Add script to renew NFS share Stored Access Policies #1739

Merged
merged 21 commits into from
Feb 29, 2024
49 changes: 33 additions & 16 deletions deployment/common/AzureStorage.psm1
@@ -55,7 +55,9 @@ function Deploy-SasAccessPolicy {
[Parameter(Mandatory = $false, ParameterSetName = "ByShareName", HelpMessage = "Container name")]
[string]$ShareName,
[Parameter(Mandatory = $false, HelpMessage = "Validity in years")]
[int]$ValidityYears = 20
[int]$ValidityYears = 20,
[Parameter(Mandatory = $false, HelpMessage = "Force generating a new policy")]
[switch]$Force
)
$Identifier = $ContainerName ? "container '$ContainerName'" : $ShareName ? "share '$ShareName'" : ""
$PolicyName = "${identifier}${Name}".Replace(" ", "").Replace("'", "").ToLower()
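Review bot: the HelpMessage on the new `[switch]$Force` parameter ("Force generating a new policy") describes the opposite of what the switch does in the function body below, where `-Force` selects the update path (`Set-AzStorage*StoredAccessPolicy`) and logs a Fatal when no existing policy is found. Suggest wording it as `HelpMessage = "Update an existing policy instead of creating a new one"`. While here, the unchanged `$ShareName` parameter two lines up still carries `HelpMessage = "Container name"`, which reads like a copy-paste slip and could be corrected to "Share name" in the same change.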
@@ -65,27 +67,42 @@ function Deploy-SasAccessPolicy {
} elseif ($ShareName) {
$policy = Get-AzStorageShareStoredAccessPolicy -ShareName $ContainerName -Policy $PolicyName -Context $StorageAccount.Context -ErrorAction SilentlyContinue
}
if ($policy) {
if ($policy -and -not $Force) {
Add-LogMessage -Level InfoSuccess "Found existing SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
} else {
}
if ($Force -and -not $policy) {
Add-LogMessage -Level Fatal "No existing SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
}

if (-not $Force) {
Add-LogMessage -Level Info "[ ] Creating new SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
$StartTime = (Get-Date).AddMinutes(-1) # allow for possible clock-skew between different systems
$ExpiryTime = $StartTime.AddYears($ValidityYears)
$success = $false
if ($ContainerName) {
} else {
Add-LogMessage -Level Info "[ ] Updating SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
}
$StartTime = (Get-Date).AddMinutes(-1) # allow for possible clock-skew between different systems
$ExpiryTime = $StartTime.AddYears($ValidityYears)
$success = $false
if ($ContainerName) {
if (-not $Force) {
$null = New-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Policy $PolicyName -Context $StorageAccount.Context -Permission $Permission -StartTime $StartTime -ExpiryTime $ExpiryTime
$policy = Get-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Policy $PolicyName -Context $StorageAccount.Context
$success = $?
} elseif ($ShareName) {
$null = New-AzStorageShareStoredAccessPolicy -ShareName $ShareName -Policy $PolicyName -Context $StorageAccount.Context -Permission $Permission -StartTime $StartTime -ExpiryTime $ExpiryTime
$policy = Get-AzStorageShareStoredAccessPolicy -ShareName $ShareName -Policy $PolicyName -Context $StorageAccount.Context
$success = $?
} else {
$null = Set-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Policy $PolicyName -Context $StorageAccount.Context -Permission $Permission -StartTime $StartTime -ExpiryTime $ExpiryTime
}
if ($success) {
Add-LogMessage -Level Success "Created new SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
$policy = Get-AzStorageContainerStoredAccessPolicy -Container $ContainerName -Policy $PolicyName -Context $StorageAccount.Context
$success = $?
} elseif ($ShareName) {
if (-not $Force) {
$null = New-AzStorageShareStoredAccessPolicy -ShareName $ShareName -Policy $PolicyName -Context $StorageAccount.Context -Permission $Permission -StartTime $StartTime -ExpiryTime $ExpiryTime
} else {
Add-LogMessage -Level Fatal "Failed to create new SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'!"
$null = Set-AzStorageShareStoredAccessPolicy -ShareName $ShareName -Policy $PolicyName -Context $StorageAccount.Context -Permission $Permission -StartTime $StartTime -ExpiryTime $ExpiryTime
}
$policy = Get-AzStorageShareStoredAccessPolicy -ShareName $ShareName -Policy $PolicyName -Context $StorageAccount.Context
$success = $?
}
if ($success) {
Add-LogMessage -Level Success "Created new SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'"
} else {
Add-LogMessage -Level Fatal "Failed to create new SAS policy '$PolicyName' for $Identifier in '$($StorageAccount.StorageAccountName)'!"
}
return $policy
}
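Review bot: as far as the visible lines show, the restructured flow no longer short-circuits when a policy already exists and `-Force` is not given. After `if ($policy -and -not $Force)` logs "Found existing SAS policy", execution falls through to the "[ ] Creating new SAS policy" branch and calls `New-AzStorage*StoredAccessPolicy` for a name that already exists, because the old `} else {` that guarded creation has been removed; a `return $policy` inside that first `if` restores the previous behaviour. Two further points in the same hunk: the unchanged lookup `Get-AzStorageShareStoredAccessPolicy -ShareName $ContainerName` passes the container name in the share branch, so calling with `-ShareName ... -Force` will always hit the new "No existing SAS policy" Fatal; it should read `-ShareName $ShareName`. And `$success = $?` reflects only the `Get-...` call that precedes it, not the `New-`/`Set-` call whose outcome matters, while the closing messages still say "Created new SAS policy" on the update path; consider checking the result of the `Set-` call and logging "Updated" in that case.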
@@ -0,0 +1,38 @@
param(
[Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. 'project')")]
[string]$shmId,
[Parameter(Mandatory = $true, HelpMessage = "Enter SRE ID (e.g. 'sandbox')")]
[string]$sreId
)

Import-Module Az.Accounts -ErrorAction Stop
Import-Module Az.Resources -ErrorAction Stop
Import-Module Az.Storage -ErrorAction Stop
Import-Module $PSScriptRoot/../../common/AzureStorage -Force -ErrorAction Stop
Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
Import-Module $PSScriptRoot/../../common/DataStructures -Force -ErrorAction Stop
Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop


# Get config and original context before changing subscription
# ------------------------------------------------------------
$config = Get-SreConfig -shmId $shmId -sreId $sreId
$originalContext = Get-AzContext
$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop

# Update each SAS Access Policy to be valid for one year from now
# ---------------------------------------------------------------
$persistentStorageAccount = Get-StorageAccount -ResourceGroupName $config.shm.storage.persistentdata.rg -Name $config.sre.storage.persistentdata.account.name
foreach ($receptacleName in $config.sre.storage.persistentdata.containers.Keys) {
$accessPolicyName = $config.sre.storage.persistentdata.containers[$receptacleName].accessPolicyName
$null = Deploy-SasAccessPolicy -Name $accessPolicyName `
-Permission $config.sre.storage.accessPolicies[$accessPolicyName].permissions `
-StorageAccount $persistentStorageAccount `
-ContainerName $receptacleName `
-ValidityYears 1 `
-Force
}

# Switch back to original subscription
# ------------------------------------
$null = Set-AzContext -Context $originalContext -ErrorAction Stop
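Review bot: the final `Set-AzContext -Context $originalContext` is skipped if `Deploy-SasAccessPolicy` terminates the script with a Fatal (for example when one of the policies does not exist), which leaves the caller's session switched to the SRE subscription. Suggest wrapping the `foreach` in `try { ... } finally { $null = Set-AzContext -Context $originalContext -ErrorAction Stop }` so the context is always restored. A short header comment stating what the script covers would also help: the PR title refers to NFS shares, but the loop only iterates `$config.sre.storage.persistentdata.containers` and passes `-ContainerName`, so a reader cannot tell from the script alone whether file shares are in scope.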
16 changes: 16 additions & 0 deletions docs/source/roles/system_manager/manage_deployments.md
@@ -26,6 +26,22 @@ PS> ./Update_SRE_SSL_Certificate.ps1 -shmId <SHM ID> -sreId <SRE ID>
- where `<SHM ID>` is the {ref}`management environment ID <roles_deployer_shm_id>` for this SHM
- where `<SRE ID>` is the {ref}`secure research environment ID <roles_deployer_sre_id>` for this SRE

(renew_sas)=

## {{locked_with_key}} Renew SRE Container Access Policies

The [SRE storage containers](role_researcher_user_guide_shared_storage) for input data, backup and output are all provided by blob storage.
The SRDs use [SAS tokens](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) bound to a [Stored Access Policy](https://learn.microsoft.com/en-us/azure/storage/common/storage-stored-access-policy-define-dotnet) to authenticate and access the data.

When the containers are deployed the Stored Access Policy is valid for one year.
If a SRE is deployed for longer than this, the policy will need to be renewed in order to maintain access to these containers.

![Powershell: five minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=powershell&label=local&color=blue&message=five%20minutes) at {{file_folder}} `./deployment/secure_research_environment/setup`

```powershell
PS> ./Update_Stored_Access_Policies.ps1 -shmId <SHM ID> -sreId <SRE ID>
```

(resize_vm)=

## {{arrow_upper_right}} Resize the Virtual Machine (VM) of a Secure Research Desktop (SRD)
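Review bot: "If a SRE is deployed" should read "If an SRE is deployed". The link `[SRE storage containers](role_researcher_user_guide_shared_storage)` is a plain markdown link to a label, whereas the neighbouring bullets for `<SHM ID>` and `<SRE ID>` use `{ref}` roles; switching it to `{ref}` lets Sphinx resolve the target. The statement that the Stored Access Policy is valid for one year at deployment should also be checked against `Deploy-SasAccessPolicy` in `AzureStorage.psm1`, whose `$ValidityYears` default is 20: if the deployment path relies on that default, the documentation and the code disagree.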