
Safe Haven security groups of torn down TRE do not get automatically removed

Open dsj976 opened this issue 10 months ago • 3 comments

:white_check_mark: Checklist

  • [x] I have searched open and closed issues for duplicates.
  • [x] This is a problem observed when managing a Data Safe Haven.
  • [x] I can reproduce this with the latest version.
  • [x] I have read through the documentation.
  • [x] This isn't an open-ended question (open a discussion if it is).

:computer: System information

  • Data Safe Haven version: v4.2.0
  • Operating system details: macOS

:cactus: Powershell module versions

2024-04-19 10:22:18 [SUCCESS]: [✔] Powershell version: 7.4.1
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Dns module version: 1.1.3
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.MonitoringSolutions module version: 0.1.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Poshstache module version: 0.1.10
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.PrivateDns module version: 1.0.4
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Storage module version: 5.10.1
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.DataProtection module version: 2.1.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.KeyVault module version: 4.12.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Microsoft.Graph.Users module version: 1.21.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Microsoft.Graph.Applications module version: 1.21.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Accounts module version: 2.13.1
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Monitor module version: 4.6.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Compute module version: 6.3.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.OperationalInsights module version: 3.2.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Network module version: 6.2.0
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Resources module version: 6.11.1
2024-04-19 10:22:18 [SUCCESS]: [✔] Az.Automation module version: 1.9.1
2024-04-19 10:22:18 [SUCCESS]: [✔] Powershell-Yaml module version: 0.4.2
2024-04-19 10:22:18 [SUCCESS]: [✔] Microsoft.Graph.Authentication module version: 1.21.0
2024-04-19 10:22:19 [SUCCESS]: [✔] Microsoft.Graph.Identity.DirectoryManagement module version: 1.21.0
2024-04-19 10:22:19 [SUCCESS]: [✔] Az.RecoveryServices module version: 6.6.0

:no_entry_sign: Describe the problem

Unsure of whether this is a bug or it's intentional. When a single SRE gets torn down using the SRE_Teardown.ps1 script, its associated security groups in the SHM domain controller (SG <SRE-ID> Data Administrators, SG <SRE-ID> Research Users, SG <SRE-ID> System Administrators) persist. Can these be safely manually removed from the domain controller?

:steam_locomotive: Workarounds or solutions

dsj976 avatar Apr 19 '24 09:04 dsj976

@dsj976 Yes, they can be manually removed if desired.

jemrobinson avatar Apr 22 '24 14:04 jemrobinson

UPDATE: I think that by deleting the data storage account of the TRE within the PERSISTENT_DATA resource group of the SHM, and then running the Run_ADSync.ps1 script in the DC, the security groups get deleted.

dsj976 avatar Apr 23 '24 09:04 dsj976

Hmm, I'm not sure why deleting the data storage account would make any difference here. Running Run_ADSync.ps1 will trigger synchronisation of the groups in AzureAD/Entra to the ones on the domain controller, so if they're already deleted on the domain controller (e.g. by the teardown script) then this will delete them in the cloud too.

jemrobinson avatar Apr 23 '24 12:04 jemrobinson
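A helper for the manual clean-up discussed in this thread, as an added example that is not part of the Data Safe Haven project: it assumes the ActiveDirectory module is available on the SHM domain controller and that the leftover groups follow the "SG <SRE-ID> <role>" naming shown in the issue. By default it only reports whether each group still exists and who is in it; removal happens only with `-Remove`, and it leaves the cmdlet's own confirmation prompt in place.

```powershell
# Added example (not Data Safe Haven project code): inspect and optionally
# remove the three SHM security groups left behind for one torn-down SRE.
param(
    [Parameter(Mandatory)][string]$SreId,   # the <SRE-ID> of the SRE already torn down
    [switch]$Remove                         # without this switch the script only reports
)
Import-Module ActiveDirectory

# Role suffixes taken from the group names quoted in the issue
$roles    = @('Data Administrators', 'Research Users', 'System Administrators')
$expected = $roles | ForEach-Object { "SG $SreId $_" }

foreach ($name in $expected) {
    # Exact-name match so that, e.g., SRE 'abc1' never matches 'abc10'
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Host "[absent ] $name"
        continue
    }

    # Show remaining members so an operator can spot a group that is still in use
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    Write-Host ("[present] {0} ({1} member(s))" -f $name, $members.Count)
    $members | ForEach-Object { Write-Host "           - $($_.SamAccountName)" }

    if ($Remove) {
        # Remove-ADGroup prompts for confirmation by default; -Confirm:$false is
        # deliberately not used so a mistyped SRE ID cannot silently remove a live SRE's groups
        Remove-ADGroup -Identity $group
    }
}
```

As the thread notes, running Run_ADSync.ps1 on the DC afterwards propagates the deletion to AzureAD/Entra.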