Merge pull request #717 from alan-turing-institute/decovid-redeploy

jemrobinson · web-flow · commit d6fbbfa315cc · 2020-06-30T12:13:01.000+01:00
Deployment fixes
diff --git a/deployment/safe_haven_management_environment/remote/create_dc/scripts/Active_Directory_Configuration.ps1 b/deployment/safe_haven_management_environment/remote/create_dc/scripts/Active_Directory_Configuration.ps1
@@ -175,6 +175,11 @@ $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRul
 $success = $success -and $?
 $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adsyncSID, "WriteProperty", "Allow", $guidmap["pwdLastSet"], "Descendents", $guidmap["user"]))
 $success = $success -and $?
+# Allow the localadsync account to write the mS-DS-ConsistencyGuid extended property (used as an anchor) on all descendent user objects
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adsyncSID, "WriteProperty", "Allow", $guidmap["mS-DS-ConsistencyGuid"], "Descendents", $guidmap["user"]))
+$success = $success -and $?
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $adsyncSID, "WriteProperty", "Allow", $guidmap["msDS-KeyCredentialLink"], "Descendents", $guidmap["user"]))
+$success = $success -and $?
 # Set the ACL properties
 Set-ACL -ACLObject $acl -Path "AD:\${domainou}"
 $success = $success -and $?
diff --git a/deployment/secure_research_environment/arm_templates/sre-vnet-gateway-template.json b/deployment/secure_research_environment/arm_templates/sre-vnet-gateway-template.json
@@ -17,6 +17,9 @@
         "Subnet-Data Address Prefix": {
             "type": "string"
         },
+        "Subnet-Databases Address Prefix": {
+            "type": "string"
+        },
         "Subnet-Identity Name": {
             "type": "string"
         },
@@ -26,6 +29,9 @@
         "Subnet-Data Name": {
             "type": "string"
         },
+        "Subnet-Databases Name": {
+            "type": "string"
+        },
         "VNET_DNS_DC1": {
             "type": "string"
         },
@@ -48,7 +54,7 @@
                 },
                 "dhcpOptions": {
                     "dnsServers": [
-                        "[parameters('VNET_DNS_DC1')]",                        
+                        "[parameters('VNET_DNS_DC1')]",
                         "[parameters('VNET_DNS_DC2')]"
                     ]
                 },
@@ -75,6 +81,14 @@
                             "serviceEndpoints": [],
                             "delegations": []
                         }
+                    },
+                    {
+                        "name": "[parameters('Subnet-Databases Name')]",
+                        "properties": {
+                            "addressPrefix": "[parameters('Subnet-Databases Address Prefix')]",
+                            "serviceEndpoints": [],
+                            "delegations": []
+                        }
                     }
                 ],
                 "enableDdosProtection": false,
@@ -123,6 +137,20 @@
             "dependsOn": [
                 "[resourceId('Microsoft.Network/virtualNetworks', parameters('Virtual Network Name'))]"
             ]
+        },
+        {
+            "type": "Microsoft.Network/virtualNetworks/subnets",
+            "name": "[concat(parameters('Virtual Network Name'), '/', parameters('Subnet-Databases Name'))]",
+            "apiVersion": "2018-10-01",
+            "scale": null,
+            "properties": {
+                "addressPrefix": "[parameters('Subnet-Databases Address Prefix')]",
+                "serviceEndpoints": [],
+                "delegations": []
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/virtualNetworks', parameters('Virtual Network Name'))]"
+            ]
         }
     ]
 }
diff --git a/deployment/secure_research_environment/setup/Setup_SRE_VNET_RDS.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_VNET_RDS.ps1
@@ -32,9 +32,11 @@ $params = @{
     "Subnet-Identity Address Prefix" = $config.sre.network.subnets.identity.cidr
     "Subnet-RDS Address Prefix" = $config.sre.network.subnets.rds.cidr
     "Subnet-Data Address Prefix" = $config.sre.network.subnets.data.cidr
+    "Subnet-Databases Address Prefix" = $config.sre.network.subnets.databases.cidr
     "Subnet-Identity Name" = $config.sre.network.subnets.identity.Name
     "Subnet-RDS Name" = $config.sre.network.subnets.rds.Name
     "Subnet-Data Name" = $config.sre.network.subnets.data.Name
+    "Subnet-Databases Name" = $config.sre.network.subnets.databases.Name
     "VNET_DNS_DC1" = $config.shm.dc.ip
     "VNET_DNS_DC2" = $config.shm.dcb.ip
 }
diff --git a/docs/deploy_sre_instructions.md b/docs/deploy_sre_instructions.md
@@ -243,7 +243,7 @@ On your **deployment machine**.
   - NB. If your account is a guest in additional Azure tenants, you may need to add the `-Tenant <Tenant ID>` flag, where `<Tenant ID>` is the ID of the Azure tenant you want to deploy into.
 - Run the `./Update_SRE_RDS_SSL_Certificate.ps1 -sreId <SRE ID> -emailAddress <email>`, where the SRE ID is the one specified in the config and the email address is one that you would like to be notified when certificate expiry is approaching.
 - **NOTE:** This script should be run again whenever you want to update the certificate for this SRE.
-- **Troubleshooting:** Let's Encrypt will only issue **5 certificates per week** for a particular host (e.g. `rdg-sre-sandbox.testa.dsgroupdev.co.uk`). For production environments this should usually not be an issue. The signed certificates are also stored in the key vault for easy redeployment. However, if you find yourself needing to re-run this step without the key vault secret available, either to debug an error experienced in production or when redeploying a test environment frequently during development, you should run `./Update_SRE_RDS_Ssl_Certificate.ps1 -dryRun $true` to use the Let's Encrypt staging server, which will issue certificates more frequently. However, these certificates will not be trusted by your browser, so you will need to override the security warning in your browser to access the RDS web client for testing.
+- **Troubleshooting:** Let's Encrypt will only issue **5 certificates per week** for a particular host (e.g. `rdg-sre-sandbox.testa.dsgroupdev.co.uk`). For production environments this should usually not be an issue. The signed certificates are also stored in the key vault for easy redeployment. However, if you find yourself needing to re-run this step without the key vault secret available, either to debug an error experienced in production or when redeploying a test environment frequently during development, you should run `./Update_SRE_RDS_SSL_Certificate.ps1 -dryRun $true` to use the Let's Encrypt staging server, which will issue certificates more frequently. However, these certificates will not be trusted by your browser, so you will need to override the security warning in your browser to access the RDS web client for testing.
 
 ### :microscope: Test RDS deployment
 - Disconnect from any SRE VMs and connect to the SHM VPN
