⚰️ Drop requirements for GraphAPI everywhere in the SRE where they ar…

…e used to seed the pulumi-azuread provider
alan-turing-institute · Oct 25, 2024 · 810d86e · 810d86e
1 parent 7eb6fa0
commit 810d86e
Show file tree

Hide file tree

Showing 10 changed files with 3 additions and 49 deletions.
diff --git a/data_safe_haven/commands/pulumi.py b/data_safe_haven/commands/pulumi.py
@@ -6,8 +6,7 @@
 import typer
 
 from data_safe_haven import console
-from data_safe_haven.config import ContextManager, DSHPulumiConfig, SHMConfig, SREConfig
-from data_safe_haven.external import GraphApi
+from data_safe_haven.config import ContextManager, DSHPulumiConfig, SREConfig
 from data_safe_haven.infrastructure import SREProjectManager
 
 pulumi_command_group = typer.Typer()
@@ -33,24 +32,12 @@ def run(
     """Run arbitrary Pulumi commands in a DSH project"""
     context = ContextManager.from_file().assert_context()
     pulumi_config = DSHPulumiConfig.from_remote(context)
-    shm_config = SHMConfig.from_remote(context)
     sre_config = SREConfig.from_remote_by_name(context, sre_name)
 
-    graph_api = GraphApi.from_scopes(
-        scopes=[
-            "Application.ReadWrite.All",
-            "AppRoleAssignment.ReadWrite.All",
-            "Directory.ReadWrite.All",
-            "Group.ReadWrite.All",
-        ],
-        tenant_id=shm_config.shm.entra_tenant_id,
-    )
-
     project = SREProjectManager(
         context=context,
         config=sre_config,
         pulumi_config=pulumi_config,
-        graph_api_token=graph_api.token,
     )
 
     stdout = project.run_pulumi_command(command)

diff --git a/data_safe_haven/commands/sre.py b/data_safe_haven/commands/sre.py
@@ -66,7 +66,6 @@ def deploy(
             config=sre_config,
             pulumi_config=pulumi_config,
             create_project=True,
-            graph_api_token=graph_api.token,
         )
         # Set Azure options
         stack.add_option(
@@ -153,7 +152,6 @@ def deploy(
 
         # Provision SRE with anything that could not be done in Pulumi
         manager = SREProvisioningManager(
-            graph_api_token=graph_api.token,
             location=sre_config.azure.location,
             sre_name=sre_config.name,
             sre_stack=stack,
@@ -183,15 +181,8 @@ def teardown(
     """Tear down a deployed a Secure Research Environment."""
     logger = get_logger()
     try:
-        # Load context and SHM config
+        # Load context
         context = ContextManager.from_file().assert_context()
-        shm_config = SHMConfig.from_remote(context)
-
-        # Load GraphAPI as this may require user-interaction
-        graph_api = GraphApi.from_scopes(
-            scopes=["Application.ReadWrite.All", "Group.ReadWrite.All"],
-            tenant_id=shm_config.shm.entra_tenant_id,
-        )
 
         # Load Pulumi and SRE configs
         pulumi_config = DSHPulumiConfig.from_remote(context)
@@ -212,7 +203,6 @@ def teardown(
             context=context,
             config=sre_config,
             pulumi_config=pulumi_config,
-            graph_api_token=graph_api.token,
             create_project=True,
         )
         stack.teardown(force=force)

diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py
@@ -35,11 +35,9 @@ def __init__(
         self,
         context: Context,
         config: SREConfig,
-        graph_api_token: str,
     ) -> None:
         self.context = context
         self.config = config
-        self.graph_api_token = graph_api_token
         self.stack_name = replace_separators(
             f"shm-{context.name}-sre-{config.name}", "-"
         )
@@ -293,7 +291,6 @@ def __call__(self) -> None:
                 dockerhub_credentials=dockerhub_credentials,
                 entra_application_id=entra.remote_desktop_application_id,
                 entra_application_url=entra.remote_desktop_url,
-                entra_auth_token=self.graph_api_token,
                 entra_tenant_id=shm_entra_tenant_id,
                 ldap_group_filter=ldap_group_filter,
                 ldap_group_search_base=ldap_group_search_base,

diff --git a/data_safe_haven/infrastructure/programs/sre/remote_desktop.py b/data_safe_haven/infrastructure/programs/sre/remote_desktop.py
@@ -32,7 +32,6 @@ def __init__(
         dockerhub_credentials: DockerHubCredentials,
         entra_application_id: Input[str],
         entra_application_url: Input[str],
-        entra_auth_token: str,
         entra_tenant_id: Input[str],
         ldap_group_filter: Input[str],
         ldap_group_search_base: Input[str],
@@ -58,7 +57,6 @@ def __init__(
         self.dockerhub_credentials = dockerhub_credentials
         self.entra_application_id = entra_application_id
         self.entra_application_url = entra_application_url
-        self.entra_auth_token = entra_auth_token
         self.entra_tenant_id = entra_tenant_id
         self.ldap_group_filter = ldap_group_filter
         self.ldap_group_search_base = ldap_group_search_base

