hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Azure Key Vault allow public access from specific virtual networks and IP addresses #25414

Open Sbargaoui opened 8 months ago

Sbargaoui commented 8 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.7.5

AzureRM Provider Version

3.97.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "vault" {
  name                            = var.key_vault_name
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = azurerm_resource_group.rg.location
  sku_name                        = lower(var.key_vault_sku_name)
  tenant_id                       = var.tenant_id
  soft_delete_retention_days      = var.key_vault_soft_delete_retention_days
  purge_protection_enabled        = var.key_vault_purge_protection_enabled
  enabled_for_deployment          = var.key_vault_enabled_for_deployment
  enabled_for_disk_encryption     = var.key_vault_enabled_for_disk_encryption
  enabled_for_template_deployment = var.key_vault_enabled_for_template_deployment
  enable_rbac_authorization       = var.key_vault_enable_rbac_authorization
  public_network_access_enabled   = false
  tags                            = merge({ "ResourceName" = var.key_vault_name }, var.tags, )

  dynamic "access_policy" {
    for_each = var.key_vault_access_policies
    content {
      tenant_id          = var.tenant_id
      object_id          = access_policy.value.object_id
      secret_permissions = access_policy.value.secret_permissions
    }
  }

  dynamic "network_acls" {
    for_each = var.key_vault_network_acls != null ? { this = var.key_vault_network_acls } : {}
    content {
      bypass                     = network_acls.value.bypass
      default_action             = network_acls.value.default_action
      ip_rules                   = [var.runner_ip_address]
      virtual_network_subnet_ids = azurerm_subnet.undelegated_subnets[*].id
    }
  }
}

Debug Output/Panic Output

N/A

Expected Behaviour

Resource azurerm_key_vault should support allowing public access from specific virtual networks and IP addresses when a network_acls is specified.

Actual Behaviour

Resource azurerm_key_vault only supports Allow public access from all networks or Disable public access even when specifying a network_acls block in order to allow public access from specific virtual networks and IP addresses. The network_acls is taken into account when manually switching to Allow public access from specific virtual networks and IP addresses as shown in the screenshot.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

wuxu92 commented 8 months ago

@Sbargaoui Thank you for raising this issue. I have had a try with the Portal, and it looks different from your post. To allow public access from selected networks, you have to enable Public network access first. Would you try your Terraform configuration with public_network_access_enabled=true and give ACLs with specific networks?

ghost commented 7 months ago

@Sbargaoui Thank you for raising this issue. I have had a try with the Portal, and it looks different from your post. To allow public access from selected networks, you have to enable Public network access first. Would you try your Terraform configuration with public_network_access_enabled=true and give ACLs with specific networks?

The settings in the portal look different when you are creating a new Key Vault than when you update an existing one. But you are right, after setting public_network_access_enabled = true and network_acls to something like this:

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [
      azurerm_subnet.subnetxy.id
    ]
  }

in the portal the option "Allow public access from specific virtual networks and IP addresses" is selected and the vnet is set accordingly.

Sbargaoui commented 7 months ago

It appears that there's a distinction in behavior between creating a new key vault resource and updating an existing one.

When configuring a network_acls block with public_network_access_enabled=true, the expected behavior is to Allow public access from specific virtual networks and IP addresses, which aligns with the intended functionality.

However, issues arise when attempting to update an existing resource to restrict access solely to specific sources, especially if it was initially configured as fully private or fully public. This inconsistency in behavior during updates is where the problem lies.

daniel-octa commented 1 week ago

I have tried it in here. When creating a KV: Deny + Network ACLS check 'Allow public access from specific virtual networks and IP addresses'. However, when updating an existing KV that has drifted, the same code checks 'Disable public access'.

There is a bug.
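
The following check is an added example, not code from this thread or from the provider: it reads Terraform plan JSON and reports which portal option each planned azurerm_key_vault maps to, flagging the combination from the original report where an allow-list is configured but public_network_access_enabled is false. The sample plan, resource addresses, IP and subnet ID are constructed, and the helper names are hypothetical.

```python
import json
# Constructed sample shaped like `terraform show -json <planfile>`; all values illustrative.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "azurerm_key_vault.as_reported", "type": "azurerm_key_vault",
  "change": {"after": {"public_network_access_enabled": false, "network_acls": [
   {"bypass": "AzureServices", "default_action": "Deny",
    "ip_rules": ["203.0.113.10"], "virtual_network_subnet_ids": []}]}}},
 {"address": "azurerm_key_vault.workaround", "type": "azurerm_key_vault",
  "change": {"after": {"public_network_access_enabled": true, "network_acls": [
   {"bypass": "AzureServices", "default_action": "Deny",
    "ip_rules": [], "virtual_network_subnet_ids": ["/subscriptions/EXAMPLE/subnetxy"]}]}}},
 {"address": "azurerm_key_vault.open", "type": "azurerm_key_vault",
  "change": {"after": {"public_network_access_enabled": true, "network_acls": []}}}
]}""")

DISABLED = "Disable public access"
SELECTED = "Allow public access from specific virtual networks and IP addresses"
ALL_NETWORKS = "Allow public access from all networks"

def _acls(after):
    """network_acls is one nested block, serialized as a list of 0 or 1 objects."""
    blocks = after.get("network_acls") or []
    return blocks[0] if blocks else {}

def portal_mode(after):
    """Map planned azurerm_key_vault attributes to the portal option they produce."""
    # Assumption: an unset public_network_access_enabled means true (provider default).
    if after.get("public_network_access_enabled", True) is False:
        return DISABLED
    if _acls(after).get("default_action") == "Deny":
        return SELECTED
    return ALL_NETWORKS

def audit_plan(plan):
    """Per key vault: (address, mode, dead_rules); dead_rules = allow-list set but access disabled."""
    results = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != "azurerm_key_vault" or after is None:  # None: destroy
            continue
        acls, mode = _acls(after), portal_mode(after)
        # Values unknown until apply are omitted from "after", so this can undercount.
        allowed = (acls.get("ip_rules") or []) + (acls.get("virtual_network_subnet_ids") or [])
        results.append((rc["address"], mode, mode == DISABLED and bool(allowed)))
    return results

if __name__ == "__main__":
    for row in audit_plan(SAMPLE_PLAN):
        print(row)
```

This inspects the planned configuration only; the update-time drift described in the last comments has to be confirmed against the vault's actual state after apply.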