Pulumi: Add Git and Markdown servers

data_safe_haven/commands/deploy_shm_command.py

@@ -112,11 +112,13 @@ def handle(self) -> int:
             return 0
 
         except DataSafeHavenException as exc:
-            error_msg = (
+            exception_text = (
                 f"Could not deploy Data Safe Haven Management environment.\n{str(exc)}"
             )
-            for line in error_msg.split("\n"):
-                self.error(line)
+        except Exception as exc:
+            exception_text = f"Uncaught exception of type '{type(exc)}'.\n{str(exc)}"
+        for line in exception_text.split("\n"):
+            self.error(line)
         return 1
 
     def add_missing_values(self, config: Config) -> None:

data_safe_haven/commands/deploy_sre_command.py

@@ -99,6 +99,11 @@ def handle(self) -> int:
                 shm_stack.output("domain_controllers")["ldap_server_ip"],
                 True,
             )
+            stack.add_option(
+                "shm-domain_controllers-netbios_name",
+                shm_stack.output("domain_controllers")["netbios_name"],
+                True,
+            )
             stack.add_option(
                 "shm-monitoring-automation_account_name",
                 shm_stack.output("monitoring")["automation_account_name"],
@@ -156,6 +161,8 @@ def handle(self) -> int:
             )
             # Add necessary secrets
             stack.copy_secret("password-domain-ldap-searcher", shm_stack)
+            stack.add_secret("password-gitea-database-admin", password(20))
+            stack.add_secret("password-hedgedoc-database-admin", password(20))
             stack.add_secret("password-user-database-admin", password(20))
             stack.add_secret("password-secure-research-desktop-admin", password(20))
             stack.add_secret("token-azuread-graphapi", graph_api.token, replace=True)
@@ -184,12 +191,11 @@ def handle(self) -> int:
             return 0
 
         except DataSafeHavenException as exc:
-            for (
-                line
-            ) in f"Could not deploy Secure Research Environment {self.sre_name}.\n{str(exc)}".split(
-                "\n"
-            ):
-                self.error(line)
+            exception_text = f"Could not deploy Secure Research Environment {self.sre_name}.\n{str(exc)}"
+        except Exception as exc:
+            exception_text = f"Uncaught exception of type '{type(exc)}'.\n{str(exc)}"
+        for line in exception_text.split("\n"):
+            self.error(line)
         return 1
 
     def add_missing_values(self, config: Config) -> None:

data_safe_haven/external/api/graph_api.py

@@ -401,7 +401,7 @@ def create_token_administrator(self) -> str:
                     f"Please sign-in with <fg=green>global administrator</> credentials for Azure Active Directory <fg=green>{self.tenant_id}</>."
                 )
                 self.info(
-                    "Note that the sign-in screen will prompt you to sign-in to <fg=blue>Microsoft Graph Powershell</> - this is expected."
+                    "Note that the sign-in screen will prompt you to sign-in to <fg=blue>Microsoft Graph Command Line Tools</> - this is expected."
                 )
                 self.info(flow["message"])
                 # Block until a response is received

data_safe_haven/external/interface/azure_container_instance.py

@@ -98,7 +98,7 @@ def run_executable(self, container_name: str, executable_path: str) -> List[str]
         """
         Run a script or command on one of the containers.
 
-        The command cannot take any arguments and must be a single expression.
+        It is possible to provide arguments to the command if needed.
         The most likely use-case is running a script already present in the container.
         """
         # Connect to Azure clients

data_safe_haven/provisioning/sre_provisioning_manager.py

@@ -44,7 +44,7 @@ def __init__(
             "resource_group_name": shm_stack.output("domain_controllers")[
                 "resource_group_name"
             ],
-            "group_name": sre_stack.output("research_desktops")["security_group_name"],
+            "group_name": sre_stack.output("ldap")["security_group_name"],
             "vm_name": shm_stack.output("domain_controllers")["vm_name"],
         }
 
@@ -76,6 +76,17 @@ def create_security_group(self) -> None:
         for line in output.split("\n"):
             self.parse_as_log(line)
 
+    def restart_remote_desktop_containers(self) -> None:
+        # Restart the Guacamole container group
+        guacamole_provisioner = AzureContainerInstance(
+            self.remote_desktop_params["container_group_name"],
+            self.remote_desktop_params["resource_group_name"],
+            self.subscription_name,
+        )
+        guacamole_provisioner.restart(
+            self.remote_desktop_params["container_ip_address"]
+        )
+
     def update_remote_desktop_connections(self) -> None:
         """Update connection information on the Guacamole PostgreSQL server"""
         postgres_provisioner = AzurePostgreSQLDatabase(
@@ -115,17 +126,6 @@ def update_remote_desktop_connections(self) -> None:
             mustache_values=connection_data,
         )
 
-    def restart_remote_desktop_containers(self) -> None:
-        # Restart the Guacamole container group
-        guacamole_provisioner = AzureContainerInstance(
-            self.remote_desktop_params["container_group_name"],
-            self.remote_desktop_params["resource_group_name"],
-            self.subscription_name,
-        )
-        guacamole_provisioner.restart(
-            self.remote_desktop_params["container_ip_address"]
-        )
-
     def run(self) -> None:
         """Apply SRE configuration"""
         self.create_security_group()

data_safe_haven/pulumi/common/enums.py

@@ -17,6 +17,7 @@ class NetworkingPriorities(int, Enum):
     INTERNAL_SHM_UPDATE_SERVERS = 1400
     INTERNAL_SRE_PRIVATE_DATA = 1500
     INTERNAL_SRE_REMOTE_DESKTOP = 1600
+    INTERNAL_SRE_USER_SERVICES = 1700
     INTERNAL_DSH_VIRTUAL_NETWORK = 1999
     # Authorised external IPs: 2000-2999
     AUTHORISED_EXTERNAL_ADMIN_IPS = 2000

data_safe_haven/pulumi/common/transformations.py

@@ -22,7 +22,7 @@ def get_id_from_rg(rg: resources.ResourceGroup) -> Input[str]:
     """Get the ID of a resource group"""
     if isinstance(rg.id, Output):
         return rg.id
-    raise DataSafeHavenPulumiException(f"Resource group '{rg.name}'has no ID.")
+    raise DataSafeHavenPulumiException(f"Resource group '{rg.name}' has no ID.")
 
