diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index a92dc84f..2e43e304 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -1,3 +1,11 @@ +#locals { +# whitelist = [ +# for cidr in values(var.whitelist): { +# ip = cidrhost(cidr, 0) +# } +# ] +#} + resource "azurerm_resource_group" "bucket" { name = "${var.name}-${var.environment}-${var.service_name}" location = var.region @@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" { location = azurerm_resource_group.bucket.location account_tier = "Standard" account_replication_type = "LRS" +} - network_rules { - default_action = var.policy - virtual_network_subnet_ids = var.subnet_ids - ip_rules = values(var.whitelist) - } +resource "azurerm_storage_account_network_rules" "acls" { + resource_group_name = azurerm_resource_group.bucket.name + storage_account_name = azurerm_storage_account.bucket.name + + default_action = var.policy + # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so + # it must be stripped to just the IP (no CIDR) + ip_rules = [ + for cidr in values(var.whitelist) : cidrhost(cidr, 0) + ] + virtual_network_subnet_ids = var.subnet_ids + bypass = ["AzureServices"] } resource "azurerm_storage_container" "bucket" { diff --git a/terraform/modules/container_registry/main.tf b/terraform/modules/container_registry/main.tf index a22bacf0..6ee6022d 100644 --- a/terraform/modules/container_registry/main.tf +++ b/terraform/modules/container_registry/main.tf @@ -1,3 +1,7 @@ +locals { + whitelist = values(var.whitelist) +} + resource "azurerm_resource_group" "acr" { name = "${var.name}-${var.environment}-acr" location = var.region 
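Review bot: The commented-out `locals` block added at the top of `modules/bucket/main.tf` is dead code that duplicates the `cidrhost` expression now written inline in `ip_rules` of `azurerm_storage_account_network_rules.acls`; either remove it or turn it into a live `local.whitelist` that the network rules reference, so the ACL shape is defined in one place. If it is kept as a reminder, a one-line comment saying why it is disabled would stop the next reader from guessing.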
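Review bot: `ip_rules = [for cidr in values(var.whitelist) : cidrhost(cidr, 0)]` in the new `azurerm_storage_account_network_rules.acls` resource applies the /32-stripping to every entry, not only to /32s, so a genuine range such as a /24 is reduced to its network address and the rest of the range is silently dropped from the allow list, contradicting the comment above it. Strip only single-host entries: `for cidr in values(var.whitelist) : cidrnetmask(cidr) == "255.255.255.255" ? cidrhost(cidr, 0) : cidr` (both functions require CIDR notation, which the dev `admin_user_whitelist` now satisfies; a bare IP would fail either way, so the module's `whitelist` description should state that). `bypass = ["AzureServices"]` has no counterpart in the removed inline `network_rules` block and lets trusted Microsoft services through a `Deny` policy; if that is intended, a comment naming the service that needs it would make the widening deliberate rather than incidental (the provider may have applied this default before, but the new code now pins it explicitly).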
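Review bot: `local.whitelist` defined in the new `locals` block of `modules/container_registry/main.tf` is never referenced — the `network_rule_set` added later in the same file builds `ip_rule` from `values(var.whitelist)` directly — so the local is dead weight. Either use `local.whitelist` in the `ip_rule` comprehension or drop the block. If kept, it is the natural place to normalise entries (for example stripping /32) once the form the registry accepts is settled.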
@@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" { sku = var.sku admin_enabled = var.admin_enabled #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region] + network_rule_set { + default_action = var.policy + + ip_rule = [ + for cidr in values(var.whitelist) : { + action = "Allow" + ip_range = cidr + } + ] + # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733 + #dynamic "ip_rule" { + # for_each = values(var.whitelist) + # content { + # action = "Allow" + # ip_range = ip_rule.value + # } + #} + + virtual_network = [ + for subnet in var.subnet_ids : { + action = "Allow" + subnet_id = subnet.value + } + ] + #virtual_network { + # action = "Allow" + # subnet_id = var.subnet_ids + #} + } } \ No newline at end of file diff --git a/terraform/modules/container_registry/variables.tf b/terraform/modules/container_registry/variables.tf index 6fe16ad5..48fbb64a 100644 --- a/terraform/modules/container_registry/variables.tf +++ b/terraform/modules/container_registry/variables.tf @@ -35,3 +35,20 @@ variable "admin_enabled" { default = false } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} diff --git a/terraform/providers/dev/container_registry.tf b/terraform/providers/dev/container_registry.tf index 0bbf0901..805ef3e8 100644 --- a/terraform/providers/dev/container_registry.tf +++ b/terraform/providers/dev/container_registry.tf 
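Review bot: `subnet_id = subnet.value` in the `virtual_network` comprehension is wrong: inside a `for` expression `subnet` is already the list element (the subnet id string), so `.value` is an attribute lookup on a string and fails at plan time — `.value` is the `dynamic`-block iterator syntax carried over from the commented-out block below it, and the defect is masked only because the dev provider passes `subnet_ids = []`, so the body never evaluates. Change it to `subnet_id = subnet`. Separately, `ip_range = cidr` passes the /32 values straight through while the module's own `whitelist` variable description says Azure expects the bare IP; confirm which form ACR accepts and, if it is the bare IP, apply the same `cidrhost` normalisation the bucket module uses. As far as I recall `network_rule_set` is only honoured on the Premium SKU, so with `sku = var.sku` it would be worth documenting or validating that constraint. The commented-out `dynamic` and `virtual_network` alternatives can go once the list form is confirmed, and the file should end with a newline.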
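Review bot: `type = list` and `type = map` on the new `subnet_ids` and `whitelist` variables are the untyped legacy constraints; `list(string)` and `map(string)` would reject a wrong shape at plan time instead of at the point of use inside `network_rule_set`. The `whitelist` description ("Azure expects just the IP, NOT a /32") also contradicts the values this same commit changes to /32 in `providers/dev/variables.tf` and passes through unmodified as `ip_range`; settle which form the registry accepts and make the description say that. A `validation` block on `policy` restricting it to `Allow`/`Deny` would catch typos, if the Terraform version in use supports it.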
@@ -5,4 +5,7 @@ module "container_registry" { environment = var.environment owner = var.owner backup_region = var.backup_region + policy = "Deny" + subnet_ids = [] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/k8s-test.tf-old b/terraform/providers/dev/k8s-test.tf-old new file mode 100644 index 00000000..c681d2db --- /dev/null +++ b/terraform/providers/dev/k8s-test.tf-old @@ -0,0 +1,41 @@ +resource "azurerm_resource_group" "k8s" { + name = "${var.name}-${var.environment}-k8s-test" + location = var.region +} + +resource "azurerm_kubernetes_cluster" "k8s" { + name = "${var.name}-${var.environment}-k8s-test" + location = azurerm_resource_group.k8s.location + resource_group_name = azurerm_resource_group.k8s.name + dns_prefix = var.k8s_dns_prefix + + service_principal { + client_id = "f05a4457-bd5e-4c63-98e1-89aab42645d0" + client_secret = "19b69e2c-9f55-4850-87cb-88c67a8dc811" + } + + default_node_pool { + name = "default" + vm_size = "Standard_D1_v2" + os_disk_size_gb = 30 + vnet_subnet_id = module.vpc.subnets + enable_node_public_ip = true # Nodes need a public IP for external resources. FIXME: Switch to NAT Gateway if its available in our subscription + enable_auto_scaling = true + max_count = 2 + min_count = 1 + } + + identity { + type = "SystemAssigned" + } + lifecycle { + ignore_changes = [ + default_node_pool.0.node_count + ] + } + + tags = { + environment = var.environment + owner = var.owner + } +} diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 467f806c..99bd1b87 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -91,8 +91,8 @@ variable "admin_users" { variable "admin_user_whitelist" { type = map default = { - "Rob Gil" = "66.220.238.246" - "Dan Corrigan Work" = "108.16.207.173" + "Rob Gil" = "66.220.238.246/32" + "Dan Corrigan Work" = "108.16.207.173/32" } }
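Review bot: `subnet_ids = []` together with `policy = "Deny"` leaves the registry reachable only from the `admin_user_whitelist` addresses; any workload inside Azure that pulls images (an AKS node pool, for instance) would need its subnet listed here or be denied, which presumably is not the intent once a cluster exists. A comment recording that decision, or the subnet of the consuming workload, would make the intent explicit. `policy = "Deny"` duplicates the module default and can be omitted.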
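Review bot: The `service_principal` block in the new `k8s-test.tf-old` commits a live credential — `client_secret` is a literal in the file — and the `.tf-old` suffix keeps it out of Terraform but not out of git history. The secret should be treated as exposed and rotated, and both values should come from variables (`client_id = var.k8s_sp_client_id`, `client_secret = var.k8s_sp_client_secret` — constructed names), with the secret marked `sensitive` where the Terraform version supports it, or the cluster moved entirely onto the `identity { type = "SystemAssigned" }` block that is already present (I believe the provider rejects specifying both). `vnet_subnet_id = module.vpc.subnets` looks like it is handed a list where a single subnet id string is expected — confirm the module output's type. `enable_node_public_ip = true` already carries a FIXME; if the file is to be kept at all, that note and the rest belong in a tracked `.tf` behind a `count`, not in a file Terraform ignores.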