From d42655a9cd121cbdb212c224876ea63ba5d8197b Mon Sep 17 00:00:00 2001
From: Rob Emanuele
Date: Fri, 28 Jun 2024 10:21:11 -0400
Subject: [PATCH 1/3] Set default deny network action on SA

---
 deployment/terraform/resources/storage_account.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
index 411270d8..592d4c0c 100644
--- a/deployment/terraform/resources/storage_account.tf
+++ b/deployment/terraform/resources/storage_account.tf
@@ -7,6 +7,11 @@ resource "azurerm_storage_account" "pc" {
 min_tls_version = "TLS1_2"
 allow_nested_items_to_be_public = false
 
+ network_rules {
+ default_action = "Deny"
+ virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, ]
+ }
+
 # Disabling shared access keys breaks terraform's ability to do subsequent
 # resource fetching during terraform plan. As a result, this property is
 # ignored and managed outside of this apply session, via the deploy script.

From 383fc04071e8e44df135be876f6f553e3c9e4f90 Mon Sep 17 00:00:00 2001
From: Rob Emanuele
Date: Fri, 28 Jun 2024 10:21:43 -0400
Subject: [PATCH 2/3] Add IP to tf state storage firewall

---
 deployment/bin/kv_add_ip | 10 ++++++++++
 deployment/bin/kv_rmv_ip | 9 +++++++++
 deployment/docker-compose.yml | 4 ++++
 3 files changed, 23 insertions(+)

diff --git a/deployment/bin/kv_add_ip b/deployment/bin/kv_add_ip
index 137dee99..255374d7 100755
--- a/deployment/bin/kv_add_ip
+++ b/deployment/bin/kv_add_ip
@@ -28,6 +28,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
 cidr=$(get_cidr_range)
 
+ echo "Adding IP $cidr to Key Vault firewall allow list..."
 az keyvault network-rule add \
 -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \
 -n ${KEY_VAULT_NAME} \
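Review bot: `default_action = "Deny"` is set without an explicit `bypass`, so whether Azure platform services (logging, metrics, trusted services) keep access depends on the provider default rather than on this file; state it, e.g. `bypass = ["AzureServices"]`, or `bypass = ["None"]` if nothing should bypass the rule. Only `node_subnet` is allow-listed, so that subnet needs the `Microsoft.Storage` service endpoint (not visible here) and any `ip_rules` added outside Terraform — as the sibling deploy scripts do for the state account — are undeclared and may be reverted on the next apply unless excluded with `lifecycle { ignore_changes = [...] }`. The trailing comma in `[azurerm_subnet.node_subnet.id, ]` is valid HCL but `terraform fmt` would drop it. The `azurerm_storage_account.pc` resource starts before the hunk and continues after it.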
@@ -35,4 +36,13 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 --subscription ${ARM_SUBSCRIPTION_ID} \
 --output none
 
+ # Also add the IP to the terraform state storage account
+ echo "Adding IP $cidr to Storage firewall allow list..."
+ az storage account network-rule add \
+ -g ${TFSTATE_SA_RG} \
+ -n ${TFSTATE_SA_NAME} \
+ --ip-address $cidr \
+ --subscription ${ARM_SUBSCRIPTION_ID} \
+ --output none
+
 fi
diff --git a/deployment/bin/kv_rmv_ip b/deployment/bin/kv_rmv_ip
index 228d9535..50af3432 100755
--- a/deployment/bin/kv_rmv_ip
+++ b/deployment/bin/kv_rmv_ip
@@ -28,6 +28,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
 cidr=$(get_cidr_range)
 
+ echo "Removing IP $cidr from Key Vault firewall allow list..."
 az keyvault network-rule remove \
 -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \
 -n ${KEY_VAULT_NAME} \
@@ -35,4 +36,12 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 --subscription ${ARM_SUBSCRIPTION_ID} \
 --output none
 
+ echo "Removing IP $cidr from Storage firewall allow list..."
+ az storage account network-rule remove \
+ -g ${TFSTATE_SA_RG} \
+ -n ${TFSTATE_SA_NAME} \
+ --ip-address $cidr \
+ --subscription ${ARM_SUBSCRIPTION_ID} \
+ --output none
+
 fi
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
index da67cbbe..43a10461 100644
--- a/deployment/docker-compose.yml
+++ b/deployment/docker-compose.yml
@@ -32,6 +32,10 @@ services:
 # Used to open KV firewall for accessing tf.secrets
 - KEY_VAULT_NAME=pc-test-deploy-secrets
 - KEY_VAULT_RESOURCE_GROUP_NAME=pc-test-manual-resources
+
+ # Used to open firewall to tfstate SA
+ - TFSTATE_SA_RG=pc-test-manual-resources
+ - TFSTATE_SA_NAME=pctesttfstate
 working_dir: /opt/src/deployment
 volumes:
 - ../deployment:/opt/src/deployment

From bd420aa5729584bddeb242c12600826d9fb9cef1 Mon Sep 17 00:00:00 2001
From: Rob Emanuele
Date: Fri, 28 Jun 2024 10:22:03 -0400
Subject: [PATCH 3/3] Add subscription to shared access key setting

---
 deployment/bin/lib | 2 ++
 1 file changed, 2 insertions(+)
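Review bot: The new storage rule passes `$cidr` straight through, but Azure Storage IP rules do not accept /31 or /32 prefixes (single hosts are entered without a suffix, unlike the Key Vault firewall), so if `get_cidr_range` — defined outside the hunk — returns the host in CIDR form the add call fails after the Key Vault rule has already been opened; strip the suffix for the storage call, e.g. `--ip-address "${cidr%/32}" \`. The same applies to the `network-rule remove` call in the kv_rmv_ip hunk below, where that failure (or an earlier failure of the Key Vault removal, if the script's header enables `set -e`) leaves the address permanently allow-listed on the state account, so each removal should run independently of the other's outcome. `${TFSTATE_SA_RG}`, `${TFSTATE_SA_NAME}` and `$cidr` are unquoted, so an unset variable shifts the following flag into the argument position instead of failing with a clear message; quote them and check they are set before the first `az` call. The enclosing `if [ "${BASH_SOURCE[0]}" = "${0}" ]` block starts before the hunk.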
diff --git a/deployment/bin/lib b/deployment/bin/lib
index 5710dbce..7da26e1f 100755
--- a/deployment/bin/lib
+++ b/deployment/bin/lib
@@ -142,6 +142,7 @@ function disable_shared_access_keys() {
 --name ${SAK_STORAGE_ACCOUNT} \
 --resource-group ${SAK_RESOURCE_GROUP} \
 --allow-shared-key-access false \
+ --subscription ${ARM_SUBSCRIPTION_ID} \
 --output none
 
 if [ $? -ne 0 ]; then
@@ -168,6 +169,7 @@ function enable_shared_access_keys() {
 --name ${SAK_STORAGE_ACCOUNT} \
 --resource-group ${SAK_RESOURCE_GROUP} \
 --allow-shared-key-access true \
+ --subscription ${ARM_SUBSCRIPTION_ID} \
 --output none
 done
 }
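Review bot: `${ARM_SUBSCRIPTION_ID}` is added unquoted in both `disable_shared_access_keys` and `enable_shared_access_keys`; if the variable is empty the flag is left without a value and the `az` call dies on argument parsing rather than with a message naming the unset variable, so quote it and check it is set: `--subscription "${ARM_SUBSCRIPTION_ID}" \`. The disable path checks `$?` after the call (the check continues outside the hunk), but the enable loop in the second hunk goes straight to `done` with no status check, so a failed re-enable is silent; since disabling is the security-relevant direction that asymmetry is tolerable, but the loop should at least report which account failed. Both functions start before the hunk, and the first also continues after it.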