Enforce network rules by default

[hknutsen]

All modules should deny all traffic by default for all relevant resources, unless it's a service that is usually exposed to the internet (e.g. a Web App).

Should also add this as a best practice in this repo.

Tasks

• equinor/app-config/azurerm
• equinor/app/azuread
• equinor/mysql/azurerm
• equinor/acr/azurerm
• feat!: enforce network ACLs default action terraform-azurerm-storage#158
• feat!: enforce network ACLs default action terraform-azurerm-key-vault#57
• feat: deny public network access by default terraform-azurerm-web-app#200
• equinor/vm/azurerm
• feat: deny public network access by default terraform-azurerm-service-bus#58
• equinor/sql/azurerm
• equinor/log-analytics/azurerm
• equinor/nat/azurerm
• equinor/grafana/azurerm
• equinor/network/azurerm
• equinor/app-service/azurerm (N/A)
• equinor/databricks/azurerm
• equinor/app-insights/azurerm
• equinor/automation/azurerm
• feat!: deny public network access by default terraform-azurerm-function-app#69
• equinor/postgres/azurerm
• equinor/identity/azurerm
• equinor/event-grid/azurerm
• equinor/public-ip/azurerm
• equinor/container-app/azurerm
• equinor/synapse/azurerm

[hknutsen]

Investigate if any other modules require similar updates.

[helenakallekleiv]

In addition to Storage and Key Vault, a similar update to the Service Bus module may be required (based on policy).

[musifalsk]

• terraform-azurerm-postgres - public_network_access_enabled

variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this PostgreSQL server?"
  type        = bool
  default     = true
}

• terraform-azurerm-sql - firewall_rules

variable "firewall_rules" {
  description = "A map of firewall rules to be configured for this SQL server."

  type = map(object({
    name             = string
    start_ip_address = string
    end_ip_address   = string
  }))

  default = {
    "azure" = {
      name             = "AllowAllWindowsAzureIps"
      start_ip_address = "0.0.0.0"
      end_ip_address   = "0.0.0.0"
    }
  }
}

• terraform-azurerm-automation - public_network_access_enabled

variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this Automation account?"
  type        = bool
  default     = true
}

• terraform-azurerm-acr - public_network_access_enabled

variable "public_network_access_enabled" {
  description = "Should public network access be enabled for this Container Registry?"
  type        = bool
  default     = true
}

• terraform-azurerm-synapse - public_network_access_enabled

variable "public_network_access_enabled" {
  description = "Whether public network access is allowed for the workspace. Defaults to false"
  type        = bool

  default = true
}

variable "allowed_firewall_rules" {
  description = "List  of rules allowing certain ips through the firewall."
  type = list(object({
    name : string
    start_ip_address : string
    end_ip_address : string
  }))

  default = []
}

[musifalsk]

• terraform-azurerm-function-app - missing variable for ip_restriction. Should this be implemented as an option?

[musifalsk]

• terraform-azurerm-service-bus
  
  This is the only configuration i could find for this, not sure if this relates to inbound or outbound access. I cannot find this setting or other restrictive network setting on the namespace in the azure portal.

NB! The Service Bus module is missing essential resources to become complete:

• azurerm_servicebus_queue
• azurerm_servicebus_namespace_authorization_rule
• azurerm_servicebus_queue_authorization_rule

You need at least one of each of these resources together with th namespace resource to have an operational Service Bus

[musifalsk]

• terraform-azurerm-grafana
  public_network_access_enabled is hardcoded in this module. Should this be changed to a variable with a default value of disabled?

public_network_access_enabled     = true

[musifalsk]

remains to clarify what to do and not

[hknutsen]

Regarding public network access:

We usually leave it enabled, but deny all traffic by default. For example, look at the wording in the features section in the Key Vault module README:

[helenakallekleiv]

• terraform-azurerm-service-bus
  
  This is the only configuration i could find for this, not sure if this relates to inbound or outbound access. I cannot find this setting or other restrictive network setting on the namespace in the azure portal.

Could be useful: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_namespace_network_rule_set

[helenakallekleiv]

Moving back to "In progress". Se if we can create new subissues from this after some investigation.

[hknutsen]

Could be useful: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/servicebus_namespace_network_rule_set

Removed in Azure provider v4.

[hknutsen]

Could add overview of all module repos in issue description to keep track of which modules we have checked and not.

[github-actions]

There has been no activity on this issue for 60 days. stale label will be added. If no additional activity occurs, the issue will be closed in 7 days.