From 38ce1ef2b269cb05d24ea8900f5c4e4361f49b06 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Thu, 23 Jan 2020 18:41:29 -0500
Subject: [PATCH] Adds list of users for access to storage and more service endpoints

This sets up the rest of the service endpoints on the subnets. It also adds a variable map specifically to grant IP access to the storage buckets. This new variable map is necessary since the azure storage ip rules do not accept /32 CIDR ranges. The rest of the services do support cidr ranges.
---
 terraform/modules/bucket/main.tf | 6 +++---
 terraform/providers/dev/buckets.tf | 4 ++--
 terraform/providers/dev/variables.tf | 12 ++++++++++--
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index 2e43e304..3b2463ed 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -24,10 +24,10 @@ resource "azurerm_storage_account_network_rules" "acls" {
 storage_account_name = azurerm_storage_account.bucket.name
 default_action = var.policy
 
- # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
- # it must be stripped to just the IP (no CIDR)
+
+ # Azure Storage CIDR ACLs do not accept /32 CIDR ranges.
 ip_rules = [
- for cidr in values(var.whitelist) : cidrhost(cidr, 0)
+ for cidr in values(var.whitelist) : cidr
 ]
 virtual_network_subnet_ids = var.subnet_ids
 bypass = ["AzureServices"]
diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf
index ad2c7ab5..36510f3e 100644
--- a/terraform/providers/dev/buckets.tf
+++ b/terraform/providers/dev/buckets.tf
@@ -9,7 +9,7 @@ module "task_order_bucket" {
 region = var.region
 policy = "Allow"
 subnet_ids = [module.vpc.subnets]
- whitelist = var.admin_user_whitelist
+ whitelist = var.storage_admin_whitelist
 }
 
 # TF State should be restricted to admins only, but IP protected
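Review bot: The rewritten comment above `ip_rules` no longer describes what the code does: the `cidrhost(cidr, 0)` normalisation is gone and each value of `var.whitelist` is now passed through unchanged, so the module relies on every caller supplying bare IPs or ranges wider than /32 and nothing here checks that. Stating the contract would help the next caller, e.g. `# Azure Storage IP rules reject /32 CIDRs; var.whitelist must hold bare IPv4 addresses or ranges wider than /32 — values are used as-is and a /32 fails at apply time.` The same constraint belongs on the module's `whitelist` variable declaration, which is outside this hunk. The enclosing `resource "azurerm_storage_account_network_rules" "acls"` block begins before the hunk.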
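Review bot: The new `whitelist = var.storage_admin_whitelist` on `task_order_bucket` sits next to `policy = "Allow"`, which the module feeds into `default_action`; with a default of Allow the storage account's IP and subnet rules restrict nothing, so the whitelist has no effect on this bucket. If the bucket is meant to be reachable only from the listed addresses and subnets, the effective change is `policy = "Deny"`; if it is intentionally open, a comment next to the whitelist saying so would stop readers assuming it is IP-restricted. This was already true before the commit, so there may be context elsewhere that I cannot see. The `module "task_order_bucket"` block begins above the hunk.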
@@ -25,5 +25,5 @@ module "tf_state" {
 region = var.region
 policy = "Deny"
 subnet_ids = []
- whitelist = var.admin_user_whitelist
+ whitelist = var.storage_admin_whitelist
 }
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf
index 99bd1b87..c4e0f338 100644
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
@@ -39,8 +39,8 @@ variable "networks" {
 variable "service_endpoints" {
 type = map
 default = {
- public = ""
- private = "Microsoft.Storage,Microsoft.KeyVault"
+ public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
+ private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
 }
 }
 
@@ -96,6 +96,14 @@ variable "admin_user_whitelist" {
 }
 }
 
+variable "storage_admin_whitelist" {
+ type = map
+ default = {
+ "Rob Gil" = "66.220.238.246"
+ "Dan Corrigan Work" = "108.16.207.173"
+ }
+}
+
 variable "vpn_client_cidr" {
 type = list
 default = ["172.16.255.0/24"]
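Review bot: The trailing comment on the new `public` value says `Microsoft.ContainerRegistry` is enabled on the public subnet only to avoid a plan/apply loop, so the workaround widens the subnet's service-endpoint surface instead of fixing the cause. If the loop comes from the consumer splitting the empty string into a one-element list (the consumer is not in this patch), handling the empty case there, e.g. `compact(split(",", <endpoint string>))`, would let `public` stay `""`. At minimum the comment should name the mechanism, e.g. `# Not needed on the public subnet; set because an empty value produced a perpetual plan diff in <consumer>`. `type = map` could also be `map(string)` so non-string values are rejected at plan time.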
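Review bot: `storage_admin_whitelist` commits two named operators' source IPs as the variable default, so they live in repository history and every environment using this variable inherits them unless overridden; `admin_user_whitelist` presumably holds the same people as /32 ranges, and the two maps will now drift independently. Prefer `default = {}` with values supplied through an uncommitted `*.tfvars` or per-environment input, and `type = map(string)` instead of the untyped `map`. If the lists are meant to stay in sync, deriving the storage form from `admin_user_whitelist` in one place (dropping only a `/32` suffix, leaving wider ranges intact) would avoid a second hand-maintained copy.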