def _process_resource(self, resource):
rules = self._build_ip_rules(resource, self.data.get('ip-rules', []))
# Build out the ruleset model to update the resource
rule_set = NetworkRuleSet(default_action=self.data.get('default-action', 'Deny'))
# If the user has too many rules log and skip
if len(rules) > self.rule_limit:
self._log.error("Skipped updating firewall for %s. "
"%s exceeds maximum rule count of %s." %
(resource['name'], len(rules), self.rule_limit))
return
# Add IP rules
rule_set.ip_rules = [IPRule(ip_address_or_range=r) for r in rules]
# Add VNET rules
vnet_rules = self._build_vnet_rules(resource, self.data.get('virtual-network-rules', []))
rule_set.virtual_network_rules = [
VirtualNetworkRule(virtual_network_resource_id=r) for r in vnet_rules]
# Configure BYPASS
rule_set.bypass = self._build_bypass_rules(resource, self.data.get('bypass', []))
# Update resource
self.client.storage_accounts.update(
resource['resourceGroup'],
resource['name'],
StorageAccountUpdateParameters(network_rule_set=rule_set))
def create_storage_account(
self,
account_name: str,
subnets: List[str] = None,
sku: str = "Premium_LRS",
kind: str = "FileStorage",
access_tier: str = "Hot",
) -> str:
self.logger.info("Creating storage account")
if subnets:
network_rules = NetworkRuleSet(
virtual_network_rules=[
VirtualNetworkRule(action="Allow",
virtual_network_resource_id=subnet)
for subnet in set(subnets)
],
default_action="Deny",
ip_rules=[],
)
else:
network_rules = NetworkRuleSet(
virtual_network_rules=[],
default_action="Allow",
ip_rules=[],
)
storage_account = self.client(
StorageManagementClient).storage_accounts.create(
self.rsg,
account_name,
parameters=StorageAccountCreateParameters(
sku=StorageSku(name=sku),
kind=kind,
location=self.get_location(),
access_tier=access_tier,
allow_blob_public_access=False,
enable_https_traffic_only=True,
network_rule_set=network_rules,
),
)
storage_account.result()
access_key = (
self.client(StorageManagementClient).storage_accounts.list_keys(
self.rsg, account_name).keys[0].value)
return access_key
def remediate(self, client, resource_group_name, account_name):
"""Set Default Action for network access rule for a Storage Account as Deny
:param client: Instance of the Azure StorageManagementClient.
:param resource_group_name: The name of the resource group to which the storage account belongs
:param account_name: The name of the storage account.
:type resource_group_name: str.
:type account_name: str.
:returns: Integer signaling success or failure
:rtype: int
:raises: msrestazure.azure_exceptions.CloudError
"""
# Setting Default Action for network as Deny
updated_network_rule_set = NetworkRuleSet(default_action="Deny")
logging.info("Setting default action in network rule set to Deny")
try:
logging.info(" executing client.storage_accounts.update")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" account_name={account_name}")
client.storage_accounts.update(
resource_group_name=resource_group_name,
account_name=account_name,
parameters=StorageAccountUpdateParameters(
network_rule_set=updated_network_rule_set),
)
except Exception as e:
logging.error(f"{str(e)}")
raise
return 0
def _process_resource(self, resource):
# Build out the ruleset model to update the resource
rule_set = NetworkRuleSet(
default_action=self.data.get('default-action', 'Deny'))
# Add IP rules
if self.data.get('ip-rules') is not None:
existing_ip = [
r['value'] for r in resource['properties']['networkAcls'].get(
'ipRules', [])
]
ip_rules = self._build_ip_rules(existing_ip,
self.data.get('ip-rules', []))
# If the user has too many rules raise exception
if len(ip_rules) > self.rule_limit:
raise ValueError(
"Skipped updating firewall for %s. "
"%s exceeds maximum rule count of %s." %
(resource['name'], len(ip_rules), self.rule_limit))
rule_set.ip_rules = [
IPRule(ip_address_or_range=r) for r in ip_rules
]
# Add VNET rules
if self.data.get('virtual-network-rules') is not None:
existing_vnet = \
[r['id'] for r in
resource['properties']['networkAcls'].get('virtualNetworkRules', [])]
vnet_rules = \
self._build_vnet_rules(existing_vnet, self.data.get('virtual-network-rules', []))
rule_set.virtual_network_rules = \
[VirtualNetworkRule(virtual_network_resource_id=r) for r in vnet_rules]
# Configure BYPASS
if self.data.get('bypass-rules') is not None:
existing_bypass = resource['properties']['networkAcls'].get(
'bypass', '').split(',')
rule_set.bypass = self._build_bypass_rules(
