Skip adding network rules to storage accounts that don't need them du…
…ring cleanup
benbp authored and azure-sdk committed Jul 11, 2024
1 parent e4535b3 commit ae6ae36
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions eng/common/scripts/Helpers/Resource-Helpers.ps1
Expand Up @@ -308,8 +308,8 @@ function Remove-WormStorageAccounts() {
}
}

function SetResourceNetworkAccessRules([string]$ResourceGroupName, [array]$AllowIpRanges, [switch]$CI) {
SetStorageNetworkAccessRules -ResourceGroupName $ResourceGroupName -AllowIpRanges $AllowIpRanges -CI:$CI
function SetResourceNetworkAccessRules([string]$ResourceGroupName, [array]$AllowIpRanges, [switch]$CI, [switch]$Override) {
SetStorageNetworkAccessRules -ResourceGroupName $ResourceGroupName -AllowIpRanges $AllowIpRanges -CI:$CI -Override:$Override
}

function SetStorageNetworkAccessRules([string]$ResourceGroupName, [array]$AllowIpRanges, [switch]$CI, [switch]$Override) {
Expand All @@ -327,6 +327,16 @@ function SetStorageNetworkAccessRules([string]$ResourceGroupName, [array]$AllowI
Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $account.Name -AllowBlobPublicAccess $false
}

# In override mode, we only want to capture storage accounts that have had incomplete network rules applied,
# otherwise it's not worth updating due to timing and throttling issues.
# If the network rules are deny only without any vnet/ip allowances, then we can't ever purge the storage account
# when immutable blobs need to be removed.
if ($Override -and $rules.DefaultAction -eq "Deny") {
if ($rules.VirtualNetworkRules.Length -gt 0 -or $rules.IpRules.Length -gt 0) {
return
}
}

if ($rules -and ($Override -or $rules.DefaultAction -eq "Allow")) {
Write-Host "Restricting network rules in storage account '$($account.Name)' to deny access by default"
Retry { Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $account.Name -DefaultAction Deny }
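Review bot: The early `return` in the new Override block looks like it is meant to skip one storage account, but if the accounts are iterated with a PowerShell `foreach` statement (the loop header is above this hunk, where `$account` is bound) a `return` exits SetStorageNetworkAccessRules entirely, so every remaining account in the resource group after the first Deny-default account with a vnet or IP rule is left unprocessed; `continue` would skip just that account. If the accounts are instead piped through `ForEach-Object`, `return` is already the per-item exit and this does not apply, so it is worth confirming which form the loop uses. A smaller point: the skip keys on the mere presence of any `VirtualNetworkRules` or `IpRules` entry rather than on whether `$AllowIpRanges` is actually present, so an account carrying a stale allow list would still be skipped and remain unpurgeable for the reason the comment describes; if that case matters, compare the existing IP rules against the requested ranges before skipping and note the trade-off in the comment, e.g. `# NOTE: presence of any rule is treated as "already configured"; stale allow lists are not repaired here`. The enclosing loop body continues below the hunk.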
