
Add Key Vault network ACLs and NSG management to Azure modules #4

Merged
dmchaledev merged 1 commit into main from claude/reddit-terraform-announcement-d5EAC on May 19, 2026

Conversation

@dmchaledev
Contributor

Summary

This PR enhances security posture across Azure modules by adding configurable Key Vault network ACLs and improving network security group (NSG) management. It also modernizes the CI/CD pipeline by replacing a deprecated GitHub Action with direct binary installation.

Key Changes

Security Enhancements

  • Key Vault Network ACLs: Added key_vault_network_default_action and key_vault_ip_rules variables to all Azure modules (unlimited-scale, ha-hot-hot, asm-azure-autoscale, sat-azure-autoscale, asm-azure-ha, sat-azure-ha), allowing customers to restrict Key Vault access from public endpoints while maintaining RBAC and AzureServices bypass
  • NSG Management:
    • Added associate_vm_subnet_nsg variable to autoscale modules to allow customers to manage NSGs via their own landing-zone tooling
    • Implemented NSG creation and association in unlimited-scale/azure module with HTTPS ingress rules built from allowed_cidrs
    • Added NSG association to LB subnet in ha-hot-hot/azure to ensure security rules take effect
  • IAM Policy Scoping: Refined flow-logs IAM policy in unlimited-scale/aws to scope resource access to specific log groups, with only DescribeLogGroups using wildcard (as required by AWS API)

CI/CD Improvements

  • Replaced deprecated aquasecurity/tfsec-sarif-action@v0.1.4 (which bundles Node 16 runtime) with direct binary installation from GitHub releases
  • Added TFSEC_VERSION: v1.28.13 environment variable for version management
  • Simplified tfsec execution to use installed binary directly instead of Docker container

Code Quality

  • Enhanced marketplace publisher validation in CI to scope checks to marketplace_plans block only, preventing false positives from legitimate publisher references elsewhere in Terraform files
  • Added tfsec ignore comments with explanations for intentional security exceptions (e.g., ALB public exposure, S3 SSE-S3 requirement for ALB logs)
  • Improved code formatting and alignment in module variable declarations

Removed Unused Code

  • Removed unused db_arn and db_id local variables from ha-hot-hot modules

Implementation Details

  • Key Vault network ACLs default to "Allow" to preserve backward compatibility; customers can opt into "Deny" after configuring IP rules and service endpoints
  • NSG association is opt-in via associate_vm_subnet_nsg variable (defaults to true) to support customers with existing NSG management
  • All new variables include comprehensive descriptions explaining use cases and prerequisites

https://claude.ai/code/session_01AB4PrWCHV1uNAUpDJfhzcs

The marketplace-id-consistency gate was grepping every publisher = "..."
in a module file and taking the alphabetical first — which caught the
Canonical bastion VM image in ha-hot-hot/azure and the
Microsoft.Azure.Extensions VMSS extensions in unlimited-scale/azure as
"drift" even though neither is a HailBytes marketplace image. Scope the
check to publishers inside the marketplace_plans local block via an awk
brace-depth walker so legitimate non-marketplace publishers in the same
file no longer trip it.

While the CI was open, tighten everything else surfaced by the same run:

- tfsec ignores moved inline (above the offending attribute, not the
  resource) with rationale for: customer-facing ALB (intentionally
  public, gated by allowed_cidrs SG), SNS topic CMK (opt-in via
  var.enable_customer_managed_key), ALB access-log bucket SSE
  (AWS only supports SSE-S3 on ALB log buckets), flow-logs IAM
  DescribeLogGroups wildcard (AWS rejects ARN scoping on that action).

- Key Vault network_acls block added in ha-hot-hot/azure and
  unlimited-scale/azure with new vars key_vault_network_default_action
  (default Allow, preserves current behavior) and key_vault_ip_rules,
  letting customers opt into a Deny default without a breaking change.
  Wrappers forward both vars.

- ha-hot-hot/azure: NSG now actually attaches to lb_subnet_id via
  azurerm_subnet_network_security_group_association — previously the
  NSG was created with allow-https rules but never associated, so the
  rules enforced nothing.

- unlimited-scale/azure: var.allowed_cidrs was declared but unused
  (silent security gap in the example). Now wired through a new NSG
  built from allowed_cidrs, optionally associated with vm_subnet_id
  via associate_vm_subnet_nsg (default true; set false when the
  customer's landing zone already manages the subnet NSG).

- Drop unused declarations flagged by tflint: local.db_arn in
  ha-hot-hot/azure, local.db_id in ha-hot-hot/aws,
  data.azurerm_subscription.current in ha-hot-hot/azure.

- Replace the deprecated aquasecurity/tfsec-sarif-action@v0.1.4
  (bundles a Node 16 runtime) with a direct tfsec binary install in
  the workflow. Same SARIF upload path, no Node 16 deprecation banner.
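
Added example, not code from the project or this PR: a POSIX shell script that writes a constructed Terraform module file using the patterns the commit message describes (Key Vault `network_acls` driven by `key_vault_network_default_action` and `key_vault_ip_rules`, an HTTPS-ingress NSG built from `allowed_cidrs`, and the subnet association gated by `associate_vm_subnet_nsg`), then runs both the old whole-file publisher grep and a brace-depth-walking awk check scoped to the `marketplace_plans` block, so the difference in what each gate reports is visible. Resource names, the `examplepub`/`example-product` plan values and the awk program itself are assumptions made for this example; the project's real CI script is not on the page. The azurerm attribute names are the provider's own.

```shell
#!/bin/sh
# Added example, not the project's code. Writes a constructed Terraform
# module file that uses the patterns the PR describes, then runs a
# brace-depth-aware publisher check scoped to the marketplace_plans block.
set -eu

# Constructed sample module. Resource/variable names and the "examplepub"
# publisher are placeholders; the azurerm attribute names are real.
write_sample_module() {
  cat > "$1" <<'EOF'
resource "azurerm_key_vault" "this" {
  name                      = "example-kv"
  enable_rbac_authorization = true

  # Default "Allow" keeps current behavior; switch to "Deny" only after
  # key_vault_ip_rules (and any service endpoints) are in place.
  network_acls {
    default_action = var.key_vault_network_default_action
    bypass         = "AzureServices"
    ip_rules       = var.key_vault_ip_rules
  }
}

resource "azurerm_network_security_group" "vm" {
  name = "example-vm-nsg"

  security_rule {
    name                       = "allow-https"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefixes    = var.allowed_cidrs
    destination_address_prefix = "*"
  }
}

# An NSG that is never associated enforces nothing; opt out only when the
# landing zone manages the subnet NSG itself.
resource "azurerm_subnet_network_security_group_association" "vm" {
  count                     = var.associate_vm_subnet_nsg ? 1 : 0
  subnet_id                 = var.vm_subnet_id
  network_security_group_id = azurerm_network_security_group.vm.id
}

locals {
  marketplace_plans = {
    publisher = "examplepub"
    product   = "example-product"
    name      = "example-plan"
  }
}

resource "azurerm_linux_virtual_machine" "bastion" {
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
  }
}
EOF
}

# The old gate: every publisher in the file, sorted, so the bastion image's
# "Canonical" sorts first and reads as marketplace drift.
naive_publishers() {
  grep -o 'publisher *= *"[^"]*"' "$1" | sed 's/.*"\(.*\)"/\1/' | sort
}

# The scoped gate: track brace depth and report publisher values only while
# inside the marketplace_plans = { ... } block.
scoped_publishers() {
  awk '
    /marketplace_plans *= *[{]/ { inblock = 1; start = depth }
    {
      if (inblock && $0 ~ /publisher *= *"[^"]*"/) {
        v = $0
        sub(/.*publisher *= *"/, "", v); sub(/".*/, "", v)
        print v
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (inblock && depth <= start) inblock = 0
    }
  ' "$1"
}

tf_file=$(mktemp)
write_sample_module "$tf_file"
echo "naive gate sees:  $(naive_publishers "$tf_file" | tr '\n' ' ')"
echo "scoped gate sees: $(scoped_publishers "$tf_file" | tr '\n' ' ')"
rm -f "$tf_file"
```

The walker records the depth at which `marketplace_plans = {` opens and stops reporting once the depth falls back to that level, so a publisher in a `source_image_reference` or VMSS extension block elsewhere in the same file is ignored even though the naive grep lists it first.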

dmchaledev merged commit b5bdefb into main on May 19, 2026
76 of 77 checks passed