
Azure storage account firewall rule prevents Terraform deployment with Azure DevOps

I want to deploy my Terraform infrastructure with an Azure DevOps pipeline, but I'm running into a problem with the storage account firewall. Here is an example of a storage account:

resource "azurerm_storage_account" "storage_account" {
  name                = "mystorageaccount"
  resource_group_name = "myresourcegroup"
...
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices", "Logging"]
    ip_rules       = ["192.1.1.1"]
  }
}

The initial creation of the storage account is successful, but because of the firewall rule all further actions, for example adding a container, fail with a not authorized exception.

Unfortunately adding a bypass rule for "AzureServices" does not work.

The reason I have to add the firewall rule is because of company security guidelines, so I cannot just remove it.

Is there a way to handle storage account firewall rules with Azure DevOps?

For Terraform I would suggest running your own agent pools. The agent pools for production environments should be separate from non-production ones and should be located in separate vNets. Then add a network rule to your Storage Account to allow access from the agent pool subnet. The same will happen to most of the services when you use Service Endpoints as well.

//EDIT:

Check some fresh best practices for creating Terraform pipelines.

You can utilise a data source to dynamically check your agent's IP at apply time. The result of which looks like this:

data "http" "myip" {
  # Public IPv4 address of the agent running terraform (newer hashicorp/http
  # provider versions expose the response as response_body instead of body)
  url = "https://ipv4.icanhazip.com"
}

resource "azurerm_storage_account_network_rules" "sample" {
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.storage.name

  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.subnet.id]
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  # chomp() strips the trailing newline from the HTTP response body
  ip_rules                   = [chomp(data.http.myip.body)]
}

You then need to make sure you have removed the IP once you are done, for which I typically just use Remove-AzStorageAccountNetworkRule or something like this
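The answer above leaves the clean-up step open-ended. The script below is an added example (not code from the answer or from any Azure or Terraform project) of the same temporary-allow pattern driven from a pipeline step with the Azure CLI: the agent's IP is added to the storage account firewall, the deployment runs, and the rule is removed in a finally block so it also disappears when terraform apply fails. The storage account and resource group names are placeholders, the `runner` parameter exists so the CLI calls can be swapped out for a recorder in tests, and `settle_seconds` is an assumption about how long you want to wait for the new rule to propagate.

```python
import subprocess
import time
import urllib.request
from contextlib import contextmanager


def agent_public_ip(url="https://ipv4.icanhazip.com"):
    """Look up the agent's public IPv4 address, as the data "http" block does."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip()


def run_az(args):
    """Run one Azure CLI command; the agent must already be logged in."""
    subprocess.run(["az", *args], check=True)


def network_rule_args(verb, account, resource_group, ip):
    """Build 'az storage account network-rule add|remove' for a single IP."""
    return ["storage", "account", "network-rule", verb,
            "--account-name", account,
            "--resource-group", resource_group,
            "--ip-address", ip]


@contextmanager
def temporary_ip_rule(account, resource_group, ip, runner=run_az, settle_seconds=0):
    """Allow `ip` on the storage firewall only for the duration of the block.

    The remove call sits in `finally`, so the rule is deleted even when the
    deployment inside the block raises. settle_seconds (assumed value, tune it
    for your tenant) gives Azure time to propagate the rule before the first
    storage request is made.
    """
    runner(network_rule_args("add", account, resource_group, ip))
    try:
        if settle_seconds:
            time.sleep(settle_seconds)
        yield
    finally:
        runner(network_rule_args("remove", account, resource_group, ip))


def apply_with_temporary_access(account, resource_group, ip, apply, runner=run_az):
    """Run apply() (e.g. terraform apply) with `ip` allowed, then clean up.

    Returns whatever apply() returns; an exception from apply() propagates
    after the firewall rule has been removed.
    """
    with temporary_ip_rule(account, resource_group, ip, runner=runner):
        return apply()


if __name__ == "__main__":
    # Pipeline usage against a real subscription; account and group names are placeholders.
    apply_with_temporary_access(
        "mystorageaccount", "myresourcegroup", agent_public_ip(),
        lambda: subprocess.run(["terraform", "apply", "-auto-approve"], check=True),
    )
```

Because plan and apply stages of a pipeline usually land on different hosted agents, look the IP up inside the same job that performs the apply, as the data source in the answer does.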

Just like @a4c74356b41 said, you have to whitelist all the IP ranges for the agents in my region as described here.

Unfortunately there are about 160 IP ranges (you have to remove all ranges bigger than .../29) + my own, but at least it works now.
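To make the whitelisting in this answer repeatable, here is an added example (my own script, not code from the answer or from Microsoft) that reads the published "Azure IP Ranges and Service Tags" JSON, picks the AzureCloud.<region> tag, keeps only IPv4 prefixes, drops networks larger than the answer's /29 threshold, and rewrites /31 and /32 prefixes as individual addresses, which is the form the storage firewall accepts for those sizes. The embedded JSON is a constructed sample in the shape of the real download with made-up prefixes, the rule-count limit is an assumption to verify against current documentation, and the generated `.tfvars` assignment is meant to feed a `list(string)` variable used as `ip_rules = var.agent_ip_rules`.

```python
import ipaddress
import json

# Constructed sample shaped like Microsoft's downloadable "Azure IP Ranges and
# Service Tags - Public Cloud" JSON, reduced to the keys this script reads.
# The prefixes are illustrative values, not the real published ranges.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "cloud": "Public",
    "values": [
        {
            "name": "AzureCloud.westeurope",
            "properties": {
                "region": "westeurope",
                "addressPrefixes": [
                    "13.69.0.0/17",        # larger than /29: dropped by the threshold
                    "20.50.1.0/30",        # small CIDR: kept as written
                    "20.50.1.8/29",        # exactly /29: kept
                    "20.50.2.5/32",        # /32: emitted as a single address
                    "20.50.2.6/31",        # /31: expanded to its two addresses
                    "2603:1020:200::/47",  # IPv6: storage IP rules are IPv4-only
                ],
            },
        },
        {
            "name": "AzureCloud.northeurope",
            "properties": {
                "region": "northeurope",
                "addressPrefixes": ["40.69.0.0/24"],
            },
        },
    ],
})

# Assumed per-account limit on IP network rules; verify against the current
# Azure Storage documentation before relying on it.
ASSUMED_MAX_IP_RULES = 200


def agent_ip_rules(service_tags_json, region, min_prefix_len=29):
    """Return ip_rules entries for the AzureCloud.<region> service tag.

    Only IPv4 prefixes are kept, networks larger than /min_prefix_len are
    dropped (the answer's "bigger than /29" rule of thumb, adjustable), and
    /31 and /32 prefixes are rewritten as individual addresses because the
    storage firewall does not accept those two prefix sizes in CIDR form.
    """
    tags = json.loads(service_tags_json)
    wanted = f"AzureCloud.{region}"
    rules = []
    for tag in tags["values"]:
        if tag["name"] != wanted:
            continue
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version != 4 or net.prefixlen < min_prefix_len:
                continue
            if net.prefixlen >= 31:
                rules.extend(str(addr) for addr in net)
            else:
                rules.append(str(net))
    return list(dict.fromkeys(rules))  # de-duplicate, keep published order


def to_tfvars(rules, name="agent_ip_rules"):
    """Render the rules as a .tfvars assignment for a list(string) variable."""
    if len(rules) > ASSUMED_MAX_IP_RULES:
        raise ValueError(f"{len(rules)} rules exceed the assumed limit of {ASSUMED_MAX_IP_RULES}")
    body = "".join(f'  "{r}",\n' for r in rules)
    return f"{name} = [\n{body}]\n"


if __name__ == "__main__":
    print(to_tfvars(agent_ip_rules(SAMPLE_SERVICE_TAGS_JSON, "westeurope")))
```

The service tag file changes weekly, so regenerate the variable file as a scheduled pipeline step rather than hand-editing the list; the ValueError is there so a grown region list fails the pipeline loudly instead of being truncated by the firewall.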
