Patrick

Reputation: 177

Azure storage account firewall rule prevents terraform deployment with azure devops

I want to deploy my terraform infrastructure with an Azure DevOps pipeline, but I'm running into a problem with the storage account firewall. Here is an example for a storage account:

resource "azurerm_storage_account" "storage_account" {
  name                              = "mystorageaccount"
  resource_group_name               = "myresourcegroup"
...
  network_rules {
      default_action             = "Deny"
      bypass                     = ["AzureServices", "Logging"]
      ip_rules                   = ["192.1.1.1"]
  }
}

The initial creation of the storage account is successful, but because of the firewall rule all further actions, for example adding a container, fail with a not authorized exception.

Unfortunately adding a bypass rule for "AzureServices" does not work.

The reason I have to add the firewall rule is because of company security guidelines, so I cannot just remove it.

Is there a way to handle storage account firewall rules with azure devops?

Upvotes: 11

Views: 7879

Answers (3)

Piotr Gwiazda

Reputation: 12212

For Terraform I would suggest running your own agent pools. The agent pools for production environments should be separate from non-production ones and should be located in separate vNets. Then add a network rule to your Storage Account to allow access from the agent pool subnet. The same will happen to most of the services when you use Service Endpoints as well.

//EDIT:

Check some fresh best practices for creating Terraform pipelines.

Upvotes: 2
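The agent-subnet approach from the answer above, written out as a complete configuration (an added example, not code from the answer or from the question; the resource group, VNet, subnet names and address ranges are assumed placeholders, and the self-hosted agents are assumed to run inside that subnet):

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical agent network: hosts the self-hosted Azure DevOps agents.
resource "azurerm_virtual_network" "agents" {
  name                = "vnet-agents-prod"
  location            = "westeurope"
  resource_group_name = "rg-agents-prod"
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "agents" {
  name                 = "snet-agents"
  resource_group_name  = azurerm_virtual_network.agents.resource_group_name
  virtual_network_name = azurerm_virtual_network.agents.name
  address_prefixes     = ["10.10.1.0/24"]
  # Required: Azure rejects a storage VNet rule for a subnet without this endpoint.
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "storage_account" {
  name                     = "mystorageaccount"
  resource_group_name      = "myresourcegroup"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices", "Logging", "Metrics"]
    # Only the agent subnet is allowed; no public agent IP ranges are listed.
    virtual_network_subnet_ids = [azurerm_subnet.agents.id]
  }
}

# The data-plane call below succeeds because the agent's traffic arrives
# through the service endpoint from the allowed subnet.
resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.storage_account.name
  container_access_type = "private"
}
```

Because the rule names a subnet rather than public IP addresses, nothing has to be added before or cleaned up after each pipeline run, and the firewall stays at default_action = "Deny" throughout.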

Miles Cattini

Reputation: 86

You can utilise a data source to dynamically check your agent's IP at apply time. The result of which looks like this:

# Uses the hashicorp/http provider to look up the agent's public IPv4 address.
data "http" "myip" {
  url = "https://ipv4.icanhazip.com"
}

resource "azurerm_storage_account_network_rules" "sample" {
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.storage.name

  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.subnet.id]
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  # chomp() strips the trailing newline from the HTTP response body.
  ip_rules                   = [chomp(data.http.myip.body)]
}

You then need to make sure you have removed the IP once you are done, for which I typically just use Remove-AzStorageAccountNetworkRule or as something like this

Upvotes: 2

Patrick

Reputation: 177

Just like @a4c74356b41 said, you have to whitelist all the IP ranges for the agents in my region, as described here.

Unfortunately there are about 160 IP ranges (you have to remove all ranges bigger than .../29) + my own, but at least it works now.

Upvotes: 0