 
 def get_id_from_subnet(subnet: network.GetSubnetResult) -> str:
@@ -32,11 +32,28 @@ def get_id_from_subnet(subnet: network.GetSubnetResult) -> str:
     raise DataSafeHavenPulumiException(f"Subnet '{subnet.name}' has no ID.")
 
 
+def get_ip_addresses_from_private_endpoint(
+    endpoint: network.PrivateEndpoint,
+) -> Input[List[str]]:
+    """Get a list of IP addresses from a private endpoint"""
+    if isinstance(endpoint.custom_dns_configs, Output):
+        return endpoint.custom_dns_configs.apply(
+            lambda cfgs: sum(
+                [list(cfg.ip_addresses) if cfg.ip_addresses else [] for cfg in cfgs], []
+            )
+            if cfgs
+            else []
+        )
+    raise DataSafeHavenPulumiException(
+        f"Private endpoint '{endpoint.name}' has no IP addresses."
+    )
+
+
 def get_name_from_rg(rg: resources.ResourceGroup) -> Input[str]:
     """Get the name of a resource group"""
     if isinstance(rg.name, Output):
         return rg.name.apply(lambda s: str(s))
-    raise DataSafeHavenPulumiException(f"Resource group '{rg.id}'has no name.")
+    raise DataSafeHavenPulumiException(f"Resource group '{rg.id}' has no name.")
 
 
 def get_name_from_subnet(subnet: network.GetSubnetResult) -> str:
@@ -50,4 +67,4 @@ def get_name_from_vnet(vnet: network.VirtualNetwork) -> Input[str]:
     """Get the ID of a virtual network"""
     if isinstance(vnet.name, Output):
         return vnet.name.apply(lambda s: str(s))
-    raise DataSafeHavenPulumiException(f"Virtual network '{vnet.id}'has no name.")
+    raise DataSafeHavenPulumiException(f"Virtual network '{vnet.id}' has no name.")

data_safe_haven/pulumi/components/shm_bastion.py

@@ -36,7 +36,7 @@ def __init__(
         props: SHMBastionProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMBastionComponent", name, {}, opts)
+        super().__init__("dsh:shm:BastionComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Deploy IP address

data_safe_haven/pulumi/components/shm_data.py

@@ -62,7 +62,7 @@ def __init__(
         props: SHMDataProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMDataComponent", name, {}, opts)
+        super().__init__("dsh:shm:DataComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Deploy resource group

data_safe_haven/pulumi/components/shm_domain_controllers.py

@@ -86,7 +86,7 @@ def __init__(
         props: SHMDomainControllersProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMDomainControllersComponent", name, {}, opts)
+        super().__init__("dsh:shm:DomainControllersComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
         resources_path = pathlib.Path(__file__).parent.parent.parent / "resources"
 
@@ -195,6 +195,7 @@ def __init__(
             "ldap_root_dn": props.domain_root_dn,
             "ldap_search_username": props.username_domain_searcher,
             "ldap_server_ip": primary_domain_controller.ip_address_private,
+            "netbios_name": props.domain_netbios_name,
             "resource_group_name": resource_group.name,
             "vm_name": primary_domain_controller.vm_name,
         }

data_safe_haven/pulumi/components/shm_firewall.py

@@ -53,7 +53,7 @@ def __init__(
         props: SHMFirewallProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMFirewallComponent", name, {}, opts)
+        super().__init__("dsh:shm:FirewallComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Important IP addresses

data_safe_haven/pulumi/components/shm_monitoring.py

@@ -53,7 +53,7 @@ def __init__(
         props: SHMMonitoringProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMMonitoringComponent", name, {}, opts)
+        super().__init__("dsh:shm:MonitoringComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Deploy resource group

data_safe_haven/pulumi/components/shm_networking.py

@@ -50,7 +50,7 @@ def __init__(
         props: SHMNetworkingProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMNetworkingComponent", name, {}, opts)
+        super().__init__("dsh:shm:NetworkingComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Deploy resource group
@@ -274,6 +274,7 @@ def __init__(
             network_security_group_name=f"{stack_name}-nsg-identity",
             resource_group_name=resource_group.name,
             security_rules=[
+                # Inbound
                 network.SecurityRuleArgs(
                     access=network.SecurityRuleAccess.ALLOW,
                     description="Allow inbound LDAP to domain controllers.",

data_safe_haven/pulumi/components/shm_update_servers.py

@@ -56,7 +56,7 @@ def __init__(
         props: SHMUpdateServersProps,
         opts: Optional[ResourceOptions] = None,
     ):
-        super().__init__("dsh:shm:SHMUpdateServersComponent", name, {}, opts)
+        super().__init__("dsh:shm:UpdateServersComponent", name, {}, opts)
         child_opts = ResourceOptions.merge(ResourceOptions(parent=self), opts)
 
         # Load cloud-init file