7
votes

I want to deploy my terraform infrastructure with an Azure DevOps pipeline, but I'm running into a problem with the storage account firewall. Here is an example for a storage account:

resource "azurerm_storage_account" "storage_account" {
  name                              = "mystorageaccount"
  resource_group_name               = "myresourcegroup"
...
  network_rules {
      default_action             = "Deny"
      bypass                     = ["AzureServices", "Logging"]
      ip_rules                   = ["192.1.1.1"]
  }
}

The initial creation of the storage account is successful, but because of the firewall rule all further actions, for example adding a container, fail with a not authorized exception.

Unfortunately adding a bypass rule for "AzureServices" does not work.

The reason I have to add the firewall rule is because of company security guidelines, so I cannot just remove it.

Is there a way to handle storage account firewall rules with azure devops?

3
Like the existing answer suggested (before it was removed by the author) - you have to whitelist your agents' IP ranges. If you are using hosted ones - that means the Azure datacenter IP ranges for the geo location. Otherwise - you can define outgoing IPs for your agents (if they run on Azure).
4c74356b41

3 Answers

1
votes

For Terraform I would suggest running your own agent pools. The agent pools for production environments should be separate from non-production and should be located in separate vNets. Then add a network rule to your Storage Account to allow access from the agent pool subnet. The same will happen to most of the services when you use Service Endpoints as well.

//EDIT:

Check some fresh best practices for creating Terraform pipelines.

1
votes

You can utilise a data source to dynamically check your agent's IP at apply time. The result of which looks like this:

data "http" "myip" {
  url = "https://ipv4.icanhazip.com"
}

resource "azurerm_storage_account_network_rules" "sample" {
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.storage.name

  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.subnet.id]
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  # chomp() strips the trailing newline the lookup service returns
  ip_rules                   = [chomp(data.http.myip.body)]
}

You then need to make sure you have removed the IP once you are done, for which I typically just use Remove-AzStorageAccountNetworkRule or something like this
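The "add the agent IP before the run, remove it once you are done" step from this answer, written out as an added example (not code from the answer or from any project). It uses the Azure CLI's az storage account network-rule add / remove instead of Remove-AzStorageAccountNetworkRule, looks the IP up from https://ipv4.icanhazip.com as the data source above does, and removes the rule in a finally block so a failed terraform apply does not leave the agent's address on the firewall. The resource group and account names are placeholders, and the command runner and IP lookup are injectable so the cleanup logic can be exercised without az or network access.

```python
"""Open a storage account firewall for this agent only while Terraform runs.

Added example, not the answer's own script. Shells out to
`az storage account network-rule add|remove`; `run` and `fetch` are
injectable (assumed hooks for testing), so the control flow can be checked
without the Azure CLI or a network connection.
"""
import contextlib
import ipaddress
import subprocess
import urllib.request

IP_LOOKUP_URL = "https://ipv4.icanhazip.com"   # same lookup as the answer


def agent_public_ip(fetch=None) -> str:
    """Return the agent's public IPv4 address, validated, as a string."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode()
    raw = fetch(IP_LOOKUP_URL).strip()        # equivalent of chomp() in HCL
    return str(ipaddress.IPv4Address(raw))    # raises ValueError on junk/IPv6


def run_az(args):
    """Default command runner: execute `az ...` and fail loudly on error."""
    subprocess.run(["az", *args], check=True)


@contextlib.contextmanager
def temporary_ip_rule(resource_group, account, ip, run=run_az):
    """Allow `ip` on the account firewall, yield, then always remove it."""
    def cmd(verb):
        return ["storage", "account", "network-rule", verb,
                "--resource-group", resource_group,
                "--account-name", account,
                "--ip-address", ip]

    run(cmd("add"))
    try:
        yield ip
    finally:
        run(cmd("remove"))    # runs on success, on exception, and on Ctrl-C


def apply_with_temporary_access(resource_group, account, apply,
                                run=run_az, fetch=None):
    """Run `apply()` inside the window in which this agent's IP is allowed."""
    ip = agent_public_ip(fetch)
    with temporary_ip_rule(resource_group, account, ip, run=run):
        apply()
    return ip


if __name__ == "__main__":
    # Real use on a pipeline agent (constructed names; substitute your own).
    apply_with_temporary_access(
        "myresourcegroup", "mystorageaccount",
        apply=lambda: subprocess.run(
            ["terraform", "apply", "-auto-approve"], check=True),
    )
```

Because the rule is removed in a finally block, the agent's address is only ever present on the firewall for the duration of the apply, and a failed run still leaves the account in its original state; a pipeline should also run this step with check=True so a failure to remove the rule fails the job rather than being silently ignored.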

0
votes

Just like @a4c74356b41 said, you have to whitelist all the IP ranges for the agents in my region as described here.

Unfortunately there are about 160 IP ranges (you have to remove all ranges bigger than .../29) + my own, but at least it works now.
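An added example (not this answer's script) of turning a list of Azure address prefixes into a Terraform ip_rules value. It takes a plain list of prefixes, so it does not depend on the layout of the Azure service-tag download; the input here is a constructed sample. Two filters are applied: IPv6 prefixes are dropped, since storage firewall IP rules are IPv4 only, and, following this answer's report that ranges beyond /29 had to be removed, anything with a prefix longer than 29 bits is dropped as well (reading "bigger than /29" as /30 to /32 is an assumption; the limit is a parameter). The function also reports how many addresses the allowlist opens, which is worth reviewing when the list runs to 160 entries.

```python
"""Build a Terraform ip_rules list from Azure address prefixes.

Added example, not the answer's own script. Input is any iterable of CIDR
strings (for instance a service tag's addressPrefixes array); the sample
below is constructed from documentation ranges, not real Azure prefixes.
"""
import ipaddress
import json

# Constructed sample input.
SAMPLE_PREFIXES = [
    "203.0.113.0/24",
    "198.51.100.64/26",
    "198.51.100.128/30",   # more specific than /29: dropped by default
    "192.0.2.5/32",        # single host written as a range: dropped by default
    "2001:db8::/32",       # IPv6: the storage firewall takes IPv4 rules only
    "203.0.113.0/24",      # duplicate of the first entry
]


def _fmt(net):
    """Render a /32 as a bare address, everything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def allowed_ip_rules(prefixes, own_ip=None, max_prefix_len=29):
    """Return a sorted, de-duplicated ip_rules list for the firewall."""
    keep = set()
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4 or net.prefixlen > max_prefix_len:
            continue
        keep.add(net)
    if own_ip is not None:
        keep.add(ipaddress.ip_network(own_ip))   # a bare IP becomes a /32
    return [_fmt(n) for n in sorted(keep)]


def total_addresses(rules):
    """How many addresses the allowlist opens; review this before applying."""
    return sum(ipaddress.ip_network(r).num_addresses for r in rules)


def to_tfvars_json(rules, variable="agent_ip_rules"):
    """JSON body for a .auto.tfvars.json file, which Terraform loads itself."""
    return json.dumps({variable: rules}, indent=2)


if __name__ == "__main__":
    rules = allowed_ip_rules(SAMPLE_PREFIXES, own_ip="192.0.2.9")
    print(f"{len(rules)} rules covering {total_addresses(rules)} addresses")
    with open("agent_ips.auto.tfvars.json", "w") as fh:
        fh.write(to_tfvars_json(rules))
```

On the Terraform side, declare variable "agent_ip_rules" with type list(string) and set ip_rules = var.agent_ip_rules in the network_rules block (or concat it with the fixed entries); the generated agent_ips.auto.tfvars.json is picked up by terraform apply without any extra flag. Regenerating the file on each pipeline run keeps the allowlist in step with the published ranges instead of drifting.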