Add allow_workspace_internet parameter to template

alan-turing-institute · Jan 9, 2025 · ef05a6c · ef05a6c
1 parent a7f9275
commit ef05a6c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/data_safe_haven/config/sre_config.py b/data_safe_haven/config/sre_config.py
@@ -50,29 +50,35 @@ def template(cls: type[Self], tier: int | None = None) -> SREConfig:
         """Create SREConfig without validation to allow "replace me" prompts."""
         # Set tier-dependent defaults
         if tier == 0:
+            allow_workspace_internet = True
             remote_desktop_allow_copy = True
             remote_desktop_allow_paste = True
             software_packages = SoftwarePackageCategory.ANY
         elif tier == 1:
+            allow_workspace_internet = True
             remote_desktop_allow_copy = True
             remote_desktop_allow_paste = True
             software_packages = SoftwarePackageCategory.ANY
         elif tier == 2:  # noqa: PLR2004
+            allow_workspace_internet = False
             remote_desktop_allow_copy = False
             remote_desktop_allow_paste = False
             software_packages = SoftwarePackageCategory.ANY
         elif tier == 3:  # noqa: PLR2004
+            allow_workspace_internet = False
             remote_desktop_allow_copy = False
             remote_desktop_allow_paste = False
             software_packages = SoftwarePackageCategory.PRE_APPROVED
         elif tier == 4:  # noqa: PLR2004
+            allow_workspace_internet = False
             remote_desktop_allow_copy = False
             remote_desktop_allow_paste = False
             software_packages = SoftwarePackageCategory.NONE
         else:
+            allow_workspace_internet = "True/False: whether to allow outbound internet access from workspaces."  # type: ignore
             remote_desktop_allow_copy = "True/False: whether to allow copying text out of the environment."  # type: ignore
             remote_desktop_allow_paste = "True/False: whether to allow pasting text into the environment."  # type: ignore
-            software_packages = "Which Python/R packages to allow users to install: [any/pre-approved/none]"  # type: ignore
+            software_packages = "[any/pre-approved/none]: which Python/R packages to allow users to install."  # type: ignore
 
         return SREConfig.model_construct(
             azure=ConfigSectionAzure.model_construct(
@@ -89,6 +95,7 @@ def template(cls: type[Self], tier: int | None = None) -> SREConfig:
             sre=ConfigSectionSRE.model_construct(
                 admin_email_address="Email address shared by all administrators",
                 admin_ip_addresses=["List of IP addresses belonging to administrators"],
+                allow_workspace_internet=allow_workspace_internet,
                 databases=["List of database systems to deploy"],  # type:ignore
                 data_provider_ip_addresses=[
                     "List of IP addresses belonging to data providers"

diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md
@@ -58,6 +58,7 @@ name: # A name for your SRE deployment containing only letters, numbers, hyphens
 sre:
   admin_email_address: # Email address shared by all administrators
   admin_ip_addresses: # List of IP addresses belonging to administrators
+  allow_workspace_internet: # True/False: whether to allow outbound internet access from workspaces.
   data_provider_ip_addresses: # List of IP addresses belonging to data providers
   databases: # List of database systems to deploy
   remote_desktop: