Merge pull request #1350 from robgil-dds/170808212-storage-private-endpoint

Service Endpoints
This commit is contained in:
dandds 2020-01-24 10:24:23 -05:00 committed by GitHub
commit 272d492af6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 204 additions and 21 deletions

View File

@ -281,3 +281,4 @@ secrets-tool secrets --keyvault https://ops-jedidev-keyvault.vault.azure.net/ cr
`terraform apply`
*[Configure AD for MFA](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa)*

View File

@ -11,6 +11,20 @@ resource "azurerm_storage_account" "bucket" {
account_replication_type = "LRS"
}
resource "azurerm_storage_account_network_rules" "acls" {
resource_group_name = azurerm_resource_group.bucket.name
storage_account_name = azurerm_storage_account.bucket.name
default_action = var.policy
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges.
ip_rules = [
for cidr in values(var.whitelist) : cidr
]
virtual_network_subnet_ids = var.subnet_ids
bypass = ["AzureServices"]
}
resource "azurerm_storage_container" "bucket" {
name = "content"
storage_account_name = azurerm_storage_account.bucket.name

View File

@ -29,3 +29,20 @@ variable "service_name" {
description = "Name of the service using this bucket"
type = string
}
variable "subnet_ids" {
description = "List of subnet_ids that will have access to this service"
type = list
}
variable "policy" {
description = "The default policy for the network access rules (Allow/Deny)"
default = "Deny"
type = string
}
variable "whitelist" {
type = map
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {}
}

View File

@ -1,3 +1,7 @@
locals {
whitelist = values(var.whitelist)
}
resource "azurerm_resource_group" "acr" {
name = "${var.name}-${var.environment}-acr"
location = var.region
@ -10,4 +14,30 @@ resource "azurerm_container_registry" "acr" {
sku = var.sku
admin_enabled = var.admin_enabled
#georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
network_rule_set {
default_action = var.policy
ip_rule = [
for cidr in values(var.whitelist) : {
action = "Allow"
ip_range = cidr
}
]
# Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
#dynamic "ip_rule" {
# for_each = values(var.whitelist)
# content {
# action = "Allow"
# ip_range = ip_rule.value
# }
#}
virtual_network = [
for subnet in var.subnet_ids : {
action = "Allow"
subnet_id = subnet.value
}
]
}
}

View File

@ -35,3 +35,20 @@ variable "admin_enabled" {
default = false
}
variable "subnet_ids" {
description = "List of subnet_ids that will have access to this service"
type = list
}
variable "policy" {
description = "The default policy for the network access rules (Allow/Deny)"
default = "Deny"
type = string
}
variable "whitelist" {
type = map
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {}
}

View File

@ -13,6 +13,13 @@ resource "azurerm_key_vault" "keyvault" {
sku_name = "premium"
network_acls {
default_action = var.policy
bypass = "AzureServices"
virtual_network_subnet_ids = var.subnet_ids
ip_rules = values(var.whitelist)
}
tags = {
environment = var.environment
owner = var.owner

View File

@ -32,3 +32,20 @@ variable "admin_principals" {
type = map
description = "A list of user principals who need access to manage the keyvault"
}
variable "subnet_ids" {
description = "List of subnet_ids that will have access to this service"
type = list
}
variable "policy" {
description = "The default policy for the network access rules (Allow/Deny)"
default = "Deny"
type = string
}
variable "whitelist" {
type = map
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {}
}

View File

@ -37,9 +37,9 @@ resource "azurerm_postgresql_virtual_network_rule" "sql" {
}
resource "azurerm_postgresql_database" "db" {
name = "${var.environment}-atat"
name = "${var.name}-${var.environment}-atat"
resource_group_name = azurerm_resource_group.sql.name
server_name = azurerm_postgresql_server.sql.name
charset = "UTF8"
collation = "en_US.utf8"
collation = "en-US"
}

View File

@ -93,4 +93,3 @@ variable "ssl_enforcement" {
description = "Enforce SSL (Enabled/Disable)"
default = "Enabled"
}

View File

@ -13,6 +13,7 @@ resource "azurerm_redis_cache" "redis" {
sku_name = var.sku_name
enable_non_ssl_port = var.enable_non_ssl_port
minimum_tls_version = var.minimum_tls_version
subnet_id = var.subnet_id
redis_configuration {
enable_authentication = var.enable_authentication

View File

@ -22,35 +22,30 @@ variable "capacity" {
type = string
default = 2
description = "The capacity of the redis cache"
}
variable "family" {
type = string
default = "C"
description = "The subscription family for redis"
}
variable "sku_name" {
type = string
default = "Standard"
description = "The sku to use"
}
variable "enable_non_ssl_port" {
type = bool
default = false
description = "Enable non TLS port (default: false)"
}
variable "minimum_tls_version" {
type = string
default = "1.2"
description = "Minimum TLS version to use"
}
variable "enable_authentication" {
@ -58,3 +53,8 @@ variable "enable_authentication" {
default = true
description = "Enable or disable authentication (default: true)"
}
variable "subnet_id" {
type = string
description = "Subnet ID that the service_endpoint should reside"
}

