
Support App Service "Access Restrictions" functionality #3685

Closed
sawyerh opened this issue Jun 17, 2019 · 16 comments · Fixed by #6955

Comments

@sawyerh

sawyerh commented Jun 17, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Azure App Service recently(?) renamed "IP Restrictions" to "Access Restrictions," and added the ability to allow/deny connections from Azure Virtual Network subnets. It appears that an ip_restriction argument block exists on azurerm_app_service, however I don't believe this is the same thing as Access Restrictions, or at least it doesn't capture the full capabilities that Access Restrictions provide, such as setting restrictions on the associated SCM/Kudu site.

Based on the Azure documentation, there doesn't appear to be a CLI way to set these restrictions, so this work may be blocked:

There currently is no CLI or PowerShell for the new Access Restrictions capability but the values can be set manually with a PUT operation on the app configuration in Resource Manager.

It would be nice in the future to be able to:

  • Set an allow/deny list that controls network access to an app service site
  • Set an allow/deny list that controls network access to an app service SCM site

Affected Resource

  • azurerm_app_service

References

@mikaelkrief
Contributor

Also interested in this feature.

@alastairtree
Contributor

alastairtree commented Aug 9, 2019

I also need a way to set the IP restrictions on the SCM website, and this will need to be added both the azurerm_app_service resource and the azurerm_app_service_slot slot resource as well.

I propose an additional block on the site config property like so:

resource "azurerm_app_service" "app_service" {
  name                    = local.name
  location                = var.location
  resource_group_name     = var.resource_group_name
  app_service_plan_id     = var.app_service_plan_id
  https_only              = true

  site_config {
    always_on                = true
    dotnet_framework_version = "v4.0"
    http2_enabled            = true

    default_documents = [
      "Default.htm",
    ]

    # Current network IP address restriction on app service
    ip_restriction {
      ip_address  = "1.2.3.4"
      subnet_mask = "255.255.255.255"
    }

    # Proposed new IP address restriction on app service SCM/KUDU website
    scm_ip_restriction {
      ip_address  = "5.6.7.8"
      subnet_mask = "255.255.255.255"
    }
  }
}

While we wait for official support, the following template can be added alongside the azurerm_app_service resource to set the scmIpSecurityRestrictions property using an AzureRM resource template:

resource "azurerm_template_deployment" "app-service-scm-ipwhitelist" {
  name                = "${var.application}-scm-ipwhitelist"
  resource_group_name = var.resource_group_name
  template_body       = <<JSON
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "_force_terraform_to_always_redeploy": "${timestamp()}"
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "${azurerm_app_service.app_service.name}/web",
      "location": "[resourceGroup().location]",
      "properties": {
        "scmIpSecurityRestrictions": [
          {
            "ipAddress": "${local.ip_to_whitelist}",
            "action": "Allow",
            "tag": "Default",
            "priority": 300,
            "name": "allow-my-company-server",
            "description": "useful description info..."
          }
        ]
      }
    }
  ]
}
JSON
  deployment_mode     = "Incremental"
}

@volver-13

Is it already implemented?

Looking at: https://www.terraform.io/docs/providers/azurerm/d/app_service.html

A ip_restriction block exports the following:

  • ip_address - The IP Address used for this IP Restriction.
  • subnet_mask - The Subnet mask used for this IP Restriction.

@alastairtree
Contributor

Is it already implemented?

Looking at: https://www.terraform.io/docs/providers/azurerm/d/app_service.html

Nope - still need the SCM IP restrictions

@volver-13

What is the reason to have IP restrictions for SCM endpoints? It's only allowed for authenticated users, right?

@alastairtree
Contributor

alastairtree commented Dec 3, 2019 via email

@JohnDelisle
Contributor

JohnDelisle commented Jan 23, 2020

@Brysk and @alastairtree - As to why locking-down your SCM network-connectivity should be done: Consider what happens when a developer angrily exits your organization. You no doubt disable their Azure AD identity, but SCM remains accessible from their home network using credentials stored directly within the App Service. They could access data, logs, and upload binaries. IMHO, this is an often overlooked aspect of securing Azure App Service, and warrants attention. Ideally, you'd cycle those credentials and you'd lock SCM down so it's only accessible from your corporate egress IPs.

@volver-13

thanks @JohnDelisle

credentials stored directly within the App Service

Can you please shed more light on it to explain how it works?

@JohnDelisle
Contributor

Sure thing @Brysk -

The easiest way to demonstrate this would be to head to the Azure Portal, create a Resource Group, create an App Service Plan, and create an App Service. Go with a Windows-based ASP.NET App Service, for example.

Once that's done, open the App Service, click its "Deployment Center" blade, click on "FTP", and finally click the "Dashboard" button in the bottom-center. A dialog should pop on the right-hand side, providing the credential to use to access the App Service remotely.

If that credential is known to a bad actor, and your SCM IP restrictions are permissive, they can connect to your App Service from anywhere and publish a new binary, download logs etc.

This is a common theme in Azure - services that are by default internet accessible, where keys used to access them persist after employee termination. Unless you implement good key lifecycle-management and secure the front-end connectivity of the service, that is. Examples off the top of my head include Storage Account, Azure SQL Database, Cosmos, App Service, and basically any other Azure resource that uses its own keys/secrets/certs and is internet accessible. You can mitigate some of this through e.g. VNet endpoints, but that's not always practical.

@volver-13

@JohnDelisle

Thanks for your explanation, but I can't agree with everything you said. I have just locked down access to the SCM endpoint completely and it doesn't prevent me from accessing the FTP location to upload anything up there. Restrictions applied to the SCM IP do not affect the FTPS IP.

According to my understanding, the SCM endpoint is behind SSO and only authenticated and authorised users and services can access it. When a user is removed from AAD, she/he will not be able to mess with it.

HTTP BASIC auth won't be enabled and only Service Connection configured for Azure DevOps Pipeline will carry out deployments.

FTP/FTPS access to App Service can be disabled here: App Service -> Configuration -> General Settings -> FTP state
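The configuration the thread asks for, as an added example that is not code from the issue or from the provider's documentation: it assumes an azurerm provider version that includes the scm_ip_restriction, scm_use_main_ip_restriction and ftps_state arguments on azurerm_app_service (the shape shipped by the linked fix, #6955), and uses placeholder names, variables and addresses.

```hcl
# Added example, not from the issue: one azurerm_app_service that restricts the
# main site, gives the SCM/Kudu site its own allow list, and disables FTP/FTPS.
# Assumes the provider arguments scm_ip_restriction, scm_use_main_ip_restriction
# and ftps_state exist (azurerm 2.x after #6955). All values are placeholders.
resource "azurerm_app_service" "app_service" {
  name                = local.name
  location            = var.location
  resource_group_name = var.resource_group_name
  app_service_plan_id = var.app_service_plan_id
  https_only          = true

  site_config {
    always_on     = true
    http2_enabled = true

    # SCM restrictions do not cover the FTP endpoint (see the comment above),
    # so turn FTP/FTPS off rather than relying on the deployment credential
    # never leaking. Valid values: "AllAllowed", "FtpsOnly", "Disabled".
    ftps_state = "Disabled"

    # Main site: only traffic arriving from an integrated VNet subnet.
    # Once any Allow rule exists, the platform applies an implicit Deny all.
    ip_restriction {
      name                      = "allow-frontend-subnet"
      priority                  = 100
      action                    = "Allow"
      virtual_network_subnet_id = var.frontend_subnet_id
    }

    # Do not copy the main-site rules to the SCM site; give it its own list
    # so publishing is only possible from the corporate egress range.
    scm_use_main_ip_restriction = false

    scm_ip_restriction {
      name       = "allow-corporate-egress"
      priority   = 100
      action     = "Allow"
      ip_address = "203.0.113.0/24" # placeholder (TEST-NET-3), CIDR form
    }
  }
}
```

Adding a second scm_ip_restriction block (for example a build agent's egress range) extends the SCM allow list; the same implicit deny applies to everything not listed.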

@JohnDelisle
Contributor

That's certainly different than my understanding - I'll test and confirm. Assuming you're right re: FTP connectivity, that introduces risks that can only be mitigated through cycling keys.. ouch. Thanks for the update.

@asbiin
Contributor

asbiin commented Mar 19, 2020

See the relevant documentation: https://docs.microsoft.com/en-US/azure/app-service/app-service-ip-restrictions#programmatic-manipulation-of-access-restriction-rules
There is an API for that purpose, editing the ipSecurityRestrictions property block on the web app.


@sebader
Contributor

sebader commented May 1, 2020

As the main issue, access restrictions for the app service data plane, is already implemented, would it make sense to create a new issue focusing on the still missing SCM restrictions? @tombuildsstuff ?

@stencore-repo

Is there any plan to implement ScmSiteAccessRestrictions? Both Azure Powershell and Az CLI support this feature.

@ghost

ghost commented Jul 18, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jul 18, 2020