
Use Pulumi to create Entra applications #2248

@jemrobinson jemrobinson commented Oct 22, 2024

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

n/a

⤴️ Summary

Replace creation of SRE Entra applications through the SDK with creation through pulumi-azuread.

Note we still need one SDK-created Entra application in the SHM which is used to authenticate pulumi-azuread.

The msgraph_permissions map looks up the GUIDs for all possible permissions. We could consider replacing this with a static lookup table that only covers the ones we need.

🌂 Related issues

Closes #2215

🔬 Tests

Tested on a fresh SRE deployment

@jemrobinson jemrobinson requested a review from a team as a code owner October 22, 2024 12:17
github-actions bot commented Oct 22, 2024

Coverage report (generated by python-coverage-comment-action)

Files whose coverage changed in this pull request, with the lines the report marks as missing coverage:

  data_safe_haven/commands/pulumi.py
  data_safe_haven/commands/sre.py
  data_safe_haven/external/api/credentials.py
  data_safe_haven/external/api/graph_api.py
  data_safe_haven/infrastructure/project_manager.py
  data_safe_haven/infrastructure/components/composite/__init__.py
  data_safe_haven/infrastructure/components/composite/entra_application.py (lines missing: 23-30, 53, 78, 102-151)
  data_safe_haven/infrastructure/components/dynamic/__init__.py
  data_safe_haven/infrastructure/programs/declarative_sre.py (lines missing: 156)
  data_safe_haven/infrastructure/programs/imperative_shm.py
  data_safe_haven/infrastructure/programs/sre/entra.py (lines missing: 28-30, 43-47, 57-121)
  data_safe_haven/infrastructure/programs/sre/identity.py (lines missing: 39-40)
  data_safe_haven/infrastructure/programs/sre/remote_desktop.py (lines missing: 58-59)
  data_safe_haven/provisioning/sre_provisioning_manager.py
  data_safe_haven/types/enums.py

@jemrobinson jemrobinson changed the title from "Use Pulumi to create Entra applications" to "WIP Use Pulumi to create Entra applications" Oct 22, 2024
@jemrobinson jemrobinson marked this pull request as draft October 22, 2024 14:19
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from b76de51 to 4d7ff34 October 23, 2024 19:30
@jemrobinson jemrobinson marked this pull request as ready for review October 23, 2024 21:44
@jemrobinson jemrobinson changed the title from "WIP Use Pulumi to create Entra applications" to "Use Pulumi to create Entra applications" Oct 23, 2024
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from d211fe6 to 810d86e October 25, 2024 09:22
@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from 59078dd to 3d5f21a October 25, 2024 09:41
@JimMadge JimMadge left a comment

Looks good. I think moving more of this stuff to community-supported Pulumi modules will help a lot.

Just a few style questions.

jemrobinson commented Oct 28, 2024

@JimMadge : My biggest worry here is that we add an entry for the Microsoft Graph Service Principal to our state file. This contains a huge amount of data (which more than doubles the size of the state file). Since we're only using it to get the GUIDs for various named permissions, we could replace the bits we need with an Enum or lookup-table. However, this would mean that we would be out-of-sync if any of these GUIDs changed (unlikely to happen as this would break a lot of third-party code).

What do you think?

@JimMadge

@jemrobinson is that the long version of the note about msgraph_permissions in the PR?

How large is it exactly, does it cause problems?
I'd be happy to leave it. Might actually provide some protection against Entra configuration changing.

jemrobinson commented Oct 28, 2024

> @jemrobinson is that the long version of the note about msgraph_permissions in the PR?

Yes

> How large is it exactly, does it cause problems? I'd be happy to leave it. Might actually provide some protection against Entra configuration changing.

About 12k lines (of which we use maybe 4-5 lines) of a 30k JSON file for a full SRE deployment. Also, we should note that the GraphApi class already has a partial copy of this (see below), so abstracting it into a common class could actually simplify our current structure.

```python
from typing import ClassVar


class GraphApi:
    """Lookup tables for the Entra / Microsoft Graph identifiers the GraphApi class uses."""

    # Application (client) IDs of first-party resource apps; used as the
    # resourceAppId when an application requests permissions on them.
    application_ids: ClassVar[dict[str, str]] = {
        "Microsoft Graph": "00000003-0000-0000-c000-000000000000",
    }
    # Entra directory role templates, keyed by display name.
    role_template_ids: ClassVar[dict[str, str]] = {
        "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    }
    # Microsoft Graph application permissions (app roles), keyed by permission name.
    uuid_application: ClassVar[dict[str, str]] = {
        "Application.ReadWrite.All": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
        "AppRoleAssignment.ReadWrite.All": "06b708a9-e830-4db3-a914-8e69da51d44f",
        "Directory.Read.All": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "Domain.Read.All": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
        "Group.Read.All": "5b567255-7703-4780-807c-7be8301ae99b",
        "Group.ReadWrite.All": "62a82d76-70ea-41e2-9197-370581804d09",
        "GroupMember.Read.All": "98830695-27a2-44f7-8c18-0c3ebc9698f6",
        "GroupMember.ReadWrite.All": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695",
        "User.Read.All": "df021288-bdef-4463-88db-98f22de89214",
        "User.ReadWrite.All": "741f803b-c850-494e-b5df-cde7c675a1ca",
        "UserAuthenticationMethod.ReadWrite.All": "50483e42-d915-4231-9639-7fdb7fd190e5",
    }
    # Microsoft Graph delegated permissions (OAuth2 scopes), keyed by permission name.
    # Note that the same permission name has a different GUID as a delegated scope.
    uuid_delegated: ClassVar[dict[str, str]] = {
        "GroupMember.Read.All": "bc024368-1153-4739-b217-4326f2e966d0",
        "User.Read.All": "a154be20-db9c-4678-8ab7-66f6cc099a59",
    }
```
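
The static lookup table floated in the PR summary and in the exchange above, as an added example that is not code from this PR or from the data-safe-haven repository. It keeps only the GUIDs the deployment needs (values copied from the thread), builds the requiredResourceAccess entry an Entra application manifest expects (the same resource-app-id / id / type fields that pulumi-azuread's Application resource takes), and adds a drift check for the "out-of-sync if any of these GUIDs changed" risk: it compares the table against the name-to-GUID maps that a live lookup of the Microsoft Graph service principal returns. The two SAMPLE_* dicts are constructed stand-ins for that live lookup, trimmed to a few entries; the function and constant names are this example's own.

```python
"""Static Microsoft Graph permission table with a drift check.

Added illustration for the discussion in this thread, not project code.
GUIDs are the ones quoted in the thread; SAMPLE_* dicts are constructed.
"""
from __future__ import annotations

from enum import Enum

# Application (client) ID of the Microsoft Graph first-party app (quoted above).
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


class PermissionType(Enum):
    """The two Graph permission kinds. The value is the `type` string used in an
    application manifest's requiredResourceAccess entries."""

    APPLICATION = "Role"   # app role: granted to the app itself, no signed-in user
    DELEGATED = "Scope"    # OAuth2 scope: exercised on behalf of a signed-in user


# Static lookup (permission name, kind) -> GUID, covering only what the SRE needs,
# instead of carrying the whole Microsoft Graph service principal in Pulumi state.
GRAPH_PERMISSIONS: dict[tuple[str, PermissionType], str] = {
    ("Directory.Read.All", PermissionType.APPLICATION): "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
    ("Group.Read.All", PermissionType.APPLICATION): "5b567255-7703-4780-807c-7be8301ae99b",
    ("User.Read.All", PermissionType.APPLICATION): "df021288-bdef-4463-88db-98f22de89214",
    ("User.Read.All", PermissionType.DELEGATED): "a154be20-db9c-4678-8ab7-66f6cc099a59",
}


def required_resource_access(requested: list[tuple[str, PermissionType]]) -> dict:
    """Build one requiredResourceAccess entry for Microsoft Graph.

    A name missing from the static table raises instead of silently requesting
    nothing, so a typo cannot produce an application with fewer permissions than
    the code that uses it expects.
    """
    accesses = []
    for name, kind in requested:
        guid = GRAPH_PERMISSIONS.get((name, kind))
        if guid is None:
            raise KeyError(
                f"no static GUID for {kind.name.lower()} permission {name!r}; extend GRAPH_PERMISSIONS"
            )
        accesses.append({"id": guid, "type": kind.value})
    return {"resourceAppId": MICROSOFT_GRAPH_APP_ID, "resourceAccess": accesses}


def check_drift(app_role_ids: dict[str, str], oauth2_permission_scope_ids: dict[str, str]) -> list[str]:
    """Compare the static table with name -> GUID maps read from the live Microsoft
    Graph service principal (app roles for application permissions, OAuth2 scopes
    for delegated ones). Returns one message per stale entry; empty means current.
    """
    problems: list[str] = []
    for (name, kind), guid in GRAPH_PERMISSIONS.items():
        live = app_role_ids if kind is PermissionType.APPLICATION else oauth2_permission_scope_ids
        label = f"{kind.name.lower()} permission {name}"
        if name not in live:
            problems.append(f"{label} is no longer published by Microsoft Graph")
        elif live[name] != guid:
            problems.append(f"{label} changed GUID: table has {guid}, live has {live[name]}")
    return problems


# Constructed sample of a live lookup, trimmed to a few entries. The real maps hold
# hundreds of permissions, which is the state-file bloat discussed in the thread.
SAMPLE_APP_ROLE_IDS = {
    "Directory.Read.All": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
    "Group.Read.All": "5b567255-7703-4780-807c-7be8301ae99b",
    "User.Read.All": "df021288-bdef-4463-88db-98f22de89214",
}
SAMPLE_OAUTH2_SCOPE_IDS = {
    "User.Read.All": "a154be20-db9c-4678-8ab7-66f6cc099a59",
}


if __name__ == "__main__":
    print(required_resource_access([
        ("User.Read.All", PermissionType.APPLICATION),
        ("User.Read.All", PermissionType.DELEGATED),
    ]))
    print(check_drift(SAMPLE_APP_ROLE_IDS, SAMPLE_OAUTH2_SCOPE_IDS))  # []
    # Simulate Graph re-keying one permission: the check names the stale entry.
    stale = {**SAMPLE_APP_ROLE_IDS, "Group.Read.All": "00000000-0000-0000-0000-000000000000"}
    print(check_drift(stale, SAMPLE_OAUTH2_SCOPE_IDS))
```

The trade-off in the thread is that the service-principal lookup keeps the GUIDs self-updating at the cost of a large state entry, while a static table is small but can go stale. Running check_drift against the live maps at plan time or in CI keeps the small table while still surfacing a renamed or re-keyed permission before an application is created with the wrong IDs.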

@jemrobinson jemrobinson force-pushed the 2215-create-entra-applications-with-pulumi branch from bc3db5a to 7ef3d6c October 29, 2024 09:42
@JimMadge

@jemrobinson That sounds like a good idea then, if the stack doesn't really need the full set 👍.

I'm not super worried though because it is just a few kb in a file we don't expect people to read or edit by hand.

@jemrobinson

@JimMadge : this is actually a bigger refactor than I'd realised. Let's merge this as-is (if you're happy).

@jemrobinson jemrobinson merged commit 868d41c into alan-turing-institute:develop Oct 29, 2024
11 checks passed
@jemrobinson jemrobinson deleted the 2215-create-entra-applications-with-pulumi branch October 29, 2024 11:21