Container registry private networking and bucket cidr range fix
This commit is contained in:
parent
dab6cdb7dc
commit
536eccdb90
@ -1,3 +1,11 @@
|
||||
#locals {
|
||||
# whitelist = [
|
||||
# for cidr in values(var.whitelist): {
|
||||
# ip = cidrhost(cidr, 0)
|
||||
# }
|
||||
# ]
|
||||
#}
|
||||
|
||||
resource "azurerm_resource_group" "bucket" {
|
||||
name = "${var.name}-${var.environment}-${var.service_name}"
|
||||
location = var.region
|
||||
@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" {
|
||||
location = azurerm_resource_group.bucket.location
|
||||
account_tier = "Standard"
|
||||
account_replication_type = "LRS"
|
||||
}
|
||||
|
||||
network_rules {
|
||||
default_action = var.policy
|
||||
virtual_network_subnet_ids = var.subnet_ids
|
||||
ip_rules = values(var.whitelist)
|
||||
}
|
||||
resource "azurerm_storage_account_network_rules" "acls" {
|
||||
resource_group_name = azurerm_resource_group.bucket.name
|
||||
storage_account_name = azurerm_storage_account.bucket.name
|
||||
|
||||
default_action = var.policy
|
||||
# Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
|
||||
# it must be stripped to just the IP (no CIDR)
|
||||
ip_rules = [
|
||||
for cidr in values(var.whitelist) : cidrhost(cidr, 0)
|
||||
]
|
||||
virtual_network_subnet_ids = var.subnet_ids
|
||||
bypass = ["AzureServices"]
|
||||
}
|
||||
|
||||
resource "azurerm_storage_container" "bucket" {
|
||||
|
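Review bot: In `azurerm_storage_account_network_rules.acls` the expression `for cidr in values(var.whitelist) : cidrhost(cidr, 0)` reduces every entry to its first address, so a real range such as a /24 is silently narrowed to one host and the rest of the range stays denied. Only /32 entries need the conversion the comment describes; `for cidr in values(var.whitelist) : length(regexall("/32$", cidr)) > 0 ? cidrhost(cidr, 0) : cidr` keeps wider ranges intact, and the two-line comment above it should also say that every whitelist value must be in CIDR notation, since `cidrhost` errors on a bare IP. `bypass = ["AzureServices"]` lets trusted Azure services through the Deny default; a short comment naming which service needs it would help the next reader. The `azurerm_storage_account` "bucket" resource this hunk edits begins before the hunk, and the `azurerm_storage_container` block at its end continues past it.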
@ -1,3 +1,7 @@
|
||||
locals {
|
||||
whitelist = values(var.whitelist)
|
||||
}
|
||||
|
||||
resource "azurerm_resource_group" "acr" {
|
||||
name = "${var.name}-${var.environment}-acr"
|
||||
location = var.region
|
||||
@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" {
|
||||
sku = var.sku
|
||||
admin_enabled = var.admin_enabled
|
||||
#georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
|
||||
network_rule_set {
|
||||
default_action = var.policy
|
||||
|
||||
ip_rule = [
|
||||
for cidr in values(var.whitelist) : {
|
||||
action = "Allow"
|
||||
ip_range = cidr
|
||||
}
|
||||
]
|
||||
# Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
|
||||
#dynamic "ip_rule" {
|
||||
# for_each = values(var.whitelist)
|
||||
# content {
|
||||
# action = "Allow"
|
||||
# ip_range = ip_rule.value
|
||||
# }
|
||||
#}
|
||||
|
||||
virtual_network = [
|
||||
for subnet in var.subnet_ids : {
|
||||
action = "Allow"
|
||||
subnet_id = subnet.value
|
||||
}
|
||||
]
|
||||
#virtual_network {
|
||||
# action = "Allow"
|
||||
# subnet_id = var.subnet_ids
|
||||
#}
|
||||
}
|
||||
}
|
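Review bot: `subnet_id = subnet.value` in the new `virtual_network` for-expression will fail at plan time as soon as `var.subnet_ids` is non-empty: in a `for` expression over a list the iterator is the element itself (`.value` belongs to `dynamic` block iterators), so it should read `subnet_id = subnet`. The dev provider passes `subnet_ids = []`, which is presumably why it did not surface. The `locals { whitelist = values(var.whitelist) }` added in the first hunk is never referenced; the `ip_rule` expression calls `values(var.whitelist)` again, so either use `local.whitelist` there or drop the local. If I read the provider correctly, `network_rule_set` is only accepted on Premium registries, so a non-Premium `var.sku` would fail at apply — worth stating in the `sku` variable description. The enclosing `azurerm_container_registry` "acr" resource starts before this hunk.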
@ -35,3 +35,20 @@ variable "admin_enabled" {
|
||||
default = false
|
||||
|
||||
}
|
||||
|
||||
variable "subnet_ids" {
|
||||
description = "List of subnet_ids that will have access to this service"
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "policy" {
|
||||
description = "The default policy for the network access rules (Allow/Deny)"
|
||||
default = "Deny"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "whitelist" {
|
||||
type = map
|
||||
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
|
||||
default = {}
|
||||
}
|
||||
|
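Review bot: `type = list` for `subnet_ids` and `type = map` for `whitelist` are the legacy unconstrained forms; `type = list(string)` and `type = map(string)` make Terraform reject a wrong shape at plan time instead of inside the for-expressions that consume them. `policy` is typed as any string although only `Allow` and `Deny` are meaningful downstream; if the Terraform version in use supports `validation` blocks, a `contains(["Allow", "Deny"], var.policy)` condition would catch a typo before apply. The `whitelist` description still says Azure expects a bare IP rather than a /32, while the dev defaults in this same commit move to /32 values; this appears to be the registry module, which passes the value straight to `ip_range`, so the description should state the form this module actually expects.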
@ -5,4 +5,7 @@ module "container_registry" {
|
||||
environment = var.environment
|
||||
owner = var.owner
|
||||
backup_region = var.backup_region
|
||||
policy = "Deny"
|
||||
subnet_ids = []
|
||||
whitelist = var.admin_user_whitelist
|
||||
}
|
||||
|
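Review bot: `subnet_ids = []` together with `policy = "Deny"` leaves the registry reachable only from the addresses in `var.admin_user_whitelist`, so anything pulling images from inside the VNet would presumably be refused unless its egress IP happens to be listed. If this is a deliberate first step, a comment such as `subnet_ids = [] # TODO: add the AKS subnet once the VNet module exposes it` would make the intent clear. The `module "container_registry"` block starts before this hunk.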
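--- /dev/null
+++ b/terraform/providers/dev/k8s-test.tf-old
@@ -0,0 +1,41 @@
+resource "azurerm_resource_group" "k8s" {
+name = "${var.name}-${var.environment}-k8s-test"
+location = var.region
+}
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+name = "${var.name}-${var.environment}-k8s-test"
+location = azurerm_resource_group.k8s.location
+resource_group_name = azurerm_resource_group.k8s.name
+dns_prefix = var.k8s_dns_prefix
+
+service_principal {
+client_id = "f05a4457-bd5e-4c63-98e1-89aab42645d0"
+client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811"
+}
+
+default_node_pool {
+name = "default"
+vm_size = "Standard_D1_v2"
+os_disk_size_gb = 30
+vnet_subnet_id = module.vpc.subnets
+enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription
+enable_auto_scaling = true
+max_count = 2
+min_count = 1
+}
+
+identity {
+type = "SystemAssigned"
+}
+lifecycle {
+ignore_changes = [
+default_node_pool.0.node_count
+]
+}
+
+tags = {
+environment = var.environment
+owner = var.owner
+}
+}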
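Review bot: The `service_principal` block hard-codes a `client_id` and `client_secret` as string literals, which puts a live credential into the repository history; the `.tf-old` suffix only stops Terraform from loading the file, it does not protect the value. The secret should be treated as exposed and rotated, and the file should read it from a variable or Key Vault instead, e.g. `client_secret = var.k8s_sp_client_secret`, with the value supplied outside version control and marked `sensitive = true` if the Terraform version supports it. `enable_node_public_ip = true` already carries a FIXME; since the registry elsewhere in this commit is Deny-by-default, those dynamic node IPs are also what would need whitelisting, which is worth noting next to it. If the file is no longer used, deleting it rather than renaming it would be cleaner.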
@ -91,8 +91,8 @@ variable "admin_users" {
|
||||
variable "admin_user_whitelist" {
|
||||
type = map
|
||||
default = {
|
||||
"Rob Gil" = "66.220.238.246"
|
||||
"Dan Corrigan Work" = "108.16.207.173"
|
||||
"Rob Gil" = "66.220.238.246/32"
|
||||
"Dan Corrigan Work" = "108.16.207.173/32"
|
||||
}
|
||||
}
|
||||
|
||||
|
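Review bot: The replacement defaults keep named personal IP addresses in a committed file; a `default = {}` with the real map supplied through an untracked `.tfvars` or the CI secret store would keep them out of the repository. If they must stay, a comment above the map saying that the storage module converts /32 entries back to bare IPs while the registry passes them through as `ip_range` unchanged would explain why the suffix is now required.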