Adds list of users for access to storage and more service endpoints

This sets up the rest of the service endpoints on the subnets. It also adds a variable map specifically to grant IP access to the storage buckets. This new variable map is necessary since the azure storage ip rules do not accept /32 CIDR ranges. The rest of the services do support cidr ranges.
2020-01-23 18:41:29 -05:00 · 2020-01-23 18:41:29 -05:00 · 38ce1ef2b2
commit 38ce1ef2b2
parent 536eccdb90
3 changed files with 15 additions and 7 deletions
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@ -24,10 +24,10 @@ resource "azurerm_storage_account_network_rules" "acls" {
  storage_account_name = azurerm_storage_account.bucket.name

  default_action = var.policy
-  # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
-  # it must be stripped to just the IP (no CIDR)
+
+  # Azure Storage CIDR ACLs do not accept /32 CIDR ranges.
  ip_rules = [
-    for cidr in values(var.whitelist) : cidrhost(cidr, 0)
+    for cidr in values(var.whitelist) : cidr
  ]
  virtual_network_subnet_ids = var.subnet_ids
  bypass                     = ["AzureServices"]
--- a/terraform/providers/dev/buckets.tf
+++ b/terraform/providers/dev/buckets.tf
@ -9,7 +9,7 @@ module "task_order_bucket" {
  region       = var.region
  policy       = "Allow"
  subnet_ids   = [module.vpc.subnets]
-  whitelist    = var.admin_user_whitelist
+  whitelist    = var.storage_admin_whitelist
 }

 # TF State should be restricted to admins only, but IP protected
@ -25,5 +25,5 @@ module "tf_state" {
  region       = var.region
  policy       = "Deny"
  subnet_ids   = []
-  whitelist    = var.admin_user_whitelist
+  whitelist    = var.storage_admin_whitelist
 }
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
@ -39,8 +39,8 @@ variable "networks" {
 variable "service_endpoints" {
  type = map
  default = {
-    public  = ""
-    private = "Microsoft.Storage,Microsoft.KeyVault"
+    public  = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
+    private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
  }
 }

@ -96,6 +96,14 @@ variable "admin_user_whitelist" {
  }
 }

+variable "storage_admin_whitelist" {
+  type = map
+  default = {
+    "Rob Gil"           = "66.220.238.246"
+    "Dan Corrigan Work" = "108.16.207.173"
+  }
+}
+
 variable "vpn_client_cidr" {
  type    = list
  default = ["172.16.255.0/24"]