alan-turing-institute · jemrobinson · May 16, 2024 · May 10, 2024 · May 10, 2024 · May 10, 2024
@@ -4,7 +4,7 @@
 from typing import Any
 
 from pulumi import ComponentResource, Input, Output, ResourceOptions
-from pulumi_azure_native import compute, network
+from pulumi_azure_native import compute, maintenance, network
 
 from data_safe_haven.functions import replace_separators
 from data_safe_haven.infrastructure.components.wrapped import (
@@ -36,13 +36,15 @@ def __init__(
         log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace] | None = None,
         log_analytics_workspace_id: Input[str] | None = None,
         log_analytics_workspace_key: Input[str] | None = None,
+        maintenance_configuration_id: Input[str] | None = None,
     ) -> None:
         self.admin_password = admin_password
         self.admin_username = admin_username if admin_username else "dshvmadmin"
         self.image_reference_args = None
         self.ip_address_private = ip_address_private
         self.ip_address_public = ip_address_public
         self.location = location
+        self.maintenance_configuration_id = maintenance_configuration_id
         if log_analytics_workspace:
             self.log_analytics_workspace_id = Output.from_input(
                 log_analytics_workspace
@@ -140,6 +142,11 @@ def __init__(
             linux_configuration=compute.LinuxConfigurationArgs(
                 patch_settings=compute.LinuxPatchSettingsArgs(
                     assessment_mode=compute.LinuxPatchAssessmentMode.AUTOMATIC_BY_PLATFORM,
+                    patch_mode=compute.LinuxVMGuestPatchMode.AUTOMATIC_BY_PLATFORM,
+                    automatic_by_platform_settings=compute.LinuxVMGuestPatchAutomaticByPlatformSettingsArgs(
+                        bypass_platform_safety_checks_on_user_schedule=True,
+                        reboot_setting=compute.LinuxVMGuestPatchAutomaticByPlatformRebootSetting.IF_REQUIRED,
+                    ),
                 ),
                 provision_vm_agent=True,
             ),
@@ -276,6 +283,17 @@ def __init__(
             tags=child_tags,
         )
 
+        # Add VM to maintenance configuration
+        self.configuration_assignment_resource = maintenance.ConfigurationAssignment(
+            f"{name_underscored}_configurationAssignment",
+            provider_name="Microsoft.Compute",
+            resource_group_name=props.resource_group_name,
+            resource_name_=virtual_machine.name,
+            resource_type="VirtualMachines",
+            location=props.location,
+            maintenance_configuration_id=props.maintenance_configuration_id,
+        )
+
         # Register outputs
         self.ip_address_private: Output[str] = Output.from_input(
             props.ip_address_private

@@ -366,7 +366,7 @@ def __call__(self) -> None:
 
         # Deploy backup service
         SREBackupComponent(
-            "sre_user_services",
+            "sre_backup",
             self.stack_name,
             SREBackupProps(
                 location=self.context.location,