existing_bypass, self.data.get('bypass-rules', []))
# Update resource
self.client.storage_accounts.update(
resource['resourceGroup'], resource['name'],
StorageAccountUpdateParameters(network_rule_set=rule_set))
def _process_resource(self, resource):
rule_set = NetworkRuleSet(default_action=self.data['default-action'])
if 'ip-rules' in self.data:
rule_set.ip_rules = [
IPRule(
ip_address_or_range=r['ip-address-or-range'],
action='Allow') # 'Allow' is the only allowed action
for r in self.data['ip-rules']]
if 'virtual-network-rules' in self.data:
rule_set.virtual_network_rules = [
VirtualNetworkRule(
virtual_network_resource_id=r['virtual-network-resource-id'],
action='Allow') # 'Allow' is the only allowed action
for r in self.data['virtual-network-rules']]
if len(self.data.get('bypass', [])) > 0:
rule_set.bypass = '******'.join(self.data['bypass'])
else:
rule_set.bypass = '******'
self.client.storage_accounts.update(
resource['resourceGroup'],
resource['name'],
StorageAccountUpdateParameters(network_rule_set=rule_set))
def test_remediate_bypass_not_none(self):
client = Mock()
action = EnableTrustedMicrosoftServices()
client.storage_accounts.get_properties.return_value = StorageAccount(
id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/accelerators-team-resources/providers/Microsoft.Sql/servers/remserver5",
name="remstg5",
type="Microsoft.Storage/storageAccounts",
location="eastus",
network_rule_set=NetworkRuleSet(default_action="Deny",
bypass="******"),
)
assert action.remediate(client, "resource_group", "account_name") == 0
def create_storage_account(
self,
resource_group_name,
name,
region,
storage_client,
):
"""Creates a Storage Account
:param storage_client: Instance of the Azure StorageManagementClient.
:param region: The location in which the storage account exists.
:param name: The Storage Account name.
:param resource_group_name: The name of the resource group.
:type storage_client: object
:type region: str
:type name: str
:type resource_group_name: str
:returns: StorageAccount object
:rtype: object
"""
create_params = StorageAccountCreateParameters(
location=region,
sku=sku_storage(name=SkuName.STANDARD_LRS, tier=SkuTier.STANDARD),
identity=Identity(type="SystemAssigned"),
kind="StorageV2",
enable_https_traffic_only=True,
network_rule_set=NetworkRuleSet(default_action=DefaultAction.DENY),
tags={"Created By": "CHSS"},
)
stg_account = storage_client.storage_accounts.begin_create(
resource_group_name=resource_group_name,
account_name=name,
parameters=create_params,
).result()
storage_client.blob_services.set_service_properties(
resource_group_name=resource_group_name,
account_name=name,
parameters=BlobServiceProperties(
delete_retention_policy=DeleteRetentionPolicy(enabled=True,
days=7)),
)
return stg_account
def run_action(credentials, rule, entity, params):
logging.info(f'Parameters are: {params}')
vnet_group_name, vnet_name, subnet_name = params
logging.info(f'{__file__} - ${run_action.__name__} started')
subscription_id = entity['accountNumber']
group_name = entity['resourceGroup']['name']
storage_account_name = entity['name']
logging.info(
f'{__file__} - subscription_id : {subscription_id} - group_name : {group_name} - storage_account : {storage_account_name}'
)
subnet_path = '/subscriptions/' + subscription_id + '/resourceGroups/' + vnet_group_name + \
'/providers/Microsoft.Network/virtualNetworks/' + \
vnet_name + '/subnets/' + subnet_name
if not subscription_id or not credentials:
return raise_credentials_error()
try:
storage_client = StorageManagementClient(credentials, subscription_id)
storage_client.storage_accounts.update(
group_name, storage_account_name,
StorageAccountUpdateParameters(network_rule_set=NetworkRuleSet(
default_action='Deny',
virtual_network_rules=[
VirtualNetworkRule(virtual_network_resource_id=subnet_path)
])))
msg = f'Private network access was successfully configured for storage account: {storage_account_name}'
logging.info(f'{__file__} - {msg}')
return f'{msg}'
except CloudError as e:
msg = f'Unexpected error : {e.message}'
if 'SubnetsHaveNoServiceEndpointsConfigured' in msg:
logging.info(
f'Unable to set private access as the VNet does not have Service Endpoints configured'
)
logging.info(f'{__file__} - {msg}')
return msg
def remediate(self, client, resource_group_name, account_name):
"""Enable Trusted Microsoft Services for Storage Account access
:param client: Instance of the Azure StorageManagementClient.
