Storage account IP-rules

[Thorium]

I cannot find a way to add "Storage Account -> Networking -> Firewall IpRules".

            "type": "Microsoft.Storage/storageAccounts",
            // <other properties cut here/>
            "properties": {
                // <other properties cut here/>
                "networkAcls": {
                    // <other properties cut here/>
                    "ipRules": [
                        {
                            "value": "11.22.33.44",
                            "action": "Allow"
                        },
                        {
                            "value": "12.23.45.78",
                            "action": "Allow"
                        }
                    ],
                    "defaultAction": "Deny"
                },
                "supportsHttpsTrafficOnly": true,
                // <other properties cut here/>
            }

This could be useful if you have already defined static IP-addresses by Farmer script and you wouldn't want to open a public storage.

[ninjarobot]

This is supported:

storageAccount {
    restrict_to_ip "11.22.33.44"
    restrict_to_ip "12.23.45.78"
}

The supportsHttpsTrafficOnly isn't emitted but will default to true so unless you want it to allow HTTP, you should be good.

[Thorium]

Thanks, it is undocumented: https://compositionalit.github.io/farmer/api-overview/resources/storage-account/

Also, I'd need to push there a list of just-deployed-VMs as ResourceId list, not a string of absolute address.

[ninjarobot]

I apologize that is missing in the documentation.

Are these VM's attached to a virtual network? If so, this will generate the ACL to restrict access to a subnet.

restrict_to_subnet "myvnet" "mysubnet"

This should be used in conjunction with a service endpoint on that subnet - example here.