
Azure Key Vault allow public access from specific virtual networks and IP addresses #25414

Open
Sbargaoui opened this issue Mar 26, 2024 · 3 comments

Comments

@Sbargaoui

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.5

AzureRM Provider Version

3.97.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "vault" {
  name                            = var.key_vault_name
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = azurerm_resource_group.rg.location
  sku_name                        = lower(var.key_vault_sku_name)
  tenant_id                       = var.tenant_id
  soft_delete_retention_days      = var.key_vault_soft_delete_retention_days
  purge_protection_enabled        = var.key_vault_purge_protection_enabled
  enabled_for_deployment          = var.key_vault_enabled_for_deployment
  enabled_for_disk_encryption     = var.key_vault_enabled_for_disk_encryption
  enabled_for_template_deployment = var.key_vault_enabled_for_template_deployment
  enable_rbac_authorization       = var.key_vault_enable_rbac_authorization
  # With this set to false, the network_acls block below is not applied (see Actual Behaviour)
  public_network_access_enabled   = false
  tags                            = merge({ "ResourceName" = var.key_vault_name }, var.tags, )

  dynamic "access_policy" {
    for_each = var.key_vault_access_policies
    content {
      tenant_id          = var.tenant_id
      object_id          = access_policy.value.object_id
      secret_permissions = access_policy.value.secret_permissions
    }
  }

  dynamic "network_acls" {
    for_each = var.key_vault_network_acls != null ? { this = var.key_vault_network_acls } : {}
    content {
      bypass                     = network_acls.value.bypass
      default_action             = network_acls.value.default_action
      ip_rules                   = [var.runner_ip_address]
      virtual_network_subnet_ids = azurerm_subnet.undelegated_subnets[*].id
    }
  }
}

Debug Output/Panic Output

N/A

Expected Behaviour

Resource azurerm_key_vault should support allowing public access from specific virtual networks and IP addresses when a network_acls is specified.

Actual Behaviour

Resource azurerm_key_vault only supports Allow public access from all networks or Disable public access even when specifying a network_acls block in order to allow public access from specific virtual networks and IP addresses.
The network_acls is taken into account when manually switching to Allow public access from specific virtual networks and IP addresses as shown in the screenshot.
[screenshot: keyvault network settings]

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

@wuxu92
Contributor

wuxu92 commented Mar 27, 2024

@Sbargaoui Thank you for raising this issue. I have had a try with the Portal; it looks different from your post. To allow public access from selected networks, you have to enable Public network access first. Would you try your Terraform configuration with public_network_access_enabled=true and give ACLs with specific networks?

[screenshot: portal network settings]

@tne-ipt

tne-ipt commented Apr 11, 2024

> @Sbargaoui Thank you for raising this issue. I have had a try with the Portal; it looks different from your post. To allow public access from selected networks, you have to enable Public network access first. Would you try your Terraform configuration with public_network_access_enabled=true and give ACLs with specific networks?

The settings in the portal look different when you create a new Key Vault than when you update an existing one.
But you are right, after setting public_network_access_enabled = true and network_acls to something like this:

network_acls {
  default_action = "Deny"

  bypass                     = "AzureServices"
  virtual_network_subnet_ids = [
    azurerm_subnet.subnetxy.id
  ]
}

in the portal the option "Allow public access from specific virtual networks and IP addresses" is selected and the VNet is set accordingly.

@Sbargaoui
Author

It appears that there's a distinction in behavior between creating a new key vault resource and updating an existing one.

When configuring a network_acls block with public_network_access_enabled=true, the expected behavior is to Allow public access from specific virtual networks and IP addresses, which aligns with the intended functionality.

However, issues arise when attempting to update an existing resource to restrict access solely to specific sources, especially if it was initially configured as fully private or fully public. This inconsistency in behavior during updates is where the problem lies.
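An added audit helper (not code from the issue or the AzureRM provider) that classifies a vault's deployed state into the three portal options the thread discusses, flagging the case from the original report where network_acls is present but public network access is disabled. It assumes the ARM property names publicNetworkAccess and networkAcls (defaultAction, bypass, ipRules, virtualNetworkRules); the vault properties it runs on are constructed samples.

```python
"""Classify a Key Vault's effective network exposure from its ARM properties.

Added example, not code from the issue or the AzureRM provider. Field names follow
the Key Vault ARM resource (publicNetworkAccess, networkAcls.defaultAction, ipRules,
virtualNetworkRules, bypass); mapping each combination to a portal option is the
thread's conclusion and an assumption here. Sample vault properties are constructed.
"""
ALL_NETWORKS = "Allow public access from all networks"
SPECIFIC = "Allow public access from specific virtual networks and IP addresses"
DISABLED = "Disable public access"


def classify_exposure(props: dict) -> tuple[str, list[str]]:
    """Return (portal-style option, audit findings) for one vault's properties."""
    findings = []
    public = props.get("publicNetworkAccess", "Enabled")  # assumed ARM default
    acls = props.get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")
    has_rules = bool(acls.get("ipRules") or acls.get("virtualNetworkRules"))

    if public == "Disabled":
        # The issue's original config: ACLs present but not in effect
        if has_rules or default_action == "Deny":
            findings.append("networkAcls ignored while publicNetworkAccess=Disabled")
        return DISABLED, findings

    if default_action == "Deny":
        if not has_rules and acls.get("bypass", "None") == "None":
            findings.append("Deny with no rules and no bypass: nothing can reach the public endpoint")
        return SPECIFIC, findings

    # Enabled + Allow: the rule list does not restrict anything
    findings.append("publicNetworkAccess=Enabled with defaultAction=Allow: reachable from any network")
    if has_rules:
        findings.append("ipRules/virtualNetworkRules have no effect while defaultAction=Allow")
    return ALL_NETWORKS, findings


# Constructed samples (placeholder IDs), mirroring the thread's configurations
ISSUE_CONFIG = {  # public_network_access_enabled = false plus network_acls
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                    "ipRules": [{"value": "203.0.113.10"}],
                    "virtualNetworkRules": [{"id": "<undelegated-subnet-id>"}]},
}
FIXED_CONFIG = {**ISSUE_CONFIG, "publicNetworkAccess": "Enabled"}  # wuxu92's suggestion
OPEN_CONFIG = {"publicNetworkAccess": "Enabled",
               "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}}
```

Feed it the properties object from the deployed resource (for example the output of a resource query against the vault) to confirm the Terraform-applied state matches the option you expect in the portal.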
