I want to deploy my Terraform infrastructure with an Azure DevOps pipeline, but I'm running into a problem with the storage account firewall. Here is an example of a storage account:
```hcl
resource "azurerm_storage_account" "storage_account" {
  name                = "mystorageaccount"
  resource_group_name = "myresourcegroup"
  ...
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices", "Logging"]
    ip_rules       = ["192.1.1.1"]
  }
}
```
The initial creation of the storage account is successful, but because of the firewall rule all further actions, for example adding a container, fail with a "not authorized" exception.
Unfortunately, adding a bypass rule for "AzureServices" does not work.
The reason I have to add the firewall rule is company security guidelines, so I cannot just remove it.
Is there a way to handle storage account firewall rules with Azure DevOps?
We have added a Terraform file (Infrastructure as Code) to the source control repository in your Azure DevOps project, which can deploy the required Azure resources. If you would like to learn more about the Terraform basics, click here.
It automatically downloads any of the providers (Azure or AWS) required to provision the infrastructure. `terraform plan`: this command determines what actions are necessary to achieve the desired state specified in the configuration files. It is a dry run and shows which actions will be taken.
To block traffic from all networks, use the `az storage account update` command and set the `--public-network-access` parameter to `Disabled`. Traffic will then be allowed only through a private endpoint, which you'll have to create.
For Terraform I would suggest running your own agent pools. The agent pools for production environments should be separate from non-production ones and should be located in separate vNets. Then add a network rule to your Storage Account to allow access from the agent pool subnet. The same applies to most other services when you use Service Endpoints as well.
//EDIT:
Check some fresh best practices for creating Terraform pipelines.
You can utilise a data source to dynamically check your agent's IP at apply time. The result looks like this:
```hcl
# Look up the agent's public IPv4 address at plan/apply time.
data "http" "myip" {
  url = "https://ipv4.icanhazip.com"
}

# chomp() strips the trailing newline that the service returns.
resource "azurerm_storage_account_network_rules" "sample" {
  resource_group_name        = azurerm_resource_group.rg.name
  storage_account_name       = azurerm_storage_account.storage.name
  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.subnet.id]
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  ip_rules                   = [chomp(data.http.myip.body)]
}
```
You then need to make sure you have removed the IP once you are done, for which I typically just use `Remove-AzStorageAccountNetworkRule`,
or something like this:
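The same idea as a pipeline script, added here as an example that is not part of the answer above: the agent's public IP is allowed on the storage account firewall only for the duration of one `terraform apply` and is always removed again, even when apply fails or the step is cancelled. It assumes the `az` CLI is already logged in (for example inside an AzureCLI task) and that `RESOURCE_GROUP` and `STORAGE_ACCOUNT` are pipeline variables; `AZ`, `CURL` and `RULE_PROPAGATION_SECONDS` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: temporarily allow-list this agent's public IP on a storage
# account firewall around one Terraform run, and always revoke it afterwards.
set -euo pipefail

# Commands are taken from variables so they can be stubbed in tests.
AZ="${AZ:-az}"
CURL="${CURL:-curl}"

# Public IPv4 of the agent, from the same source the Terraform http data
# source uses; trailing newline removed (the equivalent of chomp()).
agent_ip() {
  "$CURL" -fsS https://ipv4.icanhazip.com | tr -d '[:space:]'
}

# Add / remove one ip_rules entry: <resource group> <account name> <ip>.
allow_ip() {
  "$AZ" storage account network-rule add -g "$1" --account-name "$2" --ip-address "$3" -o none
}
revoke_ip() {
  "$AZ" storage account network-rule remove -g "$1" --account-name "$2" --ip-address "$3" -o none
}

# Run a command with the agent IP allowed. The EXIT trap covers cancellation
# and set -e aborts; the explicit revoke covers normal success and failure,
# and the command's exit code is passed through so the pipeline step fails.
with_agent_ip_allowed() {
  local rg="$1" sa="$2"; shift 2
  local ip rc=0
  ip="$(agent_ip)"
  allow_ip "$rg" "$sa" "$ip"
  # shellcheck disable=SC2064  # expand now so exactly this IP is revoked
  trap "revoke_ip '$rg' '$sa' '$ip'" EXIT
  sleep "${RULE_PROPAGATION_SECONDS:-30}"  # firewall changes are not instant
  "$@" || rc=$?
  trap - EXIT
  revoke_ip "$rg" "$sa" "$ip"
  return "$rc"
}

# Pipeline entry point; skipped when the variables are not set.
if [ -n "${STORAGE_ACCOUNT:-}" ] && [ -n "${RESOURCE_GROUP:-}" ]; then
  with_agent_ip_allowed "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" terraform apply -auto-approve
fi
```

Because the rule is keyed to the single IP fetched at run time, a shared agent pool behind a NAT still only ever has one short-lived entry, and the `remove` call is what should be verified in the pipeline log.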