Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure storage_ip_rules regexall only matches /31 and /32, but leaves /30 alone since it is valid #18

Merged
merged 2 commits into from
Jan 8, 2025
Merged

Ensure storage_ip_rules regexall only matches /31 and /32, but leaves /30 alone since it is valid #18

merged 2 commits into from
Jan 8, 2025

Conversation

blongv
Copy link
Contributor

@blongv blongv commented Jan 7, 2025
edited
Loading

Fixes #19

Based on https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#restrictions-for-ip-network-rules and my testing, /30 CIDRs should be allowed and are configurable as storage account firewall rules.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Changes proposed in this pull request

  • Change regexall("/3.", cidr) to regexall("/3(1|2)", cidr) to ensure /30 CIDRs are passed through correctly.

If I have a data service tag resource as follows:

# az network list-service-tags --location usgovvirginia
#
data "azurerm_network_service_tags" "frontdoor" {
  location = var.azure_location
  service  = "AzureFrontDoor"
}

And I try configuring this module as follows:

  allowed_cidrs = concat(
    ["64.102.0.0/16"],
    data.azurerm_network_service_tags.frontdoor.ipv4_cidrs
  )

It will fail to apply the /30 CIDRs from Azure service tags to the storage account. For example, 20.140.152.52/30 will be changed to 20.140.152.52 and this means 20.140.152.53, 20.140.152.54, 20.140.152.55 will be blocked when they should be allowed.

@claranet/fr-azure-reviewers

@Shr3ps Shr3ps force-pushed the bugfix/storage-ip-rules branch from 598aad7 to 8fce7a8 Compare January 8, 2025 08:33
zfiel
zfiel reviewed Jan 8, 2025
View reviewed changes
locals.tf Outdated Show resolved Hide resolved
@Shr3ps @zfiel
refactor: update locals.tf
7b3ff63 
Co-authored-by: Thierry L <50585160+zfiel@users.noreply.github.com>
@Shr3ps Shr3ps merged commit b3336c4 into claranet:master Jan 8, 2025
1 of 2 checks passed
@BzSpi
Copy link
Contributor

BzSpi commented Jan 8, 2025

Nice catch ! Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zfiel zfiel zfiel approved these changes

@Shr3ps Shr3ps Shr3ps approved these changes

@BzSpi BzSpi Awaiting requested review from BzSpi BzSpi is a code owner

@rossifumax rossifumax Awaiting requested review from rossifumax rossifumax is a code owner

@jmapro jmapro Awaiting requested review from jmapro jmapro is a code owner

@maxpoullain maxpoullain Awaiting requested review from maxpoullain maxpoullain is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] local.storage_ip_rules incorrectly modifies /30 CIDR rules
4 participants
@blongv @BzSpi @Shr3ps @zfiel