View File

@ -39,6 +39,8 @@ resource "azurerm_subnet" "subnet" {
lifecycle {
ignore_changes = [route_table_id]
}
service_endpoints = split(",", var.service_endpoints[each.key])
#delegation {
# name = "acctestdelegation"
#
@ -108,7 +110,7 @@ resource "azurerm_virtual_network_gateway" "vnet_gateway" {
}
vpn_client_configuration {
address_space = ["172.16.1.0/24"]
address_space = var.vpn_client_cidr
vpn_client_protocols = ["OpenVPN"]
}
}

View File

@ -1,3 +1,9 @@
output "subnets" {
value = azurerm_subnet.subnet["private"].id #FIXME - output should be a map
value = azurerm_subnet.subnet["private"].id #FIXED: this is now legacy, use subnet_list
}
output "subnet_list" {
value = {
for k, id in azurerm_subnet.subnet : k => id
}
}

View File

@ -46,3 +46,15 @@ variable "gateway_subnet" {
type = string
description = "The Subnet CIDR that we'll use for the virtual_network_gateway 'GatewaySubnet'"
}
variable "service_endpoints" {
type = map
description = "A map of the service endpoints and its mapping to subnets"
}
variable "vpn_client_cidr" {
type = list
description = "The CIDR range used for clients on the VPN"
default = ["172.16.0.0/16"]
}

View File

@ -1,3 +1,5 @@
# Task order bucket is required to be accessible publicly by the users.
# which is why the policy here is "Allow"
module "task_order_bucket" {
source = "../../modules/bucket"
service_name = "jeditasksatat"
@ -5,8 +7,15 @@ module "task_order_bucket" {
name = var.name
environment = var.environment
region = var.region
policy = "Allow"
subnet_ids = [module.vpc.subnets]
whitelist = var.storage_admin_whitelist
}
# TF State should be restricted to admins only, but IP protected
# This has to be public due to a chicken/egg issue of VPN not
# existing until TF is run. If this bucket is private, you would
# not be able to access it when running TF without being on a VPN.
module "tf_state" {
source = "../../modules/bucket"
service_name = "jedidevtfstate"
@ -14,4 +23,7 @@ module "tf_state" {
name = var.name
environment = var.environment
region = var.region
policy = "Deny"
subnet_ids = []
whitelist = var.storage_admin_whitelist
}

View File

@ -5,4 +5,7 @@ module "container_registry" {
environment = var.environment
owner = var.owner
backup_region = var.backup_region
policy = "Deny"
subnet_ids = []
whitelist = var.admin_user_whitelist
}

View File

@ -7,5 +7,8 @@ module "keyvault" {
tenant_id = var.tenant_id
principal_id = "f9bcbe58-8b73-4957-aee2-133dc3e58063"
admin_principals = var.admin_users
policy = "Deny"
subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist
}

View File

@ -4,4 +4,7 @@ module "redis" {
environment = var.environment
region = var.region
name = var.name
subnet_id = module.vpc.subnet_list["redis"].id
sku_name = "Premium"
family = "P"
}

View File

@ -7,4 +7,7 @@ module "operator_keyvault" {
tenant_id = var.tenant_id
principal_id = ""
admin_principals = var.admin_users
policy = "Deny"
subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist
}

View File

@ -32,7 +32,17 @@ variable "networks" {
#format
#name = "CIDR, route table, Security Group Name"
public = "10.1.1.0/24,public" # LBs
private = "10.1.2.0/24,private" # k8s, postgres, redis, dns, ad
private = "10.1.2.0/24,private" # k8s, postgres, keyvault
redis = "10.1.3.0/24,private" # Redis
}
}
variable "service_endpoints" {
type = map
default = {
public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
redis = "Microsoft.Storage,Microsoft.Sql" # FIXME: There is no Microsoft.Redis
}
}
@ -48,6 +58,7 @@ variable "route_tables" {
default = {
public = "Internet"
private = "Internet"
redis = "VnetLocal"
#private = "VnetLocal"
}
}
@ -79,3 +90,26 @@ variable "admin_users" {
"Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc"
}
}
variable "admin_user_whitelist" {
type = map
default = {
"Rob Gil" = "66.220.238.246/32"
"Dan Corrigan Work" = "108.16.207.173/32"
"Dan Corrigan Home" = "71.162.221.27/32"
}
}
variable "storage_admin_whitelist" {
type = map
default = {
"Rob Gil" = "66.220.238.246"
"Dan Corrigan Work" = "108.16.207.173"
"Dan Corrigan Home" = "71.162.221.27"
}
}
variable "vpn_client_cidr" {
type = list
default = ["172.16.255.0/24"]
}

View File

@ -1,13 +1,15 @@
module "vpc" {
source = "../../modules/vpc/"
environment = var.environment
region = var.region
virtual_network = var.virtual_network
networks = var.networks
gateway_subnet = var.gateway_subnet
route_tables = var.route_tables
owner = var.owner
name = var.name
dns_servers = var.dns_servers
source = "../../modules/vpc/"
environment = var.environment
region = var.region
virtual_network = var.virtual_network
networks = var.networks
gateway_subnet = var.gateway_subnet
route_tables = var.route_tables
owner = var.owner
name = var.name
dns_servers = var.dns_servers
service_endpoints = var.service_endpoints
vpn_client_cidr = var.vpn_client_cidr
}