_collections",
+            "type": "array",
+            "arraySubstitutionAction": "replace",
+            "arrayMatchField": "name",
+            "value": {
+              "name": "shared_subnet_sonatype_nexus",
+              "action": "Allow",
+              "rules": [
+                {
+                  "name": "vm-crl",
+                  "description": "CRLs for workspaces",
+                  "protocols": [
+                    {
+                      "port": "443",
+                      "type": "Https"
+                    },
+                    {
+                      "port": "80",
+                      "type": "Http"
+                    }
+                  ],
+                  "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}",
+                  "source_addresses": ["*"]
+                },
+                {
+                  "name": "nexus-package-sources",
+                  "description": "Nexus Package Sources",
+                  "protocols": [
+                    {
+                      "port": "443",
+                      "type": "Https"
+                    },
+                    {
+                      "port": "80",
+                      "type": "Http"
+                    }
+                  ],
+                  "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}",
+                  "source_addresses": "{{ resource.properties.shared_address_prefixes }}"
+                }
+              ]
+            }
+          }
+        ]
+      }
+    ],
+    "uninstall": [
+      {
+        "stepId": "c3f95f9f-d125-4937-9403-84e4957a26b8",
+        "stepTitle": "Remove Nexus rule collection from firewall",
+        "resourceTemplateName": "tre-shared-service-firewall",
+        "resourceType": "shared-service",
+        "resourceAction": "upgrade",
+        "properties": [
+          {
+            "name": "rule_collections",
+            "type": "array",
+            "arraySubstitutionAction": "remove",
+            "arrayMatchField": "name",
+            "value": {
+              "name": "shared_subnet_sonatype_nexus"
+            }
+          }
+        ]
+      },
+      {
+        "stepId": "main"
+      }
+    ]
   }
 }
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/data.tf b/templates/shared_services/sonatype-nexus-vm/terraform/data.tf
@@ -1,8 +1,3 @@
-data "azurerm_log_analytics_workspace" "tre" {
-  name                = "log-${var.tre_id}"
-  resource_group_name = local.core_resource_group_name
-}
-
 data "azurerm_virtual_network" "core" {
   name                = local.core_vnet
   resource_group_name = local.core_resource_group_name
@@ -14,11 +9,6 @@ data "azurerm_subnet" "shared" {
   name                 = "SharedSubnet"
 }
 
-data "azurerm_firewall" "fw" {
-  name                = "fw-${var.tre_id}"
-  resource_group_name = local.core_resource_group_name
-}
-
 data "azurerm_key_vault" "kv" {
   name                = "kv-${var.tre_id}"
   resource_group_name = local.core_resource_group_name
@@ -47,3 +37,4 @@ data "azurerm_private_dns_zone" "nexus" {
   name                = "nexus-${var.tre_id}.${data.azurerm_resource_group.rg.location}.cloudapp.azure.com"
   resource_group_name = local.core_resource_group_name
 }
+
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/firewall.tf b/templates/shared_services/sonatype-nexus-vm/terraform/firewall.tf
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf
@@ -1,9 +1,11 @@
 locals {
-  core_vnet                = "vnet-${var.tre_id}"
-  core_resource_group_name = "rg-${var.tre_id}"
-  nexus_allowed_fqdns      = "*pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org"
-  nexus_allowed_fqdns_list = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
-  storage_account_name     = lower(replace("stg-${var.tre_id}", "-", ""))
+  core_vnet                       = "vnet-${var.tre_id}"
+  core_resource_group_name        = "rg-${var.tre_id}"
+  nexus_allowed_fqdns             = "*pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org"
+  nexus_allowed_fqdns_list        = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", ""))))
+  workspace_vm_allowed_fqdns      = "r3.o.lencr.org,x1.c.lencr.org"
+  workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", ""))))
+  storage_account_name            = lower(replace("stg-${var.tre_id}", "-", ""))
   tre_shared_service_tags = {
     tre_id                = var.tre_id
     tre_shared_service_id = var.tre_resource_id

diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/output.tf b/templates/shared_services/sonatype-nexus-vm/terraform/output.tf
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf b/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf
@@ -0,0 +1,16 @@
+output "nexus_fqdn" {
+  value = azurerm_private_dns_a_record.nexus_vm.fqdn
+}
+
+output "nexus_allowed_fqdns_list" {
+  value = jsonencode(local.nexus_allowed_fqdns_list)
+}
+
+output "shared_address_prefixes" {
+  value = jsonencode(data.azurerm_subnet.shared.address_prefixes)
+}
+
+output "workspace_vm_allowed_fqdns_list" {
+  value = jsonencode(local.workspace_vm_allowed_fqdns_list)
+}
+
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -122,8 +122,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
   }
 
   depends_on = [
-    azurerm_key_vault_access_policy.nexus_msi,
-    azurerm_firewall_application_rule_collection.shared_subnet_sonatype_nexus
+    azurerm_key_vault_access_policy.nexus_msi
   ]
 
   connection {

diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml
@@ -1,6 +1,6 @@
 ---
 name: tre-service-guacamole-linuxvm
-version: 0.5.1
+version: 0.5.2
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/...orkspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh b/...orkspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh
@@ -90,3 +90,6 @@ sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plu
 jq -n --arg proxy "${NEXUS_PROXY_URL}:8083" '{"registry-mirrors": [$proxy]}' > /etc/docker/daemon.json
 sudo systemctl daemon-reload
 sudo systemctl restart docker
+
+# R config
+sudo echo -e "local({\n    r <- getOption(\"repos\")\n    r[\"Nexus\"] <- \"""${NEXUS_PROXY_URL}\"/repository/r-proxy/\"\n    options(repos = r)\n})" | sudo tee /etc/R/Rprofile.site