Merge pull request #1909 from craddm/update-to-gen2

Update Ubuntu VM images
alan-turing-institute · Jun 28, 2024 · 4d52013 · 4d52013
2 parents a7f9b0c + 5fee5e9
commit 4d52013
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 3 deletions.
diff --git a/data_safe_haven/infrastructure/components/composite/virtual_machine.py b/data_safe_haven/infrastructure/components/composite/virtual_machine.py
@@ -108,9 +108,9 @@ def __init__(
     ):
         super().__init__(*args, **kwargs)
         self.image_reference_args = compute.ImageReferenceArgs(
-            offer="0001-com-ubuntu-server-focal",
+            offer="0001-com-ubuntu-server-jammy",
             publisher="Canonical",
-            sku="20_04-LTS",
+            sku="22_04-LTS-gen2",
             version="latest",
         )
         self.os_profile_args = compute.OSProfileArgs(

diff --git a/data_safe_haven/infrastructure/programs/sre/firewall.py b/data_safe_haven/infrastructure/programs/sre/firewall.py
@@ -11,6 +11,7 @@
 )
 from data_safe_haven.types import (
     FirewallPriorities,
+    ForbiddenDomains,
     PermittedDomains,
     Ports,
 )
@@ -224,6 +225,43 @@ def __init__(
                             source_addresses=props.subnet_workspaces_prefixes,
                             target_fqdns=PermittedDomains.UBUNTU_KEYSERVER,
                         ),
+                        network.AzureFirewallApplicationRuleArgs(
+                            description="Allow external Ubuntu Snap Store access",
+                            name="AllowUbuntuSnapcraft",
+                            protocols=[
+                                network.AzureFirewallApplicationRuleProtocolArgs(
+                                    port=int(Ports.HTTPS),
+                                    protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTPS,
+                                ),
+                            ],
+                            source_addresses=props.subnet_workspaces_prefixes,
+                            target_fqdns=PermittedDomains.UBUNTU_SNAPCRAFT,
+                        ),
+                    ],
+                ),
+                network.AzureFirewallApplicationRuleCollectionArgs(
+                    action=network.AzureFirewallRCActionArgs(
+                        type=network.AzureFirewallRCActionType.DENY
+                    ),
+                    name="workspaces-deny",
+                    priority=FirewallPriorities.SRE_WORKSPACES,
+                    rules=[
+                        network.AzureFirewallApplicationRuleArgs(
+                            description="Deny external Ubuntu Snap Store upload and login access",
+                            name="DenyUbuntuSnapcraft",
+                            protocols=[
+                                network.AzureFirewallApplicationRuleProtocolArgs(
+                                    port=int(Ports.HTTP),
+                                    protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTP,
+                                ),
+                                network.AzureFirewallApplicationRuleProtocolArgs(
+                                    port=int(Ports.HTTPS),
+                                    protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTPS,
+                                ),
+                            ],
+                            source_addresses=props.subnet_workspaces_prefixes,
+                            target_fqdns=ForbiddenDomains.UBUNTU_SNAPCRAFT,
+                        ),
                     ],
                 ),
             ],

diff --git a/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml b/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml
@@ -70,7 +70,7 @@ apt:
   preserve_sources_list: true  # Append to the existing /etc/apt/sources.list
   sources:
     microsoft-general.list:
-      source: "deb https://packages.microsoft.com/ubuntu/20.04/prod focal main"
+      source: "deb https://packages.microsoft.com/ubuntu/22.04/prod jammy main"
       keyid: BC528686B50D79E339D3721CEB3E94ADBE1229CF  # Microsoft (Release signing) <gpgsecurity@microsoft.com>
 
 # Install necessary apt packages

diff --git a/data_safe_haven/types/__init__.py b/data_safe_haven/types/__init__.py
@@ -15,6 +15,7 @@
     AzureDnsZoneNames,
     DatabaseSystem,
     FirewallPriorities,
+    ForbiddenDomains,
     NetworkingPriorities,
     PermittedDomains,
     Ports,
@@ -31,6 +32,7 @@
     "EmailAddress",
     "EntraGroupName",
     "FirewallPriorities",
+    "ForbiddenDomains",
     "Fqdn",
     "Guid",
     "IpAddress",

diff --git a/data_safe_haven/types/enums.py b/data_safe_haven/types/enums.py
@@ -41,6 +41,22 @@ class FirewallPriorities(int, Enum):
     SRE_WORKSPACES = 3400
 
 
+@verify(UNIQUE)
+class ForbiddenDomains(tuple[str, ...], Enum):
+    # Block snap upload to the Snap store at snapcraft.io
+    # Upload is through dashboard.snapscraft.io and requires a client to be logged in to
+    # an Ubuntu account.
+    # Login is through login.ubuntu.com.
+    # However, once successfully authorised, it is not necessary to reach
+    # login.ubuntu.com before uploading.
+    # Therefore we should block access to both domains.
+    UBUNTU_SNAPCRAFT = (
+        "dashboard.snapcraft.io",  # upload endpoint
+        "login.ubuntu.com",  # login endpoint (provides auth for upload)
+        "upload.apps.ubuntu.com",
+    )
+
+
 @verify(UNIQUE)
 class NetworkingPriorities(int, Enum):
     """Priorities for network security group rules."""
@@ -114,6 +130,10 @@ class PermittedDomains(tuple[str, ...], Enum):
     SOFTWARE_REPOSITORIES_R = ("cran.r-project.org",)
     SOFTWARE_REPOSITORIES = SOFTWARE_REPOSITORIES_PYTHON + SOFTWARE_REPOSITORIES_R
     UBUNTU_KEYSERVER = ("keyserver.ubuntu.com",)
+    UBUNTU_SNAPCRAFT = (
+        "api.snapcraft.io",
+        "*.snapcraftcontent.com",
+    )
     ALL = tuple(
         sorted(
             set(
@@ -125,6 +145,7 @@ class PermittedDomains(tuple[str, ...], Enum):
                 + SOFTWARE_REPOSITORIES_PYTHON
                 + SOFTWARE_REPOSITORIES_R
                 + UBUNTU_KEYSERVER
+                + UBUNTU_SNAPCRAFT
             )
         )
     )