Core key vault firewall should not be set to "Allow public access from all networks" #4260
Conversation
Unit Test Results0 tests 0 ✅ 0s ⏱️ Results for commit 4a1b8b8. ♻️ This comment has been updated with latest results. |
|
/test 8af920d |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12660338621 (with refid (in response to this comment from @jonnyry) |
|
/test-extended 8af920d |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/12661150197 (with refid (in response to this comment from @jonnyry) |
core/terraform/keyvault.tf
Outdated
| # | ||
| resource "null_resource" "add_deployment_tag" { | ||
| triggers = { | ||
| always_run = timestamp() |
There was a problem hiding this comment.
Why does this always need to run? Once it's added once, it shouldn't get removed?
There was a problem hiding this comment.
The intention was so if the tag is removed in Azure, it will always be readded.
However as discussed, have removed the use of tags altogether, so the provisioner has been removed.
There was a problem hiding this comment.
Can the Storage Account rules in this script be handles the same way?
There was a problem hiding this comment.
Yes certainly - planning to have a look at storage accounts after this.
|
/destroy-test-env |
|
🤖 pr-bot 🤖
You can use the following commands: (in response to this comment from @jonnyry) |
|
/test-destroy-env |
|
Destroying PR test environment (RG: rg-tre26f9d939)... (run: https://github.com/microsoft/AzureTRE/actions/runs/12669260987) |
|
/test 2970a5d |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12669597448 (with refid (in response to this comment from @jonnyry) |
jonnyry
force-pushed
the
jr/upstream-main/93-close-keyvault-firewall
branch
from
2970a5d to
dcb0b8f
Compare
|
/test 272589f |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12670289419 (with refid (in response to this comment from @jonnyry) |
|
/test bf9fd32 |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12670349633 (with refid (in response to this comment from @jonnyry) |
|
/test-destroy-env |
|
Destroying PR test environment (RG: rg-tre26f9d939)... (run: https://github.com/microsoft/AzureTRE/actions/runs/12670413797) |
jonnyry
force-pushed
the
jr/upstream-main/93-close-keyvault-firewall
branch
from
bf9fd32 to
dcb0b8f
Compare
|
PR test environment destroy complete (RG: rg-tre26f9d939) |
|
/test dcb0b8f |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12671159667 (with refid (in response to this comment from @jonnyry) |
|
/test dcb0b8f |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12671848713 (with refid (in response to this comment from @jonnyry) |
CHANGELOG.md
Outdated
There was a problem hiding this comment.
I don't have time to go over this the next few days and guess @marrobi is the same. Just wanted to point out we now have 2 vaults being used from the deployer point of view.
There was a problem hiding this comment.
When CMK is enabled another vault is created in the mgmt resource group
Notes on test run starting with an empty environment: KV exception added here: https://github.com/microsoft/AzureTRE/actions/runs/12671848713/job/35314921879#step:3:432 KV exception removed here: https://github.com/microsoft/AzureTRE/actions/runs/12671848713/job/35314921879#step:3:8259 |
|
/test 135be76 |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12674163834 (with refid (in response to this comment from @jonnyry) |
Notes on test run starting with an existing TRE: KV exception added here: https://github.com/microsoft/AzureTRE/actions/runs/12674163834/job/35322577601#step:3:456 KV exception removed here: https://github.com/microsoft/AzureTRE/actions/runs/12674163834/job/35322577601#step:3:1181 |
Resolves #4250
What is being addressed
PUBLIC_DEPLOYMENT_IP_ADDRESSvariable if set) during deploymentHow is this addressed
devops/scripts/kv_add_network_exception.shdevops/scripts/kv_remove_network_exception.shcore/terraform/deploy.shcore/terraform/scripts/letsencrypt.shdevops/scripts/destroy_env_no_terraform.shcore/terraform/destroy.shdevops/scripts/key_vault_list.shdevops/scripts/set_contributor_sp_secrets.shA bug in azurerm provider was encountered which required the use of a terraform provisioner:
azurerm_key_vaultwas required to work around an azurerm provider bug which means if a key vault is being re-created (it was previously soft deleted), the network acls are not updated. This can be removed when the bug is fixed, or a different workaround found.Updates since inital commit (as discussed with @marrobi):