Merge pull request #1821 from jemrobinson/1802-add-aci-dns
Add local DNS for SRE identity server
jemrobinson authored Apr 19, 2024
2 parents b2fa40e + 308b145 commit 432c07e
Showing 11 changed files with 55 additions and 31 deletions.
Expand Up @@ -47,6 +47,7 @@ def __init__(
ttl=3600,
opts=child_opts,
)

# Redirect the public DNS to private DNS
network.RecordSet(
f"{self._name}_public_record_set",
Expand All @@ -62,3 +63,6 @@ def __init__(
child_opts, ResourceOptions(parent=private_dns_record_set)
),
)

# Register outputs
self.hostname = Output.concat(props.record_name, ".", props.base_fqdn)
9 changes: 6 additions & 3 deletions data_safe_haven/infrastructure/stacks/declarative_sre.py
Expand Up @@ -216,8 +216,11 @@ def run(self) -> None:
aad_application_name=f"sre-{self.sre_name}-apricot",
aad_auth_token=self.graph_api_token,
aad_tenant_id=self.cfg.shm.aad_tenant_id,
dns_resource_group_name=dns.resource_group.name,
location=self.cfg.azure.location,
networking_resource_group_name=networking.resource_group.name,
shm_fqdn=self.cfg.shm.fqdn,
sre_fqdn=networking.sre_fqdn,
storage_account_key=data.storage_account_data_configuration_key,
storage_account_name=data.storage_account_data_configuration_name,
storage_account_resource_group_name=data.resource_group_name,
Expand Down Expand Up @@ -255,7 +258,7 @@ def run(self) -> None:
dns_server_ip=dns.ip_address,
ldap_group_filter=ldap_group_filter,
ldap_group_search_base=ldap_group_search_base,
ldap_server_ip=identity.ip_address,
ldap_server_hostname=identity.hostname,
ldap_server_port=identity.server_port,
ldap_user_filter=ldap_user_filter,
ldap_user_search_base=ldap_user_search_base,
Expand All @@ -277,7 +280,7 @@ def run(self) -> None:
admin_password=data.password_workspace_admin,
ldap_group_filter=ldap_group_filter,
ldap_group_search_base=ldap_group_search_base,
ldap_server_ip=identity.ip_address,
ldap_server_hostname=identity.hostname,
ldap_server_port=identity.server_port,
ldap_user_filter=ldap_user_filter,
ldap_user_search_base=ldap_user_search_base,
Expand Down Expand Up @@ -315,7 +318,7 @@ def run(self) -> None:
dns_server_ip=dns.ip_address,
gitea_database_password=data.password_gitea_database_admin,
hedgedoc_database_password=data.password_hedgedoc_database_admin,
ldap_server_ip=identity.ip_address,
ldap_server_hostname=identity.hostname,
ldap_server_port=identity.server_port,
ldap_user_filter=ldap_user_filter,
ldap_username_attribute=ldap_username_attribute,
6 changes: 3 additions & 3 deletions data_safe_haven/infrastructure/stacks/sre/gitea_server.py
Expand Up @@ -28,7 +28,7 @@ def __init__(
database_subnet_id: Input[str],
dns_resource_group_name: Input[str],
dns_server_ip: Input[str],
ldap_server_ip: Input[str],
ldap_server_hostname: Input[str],
ldap_server_port: Input[int],
ldap_username_attribute: Input[str],
ldap_user_filter: Input[str],
Expand All @@ -51,7 +51,7 @@ def __init__(
)
self.dns_resource_group_name = dns_resource_group_name
self.dns_server_ip = dns_server_ip
self.ldap_server_ip = ldap_server_ip
self.ldap_server_hostname = ldap_server_hostname
self.ldap_server_port = ldap_server_port
self.ldap_username_attribute = ldap_username_attribute
self.ldap_user_filter = ldap_user_filter
Expand Down Expand Up @@ -130,7 +130,7 @@ def __init__(
admin_username="dshadmin",
ldap_username_attribute=props.ldap_username_attribute,
ldap_user_filter=props.ldap_user_filter,
ldap_server_ip=props.ldap_server_ip,
ldap_server_hostname=props.ldap_server_hostname,
ldap_server_port=props.ldap_server_port,
ldap_user_search_base=props.ldap_user_search_base,
).apply(
6 changes: 3 additions & 3 deletions data_safe_haven/infrastructure/stacks/sre/hedgedoc_server.py
Expand Up @@ -29,7 +29,7 @@ def __init__(
database_subnet_id: Input[str],
dns_resource_group_name: Input[str],
dns_server_ip: Input[str],
ldap_server_ip: Input[str],
ldap_server_hostname: Input[str],
ldap_server_port: Input[int],
ldap_user_filter: Input[str],
ldap_user_search_base: Input[str],
Expand All @@ -52,7 +52,7 @@ def __init__(
)
self.dns_resource_group_name = dns_resource_group_name
self.dns_server_ip = dns_server_ip
self.ldap_server_ip = ldap_server_ip
self.ldap_server_hostname = ldap_server_hostname
self.ldap_server_port = Output.from_input(ldap_server_port).apply(str)
self.ldap_user_filter = ldap_user_filter
self.ldap_user_search_base = ldap_user_search_base
Expand Down Expand Up @@ -225,7 +225,7 @@ def __init__(
name="CMD_LDAP_URL",
value=Output.concat(
"ldap://",
props.ldap_server_ip,
props.ldap_server_hostname,
":",
props.ldap_server_port,
),
25 changes: 24 additions & 1 deletion data_safe_haven/infrastructure/stacks/sre/identity.py
Expand Up @@ -11,6 +11,8 @@
from data_safe_haven.infrastructure.components import (
AzureADApplication,
AzureADApplicationProps,
LocalDnsRecordComponent,
LocalDnsRecordProps,
)


Expand All @@ -22,8 +24,11 @@ def __init__(
aad_application_name: Input[str],
aad_auth_token: Input[str],
aad_tenant_id: Input[str],
dns_resource_group_name: Input[str],
location: Input[str],
networking_resource_group_name: Input[str],
shm_fqdn: Input[str],
sre_fqdn: Input[str],
storage_account_key: Input[str],
storage_account_name: Input[str],
storage_account_resource_group_name: Input[str],
Expand All @@ -32,8 +37,11 @@ def __init__(
self.aad_application_name = aad_application_name
self.aad_auth_token = aad_auth_token
self.aad_tenant_id = aad_tenant_id
self.dns_resource_group_name = dns_resource_group_name
self.location = location
self.networking_resource_group_name = networking_resource_group_name
self.shm_fqdn = shm_fqdn
self.sre_fqdn = sre_fqdn
self.storage_account_key = storage_account_key
self.storage_account_name = storage_account_name
self.storage_account_resource_group_name = storage_account_resource_group_name
Expand Down Expand Up @@ -220,5 +228,20 @@ def __init__(
tags=child_tags,
)

# Register the container group in the SRE DNS zone
local_dns = LocalDnsRecordComponent(
f"{self._name}_dns_record_set",
LocalDnsRecordProps(
base_fqdn=props.sre_fqdn,
public_dns_resource_group_name=props.networking_resource_group_name,
private_dns_resource_group_name=props.dns_resource_group_name,
private_ip_address=get_ip_address_from_container_group(container_group),
record_name="identity",
),
opts=ResourceOptions.merge(
child_opts, ResourceOptions(parent=container_group)
),
)

# Register outputs
self.ip_address = get_ip_address_from_container_group(container_group)
self.hostname = local_dns.hostname
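Review bot: `get_ip_address_from_container_group(container_group)` is evaluated twice in this hunk, once for `private_ip_address` in the `LocalDnsRecordProps` and again for `self.ip_address`; binding it once, `ip_address = get_ip_address_from_container_group(container_group)`, and passing `private_ip_address=ip_address` / `self.ip_address = ip_address` keeps the DNS record and the exported output guaranteed to come from the same value. Because every LDAP client now resolves `identity.<sre_fqdn>` instead of pinning the container IP, the SRE private DNS zone becomes part of the path to the identity server; the `ldap://` URIs elsewhere in this commit are still plaintext, so a comment on the `local_dns` block such as `# LDAP clients reach this group by name via the SRE DNS zone; name-based addressing is what a later TLS/SNI setup would validate against` would record that dependency for maintainers. The `record_name="identity"` literal also determines the public hostname exported as `self.hostname`; a one-line comment saying so would help, since the concatenation happens in `LocalDnsRecordComponent` rather than here. The enclosing `__init__` starts outside the hunk.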
10 changes: 3 additions & 7 deletions data_safe_haven/infrastructure/stacks/sre/remote_desktop.py
Expand Up @@ -13,7 +13,6 @@
from data_safe_haven.external import AzureIPv4Range
from data_safe_haven.infrastructure.common import (
get_id_from_subnet,
get_ip_address_from_container_group,
)
from data_safe_haven.infrastructure.components import (
AzureADApplication,
Expand Down Expand Up @@ -42,7 +41,7 @@ def __init__(
dns_server_ip: Input[str],
ldap_group_filter: Input[str],
ldap_group_search_base: Input[str],
ldap_server_ip: Input[str],
ldap_server_hostname: Input[str],
ldap_server_port: Input[int],
ldap_user_filter: Input[str],
ldap_user_search_base: Input[str],
Expand All @@ -67,7 +66,7 @@ def __init__(
self.dns_server_ip = dns_server_ip
self.ldap_group_filter = ldap_group_filter
self.ldap_group_search_base = ldap_group_search_base
self.ldap_server_ip = ldap_server_ip
self.ldap_server_hostname = ldap_server_hostname
self.ldap_server_port = ldap_server_port
self.ldap_user_filter = ldap_user_filter
self.ldap_user_search_base = ldap_user_search_base
Expand Down Expand Up @@ -324,7 +323,7 @@ def __init__(
),
containerinstance.EnvironmentVariableArgs(
name="LDAP_HOST",
value=props.ldap_server_ip,
value=props.ldap_server_hostname,
),
containerinstance.EnvironmentVariableArgs(
name="LDAP_PORT",
Expand Down Expand Up @@ -421,9 +420,6 @@ def __init__(
"connection_db_name": db_guacamole_connections,
"connection_db_server_name": db_server_guacamole.db_server.name,
"container_group_name": container_group.name,
"container_ip_address": get_ip_address_from_container_group(
container_group
),
"disable_copy": props.disable_copy,
"disable_paste": props.disable_paste,
"resource_group_name": resource_group.name,
8 changes: 4 additions & 4 deletions data_safe_haven/infrastructure/stacks/sre/user_services.py
Expand Up @@ -26,7 +26,7 @@ def __init__(
dns_server_ip: Input[str],
gitea_database_password: Input[str],
hedgedoc_database_password: Input[str],
ldap_server_ip: Input[str],
ldap_server_hostname: Input[str],
ldap_server_port: Input[int],
ldap_username_attribute: Input[str],
ldap_user_filter: Input[str],
Expand All @@ -51,7 +51,7 @@ def __init__(
self.dns_server_ip = dns_server_ip
self.gitea_database_password = gitea_database_password
self.hedgedoc_database_password = hedgedoc_database_password
self.ldap_server_ip = ldap_server_ip
self.ldap_server_hostname = ldap_server_hostname
self.ldap_server_port = ldap_server_port
self.ldap_username_attribute = ldap_username_attribute
self.ldap_user_filter = ldap_user_filter
Expand Down Expand Up @@ -113,7 +113,7 @@ def __init__(
database_password=props.gitea_database_password,
dns_resource_group_name=props.dns_resource_group_name,
dns_server_ip=props.dns_server_ip,
ldap_server_ip=props.ldap_server_ip,
ldap_server_hostname=props.ldap_server_hostname,
ldap_server_port=props.ldap_server_port,
ldap_username_attribute=props.ldap_username_attribute,
ldap_user_filter=props.ldap_user_filter,
Expand Down Expand Up @@ -141,7 +141,7 @@ def __init__(
database_subnet_id=props.subnet_containers_support_id,
dns_resource_group_name=props.dns_resource_group_name,
dns_server_ip=props.dns_server_ip,
ldap_server_ip=props.ldap_server_ip,
ldap_server_hostname=props.ldap_server_hostname,
ldap_server_port=props.ldap_server_port,
ldap_username_attribute=props.ldap_username_attribute,
ldap_user_filter=props.ldap_user_filter,
10 changes: 5 additions & 5 deletions data_safe_haven/infrastructure/stacks/sre/workspaces.py
Expand Up @@ -32,7 +32,7 @@ def __init__(
admin_password: Input[str],
ldap_group_filter: Input[str],
ldap_group_search_base: Input[str],
ldap_server_ip: Input[str],
ldap_server_hostname: Input[str],
ldap_server_port: Input[int],
ldap_user_filter: Input[str],
ldap_user_search_base: Input[str],
Expand All @@ -54,7 +54,7 @@ def __init__(
self.admin_username = "dshadmin"
self.ldap_group_filter = ldap_group_filter
self.ldap_group_search_base = ldap_group_search_base
self.ldap_server_ip = ldap_server_ip
self.ldap_server_hostname = ldap_server_hostname
self.ldap_server_port = Output.from_input(ldap_server_port).apply(str)
self.ldap_user_filter = ldap_user_filter
self.ldap_user_search_base = ldap_user_search_base
Expand Down Expand Up @@ -123,7 +123,7 @@ def __init__(
b64cloudinit = Output.all(
ldap_group_filter=props.ldap_group_filter,
ldap_group_search_base=props.ldap_group_search_base,
ldap_server_ip=props.ldap_server_ip,
ldap_server_hostname=props.ldap_server_hostname,
ldap_server_port=props.ldap_server_port,
ldap_user_filter=props.ldap_user_filter,
ldap_user_search_base=props.ldap_user_search_base,
Expand Down Expand Up @@ -212,7 +212,7 @@ def read_cloudinit(
self,
ldap_group_filter: str,
ldap_group_search_base: str,
ldap_server_ip: str,
ldap_server_hostname: str,
ldap_server_port: str,
ldap_user_filter: str,
ldap_user_search_base: str,
Expand All @@ -228,7 +228,7 @@ def read_cloudinit(
mustache_values = {
"ldap_group_filter": ldap_group_filter,
"ldap_group_search_base": ldap_group_search_base,
"ldap_server_ip": ldap_server_ip,
"ldap_server_hostname": ldap_server_hostname,
"ldap_server_port": ldap_server_port,
"ldap_user_filter": ldap_user_filter,
"ldap_user_search_base": ldap_user_search_base,
4 changes: 1 addition & 3 deletions data_safe_haven/provisioning/sre_provisioning_manager.py
Expand Up @@ -84,9 +84,7 @@ def restart_remote_desktop_containers(self) -> None:
self.remote_desktop_params["resource_group_name"],
self.subscription_name,
)
guacamole_provisioner.restart(
self.remote_desktop_params["container_ip_address"]
)
guacamole_provisioner.restart()

def update_remote_desktop_connections(self) -> None:
"""Update connection information on the Guacamole PostgreSQL server"""
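Review bot: `guacamole_provisioner.restart()` is now called with no arguments, but the provisioner class that defines `restart` is not among the files changed in this commit, so its signature must already accept a no-argument call; if it still declares the container-IP positional parameter this line raises `TypeError` at provisioning time rather than at deploy time, which is worth confirming before merge. The `"container_ip_address"` key this call used to read is dropped from the `remote_desktop_params` dict in remote_desktop.py in the same commit, so the two sides are at least consistent with each other. `restart_remote_desktop_containers` starts outside the hunk.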
Expand Up @@ -13,7 +13,7 @@ until su-exec "$USER" /usr/local/bin/gitea admin auth list | grep "DataSafeHaven
su-exec "$USER" /usr/local/bin/gitea admin auth add-ldap \
--name DataSafeHavenLDAP \
--security-protocol "unencrypted" \
--host "{{ldap_server_ip}}" \
--host "{{ldap_server_hostname}}" \
--port "{{ldap_server_port}}" \
--user-search-base "{{ldap_user_search_base}}" \
--user-filter "(&{{{ldap_user_filter}}}({{ldap_username_attribute}}=%[1]s))" \
Expand Up @@ -22,7 +22,7 @@ write_files:
nss_min_uid 2000
# General connection options
uri ldap://{{ldap_server_ip}}:{{ldap_server_port}}
uri ldap://{{ldap_server_hostname}}:{{ldap_server_port}}
# Search/mapping options
base {{ldap_user_search_base}}
