From 78081414c43c76dc3a447f173285ccee5448d5ba Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:32:04 +0000
Subject: [PATCH 1/5] update firewall rules to parity with 4.2.0
---
 .../infrastructure/stacks/shm/firewall.py | 139 +++---------------
 1 file changed, 18 insertions(+), 121 deletions(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index 1f95d20323..7ae968f00d 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -115,96 +115,14 @@ def __init__(
 ],
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
+ "*.blob.core.windows.net",
+ "*.servicebus.windows.net",
 "aadconnecthealth.azure.com",
- "adhsprodncuaadsynciadata.blob.core.windows.net",
- "adhsprodwcuaadsynciadata.blob.core.windows.net",
- "adhsprodweuaadsynciadata.blob.core.windows.net",
- "adhsprodweuehsyncia.servicebus.windows.net",
- "adhsprodwusaadsynciadata.blob.core.windows.net",
- "adhssyncprodpksweu.servicebus.windows.net",
 "adminwebservice.microsoftonline.com",
- "pksproddatastoreeus101.blob.core.windows.net",
- "pksproddatastoreeus102.blob.core.windows.net",
- "pksproddatastoreeus103.blob.core.windows.net",
- "pksproddatastoreeus104.blob.core.windows.net",
- "pksproddatastoreeus105.blob.core.windows.net",
- "pksproddatastoreeus106.blob.core.windows.net",
- "pksproddatastoreeus107.blob.core.windows.net",
- "pksproddatastoreeus108.blob.core.windows.net",
- "pksproddatastoreeus109.blob.core.windows.net",
- "pksproddatastoreeus111.blob.core.windows.net",
- "pksproddatastoreeus112.blob.core.windows.net",
- "pksproddatastoreeus113.blob.core.windows.net",
- "pksproddatastoreeus114.blob.core.windows.net",
- "pksproddatastoreeus115.blob.core.windows.net",
- "pksproddatastoreeus116.blob.core.windows.net",
- "pksproddatastoreeus117.blob.core.windows.net",
- "pksproddatastoreeus118.blob.core.windows.net",
- "pksproddatastoreeus119.blob.core.windows.net",
- "pksproddatastoreeus120.blob.core.windows.net",
- "pksproddatastorencu101.blob.core.windows.net",
- "pksproddatastorencu102.blob.core.windows.net",
- "pksproddatastorencu103.blob.core.windows.net",
- "pksproddatastorencu104.blob.core.windows.net",
- "pksproddatastoreneu101.blob.core.windows.net",
- "pksproddatastoreneu102.blob.core.windows.net",
- "pksproddatastoreneu103.blob.core.windows.net",
- "pksproddatastoreneu104.blob.core.windows.net",
- "pksproddatastoreneu105.blob.core.windows.net",
- "pksproddatastoreneu106.blob.core.windows.net",
- "pksproddatastoreneu107.blob.core.windows.net",
- "pksproddatastoreneu108.blob.core.windows.net",
- "pksproddatastoreneu109.blob.core.windows.net",
- "pksproddatastoreneu110.blob.core.windows.net",
- "pksproddatastoreneu111.blob.core.windows.net",
- "pksproddatastoreneu112.blob.core.windows.net",
- "pksproddatastoreneu113.blob.core.windows.net",
- "pksproddatastoreneu114.blob.core.windows.net",
- "pksproddatastoreneu115.blob.core.windows.net",
- "pksproddatastoreneu116.blob.core.windows.net",
- "pksproddatastoreneu117.blob.core.windows.net",
- "pksproddatastoreneu118.blob.core.windows.net",
- "pksproddatastoreneu119.blob.core.windows.net",
- "pksproddatastoreneu120.blob.core.windows.net",
- "pksproddatastoreweu101.blob.core.windows.net",
- "pksproddatastoreweu102.blob.core.windows.net",
- "pksproddatastoreweu103.blob.core.windows.net",
- "pksproddatastoreweu104.blob.core.windows.net",
- "pksproddatastoreweu105.blob.core.windows.net",
- "pksproddatastoreweu106.blob.core.windows.net",
- "pksproddatastoreweu107.blob.core.windows.net",
- "pksproddatastoreweu108.blob.core.windows.net",
- "pksproddatastoreweu109.blob.core.windows.net",
- "pksproddatastoreweu110.blob.core.windows.net",
- "pksproddatastoreweu111.blob.core.windows.net",
- "pksproddatastoreweu112.blob.core.windows.net",
- "pksproddatastoreweu113.blob.core.windows.net",
- "pksproddatastoreweu114.blob.core.windows.net",
- "pksproddatastoreweu115.blob.core.windows.net",
- "pksproddatastoreweu116.blob.core.windows.net",
- "pksproddatastoreweu117.blob.core.windows.net",
- "pksproddatastoreweu118.blob.core.windows.net",
- "pksproddatastoreweu119.blob.core.windows.net",
- "pksproddatastoreweu120.blob.core.windows.net",
- "pksproddatastorewus101.blob.core.windows.net",
- "pksproddatastorewus102.blob.core.windows.net",
- "pksproddatastorewus103.blob.core.windows.net",
- "pksproddatastorewus104.blob.core.windows.net",
- "pksproddatastorewus105.blob.core.windows.net",
- "pksproddatastorewus106.blob.core.windows.net",
- "pksproddatastorewus107.blob.core.windows.net",
- "pksproddatastorewus108.blob.core.windows.net",
- "pksproddatastorewus109.blob.core.windows.net",
- "pksproddatastorewus111.blob.core.windows.net",
- "pksproddatastorewus112.blob.core.windows.net",
- "pksproddatastorewus113.blob.core.windows.net",
- "pksproddatastorewus114.blob.core.windows.net",
- "pksproddatastorewus115.blob.core.windows.net",
- "pksproddatastorewus116.blob.core.windows.net",
- "pksproddatastorewus117.blob.core.windows.net",
- "pksproddatastorewus118.blob.core.windows.net",
- "pksproddatastorewus119.blob.core.windows.net",
- "pksproddatastorewus120.blob.core.windows.net",
+ "s1.adhybridhealth.azure.com",
+ "umwatson.events.data.microsoft.com",
+ "v10.events.data.microsoft.com",
+ "v20.events.data.microsoft.com"
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -219,16 +137,8 @@ def __init__(
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
 "*-sb.servicebus.windows.net",
- "passwordreset.microsoftonline.com",
- "ssprdedicatedsbprodeus2-1.servicebus.windows.net",
- "ssprdedicatedsbprodfra-1.servicebus.windows.net",
- "ssprdedicatedsbprodncu-2.servicebus.windows.net",
- "ssprdedicatedsbprodncu.servicebus.windows.net",
- "ssprdedicatedsbprodneu.servicebus.windows.net",
- "ssprdedicatedsbprodscu-2.servicebus.windows.net",
- "ssprdedicatedsbprodscu.servicebus.windows.net",
- "ssprdedicatedsbprodsea-1.servicebus.windows.net",
- "ssprdedicatedsbprodweu.servicebus.windows.net",
+ "*.servicebus.windows.net",
+ "passwordreset.microsoftonline.com"
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -245,7 +155,6 @@ def __init__(
 "s1.adhybridhealth.azure.com",
 "management.azure.com",
 "policykeyservice.dc.ad.msft.net",
- "provisioningapi.microsoftonline.com",
 "www.office.com",
 ],
 ),
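Review bot: The `*.blob.core.windows.net` and `*.servicebus.windows.net` wildcards added at the top of the identity-servers `target_fqdns` list admit every Azure Storage account and every Service Bus namespace, not only the Connect Health endpoints the removed per-region entries named, so this subnet can now write to any storage account anyone controls — a material widening of egress that the commit message ("parity with 4.2.0") does not call out. If the explicit account list is genuinely unmaintainable, record that decision next to the wildcards, e.g. `# Connect Health storage/servicebus endpoints are per-region and churn; wildcard accepted, see <tracking-issue placeholder>`, and check whether an Azure Firewall FQDN tag or a narrower pattern covers these services before settling on the wildcard. The same `*.servicebus.windows.net` wildcard is added again in the next hunk (`@@ -219,16 +137,8 @@`), where it also makes the retained `*-sb.servicebus.windows.net` entry redundant. The enclosing `__init__` starts and ends outside the hunk.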
@@ -373,6 +282,7 @@ def __init__(
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
 "au.download.windowsupdate.com",
+ # "{{storage.artifacts.accountName}}.blob.core.windows.net",
 "ctldl.windowsupdate.com",
 "download.microsoft.com",
 "download.windowsupdate.com",
@@ -403,30 +313,11 @@ def __init__(
 network.AzureFirewallApplicationRuleArgs(
 description="Allow external Azure Automation requests",
 name="AllowExternalAzureAutomationOperations",
- protocols=[
- network.AzureFirewallApplicationRuleProtocolArgs(
- port=443,
- protocol_type="Https",
- )
- ],
+ protocols=[azure_native.network.AzureFirewallNetworkRuleProtocol.TCP,
+ azure_native.network.AzureFirewallNetworkRuleProtocol.UDP],
 source_addresses=["*"],
 target_fqdns=[
- "ac-jobruntimedata-prod-su1.azure-automation.net",
- "ae-jobruntimedata-prod-su1.azure-automation.net",
- "ase-jobruntimedata-prod-su1.azure-automation.net",
- "cc-jobruntimedata-prod-su1.azure-automation.net",
- "cid-jobruntimedata-prod-su1.azure-automation.net",
- "eus2-jobruntimedata-prod-su1.azure-automation.net",
- "jpe-jobruntimedata-prod-su1.azure-automation.net",
- "ne-jobruntimedata-prod-su1.azure-automation.net",
- "scus-jobruntimedata-prod-su1.azure-automation.net",
- "sea-jobruntimedata-prod-su1.azure-automation.net",
- "stzn-jobruntimedata-prod-su1.azure-automation.net",
- "uks-jobruntimedata-prod-su1.azure-automation.net",
- "usge-jobruntimedata-prod-su1.azure-automation.us",
- "wcus-jobruntimedata-prod-su1.azure-automation.net",
- "we-jobruntimedata-prod-su1.azure-automation.net",
- "wus2-jobruntimedata-prod-su1.azure-automation.net",
+ "GuestAndHybridManagement",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
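Review bot: In the `AllowExternalAzureAutomationOperations` rule (`@@ -403,30 +313,11 @@`) the new `protocols` list holds `AzureFirewallNetworkRuleProtocol.TCP`/`UDP` and `target_fqdns` holds `GuestAndHybridManagement`, yet the enclosing object is still an `AzureFirewallApplicationRuleArgs`, whose protocols are `AzureFirewallApplicationRuleProtocolArgs(port=…, protocol_type=…)` as the removed lines show, and `GuestAndHybridManagement` is an Azure service tag, not a hostname. Unless the provider silently accepts this, the result is either a deploy-time validation failure or an application rule that matches no traffic; the intent reads as a network rule (`network.AzureFirewallNetworkRuleArgs` with `destination_addresses=["GuestAndHybridManagement"]` and explicit `destination_ports`) that belongs in a network rule collection, which sits outside this hunk. Patches 4/5 (`@@ -312,8 +312,8 @@` and `@@ -312,8 +312,10 @@`) only fix the module path and the formatting and keep the mismatch. Note the rule also keeps `source_addresses=["*"]`, so whichever form is chosen it applies to every source subnet.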
@@ -463,12 +354,18 @@ def __init__(
 ],
 source_addresses=[props.subnet_update_servers_iprange],
 target_fqdns=[
+ "apt.postgresql.org",
 "archive.ubuntu.com",
 "azure.archive.ubuntu.com",
 "changelogs.ubuntu.com",
 "cloudapp.azure.com", # this is where azure.archive.ubuntu.com is hosted
+ "d20rj4el6vkp4c.cloudfront.net",
+ "dbeaver.io",
+ "packages.gitlab.com",
 "packages.microsoft.com",
+ "qgis.org",
 "security.ubuntu.com",
+ "ubuntu.qgis.org"
 ],
 ),
 ],
From b5d77ae2334c1589998a9b443db89d3e66166c63 Mon Sep 17 00:00:00 2001
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:38:30 +0000
Subject: [PATCH 2/5] Comment out currently unused additional repositories
---
 .../infrastructure/stacks/shm/firewall.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index 7ae968f00d..da4d7f51d3 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -354,18 +354,18 @@ def __init__(
 ],
 source_addresses=[props.subnet_update_servers_iprange],
 target_fqdns=[
- "apt.postgresql.org",
+ # "apt.postgresql.org",
 "archive.ubuntu.com",
 "azure.archive.ubuntu.com",
 "changelogs.ubuntu.com",
 "cloudapp.azure.com", # this is where azure.archive.ubuntu.com is hosted
- "d20rj4el6vkp4c.cloudfront.net",
- "dbeaver.io",
- "packages.gitlab.com",
+ # "d20rj4el6vkp4c.cloudfront.net",
+ # "dbeaver.io",
+ # "packages.gitlab.com",
 "packages.microsoft.com",
- "qgis.org",
+ # "qgis.org",
 "security.ubuntu.com",
- "ubuntu.qgis.org"
+ # "ubuntu.qgis.org"
 ],
 ),
 ],
From 73318247de4234322afeb86a2fd496350a62c400 Mon Sep 17 00:00:00 2001
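Review bot: The six commented-out entries in `@@ -354,18 +354,18 @@` carry no explanation of what each repository serves or under what condition it should be re-enabled, and `d20rj4el6vkp4c.cloudfront.net` in particular is opaque, so whoever uncomments it later cannot tell what egress they are opening. Give the group one comment stating the decision, e.g. `# Repositories for optional tooling (PostgreSQL apt, DBeaver, GitLab, QGIS, <CloudFront host: service TBD>) — disabled until those tools are deployed`, and give the CloudFront entry its own inline note the way the `cloudapp.azure.com` line already has. The enclosing `__init__` starts and ends outside the hunk.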
From: Matt Craddock <5796417+craddm@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:51:36 +0000
Subject: [PATCH 3/5] Remove unnecessary shm artifacts storage fqdn
---
 data_safe_haven/infrastructure/stacks/shm/firewall.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index da4d7f51d3..ae44bc52cd 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -282,7 +282,6 @@ def __init__(
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
 "au.download.windowsupdate.com",
- # "{{storage.artifacts.accountName}}.blob.core.windows.net",
 "ctldl.windowsupdate.com",
 "download.microsoft.com",
 "download.windowsupdate.com",
From b0bd3b01c55928ae8fd562ad998ad1c97145bc01 Mon Sep 17 00:00:00 2001
From: Jim Madge
Date: Fri, 12 Apr 2024 15:54:38 +0100
Subject: [PATCH 4/5] Correct undefined reference
---
 data_safe_haven/infrastructure/stacks/shm/firewall.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index ae44bc52cd..251b10e2e8 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -312,8 +312,8 @@ def __init__(
 network.AzureFirewallApplicationRuleArgs(
 description="Allow external Azure Automation requests",
 name="AllowExternalAzureAutomationOperations",
- protocols=[azure_native.network.AzureFirewallNetworkRuleProtocol.TCP,
- azure_native.network.AzureFirewallNetworkRuleProtocol.UDP],
+ protocols=[network.AzureFirewallNetworkRuleProtocol.TCP,
+ network.AzureFirewallNetworkRuleProtocol.UDP],
 source_addresses=["*"],
 target_fqdns=[
 "GuestAndHybridManagement",
From 9cde2233efa5d4c5809b68131e60ce8eb78d5148 Mon Sep 17 00:00:00 2001
From: Jim Madge
Date: Fri, 12 Apr 2024 15:55:26 +0100
Subject: [PATCH 5/5] Run lint:fmt
---
 data_safe_haven/infrastructure/stacks/shm/firewall.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index 251b10e2e8..71543607ce 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -122,7 +122,7 @@ def __init__(
 "s1.adhybridhealth.azure.com",
 "umwatson.events.data.microsoft.com",
 "v10.events.data.microsoft.com",
- "v20.events.data.microsoft.com"
+ "v20.events.data.microsoft.com",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -138,7 +138,7 @@ def __init__(
 target_fqdns=[
 "*-sb.servicebus.windows.net",
 "*.servicebus.windows.net",
- "passwordreset.microsoftonline.com"
+ "passwordreset.microsoftonline.com",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -312,8 +312,10 @@ def __init__(
 network.AzureFirewallApplicationRuleArgs(
 description="Allow external Azure Automation requests",
 name="AllowExternalAzureAutomationOperations",
- protocols=[network.AzureFirewallNetworkRuleProtocol.TCP,
- network.AzureFirewallNetworkRuleProtocol.UDP],
+ protocols=[
+ network.AzureFirewallNetworkRuleProtocol.TCP,
+ network.AzureFirewallNetworkRuleProtocol.UDP,
+ ],
 source_addresses=["*"],
 target_fqdns=[
 "GuestAndHybridManagement",