
[WIP] Adding an extra flag to config-SRE
cptanalatriste committed Nov 29, 2024
1 parent 60726e9 commit 2daf019
Showing 3 changed files with 35 additions and 25 deletions.
1 change: 1 addition & 0 deletions data_safe_haven/config/config_sections.py
Expand Up @@ -56,6 +56,7 @@ class ConfigSectionSRE(BaseModel, validate_assignment=True):
# https://docs.pydantic.dev/latest/concepts/models/#fields-with-non-hashable-default-values
admin_email_address: EmailAddress
admin_ip_addresses: list[IpAddress] = []
allow_workspace_internet: bool = False
databases: UniqueList[DatabaseSystem] = []
data_provider_ip_addresses: list[IpAddress] | AzureServiceTag = []
remote_desktop: ConfigSubsectionRemoteDesktopOpts
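Review bot: `allow_workspace_internet` is added without a comment saying what it gates, and its only consumer in this commit (firewall.py) uses it to toggle the explicit Snap Store deny collection rather than to add any allow rule, so the name currently promises more than the code delivers. Add a comment above the field stating the actual effect, e.g. `# When true, add the explicit Snap Store deny collection to the SRE firewall (WIP: general egress is not yet opened)`, or rename the field to match what it does once the intended allow rules exist. Defaulting to `False` is the right secure-by-default choice and should be kept. The enclosing `ConfigSectionSRE` class continues outside the hunk.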
58 changes: 33 additions & 25 deletions data_safe_haven/infrastructure/programs/sre/firewall.py
Expand Up @@ -108,6 +108,38 @@ def __init__(
tags=child_tags,
)

# TODO: Check how to better implement this.
# Add allow_workspace_internet boolean config.
if props.allow_workspace_internet:
workspace_deny_firewall_collection = network.AzureFirewallApplicationRuleCollectionArgs(
action=network.AzureFirewallRCActionArgs(
type=network.AzureFirewallRCActionType.DENY
),
name="workspaces-deny",
priority=FirewallPriorities.SRE_WORKSPACES_DENY,
rules=[
network.AzureFirewallApplicationRuleArgs(
description="Deny external Ubuntu Snap Store upload and login access",
name="DenyUbuntuSnapcraft",
protocols=[
network.AzureFirewallApplicationRuleProtocolArgs(
port=int(Ports.HTTP),
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTP,
),
network.AzureFirewallApplicationRuleProtocolArgs(
port=int(Ports.HTTPS),
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTPS,
),
],
source_addresses=props.subnet_workspaces_prefixes,
target_fqdns=ForbiddenDomains.UBUNTU_SNAPCRAFT,
),
],
)
else:
workspace_deny_firewall_collection = None


# Deploy firewall
firewall = network.AzureFirewall(
f"{self._name}_firewall",
Expand Down Expand Up @@ -282,31 +314,7 @@ def __init__(
),
],
),
network.AzureFirewallApplicationRuleCollectionArgs(
action=network.AzureFirewallRCActionArgs(
type=network.AzureFirewallRCActionType.DENY
),
name="workspaces-deny",
priority=FirewallPriorities.SRE_WORKSPACES_DENY,
rules=[
network.AzureFirewallApplicationRuleArgs(
description="Deny external Ubuntu Snap Store upload and login access",
name="DenyUbuntuSnapcraft",
protocols=[
network.AzureFirewallApplicationRuleProtocolArgs(
port=int(Ports.HTTP),
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTP,
),
network.AzureFirewallApplicationRuleProtocolArgs(
port=int(Ports.HTTPS),
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTPS,
),
],
source_addresses=props.subnet_workspaces_prefixes,
target_fqdns=ForbiddenDomains.UBUNTU_SNAPCRAFT,
),
],
),
workspace_deny_firewall_collection,
],
azure_firewall_name=f"{stack_name}-firewall",
ip_configurations=[
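Review bot: The `else` branch sets `workspace_deny_firewall_collection = None` and that value is then placed directly into the `application_rule_collections` list (the single added line in the second hunk), so with the default `allow_workspace_internet: false` the firewall resource receives a list containing `None`; unless Pulumi silently drops null list elements, which I don't believe it does, this fails at deploy time. Build the list conditionally instead: in the `if` branch wrap the collection as `workspace_deny_firewall_collections = [network.AzureFirewallApplicationRuleCollectionArgs(...)]`, use `workspace_deny_firewall_collections = []` in the `else`, and splice it in with `*workspace_deny_firewall_collections,`. The semantics also look inverted or at least misnamed: enabling `allow_workspace_internet` adds the Snap Store deny collection and disabling it removes a deny that was previously unconditional, while no allow rule is added anywhere in these hunks, so if an allow collection elsewhere in this file permits Snap Store FQDNs the default configuration becomes more permissive than before this commit. Nothing in the commit adds `allow_workspace_internet` to the firewall props class or passes it through from `ConfigSectionSRE`, so `props.allow_workspace_internet` will raise `AttributeError` until that plumbing lands; the `__init__` these hunks belong to starts and continues outside the shown lines.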
1 change: 1 addition & 0 deletions tests/conftest.py
Expand Up @@ -530,6 +530,7 @@ def sre_config_yaml(request):
admin_email_address: [email protected]
admin_ip_addresses:
- 1.2.3.4/32
allow_workspace_internet: false
data_provider_ip_addresses: []
databases: []
remote_desktop:
