This is an automated email from the ASF dual-hosted git repository.
arvindsh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fluo-muchos.git
The following commit(s) were added to refs/heads/main by this push:
new f072bd2 Lock down Azure storage account per best practices (#447)
f072bd2 is described below
commit f072bd2c7a134ad5023e18b7d824147c350a4454
Author: Arvind Shyamsundar <[email protected]>
AuthorDate: Thu Nov 14 15:44:18 2024 -0800
Lock down Azure storage account per best practices (#447)
Implement the following based on [published
recommendations](https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations):
- Disallow shared key access and only allow Microsoft Entra ID
authentication.
- Default to OAuth for Azure portal access to Azure storage account.
- Only allow network traffic from the configured Accumulo VNET.
- Disallow public blob access at storage account level (container /
filesystem level was already disallowed).
---
ansible/roles/azure/tasks/create_adlsgen2.yml | 23 ++++++++++++++++++++++
.../roles/azure/tasks/create_common_resources.yml | 4 ++++
2 files changed, 27 insertions(+)
diff --git a/ansible/roles/azure/tasks/create_adlsgen2.yml
b/ansible/roles/azure/tasks/create_adlsgen2.yml
index 372b50f..77cbb83 100644
--- a/ansible/roles/azure/tasks/create_adlsgen2.yml
+++ b/ansible/roles/azure/tasks/create_adlsgen2.yml
@@ -75,6 +75,9 @@
regexp: '^instance_volumes_adls\s*=\s*|^[#]instance_volumes_adls\s*=\s*'
line: "instance_volumes_adls = {{ InstanceVolumes|join(',') }}"
+# Create (or set) the storage account. Public network access is allowed at this
+# stage so that storage container / ADLS Gen2 filesystem can be created later.
+# Public network access is disabled in a later step.
# Not registering variable because storage values are not visible immediately
- name: Create ADLS Gen2 storage account
azure.azcollection.azure_rm_storageaccount:
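Review bot: The third added comment line states that public network access is disabled in a later step, but the lockdown task added further down this file keeps `public_network_access: "Enabled"` and instead sets `network_acls.default_action: "Deny"` with a subnet rule, which is the "selected networks" state, not disabled. Anyone auditing the account against this comment will expect the wrong configuration. Suggest `# A later step sets the network ACL default action to Deny so that only the configured subnet can reach the account.` The task that follows continues outside this hunk.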
@@ -85,6 +88,12 @@
kind: "StorageV2"
is_hns_enabled: True
location: "{{ location }}"
+ allow_shared_key_access: False
+ allow_blob_public_access: False
+ default_to_o_auth_authentication: True
+ public_network_access: "Enabled"
+ network_acls:
+ default_action: "Allow"
loop: "{{ InstanceVolumes }}"
# Creating User Assigned identity with vmss_name suffixed by ua-msi if not
specified in muchos.props
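Review bot: `network_acls: default_action: "Allow"` belongs to a task that runs on every play, not only on first creation, so a re-run reopens an already locked-down account to all networks until the later lockdown task runs again (this assumes azure_rm_storageaccount writes network_acls whenever the value differs from the current one; please confirm against the module). With `allow_shared_key_access: False` and `allow_blob_public_access: False` that window is limited to Entra-authenticated principals, but the task should say so, e.g. `# NOTE: re-runs transiently reset the ACL to Allow; the lockdown task below restores Deny.`, or query the account with `azure_rm_storageaccount_info` first and only use Allow when it does not exist yet. Minor style: yamllint's truthy rule and Ansible guidance prefer lowercase `true`/`false`; the new booleans follow the existing `is_hns_enabled: True`, so either convert the whole task or keep it consistent as is.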
@@ -189,12 +198,26 @@
resource_group: "{{ resource_group }}"
storage_account_name: "{{ item.split('@')[1].split('.')[0] }}"
container: "{{ item.split('@')[0].split('://')[1] }}"
+ auth_mode: "login"
retries: 20
delay: 30
register: createfsresult
until: createfsresult is succeeded and ((not createfsresult.changed) or
(createfsresult.changed and createfsresult.container|length > 0))
loop: "{{ InstanceVolumes }}"
+- name: Only allow VNET to access the storage account
+ azure.azcollection.azure_rm_storageaccount:
+ resource_group: "{{ resource_group }}"
+ name: "{{ item.split('@')[1].split('.')[0] }}"
+ public_network_access: "Enabled"
+ network_acls:
+ default_action: "Deny"
+ bypass: "None"
+ virtual_network_rules:
+ - id: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{
resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ vnet
}}/subnets/{{ subnet }}"
+ action: "Allow"
+ loop: "{{ InstanceVolumes }}"
+
# Retrieve tenantId for core-site.xml
- name: Update tenantId in muchos.props
lineinfile:
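Review bot: The new lockdown task only runs if the preceding filesystem task succeeds; when that `until` loop exhausts its 20 retries the play aborts and the account created earlier stays at `default_action: "Allow"` for all networks, with nothing left to close it. Placing the filesystem task in a `block:` and the lockdown task in its `always:` section applies the Deny rule on both the success and failure paths. The subnet rule also depends on the `Microsoft.Storage` service endpoint this commit adds in create_common_resources.yml, and `bypass: "None"` additionally denies trusted Azure services such as log and metric delivery; both are worth a comment on the task, e.g. `# Requires the Microsoft.Storage service endpoint on the subnet (create_common_resources.yml); bypass None also denies trusted Azure services.` After this task any data-plane access from outside the subnet, including the host running this playbook if it is not inside the VNET, is denied, which appears to be the intent but should be stated.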
diff --git a/ansible/roles/azure/tasks/create_common_resources.yml
b/ansible/roles/azure/tasks/create_common_resources.yml
index 71c9f70..45d06c5 100644
--- a/ansible/roles/azure/tasks/create_common_resources.yml
+++ b/ansible/roles/azure/tasks/create_common_resources.yml
@@ -63,3 +63,7 @@
virtual_network_name: "{{ vnet }}"
name: "{{ subnet }}"
address_prefix_cidr: "{{ subnet_cidr }}"
+ service_endpoints:
+ - service: "Microsoft.Storage"
+ locations:
+ - "{{ location }}"
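Review bot: The `Microsoft.Storage` service endpoint is what makes the storage account's `virtual_network_rules` in create_adlsgen2.yml enforceable, but nothing here records that dependency, so a later cleanup could drop it and the storage lockdown would silently stop applying. Suggest `# Required for the storage account virtual_network_rules in create_adlsgen2.yml.` above `service_endpoints:`. `locations` is pinned to the single `{{ location }}`, which matches the storage account's location in create_adlsgen2.yml; if a geo-redundant SKU with read access to the secondary region is ever used, the paired region would presumably need listing as well (verify against the Azure documentation). The subnet task begins outside this hunk.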