Move NFSv3 accounts to a component resource
Diagnostic settings are created as part of the component.
JimMadge committed Nov 28, 2024
1 parent 168ca24 commit e43bd6e
Showing 7 changed files with 47 additions and 145 deletions.
6 changes: 4 additions & 2 deletions data_safe_haven/infrastructure/components/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@
MicrosoftSQLDatabaseProps,
NFSV3BlobContainerComponent,
NFSV3BlobContainerProps,
NFSV3StorageAccountComponent,
NFSV3StorageAccountProps,
PostgresqlDatabaseComponent,
PostgresqlDatabaseProps,
VMComponent,
Expand All @@ -23,7 +25,6 @@
)
from .wrapped import (
WrappedLogAnalyticsWorkspace,
WrappedNFSV3StorageAccount,
)

__all__ = [
Expand All @@ -41,11 +42,12 @@
"MicrosoftSQLDatabaseProps",
"NFSV3BlobContainerComponent",
"NFSV3BlobContainerProps",
"NFSV3StorageAccountComponent",
"NFSV3StorageAccountProps",
"PostgresqlDatabaseComponent",
"PostgresqlDatabaseProps",
"SSLCertificate",
"SSLCertificateProps",
"VMComponent",
"WrappedLogAnalyticsWorkspace",
"WrappedNFSV3StorageAccount",
]
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@
MicrosoftSQLDatabaseProps,
)
from .nfsv3_blob_container import NFSV3BlobContainerComponent, NFSV3BlobContainerProps
from .nfsv3_storage_account import (
NFSV3StorageAccountComponent,
NFSV3StorageAccountProps,
)
from .postgresql_database import PostgresqlDatabaseComponent, PostgresqlDatabaseProps
from .virtual_machine import LinuxVMComponentProps, VMComponent

Expand All @@ -23,6 +27,8 @@
"MicrosoftSQLDatabaseProps",
"NFSV3BlobContainerComponent",
"NFSV3BlobContainerProps",
"NFSV3StorageAccountComponent",
"NFSV3StorageAccountProps",
"PostgresqlDatabaseComponent",
"PostgresqlDatabaseProps",
"VMComponent",
Expand Down
2 changes: 0 additions & 2 deletions data_safe_haven/infrastructure/components/wrapped/__init__.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
from .log_analytics_workspace import WrappedLogAnalyticsWorkspace
from .nfsv3_storage_account import WrappedNFSV3StorageAccount

__all__ = [
"WrappedLogAnalyticsWorkspace",
"WrappedNFSV3StorageAccount",
]

This file was deleted.

1 change: 1 addition & 0 deletions data_safe_haven/infrastructure/programs/declarative_sre.py
Original file line number Diff line number Diff line change
Expand Up @@ -377,6 +377,7 @@ def __call__(self) -> None:
ldap_user_filter=ldap_user_filter,
ldap_user_search_base=ldap_user_search_base,
location=self.config.azure.location,
log_analytics_workspace=monitoring.log_analytics,
resource_group=resource_group,
software_repository_hostname=user_services.software_repositories.hostname,
subnet_desired_state=networking.subnet_desired_state,
Expand Down
70 changes: 18 additions & 52 deletions data_safe_haven/infrastructure/programs/sre/data.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@
from pulumi import ComponentResource, Input, Output, ResourceOptions
from pulumi_azure_native import (
authorization,
insights,
keyvault,
managedidentity,
network,
Expand All @@ -32,10 +31,11 @@
from data_safe_haven.infrastructure.components import (
NFSV3BlobContainerComponent,
NFSV3BlobContainerProps,
NFSV3StorageAccountComponent,
NFSV3StorageAccountProps,
SSLCertificate,
SSLCertificateProps,
WrappedLogAnalyticsWorkspace,
WrappedNFSV3StorageAccount,
)
from data_safe_haven.types import AzureDnsZoneNames, AzureServiceTag

Expand Down Expand Up @@ -471,20 +471,26 @@ def __init__(
# Deploy sensitive data blob storage account
# - This holds the /mnt/input and /mnt/output containers that are mounted by workspaces
# - Azure blobs have worse NFS support but can be accessed with Azure Storage Explorer
storage_account_data_private_sensitive = WrappedNFSV3StorageAccount(
component_data_private_sensitive = NFSV3StorageAccountComponent(
f"{self._name}_storage_account_data_private_sensitive",
# Storage account names have a maximum of 24 characters
account_name=alphanumeric(
f"{''.join(truncate_tokens(stack_name.split('-'), 11))}sensitivedata{sha256hash(self._name)}"
)[:24],
allowed_ip_addresses=data_private_sensitive_ip_addresses,
allowed_service_tag=data_private_sensitive_service_tag,
location=props.location,
subnet_id=props.subnet_data_private_id,
resource_group_name=props.resource_group_name,
NFSV3StorageAccountProps(
# Storage account names have a maximum of 24 characters
account_name=alphanumeric(
f"{''.join(truncate_tokens(stack_name.split('-'), 11))}sensitivedata{sha256hash(self._name)}"
)[:24],
allowed_ip_addresses=data_private_sensitive_ip_addresses,
allowed_service_tag=data_private_sensitive_service_tag,
location=props.location,
log_analytics_workspace=props.log_analytics_workspace,
subnet_id=props.subnet_data_private_id,
resource_group_name=props.resource_group_name,
),
opts=child_opts,
tags=child_tags,
)
storage_account_data_private_sensitive = (
component_data_private_sensitive.storage_account
)
# Deploy storage containers
NFSV3BlobContainerComponent(
f"{self._name}_blob_egress",
Expand Down Expand Up @@ -516,46 +522,6 @@ def __init__(
subscription_name=props.subscription_name,
),
)
# Add diagnostic setting for blobs
insights.DiagnosticSetting(
f"{storage_account_data_private_sensitive._name}_diagnostic_setting",
name=f"{storage_account_data_private_sensitive._name}_diagnostic_setting",
log_analytics_destination_type="Dedicated",
logs=[
{
"category_group": "allLogs",
"enabled": True,
"retention_policy": {
"days": 0,
"enabled": False,
},
},
{
"category_group": "audit",
"enabled": True,
"retention_policy": {
"days": 0,
"enabled": False,
},
},
],
metrics=[
{
"category": "Transaction",
"enabled": True,
"retention_policy": {
"days": 0,
"enabled": False,
},
}
],
resource_uri=storage_account_data_private_sensitive.id.apply(
# This is the URI of the blobServices resource which is automatically
# created.
lambda resource_id: resource_id + "/blobServices/default"
),
workspace_id=props.log_analytics_workspace.id,
)
# Set up a private endpoint for the sensitive data storage account
storage_account_data_private_sensitive_endpoint = network.PrivateEndpoint(
f"{storage_account_data_private_sensitive._name}_private_endpoint",
Expand Down
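Review bot: The removed `insights.DiagnosticSetting` block (the section's third hunk) enabled the `allLogs` and `audit` log category groups and the `Transaction` metric on the `.../blobServices/default` resource of the sensitive-data account, and nothing visible in this commit shows that `NFSV3StorageAccountComponent` reproduces that configuration, since the component's source is not among the changed files shown here. The commit message says the component creates the diagnostic settings, so this is presumably covered, but the `audit` category group is what records access to the /mnt/input and /mnt/output containers and is worth confirming against the component before merge. If the settings are the same, a short comment at the call site would spare the next reader the check, e.g. `# Diagnostic settings (allLogs/audit logs, Transaction metrics) for blobServices/default are created by NFSV3StorageAccountComponent` above `component_data_private_sensitive = NFSV3StorageAccountComponent(`. The enclosing `__init__` starts and ends outside the hunks.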
28 changes: 18 additions & 10 deletions data_safe_haven/infrastructure/programs/sre/desired_state.py
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,9 @@
from data_safe_haven.infrastructure.components import (
NFSV3BlobContainerComponent,
NFSV3BlobContainerProps,
WrappedNFSV3StorageAccount,
NFSV3StorageAccountComponent,
NFSV3StorageAccountProps,
WrappedLogAnalyticsWorkspace,
)
from data_safe_haven.resources import resources_path
from data_safe_haven.types import AzureDnsZoneNames
Expand All @@ -55,6 +57,7 @@ def __init__(
ldap_user_filter: Input[str],
ldap_user_search_base: Input[str],
location: Input[str],
log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace],
resource_group: Input[resources.ResourceGroup],
software_repository_hostname: Input[str],
subscription_name: Input[str],
Expand All @@ -73,6 +76,7 @@ def __init__(
self.ldap_user_filter = ldap_user_filter
self.ldap_user_search_base = ldap_user_search_base
self.location = location
self.log_analytics_workspace = log_analytics_workspace
self.resource_group_id = Output.from_input(resource_group).apply(get_id_from_rg)
self.resource_group_name = Output.from_input(resource_group).apply(
get_name_from_rg
Expand Down Expand Up @@ -102,19 +106,23 @@ def __init__(
# Deploy desired state storage account
# - This holds the /var/local/ansible container that is mounted by workspaces
# - Azure blobs have worse NFS support but can be accessed with Azure Storage Explorer
storage_account = WrappedNFSV3StorageAccount(
storage_component = NFSV3StorageAccountComponent(
f"{self._name}_storage_account",
account_name=alphanumeric(
f"{''.join(truncate_tokens(stack_name.split('-'), 11))}desiredstate{sha256hash(self._name)}"
)[:24],
allowed_ip_addresses=props.admin_ip_addresses,
allowed_service_tag=None,
location=props.location,
resource_group_name=props.resource_group_name,
subnet_id=props.subnet_desired_state_id,
NFSV3StorageAccountProps(
account_name=alphanumeric(
f"{''.join(truncate_tokens(stack_name.split('-'), 11))}desiredstate{sha256hash(self._name)}"
)[:24],
allowed_ip_addresses=props.admin_ip_addresses,
allowed_service_tag=None,
location=props.location,
log_analytics_workspace=props.log_analytics_workspace,
resource_group_name=props.resource_group_name,
subnet_id=props.subnet_desired_state_id,
),
opts=child_opts,
tags=child_tags,
)
storage_account = storage_component.storage_account
# Deploy desired state share
container_desired_state = NFSV3BlobContainerComponent(
f"{self._name}_blob_desired_state",
Expand Down
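Review bot: The `[:24]` slice on the new `account_name=alphanumeric(...)` argument in the last hunk has no explanation here, while the parallel call in `sre/data.py` in this same commit carries `# Storage account names have a maximum of 24 characters`; copying that comment above `account_name=alphanumeric(` keeps the two call sites consistent. The `allowed_service_tag=None` line is likewise unexplained; if the component treats `None` as "no service tag allowed" (not verifiable from this page), a one-line comment such as `# No service tag: only the admin IP addresses are allowed` would make the intent of restricting the desired-state account visible. The enclosing `__init__` starts and ends outside the hunks.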

0 comments on commit e43bd6e

Please sign in to comment.