fix: allow optional storage account network rules configuration' (#93)

* fix: default storage account network rules to 'Deny' Signed-off-by: Darren Murray <[email protected]> * fix: default storage account network rules to 'Deny' Signed-off-by: Darren Murray <[email protected]> * docs: update Readme Signed-off-by: Darren Murray <[email protected]> * fix: default storage account network rules to 'Deny' Signed-off-by: Darren Murray <[email protected]> * fix: default storage account network rules to 'Deny' Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> * fix: allow storage account network rule configuration Signed-off-by: Darren Murray <[email protected]> --------- Signed-off-by: Darren Murray <[email protected]>
lacework · Nov 23, 2023 · f424502 · f424502
1 parent 2db2053
commit f424502
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -43,6 +43,7 @@ It configures a Diagnostic Setting that puts logs in an storage account, from wh
 | [azurerm_role_assignment.lacework](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.lacework](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 | [azurerm_storage_account.lacework](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
+| [azurerm_storage_account_network_rules.lacework](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules) | resource |
 | [azurerm_storage_queue.lacework](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource |
 | [lacework_integration_azure_al.lacework](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_azure_al) | resource |
 | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
@@ -67,12 +68,18 @@ It configures a Diagnostic Setting that puts logs in an storage account, from wh
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix to use at the beginning of every generated resource | `string` | `"lacework"` | no |
 | <a name="input_service_principal_id"></a> [service\_principal\_id](#input\_service\_principal\_id) | The Enterprise App Object ID related to the application\_id (required when use\_existing\_ad\_application is true) | `string` | `""` | no |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | The name of the Storage Account | `string` | `""` | no |
+| <a name="input_storage_account_network_rule_action"></a> [storage\_account\_network\_rule\_action](#input\_storage\_account\_network\_rule\_action) | Configure azurerm\_storage\_account\_network\_rules resource | `string` | `"Deny"` | no |
+| <a name="input_storage_account_network_rule_bypass"></a> [storage\_account\_network\_rule\_bypass](#input\_storage\_account\_network\_rule\_bypass) | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`. Requires `use_storage_account_network_rules` enabled. | `list(string)` | <pre>[<br>  "Metrics",<br>  "Logging",<br>  "AzureServices"<br>]</pre> | no |
+| <a name="input_storage_account_network_rule_ip_rules"></a> [storage\_account\_network\_rule\_ip\_rules](#input\_storage\_account\_network\_rule\_ip\_rules) | List of allowed ip addresses. Requires `use_storage_account_network_rules` enabled. | `list(string)` | `[]` | no |
+| <a name="input_storage_account_network_rule_lacework_ip_rules"></a> [storage\_account\_network\_rule\_lacework\_ip\_rules](#input\_storage\_account\_network\_rule\_lacework\_ip\_rules) | List of allowed Lacework ip addresses. See https://docs.lacework.net/onboarding/lacework-outbound-ips#docusaurus_skipToContent_fallback. Requires `use_storage_account_network_rules` enabled. | `list(string)` | <pre>[<br>  "34.208.85.38",<br>  "35.165.121.10",<br>  "35.165.62.149",<br>  "35.165.83.150",<br>  "35.166.181.157",<br>  "35.93.121.192/26",<br>  "44.231.201.69",<br>  "52.42.2.33",<br>  "52.43.197.121",<br>  "52.88.113.199",<br>  "54.200.230.179",<br>  "54.203.18.234",<br>  "54.213.7.200",<br>  "3.75.192.192/26",<br>  "3.121.245.162",<br>  "18.184.141.112",<br>  "18.193.166.115",<br>  "3.27.79.192/26"<br>]</pre> | no |
+| <a name="input_storage_account_network_rule_subnet_ids"></a> [storage\_account\_network\_rule\_subnet\_ids](#input\_storage\_account\_network\_rule\_subnet\_ids) | A list of virtual network subnet ids to secure the storage account. Requires `use_storage_account_network_rules` enabled. | `list(string)` | `[]` | no |
 | <a name="input_storage_account_resource_group"></a> [storage\_account\_resource\_group](#input\_storage\_account\_resource\_group) | The Resource Group for the existing Storage Account | `string` | `""` | no |
 | <a name="input_subscription_exclusions"></a> [subscription\_exclusions](#input\_subscription\_exclusions) | List of subscriptions to exclude when using the `all_subscriptions` option. | `list(string)` | `[]` | no |
 | <a name="input_subscription_ids"></a> [subscription\_ids](#input\_subscription\_ids) | List of subscriptions to enable logging (by default the module will only use the primary subscription) | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Key-value map of Tag names and Tag values | `map(string)` | `{}` | no |
 | <a name="input_use_existing_ad_application"></a> [use\_existing\_ad\_application](#input\_use\_existing\_ad\_application) | Set this to `true` to use an existing Active Directory Application | `bool` | `false` | no |
 | <a name="input_use_existing_storage_account"></a> [use\_existing\_storage\_account](#input\_use\_existing\_storage\_account) | Set this to `true` to use an existing Storage Account. Default behavior creates a new Storage Account | `bool` | `false` | no |
+| <a name="input_use_storage_account_network_rules"></a> [use\_storage\_account\_network\_rules](#input\_use\_storage\_account\_network\_rules) | Configure azurerm\_storage\_account\_network\_rules resource | `bool` | `false` | no |
 | <a name="input_wait_time"></a> [wait\_time](#input\_wait\_time) | Amount of time to wait before the Lacework resources are provisioned | `string` | `"50s"` | no |
 
