Adds list of users for access to storage and more service endpoints

This sets up the rest of the service endpoints on the subnets. It also
adds a variable map specifically to grant IP access to the storage
buckets. This new variable map is necessary since the azure storage ip
rules do not accept /32 CIDR ranges. The rest of the services do support
cidr ranges.
This commit is contained in:
Rob Gil 2020-01-23 18:41:29 -05:00
parent 536eccdb90
commit 38ce1ef2b2
3 changed files with 15 additions and 7 deletions

View File

@ -24,10 +24,10 @@ resource "azurerm_storage_account_network_rules" "acls" {
storage_account_name = azurerm_storage_account.bucket.name
default_action = var.policy
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
# it must be stripped to just the IP (no CIDR)
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges.
ip_rules = [
for cidr in values(var.whitelist) : cidrhost(cidr, 0)
for cidr in values(var.whitelist) : cidr
]
virtual_network_subnet_ids = var.subnet_ids
bypass = ["AzureServices"]

View File

@ -9,7 +9,7 @@ module "task_order_bucket" {
region = var.region
policy = "Allow"
subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist
whitelist = var.storage_admin_whitelist
}
# TF State should be restricted to admins only, but IP protected
@ -25,5 +25,5 @@ module "tf_state" {
region = var.region
policy = "Deny"
subnet_ids = []
whitelist = var.admin_user_whitelist
whitelist = var.storage_admin_whitelist
}

View File

@ -39,8 +39,8 @@ variable "networks" {
variable "service_endpoints" {
type = map
default = {
public = ""
private = "Microsoft.Storage,Microsoft.KeyVault"
public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
}
}
@ -96,6 +96,14 @@ variable "admin_user_whitelist" {
}
}
variable "storage_admin_whitelist" {
type = map
default = {
"Rob Gil" = "66.220.238.246"
"Dan Corrigan Work" = "108.16.207.173"
}
}
variable "vpn_client_cidr" {
type = list
default = ["172.16.255.0/24"]