From a3122a441d7c26c4480b65e059426003b0d561ab Mon Sep 17 00:00:00 2001
From: Benny Austin
Date: Tue, 21 Jan 2025 12:31:27 +1100
Subject: [PATCH 1/2] Disable shared key access on storage

---
 iac/bicep/modules/sqldb.bicep | 12 +++++
 iac/bicep/modules/storage-permissions.bicep | 55 +++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 iac/bicep/modules/storage-permissions.bicep

diff --git a/iac/bicep/modules/sqldb.bicep b/iac/bicep/modules/sqldb.bicep
index 488d66b..6c3f149 100644
--- a/iac/bicep/modules/sqldb.bicep
+++ b/iac/bicep/modules/sqldb.bicep
@@ -101,6 +101,18 @@ resource audit_storage_account 'Microsoft.Storage/storageAccounts@2023-01-01' ex
 scope: resourceGroup(auditrg)
 }
 
+module storage_permissions 'storage-permissions.bicep' = {
+ name: 'storage_permissions'
+ scope: resourceGroup(auditrg)
+ params:{
+ storage_name: audit_storage_name
+ storage_rg: auditrg
+ principalId: sqlserver.identity.principalId
+ grant_reader: false
+ grant_contributor: true
+ }
+}
+
 // Deploy audit diagnostics Azure SQL Server to storage account
 resource sqlserver_audit 'Microsoft.Sql/servers/auditingSettings@2023-08-01-preview' = {
 name: 'default'
diff --git a/iac/bicep/modules/storage-permissions.bicep b/iac/bicep/modules/storage-permissions.bicep
new file mode 100644
index 0000000..7e0c20a
--- /dev/null
+++ b/iac/bicep/modules/storage-permissions.bicep
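Review bot: Nothing in this hunk (or anywhere in the two-patch series) sets `allowSharedKeyAccess: false` on the audit storage account, so the title "Disable shared key access on storage" does not describe the change; what the hunk does is grant the SQL server's identity Storage Blob Data Contributor via the new module. For that grant to be used at all, the `sqlserver_audit` auditing settings, whose `properties` block continues past the end of the hunk, also need `isManagedIdentityInUse: true`; without it auditing keeps authenticating with the account key, and a later shared-key disablement would break audit writes. `principalId: sqlserver.identity.principalId` also presumes `sqlserver` is declared with a system-assigned identity earlier in the file, which is outside this hunk. Either add the shared-key and managed-identity settings here or reword the commit message to say this is the RBAC prerequisite for a follow-up.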
@@ -0,0 +1,55 @@
+@description('Resource name storage account to which permissions are to be granted')
+param storage_name string
+
+@description('Resource group of storage account')
+param storage_rg string
+
+@description('Managed Identity of the resource being granted permissions')
+param principalId string
+
+@description('Flag to grant Storage Blob Data Reader role to the storage account')
+param grant_reader bool = true
+
+@description('Flag to grant Storage Blob Data Contributor role to the storage account')
+param grant_contributor bool = true
+
+//Get Reference to storage account
+resource storage_account 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
+ name: storage_name
+ scope: resourceGroup(storage_rg)
+}
+
+//In-built role definition for storage account
+@description('This is the built-in Storage Blob Contributor role. See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles')
+resource sbdcRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+ scope: subscription()
+ name: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+}
+
+@description('This is the built-in Storage Blob Reader role. 
See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor')
+resource sbdrRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+ scope: subscription()
+ name: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+}
+
+//Grant Storage Blob Data Contributor role to resource
+resource grant_sbdc_role 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (grant_contributor) {
+ name: guid(subscription().subscriptionId, principalId, sbdcRoleDefinition.id)
+ // scope: storage_account
+ properties: {
+ principalType: 'ServicePrincipal'
+ principalId: principalId
+ roleDefinitionId: sbdcRoleDefinition.id
+ }
+}
+
+//Grant Storage Blob Data Reader role to resource
+resource grant_sbdr_role 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (grant_reader) {
+ name: guid(subscription().subscriptionId, principalId, sbdrRoleDefinition.id)
+ // scope: storage_account
+ properties: {
+ principalType: 'ServicePrincipal'
+ principalId: principalId
+ roleDefinitionId: sbdrRoleDefinition.id
+ }
+}

From 4de71855599fae1eea3b98f916e87690d00051f7 Mon Sep 17 00:00:00 2001
From: Benny Austin
Date: Tue, 21 Jan 2025 12:44:35 +1100
Subject: [PATCH 2/2] Disable shared key on storage

---
 iac/bicep/modules/storage-permissions.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iac/bicep/modules/storage-permissions.bicep b/iac/bicep/modules/storage-permissions.bicep
index 7e0c20a..bf989c7 100644
--- a/iac/bicep/modules/storage-permissions.bicep
+++ b/iac/bicep/modules/storage-permissions.bicep
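Review bot: `sbdrRoleDefinition` points at `acdd72a7-3385-48ef-bd42-f606fba81ae7`, which is the built-in control-plane Reader role rather than Storage Blob Data Reader, so with `grant_reader` defaulting to `true` a caller gets an ARM Reader assignment that carries no blob data actions while the parameter description promises blob read access. The Storage Blob Data Reader definition is `2a2b9908-6ea1-4ae2-8e65-a410df84e7d1` in the built-in roles reference, and the description's `#contributor` anchor should be corrected to that role's entry at the same time. Separately, both `name: guid(subscription().subscriptionId, principalId, …RoleDefinition.id)` seeds omit the target scope, so granting the same identity the same role on a second storage account in the subscription produces a duplicate assignment name and the deployment fails with a conflict; `name: guid(storage_account.id, principalId, sbdcRoleDefinition.id)` (and the `sbdrRoleDefinition.id` counterpart) is the usual seed. Those two `name:` lines are carried unchanged as context in both hunks of the second patch.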
@@ -35,7 +35,7 @@ resource sbdrRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-
 //Grant Storage Blob Data Contributor role to resource
 resource grant_sbdc_role 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (grant_contributor) {
 name: guid(subscription().subscriptionId, principalId, sbdcRoleDefinition.id)
- // scope: storage_account
+ scope: storage_account
 properties: {
 principalType: 'ServicePrincipal'
 principalId: principalId
@@ -46,7 +46,7 @@ resource grant_sbdc_role 'Microsoft.Authorization/roleAssignments@2020-04-01-pre
 //Grant Storage Blob Data Reader role to resource
 resource grant_sbdr_role 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (grant_reader) {
 name: guid(subscription().subscriptionId, principalId, sbdrRoleDefinition.id)
- // scope: storage_account
+ scope: storage_account
 properties: {
 principalType: 'ServicePrincipal'
 principalId: principalId
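Review bot: Uncommenting `scope: storage_account` narrows the grant correctly, but if the first revision was ever deployed, the assignment it created at resource-group scope is not removed by redeploying (Bicep deployments are additive), so the broader grant lingers, and because the `guid()` seed on the `name:` context line is unchanged the redeploy can fail with `RoleAssignmentUpdateNotPermitted` when Azure sees the same assignment name at a different scope. Both hunks on this line are affected identically. A short comment above each assignment noting that the name is scope-independent and that an RG-scoped assignment from an earlier deployment must be deleted by hand would save the next operator the diagnosis; alternatively seeding the name with `storage_account.id` avoids the name clash outright.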