diff --git a/data_safe_haven/config/config.py b/data_safe_haven/config/config.py index c751651667..bd2bc9fa94 100644 --- a/data_safe_haven/config/config.py +++ b/data_safe_haven/config/config.py @@ -7,10 +7,8 @@ from pydantic import ( BaseModel, Field, - field_validator, ) -from data_safe_haven import validators from data_safe_haven.exceptions import DataSafeHavenConfigError from data_safe_haven.serialisers import AzureSerialisableModel from data_safe_haven.types import ( @@ -124,7 +122,6 @@ class ConfigSectionSRE(BaseModel, validate_assignment=True): data_provider_ip_addresses: list[IpAddress] = Field( ..., default_factory=list[IpAddress] ) - index: int = Field(..., ge=1, le=256) remote_desktop: ConfigSubsectionRemoteDesktopOpts = Field( ..., default_factory=ConfigSubsectionRemoteDesktopOpts ) @@ -194,15 +191,6 @@ class Config(AzureSerialisableModel): ..., default_factory=dict[str, ConfigSectionSRE] ) - @field_validator("sres") - @classmethod - def all_sre_indices_must_be_unique( - cls, v: dict[str, ConfigSectionSRE] - ) -> dict[str, ConfigSectionSRE]: - indices = [s.index for s in v.values()] - validators.unique_list(indices) - return v - @property def sre_names(self) -> list[str]: """Names of all SREs""" @@ -247,7 +235,6 @@ def template(cls) -> Config: "example": ConfigSectionSRE.model_construct( databases=["List of database systems to enable"], data_provider_ip_addresses=["Data provider IP addresses"], - index="Unique index integer for this SRE", remote_desktop=ConfigSubsectionRemoteDesktopOpts.model_construct( allow_copy="Whether to allow copying text out of the environment", allow_paste="Whether to allow pasting text into the environment", diff --git a/data_safe_haven/external/interface/azure_ipv4_range.py b/data_safe_haven/external/interface/azure_ipv4_range.py index 7160919a53..fdebce774f 100644 --- a/data_safe_haven/external/interface/azure_ipv4_range.py +++ b/data_safe_haven/external/interface/azure_ipv4_range.py 
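Review bot: Removing `index` from `ConfigSectionSRE` leaves no migration path for config files that still carry `index:`; whether Pydantic silently drops the stale key or rejects the whole config depends on the model's `extra` setting, which is not visible in these hunks. If it is dropped silently, an operator who still edits `index` expecting a distinct address space gets no signal that it no longer does anything. Worth either `model_config = ConfigDict(extra="forbid")` on `ConfigSectionSRE` or a one-off check that raises `DataSafeHavenConfigError` naming the removed key, plus a changelog entry. Dropping `from data_safe_haven import validators` is only safe if nothing else in config.py references `validators`; the rest of the file is outside these hunks.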
@@ -30,6 +30,10 @@ def from_cidr(cls, ip_cidr: str) -> "AzureIPv4Range":
         network = ipaddress.IPv4Network(ip_cidr)
         return cls(network[0], network[-1])
 
+    @property
+    def prefix(self) -> str:
+        return str(self)
+
     def all_ips(self) -> list[ipaddress.IPv4Address]:
         """All IP addresses in the range"""
         return list(self.hosts())
diff --git a/data_safe_haven/infrastructure/common/ip_ranges.py b/data_safe_haven/infrastructure/common/ip_ranges.py
index 51694832a3..b0aa1a4376 100644
--- a/data_safe_haven/infrastructure/common/ip_ranges.py
+++ b/data_safe_haven/infrastructure/common/ip_ranges.py
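Review bot: The new `prefix` property is undocumented, and its name promises a CIDR string while the body only returns `str(self)`; since `AzureIPv4Range` is built from a first/last address pair (`cls(network[0], network[-1])` in the context lines), whether every instance stringifies to a valid CIDR depends on the parent class, which is outside the hunk. Add a docstring stating the contract the NSG code now relies on, e.g. `"""CIDR form of this range (e.g. '10.0.0.0/16'), usable as an Azure address prefix."""`. If a non-CIDR-aligned range is constructible, the property should raise rather than hand a non-prefix string to a security rule.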
@@ -1,40 +1,34 @@ """Calculate SRE IP address ranges for a given SRE index""" -from data_safe_haven.exceptions import DataSafeHavenParameterError +from dataclasses import dataclass + from data_safe_haven.external import AzureIPv4Range +@dataclass(frozen=True) class SREIpRanges: """Calculate SRE IP address ranges for a given SRE index""" - max_index = 256 - - def __init__(self, index: int) -> None: - """Constructor""" - if index < 1 or index > self.max_index: - msg = f"Index '{index}' must be between 1 and {self.max_index}" - raise DataSafeHavenParameterError(msg) - self.vnet = AzureIPv4Range(f"10.{index}.0.0", f"10.{index}.255.255") - self.application_gateway = self.vnet.next_subnet(256) - self.apt_proxy_server = self.vnet.next_subnet(8) - self.data_configuration = self.vnet.next_subnet(8) - self.data_private = self.vnet.next_subnet(8) - self.firewall = self.vnet.next_subnet(64) # 64 address minimum - self.firewall_management = self.vnet.next_subnet(64) # 64 address minimum - self.guacamole_containers = self.vnet.next_subnet(8) - self.guacamole_containers_support = self.vnet.next_subnet(8) - self.identity_containers = self.vnet.next_subnet(8) - self.monitoring = self.vnet.next_subnet(32) - self.user_services_containers = self.vnet.next_subnet(8) - self.user_services_containers_support = self.vnet.next_subnet(8) - self.user_services_databases = self.vnet.next_subnet(8) - self.user_services_software_repositories = self.vnet.next_subnet(8) - self.workspaces = self.vnet.next_subnet(256) - - + vnet = AzureIPv4Range("10.0.0.0", "10.0.255.255") + application_gateway = vnet.next_subnet(256) + apt_proxy_server = vnet.next_subnet(8) + data_configuration = vnet.next_subnet(8) + data_private = vnet.next_subnet(8) + firewall = vnet.next_subnet(64) # 64 address minimum + firewall_management = vnet.next_subnet(64) # 64 address minimum + guacamole_containers = vnet.next_subnet(8) + guacamole_containers_support = vnet.next_subnet(8) + identity_containers = vnet.next_subnet(8) + 
monitoring = vnet.next_subnet(32) + user_services_containers = vnet.next_subnet(8) + user_services_containers_support = vnet.next_subnet(8) + user_services_databases = vnet.next_subnet(8) + user_services_software_repositories = vnet.next_subnet(8) + workspaces = vnet.next_subnet(256) + + +@dataclass(frozen=True) class SREDnsIpRanges: """Calculate SRE DNS IP address ranges.""" - def __init__(self) -> None: - """Constructor""" - self.vnet = AzureIPv4Range("192.168.0.0", "192.168.0.7") + vnet = AzureIPv4Range("192.168.0.0", "192.168.0.7") diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py index 41991bc8c4..44fa10a4c6 100644 --- a/data_safe_haven/infrastructure/programs/declarative_sre.py +++ b/data_safe_haven/infrastructure/programs/declarative_sre.py @@ -133,7 +133,6 @@ def __call__(self) -> None: shm_networking_resource_group_name=self.pulumi_opts.require( "shm-networking-resource_group_name" ), - sre_index=self.cfg.sre(self.sre_name).index, ), tags=self.tags, ) @@ -153,7 +152,6 @@ def __call__(self) -> None: "shm-networking-resource_group_name" ), shm_zone_name=self.cfg.shm.fqdn, - sre_index=self.cfg.sre(self.sre_name).index, sre_name=self.sre_name, user_public_ip_ranges=self.cfg.sre( self.sre_name diff --git a/data_safe_haven/infrastructure/programs/sre/dns_server.py b/data_safe_haven/infrastructure/programs/sre/dns_server.py index 2b031799a5..0d1f60d9a1 100644 --- a/data_safe_haven/infrastructure/programs/sre/dns_server.py +++ b/data_safe_haven/infrastructure/programs/sre/dns_server.py 
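Review bot: `@dataclass(frozen=True)` on `SREIpRanges` and `SREDnsIpRanges` is misleading: none of the attributes is annotated, so the dataclass sees no fields, and `frozen` only blocks attribute assignment on instances while `SREIpRanges.vnet = ...` at class level still succeeds. The class body also calls `vnet.next_subnet(...)` at import time, so the subnet layout is now an import-order side effect on one shared `AzureIPv4Range` object rather than something computed per call. Both the module and class docstrings still say "for a given SRE index" even though the index is gone; something like `"""Fixed IP address layout shared by every SRE virtual network (10.0.0.0/16)"""` would state the new design. Since the layout is now a constant, a unit test asserting that the subnets are pairwise disjoint and all lie inside `vnet` is cheap and would catch an accidental reorder of these lines.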
@@ -30,15 +30,11 @@ def __init__(
         location: Input[str],
         shm_fqdn: Input[str],
         shm_networking_resource_group_name: Input[str],
-        sre_index: Input[int],
     ) -> None:
-        subnet_ranges = Output.from_input(sre_index).apply(lambda idx: SREIpRanges(idx))
         self.admin_username = "dshadmin"
-        self.ip_range_prefix = str(SREDnsIpRanges().vnet)
         self.location = location
         self.shm_fqdn = shm_fqdn
         self.shm_networking_resource_group_name = shm_networking_resource_group_name
-        self.sre_vnet_prefix = subnet_ranges.apply(lambda r: str(r.vnet))
 
 
 class SREDnsServerComponent(ComponentResource):
@@ -110,13 +106,13 @@ def __init__(
             network.SecurityRuleArgs(
                 access=network.SecurityRuleAccess.ALLOW,
                 description="Allow inbound connections from attached.",
-                destination_address_prefix=props.ip_range_prefix,
+                destination_address_prefix=SREDnsIpRanges.vnet.prefix,
                 destination_port_ranges=[Ports.DNS],
                 direction=network.SecurityRuleDirection.INBOUND,
                 name="AllowSREInbound",
                 priority=NetworkingPriorities.INTERNAL_SRE_ANY,
                 protocol=network.SecurityRuleProtocol.ASTERISK,
-                source_address_prefix=props.sre_vnet_prefix,
+                source_address_prefix=SREIpRanges.vnet.prefix,
                 source_port_range="*",
             ),
             network.SecurityRuleArgs(
@@ -141,7 +137,7 @@ def __init__(
                 name="AllowDnsInternetOutbound",
                 priority=NetworkingPriorities.EXTERNAL_INTERNET,
                 protocol=network.SecurityRuleProtocol.ASTERISK,
-                source_address_prefix=props.ip_range_prefix,
+                source_address_prefix=SREDnsIpRanges.vnet.prefix,
                 source_port_range="*",
             ),
             network.SecurityRuleArgs(
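Review bot: `SREDnsServerProps.__init__` no longer carries any address range, yet `SREDnsServerComponent` now reaches for the module-level constants `SREDnsIpRanges.vnet.prefix` and `SREIpRanges.vnet.prefix` directly, so the NSG rules can no longer be varied or stubbed through props in a test. The `Output` import in dns_server.py looks unused after `Output.from_input(...)` was removed here; check the rest of the module, which is outside the hunk. A comment on `AllowSREInbound` such as `# Source is the whole SRE vnet (10.0.0.0/16), not a single subnet` would make the breadth of that rule explicit to the next reader.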
@@ -166,13 +162,13 @@ def __init__( virtual_network = network.VirtualNetwork( f"{self._name}_virtual_network", address_space=network.AddressSpaceArgs( - address_prefixes=[props.ip_range_prefix], + address_prefixes=[SREDnsIpRanges.vnet.prefix], ), resource_group_name=resource_group.name, subnets=[ # Note that we define subnets inline to avoid creation order issues # DNS subnet network.SubnetArgs( - address_prefix=props.ip_range_prefix, + address_prefix=SREDnsIpRanges.vnet.prefix, delegations=[ network.DelegationArgs( name="SubnetDelegationContainerGroups", diff --git a/data_safe_haven/infrastructure/programs/sre/networking.py b/data_safe_haven/infrastructure/programs/sre/networking.py index 0657f72904..d0a93d8f79 100644 --- a/data_safe_haven/infrastructure/programs/sre/networking.py +++ b/data_safe_haven/infrastructure/programs/sre/networking.py 
@@ -31,51 +31,9 @@ def __init__( shm_fqdn: Input[str], shm_networking_resource_group_name: Input[str], shm_zone_name: Input[str], - sre_index: Input[int], sre_name: Input[str], user_public_ip_ranges: Input[list[str]], ) -> None: - # Virtual network and subnet IP ranges - subnet_ranges = Output.from_input(sre_index).apply(lambda idx: SREIpRanges(idx)) - self.dns_servers_iprange = SREDnsIpRanges().vnet - self.vnet_iprange = subnet_ranges.apply(lambda s: s.vnet) - self.subnet_application_gateway_iprange = subnet_ranges.apply( - lambda s: s.application_gateway - ) - self.subnet_apt_proxy_server_iprange = subnet_ranges.apply( - lambda s: s.apt_proxy_server - ) - self.subnet_data_configuration_iprange = subnet_ranges.apply( - lambda s: s.data_configuration - ) - self.subnet_data_private_iprange = subnet_ranges.apply(lambda s: s.data_private) - self.subnet_firewall_iprange = subnet_ranges.apply(lambda s: s.firewall) - self.subnet_firewall_management_iprange = subnet_ranges.apply( - lambda s: s.firewall_management - ) - self.subnet_guacamole_containers_iprange = subnet_ranges.apply( - lambda s: s.guacamole_containers - ) - self.subnet_guacamole_containers_support_iprange = subnet_ranges.apply( - lambda s: s.guacamole_containers_support - ) - self.subnet_identity_containers_iprange = subnet_ranges.apply( - lambda s: s.identity_containers - ) - self.subnet_monitoring_iprange = subnet_ranges.apply(lambda s: s.monitoring) - self.subnet_user_services_containers_iprange = subnet_ranges.apply( - lambda s: s.user_services_containers - ) - self.subnet_user_services_containers_support_iprange = subnet_ranges.apply( - lambda s: s.user_services_containers_support - ) - self.subnet_user_services_databases_iprange = subnet_ranges.apply( - lambda s: s.user_services_databases - ) - self.subnet_user_services_software_repositories_iprange = subnet_ranges.apply( - lambda s: s.user_services_software_repositories - ) - self.subnet_workspaces_iprange = subnet_ranges.apply(lambda s: 
s.workspaces) # Other variables self.dns_private_zones = dns_private_zones self.dns_resource_group_name = dns_resource_group_name @@ -134,46 +92,6 @@ def __init__( tags=child_tags, ) - # Set address prefixes from ranges - dns_servers_prefix = str(props.dns_servers_iprange) - subnet_application_gateway_prefix = ( - props.subnet_application_gateway_iprange.apply(str) - ) - subnet_apt_proxy_server_prefix = props.subnet_apt_proxy_server_iprange.apply( - str - ) - subnet_data_configuration_prefix = ( - props.subnet_data_configuration_iprange.apply(str) - ) - subnet_data_private_prefix = props.subnet_data_private_iprange.apply(str) - subnet_firewall_prefix = props.subnet_firewall_iprange.apply(str) - subnet_firewall_management_prefix = ( - props.subnet_firewall_management_iprange.apply(str) - ) - subnet_guacamole_containers_prefix = ( - props.subnet_guacamole_containers_iprange.apply(str) - ) - subnet_guacamole_containers_support_prefix = ( - props.subnet_guacamole_containers_support_iprange.apply(str) - ) - subnet_identity_containers_prefix = ( - props.subnet_identity_containers_iprange.apply(str) - ) - subnet_monitoring_prefix = props.subnet_monitoring_iprange.apply(str) - subnet_user_services_containers_prefix = ( - props.subnet_user_services_containers_iprange.apply(str) - ) - subnet_user_services_containers_support_prefix = ( - props.subnet_user_services_containers_support_iprange.apply(str) - ) - subnet_user_services_databases_prefix = ( - props.subnet_user_services_databases_iprange.apply(str) - ) - subnet_user_services_software_repositories_prefix = ( - props.subnet_user_services_software_repositories_iprange.apply(str) - ) - subnet_workspaces_prefix = props.subnet_workspaces_iprange.apply(str) - # Define NSGs nsg_application_gateway = network.NetworkSecurityGroup( f"{self._name}_nsg_application_gateway", 
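Review bot: With `sre_index` dropped from `SRENetworkingProps`, every SRE's virtual network is built from the same `SREIpRanges.vnet` (`10.0.0.0/16` in the ip_ranges.py hunk), and nothing in this hunk prevents two such vnets from being peered to the SHM hub that `shm_networking_resource_group_name` and `shm_zone_name` still point at; Azure rejects peering of overlapping address spaces, and if the overlap were instead bridged by routing, NSG rules keyed on `SREIpRanges.*` prefixes could no longer distinguish one SRE's traffic from another's. If SRE-to-SHM peering has been removed elsewhere in this change, a comment next to the vnet creation (`# All SREs share 10.0.0.0/16; SRE vnets must never be peered to each other or to a hub`) would make that invariant explicit. `SRENetworkingComponent.__init__` continues outside the hunk.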
@@ -208,7 +126,7 @@ def __init__(
             network.SecurityRuleArgs(
                 access=network.SecurityRuleAccess.ALLOW,
                 description="Allow inbound connections from users over the internet.",
-                destination_address_prefix=subnet_application_gateway_prefix,
+                destination_address_prefix=SREIpRanges.application_gateway.prefix,
                 destination_port_ranges=[Ports.HTTP, Ports.HTTPS],
                 direction=network.SecurityRuleDirection.INBOUND,
                 name="AllowUsersInternetInbound",
@@ -220,7 +138,7 @@ def __init__(
             network.SecurityRuleArgs(
                 access=network.SecurityRuleAccess.ALLOW,
                 description="Allow inbound connections from from ssllabs.com for SSL quality reporting.",
-                destination_address_prefix=subnet_application_gateway_prefix,
+                destination_address_prefix=SREIpRanges.application_gateway.prefix,
                 destination_port_ranges=[Ports.HTTPS],
                 direction=network.SecurityRuleDirection.INBOUND,
                 name="AllowSslLabsInternetInbound",
@@ -248,25 +166,25 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to DNS servers.", - destination_address_prefix=dns_servers_prefix, + destination_address_prefix=SREDnsIpRanges.vnet.prefix, destination_port_ranges=[Ports.DNS], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDNSServersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_application_gateway_prefix, + source_address_prefix=SREIpRanges.application_gateway.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to the Guacamole remote desktop gateway.", - destination_address_prefix=subnet_guacamole_containers_prefix, + destination_address_prefix=SREIpRanges.guacamole_containers.prefix, destination_port_ranges=[Ports.HTTP], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowGuacamoleContainersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_application_gateway_prefix, + source_address_prefix=SREIpRanges.application_gateway.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -297,13 +215,13 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from SRE workspaces.", - destination_address_prefix=subnet_apt_proxy_server_prefix, + destination_address_prefix=SREIpRanges.apt_proxy_server.prefix, destination_port_ranges=[Ports.LINUX_UPDATE], direction=network.SecurityRuleDirection.INBOUND, name="AllowWorkspacesInbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_workspaces_prefix, + source_address_prefix=SREIpRanges.workspaces.prefix, source_port_range="*", ), network.SecurityRuleArgs( @@ -334,25 +252,25 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to DNS servers.", - destination_address_prefix=dns_servers_prefix, + destination_address_prefix=SREDnsIpRanges.vnet.prefix, destination_port_ranges=[Ports.DNS], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDNSServersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_apt_proxy_server_prefix, + source_address_prefix=SREIpRanges.apt_proxy_server.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to configuration data endpoints.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDataConfigurationEndpointsOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_apt_proxy_server_prefix, + source_address_prefix=SREIpRanges.apt_proxy_server.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -364,7 +282,7 @@ def __init__(
                 name="AllowPackagesInternetOutbound",
                 priority=NetworkingPriorities.EXTERNAL_INTERNET,
                 protocol=network.SecurityRuleProtocol.TCP,
-                source_address_prefix=subnet_apt_proxy_server_prefix,
+                source_address_prefix=SREIpRanges.apt_proxy_server.prefix,
                 source_port_range="*",
             ),
             network.SecurityRuleArgs(
@@ -392,49 +310,49 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from Guacamole remote desktop gateway.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowGuacamoleContainersInbound", priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from identity containers.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowIdentityServersInbound", priority=NetworkingPriorities.INTERNAL_SRE_IDENTITY_CONTAINERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_identity_containers_prefix, + source_address_prefix=SREIpRanges.identity_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from user services containers.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowUserServicesContainersInbound", priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_CONTAINERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_user_services_containers_prefix, + source_address_prefix=SREIpRanges.user_services_containers.prefix, source_port_range="*", ), 
network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from user services software repositories.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowUserServicesSoftwareRepositoriesInbound", priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_SOFTWARE_REPOSITORIES, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_user_services_software_repositories_prefix, + source_address_prefix=SREIpRanges.user_services_software_repositories.prefix, source_port_range="*", ), network.SecurityRuleArgs( @@ -487,13 +405,13 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from SRE workspaces.", - destination_address_prefix=subnet_data_private_prefix, + destination_address_prefix=SREIpRanges.data_private.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowWorkspacesInbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_workspaces_prefix, + source_address_prefix=SREIpRanges.workspaces.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -546,13 +464,13 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from the Application Gateway.", - destination_address_prefix=subnet_guacamole_containers_prefix, + destination_address_prefix=SREIpRanges.guacamole_containers.prefix, destination_port_ranges=[Ports.HTTP], direction=network.SecurityRuleDirection.INBOUND, name="AllowApplicationGatewayInbound", priority=NetworkingPriorities.INTERNAL_SRE_APPLICATION_GATEWAY, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_application_gateway_prefix, + source_address_prefix=SREIpRanges.application_gateway.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -583,61 +501,61 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to DNS servers.", - destination_address_prefix=dns_servers_prefix, + destination_address_prefix=SREDnsIpRanges.vnet.prefix, destination_port_ranges=[Ports.DNS], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDNSServersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to configuration data endpoints.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDataConfigurationEndpointsOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to Guacamole support services.", - destination_address_prefix=subnet_guacamole_containers_support_prefix, + destination_address_prefix=SREIpRanges.guacamole_containers_support.prefix, destination_port_ranges=[Ports.POSTGRESQL], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowGuacamoleContainersSupportOutbound", priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS_SUPPORT, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", 
), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow LDAP client requests over TCP.", - destination_address_prefix=subnet_identity_containers_prefix, + destination_address_prefix=SREIpRanges.identity_containers.prefix, destination_port_ranges=[Ports.LDAP_APRICOT], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowIdentityServersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_IDENTITY_CONTAINERS, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to SRE workspaces.", - destination_address_prefix=subnet_workspaces_prefix, + destination_address_prefix=SREIpRanges.workspaces.prefix, destination_port_ranges=[Ports.SSH, Ports.RDP], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowWorkspacesOutbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( @@ -649,7 +567,7 @@ def __init__( name="AllowOAuthInternetOutbound", priority=NetworkingPriorities.EXTERNAL_INTERNET, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -677,13 +595,13 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from Guacamole remote desktop gateway.", - destination_address_prefix=subnet_guacamole_containers_support_prefix, + destination_address_prefix=SREIpRanges.guacamole_containers_support.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowGuacamoleContainersInbound", priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -736,37 +654,37 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow LDAP client requests from Guacamole over TCP.", - destination_address_prefix=subnet_identity_containers_prefix, + destination_address_prefix=SREIpRanges.identity_containers.prefix, destination_port_ranges=[Ports.LDAP_APRICOT], direction=network.SecurityRuleDirection.INBOUND, name="AllowGuacamoleLDAPClientTCPInbound", priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_guacamole_containers_prefix, + source_address_prefix=SREIpRanges.guacamole_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow LDAP client requests from user services over TCP.", - destination_address_prefix=subnet_identity_containers_prefix, + destination_address_prefix=SREIpRanges.identity_containers.prefix, destination_port_ranges=[Ports.LDAP_APRICOT], direction=network.SecurityRuleDirection.INBOUND, name="AllowUserServicesLDAPClientTCPInbound", priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_CONTAINERS, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_user_services_containers_prefix, + source_address_prefix=SREIpRanges.user_services_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow LDAP client requests from workspaces over TCP.", - destination_address_prefix=subnet_identity_containers_prefix, + destination_address_prefix=SREIpRanges.identity_containers.prefix, destination_port_ranges=[Ports.LDAP_APRICOT], direction=network.SecurityRuleDirection.INBOUND, name="AllowWorkspaceLDAPClientTCPInbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_workspaces_prefix, + source_address_prefix=SREIpRanges.workspaces.prefix, 
source_port_range="*", ), network.SecurityRuleArgs( @@ -797,25 +715,25 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to DNS servers.", - destination_address_prefix=dns_servers_prefix, + destination_address_prefix=SREDnsIpRanges.vnet.prefix, destination_port_ranges=[Ports.DNS], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDNSServersOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_identity_containers_prefix, + source_address_prefix=SREIpRanges.identity_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to configuration data endpoints.", - destination_address_prefix=subnet_data_configuration_prefix, + destination_address_prefix=SREIpRanges.data_configuration.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.OUTBOUND, name="AllowDataConfigurationEndpointsOutbound", priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_identity_containers_prefix, + source_address_prefix=SREIpRanges.identity_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( @@ -827,7 +745,7 @@ def __init__( name="AllowOAuthInternetOutbound", priority=NetworkingPriorities.EXTERNAL_INTERNET, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_identity_containers_prefix, + source_address_prefix=SREIpRanges.identity_containers.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -855,25 +773,25 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from own subnet.", - destination_address_prefix=subnet_monitoring_prefix, + destination_address_prefix=SREIpRanges.monitoring.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.INBOUND, name="AllowMonitoringToolsInbound", priority=NetworkingPriorities.INTERNAL_SRE_SELF, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_monitoring_prefix, + source_address_prefix=SREIpRanges.monitoring.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from workspaces.", - destination_address_prefix=subnet_monitoring_prefix, + destination_address_prefix=SREIpRanges.monitoring.prefix, destination_port_ranges=[Ports.HTTPS], direction=network.SecurityRuleDirection.INBOUND, name="AllowWorkspacesInbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_workspaces_prefix, + source_address_prefix=SREIpRanges.workspaces.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -892,25 +810,25 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to own subnet.", - destination_address_prefix=subnet_monitoring_prefix, + destination_address_prefix=SREIpRanges.monitoring.prefix, destination_port_range="*", direction=network.SecurityRuleDirection.OUTBOUND, name="AllowMonitoringToolsOutbound", priority=NetworkingPriorities.INTERNAL_SRE_SELF, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_monitoring_prefix, + source_address_prefix=SREIpRanges.monitoring.prefix, source_port_range="*", ), network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow outbound connections to workspaces.", - destination_address_prefix=subnet_workspaces_prefix, + destination_address_prefix=SREIpRanges.workspaces.prefix, destination_port_ranges=[Ports.AZURE_MONITORING], direction=network.SecurityRuleDirection.OUTBOUND, name="AllowWorkspacesOutbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.ASTERISK, - source_address_prefix=subnet_monitoring_prefix, + source_address_prefix=SREIpRanges.monitoring.prefix, source_port_range="*", ), network.SecurityRuleArgs( @@ -938,13 +856,13 @@ def __init__( network.SecurityRuleArgs( access=network.SecurityRuleAccess.ALLOW, description="Allow inbound connections from SRE workspaces.", - destination_address_prefix=subnet_user_services_containers_prefix, + destination_address_prefix=SREIpRanges.user_services_containers.prefix, destination_port_ranges=[Ports.SSH, Ports.HTTP, Ports.HTTPS], direction=network.SecurityRuleDirection.INBOUND, name="AllowWorkspacesInbound", priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES, protocol=network.SecurityRuleProtocol.TCP, - source_address_prefix=subnet_workspaces_prefix, + source_address_prefix=SREIpRanges.workspaces.prefix, source_port_range="*", ), network.SecurityRuleArgs( 
@@ -975,49 +893,49 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
- destination_address_prefix=dns_servers_prefix,
+ destination_address_prefix=SREDnsIpRanges.vnet.prefix,
 destination_port_ranges=[Ports.DNS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDNSServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_containers_prefix,
+ source_address_prefix=SREIpRanges.user_services_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to configuration data endpoints.",
- destination_address_prefix=subnet_data_configuration_prefix,
+ destination_address_prefix=SREIpRanges.data_configuration.prefix,
 destination_port_range="*",
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDataConfigurationEndpointsOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_containers_prefix,
+ source_address_prefix=SREIpRanges.user_services_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow LDAP client requests over TCP.",
- destination_address_prefix=subnet_identity_containers_prefix,
+ destination_address_prefix=SREIpRanges.identity_containers.prefix,
 destination_port_ranges=[Ports.LDAP_APRICOT],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowIdentityServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_IDENTITY_CONTAINERS,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_user_services_containers_prefix,
+ source_address_prefix=SREIpRanges.user_services_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to container support services.",
- destination_address_prefix=subnet_user_services_containers_support_prefix,
+ destination_address_prefix=SREIpRanges.user_services_containers_support.prefix,
 destination_port_ranges=[Ports.POSTGRESQL],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowUserServicesContainersSupportOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_CONTAINERS_SUPPORT,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_user_services_containers_prefix,
+ source_address_prefix=SREIpRanges.user_services_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1045,13 +963,13 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow inbound connections from user services containers.",
- destination_address_prefix=subnet_user_services_containers_support_prefix,
+ destination_address_prefix=SREIpRanges.user_services_containers_support.prefix,
 destination_port_ranges=[Ports.POSTGRESQL],
 direction=network.SecurityRuleDirection.INBOUND,
 name="AllowUserServicesContainersInbound",
 priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_CONTAINERS,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_user_services_containers_prefix,
+ source_address_prefix=SREIpRanges.user_services_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1104,13 +1022,13 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow inbound connections from SRE workspaces.",
- destination_address_prefix=subnet_user_services_databases_prefix,
+ destination_address_prefix=SREIpRanges.user_services_databases.prefix,
 destination_port_ranges=[Ports.MSSQL, Ports.POSTGRESQL],
 direction=network.SecurityRuleDirection.INBOUND,
 name="AllowWorkspacesInbound",
 priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1141,25 +1059,25 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
- destination_address_prefix=dns_servers_prefix,
+ destination_address_prefix=SREDnsIpRanges.vnet.prefix,
 destination_port_ranges=[Ports.DNS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDNSServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_databases_prefix,
+ source_address_prefix=SREIpRanges.user_services_databases.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to configuration data endpoints.",
- destination_address_prefix=subnet_data_configuration_prefix,
+ destination_address_prefix=SREIpRanges.data_configuration.prefix,
 destination_port_range="*",
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDataConfigurationEndpointsOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_databases_prefix,
+ source_address_prefix=SREIpRanges.user_services_databases.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1187,13 +1105,13 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow inbound connections from SRE workspaces.",
- destination_address_prefix=subnet_user_services_software_repositories_prefix,
+ destination_address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 destination_port_ranges=[Ports.HTTP, Ports.HTTPS, Ports.SQUID],
 direction=network.SecurityRuleDirection.INBOUND,
 name="AllowWorkspacesInbound",
 priority=NetworkingPriorities.INTERNAL_SRE_WORKSPACES,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1224,25 +1142,25 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
- destination_address_prefix=dns_servers_prefix,
+ destination_address_prefix=SREDnsIpRanges.vnet.prefix,
 destination_port_ranges=[Ports.DNS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDNSServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_software_repositories_prefix,
+ source_address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to configuration data endpoints.",
- destination_address_prefix=subnet_data_configuration_prefix,
+ destination_address_prefix=SREIpRanges.data_configuration.prefix,
 destination_port_range="*",
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDataConfigurationEndpointsOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DATA_CONFIGURATION,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_user_services_software_repositories_prefix,
+ source_address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1254,7 +1172,7 @@ def __init__(
 name="AllowPackagesInternetOutbound",
 priority=NetworkingPriorities.EXTERNAL_INTERNET,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_user_services_software_repositories_prefix,
+ source_address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1282,25 +1200,25 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow inbound connections from monitoring tools.",
- destination_address_prefix=subnet_workspaces_prefix,
+ destination_address_prefix=SREIpRanges.workspaces.prefix,
 destination_port_ranges=[Ports.AZURE_MONITORING],
 direction=network.SecurityRuleDirection.INBOUND,
 name="AllowMonitoringToolsInbound",
 priority=NetworkingPriorities.AZURE_MONITORING_SOURCES,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_monitoring_prefix,
+ source_address_prefix=SREIpRanges.monitoring.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow inbound connections from Guacamole remote desktop gateway.",
- destination_address_prefix=subnet_workspaces_prefix,
+ destination_address_prefix=SREIpRanges.workspaces.prefix,
 destination_port_ranges=[Ports.SSH, Ports.RDP],
 direction=network.SecurityRuleDirection.INBOUND,
 name="AllowGuacamoleContainersInbound",
 priority=NetworkingPriorities.INTERNAL_SRE_GUACAMOLE_CONTAINERS,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_guacamole_containers_prefix,
+ source_address_prefix=SREIpRanges.guacamole_containers.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1331,97 +1249,97 @@ def __init__(
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow LDAP client requests over TCP.",
- destination_address_prefix=subnet_identity_containers_prefix,
+ destination_address_prefix=SREIpRanges.identity_containers.prefix,
 destination_port_ranges=[Ports.LDAP_APRICOT],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowIdentityServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_IDENTITY_CONTAINERS,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
- destination_address_prefix=dns_servers_prefix,
+ destination_address_prefix=SREDnsIpRanges.vnet.prefix,
 destination_port_ranges=[Ports.DNS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDNSServersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DNS_SERVERS,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to private data endpoints.",
- destination_address_prefix=subnet_data_private_prefix,
+ destination_address_prefix=SREIpRanges.data_private.prefix,
 destination_port_range="*",
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowDataPrivateEndpointsOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_DATA_PRIVATE,
 protocol=network.SecurityRuleProtocol.ASTERISK,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to monitoring tools.",
- destination_address_prefix=subnet_monitoring_prefix,
+ destination_address_prefix=SREIpRanges.monitoring.prefix,
 destination_port_ranges=[Ports.HTTPS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowMonitoringToolsOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_MONITORING_TOOLS,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to user services containers.",
- destination_address_prefix=subnet_user_services_containers_prefix,
+ destination_address_prefix=SREIpRanges.user_services_containers.prefix,
 destination_port_ranges=[Ports.SSH, Ports.HTTP, Ports.HTTPS],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowUserServicesContainersOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_CONTAINERS,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to user services databases.",
- destination_address_prefix=subnet_user_services_databases_prefix,
+ destination_address_prefix=SREIpRanges.user_services_databases.prefix,
 destination_port_ranges=[Ports.MSSQL, Ports.POSTGRESQL],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowUserServicesDatabasesOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_DATABASES,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to user services software repositories.",
- destination_address_prefix=subnet_user_services_software_repositories_prefix,
+ destination_address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 destination_port_ranges=[Ports.HTTP, Ports.HTTPS, Ports.SQUID],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowUserServicesSoftwareRepositoriesOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_USER_SERVICES_SOFTWARE_REPOSITORIES,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to apt proxy server.",
- destination_address_prefix=subnet_apt_proxy_server_prefix,
+ destination_address_prefix=SREIpRanges.apt_proxy_server.prefix,
 destination_port_ranges=[Ports.LINUX_UPDATE],
 direction=network.SecurityRuleDirection.OUTBOUND,
 name="AllowAptProxyServerOutbound",
 priority=NetworkingPriorities.INTERNAL_SRE_APT_PROXY_SERVER,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1433,7 +1351,7 @@ def __init__(
 name="AllowConfigurationInternetOutbound",
 priority=NetworkingPriorities.EXTERNAL_INTERNET,
 protocol=network.SecurityRuleProtocol.TCP,
- source_address_prefix=subnet_workspaces_prefix,
+ source_address_prefix=SREIpRanges.workspaces.prefix,
 source_port_range="*",
 ),
 network.SecurityRuleArgs(
@@ -1477,7 +1395,7 @@ def __init__(
 sre_virtual_network = network.VirtualNetwork(
 f"{self._name}_virtual_network",
 address_space=network.AddressSpaceArgs(
- address_prefixes=[props.vnet_iprange.apply(str)],
+ address_prefixes=[SREIpRanges.vnet.prefix],
 ),
 dhcp_options=network.DhcpOptionsArgs(dns_servers=[props.dns_server_ip]),
 resource_group_name=resource_group.name,
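Review bot: In the hunk at -1477, `address_prefixes=[SREIpRanges.vnet.prefix]` no longer reads `props.vnet_iprange`, so if that field is still declared on the props class it has become a dead input that a caller may set and expect to take effect; either remove the field or make this line check that it agrees with `SREIpRanges.vnet`. The props class is outside this chunk, so I cannot see whether other readers of `vnet_iprange` remain. Since the address space is now fixed while `dns_servers=[props.dns_server_ip]` on the next line is still per-deployment, a one-line comment would stop a reader looking for the prop, e.g. `# VNet address space is fixed by SREIpRanges rather than supplied through props`. `__init__` starts before and continues after these hunks.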
@@ -1485,7 +1403,7 @@ def __init__(
 subnets=[
 # Application gateway subnet
 network.SubnetArgs(
- address_prefix=subnet_application_gateway_prefix,
+ address_prefix=SREIpRanges.application_gateway.prefix,
 name=subnet_application_gateway_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_application_gateway.id
@@ -1494,7 +1412,7 @@ def __init__(
 ),
 # apt proxy server
 network.SubnetArgs(
- address_prefix=subnet_apt_proxy_server_prefix,
+ address_prefix=SREIpRanges.apt_proxy_server.prefix,
 delegations=[
 network.DelegationArgs(
 name="SubnetDelegationContainerGroups",
@@ -1510,7 +1428,7 @@ def __init__(
 ),
 # Configuration data subnet
 network.SubnetArgs(
- address_prefix=subnet_data_configuration_prefix,
+ address_prefix=SREIpRanges.data_configuration.prefix,
 name=subnet_data_configuration_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_data_configuration.id
@@ -1525,7 +1443,7 @@ def __init__(
 ),
 # Private data
 network.SubnetArgs(
- address_prefix=subnet_data_private_prefix,
+ address_prefix=SREIpRanges.data_private.prefix,
 name=subnet_data_private_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_data_private.id
@@ -1540,19 +1458,19 @@ def __init__(
 ),
 # Firewall
 network.SubnetArgs(
- address_prefix=subnet_firewall_prefix,
+ address_prefix=SREIpRanges.firewall.prefix,
 name=subnet_firewall_name,
 # Note that NSGs cannot be attached to a subnet containing a firewall
 ),
 # Firewall management
 network.SubnetArgs(
- address_prefix=subnet_firewall_management_prefix,
+ address_prefix=SREIpRanges.firewall_management.prefix,
 name=subnet_firewall_management_name,
 # Note that NSGs cannot be attached to a subnet containing a firewall
 ),
 # Guacamole containers
 network.SubnetArgs(
- address_prefix=subnet_guacamole_containers_prefix,
+ address_prefix=SREIpRanges.guacamole_containers.prefix,
 delegations=[
 network.DelegationArgs(
 name="SubnetDelegationContainerGroups",
@@ -1568,7 +1486,7 @@ def __init__(
 ),
 # Guacamole containers support
 network.SubnetArgs(
- address_prefix=subnet_guacamole_containers_support_prefix,
+ address_prefix=SREIpRanges.guacamole_containers_support.prefix,
 name=subnet_guacamole_containers_support_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_guacamole_containers_support.id
@@ -1578,7 +1496,7 @@ def __init__(
 ),
 # Identity containers
 network.SubnetArgs(
- address_prefix=subnet_identity_containers_prefix,
+ address_prefix=SREIpRanges.identity_containers.prefix,
 delegations=[
 network.DelegationArgs(
 name="SubnetDelegationContainerGroups",
@@ -1594,7 +1512,7 @@ def __init__(
 ),
 # Monitoring
 network.SubnetArgs(
- address_prefix=subnet_monitoring_prefix,
+ address_prefix=SREIpRanges.monitoring.prefix,
 name=subnet_monitoring_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_monitoring.id
@@ -1603,7 +1521,7 @@ def __init__(
 ),
 # User services containers
 network.SubnetArgs(
- address_prefix=subnet_user_services_containers_prefix,
+ address_prefix=SREIpRanges.user_services_containers.prefix,
 delegations=[
 network.DelegationArgs(
 name="SubnetDelegationContainerGroups",
@@ -1619,7 +1537,7 @@ def __init__(
 ),
 # User services containers support
 network.SubnetArgs(
- address_prefix=subnet_user_services_containers_support_prefix,
+ address_prefix=SREIpRanges.user_services_containers_support.prefix,
 name=subnet_user_services_containers_support_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_user_services_containers_support.id
@@ -1628,7 +1546,7 @@ def __init__(
 ),
 # User services databases
 network.SubnetArgs(
- address_prefix=subnet_user_services_databases_prefix,
+ address_prefix=SREIpRanges.user_services_databases.prefix,
 name=subnet_user_services_databases_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_user_services_databases.id
@@ -1637,7 +1555,7 @@ def __init__(
 ),
 # User services software repositories
 network.SubnetArgs(
- address_prefix=subnet_user_services_software_repositories_prefix,
+ address_prefix=SREIpRanges.user_services_software_repositories.prefix,
 delegations=[
 network.DelegationArgs(
 name="SubnetDelegationContainerGroups",
@@ -1653,7 +1571,7 @@ def __init__(
 ),
 # Workspaces
 network.SubnetArgs(
- address_prefix=subnet_workspaces_prefix,
+ address_prefix=SREIpRanges.workspaces.prefix,
 name=subnet_workspaces_name,
 network_security_group=network.NetworkSecurityGroupArgs(
 id=nsg_workspaces.id
diff --git a/tests/config/test_config.py b/tests/config/test_config.py
index 3939a88206..d0a734741d 100644
--- a/tests/config/test_config.py
+++ b/tests/config/test_config.py
@@ -72,7 +72,6 @@ def test_constructor(self, remote_desktop_config):
 sre_config = ConfigSectionSRE(
 databases=[DatabaseSystem.POSTGRESQL],
 data_provider_ip_addresses=["0.0.0.0"], # noqa: S104
- index=1,
 remote_desktop=remote_desktop_config,
 workspace_skus=["Standard_D2s_v4"],
 research_user_ip_addresses=["0.0.0.0"], # noqa: S104
@@ -81,7 +80,7 @@ def test_constructor(self, remote_desktop_config):
 assert sre_config.data_provider_ip_addresses[0] == "0.0.0.0/32"
 
 def test_constructor_defaults(self, remote_desktop_config):
- sre_config = ConfigSectionSRE(index=1)
+ sre_config = ConfigSectionSRE()
 assert sre_config.databases == []
 assert sre_config.data_provider_ip_addresses == []
 assert sre_config.remote_desktop == remote_desktop_config
@@ -92,12 +91,11 @@ def test_constructor_defaults(self, remote_desktop_config):
 def test_all_databases_must_be_unique(self):
 with pytest.raises(ValueError, match="All items must be unique."):
 ConfigSectionSRE(
- index=1,
 databases=[DatabaseSystem.POSTGRESQL, DatabaseSystem.POSTGRESQL],
 )
 
 def test_update(self):
- sre_config = ConfigSectionSRE(index=1)
+ sre_config = ConfigSectionSRE()
 assert sre_config.databases == []
 assert sre_config.data_provider_ip_addresses == []
 assert sre_config.workspace_skus == []
@@ -125,19 +123,6 @@ def test_constructor(self, azure_config, shm_config):
 )
 assert not config.sres
 
- def test_all_sre_indices_must_be_unique(self, azure_config, shm_config):
- with pytest.raises(ValueError, match="All items must be unique."):
- sre_config_1 = ConfigSectionSRE(index=1)
- sre_config_2 = ConfigSectionSRE(index=1)
- Config(
- azure=azure_config,
- shm=shm_config,
- sres={
- "sre1": sre_config_1,
- "sre2": sre_config_2,
- },
- )
-
 @pytest.mark.parametrize("require_sres,expected", [(False, True), (True, False)])
 def test_is_complete_no_sres(self, config_no_sres, require_sres, expected):
 assert config_no_sres.is_complete(require_sres=require_sres) is expected
@@ -148,8 +133,6 @@ def test_is_complete_sres(self, config_sres, require_sres):
 
 def test_sre(self, config_sres):
 sre1, sre2 = config_sres.sre("sre1"), config_sres.sre("sre2")
- assert sre1.index == 1
- assert sre2.index == 2
 assert sre1 != sre2
 
 def test_sre_invalid(self, config_sres):
diff --git a/tests/conftest.py b/tests/conftest.py
index 106b30bf16..1ac030c2d8 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -78,7 +78,6 @@ def config_yaml():
 sre1:
 data_provider_ip_addresses: []
 databases: []
- index: 1
 remote_desktop:
 allow_copy: false
 allow_paste: false
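Review bot: In the hunk at -148, `test_sre` is left asserting only `sre1 != sre2`, and that inequality now rests entirely on the `config_sres` fixture in tests/conftest.py giving `sre2` different `remote_desktop` options (the hunk at -140 on the following line); nothing in the test itself says what is expected to differ. Pinning the distinguishing field makes the intent explicit and survives a later fixture change: `assert sre1.remote_desktop != sre2.remote_desktop` followed by `assert sre2.remote_desktop.allow_copy is True` and `assert sre2.remote_desktop.allow_paste is True`, which are exactly the values the fixture sets.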
@@ -88,10 +87,9 @@ def config_yaml():
 sre2:
 data_provider_ip_addresses: []
 databases: []
- index: 2
 remote_desktop:
- allow_copy: false
- allow_paste: false
+ allow_copy: true
+ allow_paste: true
 research_user_ip_addresses: []
 software_packages: none
 workspace_skus: []
@@ -140,8 +138,12 @@ def config_no_sres(azure_config, shm_config):
 
 @fixture
 def config_sres(azure_config, shm_config):
- sre_config_1 = ConfigSectionSRE(index=1)
- sre_config_2 = ConfigSectionSRE(index=2)
+ sre_config_1 = ConfigSectionSRE()
+ sre_config_2 = ConfigSectionSRE(
+ remote_desktop=ConfigSubsectionRemoteDesktopOpts(
+ allow_copy=True, allow_paste=True
+ )
+ )
 return Config(
 azure=azure_config,
 shm=shm_config,
diff --git a/tests/infrastructure/common/test_ip_ranges.py b/tests/infrastructure/common/test_ip_ranges.py
index 70aa3383eb..0c9abc7c66 100644
--- a/tests/infrastructure/common/test_ip_ranges.py
+++ b/tests/infrastructure/common/test_ip_ranges.py
@@ -1,49 +1,46 @@
-import pytest
-
-from data_safe_haven.exceptions import DataSafeHavenParameterError
 from data_safe_haven.external import AzureIPv4Range
 from data_safe_haven.infrastructure.common import SREDnsIpRanges, SREIpRanges
 
 
 class TestSREIpRanges:
- def test_invalid_low_index(self):
- with pytest.raises(DataSafeHavenParameterError) as exc_info:
- SREIpRanges(-1)
- assert exc_info.match("Index '-1' must be between 1 and 256")
-
- def test_invalid_high_index(self):
- with pytest.raises(DataSafeHavenParameterError) as exc_info:
- SREIpRanges(999)
- assert exc_info.match("Index '999' must be between 1 and 256")
-
 def test_vnet_and_subnets(self):
- ips = SREIpRanges(5)
- assert ips.vnet == AzureIPv4Range("10.5.0.0", "10.5.255.255")
- assert ips.application_gateway == AzureIPv4Range("10.5.0.0", "10.5.0.255")
- assert ips.apt_proxy_server == AzureIPv4Range("10.5.1.0", "10.5.1.7")
- assert ips.data_configuration == AzureIPv4Range("10.5.1.8", "10.5.1.15")
- assert ips.data_private == AzureIPv4Range("10.5.1.16", "10.5.1.23")
- assert ips.firewall == AzureIPv4Range("10.5.1.64", "10.5.1.127")
- assert ips.firewall_management == AzureIPv4Range("10.5.1.128", "10.5.1.191")
- assert ips.guacamole_containers == AzureIPv4Range("10.5.1.24", "10.5.1.31")
- assert ips.guacamole_containers_support == AzureIPv4Range(
- "10.5.1.32", "10.5.1.39"
- )
- assert ips.identity_containers == AzureIPv4Range("10.5.1.40", "10.5.1.47")
- assert ips.monitoring == AzureIPv4Range("10.5.1.192", "10.5.1.223")
- assert ips.user_services_containers == AzureIPv4Range("10.5.1.48", "10.5.1.55")
- assert ips.user_services_containers_support == AzureIPv4Range(
- "10.5.1.56", "10.5.1.63"
- )
- assert ips.user_services_databases == AzureIPv4Range("10.5.1.224", "10.5.1.231")
- assert ips.user_services_software_repositories == AzureIPv4Range(
- "10.5.1.232", "10.5.1.239"
- )
- assert ips.workspaces == AzureIPv4Range("10.5.2.0", "10.5.2.255")
+ assert SREIpRanges.vnet == AzureIPv4Range("10.0.0.0", "10.0.255.255")
+ assert SREIpRanges.application_gateway == AzureIPv4Range(
+ "10.0.0.0", "10.0.0.255"
+ )
+ assert SREIpRanges.apt_proxy_server == AzureIPv4Range("10.0.1.0", "10.0.1.7")
+ assert SREIpRanges.data_configuration == AzureIPv4Range("10.0.1.8", "10.0.1.15")
+ assert SREIpRanges.data_private == AzureIPv4Range("10.0.1.16", "10.0.1.23")
+ assert SREIpRanges.firewall == AzureIPv4Range("10.0.1.64", "10.0.1.127")
+ assert SREIpRanges.firewall_management == AzureIPv4Range(
+ "10.0.1.128", "10.0.1.191"
+ )
+ assert SREIpRanges.guacamole_containers == AzureIPv4Range(
+ "10.0.1.24", "10.0.1.31"
+ )
+ assert SREIpRanges.guacamole_containers_support == AzureIPv4Range(
+ "10.0.1.32", "10.0.1.39"
+ )
+ assert SREIpRanges.identity_containers == AzureIPv4Range(
+ "10.0.1.40", "10.0.1.47"
+ )
+ assert SREIpRanges.monitoring == AzureIPv4Range("10.0.1.192", "10.0.1.223")
+ assert SREIpRanges.user_services_containers == AzureIPv4Range(
+ "10.0.1.48", "10.0.1.55"
+ )
+ assert SREIpRanges.user_services_containers_support == AzureIPv4Range(
+ "10.0.1.56", "10.0.1.63"
+ )
+ assert SREIpRanges.user_services_databases == AzureIPv4Range(
+ "10.0.1.224", "10.0.1.231"
+ )
+ assert SREIpRanges.user_services_software_repositories == AzureIPv4Range(
+ "10.0.1.232", "10.0.1.239"
+ )
+ assert SREIpRanges.workspaces == AzureIPv4Range("10.0.2.0", "10.0.2.255")
 
 
 class TestSREDnsIpRanges:
 def test_vnet(self):
- ips = SREDnsIpRanges()
- assert ips.vnet == AzureIPv4Range("192.168.0.0", "192.168.0.7")
+ assert SREDnsIpRanges.vnet == AzureIPv4Range("192.168.0.0", "192.168.0.7")
diff --git a/tests/infrastructure/programs/sre/conftest.py b/tests/infrastructure/programs/sre/conftest.py
index ec2cad3217..efcbe0c921 100644
--- a/tests/infrastructure/programs/sre/conftest.py
+++ b/tests/infrastructure/programs/sre/conftest.py
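Review bot: `test_vnet_and_subnets` pins each range to literal endpoints but never checks the two properties the NSG rules and subnet definitions actually depend on — that every subnet lies inside `SREIpRanges.vnet` and that no two subnets overlap — so a future edit to one endpoint that silently overlaps a neighbour (e.g. a data subnet spilling into workspaces) would not be caught. The new `prefix` property that the networking code now reads is also not exercised anywhere in this file; a single line such as `assert SREIpRanges.vnet.prefix == str(SREIpRanges.vnet)` would pin its contract. The containment/disjointness check below uses the `ipaddress.IPv4Network` methods `subnet_of` and `overlaps`, which is valid if AzureIPv4Range subclasses `IPv4Network` (its `hosts()` usage suggests so — confirm), and needs `import itertools` at the top of the file.
```python
class TestSREIpRanges:
    # … unchanged: test_vnet_and_subnets …

    def test_subnets_within_vnet_and_disjoint(self):
        subnets = [
            SREIpRanges.application_gateway,
            SREIpRanges.apt_proxy_server,
            SREIpRanges.data_configuration,
            SREIpRanges.data_private,
            SREIpRanges.firewall,
            SREIpRanges.firewall_management,
            SREIpRanges.guacamole_containers,
            SREIpRanges.guacamole_containers_support,
            SREIpRanges.identity_containers,
            SREIpRanges.monitoring,
            SREIpRanges.user_services_containers,
            SREIpRanges.user_services_containers_support,
            SREIpRanges.user_services_databases,
            SREIpRanges.user_services_software_repositories,
            SREIpRanges.workspaces,
        ]
        # Every subnet must sit inside the VNet address space ...
        for subnet in subnets:
            assert subnet.subnet_of(SREIpRanges.vnet)
        # ... and no two subnets may share an address, or NSG prefixes become ambiguous
        for first, second in itertools.combinations(subnets, 2):
            assert not first.overlaps(second)
```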
@@ -62,16 +62,16 @@ def identity_key_vault_reader(
 
 
 @fixture
-def subnet_application_gateway(sre_index) -> network.GetSubnetResult:
+def subnet_application_gateway() -> network.GetSubnetResult:
 return network.GetSubnetResult(
- address_prefix=str(SREIpRanges(sre_index).application_gateway),
+ address_prefix=SREIpRanges.application_gateway.prefix,
 id="subnet_application_gateway_id",
 )
 
 
 @fixture
-def subnet_guacamole_containers(sre_index) -> network.GetSubnetResult:
+def subnet_guacamole_containers() -> network.GetSubnetResult:
 return network.GetSubnetResult(
- address_prefix=str(SREIpRanges(sre_index).guacamole_containers),
+ address_prefix=SREIpRanges.guacamole_containers.prefix,
 id="subnet_guacamole_containers_id",
 )
diff --git a/tests/infrastructure/programs/sre/test_application_gateway.py b/tests/infrastructure/programs/sre/test_application_gateway.py
index bde05a3689..ee2a989d90 100644
--- a/tests/infrastructure/programs/sre/test_application_gateway.py
+++ b/tests/infrastructure/programs/sre/test_application_gateway.py
@@ -101,7 +101,7 @@ def test_props_subnet_guacamole_containers_ip_addresses(
 self, application_gateway_props: SREApplicationGatewayProps
 ):
 application_gateway_props.subnet_guacamole_containers_ip_addresses.apply(
- partial(assert_equal, ["10.0.1.28", "10.0.1.29", "10.0.1.30"]),
+ partial(assert_equal, ["10.0.1.28", "10.0.1.29", "10.0.1.30"]),
 run_with_unknowns=True,
 )
 
@@ -157,9 +157,9 @@ def test_application_gateway_backend_address_pools(
 "provisioning_state": None,
 "type": None,
 "backend_addresses": [
- {"ip_address": "10.1.1.28"},
- {"ip_address": "10.1.1.29"},
- {"ip_address": "10.1.1.30"},
+ {"ip_address": "10.0.1.28"},
+ {"ip_address": "10.0.1.29"},
+ {"ip_address": "10.0.1.30"},
 ],
 "name": "appGatewayBackendGuacamole",
 }
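Review bot: The three literal addresses `10.0.1.28`–`10.0.1.30` in test_application_gateway.py (the hunks at -101 and -157) duplicate knowledge that now lives only in `SREIpRanges.guacamole_containers` (10.0.1.24–10.0.1.31 per tests/infrastructure/common/test_ip_ranges.py), so the next renumbering of that subnet has to be mirrored by hand here, and the tests give no hint where the values come from. Because these assertions pin the exact backend addresses the application gateway will forward remote-desktop sessions to, a comment tying them to the constant keeps that link visible, e.g. `# Guacamole backend IPs: addresses inside SREIpRanges.guacamole_containers (10.0.1.24-10.0.1.31)`; deriving the expected list from the range itself would be better still, but how the three addresses are selected from the /29 is not visible in this chunk. The enclosing test functions begin on the hunk header lines, just outside the hunks.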