Core key vault firewall should not be set to "Allow public access from all networks"

CHANGELOG.md

@@ -32,6 +32,7 @@ ENHANCEMENTS:
 * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

core/terraform/deploy.sh

@@ -5,6 +5,14 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# add trap to remove deployment network exceptions
+# shellcheck disable=SC1091
+trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+# shellcheck disable=SC1091
+source "../../devops/scripts/add_deployment_network_exceptions.sh"
+
 # This is where we can migrate any Terraform before we plan and apply
 # For instance deprecated Terraform resources
 # shellcheck disable=SC1091

core/terraform/destroy.sh

@@ -5,6 +5,14 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
+# add trap to remove deployment network exceptions
+# shellcheck disable=SC1091
+trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+# shellcheck disable=SC1091
+source "../../devops/scripts/add_deployment_network_exceptions.sh"
+
 # These variables are loaded in for us
 # shellcheck disable=SC2154
 ../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \

core/terraform/keyvault.tf

@@ -1,14 +1,48 @@
 resource "azurerm_key_vault" "kv" {
-  name                      = "kv-${var.tre_id}"
+  name                      = local.kv_name
   tenant_id                 = data.azurerm_client_config.current.tenant_id
   location                  = azurerm_resource_group.core.location
   resource_group_name       = azurerm_resource_group.core.name
   sku_name                  = "standard"
   enable_rbac_authorization = true
   purge_protection_enabled  = var.kv_purge_protection_enabled
-  tags                      = local.tre_core_tags
+  tags                      = merge(local.tre_core_tags, { (local.tre_deployment_network_exception_tag) = "true" })
 
-  lifecycle { ignore_changes = [access_policy, tags] }
+  public_network_access_enabled = local.kv_public_network_access_enabled
+
+  network_acls {
+    default_action = local.kv_network_default_action
+    bypass         = local.kv_network_bypass
+    ip_rules       = [local.myip] # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh
+  }
+
+  lifecycle {
+    ignore_changes = [access_policy, tags]
+  }
+
+  # create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970
+  #
+  provisioner "local-exec" {
+    when    = create
+    command = <<EOT
+az keyvault update --name ${local.kv_name} --public-network-access ${local.kv_public_network_access_enabled ? "Enabled" : "Disabled"} --default-action ${local.kv_network_default_action} --bypass ${local.kv_network_bypass} --output none
+az keyvault network-rule add --name ${local.kv_name} --ip-address ${local.myip} --output none
+EOT
+  }
+}
+
+# provisioner required due to ignore_changes = [tags] in azurerm_key_vault.kv
+#
+resource "null_resource" "add_deployment_tag" {
+  triggers = {
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command = "az resource update --ids ${azurerm_key_vault.kv.id} --set 'tags.${local.tre_deployment_network_exception_tag}=\"true\"' --output none"
+  }
+
+  depends_on = [azurerm_key_vault.kv]
 }
 
 resource "azurerm_role_assignment" "keyvault_deployer_role" {

core/terraform/locals.tf

@@ -46,4 +46,14 @@ locals {
 
   cmk_name                 = "tre-encryption-${var.tre_id}"
   encryption_identity_name = "id-encryption-${var.tre_id}"
+
+  # used to tag resources (e.g. kv, sa) that require a IP exception for the deployment runner
+  # adding to their network firewall during TRE deployment (and removing at the end of deployment)
+  tre_deployment_network_exception_tag = "tre_deployment_network_exception"
+
+  # key vault variables
+  kv_name                          = "kv-${var.tre_id}"
+  kv_public_network_access_enabled = true
+  kv_network_default_action        = var.enable_local_debugging ? "Allow" : "Deny"
+  kv_network_bypass                = "AzureServices"
 }

core/terraform/main.tf

@@ -21,6 +21,10 @@ terraform {
       source  = "Azure/azapi"
       version = "~> 1.15.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "3.2.3"
+    }
   }
 
   backend "azurerm" {}

core/terraform/scripts/letsencrypt.sh

@@ -3,6 +3,15 @@ set -e
 
 script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
 
+# add trap to remove deployment network exceptions on script exit
+# shellcheck disable=SC1091
+trap 'source "$script_dir/../../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+# shellcheck disable=SC1091
+source "$script_dir/../../../devops/scripts/add_deployment_network_exceptions.sh"
+
+
 if [[ -z ${STORAGE_ACCOUNT} ]]; then
   echo "STORAGE_ACCOUNT not set"
   exit 1

