Managing Data Safe Haven deployments
Important
This document assumes that you already have access to a Safe Haven Management (SHM) environment and one or more Secure Research Environments (SREs) that are linked to it.
🔥 Remove a single SRE
In order to tear down an SRE, use the following procedure:
On your deployment machine.
Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team
Open a PowerShell terminal and navigate to the deployment/administration directory within the Data Safe Haven repository
Ensure you are logged into Azure within PowerShell using the command: Connect-AzAccount. This command will give you a URL and a short alphanumeric code. You will need to visit that URL in a web browser and enter the code
NB. If your account is a guest in additional Azure tenants, you may need to add the -Tenant <Tenant ID> flag, where <Tenant ID> is the ID of the Azure tenant you want to deploy into.
Run the following script:
./SRE_Teardown.ps1 -shmId <SHM ID> -sreId <SRE ID>
If you provide the optional -dryRun parameter then the names of all affected resources will be printed, but nothing will be deleted
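The procedure above can be wrapped so that the destructive run only happens after a tenant check, a dry run and a typed confirmation. This is an added example, not code from the Data Safe Haven repository; the wrapper itself, its parameter names and the log file name are hypothetical, and it assumes -dryRun is a switch parameter and that it is run from deployment/administration after Connect-AzAccount.

```powershell
# Added example, not part of the Data Safe Haven repository.
# Assumptions: run from deployment/administration; -dryRun is a switch;
# $ExpectedTenantId and the log file name are this wrapper's own (hypothetical) choices.
param(
    [Parameter(Mandatory = $true)][string]$ShmId,
    [Parameter(Mandatory = $true)][string]$SreId,
    [Parameter(Mandatory = $true)][string]$ExpectedTenantId
)
$ErrorActionPreference = "Stop"

# 1. Confirm we are in the directory that holds the teardown script
$teardown = Join-Path (Get-Location) "SRE_Teardown.ps1"
if (-not (Test-Path $teardown)) {
    throw "SRE_Teardown.ps1 not found; navigate to deployment/administration first."
}

# 2. Confirm the Azure session exists and targets the intended tenant
$context = Get-AzContext
if (-not $context) {
    throw "Not logged in. Run Connect-AzAccount -Tenant $ExpectedTenantId first."
}
if ($context.Tenant.Id -ne $ExpectedTenantId) {
    throw "Logged into tenant $($context.Tenant.Id), expected $ExpectedTenantId."
}
Write-Host "Account: $($context.Account.Id)  Subscription: $($context.Subscription.Name)"

# 3. Record everything that is printed, so there is a log of what was removed
$logFile = "teardown-$ShmId-$SreId-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
Start-Transcript -Path $logFile | Out-Null
try {
    # 4. Dry run: prints the affected resources, deletes nothing
    & $teardown -shmId $ShmId -sreId $SreId -dryRun

    # 5. Require the operator to type the SRE ID (case-sensitive) before deleting
    $answer = Read-Host "Type the SRE ID ($SreId) to delete the resources listed above"
    if ($answer -cne $SreId) {
        Write-Host "Confirmation did not match; nothing was deleted."
        return
    }

    # 6. Real teardown
    & $teardown -shmId $ShmId -sreId $SreId
} finally {
    Stop-Transcript | Out-Null
}
```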
🔚 Remove a complete Safe Haven
💥 Tear down any attached SREs
On your deployment machine.
Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team
Open a PowerShell terminal and navigate to the deployment/administration directory within the Data Safe Haven repository
Ensure you are logged into Azure within PowerShell using the command: Connect-AzAccount. This command will give you a URL and a short alphanumeric code. You will need to visit that URL in a web browser and enter the code
Attention
If your account is a guest in additional Azure tenants, you may need to add the -Tenant <Tenant ID> flag, where <Tenant ID> is the ID of the Azure tenant you want to deploy into.
For each SRE attached to the SHM, do the following:
Tear down the SRE by running:
./SRE_Teardown.ps1 -sreId <SRE ID>
where the SRE ID is the one specified in the relevant config file
Note
If you provide the optional -dryRun parameter then the names of all affected resources will be printed, but nothing will be deleted
🔓 Disconnect from the Azure Active Directory
Connect to the SHM Domain Controller (DC1) via Remote Desktop Client over the SHM VPN connection
Log in as a domain user (i.e. <admin username>@<SHM domain>) using the username and password obtained from the Azure portal
If you see a warning dialog that the certificate cannot be verified as root, accept this and continue
Open PowerShell as an administrator
Navigate to C:\Installation
Run .\Disconnect_AD.ps1
You will need to provide login credentials (including MFA if set up) for <admin username>@<SHM domain>
Attention
Full disconnection of the Azure Active Directory can take up to 72 hours but is typically less.
If you are planning to install a new SHM connected to the same Azure Active Directory you may find the AzureADConnect installation step requires you to wait for the previous disconnection to complete.
💣 Tear down the SHM
On your deployment machine.
Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team
Open a PowerShell terminal and navigate to the deployment/administration directory within the Data Safe Haven repository
Ensure you are logged into Azure within PowerShell using the command: Connect-AzAccount. This command will give you a URL and a short alphanumeric code. You will need to visit that URL in a web browser and enter the code
Attention
If your account is a guest in additional Azure tenants, you may need to add the -Tenant <Tenant ID> flag, where <Tenant ID> is the ID of the Azure tenant you want to deploy into.
Tear down the SHM by running:
./SHM_Teardown.ps1 -shmId <SHM ID>
where <SHM ID> is the management environment ID specified in the configuration file.