從Azure DevOps限制對Azure的部署權限

Question

我想鎖定對kudu工具的訪問，例如https：//.scm.azurewebsites.net/DebugConsole到azure devops使用的一組ip地址。 我已經進入AzureDevops - >組織設置 - >概述並看到我的組織的Azure Devops在例如西歐舉行我從這里下載了azure數據中心的IP地址列表： https ： //www.microsoft.com/ EN-NZ /下載/ details.aspx？ID = 41653

我已經進入App Service - > Networking blade - > Configure Access限制並上傳了例如West Europe的ip地址列表.scm.azurewebsites.net。

我的理解是AzureDevops代理在組織設置中指定的區域運行，所以如果我輸入這些IP地址，他們應該能夠使kudu工具正常，但我得到以下錯誤：

Failed to deploy web package to App Service.
Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer ("<myappservice>.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_COULD_NOT_CONNECT_TO_REMOTESVC.
Error: The remote server returned an error: (403) Forbidden.

如果我刪除它所部署的IP地址沒有問題。 如何限制對Azure Devops的部署訪問

Answer 1

正如Daniel Mann的評論所暗示的那樣 - 您應該使用Azure RBAC來限制Azure Devops服務主體在Azure中可以執行的操作。 如果您只允許它管理特定的應用服務 - 它將只能這樣做。

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Answer 2

我找到了一個解決方法，只需要一個預部署步驟，禁用部署到.scm.azurewebsites.net的IP地址限制，然后立即啟用它們。 預部署步驟：

Write-Host ("Removing IP Address restrictions from scm site")
$apiVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).apiVersions[0]
$webAppConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $webSiteName -ResourceGroupName $resourceGroupName -apiVersion $apiVersion)
$webAppConfig.Properties.scmIpSecurityRestrictions = @()
Set-AzureRmResource -ResourceId $webAppConfig.ResourceId -Properties $webAppConfig.Properties -apiVersion $apiVersion -Force
Write-Host ("Removed IP Address restrictions from scm site")

PostDeploy步驟：寫入主機（“啟用Cloudflare防火牆 - 啟動IP地址限制”）

function AddRules($rulesToAdd) {
    $rules = @()
    foreach ($ruleToAdd in $rulesToAdd) 
    {
        $rule = [PSCustomObject] @{
            ipAddress = $ruleToAdd.ipAddress; 
            action = $ruleToAdd.action; 
            priority = $ruleToAdd.priority; 
            name = $ruleToAdd.name; 
            description = $ruleToAdd.description 
            }
        $rules += $rule
    }
return $rules
}

# Access to the main site should only be allowed through cloudflare
[PSCustomObject] $websiteRulesToAdd = 
    @{ipAddress="173.245.48.0/20";action="Allow";priority="100";name="CF01";description="CloudFlare Ip Address"},`
# etc

# Access to the development site should be locked down to developers (NB: These rules are temporarily disabled on deployment)
[PSCustomObject] $scmRulesToAdd = 
    @{ipAddress="X.X.X.X/32";action="Allow";priority="100";name="developer1";description="Developer IP Address"}
# etc

$apiVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).apiVersions[0]
$webAppConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $webSiteName -ResourceGroupName $resourceGroupName -apiVersion $apiVersion)
Write-Host ("Writing IP Address restrictions")
$webAppConfig.Properties.ipSecurityRestrictions = AddRules -rulesToAdd $websiteRulesToAdd
$webAppConfig.Properties.scmIpSecurityRestrictions = AddRules -rulesToAdd $scmRulesToAdd
Set-AzureRmResource -ResourceId $webAppConfig.ResourceId -Properties $webAppConfig.Properties -apiVersion $apiVersion -Force
Write-Host ("Completed IP Address restrictions")

這由AzureDevops作為部署的一部分運行，因此可以控制訪問。 我希望這對某人有用