Skip to content

Commit

Permalink
Core key vault firewall should not be set to "Allow public access fro…
Browse files Browse the repository at this point in the history
…m all networks" microsoft#4250
  • Loading branch information
jonnyry committed Jan 7, 2025
1 parent 8c1cea9 commit 765a36c
Show file tree
Hide file tree
Showing 10 changed files with 234 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ ENHANCEMENTS:
* Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
* Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
* Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))

BUG FIXES:
* Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
Expand Down
19 changes: 19 additions & 0 deletions core/terraform/.terraform.lock.hcl

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions core/terraform/deploy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@ set -o pipefail
set -o nounset
# set -o xtrace

# add trap to remove deployment network exceptions
trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT

# now add deployment network exceptions
source "../../devops/scripts/add_deployment_network_exceptions.sh"

# This is where we can migrate any Terraform before we plan and apply
# For instance deprecated Terraform resources
# shellcheck disable=SC1091
Expand Down
3 changes: 3 additions & 0 deletions core/terraform/destroy.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ set -o pipefail
set -o nounset
# set -o xtrace

# add deployment network exceptions
source "../../devops/scripts/add_deployment_network_exceptions.sh"

# These variables are loaded in for us
# shellcheck disable=SC2154
../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \
Expand Down
26 changes: 25 additions & 1 deletion core/terraform/keyvault.tf
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,31 @@ resource "azurerm_key_vault" "kv" {
purge_protection_enabled = var.kv_purge_protection_enabled
tags = local.tre_core_tags

lifecycle { ignore_changes = [access_policy, tags] }
public_network_access_enabled = true

network_acls {
default_action = var.enable_local_debugging ? "Allow" : "Deny"
bypass = "AzureServices"
ip_rules = [ local.myip ] # exception for deployment IP, this is removed in the tf postfix step
}

lifecycle {
ignore_changes = [access_policy, tags]
}
}

# add a tag to the key vault denoting it requires an deployment network exception adding
#
resource "null_resource" "add_deployment_tag" {
triggers = {
always_run = timestamp()
}

provisioner "local-exec" {
command = "az resource update --ids ${azurerm_key_vault.kv.id} --set 'tags.${local.tre_deployment_network_exception_tag}=\"true\"' --output none"
}

depends_on = [azurerm_key_vault.kv]
}

resource "azurerm_role_assignment" "keyvault_deployer_role" {
Expand Down
4 changes: 4 additions & 0 deletions core/terraform/locals.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ locals {
tre_core_service_id = var.tre_id
}

# used to tag storage accounts and key vaults that require a IP exception for the deployment runner
# adding to their network firewall during TRE deployment (and removing at the end of deployment)
tre_deployment_network_exception_tag = "tre_deployment_network_exception"

api_diagnostic_categories_enabled = [
"AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs",
"AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"
Expand Down
7 changes: 7 additions & 0 deletions core/terraform/scripts/letsencrypt.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,13 @@ set -e

script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")

# add trap to remove deployment network exceptions on script exit
trap 'source "$script_dir/../../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT

# now add deployment network exceptions
source "$script_dir/../../../devops/scripts/add_deployment_network_exceptions.sh"


if [[ -z ${STORAGE_ACCOUNT} ]]; then
echo "STORAGE_ACCOUNT not set"
exit 1
Expand Down
95 changes: 95 additions & 0 deletions devops/scripts/add_deployment_network_exceptions.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
#!/bin/bash

TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception"

function main() {

set -o errexit
set -o pipefail


# parse params/set up inputs
#
if [[ -z "$TRE_ID" ]]; then
echo -e "Could not open deployment network exceptions: TRE_ID is not set\nExiting...\n"
exit 1
fi

local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"

if [[ -z "$MY_IP" ]]; then
MY_IP=$(curl -s "ipecho.net/plain"; echo)
fi

local TRE_CORE_RG="rg-${TRE_ID}"


# find resources that require network exceptions
#
echo -e "\nQuerying resources that require network exceptions adding for deployment..."

local AZ_IDS
AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv)

if [ -z "$AZ_IDS" ]; then
echo " No resources found"
return 0
fi


# add network exceptions
#
local AZ_ID
for AZ_ID in $AZ_IDS; do

local RESOURCE_TYPE
RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)

if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
add_keyvault_network_exception "$AZ_ID" "$MY_IP"
fi

done

echo ""

}

function add_keyvault_network_exception() {
local AZ_ID="$1"
local MY_IP="$2"

local KV_NAME
KV_NAME=$(basename "$AZ_ID")

echo " Adding keyvault deployment network exception for $KV_NAME"

az keyvault network-rule add --name "$KV_NAME" --ip-address "$MY_IP" --output none

local ATTEMPT=1
local MAX_ATTEMPTS=10

while true; do

if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then
echo " Keyvault $KV_NAME is now accessible"
break
fi

if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
echo -e "Could not add deployment network exception for $KV_NAME"
echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n"
echo -e "$KV_OUTPUT\n"

exit 1
fi

echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect."
sleep 5
((ATTEMPT++))

done

}

main "$@"
5 changes: 5 additions & 0 deletions devops/scripts/destroy_env_no_terraform.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,11 @@ then
no_wait_option="--no-wait"
fi

script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")

# now add deployment network exceptions
source "$script_dir/add_deployment_network_exceptions.sh"

group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?)
if [[ "$group_show_result" != "0" ]]; then
echo "Resource group ${core_tre_rg} not found - skipping destroy"
Expand Down
69 changes: 69 additions & 0 deletions devops/scripts/remove_deployment_network_exceptions.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
#!/bin/bash

TRE_DEPLOYER_FW_EXCEPTION_TAG="tre_deployment_network_exception"

function main() {

set -o errexit
set -o pipefail

# parse params/set up inputs
#
if [[ -z "$TRE_ID" ]]; then
echo -e "Could not close deployment network exceptions: TRE_ID is not set\n"
exit 1
fi

local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"

if [[ -z "$MY_IP" ]]; then
MY_IP=$(curl -s "ipecho.net/plain"; echo)
fi

local TRE_CORE_RG="rg-${TRE_ID}"


# find resources that require network exceptions
#
echo -e "\nQuerying resources that require network exceptions removing for deployment..."

local AZ_IDS
AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYER_FW_EXCEPTION_TAG}=='true'].id" --output tsv)

if [ -z "$AZ_IDS" ]; then
echo " No resources found"
return 0
fi


# remove network exceptions
#
local AZ_ID
for AZ_ID in $AZ_IDS; do

local RESOURCE_TYPE
RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)

if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
remove_keyvault_network_exception "$AZ_ID" "$MY_IP"
fi

done

echo ""

}

function remove_keyvault_network_exception() {
local AZ_ID="$1"
local MY_IP="$2"

local KV_NAME
KV_NAME=$(basename "$AZ_ID")

echo " Removing keyvault deployment network exception for $KV_NAME"

az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none
}

main "$@"

0 comments on commit 765a36c

Please sign in to comment.