James Robinson

Let's leave it until we've worked out whether that's possible.

No, it's still possible for an SHM and SRE to share a name. If so, this will cause a clash in the DSHPulumiConfig

We're already doing this i.e. running as an `inline program` not a `local program`. We still need the Pulumi YAML files in order to synchronise state between multiple users deploying/changing...

Passing the values in and letting Pulumi sort out how to manage the local files is certainly reasonable. Let me know if it works! NB. I don't think we ever...

@JimMadge : is this closed by #1820?

Config examples here: https://blog.thinkbox.dev/posts/0009-domain-filter-with-squid/ https://wiki.squid-cache.org/SquidFaq/SquidAcl https://xebia.com/blog/how-to-configure-squid-as-an-egress-gateway/ https://jasonpangazure.medium.com/how-to-use-azure-firewall-and-squid-as-virtual-appliance-in-azure-route-table-to-overwrite-debc98b8f0b8

It looks like getting Squid to work with HTTPS is complicated (see e.g. https://dev.to/suntong/squid-proxy-and-ssl-interception-1oa4) and is likely to involve installing a self-signed certificate on all resources that need to make...

This is less about accessing e.g. `https://gitea..com` inside the environment but more about accessing `https://login.microsoftonline.com` for user authentication.

I mean, it *is* a MITM attack. The proxy is essentially unwrapping an HTTPS request to find its destination, deciding whether or not to forward it on, making a new...

NB. Azure Firewall does this by resolving FQDNs to a list of IP addresses every 15 seconds (https://learn.microsoft.com/en-us/azure/firewall/fqdn-filtering-network-rules#how-it-works). Could be a way forward if we're happy to write some code...