Lock down Azure storage account per best practices #447

23 changes: 23 additions & 0 deletions ansible/roles/azure/tasks/create_adlsgen2.yml
@@ -75,6 +75,9 @@
regexp: '^instance_volumes_adls\s*=\s*|^[#]instance_volumes_adls\s*=\s*'
line: "instance_volumes_adls = {{ InstanceVolumes|join(',') }}"

# Create (or set) the storage account. Public network access is allowed at this
# stage so that storage container / ADLS Gen2 filesystem can be created later.
# Public network access is disabled in a later step.
# Not registering variable because storage values are not visible immediately
- name: Create ADLS Gen2 storage account
azure.azcollection.azure_rm_storageaccount:
@@ -85,6 +88,12 @@
kind: "StorageV2"
is_hns_enabled: True
location: "{{ location }}"
allow_shared_key_access: False
allow_blob_public_access: False
default_to_o_auth_authentication: True
public_network_access: "Enabled"
network_acls:
default_action: "Allow"
loop: "{{ InstanceVolumes }}"

# Creating User Assigned identity with vmss_name suffixed by ua-msi if not specified in muchos.props
@@ -189,12 +198,26 @@
resource_group: "{{ resource_group }}"
storage_account_name: "{{ item.split('@')[1].split('.')[0] }}"
container: "{{ item.split('@')[0].split('://')[1] }}"
auth_mode: "login"
retries: 20
delay: 30
register: createfsresult
until: createfsresult is succeeded and ((not createfsresult.changed) or (createfsresult.changed and createfsresult.container|length > 0))
loop: "{{ InstanceVolumes }}"

- name: Only allow VNET to access the storage account
azure.azcollection.azure_rm_storageaccount:
resource_group: "{{ resource_group }}"
name: "{{ item.split('@')[1].split('.')[0] }}"
public_network_access: "Enabled"
network_acls:
default_action: "Deny"
bypass: "None"
virtual_network_rules:
- id: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ vnet }}/subnets/{{ subnet }}"
action: "Allow"
loop: "{{ InstanceVolumes }}"

# Retrieve tenantId for core-site.xml
- name: Update tenantId in muchos.props
lineinfile:
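Review bot: The lockdown task (`Only allow VNET to access the storage account`) only runs if the container-creation loop registered as `createfsresult` succeeds, so a failure there — after up to 20×30 s of retries — leaves the account created earlier in this file with `public_network_access: "Enabled"` and `network_acls.default_action: "Allow"`. The exposure on that path is limited because `allow_shared_key_access: False` and `allow_blob_public_access: False` already force AAD authentication, but placing the container task in a `block:` and the lockdown task in its `always:` section would make the Deny rule hold on the failure path too (sketched below; the container task's header is outside this hunk). `bypass: "None"` is the strictest setting and also excludes Azure's trusted-services bypass, which will block service-side diagnostics/metrics writes to the account — a short comment stating this is intended would help the next reader. Style: the new booleans in the create task are written `True`/`False`; the Ansible/yamllint convention is lowercase `true`/`false` (the pre-existing `is_hns_enabled: True` could be aligned at the same time).
```yaml
- name: Create ADLS Gen2 filesystems, then restrict the storage account to the VNET
  block:
    # … unchanged: the container-creation task (auth_mode: "login", retries/until, register: createfsresult) …
  always:
    # … unchanged: the "Only allow VNET to access the storage account" task, indented one level …
```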
4 changes: 4 additions & 0 deletions ansible/roles/azure/tasks/create_common_resources.yml
@@ -63,3 +63,7 @@
virtual_network_name: "{{ vnet }}"
name: "{{ subnet }}"
address_prefix_cidr: "{{ subnet_cidr }}"
service_endpoints:
- service: "Microsoft.Storage"
locations:
- "{{ location }}"
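Review bot: The new `service_endpoints` entry carries no comment explaining why it exists, yet it is the precondition for listing this subnet in the storage account's `network_acls.virtual_network_rules` in create_adlsgen2.yml — Azure normally rejects a subnet that lacks the Microsoft.Storage endpoint — and the two files are coupled only by the order the role runs them. Suggest adding above `service_endpoints:` the comment `# Microsoft.Storage endpoint is required before this subnet can be added to the storage account's network_acls.virtual_network_rules (create_adlsgen2.yml)`. The `locations` list pins the endpoint to `{{ location }}`, which matches the `location` the storage account is created with, so an account in any other region would not be reachable through it — presumably intentional, but worth stating. The enclosing subnet task's header lies outside the hunk.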