feat: Allowlist Ips in Azure (#51)

Co-authored-by: amanpruthi <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
wandb · May 10, 2024 · 18259c0 · 18259c0
1 parent 18f818b
commit 18259c0
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ resources that lack official modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_allowed_ip_ranges"></a> [allowed\_ip\_ranges](#input\_allowed\_ip\_ranges) | allowed public IP addresses or CIDR ranges. | `list(string)` | `[]` | no |
 | <a name="input_app_wandb_env"></a> [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
 | <a name="input_blob_container"></a> [blob\_container](#input\_blob\_container) | Use an existing bucket. | `string` | `""` | no |
 | <a name="input_create_redis"></a> [create\_redis](#input\_create\_redis) | Boolean indicating whether to provision an redis instance (true) or not (false). | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
@@ -24,8 +24,8 @@ module "networking" {
   namespace           = var.namespace
   resource_group_name = azurerm_resource_group.default.name
   location            = azurerm_resource_group.default.location
-
-  tags = var.tags
+  allowed_ip_ranges   = var.allowed_ip_ranges
+  tags                = var.tags
 }
 
 module "database" {

diff --git a/modules/networking/main.tf b/modules/networking/main.tf
@@ -34,3 +34,54 @@ resource "azurerm_subnet" "redis" {
   address_prefixes     = [var.network_redis_subnet_cidr]
   virtual_network_name = azurerm_virtual_network.default.name
 }
+
+resource "azurerm_network_security_group" "default" {
+  count               = length(var.allowed_ip_ranges) > 0 ? 1 : 0
+  name                = "${var.namespace}-allowlist-nsg"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  tags                = var.tags
+}
+
+
+resource "azurerm_network_security_rule" "allow_cidr" {
+  count                       = length(var.allowed_ip_ranges) > 0 ? length(var.allowed_ip_ranges) : 0
+  name                        = "allowRule-${count.index}"
+  priority                    = 100 + "${count.index}"
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "*"
+  source_address_prefixes     = [var.allowed_ip_ranges[count.index]]
+  destination_address_prefix  = "*"
+  resource_group_name         = var.resource_group_name
+  network_security_group_name = azurerm_network_security_group.default.0.name
+  depends_on                  = [azurerm_network_security_group.default]
+}
+
+
+
+resource "azurerm_network_security_rule" "default" {
+  count                       = length(var.allowed_ip_ranges) > 0 ? 1 : 0
+  name                        = "defaultAppGatewayV2SkuRule"
+  priority                    = 120
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "*"
+  source_port_range           = "*"
+  destination_port_range      = "65200-65535"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = var.resource_group_name
+  network_security_group_name = azurerm_network_security_group.default.0.name
+}
+
+
+
+resource "azurerm_subnet_network_security_group_association" "public" {
+  count                     = length(var.allowed_ip_ranges) > 0 ? 1 : 0
+  subnet_id                 = azurerm_subnet.public.id
+  network_security_group_id = azurerm_network_security_group.default.0.id
+  depends_on = [ azurerm_network_security_rule.default ]
+}
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
@@ -54,3 +54,8 @@ variable "tags" {
   type        = map(string)
   description = "Map of tags for resource"
 }
+
+variable "allowed_ip_ranges" {
+  description = "allowed public IP addresses or CIDR ranges."
+  type = list(string)
+}
diff --git a/variables.tf b/variables.tf
@@ -181,6 +181,17 @@ variable "kubernetes_node_count" {
   type    = number
 }
 
+##########################################
+# Network                                #
+##########################################
+
+variable "allowed_ip_ranges" {
+  description = "allowed public IP addresses or CIDR ranges."
+  type        = list(string)
+  default = []
+}
+
+
 variable "weave_wandb_env" {
   type        = map(string)
   description = "Extra environment variables for W&B"
@@ -198,3 +209,4 @@ variable "parquet_wandb_env" {
   description = "Extra environment variables for W&B"
   default     = {}
 }
+