Merge pull request #1096 from Thorium/master

Storage-accounts: Add restrict_to_ips taking a list of IPs
CompositionalIT · Feb 22, 2024 · 5f93acc · 5f93acc
2 parents 9edce10 + c57815a
commit 5f93acc
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -2,6 +2,7 @@ Release Notes
 =============
 
 ## 1.8.8
+* Storage accounts: restrict_to_ips to support a list of IPs.
 * Virtual Machines: Adds [CBL Mariner 2.0](https://microsoft.github.io/CBL-Mariner/docs/) images.
 
 ## 1.8.7

diff --git a/docs/content/api-overview/resources/storage-account.md b/docs/content/api-overview/resources/storage-account.md
@@ -35,6 +35,7 @@ The Storage Account builder creates storage accounts and their associated contai
 | add_policies | Adds a list of Policies to the different storage services |
 | enable_versioning | Enabled versioning for different storage services |
 | restrict_to_ip | Restrict access to a given ip address |
+| restrict_to_ips | Restrict access to a given ip address list |
 | restrict_to_subnet | Restrict access to a given virtual network subnet |
 | restrict_to_azure_services | Restrict access to a given set of Azure Services. (Used when access to the storage account already controlled by private endpoint) |
 | disable_public_network_access | Disables public network access to the storage account |

diff --git a/src/Farmer/Builders/Builders.Storage.fs b/src/Farmer/Builders/Builders.Storage.fs
@@ -569,6 +569,37 @@ type StorageAccountBuilder() =
                     |> Some
             }
 
+    [<CustomOperation "restrict_to_ips">]
+    member this.RestrictToIps(state: StorageAccountConfig, ips: string list) =
+        let allowIps =
+            ips
+            |> List.map (fun ip ->
+                {
+                    Value = IpRuleAddress(System.Net.IPAddress.Parse ip)
+                    Action = RuleAction.Allow
+                })
+
+        match state.NetworkAcls with
+        | None ->
+            { state with
+                NetworkAcls =
+                    {
+                        Bypass = set [ NetworkRuleSetBypass.AzureServices ]
+                        VirtualNetworkRules = []
+                        IpRules = allowIps
+                        DefaultAction = RuleAction.Deny
+                    }
+                    |> Some
+            }
+        | Some existingAcl ->
+            { state with
+                NetworkAcls =
+                    { existingAcl with
+                        IpRules = allowIps @ existingAcl.IpRules
+                    }
+                    |> Some
+            }
+
     /// Restrict access to this storage account to the private endpoints and azure services.
     [<CustomOperation "restrict_to_azure_services">]
     member _.RestrictToAzureServices(state: StorageAccountConfig, bypass: NetworkRuleSetBypass list) =

diff --git a/src/Tests/Storage.fs b/src/Tests/Storage.fs
@@ -545,15 +545,16 @@ let tests =
                     storageAccount {
                         name "onlymyhouse24125"
                         restrict_to_ip "8.8.8.8"
+                        restrict_to_ips [ "1.2.3.4" ]
                         restrict_to_prefix "8.8.8.0/24"
                     }
 
                 let generated = arm { add_resource storage } |> getStorageResource
-                Expect.hasLength generated.NetworkRuleSet.IpRules 2 "Wrong number of IP rules"
+                Expect.hasLength generated.NetworkRuleSet.IpRules 3 "Wrong number of IP rules"
 
                 Expect.containsAll
                     (generated.NetworkRuleSet.IpRules |> Seq.map (fun rule -> rule.IPAddressOrRange))
-                    [ "8.8.8.8"; "8.8.8.0/24" ]
+                    [ "8.8.8.8"; "1.2.3.4"; "8.8.8.0/24" ]
                     "Missing IP rules"
             }
             test "Restrict to vnet" {