Container registry private networking and bucket cidr range fix

2020-01-23 13:13:56 -05:00
parent dab6cdb7dc
commit 536eccdb90
6 changed files with 117 additions and 7 deletions
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -1,3 +1,11 @@
+#locals {
+#  whitelist = [
+#    for cidr in values(var.whitelist): {
+#      ip = cidrhost(cidr, 0)
+#    }
+#  ]
+#}
+
 resource "azurerm_resource_group" "bucket" {
  name     = "${var.name}-${var.environment}-${var.service_name}"
  location = var.region
@@ -9,12 +17,20 @@ resource "azurerm_storage_account" "bucket" {
  location                 = azurerm_resource_group.bucket.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
+}

-  network_rules {
-    default_action             = var.policy
-    virtual_network_subnet_ids = var.subnet_ids
-    ip_rules                   = values(var.whitelist)
-  }
+resource "azurerm_storage_account_network_rules" "acls" {
+  resource_group_name  = azurerm_resource_group.bucket.name
+  storage_account_name = azurerm_storage_account.bucket.name
+
+  default_action = var.policy
+  # Azure Storage CIDR ACLs do not accept /32 CIDR ranges, so
+  # it must be stripped to just the IP (no CIDR)
+  ip_rules = [
+    for cidr in values(var.whitelist) : cidrhost(cidr, 0)
+  ]
+  virtual_network_subnet_ids = var.subnet_ids
+  bypass                     = ["AzureServices"]
 }

 resource "azurerm_storage_container" "bucket" {
--- a/terraform/modules/container_registry/main.tf
+++ b/terraform/modules/container_registry/main.tf
@@ -1,3 +1,7 @@
+locals {
+  whitelist = values(var.whitelist)
+}
+
 resource "azurerm_resource_group" "acr" {
  name     = "${var.name}-${var.environment}-acr"
  location = var.region
@@ -10,4 +14,33 @@ resource "azurerm_container_registry" "acr" {
  sku                 = var.sku
  admin_enabled       = var.admin_enabled
  #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region]
+  network_rule_set {
+    default_action = var.policy
+
+    ip_rule = [
+      for cidr in values(var.whitelist) : {
+        action   = "Allow"
+        ip_range = cidr
+      }
+    ]
+    # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733
+    #dynamic "ip_rule" {
+    #  for_each = values(var.whitelist)
+    #  content {
+    #    action   = "Allow"
+    #    ip_range = ip_rule.value
+    #  }
+    #}
+
+    virtual_network = [
+      for subnet in var.subnet_ids : {
+        action    = "Allow"
+        subnet_id = subnet.value
+      }
+    ]
+    #virtual_network {
+    #  action = "Allow"
+    #  subnet_id = var.subnet_ids
+    #}
+  }
 }
--- a/terraform/modules/container_registry/variables.tf
+++ b/terraform/modules/container_registry/variables.tf
@@ -35,3 +35,20 @@ variable "admin_enabled" {
  default     = false

 }
+
+variable "subnet_ids" {
+  description = "List of subnet_ids that will have access to this service"
+  type        = list
+}
+
+variable "policy" {
+  description = "The default policy for the network access rules (Allow/Deny)"
+  default     = "Deny"
+  type        = string
+}
+
+variable "whitelist" {
+  type        = map
+  description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
+  default     = {}
+}