Improve network exception logging and update storage account network …

…settings in bootstrap script
microsoft · Feb 20, 2025 · 25e661a · 25e661a
1 parent a905066
commit 25e661a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/devops/scripts/mgmtstorage_add_network_exception.sh b/devops/scripts/mgmtstorage_add_network_exception.sh
@@ -17,7 +17,7 @@ function mgmtstorage_add_network_exception() {
   local MY_IP
   MY_IP=$(get_my_ip)
 
-  echo -e "\nAdding deployment network exception to storage account $SA_NAME..."
+  echo -e "\nAdding deployment network exception to storage account $SA_NAME from IP $MY_IP"
 
   # Ensure storage account exists
   if ! does_storage_account_exist "$SA_NAME"; then
@@ -52,7 +52,7 @@ function mgmtstorage_remove_network_exception() {
   local MY_IP
   MY_IP=$(get_my_ip)
 
-  echo -e "\nRemoving deployment network exception from storage account $SA_NAME..."
+  echo -e "\nRemoving deployment network exception from storage account $SA_NAME from IP $MY_IP"
 
   # Ensure storage account exists
   if ! does_storage_account_exist "$SA_NAME"; then

diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
@@ -20,20 +20,16 @@ if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name"
     --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
     --allow-blob-public-access false --min-tls-version TLS1_2 \
     --kind StorageV2 --sku Standard_LRS -o table \
-    --public-network-access enabled \
-    --default-action Deny \
-    --bypass AzureServices \
     --encryption-key-type-for-queue "$encryption_type" \
     --encryption-key-type-for-table "$encryption_type" \
     --require-infrastructure-encryption true
 else
   echo "Storage account already exists..."
   az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
+  # shellcheck disable=SC1091
+  source ../scripts/mgmtstorage_add_network_exception.sh
 fi
 
-# shellcheck disable=SC1091
-source ../scripts/mgmtstorage_add_network_exception.sh
-
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
 if [ -n "${ARM_CLIENT_ID:-}" ]; then
@@ -95,4 +91,13 @@ if ! terraform state show azurerm_storage_account.state_storage > /dev/null; the
 fi
 echo "State imported"
 
+# Update the storage account network to set default action to Deny and bypass AzureServices
+# shellcheck disable=SC2154
+az storage account update \
+  --name "$TF_VAR_mgmt_storage_account_name" \
+  --resource-group "$TF_VAR_mgmt_resource_group_name" \
+  --public-network-access enabled \
+  --default-action Deny \
+  --bypass AzureServices
+
 set +o nounset