Core key vault firewall should not be set to "Allow public access from all networks" #4250

Author: jonnyry

CHANGELOG.md

@@ -32,6 +32,7 @@ ENHANCEMENTS:
 * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

core/terraform/.terraform.lock.hcl

@@ -5,6 +5,12 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# add trap to remove deployment network exceptions
+trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "../../devops/scripts/add_deployment_network_exceptions.sh"
+
 # This is where we can migrate any Terraform before we plan and apply
 # For instance deprecated Terraform resources
 # shellcheck disable=SC1091

core/terraform/deploy.sh

@@ -5,6 +5,12 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# add trap to remove deployment network exceptions on script exit
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "$script_dir/add_deployment_network_exceptions.sh"
+
 # These variables are loaded in for us
 # shellcheck disable=SC2154
 ../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \

core/terraform/destroy.sh

@@ -1,14 +1,48 @@
 resource "azurerm_key_vault" "kv" {
-  name                      = "kv-${var.tre_id}"
+  name                      = local.kv_name
   tenant_id                 = data.azurerm_client_config.current.tenant_id
   location                  = azurerm_resource_group.core.location
   resource_group_name       = azurerm_resource_group.core.name
   sku_name                  = "standard"
   enable_rbac_authorization = true
   purge_protection_enabled  = var.kv_purge_protection_enabled
-  tags                      = local.tre_core_tags
+  tags                      = merge(local.tre_core_tags, { "${local.tre_deployment_network_exception_tag}" = "true" })
 
-  lifecycle { ignore_changes = [access_policy, tags] }
+  public_network_access_enabled = local.kv_public_network_access_enabled
+
+  network_acls {
+    default_action = local.kv_network_default_action
+    bypass         = local.kv_network_bypass
+    ip_rules       = [ local.myip ]  # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh
+  }
+
+  lifecycle {
+    ignore_changes = [access_policy, tags]
+  }
+
+  # create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970
+  #
+  provisioner "local-exec" {
+    when = create
+    command = <<EOT
+az keyvault update --name ${local.kv_name} --public-network-access ${local.kv_public_network_access_enabled ? "Enabled" : "Disabled"} --default-action ${local.kv_network_default_action} --bypass ${local.kv_network_bypass} --output none
+az keyvault network-rule add --name ${local.kv_name} --ip-address ${local.myip} --output none
+EOT
+  }
+}
+
+# provisioner required due to ignore_changes = [tags] in azurerm_key_vault.kv
+#
+resource "null_resource" "add_deployment_tag" {
+  triggers = {
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command = "az resource update --ids ${azurerm_key_vault.kv.id} --set 'tags.${local.tre_deployment_network_exception_tag}=\"true\"' --output none"
+  }
+
+  depends_on = [azurerm_key_vault.kv]
 }
 
 resource "azurerm_role_assignment" "keyvault_deployer_role" {

core/terraform/keyvault.tf

@@ -46,4 +46,14 @@ locals {
 
   cmk_name                 = "tre-encryption-${var.tre_id}"
   encryption_identity_name = "id-encryption-${var.tre_id}"
+
+  # used to tag resources (e.g. kv, sa) that require a IP exception for the deployment runner
+  # adding to their network firewall during TRE deployment (and removing at the end of deployment)
+  tre_deployment_network_exception_tag = "tre_deployment_network_exception"
+
+  # key vault variables
+  kv_name = "kv-${var.tre_id}"
+  kv_public_network_access_enabled = true
+  kv_network_default_action = var.enable_local_debugging ? "Allow" : "Deny"
+  kv_network_bypass = "AzureServices"
 }

core/terraform/locals.tf

@@ -3,6 +3,13 @@ set -e
 
 script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
 
+# add trap to remove deployment network exceptions on script exit
+trap 'source "$script_dir/../../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "$script_dir/../../../devops/scripts/add_deployment_network_exceptions.sh"
+
+
 if [[ -z ${STORAGE_ACCOUNT} ]]; then
   echo "STORAGE_ACCOUNT not set"
   exit 1

