Merge pull request #164 from Azure/gb-kvwhitelist

Key Vault IP AllowList

Author: Gordon Byers

.github/workflows/ghpages.yml

@@ -25,7 +25,7 @@ on:
         required: false
 
 env:
-  templateRelease: 0.3.5
+  templateRelease: 0.4.0-preview
   AZCLIVERSION: 2.30.0 #2.29.2 #2.26.0 #latest
   RG: "Automation-Actions-AksPublishCI"
 

.github/workflows_dep/regressionparams/key-vault.json

@@ -38,7 +38,7 @@
     "createKV": {
       "value": true
     },
-    "kvIPWhitelist": {
+    "kvIPAllowlist": {
       "value": [
         "1.2.3.4/32"
       ]

bicep/compiled/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.4.1008.15138",
-      "templateHash": "10327328712553938589"
+      "templateHash": "1113433167775496239"
     }
   },
   "parameters": {
@@ -120,11 +120,11 @@
         "description": "If purge protection is enabled"
       }
     },
-    "kvIPWhitelist": {
+    "kvIPAllowlist": {
       "type": "array",
       "defaultValue": [],
       "metadata": {
-        "description": "Add IP to firewall whitelist"
+        "description": "Add IP to KV firewall allow-list"
       }
     },
     "kvOfficerRolePrincipalId": {
@@ -401,6 +401,15 @@
   },
   "functions": [],
   "variables": {
+    "copy": [
+      {
+        "name": "kvIPRules",
+        "count": "[length(parameters('kvIPAllowlist'))]",
+        "input": {
+          "value": "[parameters('kvIPAllowlist')[copyIndex('kvIPRules')]]"
+        }
+      }
+    ],
     "aks_byo_identity": "[or(parameters('custom_vnet'), not(empty(parameters('byoAKSSubnetId'))))]",
     "existingAksVnetRG": "[if(not(empty(parameters('byoAKSSubnetId'))), if(greater(length(split(parameters('byoAKSSubnetId'), '/')), 4), split(parameters('byoAKSSubnetId'), '/')[4], ''), '')]",
     "existingAGWSubnetName": "[if(not(empty(parameters('byoAGWSubnetId'))), if(greater(length(split(parameters('byoAGWSubnetId'), '/')), 10), split(parameters('byoAGWSubnetId'), '/')[10], ''), '')]",
@@ -532,8 +541,8 @@
           "family": "A",
           "name": "standard"
         },
-        "publicNetworkAccess": "[if(and(parameters('privateLinks'), empty(parameters('kvIPWhitelist'))), 'disabled', 'enabled')]",
-        "networkAcls": "[if(and(parameters('privateLinks'), not(empty(parameters('kvIPWhitelist')))), createObject('bypass', 'AzureServices', 'defaultAction', 'Deny', 'ipRules', parameters('kvIPWhitelist'), 'virtualNetworkRules', createArray()), createObject())]",
+        "publicNetworkAccess": "[if(and(parameters('privateLinks'), empty(parameters('kvIPAllowlist'))), 'disabled', 'enabled')]",
+        "networkAcls": "[if(and(parameters('privateLinks'), not(empty(parameters('kvIPAllowlist')))), createObject('bypass', 'AzureServices', 'defaultAction', 'Deny', 'ipRules', variables('kvIPRules'), 'virtualNetworkRules', createArray()), createObject())]",
         "enableRbacAuthorization": true,
         "enabledForDeployment": false,
         "enabledForDiskEncryption": false,

bicep/main.bicep

@@ -159,11 +159,15 @@ param KeyVaultSoftDelete bool = true
 @description('If purge protection is enabled')
 param KeyVaultPurgeProtection bool = true
 
-@description('Add IP to firewall whitelist')
-param kvIPWhitelist array = []
+@description('Add IP to KV firewall allow-list')
+param kvIPAllowlist array = []
 
 var akvName = 'kv-${replace(resourceName, '-', '')}'
 
+var kvIPRules = [for kvIp in kvIPAllowlist: {
+  value: kvIp
+}]
+
 resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = if (createKV) {
   name: akvName
   location: location
@@ -174,12 +178,12 @@ resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = if (createKV) {
       name: 'standard'
     }
     // publicNetworkAccess:  whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked.
-    publicNetworkAccess: privateLinks && empty(kvIPWhitelist) ? 'disabled' : 'enabled'
+    publicNetworkAccess: privateLinks && empty(kvIPAllowlist) ? 'disabled' : 'enabled'
 