diff --git a/data_safe_haven/infrastructure/project_manager.py b/data_safe_haven/infrastructure/project_manager.py
@@ -446,14 +446,12 @@ def __init__(
         pulumi_config: DSHPulumiConfig,
         *,
         create_project: bool = False,
-        graph_api_token: str | None = None,
     ) -> None:
         """Constructor"""
-        token = graph_api_token or ""
         super().__init__(
             context,
             pulumi_config,
             config.name,
-            DeclarativeSRE(context, config, token),
+            DeclarativeSRE(context, config),
             create_project=create_project,
         )
diff --git a/data_safe_haven/provisioning/sre_provisioning_manager.py b/data_safe_haven/provisioning/sre_provisioning_manager.py
@@ -7,7 +7,6 @@
     AzureContainerInstance,
     AzurePostgreSQLDatabase,
     AzureSdk,
-    GraphApi,
 )
 from data_safe_haven.infrastructure import SREProjectManager
 from data_safe_haven.logging import get_logger
@@ -19,7 +18,6 @@ class SREProvisioningManager:
 
     def __init__(
         self,
-        graph_api_token: str,
         location: AzureLocation,
         sre_name: str,
         sre_stack: SREProjectManager,
@@ -28,7 +26,6 @@ def __init__(
     ):
         self._available_vm_skus: dict[str, dict[str, Any]] | None = None
         self.location = location
-        self.graph_api = GraphApi.from_token(graph_api_token)
         self.logger = get_logger()
         self.sre_name = sre_name
         self.subscription_name = subscription_name

diff --git a/tests/commands/conftest.py b/tests/commands/conftest.py
@@ -48,11 +48,6 @@ def mock_graph_api_get_application_by_name(mocker, request):
     )
 
 
-@fixture
-def mock_graph_api_token(mocker):
-    mocker.patch.object(GraphApi, "token", return_value="dummy-token")
-
-
 @fixture
 def mock_imperative_shm_deploy(mocker):
     mocker.patch.object(

diff --git a/tests/commands/test_pulumi.py b/tests/commands/test_pulumi.py
@@ -6,7 +6,6 @@ def test_run_sre(
         self,
         runner,
         local_project_settings,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_install_plugins,  # noqa: ARG002
         mock_key_vault_key,  # noqa: ARG002
         mock_pulumi_config_no_key_from_remote,  # noqa: ARG002
@@ -30,7 +29,6 @@ def test_run_sre_invalid_command(
         self,
         runner,
         local_project_settings,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_install_plugins,  # noqa: ARG002
         mock_key_vault_key,  # noqa: ARG002
         mock_pulumi_config_no_key_from_remote,  # noqa: ARG002
@@ -48,7 +46,6 @@ def test_run_sre_invalid_name(
         self,
         runner,
         local_project_settings,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_install_plugins,  # noqa: ARG002
         mock_key_vault_key,  # noqa: ARG002
         mock_pulumi_config_no_key_from_remote,  # noqa: ARG002

diff --git a/tests/commands/test_shm.py b/tests/commands/test_shm.py
@@ -7,7 +7,6 @@ def test_infrastructure_deploy(
         runner,
         mock_imperative_shm_deploy_then_exit,  # noqa: ARG002
         mock_graph_api_add_custom_domain,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_shm_config_from_remote,  # noqa: ARG002
         mock_shm_config_remote_exists,  # noqa: ARG002
         mock_shm_config_upload,  # noqa: ARG002

diff --git a/tests/commands/test_sre.py b/tests/commands/test_sre.py
@@ -13,7 +13,6 @@ def test_deploy(
         self,
         runner: CliRunner,
         mock_azuresdk_get_subscription_name,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_contextmanager_assert_context,  # noqa: ARG002
         mock_ip_1_2_3_4,  # noqa: ARG002
         mock_pulumi_config_from_remote_or_create,  # noqa: ARG002
@@ -34,7 +33,6 @@ def test_no_application(
         runner: CliRunner,
         mock_azuresdk_get_subscription_name,  # noqa: ARG002
         mock_contextmanager_assert_context,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_ip_1_2_3_4,  # noqa: ARG002
         mock_pulumi_config_from_remote_or_create,  # noqa: ARG002
         mock_shm_config_from_remote,  # noqa: ARG002
@@ -56,7 +54,6 @@ def test_no_application_secret(
         mocker: MockerFixture,
         mock_azuresdk_get_subscription_name,  # noqa: ARG002
         mock_graph_api_get_application_by_name,  # noqa: ARG002
-        mock_graph_api_token,  # noqa: ARG002
         mock_ip_1_2_3_4,  # noqa: ARG002
         mock_pulumi_config_from_remote_or_create,  # noqa: ARG002
         mock_shm_config_from_remote,  # noqa: ARG002
@@ -104,7 +101,6 @@ class TestTeardownSRE:
     def test_teardown(
         self,
         runner: CliRunner,
-        mock_graph_api_token,  # noqa: ARG002
         mock_ip_1_2_3_4,  # noqa: ARG002
         mock_pulumi_config_from_remote,  # noqa: ARG002
         mock_shm_config_from_remote,  # noqa: ARG002