core/terraform/scripts/letsencrypt.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception"
+
+function main() {
+
+    set -o errexit
+    set -o pipefail
+
+
+    # parse params/set up inputs
+    #
+    if [[ -z "$TRE_ID" ]]; then
+      echo -e "Could not open deployment network exceptions: TRE_ID is not set\nExiting...\n"
+      exit 1
+    fi
+
+    local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+    if [[ -z "$MY_IP" ]]; then
+      MY_IP=$(curl -s "ipecho.net/plain"; echo)
+    fi
+
+    local TRE_CORE_RG="rg-${TRE_ID}"
+
+
+    # find resources that require network exceptions
+    #
+    echo -e "\nQuerying resources that require network exceptions adding for deployment..."
+
+    if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then
+        echo -e " Core resource group $TRE_CORE_RG not found\n"
+        return 0
+    fi
+
+    local AZ_IDS
+    AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv)
+
+    if [ -z "$AZ_IDS" ]; then
+      echo -e " No resources found\n"
+      return 0
+    fi
+
+
+    # add network exceptions
+    #
+    local AZ_ID
+    for AZ_ID in $AZ_IDS; do
+
+      local RESOURCE_TYPE
+      RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)
+
+      if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
+        add_keyvault_network_exception "$AZ_ID" "$MY_IP"
+      fi
+
+    done
+
+    echo ""
+
+}
+
+function add_keyvault_network_exception() {
+  local AZ_ID="$1"
+  local MY_IP="$2"
+
+  local KV_NAME
+  KV_NAME=$(basename "$AZ_ID")
+
+  echo " Adding keyvault deployment network exception for $KV_NAME"
+
+  az keyvault network-rule add --name "$KV_NAME" --ip-address "$MY_IP" --output none
+
+  local ATTEMPT=1
+  local MAX_ATTEMPTS=10
+
+  while true; do
+
+    if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then
+      echo "  Keyvault $KV_NAME is now accessible"
+      break
+    fi
+
+    if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+      echo -e "Could not add deployment network exception for $KV_NAME"
+      echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n"
+      echo -e "$KV_OUTPUT\n"
+
+      exit 1
+    fi
+
+    echo "  Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect."
+    sleep 5
+    ((ATTEMPT++))
+
+  done
+
+}
+
+main "$@"

devops/scripts/add_deployment_network_exceptions.sh

@@ -66,6 +66,14 @@ then
   no_wait_option="--no-wait"
 fi
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# add trap to remove deployment network exceptions on script exit
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "$script_dir/add_deployment_network_exceptions.sh"
+
 group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?)
 if [[ "$group_show_result" !=  "0" ]]; then
   echo "Resource group ${core_tre_rg} not found - skipping destroy"

devops/scripts/destroy_env_no_terraform.sh

@@ -7,6 +7,14 @@ fi
 
 echo "DEBUG: Check keyvault and secrets exist"
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# add trap to remove deployment network exceptions on script exit
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "$script_dir/add_deployment_network_exceptions.sh"
+
 echo "az keyvault show"
 az keyvault show --name kv-${TRE_ID}
 

devops/scripts/key_vault_list.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception"
+
+function main() {
+
+    set -o errexit
+    set -o pipefail
+
+
+    # parse params/set up inputs
+    #
+    if [[ -z "$TRE_ID" ]]; then
+      echo -e "Could not close deployment network exceptions: TRE_ID is not set\nExiting...\n"
+      exit 1
+    fi
+
+    local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+    if [[ -z "$MY_IP" ]]; then
+      MY_IP=$(curl -s "ipecho.net/plain"; echo)
+    fi
+
+    local TRE_CORE_RG="rg-${TRE_ID}"
+
+
+    # find resources that require network exceptions
+    #
+    echo -e "\nQuerying resources that require network exceptions removing for deployment..."
+
+    if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then
+        echo -e " Core resource group $TRE_CORE_RG not found\n"
+        return 0
+    fi
+
+    local AZ_IDS
+    AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv)
+
+    if [ -z "$AZ_IDS" ]; then
+      echo -e " No resources found\n"
+      return 0
+    fi
+
+
+    # remove network exceptions
+    #
+    local AZ_ID
+    for AZ_ID in $AZ_IDS; do
+
+      local RESOURCE_TYPE
+      RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)
+
+      if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
+        remove_keyvault_network_exception "$AZ_ID" "$MY_IP"
+      fi
+
+    done
+
+    echo ""
+
+}
+
+function remove_keyvault_network_exception() {
+  local AZ_ID="$1"
+  local MY_IP="$2"
+
+  local KV_NAME
+  KV_NAME=$(basename "$AZ_ID")
+
+  echo " Removing keyvault deployment network exception for $KV_NAME"
+
+  az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none
+}
+
+main "$@"

devops/scripts/remove_deployment_network_exceptions.sh

@@ -16,6 +16,16 @@ set -e
 #
 
 echo -e "\n\e[34m»»» 🤖 \e[96mCreating (or updating) service principal ID and secret to Key Vault\e[0m..."
+
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# add trap to remove deployment network exceptions on script exit
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+source "$script_dir/add_deployment_network_exceptions.sh"
+
+
 key_vault_name="kv-$TRE_ID"
 az account set --subscription $ARM_SUBSCRIPTION_ID
 az keyvault secret set --name deployment-processor-azure-client-id --vault-name $key_vault_name --value $RESOURCE_PROCESSOR_CLIENT_ID