Adds IP whitelisting to storage buckets

This commit is contained in:
Rob Gil 2020-01-23 10:02:31 -05:00
parent d22357e609
commit 48482785ac
4 changed files with 24 additions and 3 deletions

View File

@ -13,7 +13,7 @@ resource "azurerm_storage_account" "bucket" {
network_rules {
default_action = var.policy
virtual_network_subnet_ids = var.subnet_ids
#ip_rules = ["66.220.238.246/30"]
ip_rules = values(var.whitelist)
}
}

View File

@ -40,3 +40,9 @@ variable "policy" {
default = "Deny"
type = string
}
variable "whitelist" {
type = map
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {}
}

View File

@ -1,3 +1,5 @@
# Task order bucket is required to be accessible publicly by the users.
# which is why the policy here is "Allow"
module "task_order_bucket" {
source = "../../modules/bucket"
service_name = "jeditasksatat"
@ -5,10 +7,15 @@ module "task_order_bucket" {
name = var.name
environment = var.environment
region = var.region
policy = "Deny"
policy = "Allow"
subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist
}
# TF State should be restricted to admins only, but IP protected
# This has to be public due to a chicken/egg issue of VPN not
# existing until TF is run. If this bucket is private, you would
# not be able to access it when running TF without being on a VPN.
module "tf_state" {
source = "../../modules/bucket"
service_name = "jedidevtfstate"
@ -16,6 +23,7 @@ module "tf_state" {
name = var.name
environment = var.environment
region = var.region
policy = "Allow"
policy = "Deny"
subnet_ids = []
whitelist = var.admin_user_whitelist
}

View File

@ -87,3 +87,10 @@ variable "admin_users" {
"Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc"
}
}
variable "admin_user_whitelist" {
type = map
default = {
"Rob Gil" = "66.220.238.246"
}
}