Move SHM firewall to SRE

data_safe_haven/commands/sre.py

@@ -76,11 +76,6 @@ def deploy(
         )
         stack.add_option("azure-native:tenantId", config.azure.tenant_id, replace=False)
         # Load SHM stack outputs
-        stack.add_option(
-            "shm-firewall-private-ip-address",
-            shm_stack.output("firewall")["private_ip_address"],
-            replace=True,
-        )
         stack.add_option(
             "shm-monitoring-automation_account_name",
             shm_stack.output("monitoring")["automation_account_name"],

data_safe_haven/infrastructure/common/__init__.py

@@ -1,5 +1,6 @@
 from .ip_ranges import SREDnsIpRanges, SREIpRanges
 from .transformations import (
+    get_address_prefixes_from_subnet,
     get_available_ips_from_subnet,
     get_id_from_rg,
     get_id_from_subnet,
@@ -13,6 +14,7 @@
 )
 
 __all__ = [
+    "get_address_prefixes_from_subnet",
     "get_available_ips_from_subnet",
     "get_id_from_rg",
     "get_id_from_subnet",

data_safe_haven/infrastructure/common/ip_ranges.py

@@ -1,5 +1,6 @@
 """Calculate SRE IP address ranges for a given SRE index"""
 
+from data_safe_haven.exceptions import DataSafeHavenParameterError
 from data_safe_haven.external import AzureIPv4Range
 
 
@@ -10,11 +11,16 @@ class SREIpRanges:
 
     def __init__(self, index: int) -> None:
         """Constructor"""
+        if index < 1 or index > self.max_index:
+            msg = f"Index '{index}' must be between 1 and {self.max_index}"
+            raise DataSafeHavenParameterError(msg)
         self.vnet = AzureIPv4Range(f"10.{index}.0.0", f"10.{index}.255.255")
         self.application_gateway = self.vnet.next_subnet(256)
         self.apt_proxy_server = self.vnet.next_subnet(8)
         self.data_configuration = self.vnet.next_subnet(8)
         self.data_private = self.vnet.next_subnet(8)
+        self.firewall = self.vnet.next_subnet(64)  # 64 address minimum
+        self.firewall_management = self.vnet.next_subnet(64)  # 64 address minimum
         self.guacamole_containers = self.vnet.next_subnet(8)
         self.guacamole_containers_support = self.vnet.next_subnet(8)
         self.identity_containers = self.vnet.next_subnet(8)

data_safe_haven/infrastructure/common/transformations.py

@@ -7,6 +7,16 @@
 from data_safe_haven.external import AzureIPv4Range
 
 
+def get_address_prefixes_from_subnet(subnet: network.GetSubnetResult) -> list[str]:
+    """Get list of CIDRs belonging to this subnet"""
+    if address_prefixes := subnet.address_prefixes:
+        return [str(p) for p in address_prefixes]
+    if address_prefix := subnet.address_prefix:
+        return [address_prefix]
+    msg = f"Subnet '{subnet.name}' has no address prefix."
+    raise DataSafeHavenPulumiError(msg)
+
+
 def get_available_ips_from_subnet(subnet: network.GetSubnetResult) -> list[str]:
     """Get list of available IP addresses from a subnet"""
     if address_prefix := subnet.address_prefix:

data_safe_haven/infrastructure/components/composite/local_dns_record.py

@@ -65,4 +65,6 @@ def __init__(
         )
 
         # Register outputs
-        self.hostname = public_dns_record_set.fqdn
+        self.hostname = public_dns_record_set.fqdn.apply(
+            lambda s: s.strip(".")  # strip trailing "."
+        )

data_safe_haven/infrastructure/programs/declarative_shm.py

@@ -5,7 +5,6 @@
 from data_safe_haven.config import Config
 from data_safe_haven.context import Context
 
-from .shm.firewall import SHMFirewallComponent, SHMFirewallProps
 from .shm.monitoring import SHMMonitoringComponent, SHMMonitoringProps
 from .shm.networking import SHMNetworkingComponent, SHMNetworkingProps
 
@@ -40,20 +39,6 @@ def __call__(self) -> None:
             tags=self.tags,
         )
 
-        # Deploy firewall and routing
-        firewall = SHMFirewallComponent(
-            "shm_firewall",
-            self.stack_name,
-            SHMFirewallProps(
-                dns_zone=networking.dns_zone,
-                location=self.context.location,
-                resource_group_name=networking.resource_group_name,
-                route_table_name=networking.route_table.name,
-                subnet_firewall=networking.subnet_firewall,
-            ),
-            tags=self.tags,
-        )
-
         # Deploy automated monitoring
         monitoring = SHMMonitoringComponent(
             "shm_monitoring",
@@ -69,6 +54,5 @@ def __call__(self) -> None:
         )
 
         # Export values for later use
-        pulumi.export("firewall", firewall.exports)
         pulumi.export("monitoring", monitoring.exports)
         pulumi.export("networking", networking.exports)

data_safe_haven/infrastructure/programs/declarative_sre.py

@@ -23,6 +23,10 @@
     SREDnsServerComponent,
     SREDnsServerProps,
 )
+from .sre.firewall import (
+    SREFirewallComponent,
+    SREFirewallProps,
+)
 from .sre.identity import (
     SREIdentityComponent,
     SREIdentityProps,
@@ -143,9 +147,6 @@ def __call__(self) -> None:
                 dns_resource_group_name=dns.resource_group.name,
                 dns_server_ip=dns.ip_address,
                 dns_virtual_network=dns.virtual_network,
-                firewall_ip_address=self.pulumi_opts.require(
-                    "shm-firewall-private-ip-address"
-                ),
                 location=self.context.location,
                 shm_fqdn=self.cfg.shm.fqdn,
                 shm_networking_resource_group_name=self.pulumi_opts.require(
@@ -167,6 +168,25 @@ def __call__(self) -> None:
             tags=self.tags,
         )
 
+        # Deploy SRE firewall
+        SREFirewallComponent(
+            "sre_firewall",
+            self.stack_name,
+            SREFirewallProps(
+                location=self.context.location,
+                resource_group_name=networking.resource_group.name,
+                route_table_name=networking.route_table_name,
+                subnet_apt_proxy_server=networking.subnet_apt_proxy_server,
+                subnet_firewall=networking.subnet_firewall,
+                subnet_firewall_management=networking.subnet_firewall_management,
+                subnet_guacamole_containers=networking.subnet_guacamole_containers,
+                subnet_identity_containers=networking.subnet_identity_containers,
+                subnet_user_services_software_repositories=networking.subnet_user_services_software_repositories,
+                subnet_workspaces=networking.subnet_workspaces,
+            ),
+            tags=self.tags,
+        )
+
         # Deploy automated monitoring
         SREMonitoringComponent(
             "sre_monitoring",