Some projects require the use of tools that need to contact upstream servers, e.g. for downloading reference data etc. This means we need to be able to open controlled outbound access from the workspace to dedicated IP addresses/ranges and ports.
I don't believe there's any requirement to allow incoming access, even from a whitelisted source, so we should ignore that for now.
In principle, this is fairly easy to do, providing a service that can be used to poke holes in the firewall for a particular workspace. The harder part is how to allow only the TRE Admin to do this, not the workspace admin. Either this is a workspace-level option/service, but we prevent the workspace admin from using it, or it's a shared service, in which case it needs to know which workspace it's going to apply to.
A minimal solution could be to provide an external tool that does this, and not an option in the UI, but that then becomes harder to track.
We also need to know how this will affect terraform. When it comes to updating other components, we don't want terraform to think it has to rebuild the firewall because it finds a hole in it.
Acceptance criteria:
Solution proposed/accepted
PoC implemented, with grant/revoke ability
Testing
MVP implemented
Documentation
Deployment to the SDE-MVP