Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict live test storage account access to client IP #8371

Merged
merged 7 commits into from
Jul 1, 2024
Merged

Restrict live test storage account access to client IP #8371

merged 7 commits into from
Jul 1, 2024

Conversation

benbp
Copy link
Member

@benbp benbp commented Jun 3, 2024
edited
Loading

Not quite sure about the ordering here, if we want to set networks rules before or after post-script/deployment removal or not.

This adds a step to our deployment script that sets any deployed storage accounts to a network deny state, but punches a hole through for the client's IP. A medium term solution until better ones come online (reach out for details).

@benbp benbp requested a review from a team as a code owner June 3, 2024 19:50
@benbp benbp added the Central-EngSys This issue is owned by the Engineering System team. label Jun 3, 2024
@benbp benbp self-assigned this Jun 3, 2024
@benbp benbp requested review from weshaggard and mikeharder June 3, 2024 19:50
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

This was referenced Jun 3, 2024
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@benbp benbp force-pushed the benbp/test-resources-allowlist branch from daa331e to d07adbb Compare June 3, 2024 21:02
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@weshaggard
Copy link
Member

@benbp is there a way to potential do this inside of a bicep template we can force folks to start using if they are deploying storage accounts?

@benbp
Copy link
Member Author

benbp commented Jun 4, 2024

@weshaggard we could add some sort of dynamic parameter to pass in for the IP, but that won't help with new bicep files. Also we're going to go with a vnet solution for the agent pools, so we don't want client ip to be used in every case either.

@benbp benbp force-pushed the benbp/test-resources-allowlist branch from d07adbb to 52d3d42 Compare June 18, 2024 20:32
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@benbp benbp force-pushed the benbp/test-resources-allowlist branch from 52d3d42 to 44660f4 Compare June 18, 2024 21:36
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@benbp benbp force-pushed the benbp/test-resources-allowlist branch from 618f4df to 57b8e6c Compare June 19, 2024 21:19
@benbp benbp force-pushed the benbp/test-resources-allowlist branch from 827deae to 6d5edeb Compare June 24, 2024 20:36
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

This was referenced Jun 26, 2024
Merged
Merged
Merged
Merged
Merged
benbp added a commit to Azure/azure-sdk-for-js that referenced this pull request Jun 26, 2024
@benbp
Add pool env variable to build-test-resource-config template (#30177)
ceca52d 
Update for Azure/azure-sdk-tools#8371
@benbp benbp force-pushed the benbp/test-resources-allowlist branch from 4d1e7b9 to e324291 Compare June 26, 2024 20:58
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

@benbp benbp mentioned this pull request Jun 26, 2024
Merged
@benbp
Copy link
Member Author

benbp commented Jun 26, 2024

Waiting on the java/net PRs from @danieljurek to update the federated auth conditional before this goes in (since it relies on two other PRs that are blocked on the aforementioned PRs)

@benbp benbp force-pushed the benbp/test-resources-allowlist branch from e324291 to 47e9665 Compare June 26, 2024 21:54
@azure-sdk
Copy link
Collaborator

The following pipelines have been queued for testing:
java - template
java - template - tests
js - template
net - template
net - template - tests
python - template
python - template - tests
You can sign off on the approval gate to test the release stage of each pipeline.
See eng/common workflow

azure-sdk added a commit to Azure/azure-sdk-for-js that referenced this pull request Jul 1, 2024
@azure-sdk @benbp
Sync eng/common directory with azure-sdk-tools for PR 8371 (#29878)
8577f84 
Sync eng/common directory with azure-sdk-tools for PR
Azure/azure-sdk-tools#8371 See [eng/common
workflow](https://github.com/Azure/azure-sdk-tools/blob/main/eng/common/README.md#workflow)

---------

Co-authored-by: Ben Broderick Phillips <[email protected]>
@benbp benbp enabled auto-merge (squash) July 1, 2024 19:09
@benbp benbp merged commit 22ec778 into Azure:main Jul 1, 2024
8 checks passed
@benbp benbp deleted the benbp/test-resources-allowlist branch July 1, 2024 19:16
@maorleger maorleger mentioned this pull request Feb 4, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weshaggard weshaggard weshaggard approved these changes

@mikeharder mikeharder mikeharder left review comments

Assignees

@benbp benbp

Labels
Central-EngSys This issue is owned by the Engineering System team.
Projects
Azure SDK EngSys 🤖🧠
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@benbp @azure-sdk @weshaggard @mikeharder