Assign function subnet to output storage

microsoft · Jun 29, 2024 · 44dc0dd · 44dc0dd
1 parent 6e031c0
commit 44dc0dd
Show file tree

Hide file tree

Showing 10 changed files with 110 additions and 117 deletions.
diff --git a/deployment/bin/deploy b/deployment/bin/deploy
@@ -69,6 +69,14 @@ SAK_STORAGE_ACCOUNTS=(
   ["pcfilestest"]="pc-test-manual-resources"
 )
 
+# Add client IP to firewall for storage accounts that must have properties read
+# [storage_account]=resource_group
+declare -A FW_STORAGE_ACCOUNTS
+FW_STORAGE_ACCOUNTS=(
+    ["pctesttfstate"]="pc-test-manual-resources"
+    ["pctapisstagingsa"]="pct-apis-westeurope-staging_rg"
+)
+
 if [[ -z ${TERRAFORM_DIR} ]]; then
     echo "Must pass in TERRAFORM_DIR with -t"
     exit 1
@@ -100,10 +108,10 @@ fi
 if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
     #########################
-    # Add IP to KV firewall #
+    # Add IP to firewalls #
     #########################
 
-    bin/kv_add_ip
+    add_ip_to_firewalls
 
     #####################
     # Deploy Terraform  #
@@ -129,16 +137,13 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
     # Gather terraform output
     gather_tf_output
 
-    deploy_funcs
-
-    exit 0
     popd
 
     ##############################
-    # Remove IP from KV firewall #
+    # Remove IP from firewalls #
     ##############################
 
-    bin/kv_rmv_ip
+    remove_ip_from_firewalls
 
     ############################
     # Render Helm chart values #

diff --git a/deployment/bin/kv_add_ip b/deployment/bin/kv_add_ip
diff --git a/deployment/bin/kv_rmv_ip b/deployment/bin/kv_rmv_ip
diff --git a/deployment/bin/lib b/deployment/bin/lib
@@ -155,21 +155,72 @@ function disable_shared_access_keys() {
 }
 
 function enable_shared_access_keys() {
-    echo "Enabling shared key access for storage account..."
     # Terraform isn't able to read all resources from a storage account if shared key access is disabled
     # so while we're deploying, we need to enable it. Since we haven't run TF yet, we don't have the name of the account
     # so they are hardcoded here. This is a temporary workaround until this is resolved
     # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218
 
+    echo "Enabling shared key access for storage accounts..."
     for SAK_STORAGE_ACCOUNT in "${!SAK_STORAGE_ACCOUNTS[@]}"; do
         SAK_RESOURCE_GROUP=${SAK_STORAGE_ACCOUNTS[$SAK_STORAGE_ACCOUNT]}
 
-        echo "   - enabling ${SAK_STORAGE_ACCOUNT} / ${SAK_RESOURCE_GROUP}"
+        echo "   - ${SAK_RESOURCE_GROUP}.${SAK_STORAGE_ACCOUNT}"
         az storage account update \
             --name ${SAK_STORAGE_ACCOUNT} \
             --resource-group ${SAK_RESOURCE_GROUP} \
             --allow-shared-key-access true \
             --subscription ${ARM_SUBSCRIPTION_ID} \
             --output none
     done
+
+    sleep 10
+}
+
+function add_ip_to_firewalls() {
+    cidr=$(get_cidr_range)
+
+    echo "Adding IP $cidr to Key Vault firewall allow list..."
+    az keyvault network-rule add \
+        -g "${KEY_VAULT_RESOURCE_GROUP_NAME}"  \
+        -n "${KEY_VAULT_NAME}" \
+        --ip-address "$cidr" \
+        --subscription "${ARM_SUBSCRIPTION_ID}" \
+        --output none
+
+    # Also add the IP to the terraform state storage account
+    for FW_STORAGE_ACCOUNT in "${!FW_STORAGE_ACCOUNTS[@]}"; do
+        FW_RESOURCE_GROUP=${FW_STORAGE_ACCOUNTS[$FW_STORAGE_ACCOUNT]}
+        echo "Adding IP $cidr to ${FW_STORAGE_ACCOUNT} Storage firewall allow list..."
+        az storage account network-rule add \
+            -g "${FW_RESOURCE_GROUP}" \
+            -n "${FW_STORAGE_ACCOUNT}" \
+            --ip-address "$cidr" \
+            --subscription "${ARM_SUBSCRIPTION_ID}" \
+            --output none
+    done
+
+    sleep 10
+}
+
+function remove_ip_from_firewalls() {
+    cidr=$(get_cidr_range)
+
+    echo "Removing IP $cidr from Key Vault firewall allow list..."
+    az keyvault network-rule remove \
+        -g ${KEY_VAULT_RESOURCE_GROUP_NAME}  \
+        -n ${KEY_VAULT_NAME} \
+        --ip-address $cidr \
+        --subscription ${ARM_SUBSCRIPTION_ID} \
+        --output none
+
+    for FW_STORAGE_ACCOUNT in "${!FW_STORAGE_ACCOUNTS[@]}"; do
+        FW_RESOURCE_GROUP=${FW_STORAGE_ACCOUNTS[$FW_STORAGE_ACCOUNT]}
+        echo "Removing IP $cidr from ${FW_STORAGE_ACCOUNT} Storage firewall allow list..."
+        az storage account network-rule remove \
+            -g ${FW_RESOURCE_GROUP} \
+            -n ${FW_STORAGE_ACCOUNT} \
+            --ip-address $cidr \
+            --subscription ${ARM_SUBSCRIPTION_ID} \
+            --output none
+    done
 }
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
@@ -32,10 +32,6 @@ services:
       # Used to open KV firewall for accessing tf.secrets
       - KEY_VAULT_NAME=pc-test-deploy-secrets
       - KEY_VAULT_RESOURCE_GROUP_NAME=pc-test-manual-resources
-
-      # Used to open firewall to tfstate SA
-      - TFSTATE_SA_RG=pc-test-manual-resources
-      - TFSTATE_SA_NAME=pctesttfstate
     working_dir: /opt/src/deployment
     volumes:
       - ../deployment:/opt/src/deployment

diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf
@@ -15,6 +15,8 @@ resource "azurerm_linux_function_app" "pcfuncs" {
   service_plan_id      = azurerm_service_plan.pc.id
   storage_account_name = azurerm_storage_account.pc.name
 
+  virtual_network_subnet_id = azurerm_subnet.function_subnet.id
+
   ftp_publish_basic_authentication_enabled       = false
   webdeploy_publish_basic_authentication_enabled = false
 
@@ -57,6 +59,7 @@ resource "azurerm_linux_function_app" "pcfuncs" {
   }
 
   site_config {
+    vnet_route_all_enabled   = true
     application_insights_key = azurerm_application_insights.pc_application_insights.instrumentation_key
     ftps_state               = "Disabled"
 
@@ -74,11 +77,7 @@ resource "azurerm_linux_function_app" "pcfuncs" {
   }
 }
 
-# Note: this must be in the same subscription as the rest of the deployed infrastructure
-data "azurerm_storage_container" "output" {
-  name                 = var.output_container_name
-  storage_account_name = var.output_storage_account_name
-}
+
 
 resource "azurerm_role_assignment" "function-app-storage-account-access" {
   scope                = azurerm_storage_account.pc.id
@@ -87,7 +86,7 @@ resource "azurerm_role_assignment" "function-app-storage-account-access" {
 }
 
 resource "azurerm_role_assignment" "function-app-animation-container-access" {
-  scope                = data.azurerm_storage_container.output.resource_manager_id
+  scope                = data.azurerm_storage_account.output-storage-account.id
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
 

diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
@@ -9,7 +9,7 @@ resource "azurerm_storage_account" "pc" {
 
   network_rules {
     default_action             = "Deny"
-    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, ]
+    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, azurerm_subnet.function_subnet.id]
   }
 
   # Disabling shared access keys breaks terraform's ability to do subsequent
@@ -47,3 +47,17 @@ resource "azurerm_storage_table" "blobstoragebannedip" {
   name                 = "blobstoragebannedip"
   storage_account_name = azurerm_storage_account.pc.name
 }
+
+# Output storage account for function app, "pcfilestest"
+data "azurerm_storage_account" "output-storage-account" {
+  name                = var.output_storage_account_name
+  resource_group_name = var.pc_test_resources_rg
+
+}
+
+resource "azurerm_storage_account_network_rules" "pcfunc-vnet-access" {
+  storage_account_id = data.azurerm_storage_account.output-storage-account.id
+
+  default_action             = "Deny"
+  virtual_network_subnet_ids = [azurerm_subnet.function_subnet.id]
+}
diff --git a/deployment/terraform/resources/vnet.tf b/deployment/terraform/resources/vnet.tf
@@ -26,6 +26,25 @@ resource "azurerm_subnet" "cache_subnet" {
   service_endpoints    = []
 }
 
+resource "azurerm_subnet" "function_subnet" {
+  name                 = "${local.prefix}-functions-subnet"
+  virtual_network_name = azurerm_virtual_network.pc.name
+  resource_group_name  = azurerm_resource_group.pc.name
+
+  service_endpoints = ["Microsoft.Storage.Global"]
+  delegation {
+    name = "delegation"
+    service_delegation {
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/action",
+      ]
+      name = "Microsoft.Web/serverFarms"
+    }
+  }
+
+  address_prefixes = ["10.3.0.0/26"]
+}
+
 resource "azurerm_network_security_group" "pc" {
   name                = "${local.prefix}-security-group"
   location            = azurerm_resource_group.pc.location
@@ -53,3 +72,8 @@ resource "azurerm_subnet_network_security_group_association" "pc-cache" {
   subnet_id                 = azurerm_subnet.cache_subnet.id
   network_security_group_id = azurerm_network_security_group.pc.id
 }
+
+resource "azurerm_subnet_network_security_group_association" "pc-functions" {
+  subnet_id                 = azurerm_subnet.function_subnet.id
+  network_security_group_id = azurerm_network_security_group.pc.id
+}
diff --git a/pcfuncs/ipban/__init__.py b/pcfuncs/ipban/__init__.py
@@ -17,7 +17,6 @@ def main(mytimer: func.TimerRequest) -> None:
         datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
     )
     logger.info("Updating the ip ban list at %s", utc_timestamp)
-    logger.info("New RUN")
     credential: DefaultAzureCredential = DefaultAzureCredential()
     with LogsQueryClient(credential) as logs_query_client:
         with TableServiceClient(

diff --git a/pcfuncs/ipban/function.json b/pcfuncs/ipban/function.json
@@ -5,7 +5,7 @@
       "name": "mytimer",
       "type": "timerTrigger",
       "direction": "in",
-      "schedule": "*/5 * * * *"
+      "schedule": "0 */1 * * *"
     }
   ]
 }