Container registry private networking and bucket cidr range fix

2020-01-23 13:13:56 -05:00 · 2020-01-23 13:13:56 -05:00 · 536eccdb90
commit 536eccdb90
parent dab6cdb7dc
6 changed files with 117 additions and 7 deletions
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@ -1,3 +1,11 @@
+#locals {
+#  whitelist = [
+#    for cidr in values(var.whitelist): {
+#      ip = cidrhost(cidr, 0)
+#    }
+#  ]
+#}
+
 resource "azurerm_resource_group" "bucket" {
  name     = "${var.name}-${var.environment}-${var.service_name}"
  location = var.region
@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" {
  location                 = azurerm_resource_group.bucket.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
+}

-  network_rules {
-    default_action             = var.policy
-    virtual_network_subnet_ids = var.subnet_ids
-    ip_rules                   = values(var.whitelist)
-  }
+resource "azurerm_storage_account_network_rules" "acls" {
+  resource_group_name  = azurerm_resource_group.bucket.name
+  storage_account_name = azurerm_storage_account.bucket.name
+
+  default_action = var.policy
+  # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
+  # it must be stripped to just the IP (no CIDR)
+  ip_rules = [
+    for cidr in values(var.whitelist) : cidrhost(cidr, 0)
+  ]
+  virtual_network_subnet_ids = var.subnet_ids
+  bypass                     = ["AzureServices"]
 }

 resource "azurerm_storage_container" "bucket" {
--- a/terraform/modules/container_registry/main.tf
+++ b/terraform/modules/container_registry/main.tf
@ -1,3 +1,7 @@
+locals {
+  whitelist = values(var.whitelist)
+}
+
 resource "azurerm_resource_group" "acr" {
  name     = "${var.name}-${var.environment}-acr"
  location = var.region
@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" {
  sku                 = var.sku
  admin_enabled       = var.admin_enabled
  #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
+  network_rule_set {
+    default_action = var.policy
+
+    ip_rule = [
+      for cidr in values(var.whitelist) : {
+        action   = "Allow"
+        ip_range = cidr
+      }
+    ]
+    # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
+    #dynamic "ip_rule" {
+    #  for_each = values(var.whitelist)
+    #  content {
+    #    action   = "Allow"
+    #    ip_range = ip_rule.value
+    #  }
+    #}
+
+    virtual_network = [
+      for subnet in var.subnet_ids : {
+        action    = "Allow"
+        subnet_id = subnet.value
+      }
+    ]
+    #virtual_network {
+    #  action = "Allow"
+    #  subnet_id = var.subnet_ids
+    #}
+  }
 }
--- a/terraform/modules/container_registry/variables.tf
+++ b/terraform/modules/container_registry/variables.tf
@ -35,3 +35,20 @@ variable "admin_enabled" {
  default     = false

 }
+
+variable "subnet_ids" {
+  description = "List of subnet_ids that will have access to this service"
+  type        = list
+}
+
+variable "policy" {
+  description = "The default policy for the network access rules (Allow/Deny)"
+  default     = "Deny"
+  type        = string
+}
+
+variable "whitelist" {
+  type        = map
+  description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
+  default     = {}
+}
--- a/terraform/providers/dev/container_registry.tf
+++ b/terraform/providers/dev/container_registry.tf
@ -5,4 +5,7 @@ module "container_registry" {
  environment   = var.environment
  owner         = var.owner
  backup_region = var.backup_region
+  policy        = "Deny"
+  subnet_ids    = []
+  whitelist     = var.admin_user_whitelist
 }
--- a/terraform/providers/dev/k8s-test.tf-old
+++ b/terraform/providers/dev/k8s-test.tf-old
@ -0,0 +1,41 @@
+resource "azurerm_resource_group" "k8s" {
+  name     = "${var.name}-${var.environment}-k8s-test"
+  location = var.region
+}
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+  name                = "${var.name}-${var.environment}-k8s-test"
+  location            = azurerm_resource_group.k8s.location
+  resource_group_name = azurerm_resource_group.k8s.name
+  dns_prefix          = var.k8s_dns_prefix
+
+  service_principal {
+    client_id     = "f05a4457-bd5e-4c63-98e1-89aab42645d0"
+    client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811"
+  }
+
+  default_node_pool {
+    name                  = "default"
+    vm_size               = "Standard_D1_v2"
+    os_disk_size_gb       = 30
+    vnet_subnet_id        = module.vpc.subnets
+    enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription
+    enable_auto_scaling   = true
+    max_count             = 2
+    min_count             = 1
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+  lifecycle {
+    ignore_changes = [
+      default_node_pool.0.node_count
+    ]
+  }
+
+  tags = {
+    environment = var.environment
+    owner       = var.owner
+  }
+}
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
@ -91,8 +91,8 @@ variable "admin_users" {
 variable "admin_user_whitelist" {
  type = map
  default = {
-    "Rob Gil"           = "66.220.238.246"
-    "Dan Corrigan Work" = "108.16.207.173"
+    "Rob Gil"           = "66.220.238.246/32"
+    "Dan Corrigan Work" = "108.16.207.173/32"
  }
 }