:param resource_group_name: The name of the resource group to which the storage account belongs.
:param account_name: The name of the storage account.
:param client: str.
:type resource_group_name: str.
:type account_name: str.
:returns: Integer signaling success or failure.
:rtype: int
:raises: msrestazure.azure_exceptions.CloudError
"""
try:
storage_account = client.storage_accounts.get_properties(
resource_group_name=resource_group_name, account_name=account_name,
)
if storage_account.network_rule_set.bypass is None:
bypass = "******"
else:
bypass = storage_account.network_rule_set.bypass + ", AzureServices"
logging.info(" executing client.blob_containers.update")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" account_name={account_name}")
# Enabling Trusted Microsoft Services for Storage Account access
client.storage_accounts.update(
resource_group_name=resource_group_name,
account_name=account_name,
parameters=StorageAccountUpdateParameters(
network_rule_set=NetworkRuleSet(
bypass=bypass, default_action="Deny"
)
),
)
except Exception as e:
logging.error(f"{str(e)}")
raise
return 0
network_client = NetworkManagementClient(credentials, subscription_id)
resource_client = ResourceManagementClient(credentials, subscription_id)
storage_client = StorageManagementClient(credentials, subscription_id)
resource_group_params = {'location':LOCATION}
resource_client.resource_groups.create_or_update(GROUP_NAME, resource_group_params)
vnet_params = { 'location': LOCATION, 'address_space' : { 'address_prefixes': [VNET_AP] } }
async_vnet_creation = network_client.virtual_networks.create_or_update(GROUP_NAME, VNET_NAME, vnet_params)
async_vnet_creation.wait()
ep = ServiceEndpointPropertiesFormat(service='Microsoft.Storage')
ep_list = [ep]
subnet = Subnet(address_prefix = SB_AP, service_endpoints = ep_list)
async_vnet_subnet_creation = network_client.subnets.create_or_update(GROUP_NAME, VNET_NAME, SB_NAME, subnet)
async_vnet_subnet_creation.wait()
if async_vnet_subnet_creation.status() == 'Succeeded':
sb_result = async_vnet_subnet_creation.result()
virtual_network_resource_id = sb_result.id
vr = VirtualNetworkRule(virtual_network_resource_id=virtual_network_resource_id)
vnets = [vr]
ns = NetworkRuleSet(bypass='******', virtual_network_rules=vnets, default_action='Deny')
storage_client = StorageManagementClient(credentials, subscription_id)
sku = Sku(name=SkuName.standard_lrs)
st1 = StorageAccountCreateParameters(sku=sku, kind=Kind.storage, location=LOCATION, network_rule_set=ns)
storage_async_operation = storage_client.storage_accounts.create(GROUP_NAME, STORAGE_ACCOUNT_NAME, st1, location=LOCATION)
#stlist = storage_client.storage_accounts.list()
print("Done")
