Adds list of users for access to storage and more service endpoints
This sets up the rest of the service endpoints on the subnets. It also adds a variable map specifically to grant IP access to the storage buckets. This new variable map is necessary because the Azure Storage IP rules do not accept /32 CIDR ranges; the rest of the services do support CIDR ranges.
This commit is contained in:
parent
536eccdb90
commit
38ce1ef2b2
@ -24,10 +24,10 @@ resource "azurerm_storage_account_network_rules" "acls" {
|
||||
storage_account_name = azurerm_storage_account.bucket.name
|
||||
|
||||
default_action = var.policy
|
||||
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
|
||||
# it must be stripped to just the IP (no CIDR)
|
||||
|
||||
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges.
|
||||
ip_rules = [
|
||||
for cidr in values(var.whitelist) : cidrhost(cidr, 0)
|
||||
for cidr in values(var.whitelist) : cidr
|
||||
]
|
||||
virtual_network_subnet_ids = var.subnet_ids
|
||||
bypass = ["AzureServices"]
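Review bot: The new comprehension `for cidr in values(var.whitelist) : cidr` is an identity and reads more plainly as `ip_rules = values(var.whitelist)`; keeping the loop variable named `cidr` is also misleading now that the map is meant to carry bare addresses. The shortened comment drops the part a caller needs, so say what the map must hold, e.g. `# ip_rules accepts single IPs or ranges but not /31 or /32 prefixes; var.whitelist values must be bare IPs (see storage_admin_whitelist)`. Note that the previous `cidrhost(cidr, 0)` collapsed any wider range to its network address, while the new form passes values through unchanged and nothing validates them, so a /32 entry in the map is now likely to be rejected by Azure at apply time rather than handled here. The resource block continues outside the hunk.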
|
||||
|
@ -9,7 +9,7 @@ module "task_order_bucket" {
|
||||
region = var.region
|
||||
policy = "Allow"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
whitelist = var.storage_admin_whitelist
|
||||
}
|
||||
|
||||
# TF State should be restricted to admins only, but IP protected
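Review bot: Switching `whitelist` to `var.storage_admin_whitelist` has no restricting effect on this bucket while `policy = "Allow"` stands two lines above, because the module passes `policy` straight to `default_action` (visible in the network-rules hunk) and with a default of Allow the `ip_rules` never deny anything. If the intent is that only the listed admins and the VPC subnets reach the task-order bucket, this should be `policy = "Deny"` as in `tf_state`; if Allow is deliberate, a comment would save the next reader the question, e.g. `# default_action Allow: the whitelist only takes effect once policy is switched to Deny`. The same rename appears in the tf_state hunk below, where Deny is already set.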
|
||||
@ -25,5 +25,5 @@ module "tf_state" {
|
||||
region = var.region
|
||||
policy = "Deny"
|
||||
subnet_ids = []
|
||||
whitelist = var.admin_user_whitelist
|
||||
whitelist = var.storage_admin_whitelist
|
||||
}
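Review bot: With `policy = "Deny"` and `subnet_ids = []`, the new `var.storage_admin_whitelist` becomes the only network path into the state account apart from the `AzureServices` bypass, so an operator or CI runner whose egress IP is not in that map will fail at `terraform init`, and a stale entry keeps a departed admin's address authorised. Worth a comment on the `whitelist` line: `# Sole network path to state: every operator/CI egress IP must be listed; remove entries when access is revoked`. The module block starts outside the hunk.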
|
||||
|
@ -39,8 +39,8 @@ variable "networks" {
|
||||
variable "service_endpoints" {
|
||||
type = map
|
||||
default = {
|
||||
public = ""
|
||||
private = "Microsoft.Storage,Microsoft.KeyVault"
|
||||
public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
|
||||
private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
|
||||
}
|
||||
}
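Review bot: The `service_endpoints` values are comma-joined strings (`"Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"`), which the consumer presumably splits; declaring `type = map(list(string))` with list values would drop the string parsing and let Terraform reject a misspelled endpoint name as a type error instead of at apply. The `# Not necessary but added to avoid infinite state loop` comment on the `public` entry records the symptom but not the cause; name what produces the perpetual diff, or reference the issue, otherwise the next maintainer will remove the entry and re-trigger it. Enabling a service endpoint on the public subnet does not by itself grant that subnet access to a registry — the target resource's own network rules still decide — and stating that in the comment would keep the entry from being read as an access grant.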
|
||||
|
||||
@ -96,6 +96,14 @@ variable "admin_user_whitelist" {
|
||||
}
|
||||
}
|
||||
|
||||
variable "storage_admin_whitelist" {
|
||||
type = map
|
||||
default = {
|
||||
"Rob Gil" = "66.220.238.246"
|
||||
"Dan Corrigan Work" = "108.16.207.173"
|
||||
}
|
||||
}
|
||||
|
||||
variable "vpn_client_cidr" {
|
||||
type = list
|
||||
default = ["172.16.255.0/24"]
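Review bot: `storage_admin_whitelist` duplicates the membership of `admin_user_whitelist` (whose definition starts above the hunk) as a second hand-maintained map, so revoking an admin now requires editing both and a miss leaves storage reachable from the old address. If the existing map's values are /32 CIDRs, the storage form could be derived from it rather than maintained separately, e.g. `{ for k, v in var.admin_user_whitelist : k => replace(v, "/32", "") }` in a local, which keeps the two in step. The defaults also commit named individuals' public IP addresses into repository history; an empty default with values supplied from an uncommitted tfvars file avoids that. `type = map` is the unconstrained legacy form; `map(string)` states the contract the network-rules resource relies on.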
|
||||
|