Container registry private networking and bucket cidr range fix

This commit is contained in:
Rob Gil 2020-01-23 13:13:56 -05:00
parent dab6cdb7dc
commit 536eccdb90
6 changed files with 117 additions and 7 deletions

View File

@ -1,3 +1,11 @@
#locals {
# whitelist = [
# for cidr in values(var.whitelist): {
# ip = cidrhost(cidr, 0)
# }
# ]
#}
resource "azurerm_resource_group" "bucket" {
name = "${var.name}-${var.environment}-${var.service_name}"
location = var.region
@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" {
location = azurerm_resource_group.bucket.location
account_tier = "Standard"
account_replication_type = "LRS"
}
network_rules {
default_action = var.policy
virtual_network_subnet_ids = var.subnet_ids
ip_rules = values(var.whitelist)
}
resource "azurerm_storage_account_network_rules" "acls" {
resource_group_name = azurerm_resource_group.bucket.name
storage_account_name = azurerm_storage_account.bucket.name
default_action = var.policy
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
# it must be stripped to just the IP (no CIDR)
ip_rules = [
for cidr in values(var.whitelist) : cidrhost(cidr, 0)
]
virtual_network_subnet_ids = var.subnet_ids
bypass = ["AzureServices"]
}
resource "azurerm_storage_container" "bucket" {

View File

@ -1,3 +1,7 @@
locals {
whitelist = values(var.whitelist)
}
resource "azurerm_resource_group" "acr" {
name = "${var.name}-${var.environment}-acr"
location = var.region
@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" {
sku = var.sku
admin_enabled = var.admin_enabled
#georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
network_rule_set {
default_action = var.policy
ip_rule = [
for cidr in values(var.whitelist) : {
action = "Allow"
ip_range = cidr
}
]
# Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
#dynamic "ip_rule" {
# for_each = values(var.whitelist)
# content {
# action = "Allow"
# ip_range = ip_rule.value
# }
#}
virtual_network = [
for subnet in var.subnet_ids : {
action = "Allow"
subnet_id = subnet.value
}
]
#virtual_network {
# action = "Allow"
# subnet_id = var.subnet_ids
#}
}
}

View File

@ -35,3 +35,20 @@ variable "admin_enabled" {
default = false
}
variable "subnet_ids" {
description = "List of subnet_ids that will have access to this service"
type = list
}
variable "policy" {
description = "The default policy for the network access rules (Allow/Deny)"
default = "Deny"
type = string
}
variable "whitelist" {
type = map
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {}
}

View File

@ -5,4 +5,7 @@ module "container_registry" {
environment = var.environment
owner = var.owner
backup_region = var.backup_region
policy = "Deny"
subnet_ids = []
whitelist = var.admin_user_whitelist
}

View File

@ -0,0 +1,41 @@
resource "azurerm_resource_group" "k8s" {
name = "${var.name}-${var.environment}-k8s-test"
location = var.region
}
resource "azurerm_kubernetes_cluster" "k8s" {
name = "${var.name}-${var.environment}-k8s-test"
location = azurerm_resource_group.k8s.location
resource_group_name = azurerm_resource_group.k8s.name
dns_prefix = var.k8s_dns_prefix
service_principal {
client_id = "f05a4457-bd5e-4c63-98e1-89aab42645d0"
client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811"
}
default_node_pool {
name = "default"
vm_size = "Standard_D1_v2"
os_disk_size_gb = 30
vnet_subnet_id = module.vpc.subnets
enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription
enable_auto_scaling = true
max_count = 2
min_count = 1
}
identity {
type = "SystemAssigned"
}
lifecycle {
ignore_changes = [
default_node_pool.0.node_count
]
}
tags = {
environment = var.environment
owner = var.owner
}
}

View File

@ -91,8 +91,8 @@ variable "admin_users" {
variable "admin_user_whitelist" {
type = map
default = {
"Rob Gil" = "66.220.238.246"
"Dan Corrigan Work" = "108.16.207.173"
"Rob Gil" = "66.220.238.246/32"
"Dan Corrigan Work" = "108.16.207.173/32"
}
}