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.16"
+__version__ = "0.11.17"

devops/scripts/add_deployment_network_exceptions.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception"
+
+function main() {
+
+    set -o errexit
+    set -o pipefail
+
+
+    # parse params/set up inputs
+    #
+    if [[ -z "$TRE_ID" ]]; then
+      echo -e "Could not open deployment network exceptions: TRE_ID is not set\nExiting...\n"
+      exit 1
+    fi
+
+    local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+    if [[ -z "$MY_IP" ]]; then
+      MY_IP=$(curl -s "ipecho.net/plain"; echo)
+    fi
+
+    local TRE_CORE_RG="rg-${TRE_ID}"
+
+
+    # find resources that require network exceptions
+    #
+    echo -e "\nQuerying resources that require network exceptions adding for deployment..."
+
+    if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then
+        echo -e " Core resource group $TRE_CORE_RG not found\n"
+        return 0
+    fi
+
+    local AZ_IDS
+    AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv)
+
+    if [ -z "$AZ_IDS" ]; then
+      echo -e " No resources found\n"
+      return 0
+    fi
+
+
+    # add network exceptions
+    #
+    local AZ_ID
+    for AZ_ID in $AZ_IDS; do
+
+      local RESOURCE_TYPE
+      RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)
+
+      if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
+        add_keyvault_network_exception "$AZ_ID" "$MY_IP"
+      fi
+
+    done
+
+    echo ""
+
+}
+
+function add_keyvault_network_exception() {
+  local AZ_ID="$1"
+  local MY_IP="$2"
+
+  local KV_NAME
+  KV_NAME=$(basename "$AZ_ID")
+
+  echo " Adding keyvault deployment network exception for $KV_NAME"
+
+  az keyvault network-rule add --name "$KV_NAME" --ip-address "$MY_IP" --output none
+
+  local ATTEMPT=1
+  local MAX_ATTEMPTS=10
+
+  while true; do
+
+    if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then
+      echo "  Keyvault $KV_NAME is now accessible"
+      break
+    fi
+
+    if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+      echo -e "Could not add deployment network exception for $KV_NAME"
+      echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n"
+      echo -e "$KV_OUTPUT\n"
+
+      exit 1
+    fi
+
+    echo "  Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect."
+    sleep 5
+    ((ATTEMPT++))
+
+  done
+
+}
+
+main "$@"

devops/scripts/destroy_env_no_terraform.sh

@@ -66,6 +66,16 @@ then
   no_wait_option="--no-wait"
 fi
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# add trap to remove deployment network exceptions on script exit
+# shellcheck disable=SC1091
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+# shellcheck disable=SC1091
+source "$script_dir/add_deployment_network_exceptions.sh"
+
 group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?)
 if [[ "$group_show_result" !=  "0" ]]; then
   echo "Resource group ${core_tre_rg} not found - skipping destroy"

devops/scripts/key_vault_list.sh

@@ -7,11 +7,21 @@ fi
 
 echo "DEBUG: Check keyvault and secrets exist"
 
+script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+
+# add trap to remove deployment network exceptions on script exit
+# shellcheck disable=SC1091
+trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT
+
+# now add deployment network exceptions
+# shellcheck disable=SC1091
+source "$script_dir/add_deployment_network_exceptions.sh"
+
 echo "az keyvault show"
-az keyvault show --name kv-${TRE_ID}
+az keyvault show --name "kv-${TRE_ID}"
 
 echo "az keyvault secret list"
-az keyvault secret list --vault-name kv-${TRE_ID}
+az keyvault secret list --vault-name "kv-${TRE_ID}"
 
 echo "az keyvault secret list-deleted"
-az keyvault secret list-deleted --vault-name kv-${TRE_ID}
+az keyvault secret list-deleted --vault-name "kv-${TRE_ID}"

devops/scripts/remove_deployment_network_exceptions.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception"
+
+function main() {
+
+    set -o errexit
+    set -o pipefail
+
+
+    # parse params/set up inputs
+    #
+    if [[ -z "$TRE_ID" ]]; then
+      echo -e "Could not close deployment network exceptions: TRE_ID is not set\nExiting...\n"
+      exit 1
+    fi
+
+    local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+    if [[ -z "$MY_IP" ]]; then
+      MY_IP=$(curl -s "ipecho.net/plain"; echo)
+    fi
+
+    local TRE_CORE_RG="rg-${TRE_ID}"
+
+
+    # find resources that require network exceptions
+    #
+    echo -e "\nQuerying resources that require network exceptions removing for deployment..."
+
+    if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then
+        echo -e " Core resource group $TRE_CORE_RG not found\n"
+        return 0
+    fi
+
+    local AZ_IDS
+    AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv)
+
+    if [ -z "$AZ_IDS" ]; then
+      echo -e " No resources found\n"
+      return 0
+    fi
+
+
+    # remove network exceptions
+    #
+    local AZ_ID
+    for AZ_ID in $AZ_IDS; do
+
+      local RESOURCE_TYPE
+      RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv)
+
+      if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then
+        remove_keyvault_network_exception "$AZ_ID" "$MY_IP"
+      fi
+
+    done
+
+    echo ""
+
+}
+
+function remove_keyvault_network_exception() {
+  local AZ_ID="$1"
+  local MY_IP="$2"
+
+  local KV_NAME
+  KV_NAME=$(basename "$AZ_ID")
+
+  echo " Removing keyvault deployment network exception for $KV_NAME"
+
+  az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none
+}
+
+main "$@"