Skip to content

Commit

Permalink
Lock down Azure storage account per best practices (#447)
Browse files Browse the repository at this point in the history
Implement the following based on [published
recommendations](https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations):

- Disallow shared key access and only allow Microsoft Entra ID
  authentication.
- Default to OAuth for Azure portal access to Azure storage account.
- Only allow network traffic from configured Accumulo VNET.
- Disallow public blob access at storage account level (container /
  filesystem level was already disallowed).
  • Loading branch information
arvindshmicrosoft authored Nov 14, 2024
1 parent 6e2b39c commit f072bd2
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 0 deletions.
23 changes: 23 additions & 0 deletions ansible/roles/azure/tasks/create_adlsgen2.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,9 @@
regexp: '^instance_volumes_adls\s*=\s*|^[#]instance_volumes_adls\s*=\s*'
line: "instance_volumes_adls = {{ InstanceVolumes|join(',') }}"

# Create (or set) the storage account. Public network access is allowed at this
# stage so that storage container / ADLS Gen2 filesystem can be created later.
# Public network access is disabled in a later step.
# Not registering variable because storage values are not visible immediately
- name: Create ADLS Gen2 storage account
azure.azcollection.azure_rm_storageaccount:
Expand All @@ -85,6 +88,12 @@
kind: "StorageV2"
is_hns_enabled: True
location: "{{ location }}"
allow_shared_key_access: False
allow_blob_public_access: False
default_to_o_auth_authentication: True
public_network_access: "Enabled"
network_acls:
default_action: "Allow"
loop: "{{ InstanceVolumes }}"

# Creating User Assigned identity with vmss_name suffixed by ua-msi if not specified in muchos.props
Expand Down Expand Up @@ -189,12 +198,26 @@
resource_group: "{{ resource_group }}"
storage_account_name: "{{ item.split('@')[1].split('.')[0] }}"
container: "{{ item.split('@')[0].split('://')[1] }}"
auth_mode: "login"
retries: 20
delay: 30
register: createfsresult
until: createfsresult is succeeded and ((not createfsresult.changed) or (createfsresult.changed and createfsresult.container|length > 0))
loop: "{{ InstanceVolumes }}"

- name: Only allow VNET to access the storage account
azure.azcollection.azure_rm_storageaccount:
resource_group: "{{ resource_group }}"
name: "{{ item.split('@')[1].split('.')[0] }}"
public_network_access: "Enabled"
network_acls:
default_action: "Deny"
bypass: "None"
virtual_network_rules:
- id: "/subscriptions/{{ azure_subscription_id }}/resourceGroups/{{ resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ vnet }}/subnets/{{ subnet }}"
action: "Allow"
loop: "{{ InstanceVolumes }}"

# Retrieve tenantId for core-site.xml
- name: Update tenantId in muchos.props
lineinfile:
Expand Down
4 changes: 4 additions & 0 deletions ansible/roles/azure/tasks/create_common_resources.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,3 +63,7 @@
virtual_network_name: "{{ vnet }}"
name: "{{ subnet }}"
address_prefix_cidr: "{{ subnet_cidr }}"
service_endpoints:
- service: "Microsoft.Storage"
locations:
- "{{ location }}"

0 comments on commit f072bd2

Please sign in to comment.