Open hknutsen opened 1 year ago
Investigate if any other modules require similar updates.
In addition to Storage and Key Vault, a similar update to the Service Bus module may be required (based on policy).
```hcl
variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this PostgreSQL server?"
  type        = bool
  default     = true
}
```

```hcl
variable "firewall_rules" {
  description = "A map of firewall rules to be configured for this SQL server."
  type = map(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))
  default = {
    "azure" = {
      name             = "AllowAllWindowsAzureIps"
      start_ip_address = "0.0.0.0"
      end_ip_address   = "0.0.0.0"
    }
  }
}
```

```hcl
variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this Automation account?"
  type        = bool
  default     = true
}
```

```hcl
variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this Container Registry?"
  type        = bool
  default     = true
}
```
- [ ] terraform-azurerm-synapse - public_network_access_enabled

```hcl
variable "public_network_access_enabled" {
  description = "Whether public network access is allowed for the workspace. Defaults to false"
  type        = bool
  default     = true
}
```

```hcl
variable "allowed_firewall_rules" {
  description = "List of rules allowing certain ips through the firewall."
  type = list(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))
  default = []
}
```
NB! The Service Bus module is missing essential resources to become complete:
You need at least one of each of these resources together with the namespace resource to have an operational Service Bus.

```hcl
public_network_access_enabled = true
```
Remains to clarify what to do and not.
Regarding public network access:
We usually leave it enabled, but deny all traffic by default. For example, look at the wording in the features section in the Key Vault module README:
- [ ] terraform-azurerm-service-bus

This is the only configuration I could find for this, not sure if this relates to inbound or outbound access. I cannot find this setting or other restrictive network settings on the namespace in the Azure portal.
Could be useful: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_namespace_network_rule_set
Moving back to "In progress". See if we can create new subissues from this after some investigation.
Removed in Azure provider v4.
Could add overview of all module repos in issue description to keep track of which modules we have checked and not.
All modules should deny all traffic by default for all relevant resources, unless it's a service that is usually exposed to the internet (e.g. a Web App).
Should also add this as a best practice in this repo.
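As an added example (not code from any of the modules discussed here), this is what the "leave public access enabled, deny all traffic by default" pattern from the Key Vault module could look like for a Service Bus namespace. It assumes the azurerm provider v4 `network_rule_set` block on `azurerm_servicebus_namespace` (which replaced the removed `azurerm_servicebus_namespace_network_rule_set` resource) and a Premium SKU, which Service Bus network rules require; the variable and resource names are illustrative.

```hcl
# Added example, not module code. Assumes azurerm provider v4 and a Premium SKU.
variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this Service Bus namespace? Traffic is still denied unless explicitly allowed below."
  type        = bool
  default     = true
}

variable "allowed_ip_addresses" {
  description = "Public IP addresses or CIDR ranges allowed through the namespace firewall."
  type        = list(string)
  default     = [] # secure default: nothing is allowed until the caller opts in
}

variable "allowed_subnet_ids" {
  description = "IDs of subnets (with the Microsoft.ServiceBus service endpoint) allowed to reach the namespace."
  type        = list(string)
  default     = []
}

resource "azurerm_servicebus_namespace" "this" {
  name                = var.namespace_name       # assumed to be declared elsewhere in the module
  location            = var.location             # assumed to be declared elsewhere in the module
  resource_group_name = var.resource_group_name  # assumed to be declared elsewhere in the module
  sku                 = "Premium"
  capacity            = 1

  public_network_access_enabled = var.public_network_access_enabled

  network_rule_set {
    # Deny everything that is not matched by an allow rule, even though public access stays enabled.
    default_action                = "Deny"
    public_network_access_enabled = var.public_network_access_enabled
    # Lets trusted Azure services (e.g. Event Grid) reach the namespace without an IP rule.
    trusted_services_allowed = true
    ip_rules                 = var.allowed_ip_addresses

    dynamic "network_rules" {
      for_each = var.allowed_subnet_ids
      content {
        subnet_id                            = network_rules.value
        ignore_missing_vnet_service_endpoint = false
      }
    }
  }
}
```

With both lists left at their empty defaults, the namespace accepts no client traffic until a caller adds an IP or subnet rule, which is the behaviour the comments above ask for.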