 ## Outputs

diff --git a/examples/storage-account-network-rules/README.md b/examples/storage-account-network-rules/README.md
@@ -0,0 +1,27 @@
+# Integrate Azure with Lacework for Activity Log Analysis with storage account network rules
+
+The following example shows configuring storage account network rules. Whenuse_storage_account_network_rules is enabled the default network rule action is set to DENY. The Terraform Caller must be added to the allowed ip rules to enable Terraform management such as subsequent terraform apply or terraform destroy.
+
+## Sample Code
+
+```hcl
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source  = "lacework/activity-log/azure"
+  version = "~> 2.0"
+
+  use_storage_account_network_rules = true
+
+  # Example of allowed user Ip addresses. Should Include the Terraform caller.
+  storage_account_network_rule_ip_rules = ["34.208.85.38"]
+}
+```
+
+For detailed information on integrating Lacework with Azure, see [Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host](https://docs.lacework.com/onboarding/azure-compliance-and-activity-log-integrations-terraform-from-any-supported-host).
+
+For detailed information on customizing the `azurerm` provider, see [the Terraform Registry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs).
diff --git a/examples/storage-account-network-rules/main.tf b/examples/storage-account-network-rules/main.tf
@@ -0,0 +1,14 @@
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source = "../../"
+
+  use_storage_account_network_rules = true
+
+  # Example of allowed user Ip addresses. Should Include the Terraform caller.
+  storage_account_network_rule_ip_rules = ["34.208.85.38"]
+}
diff --git a/examples/storage-account-network-rules/versions.tf b/examples/storage-account-network-rules/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -71,6 +71,18 @@ resource "azurerm_storage_account" "lacework" {
   }
 }
 
+resource "azurerm_storage_account_network_rules" "lacework" {
+  count = var.use_storage_account_network_rules && !var.use_existing_storage_account ? 1 : 0
+
+  storage_account_id = local.storage_account_id
+  default_action     = var.storage_account_network_rule_action
+  bypass             = var.storage_account_network_rule_bypass
+  ip_rules           = concat(var.storage_account_network_rule_ip_rules,
+   var.storage_account_network_rule_lacework_ip_rules)
+
+  depends_on = [azurerm_storage_queue.lacework]
+}
+
 resource "azurerm_storage_queue" "lacework" {
   name = "${var.prefix}-queue-${random_id.uniq.hex}"
   storage_account_name = var.use_existing_storage_account ? (

diff --git a/variables.tf b/variables.tf
@@ -96,5 +96,57 @@ variable "infrastructure_encryption_enabled" {
   default     = false
   description = "Enable Infrastructure Encryption for Azure Storage Account"
 }
+variable "use_storage_account_network_rules" {
+  type        = bool
+  default     = false
+  description = "Configure azurerm_storage_account_network_rules resource"
+}
+variable "storage_account_network_rule_action" {
+  type        = string
+  default     = "Deny"
+  description = "Configure azurerm_storage_account_network_rules resource"
+}
+variable "storage_account_network_rule_bypass" {
+  type        = list(string)
+  default     = ["Metrics", "Logging", "AzureServices"]
+  description = "Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`. Requires `use_storage_account_network_rules` enabled."
+}
+variable "storage_account_network_rule_subnet_ids" {
+  type        = list(string)
+  default     = []
+  description = "A list of virtual network subnet ids to secure the storage account. Requires `use_storage_account_network_rules` enabled."
+}
+variable "storage_account_network_rule_ip_rules" {
+  type        = list(string)
+  default     = []
+  description = "List of allowed ip addresses. Requires `use_storage_account_network_rules` enabled."
+}
+variable "storage_account_network_rule_lacework_ip_rules" {
+  type        = list(string)
+  default     = [
+    # US
+    "34.208.85.38", 
+    "35.165.121.10",  
+    "35.165.62.149",
+    "35.165.83.150",  
+    "35.166.181.157",
+    "35.93.121.192/26",
+    "44.231.201.69",
+    "52.42.2.33",
+    "52.43.197.121",
+    "52.88.113.199",
+    "54.200.230.179",
+    "54.203.18.234",
+    "54.213.7.200",
+    # EU
+    "3.75.192.192/26",
+    "3.121.245.162",
+    "18.184.141.112",
+    "18.193.166.115",
+    # APAC
+    "3.27.79.192/26"
+  ]
+  description = "List of allowed Lacework ip addresses. See https://docs.lacework.net/onboarding/lacework-outbound-ips#docusaurus_skipToContent_fallback. Requires `use_storage_account_network_rules` enabled."
+}