From 488d17ae09da22e6e5c792d02c8af2eeba8df5c9 Mon Sep 17 00:00:00 2001
From: Taylor Southwick
Date: Mon, 26 Aug 2024 20:09:45 +0000
Subject: [PATCH 1/2] Remove networkAcls for storage account if in development

---
 infra/core/storage/storage-account.bicep | 14 +-------------
 infra/modules/application-resources.bicep | 2 --
 2 files changed, 1 insertion(+), 15 deletions(-)

diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
index 991e21d2..ed994a3f 100644
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -73,9 +73,6 @@ param sku object = { name: 'Standard_LRS' }
 @description('Determines whether or not trusted azure services are allowed to connect to this account')
 param bypass string = 'AzureServices'
 
-@description('The firewall rules to install on the sql-server.')
-param firewallRules FirewallRules?
-
 // ========================================================================
 // VARIABLES
 // ========================================================================
@@ -91,11 +88,6 @@ var storageBlobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 var defaultToOAuthAuthentication = false
 var dnsEndpointType = 'Standard'
 
-
-var allowedCidrBlocks = firewallRules != null ? map(firewallRules!.allowedIpAddresses, ipaddr => {
-  value: ipaddr
-}) : []
-
 // ========================================================================
 // AZURE RESOURCES
 // ========================================================================
@@ -115,13 +107,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
     dnsEndpointType: dnsEndpointType
     minimumTlsVersion: minimumTlsVersion
     publicNetworkAccess: enablePublicNetworkAccess ? 'Enabled' : 'Disabled'
-    networkAcls: enablePublicNetworkAccess ? {
+    networkAcls: enablePublicNetworkAccess ? null : {
       bypass: bypass
       defaultAction: 'Deny'
-      ipRules: allowedCidrBlocks
-    } : {
-      defaultAction:'Deny'
-      bypass: bypass
     }
   }
 }
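Review bot: The new `networkAcls: enablePublicNetworkAccess ? null : { … }` line in the third hunk removes every network restriction whenever public access is enabled, because a storage account deployed with no networkAcls falls back to the platform default of allowing all networks, whereas the removed branch still applied `defaultAction: 'Deny'` with an explicit IP allow list. The condition is the general `enablePublicNetworkAccess` flag rather than the development-only switch the subject line describes, so any caller that enables public access for another reason now gets an account reachable from any network, with only identity and key controls left in front of it. If that trade-off is intended it should be stated at the site so it survives later review, e.g. `// No network ACL when public access is enabled: the account accepts traffic from any network. Intended for development environments only.`, and the `@description` on `enablePublicNetworkAccess` (outside this hunk) should say the same. The `resource storage` block continues outside the hunk.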
diff --git a/infra/modules/application-resources.bicep b/infra/modules/application-resources.bicep
index 5e464071..e62ca669 100644
--- a/infra/modules/application-resources.bicep
+++ b/infra/modules/application-resources.bicep
@@ -443,8 +443,6 @@ module storageAccount '../core/storage/storage-account.bicep' = {
       resourceGroupName: resourceNames.spokeResourceGroup
       subnetId: subnets[resourceNames.spokePrivateEndpointSubnet].id
     } : null
-
-    firewallRules: clientIpAddress != '' ? { allowedIpAddresses: [clientIpAddress]} : null
   }
 }
 

From f9ca927cd9539bb5b9d9ec2cf49382247435af10 Mon Sep 17 00:00:00 2001
From: Taylor Southwick
Date: Thu, 29 Aug 2024 17:08:53 +0000
Subject: [PATCH 2/2] remove unused type

---
 infra/core/storage/storage-account.bicep | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
index ed994a3f..19d39ca7 100644
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -12,11 +12,6 @@ import { PrivateEndpointSettings } from '../../types/PrivateEndpointSettings.bic
 import { DiagnosticSettings } from '../../types/DiagnosticSettings.bicep'
 import { ApplicationIdentity } from '../../types/ApplicationIdentity.bicep'
 
-type FirewallRules = {
-  @description('The list of IP address CIDR blocks to allow access from.')
-  allowedIpAddresses: string[]
-}
-
 // ========================================================================
 // PARAMETERS
 // ========================================================================