From bba3943904e6e973b4b7006e5faeea75107721a3 Mon Sep 17 00:00:00 2001 From: elay Date: Wed, 26 Jun 2024 19:16:22 -0700 Subject: [PATCH 1/9] upgrade to linux app and use identity based storage connection for function app --- deployment/terraform/resources/functions.tf | 45 ++++++++++----------- deployment/terraform/resources/output.tf | 2 +- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index 764a3e45..90b2f6fd 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf @@ -11,14 +11,14 @@ resource "azurerm_app_service_plan" "pc" { } } -resource "azurerm_function_app" "pcfuncs" { - name = "func-${local.prefix}" - location = azurerm_resource_group.pc.location - resource_group_name = azurerm_resource_group.pc.name - app_service_plan_id = azurerm_app_service_plan.pc.id - storage_account_name = azurerm_storage_account.pc.name - storage_account_access_key = azurerm_storage_account.pc.primary_access_key - https_only = true +resource "azurerm_linux_function_app" "pcfuncs" { + name = "func-${local.prefix}" + location = azurerm_resource_group.pc.location + resource_group_name = azurerm_resource_group.pc.name + service_plan_id = azurerm_app_service_plan.pc.id + storage_account_name = azurerm_storage_account.pc.name + storage_uses_managed_identity = true + https_only = true identity { type = "SystemAssigned" @@ -48,18 +48,11 @@ resource "azurerm_function_app" "pcfuncs" { "LOG_ANALYTICS_WORKSPACE_ID" = var.prod_log_analytics_workspace_id, } - os_type = "linux" - version = "~4" site_config { - linux_fx_version = "PYTHON|3.9" - use_32_bit_worker_process = false - ftps_state = "Disabled" - - cors { - allowed_origins = ["*"] + application_stack { + python_version = "3.9" } } - lifecycle { ignore_changes = [ tags 
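Review bot: `storage_uses_managed_identity = true` makes the Functions host depend on an RBAC grant that is created elsewhere in this patch, after the app and its system-assigned identity exist, so on a first apply the host can fail to start until the role assignment propagates; that is worth a comment above the attribute, e.g. `# Host storage (AzureWebJobsStorage) is accessed with the system-assigned identity; see the Storage Blob Data Owner assignment below — RBAC propagation can take a few minutes on a fresh deploy.` Dropping `storage_account_access_key` from state is a genuine improvement and should not be undone. The `azurerm_linux_function_app` body continues past the end of the hunk.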
@@ -73,23 +66,29 @@ data "azurerm_storage_container" "output" { storage_account_name = var.output_storage_account_name } +resource "azurerm_role_assignment" "function-app-storage-account-access" { + scope = azurerm_storage_account.pc.id + role_definition_name = "Storage Blob Data Owner" + principal_id = azurerm_linux_function_app.pcfuncs.identity[0].principal_id +} + resource "azurerm_role_assignment" "function-app-animation-container-access" { scope = data.azurerm_storage_container.output.resource_manager_id role_definition_name = "Storage Blob Data Contributor" - principal_id = azurerm_function_app.pcfuncs.identity[0].principal_id + principal_id = azurerm_linux_function_app.pcfuncs.identity[0].principal_id depends_on = [ - azurerm_function_app.pcfuncs + azurerm_linux_function_app.pcfuncs ] } resource "azurerm_role_assignment" "function-app-storage-table-data-contributor" { scope = azurerm_storage_account.pc.id role_definition_name = "Storage Table Data Contributor" - principal_id = azurerm_function_app.pcfuncs.identity[0].principal_id + principal_id = azurerm_linux_function_app.pcfuncs.identity[0].principal_id depends_on = [ - azurerm_function_app.pcfuncs + azurerm_linux_function_app.pcfuncs ] } @@ -102,9 +101,9 @@ data "azurerm_log_analytics_workspace" "prod_log_analytics_workspace" { resource "azurerm_role_assignment" "function-app-log-analytics-access" { scope = data.azurerm_log_analytics_workspace.prod_log_analytics_workspace.id role_definition_name = "Log Analytics Reader" - principal_id = azurerm_function_app.pcfuncs.identity[0].principal_id + principal_id = azurerm_linux_function_app.pcfuncs.identity[0].principal_id depends_on = [ - azurerm_function_app.pcfuncs + azurerm_linux_function_app.pcfuncs ] } \ No newline at end of file diff --git a/deployment/terraform/resources/output.tf b/deployment/terraform/resources/output.tf index 45bc4fa8..f6c0c5f2 100644 --- a/deployment/terraform/resources/output.tf +++ b/deployment/terraform/resources/output.tf 
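Review bot: The new `function-app-storage-account-access` assignment grants Storage Blob Data Owner over the entire `pc` account, which also covers every container that is not host storage (the banned-IP table lives in the same account); if that is deliberate, say so, e.g. `# Storage Blob Data Owner is what identity-based AzureWebJobsStorage needs (host containers and leases); account-scoped because the host creates its own containers.` The resource also omits the `depends_on` that the sibling assignments carry — the reference to `identity[0].principal_id` already orders it, so either drop the redundant `depends_on` from the siblings or add it here so the three blocks read the same way.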
@@ -137,5 +137,5 @@ output "redis_port" { # Functions output "function_app_name" { - value = azurerm_function_app.pcfuncs.name + value = azurerm_linux_function_app.pcfuncs.name } From 6105db4900cf12a9aa3c90d2a907abb660d23e41 Mon Sep 17 00:00:00 2001 From: elay Date: Wed, 26 Jun 2024 19:54:33 -0700 Subject: [PATCH 2/9] add back config --- deployment/terraform/resources/functions.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index 90b2f6fd..5d42e241 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf @@ -49,6 +49,10 @@ resource "azurerm_linux_function_app" "pcfuncs" { } site_config { + ftps_state = "Disabled" + cors { + allowed_origins = ["*"] + } application_stack { python_version = "3.9" } From 40f3db177fb1037f68174f5c694c59ecec973a61 Mon Sep 17 00:00:00 2001 From: elay Date: Fri, 28 Jun 2024 01:01:51 -0700 Subject: [PATCH 3/9] remove settings for remote build, enable local build --- deployment/bin/lib | 2 +- deployment/terraform/resources/functions.tf | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/deployment/bin/lib b/deployment/bin/lib index 5710dbce..2030120f 100755 --- a/deployment/bin/lib +++ b/deployment/bin/lib @@ -122,7 +122,7 @@ function deploy_funcs() { prepare_funcs pushd /opt/src/pcfuncs_deploy - func azure functionapp publish ${FUNCTION_APP_NAME} --python + func azure functionapp publish ${FUNCTION_APP_NAME} --python --no-build popd } diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index 5d42e241..778f4ff2 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf 
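Review bot: `allowed_origins = ["*"]` re-enables a wildcard CORS policy on the function app, so any web origin can call the HTTP-triggered functions from a browser and read the response; if the functions are invoked only server-side or from a known front-end, restrict it, e.g. `allowed_origins = [var.frontend_origin]`, and leave `support_credentials` unset so a wildcard is never paired with credentials. If the wildcard is required (public animation endpoint), a one-line comment stating that the functions are unauthenticated and return no per-user data would justify it. The `site_config` block continues past the end of the hunk.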
@@ -25,8 +25,6 @@ resource "azurerm_linux_function_app" "pcfuncs" {
   }
 
   app_settings = {
-    "ENABLE_ORYX_BUILD" = "true",
-    "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true",
     "FUNCTIONS_WORKER_RUNTIME" = "python",
     "APP_INSIGHTS_IKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key,
     "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key,

From d42655a9cd121cbdb212c224876ea63ba5d8197b Mon Sep 17 00:00:00 2001
From: Rob Emanuele
Date: Fri, 28 Jun 2024 10:21:11 -0400
Subject: [PATCH 4/9] Set default deny network action on SA

---
 deployment/terraform/resources/storage_account.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
index 411270d8..592d4c0c 100644
--- a/deployment/terraform/resources/storage_account.tf
+++ b/deployment/terraform/resources/storage_account.tf
@@ -7,6 +7,11 @@ resource "azurerm_storage_account" "pc" {
   min_tls_version = "TLS1_2"
   allow_nested_items_to_be_public = false
 
+  network_rules {
+    default_action = "Deny"
+    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, ]
+  }
+
   # Disabling shared access keys breaks terraform's ability to do subsequent
   # resource fetching during terraform plan. As a result, this property is
   # ignored and managed outside of this apply session, via the deploy script.
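Review bot: `default_action = "Deny"` with only `node_subnet` allow-listed cuts off the function app, which uses this very account as host storage (`storage_account_name = azurerm_storage_account.pc.name` in functions.tf) and has no VNet integration at this point in the series, and it also blocks the Terraform runner's data-plane reads for the `azurerm_storage_table` resources in this file. The block should state the exception set explicitly rather than rely on provider defaults, e.g. `bypass = ["AzureServices"]` (or `["None"]` if that is the intent), with a comment such as `# Deny by default; only the AKS node subnet (and, once integrated, the function subnet) may reach this account.` The `azurerm_storage_account` body continues past the end of the hunk.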
@@ -28,6 +28,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then cidr=$(get_cidr_range) + echo "Adding IP $cidr to Key Vault firewall allow list..." az keyvault network-rule add \ -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \ -n ${KEY_VAULT_NAME} \ @@ -35,4 +36,13 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then --subscription ${ARM_SUBSCRIPTION_ID} \ --output none + # Also add the IP to the terraform state storage account + echo "Adding IP $cidr to Storage firewall allow list..." + az storage account network-rule add \ + -g ${TFSTATE_SA_RG} \ + -n ${TFSTATE_SA_NAME} \ + --ip-address $cidr \ + --subscription ${ARM_SUBSCRIPTION_ID} \ + --output none + fi diff --git a/deployment/bin/kv_rmv_ip b/deployment/bin/kv_rmv_ip index 228d9535..50af3432 100755 --- a/deployment/bin/kv_rmv_ip +++ b/deployment/bin/kv_rmv_ip @@ -28,6 +28,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then cidr=$(get_cidr_range) + echo "Removing IP $cidr from Key Vault firewall allow list..." az keyvault network-rule remove \ -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \ -n ${KEY_VAULT_NAME} \ @@ -35,4 +36,12 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then --subscription ${ARM_SUBSCRIPTION_ID} \ --output none + echo "Removing IP $cidr from Storage firewall allow list..." + az storage account network-rule remove \ + -g ${TFSTATE_SA_RG} \ + -n ${TFSTATE_SA_NAME} \ + --ip-address $cidr \ + --subscription ${ARM_SUBSCRIPTION_ID} \ + --output none + fi diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml index da67cbbe..43a10461 100644 --- a/deployment/docker-compose.yml +++ b/deployment/docker-compose.yml @@ -32,6 +32,10 @@ services: # Used to open KV firewall for accessing tf.secrets - KEY_VAULT_NAME=pc-test-deploy-secrets - KEY_VAULT_RESOURCE_GROUP_NAME=pc-test-manual-resources + + # Used to open firewall to tfstate SA + - TFSTATE_SA_RG=pc-test-manual-resources + - TFSTATE_SA_NAME=pctesttfstate working_dir: /opt/src/deployment volumes: - ../deployment:/opt/src/deployment 
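Review bot: In `kv_rmv_ip` the two removals run one after the other under the script's `set -e` (visible at the top of the file in its later deletion), so if the Key Vault rule removal fails — rule already gone, transient ARM error — the storage-account rule is never removed and the runner's CIDR stays allow-listed on the tfstate account. Make each removal best-effort and report instead, e.g. append `|| echo "WARN: failed to remove $cidr from ${TFSTATE_SA_NAME}"` to each `az ... network-rule remove` call, or collect failures and exit non-zero at the end. Quoting `"$cidr"`, `"${TFSTATE_SA_RG}"` and `"${TFSTATE_SA_NAME}"` would also match the style of the sibling `az` calls.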
From bd420aa5729584bddeb242c12600826d9fb9cef1 Mon Sep 17 00:00:00 2001 From: Rob Emanuele Date: Fri, 28 Jun 2024 10:22:03 -0400 Subject: [PATCH 6/9] Add subscription to shared access key setting --- deployment/bin/lib | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deployment/bin/lib b/deployment/bin/lib index 5710dbce..7da26e1f 100755 --- a/deployment/bin/lib +++ b/deployment/bin/lib @@ -142,6 +142,7 @@ function disable_shared_access_keys() { --name ${SAK_STORAGE_ACCOUNT} \ --resource-group ${SAK_RESOURCE_GROUP} \ --allow-shared-key-access false \ + --subscription ${ARM_SUBSCRIPTION_ID} \ --output none if [ $? -ne 0 ]; then @@ -168,6 +169,7 @@ function enable_shared_access_keys() { --name ${SAK_STORAGE_ACCOUNT} \ --resource-group ${SAK_RESOURCE_GROUP} \ --allow-shared-key-access true \ + --subscription ${ARM_SUBSCRIPTION_ID} \ --output none done } From 9071e459fa5a3a60676b8f36848e1e4a1b2fb5cb Mon Sep 17 00:00:00 2001 From: Matt McFarland Date: Sat, 29 Jun 2024 11:34:46 -0400 Subject: [PATCH 7/9] Function debugging in new premium service plan --- deployment/bin/deploy | 10 ++++- deployment/bin/lib | 2 +- deployment/terraform/resources/functions.tf | 42 +++++++++++++-------- pcfuncs/ipban/__init__.py | 1 + pcfuncs/ipban/function.json | 2 +- scripts/cideploy | 3 +- 6 files changed, 41 insertions(+), 19 deletions(-) diff --git a/deployment/bin/deploy b/deployment/bin/deploy index 1d689580..1199429e 100755 --- a/deployment/bin/deploy +++ b/deployment/bin/deploy @@ -14,6 +14,7 @@ function usage() { Deploys the project infrastructure. -t TERRAFORM_DIR: The terraform directory. Required. +-y: Auto approve the terraform changes. --plan: Only run Terraform plan. --skip-tf: Skips Terraform apply. Will still gather terraform output " @@ -37,6 +38,10 @@ while [[ "$#" -gt 0 ]]; do case $1 in PLAN_ONLY=1 shift ;; + -y) + AUTO_APPROVE=-auto-approve + shift + ;; --help) usage exit 0 
@@ -118,12 +123,15 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then exit 0 fi - terraform apply -auto-approve + terraform apply "$AUTO_APPROVE" fi # Gather terraform output gather_tf_output + deploy_funcs + + exit 0 popd ############################## diff --git a/deployment/bin/lib b/deployment/bin/lib index 2030120f..6adb9ad5 100755 --- a/deployment/bin/lib +++ b/deployment/bin/lib @@ -122,7 +122,7 @@ function deploy_funcs() { prepare_funcs pushd /opt/src/pcfuncs_deploy - func azure functionapp publish ${FUNCTION_APP_NAME} --python --no-build + func azure functionapp publish ${FUNCTION_APP_NAME} --python #--no-build popd } diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index 778f4ff2..0f85310f 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf @@ -1,22 +1,24 @@ -resource "azurerm_app_service_plan" "pc" { - name = "plan-${local.prefix}" +resource "azurerm_service_plan" "pc" { + name = "app-plan-${local.prefix}" location = azurerm_resource_group.pc.location resource_group_name = azurerm_resource_group.pc.name - kind = "functionapp" - reserved = true + os_type = "Linux" + + sku_name = "EP1" - sku { - tier = "Dynamic" - size = "Y1" - } } resource "azurerm_linux_function_app" "pcfuncs" { - name = "func-${local.prefix}" - location = azurerm_resource_group.pc.location - resource_group_name = azurerm_resource_group.pc.name - service_plan_id = azurerm_app_service_plan.pc.id - storage_account_name = azurerm_storage_account.pc.name + name = "func-${local.prefix}" + location = azurerm_resource_group.pc.location + resource_group_name = azurerm_resource_group.pc.name + service_plan_id = azurerm_service_plan.pc.id + storage_account_name = azurerm_storage_account.pc.name + + ftp_publish_basic_authentication_enabled = false + webdeploy_publish_basic_authentication_enabled = false + + storage_uses_managed_identity = true https_only = true 
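Review bot: `terraform apply "$AUTO_APPROVE"` passes an empty-string positional argument whenever `-y` is not given, which terraform rejects, so every non-CI deploy now fails at apply; use `terraform apply ${AUTO_APPROVE:+-auto-approve}` with `AUTO_APPROVE=1` set in the `-y` case, or leave the expansion unquoted. The `deploy_funcs` / `exit 0` pair inserted after `gather_tf_output` also returns before the firewall-removal step that follows later in this script, leaving the runner's IP on the Key Vault allow list — presumably a debugging leftover. The `if` block this hunk sits in starts before the hunk.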
@@ -30,6 +32,14 @@ resource "azurerm_linux_function_app" "pcfuncs" { "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key, "AzureWebJobsDisableHomepage" = true, + "WEBSITE_RUN_FROM_PACKAGE" = 1, + + "BUILD_FLAGS" = "UseExpressBuild", + "ENABLE_ORYX_BUILD" = "true" + "SCM_DO_BUILD_DURING_DEPLOYMENT" = "1", + "WEBSITE_RUN_FROM_PACKAGE" = "1", + "XDG_CACHE_HOME" = "/tmp/.cache" + # Animation Function "ANIMATION_OUTPUT_STORAGE_URL" = var.animation_output_storage_url, "ANIMATION_API_ROOT_URL" = var.funcs_data_api_url, @@ -47,7 +57,9 @@ resource "azurerm_linux_function_app" "pcfuncs" { } site_config { - ftps_state = "Disabled" + application_insights_key = azurerm_application_insights.pc_application_insights.instrumentation_key + ftps_state = "Disabled" + cors { allowed_origins = ["*"] } @@ -108,4 +120,4 @@ resource "azurerm_role_assignment" "function-app-log-analytics-access" { depends_on = [ azurerm_linux_function_app.pcfuncs ] -} \ No newline at end of file +} diff --git a/pcfuncs/ipban/__init__.py b/pcfuncs/ipban/__init__.py index 72f0e645..6d0c369c 100644 --- a/pcfuncs/ipban/__init__.py +++ b/pcfuncs/ipban/__init__.py @@ -17,6 +17,7 @@ def main(mytimer: func.TimerRequest) -> None: datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() ) logger.info("Updating the ip ban list at %s", utc_timestamp) + logger.info("New RUN") credential: DefaultAzureCredential = DefaultAzureCredential() with LogsQueryClient(credential) as logs_query_client: with TableServiceClient( diff --git a/pcfuncs/ipban/function.json b/pcfuncs/ipban/function.json index 2b55fa8e..fa1e72d2 100644 --- a/pcfuncs/ipban/function.json +++ b/pcfuncs/ipban/function.json @@ -5,7 +5,7 @@ "name": "mytimer", "type": "timerTrigger", "direction": "in", - "schedule": "0 */1 * * *" + "schedule": "*/5 * * * *" } ] } diff --git a/scripts/cideploy b/scripts/cideploy index 053695fc..3954187f 100755 --- a/scripts/cideploy +++ b/scripts/cideploy 
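Review bot: `application_insights_key` in `site_config` plus `APPINSIGHTS_INSTRUMENTATIONKEY` and `APP_INSIGHTS_IKEY` in `app_settings` configure the same instrumentation key three different ways; Azure has been steering telemetry configuration to connection strings, so prefer `application_insights_connection_string = azurerm_application_insights.pc_application_insights.connection_string` and drop the key-based duplicates (keeping `APP_INSIGHTS_IKEY` only if the function code reads it, which this diff does not show). The hunk also sets `WEBSITE_RUN_FROM_PACKAGE` twice (`= 1` and `= "1"`), which HCL rejects as a duplicate object key, and `WEBSITE_RUN_FROM_PACKAGE` together with `SCM_DO_BUILD_DURING_DEPLOYMENT` are contradictory deployment modes — if this commit is ever applied on its own it will not plan. The `app_settings` map continues past the end of the hunk.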
@@ -73,6 +73,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then # Run deployment script ${DOCKER_COMPOSE} run --rm \ deploy bin/deploy \ - -t "${TERRAFORM_DIR}" + -t "${TERRAFORM_DIR}" \ + -y ) fi From 44dc0dd00e46026e76b98cca9919066a56cfaf5d Mon Sep 17 00:00:00 2001 From: Matt McFarland Date: Sat, 29 Jun 2024 16:31:39 -0400 Subject: [PATCH 8/9] Assign function subnet to output storage --- deployment/bin/deploy | 19 ++++--- deployment/bin/kv_add_ip | 48 ---------------- deployment/bin/kv_rmv_ip | 47 ---------------- deployment/bin/lib | 55 ++++++++++++++++++- deployment/docker-compose.yml | 4 -- deployment/terraform/resources/functions.tf | 11 ++-- .../terraform/resources/storage_account.tf | 16 +++++- deployment/terraform/resources/vnet.tf | 24 ++++++++ pcfuncs/ipban/__init__.py | 1 - pcfuncs/ipban/function.json | 2 +- 10 files changed, 110 insertions(+), 117 deletions(-) delete mode 100755 deployment/bin/kv_add_ip delete mode 100755 deployment/bin/kv_rmv_ip diff --git a/deployment/bin/deploy b/deployment/bin/deploy index 1199429e..5e12133e 100755 --- a/deployment/bin/deploy +++ b/deployment/bin/deploy @@ -69,6 +69,14 @@ SAK_STORAGE_ACCOUNTS=( ["pcfilestest"]="pc-test-manual-resources" ) +# Add client IP to firewall for storage accounts that must have properties read +# [storage_account]=resource_group +declare -A FW_STORAGE_ACCOUNTS +FW_STORAGE_ACCOUNTS=( + ["pctesttfstate"]="pc-test-manual-resources" + ["pctapisstagingsa"]="pct-apis-westeurope-staging_rg" +) + if [[ -z ${TERRAFORM_DIR} ]]; then echo "Must pass in TERRAFORM_DIR with -t" exit 1 @@ -100,10 +108,10 @@ fi if [ "${BASH_SOURCE[0]}" = "${0}" ]; then ######################### - # Add IP to KV firewall # + # Add IP to firewalls # ######################### - bin/kv_add_ip + add_ip_to_firewalls ##################### # Deploy Terraform # 
@@ -129,16 +137,13 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then # Gather terraform output gather_tf_output - deploy_funcs - - exit 0 popd ############################## - # Remove IP from KV firewall # + # Remove IP from firewalls # ############################## - bin/kv_rmv_ip + remove_ip_from_firewalls ############################ # Render Helm chart values # diff --git a/deployment/bin/kv_add_ip b/deployment/bin/kv_add_ip deleted file mode 100755 index 255374d7..00000000 --- a/deployment/bin/kv_add_ip +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/bash - -set -e - -source bin/lib - -if [[ "${CI}" ]]; then - set -x -fi - -function usage() { - echo -n \ - "Usage: $(basename "$0") -Add runner public IP to Key Vault firewall allow list -" -} - -while [[ "$#" -gt 0 ]]; do case $1 in - *) - usage "Unknown parameter passed: $1" - shift - shift - ;; - esac done - - -if [ "${BASH_SOURCE[0]}" = "${0}" ]; then - - cidr=$(get_cidr_range) - - echo "Adding IP $cidr to Key Vault firewall allow list..." - az keyvault network-rule add \ - -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \ - -n ${KEY_VAULT_NAME} \ - --ip-address $cidr \ - --subscription ${ARM_SUBSCRIPTION_ID} \ - --output none - - # Also add the IP to the terraform state storage account - echo "Adding IP $cidr to Storage firewall allow list..." - az storage account network-rule add \ - -g ${TFSTATE_SA_RG} \ - -n ${TFSTATE_SA_NAME} \ - --ip-address $cidr \ - --subscription ${ARM_SUBSCRIPTION_ID} \ - --output none - -fi diff --git a/deployment/bin/kv_rmv_ip b/deployment/bin/kv_rmv_ip deleted file mode 100755 index 50af3432..00000000 --- a/deployment/bin/kv_rmv_ip +++ /dev/null 
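Review bot: `remove_ip_from_firewalls` is only reached on the fall-through path, so the `--plan` branch (which exits 0 before `terraform apply`, per the earlier hunk) and any failure under `set -e` leave the runner's CIDR allow-listed on the Key Vault and both storage accounts; register the cleanup right after `add_ip_to_firewalls` with `trap remove_ip_from_firewalls EXIT` so it runs on every exit, and drop the explicit call at the end. The stale `# Remove IP from firewalls #` banner width no longer matches its rule lines, a minor cosmetic nit. The enclosing `if` block starts before the hunk.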
@@ -1,47 +0,0 @@ -#!/bin/bash - -set -e - -source bin/lib - -if [[ "${CI}" ]]; then - set -x -fi - -function usage() { - echo -n \ - "Usage: $(basename "$0") -Remove runner public IP from Key Vault firewall allow list -" -} - -while [[ "$#" -gt 0 ]]; do case $1 in - *) - usage "Unknown parameter passed: $1" - shift - shift - ;; - esac done - - -if [ "${BASH_SOURCE[0]}" = "${0}" ]; then - - cidr=$(get_cidr_range) - - echo "Removing IP $cidr from Key Vault firewall allow list..." - az keyvault network-rule remove \ - -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \ - -n ${KEY_VAULT_NAME} \ - --ip-address $cidr \ - --subscription ${ARM_SUBSCRIPTION_ID} \ - --output none - - echo "Removing IP $cidr from Storage firewall allow list..." - az storage account network-rule remove \ - -g ${TFSTATE_SA_RG} \ - -n ${TFSTATE_SA_NAME} \ - --ip-address $cidr \ - --subscription ${ARM_SUBSCRIPTION_ID} \ - --output none - -fi diff --git a/deployment/bin/lib b/deployment/bin/lib index 04d7311a..b67a0b32 100755 --- a/deployment/bin/lib +++ b/deployment/bin/lib @@ -155,16 +155,16 @@ function disable_shared_access_keys() { } function enable_shared_access_keys() { - echo "Enabling shared key access for storage account..." # Terraform isn't able to read all resources from a storage account if shared key access is disabled # so while we're deploying, we need to enable it. Since we haven't run TF yet, we don't have the name of the account # so they are hardcoded here. This is a temporary workaround until this is resolved # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218 + echo "Enabling shared key access for storage accounts..." for SAK_STORAGE_ACCOUNT in "${!SAK_STORAGE_ACCOUNTS[@]}"; do SAK_RESOURCE_GROUP=${SAK_STORAGE_ACCOUNTS[$SAK_STORAGE_ACCOUNT]} - echo " - enabling ${SAK_STORAGE_ACCOUNT} / ${SAK_RESOURCE_GROUP}" + echo " - ${SAK_RESOURCE_GROUP}.${SAK_STORAGE_ACCOUNT}" az storage account update \ --name ${SAK_STORAGE_ACCOUNT} \ --resource-group ${SAK_RESOURCE_GROUP} \ 
@@ -172,4 +172,55 @@ function enable_shared_access_keys() { --subscription ${ARM_SUBSCRIPTION_ID} \ --output none done + + sleep 10 +} + +function add_ip_to_firewalls() { + cidr=$(get_cidr_range) + + echo "Adding IP $cidr to Key Vault firewall allow list..." + az keyvault network-rule add \ + -g "${KEY_VAULT_RESOURCE_GROUP_NAME}" \ + -n "${KEY_VAULT_NAME}" \ + --ip-address "$cidr" \ + --subscription "${ARM_SUBSCRIPTION_ID}" \ + --output none + + # Also add the IP to the terraform state storage account + for FW_STORAGE_ACCOUNT in "${!FW_STORAGE_ACCOUNTS[@]}"; do + FW_RESOURCE_GROUP=${FW_STORAGE_ACCOUNTS[$FW_STORAGE_ACCOUNT]} + echo "Adding IP $cidr to ${FW_STORAGE_ACCOUNT} Storage firewall allow list..." + az storage account network-rule add \ + -g "${FW_RESOURCE_GROUP}" \ + -n "${FW_STORAGE_ACCOUNT}" \ + --ip-address "$cidr" \ + --subscription "${ARM_SUBSCRIPTION_ID}" \ + --output none + done + + sleep 10 +} + +function remove_ip_from_firewalls() { + cidr=$(get_cidr_range) + + echo "Removing IP $cidr from Key Vault firewall allow list..." + az keyvault network-rule remove \ + -g ${KEY_VAULT_RESOURCE_GROUP_NAME} \ + -n ${KEY_VAULT_NAME} \ + --ip-address $cidr \ + --subscription ${ARM_SUBSCRIPTION_ID} \ + --output none + + for FW_STORAGE_ACCOUNT in "${!FW_STORAGE_ACCOUNTS[@]}"; do + FW_RESOURCE_GROUP=${FW_STORAGE_ACCOUNTS[$FW_STORAGE_ACCOUNT]} + echo "Removing IP $cidr from ${FW_STORAGE_ACCOUNT} Storage firewall allow list..." + az storage account network-rule remove \ + -g ${FW_RESOURCE_GROUP} \ + -n ${FW_STORAGE_ACCOUNT} \ + --ip-address $cidr \ + --subscription ${ARM_SUBSCRIPTION_ID} \ + --output none + done } diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml index 43a10461..da67cbbe 100644 --- a/deployment/docker-compose.yml +++ b/deployment/docker-compose.yml 
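Review bot: `remove_ip_from_firewalls` stops at the first failing `az` call when the caller runs under `set -e`, leaving the CIDR allow-listed on whichever accounts come later in `FW_STORAGE_ACCOUNTS`; append `|| echo "WARN: failed to remove $cidr from ${FW_STORAGE_ACCOUNT}"` to each removal so the loop always completes, and report a non-zero status at the end if any failed. The two `sleep 10` calls are unexplained magic waits; give them a comment like `# Firewall and key-policy changes are not synchronous; give ARM a moment before terraform reads the accounts`. The remove function also drops the quoting the add function uses (`"$cidr"`, `"${ARM_SUBSCRIPTION_ID}"`) — quote consistently in both.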
@@ -32,10 +32,6 @@ services: # Used to open KV firewall for accessing tf.secrets - KEY_VAULT_NAME=pc-test-deploy-secrets - KEY_VAULT_RESOURCE_GROUP_NAME=pc-test-manual-resources - - # Used to open firewall to tfstate SA - - TFSTATE_SA_RG=pc-test-manual-resources - - TFSTATE_SA_NAME=pctesttfstate working_dir: /opt/src/deployment volumes: - ../deployment:/opt/src/deployment diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index 0f85310f..d1c4c961 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf @@ -15,6 +15,8 @@ resource "azurerm_linux_function_app" "pcfuncs" { service_plan_id = azurerm_service_plan.pc.id storage_account_name = azurerm_storage_account.pc.name + virtual_network_subnet_id = azurerm_subnet.function_subnet.id + ftp_publish_basic_authentication_enabled = false webdeploy_publish_basic_authentication_enabled = false @@ -57,6 +59,7 @@ resource "azurerm_linux_function_app" "pcfuncs" { } site_config { + vnet_route_all_enabled = true application_insights_key = azurerm_application_insights.pc_application_insights.instrumentation_key ftps_state = "Disabled" @@ -74,11 +77,7 @@ resource "azurerm_linux_function_app" "pcfuncs" { } } -# Note: this must be in the same subscription as the rest of the deployed infrastructure -data "azurerm_storage_container" "output" { - name = var.output_container_name - storage_account_name = var.output_storage_account_name -} + resource "azurerm_role_assignment" "function-app-storage-account-access" { scope = azurerm_storage_account.pc.id 
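Review bot: `vnet_route_all_enabled = true` together with `virtual_network_subnet_id` sends all of the app's outbound traffic (Log Analytics queries, App Insights, the output storage account) through `function_subnet`, so the NSG attached to that subnet now governs the function's egress; a comment on the attribute saying so, e.g. `# Force all egress through the VNet so storage firewalls see the subnet, not a shared outbound IP; NSG on function_subnet applies to all outbound calls.`, would make the coupling visible. The removed `data "azurerm_storage_container" "output"` carried the note that the account must be in the same subscription; the data source that replaces it in storage_account.tf should keep that caveat. The `azurerm_linux_function_app` body continues outside the hunk.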
@@ -87,7 +86,7 @@ resource "azurerm_role_assignment" "function-app-storage-account-access" {
 }
 
 resource "azurerm_role_assignment" "function-app-animation-container-access" {
-  scope = data.azurerm_storage_container.output.resource_manager_id
+  scope = data.azurerm_storage_account.output-storage-account.id
   role_definition_name = "Storage Blob Data Contributor"
   principal_id = azurerm_linux_function_app.pcfuncs.identity[0].principal_id
 
diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
index 592d4c0c..8b9a5dde 100644
--- a/deployment/terraform/resources/storage_account.tf
+++ b/deployment/terraform/resources/storage_account.tf
@@ -9,7 +9,7 @@ resource "azurerm_storage_account" "pc" {
 
   network_rules {
     default_action = "Deny"
-    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, ]
+    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, azurerm_subnet.function_subnet.id]
   }
 
   # Disabling shared access keys breaks terraform's ability to do subsequent
@@ -47,3 +47,17 @@ resource "azurerm_storage_table" "blobstoragebannedip" {
   name = "blobstoragebannedip"
   storage_account_name = azurerm_storage_account.pc.name
 }
+
+# Output storage account for function app, "pcfilestest"
+data "azurerm_storage_account" "output-storage-account" {
+  name = var.output_storage_account_name
+  resource_group_name = var.pc_test_resources_rg
+
+}
+
+resource "azurerm_storage_account_network_rules" "pcfunc-vnet-access" {
+  storage_account_id = data.azurerm_storage_account.output-storage-account.id
+
+  default_action = "Deny"
+  virtual_network_subnet_ids = [azurerm_subnet.function_subnet.id]
+}
diff --git a/deployment/terraform/resources/vnet.tf b/deployment/terraform/resources/vnet.tf
index 917152b7..5d759ca1 100644
--- a/deployment/terraform/resources/vnet.tf
+++ b/deployment/terraform/resources/vnet.tf
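Review bot: Widening `scope` from the single output container's `resource_manager_id` to the whole `output-storage-account` gives the function identity Storage Blob Data Contributor on every container in that account, which is a least-privilege regression the commit message ("assign function subnet") does not mention; the container-scoped grant can be kept by building the scope from the account id, `scope = "${data.azurerm_storage_account.output-storage-account.id}/blobServices/default/containers/${var.output_container_name}"`. If account-wide write really is needed, say why in a comment above the assignment. The resource block continues past the end of the hunk.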
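Review bot: `azurerm_storage_account_network_rules.pcfunc-vnet-access` is authoritative for the firewall of an account this configuration does not own (`pcfilestest` per the comment, looked up via a data source): applying it replaces whatever `ip_rules`, subnet rules and `bypass` the account already has with deny-all-except-`function_subnet`, which can lock out other consumers and the deploy runner that is separately allow-listed by IP. Either manage that account's full rule set here deliberately (list every allowed subnet and IP and set `bypass` explicitly) or add the subnet outside Terraform, and note the ownership decision in a comment, e.g. `# NOTE: this resource owns the whole network rule set of the output account; any other allow rules must be declared here or they will be removed on apply.` The `data` block also has a stray blank line before its closing brace.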
@@ -26,6 +26,25 @@ resource "azurerm_subnet" "cache_subnet" { service_endpoints = [] } +resource "azurerm_subnet" "function_subnet" { + name = "${local.prefix}-functions-subnet" + virtual_network_name = azurerm_virtual_network.pc.name + resource_group_name = azurerm_resource_group.pc.name + + service_endpoints = ["Microsoft.Storage.Global"] + delegation { + name = "delegation" + service_delegation { + actions = [ + "Microsoft.Network/virtualNetworks/subnets/action", + ] + name = "Microsoft.Web/serverFarms" + } + } + + address_prefixes = ["10.3.0.0/26"] +} + resource "azurerm_network_security_group" "pc" { name = "${local.prefix}-security-group" location = azurerm_resource_group.pc.location @@ -53,3 +72,8 @@ resource "azurerm_subnet_network_security_group_association" "pc-cache" { subnet_id = azurerm_subnet.cache_subnet.id network_security_group_id = azurerm_network_security_group.pc.id } + +resource "azurerm_subnet_network_security_group_association" "pc-functions" { + subnet_id = azurerm_subnet.function_subnet.id + network_security_group_id = azurerm_network_security_group.pc.id +} diff --git a/pcfuncs/ipban/__init__.py b/pcfuncs/ipban/__init__.py index 6d0c369c..72f0e645 100644 --- a/pcfuncs/ipban/__init__.py +++ b/pcfuncs/ipban/__init__.py @@ -17,7 +17,6 @@ def main(mytimer: func.TimerRequest) -> None: datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() ) logger.info("Updating the ip ban list at %s", utc_timestamp) - logger.info("New RUN") credential: DefaultAzureCredential = DefaultAzureCredential() with LogsQueryClient(credential) as logs_query_client: with TableServiceClient( diff --git a/pcfuncs/ipban/function.json b/pcfuncs/ipban/function.json index fa1e72d2..2b55fa8e 100644 --- a/pcfuncs/ipban/function.json +++ b/pcfuncs/ipban/function.json @@ -5,7 +5,7 @@ "name": "mytimer", "type": "timerTrigger", "direction": "in", - "schedule": "*/5 * * * *" + "schedule": "0 */1 * * *" } ] } 
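Review bot: `service_endpoints = ["Microsoft.Storage.Global"]` on `function_subnet` enables the cross-region storage service endpoint rather than the regional `Microsoft.Storage`; presumably because the output account may sit in a different region than the VNet, but the diff does not say so, and a comment would spare the next reader a lookup, e.g. `# Global endpoint so this subnet can be allow-listed on storage accounts in other regions (the output account).` The subnet is associated with the shared `pc` NSG whose rules are outside this diff; since the function app now routes all egress through this subnet, confirm those rules permit outbound to Storage, Log Analytics and App Insights.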
From 8774038e58ef250bf90aee0a87209b89c4495487 Mon Sep 17 00:00:00 2001 From: Matt McFarland Date: Sat, 29 Jun 2024 16:50:56 -0400 Subject: [PATCH 9/9] Cleanup --- deployment/bin/lib | 2 +- deployment/terraform/resources/functions.tf | 11 ++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/deployment/bin/lib b/deployment/bin/lib index b67a0b32..c2c7cbf5 100755 --- a/deployment/bin/lib +++ b/deployment/bin/lib @@ -122,7 +122,7 @@ function deploy_funcs() { prepare_funcs pushd /opt/src/pcfuncs_deploy - func azure functionapp publish ${FUNCTION_APP_NAME} --python #--no-build + func azure functionapp publish ${FUNCTION_APP_NAME} --python popd } diff --git a/deployment/terraform/resources/functions.tf b/deployment/terraform/resources/functions.tf index d1c4c961..463ef33c 100644 --- a/deployment/terraform/resources/functions.tf +++ b/deployment/terraform/resources/functions.tf @@ -29,18 +29,15 @@ resource "azurerm_linux_function_app" "pcfuncs" { } app_settings = { - "FUNCTIONS_WORKER_RUNTIME" = "python", - "APP_INSIGHTS_IKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key, - "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key, - "AzureWebJobsDisableHomepage" = true, - - "WEBSITE_RUN_FROM_PACKAGE" = 1, + "FUNCTIONS_WORKER_RUNTIME" = "python", + "APP_INSIGHTS_IKEY" = azurerm_application_insights.pc_application_insights.instrumentation_key, + # Remote build "BUILD_FLAGS" = "UseExpressBuild", "ENABLE_ORYX_BUILD" = "true" "SCM_DO_BUILD_DURING_DEPLOYMENT" = "1", - "WEBSITE_RUN_FROM_PACKAGE" = "1", "XDG_CACHE_HOME" = "/tmp/.cache" + "AzureWebJobsDisableHomepage" = true, # Animation Function "ANIMATION_OUTPUT_STORAGE_URL" = var.animation_output_storage_url,
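Review bot: The retained `# Remote build` entries mix comma-terminated and bare items (`"ENABLE_ORYX_BUILD" = "true"` and `"XDG_CACHE_HOME" = "/tmp/.cache"` have no trailing comma while their neighbours do); HCL accepts both, but the map should use one form. Since this series flipped between `--no-build` and remote Oryx builds, a sentence under `# Remote build` explaining why the server-side build was chosen (e.g. wheels must be built on the Linux worker image) would stop the next person from toggling it back. `APP_INSIGHTS_IKEY` survives the cleanup while `APPINSIGHTS_INSTRUMENTATIONKEY` goes; if the function code reads the former, say so in a comment, otherwise it can go too. The `app_settings` map continues past the end of the hunk.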