Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancements to azure.azcollection.azure_rm_storageaccount for Improved Security Compliance and Functionality #1330

Open
wants to merge 3 commits into
base: dev
Choose a base branch
from

Conversation

chitender
Copy link

SUMMARY

This feature request proposes several enhancements to the azure.azcollection.azure_rm_storageaccount collection in Ansible. These changes aim to align more closely with Azure security policies and address common functional requirements in managing Azure Storage Accounts.

  • Option to Enable/Disable allow_shared_key_access for Storage Accounts: Introduce a configurable option to enable or disable shared key access, enhancing security and compliance with organizational policies.

  • Identity Block for Key Vault Encryption Prerequisites: Implement an identity block within the module to support scenarios requiring user-assigned identities as a prerequisite for Key Vault encryption (CMK encryption).

  • Inclusion of Key Vault Properties in Encryption Block: Add support for specifying Key Vault properties directly within the encryption block when the encryption source is set to Microsoft.Keyvault. This will facilitate smoother integration with Azure Key Vault for encryption purposes.

  • Incorporate Network ACL Rule Sets in create_account Requests: Instead of setting network ACLs separately, include them directly in the create_account request. This change aims to streamline the process and reduce the complexity of storage account creation.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

azure.azcollection.azure_rm_storageaccount

ADDITIONAL INFORMATION

These enhancements are motivated by the need for improved compliance with Azure security policies and functional requirements in resource management. Enforcing security policies at subscription and resource group levels is a common practice, and non-compliance can lead to service denial due to policy violations. The proposed changes address specific areas like encryption, identity management, and network access control, which are crucial for maintaining high-security standards.

not sure how to add verbatim command output, so have added below task snippet which is as per the changes in plugins/modules/azure_rm_storageaccount.py

- name: Create Storage account
  azure.azcollection.azure_rm_storageaccount:
    allow_shared_key_access: 'False'
    minimum_tls_version: "TLS1_2"
    resource_group: "{{ project.resource_group_name }}"
    name: "{{ project.storage_account_name }}"
    location: "{{ project.region }}"
    type: Standard_RAGRS
    kind: BlobStorage
    access_tier: Cool
    subscription_id: "{{ azure_env.ARM_SUBSCRIPTION_ID }}"
    tenant: "{{ azure_env.ARM_TENANT_ID }}"
    client_id: "{{ azure_env.ARM_CLIENT_ID }}"
    secret: "{{ azure_env.ARM_CLIENT_SECRET }}"
    https_only: 'True'
    allow_blob_public_access: 'False'
    public_network_access: 'Enabled'
    identity:
      type: UserAssigned
      user_assigned_identities: "/subscriptions/{{ azure_env.ARM_SUBSCRIPTION_ID }}/resourceGroups/{{ project.resource_group_name }}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{ project.storage_account_name }}"

    network_acls:
      bypass: AzureServices,Metrics,Logging
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/vnetSubnetName
          action: Allow
    encryption:
      require_infrastructure_encryption: false
      services:
        blob:
          enabled: true
        file:
          enabled: true
        table:
          enabled: true
        queue:
          enabled: true
      key_source: 'Microsoft.Keyvault'
      key_vault_properties:
        key_vault_uri: "{{ keyVaultInfo.keyvaults[0].vault_uri }}"
        key_name: "storage-encryption-key"
        key_version: "{{ keyvault_key.state.key_id.split('/')[-1] }}"
      encryption_identity:
        encryption_user_assigned_identity: "{{ user_identity }}"

if i have made any mistakes which are not as per community guidelines then please guide me to correct it as this is first time me raising pull request.

… for Key Vault Encryption Prerequisites,Inclusion of Key Vault Properties in Encryption Block,Incorporate Network ACL Rule Sets in create_account Requests
@Fred-sun
Copy link
Collaborator

@chitender Please help fix the error as below:

ERROR: plugins/modules/azure_rm_storageaccount.py:850:9: E303: too many blank lines
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'key_version' in argument_spec found in encryption -> key_vault_properties defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'type' in argument_spec found in identity defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'user_assigned_identities' in argument_spec found in identity defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'allow_shared_key_access' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'encryption_identity' found in encryption is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'encryption_user_assigned_identity' found in encryption -> encryption_identity is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'identity' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_name' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_vault_properties' found in encryption is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_vault_uri' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_version' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'type' found in identity is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'user_assigned_identities' found in identity is listed in the argument_spec, but not documented in the module documentation

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Nov 13, 2023
@chitender
Copy link
Author

@Fred-sun have updated the documentation.

@chitender
Copy link
Author

@Fred-sun could you please check this?

Copy link
Collaborator

@Fred-sun Fred-sun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be even better if we could add test cases for the newly added parameters!

@@ -870,11 +981,12 @@ def account_obj_to_dict(self, account_obj, blob_mgmt_props=None, blob_client_pro
allow_blob_public_access=account_obj.allow_blob_public_access,
network_acls=account_obj.network_rule_set,
is_hns_enabled=account_obj.is_hns_enabled if account_obj.is_hns_enabled else False,
allow_shared_key_access=account_obj.allow_shared_key_access if account_obj.allow_shared_key_access else False,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be perfect if we could also increase this return value to azure_rm_storageaccount_info.py!

@Fred-sun
Copy link
Collaborator

@chitender There is a conflict in the PR you submitted, please help solve the conflict, we will review this PR as soon as possible! Thank you!

@Fred-sun
Copy link
Collaborator

kindly ping!

@Fred-sun Fred-sun added the question Further information is requested label Feb 18, 2024
@Fred-sun
Copy link
Collaborator

Fred-sun commented Aug 1, 2024

@chitender Please help to resolve the conflicting documents, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
medium_priority Medium priority question Further information is requested work in In trying to solve, or in working with contributors
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants