Merge pull request #1765 from jemrobinson/deployment-fixes

Minor Pulumi deployment fixes

.gitignore

@@ -43,5 +43,8 @@ expanded.yaml
 # mypy cache
 .mypy_cache
 
+# ruff cache
+.pytest_cache
+
 # ruff cache
 .ruff_cache

data_safe_haven/external/api/azure_api.py

@@ -713,7 +713,7 @@ def get_storage_account_keys(
             if not isinstance(storage_keys, StorageAccountListKeysResult):
                 msg = f"Could not connect to {msg_sa} in {msg_rg}."
                 raise DataSafeHavenAzureError(msg)
-            keys: list[StorageAccountKey] = storage_keys.keys
+            keys = cast(list[StorageAccountKey], storage_keys.keys)
             if not keys or not isinstance(keys, list) or len(keys) == 0:
                 msg = f"No keys were retrieved for {msg_sa} in {msg_rg}."
                 raise DataSafeHavenAzureError(msg)
@@ -888,7 +888,7 @@ def remove_blob(
                 f"Removed file [green]{blob_name}[/] from blob storage.",
             )
         except Exception as exc:
-            msg = f"Blob file '{blob_name}' could not be removed from '{storage_account_name}'\n{exc}."
+            msg = f"Blob file [green]'{blob_name}'[/] could not be removed from [green]'{storage_account_name}'[/].\n{exc}"
             raise DataSafeHavenAzureError(msg) from exc
 
     def remove_dns_txt_record(

data_safe_haven/functions/strings.py

@@ -63,7 +63,7 @@ def replace_separators(input_string: str, separator: str = "") -> str:
 
 def seeded_uuid(seed: str) -> uuid.UUID:
     """Return a UUID seeded from a given string."""
-    generator = random.Random()
+    generator = random.Random()  # noqa: S311
     generator.seed(seed)
     return uuid.UUID(int=generator.getrandbits(128), version=4)
 

data_safe_haven/infrastructure/components/dynamic/ssl_certificate.py

@@ -1,5 +1,6 @@
 """Pulumi dynamic component for SSL certificates uploaded to an Azure KeyVault."""
 
+import time
 from contextlib import suppress
 from typing import Any
 
@@ -78,11 +79,9 @@ def create(self, props: dict[str, Any]) -> CreateResult:
             client.generate_csr()
             # Request DNS verification tokens and add them to the DNS record
             azure_api = AzureApi(props["subscription_name"], disable_logging=True)
-            for (
-                record_name,
-                record_values,
-            ) in client.request_verification_tokens().items():
-                azure_api.ensure_dns_txt_record(
+            verification_tokens = client.request_verification_tokens().items()
+            for record_name, record_values in verification_tokens:
+                record_set = azure_api.ensure_dns_txt_record(
                     record_name=record_name.replace(f".{props['domain_name']}", ""),
                     record_value=record_values[0],
                     resource_group_name=props["networking_resource_group_name"],
@@ -94,13 +93,19 @@ def create(self, props: dict[str, Any]) -> CreateResult:
             ):
                 msg = "DNS propagation failed"
                 raise DataSafeHavenSSLError(msg)
+            # Wait for the TTL for this record to expire to remove risk of caching
+            time.sleep(record_set.ttl or 30)
             # Request a signed certificate
             try:
                 certificate_bytes = client.request_certificate()
             except ValidationError as exc:
                 msg = "\n".join(
                     ["ACME validation error:"]
                     + [str(auth_error) for auth_error in exc.failed_authzrs]
+                    + [
+                        f"TXT record {record_name} is currently set to {record_values}"
+                        for (record_name, record_values) in verification_tokens
+                    ]
                 )
                 raise DataSafeHavenSSLError(msg) from exc
             # Although KeyVault will accept a PEM certificate (where we simply prepend

data_safe_haven/infrastructure/stacks/shm/domain_controllers.py

@@ -171,13 +171,7 @@ def __init__(
             ),
             opts=ResourceOptions.merge(
                 child_opts,
-                ResourceOptions(
-                    depends_on=[
-                        primary_domain_controller,
-                        primary_domain_controller_dsc_node,
-                    ],
-                    parent=primary_domain_controller_dsc_node,
-                ),
+                ResourceOptions(parent=primary_domain_controller_dsc_node),
             ),
         )
 

data_safe_haven/infrastructure/stacks/sre/data.py

@@ -691,6 +691,7 @@ def __init__(
             root_squash=storage.RootSquashType.NO_ROOT_SQUASH,
             share_name="home",
             share_quota=1024,
+            signed_identifiers=[],
             opts=ResourceOptions.merge(
                 child_opts, ResourceOptions(parent=storage_account_data_private_user)
             ),
@@ -704,6 +705,7 @@ def __init__(
             root_squash=storage.RootSquashType.ROOT_SQUASH,
             share_name="shared",
             share_quota=1024,
+            signed_identifiers=[],
             opts=ResourceOptions.merge(
                 child_opts, ResourceOptions(parent=storage_account_data_private_user)
             ),

data_safe_haven/infrastructure/stacks/sre/gitea_server.py

@@ -91,6 +91,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="gitea-caddy",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
         file_share_gitea_gitea = storage.FileShare(
@@ -100,6 +101,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="gitea-gitea",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
 

data_safe_haven/infrastructure/stacks/sre/hedgedoc_server.py

@@ -104,6 +104,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="hedgedoc-caddy",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
 

data_safe_haven/infrastructure/stacks/sre/remote_desktop.py

@@ -150,6 +150,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="remote-desktop-caddy",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
 

data_safe_haven/infrastructure/stacks/sre/software_repositories.py

@@ -65,7 +65,7 @@ def __init__(
         opts: ResourceOptions | None = None,
         tags: Input[Mapping[str, Input[str]]] | None = None,
     ) -> None:
-        super().__init__("dsh:sre:SRESoftwareRepositoriesComponent", name, {}, opts)
+        super().__init__("dsh:sre:SoftwareRepositoriesComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
         child_tags = tags if tags else {}
 
@@ -77,6 +77,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="software-repositories-caddy",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
         file_share_nexus = storage.FileShare(
@@ -86,6 +87,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="software-repositories-nexus",
             share_quota=5120,
+            signed_identifiers=[],
             opts=child_opts,
         )
         file_share_nexus_allowlists = storage.FileShare(
@@ -95,6 +97,7 @@ def __init__(
             resource_group_name=props.storage_account_resource_group_name,
             share_name="software-repositories-nexus-allowlists",
             share_quota=1,
+            signed_identifiers=[],
             opts=child_opts,
         )
 

pyproject.toml

@@ -65,7 +65,7 @@ dependencies = [
   "black>=24.1.0",
   "mypy>=1.0.0",
   "pydantic>=2.4",
-  "ruff>=0.2.0",
+  "ruff>=0.3.4",
   "types-appdirs>=1.4.3.5",
   "types-chevron>=0.14.2.5",
   "types-pytz>=2023.3.0.0",
@@ -77,7 +77,7 @@ dependencies = [
 typing = "mypy {args:data_safe_haven}"
 
 style = [
-  "ruff {args:data_safe_haven tests_}",
+  "ruff check {args:data_safe_haven tests_}",
   "black --check --diff {args:data_safe_haven tests_}",
 ]
 fmt = [