@@ -0,0 +1,58 @@
+"""Pulumi component for SRE Maintenance"""
+
+from collections.abc import Mapping
+
+from pulumi import ComponentResource, Input, Output, ResourceOptions
+from pulumi_azure_native import maintenance
+
+
+class SREMaintenanceProps:
+    """Properties for SREMaintenanceComponent"""
+
+    def __init__(
+        self,
+        location: Input[str],
+        resource_group_name: Input[str],
+    ) -> None:
+        self.location = location
+        self.resource_group_name = resource_group_name
+
+
+class SREMaintenanceComponent(ComponentResource):
+    """Deploy SRE maintenance with Pulumi"""
+
+    def __init__(
+        self,
+        name: str,
+        stack_name: str,
+        props: SREMaintenanceProps,
+        opts: ResourceOptions | None = None,
+        tags: Input[Mapping[str, Input[str]]] | None = None,
+    ) -> None:
+        super().__init__("dsh:sre:MaintenanceComponent", name, {}, opts)
+        child_tags = tags if tags else {}
+
+        # Deploy maintenance configuration
+        maintenance_configuration = maintenance.MaintenanceConfiguration(
+            f"{self._name}_maintenance_configuration",
+            duration="03:55",
+            extension_properties={"InGuestPatchMode": "User"},
+            install_patches=maintenance.InputPatchConfigurationArgs(
+                linux_parameters=maintenance.InputLinuxParametersArgs(
+                    classifications_to_include=["Critical", "Security"],
+                ),
+                reboot_setting="IfRequired",
+            ),
+            location=props.location,
+            maintenance_scope=maintenance.MaintenanceScope.IN_GUEST_PATCH,
+            recur_every="1Day",
+            resource_group_name=props.resource_group_name,
+            resource_name_=f"{stack_name}-maintenance-configuration",
+            start_date_time="2020-04-30 01:00",
+            time_zone="GMT Standard Time",
+            visibility=maintenance.Visibility.CUSTOM,
+            tags=child_tags,
+        )
+
+        # Register outputs
+        self.maintenance_configuration_id: Output[str] = maintenance_configuration.id
@@ -20,6 +20,10 @@
     LinuxVMComponentProps,
     VMComponent,
 )
+from data_safe_haven.infrastructure.programs.sre.maintenance import (
+    SREMaintenanceComponent,
+    SREMaintenanceProps,
+)
 from data_safe_haven.resources import resources_path
 from data_safe_haven.utility import FileReader
 
@@ -133,6 +137,17 @@ def __init__(
             storage_account_data_private_sensitive_name=props.storage_account_data_private_sensitive_name,
         ).apply(lambda kwargs: self.read_cloudinit(**kwargs))
 
+        # Deploy maintenance configuration
+        maintenance_configuration = SREMaintenanceComponent(
+            "sre_maintenance",
+            stack_name,
+            SREMaintenanceProps(
+                location=props.location,
+                resource_group_name=resource_group.name,
+            ),
+            tags=child_tags,
+        )
+
         # Deploy a variable number of VMs depending on the input parameters
         vms = [
             VMComponent(
@@ -145,6 +160,7 @@ def __init__(
                     location=props.location,
                     log_analytics_workspace_id=props.log_analytics_workspace_id,
                     log_analytics_workspace_key=props.log_analytics_workspace_key,
+                    maintenance_configuration_id=maintenance_configuration.maintenance_configuration_id,
                     resource_group_name=resource_group.name,
                     subnet_name=props.subnet_workspaces_name,
                     virtual_network_name=props.virtual_network_name,
@@ -177,13 +193,17 @@ def __init__(
         file_uploads = [
             (FileReader(resources_path / "workspace" / "run_all_tests.bats"), "0444")
         ]
+        vm_index = 0
         for test_file in pathlib.Path(resources_path / "workspace").glob("test*"):
             file_uploads.append((FileReader(test_file), "0444"))
         for vm, vm_output in zip(vms, vm_outputs, strict=True):
+            vm_index += 1
             outputs: dict[str, Output[str]] = {}
             for file_upload, file_permissions in file_uploads:
                 file_smoke_test = FileUpload(
-                    replace_separators(f"{self._name}_file_{file_upload.name}", "_"),
+                    replace_separators(
+                        f"workspace_{vm_index:02d}_file_{file_upload.name}", "_"
+                    ),
                     FileUploadProps(
                         file_contents=file_upload.file_contents(
                             mustache_values=mustache_values

@@ -7,6 +7,7 @@ import pulumi_azure_native.dataprotection as dataprotection
 import pulumi_azure_native.dbforpostgresql as dbforpostgresql
 import pulumi_azure_native.insights as insights
 import pulumi_azure_native.keyvault as keyvault
+import pulumi_azure_native.maintenance as maintenance
 import pulumi_azure_native.managedidentity as managedidentity
 import pulumi_azure_native.network as network
 import pulumi_azure_native.operationalinsights as operationalinsights
@@ -24,6 +25,7 @@ __all__ = [
     "dbforpostgresql",
     "insights",
     "keyvault",
+    "maintenance",
     "managedidentity",
     "network",
     "operationalinsights",