equinor / terraform-baseline

Best practices for creating reusable Terraform modules using the Azure provider
https://equinor.github.io/terraform-baseline/
MIT License
12 stars, 5 forks

Enforce network rules by default #47

Open hknutsen opened 1 year ago

hknutsen commented 1 year ago

All modules should deny all traffic by default for all relevant resources, unless it's a service that is usually exposed to the internet (e.g. a Web App).

Should also add this as a best practice in this repo.

Tasks

hknutsen commented 1 year ago

Investigate if any other modules require similar updates.

helenakallekleiv commented 1 year ago

In addition to Storage and Key Vault, a similar update to the Service Bus module may be required (based on policy).

musifalsk commented 3 months ago
variable "firewall_rules" {
  description = "A map of firewall rules to be configured for this SQL server."

  type = map(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))

  default = {
    "azure" = {
      name             = "AllowAllWindowsAzureIps"
      start_ip_address = "0.0.0.0"
      end_ip_address   = "0.0.0.0"
    }
  }
}

variable "allowed_firewall_rules" {
  description = "List of rules allowing certain ips through the firewall."

  type = list(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))

  default = []
}
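The variables above both default a SQL server into an allow state (the first one ships the 0.0.0.0 "Allow Azure services" rule unconditionally). Added example, not code from this thread or from any equinor module: the same `firewall_rules` variable with an empty default, so a server denies every public source until the caller adds a rule, and the Azure-services rule moved behind an explicit boolean opt-in. Resource and variable names (`azurerm_mssql_server.this`, `allow_azure_services`, the credential and location inputs) are assumptions made to keep the snippet self-contained.

```hcl
variable "firewall_rules" {
  description = "Map of firewall rules for this SQL server. Empty by default: no public IP range can reach the server until the caller adds a rule."

  type = map(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))

  default = {}
}

variable "allow_azure_services" {
  description = "Create the special 0.0.0.0-0.0.0.0 rule that lets any Azure-hosted service reach this server. Off by default because it admits traffic from every Azure tenant, not only your own."
  type        = bool
  default     = false
}

# Assumed inputs so the example stands on its own.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "administrator_login" { type = string }
variable "administrator_login_password" {
  type      = string
  sensitive = true
}

resource "azurerm_mssql_server" "this" {
  name                         = "sql-example-deny-by-default" # assumed name
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = "12.0"
  administrator_login          = var.administrator_login
  administrator_login_password = var.administrator_login_password

  # Keep the public endpoint reachable, as the Key Vault and Storage modules do,
  # and rely on the firewall rules below to deny everything not listed.
  public_network_access_enabled = true
  minimum_tls_version           = "1.2"
}

# One rule per map entry; with the empty default this creates nothing at all.
resource "azurerm_mssql_firewall_rule" "this" {
  for_each = var.firewall_rules

  name             = each.value.name
  server_id        = azurerm_mssql_server.this.id
  start_ip_address = each.value.start_ip_address
  end_ip_address   = each.value.end_ip_address
}

# The "Allow Azure services" switch is its own opt-in resource rather than a
# default map entry, so it cannot be enabled by accident.
resource "azurerm_mssql_firewall_rule" "azure_services" {
  count = var.allow_azure_services ? 1 : 0

  name             = "AllowAllWindowsAzureIps"
  server_id        = azurerm_mssql_server.this.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}
```

A `terraform plan` with only the required inputs set should show the server and no firewall rules; any rule in the plan is then something the caller asked for, which is what makes a deny-by-default module reviewable.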

musifalsk commented 3 months ago

NB! The Service Bus module is missing essential resources to become complete:

You need at least one of each of these resources together with the namespace resource to have an operational Service Bus

musifalsk commented 3 months ago

Remains to clarify what to do and not.

hknutsen commented 3 months ago

Regarding public network access:

We usually leave it enabled, but deny all traffic by default. For example, look at the wording in the features section in the Key Vault module README:

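The pattern described above ("public network access enabled, all traffic denied by default, allow-listing opt-in"), as an added example that is not code from the Key Vault or Storage module READMEs: a Key Vault and a Storage account that keep their public endpoint but set the firewall's default action to Deny, with empty allow lists for IPs and subnets. Resource names and the input variable names (`allowed_ip_rules`, `allowed_subnet_ids`, `tenant_id`, location and resource group) are assumptions.

```hcl
# Assumed inputs; the modules' real variable names may differ.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "tenant_id" { type = string }

variable "allowed_ip_rules" {
  description = "Public IPv4 addresses or CIDR ranges allowed through the firewall. Empty by default."
  type        = list(string)
  default     = []
}

variable "allowed_subnet_ids" {
  description = "IDs of subnets (with the matching service endpoint) allowed through the firewall. Empty by default."
  type        = list(string)
  default     = []
}

resource "azurerm_key_vault" "this" {
  name                = "kv-example-deny" # assumed name
  resource_group_name = var.resource_group_name
  location            = var.location
  tenant_id           = var.tenant_id
  sku_name            = "standard"

  # Public endpoint stays on; the ACL below is what actually denies traffic.
  public_network_access_enabled = true

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices" # trusted Microsoft services only
    ip_rules                   = var.allowed_ip_rules
    virtual_network_subnet_ids = var.allowed_subnet_ids
  }
}

resource "azurerm_storage_account" "this" {
  name                     = "stexampledeny" # assumed name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Same idea: endpoint reachable, firewall denies everything not listed.
  public_network_access_enabled = true

  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    ip_rules                   = var.allowed_ip_rules
    virtual_network_subnet_ids = var.allowed_subnet_ids
  }
}
```

Two practical caveats for module consumers: the machine running Terraform must itself be on the allow list (or on an allowed subnet) if the configuration also manages data-plane objects such as secrets or blobs, and traffic arriving over a private endpoint is not subject to these rules, so a private endpoint is the usual way to reach a deny-by-default resource from inside a VNet.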

helenakallekleiv commented 3 months ago
  • [ ] terraform-azurerm-service-bus
This is the only configuration I could find for this, not sure if this relates to inbound or outbound access. I cannot find this setting or other restrictive network setting on the namespace in the Azure portal.

Could be useful: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_namespace_network_rule_set

helenakallekleiv commented 3 months ago

Moving back to "In progress". See if we can create new subissues from this after some investigation.

hknutsen commented 3 months ago

> Could be useful: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_namespace_network_rule_set

Removed in Azure provider v4.
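Since the standalone `azurerm_servicebus_namespace_network_rule_set` resource is gone in provider v4, the same settings live in the `network_rule_set` block of `azurerm_servicebus_namespace`. Added example, not code from the terraform-azurerm-service-bus module: a namespace with that block set to deny inbound client traffic by default while keeping the public endpoint enabled, mirroring the Key Vault and Storage approach. Namespace rule sets govern inbound access to the namespace and are only honoured on the Premium SKU, which is why the example uses it. The namespace name and the input variable names are assumptions.

```hcl
# Assumed inputs; the module's real variable names may differ.
variable "resource_group_name" { type = string }
variable "location" { type = string }

variable "allowed_ip_rules" {
  description = "Public IPv4 addresses or CIDR ranges allowed to reach the namespace. Empty by default."
  type        = list(string)
  default     = []
}

variable "allowed_subnet_ids" {
  description = "IDs of subnets allowed to reach the namespace. Empty by default."
  type        = list(string)
  default     = []
}

resource "azurerm_servicebus_namespace" "this" {
  name                = "sb-example-deny" # assumed name
  resource_group_name = var.resource_group_name
  location            = var.location

  # Network rule sets are ignored on Basic and Standard; Premium is required.
  sku      = "Premium"
  capacity = 1

  network_rule_set {
    # Deny every inbound source not listed below.
    default_action                = "Deny"
    public_network_access_enabled = true
    trusted_services_allowed      = true # lets trusted Microsoft services bypass the rules
    ip_rules                      = var.allowed_ip_rules

    # One VNet rule per allowed subnet; nothing is created with the empty default.
    dynamic "network_rules" {
      for_each = var.allowed_subnet_ids
      content {
        subnet_id                            = network_rules.value
        ignore_missing_vnet_service_endpoint = false
      }
    }
  }
}
```

If the module has to support Basic or Standard namespaces as well, the block should be made conditional on the SKU, since the provider rejects a rule set on those tiers.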

hknutsen commented 1 month ago

Could add overview of all module repos in issue description to keep track of which modules we have checked and not.