Add subnet of pct sas kubernetes cluster to the storage account that holds ip ban table (#230)

Co-authored-by: elay <yileihu@microsoft.com>
2024-07-02 10:47:02 -07:00 · 2024-07-02 10:47:02 -07:00 · 23b5e6936b
--- a/deployment/terraform/resources/storage_account.tf
+++ b/deployment/terraform/resources/storage_account.tf
@ -9,7 +9,7 @@ resource "azurerm_storage_account" "pc" {

  network_rules {
    default_action             = "Deny"
-    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, azurerm_subnet.function_subnet.id]
+    virtual_network_subnet_ids = [azurerm_subnet.node_subnet.id, azurerm_subnet.function_subnet.id, data.azurerm_subnet.sas_node_subnet.id]
  }

  # Disabling shared access keys breaks terraform's ability to do subsequent
--- a/deployment/terraform/resources/variables.tf
+++ b/deployment/terraform/resources/variables.tf
@ -144,6 +144,17 @@ variable "func_storage_account_url" {
  type = string
 }

+variable "sas_node_subnet_name" {
+  type = string
+}
+
+variable "sas_node_subnet_virtual_network_name" {
+  type = string
+}
+
+variable "sas_node_subnet_resource_group_name" {
+  type = string
+}
 # -----------------
 # Local variables

--- a/deployment/terraform/resources/vnet.tf
+++ b/deployment/terraform/resources/vnet.tf
@ -26,6 +26,12 @@ resource "azurerm_subnet" "cache_subnet" {
  service_endpoints    = []
 }

+data "azurerm_subnet" "sas_node_subnet" {
+  name                 = var.sas_node_subnet_name
+  virtual_network_name = var.sas_node_subnet_virtual_network_name
+  resource_group_name  = var.sas_node_subnet_resource_group_name
+}
+
 resource "azurerm_subnet" "function_subnet" {
  name                 = "${local.prefix}-functions-subnet"
  virtual_network_name = azurerm_virtual_network.pc.name
--- a/deployment/terraform/staging/main.tf
+++ b/deployment/terraform/staging/main.tf
@ -26,6 +26,10 @@ module "resources" {
  prod_log_analytics_workspace_id   = "78d48390-b6bb-49a9-b7fd-a86f6522e9c4"
  func_storage_account_url          = "https://pctapisstagingsa.table.core.windows.net/"
  banned_ip_table                   = "blobstoragebannedip"
+
+  sas_node_subnet_name                 = "pct-sas-westeurope-staging-node-subnet"
+  sas_node_subnet_virtual_network_name = "pct-sas-westeurope-staging-network"
+  sas_node_subnet_resource_group_name  = "pct-sas-westeurope-staging_rg"
 }

 terraform {