-    networkAcls: privateLinks && !empty(kvIPWhitelist) ? {
+    networkAcls: privateLinks && !empty(kvIPAllowlist) ? {
       bypass: 'AzureServices'
       defaultAction: 'Deny'
-      ipRules: kvIPWhitelist
+      ipRules: kvIPRules
       virtualNetworkRules: []
     } : {}
 

helper/.playwrighttests/helper-export-az-commands.spec.js

@@ -18,6 +18,7 @@ test('test', async ({ page }) => {
   //Save the contents of the az cmd box to file
   const clitextboxrevisted = await page.$('[data-testid="deploy-deploycmd"]')
   const azcmdManagedPrivate =await clitextboxrevisted.innerText();
+  console.log(azcmdManagedPrivate);
   fs.writeFileSync('azcmd-managed-private.sh', azcmdManagedPrivate);
 
 });

helper/src/components/deployTab.js

@@ -45,7 +45,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(net.afw && { azureFirewalls: true, ...(addons.certMan && {certManagerFW: true}), ...(net.vnet_opt === "custom" && defaults.net.vnetFirewallSubnetAddressPrefix !== net.vnetFirewallSubnetAddressPrefix && { vnetFirewallSubnetAddressPrefix: net.vnetFirewallSubnetAddressPrefix }) }),
     ...(net.vnet_opt === "custom" && net.vnetprivateend && {
         privateLinks: true,
-        ...(addons.csisecret === 'akvNew' && deploy.kvIPWhitelist  && apiips_array.length > 0 && {kvIPWhitelist: apiips_array.map(v => {return {"value": v}}) }),
+        ...(addons.csisecret === 'akvNew' && deploy.kvIPAllowlist  && apiips_array.length > 0 && {kvIPAllowlist: apiips_array }),
         ...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}),
     }),
     ...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }),
@@ -309,7 +309,7 @@ ${cluster.apisecurity === "private" ? `az aks command invoke -g ${deploy.rg} -n
           <Stack.Item>
             <Label>Grant Key Vault Certificate and Secret Officer role <a target="_target" href="https://docs.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations">docs</a></Label>
             <Checkbox disabled={addons.csisecret !== 'akvNew'} checked={deploy.kvCertSecretRole} onChange={(ev, v) => updateFn("kvCertSecretRole", v)} label="Assign deployment user Certificate and Secret Officer" />
-            <Checkbox disabled={addons.csisecret !== 'akvNew' || !net.vnetprivateend} checked={deploy.kvIPWhitelist} onChange={(ev, v) => updateFn("kvIPWhitelist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" />
+            <Checkbox disabled={addons.csisecret !== 'akvNew' || !net.vnetprivateend} checked={deploy.kvIPAllowlist} onChange={(ev, v) => updateFn("kvIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" />
           </Stack.Item>
 
         </Stack>

helper/src/config.json

@@ -15,7 +15,7 @@
             "disablePreviews": false,
             "acrPushRole": true,
             "kvCertSecretRole": true,
-            "kvIPWhitelist": false,
+            "kvIPAllowlist": false,
             "clusterAdminRole": true,
             "clusterIPWhitelist" : true
         },
@@ -235,7 +235,7 @@
                     "icon": "Unlock",
                     "values": {
                         "deploy": {
-                            "kvIPWhitelist": false
+                            "kvIPAllowlist": false
                         },
                         "cluster": {
                             "enable_aad": false,
@@ -301,7 +301,7 @@
                     "icon": "Lock12",
                     "values": {
                         "deploy": {
-                            "kvIPWhitelist": false
+                            "kvIPAllowlist": false
                         },
                         "cluster": {
                             "enable_aad": true,
@@ -399,7 +399,7 @@
                     "icon": "ProtectionCenterLogo32",
                     "values": {
                         "deploy": {
-                            "kvIPWhitelist": true
+                            "kvIPAllowlist": true
                         },
                         "cluster": {
                             "enable_aad": true,