From 1caec3674fd801d67551459bf4fe80d94daadea0 Mon Sep 17 00:00:00 2001
From: Damien Duportal
Date: Sat, 6 Jan 2024 09:04:27 +0100
Subject: [PATCH 1/2] feat(updates.jenkins.io) restrict SA to only a few administrative IPs

Signed-off-by: Damien Duportal
---
 .shared-tools | 2 +-
 locals.tf | 2 --
 publick8s.tf | 10 ++++++----
 updates.jenkins.io.tf | 35 ++++++++++++++++++++++++++++-------
 4 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/.shared-tools b/.shared-tools
index 95e1b114..72c9143e 160000
--- a/.shared-tools
+++ b/.shared-tools
@@ -1 +1 @@
-Subproject commit 95e1b114a34698d3876e360fc8241ad4045c947a
+Subproject commit 72c9143ef61ffb1af8a88f5b295dbbe915c438af
diff --git a/locals.tf b/locals.tf
index 116b221b..3ae7fb0e 100644
--- a/locals.tf
+++ b/locals.tf
@@ -31,8 +31,6 @@ locals {
 "keyserver.ubuntu.com" = ["162.213.33.8", "162.213.33.9"]
 }
- privatek8s_outbound_ip_cidr = "20.22.6.81/32"
-
 default_tags = {
 scope = "terraform-managed"
 repository = "jenkins-infra/azure"
diff --git a/publick8s.tf b/publick8s.tf
index 04b6e692..07c1acc6 100644
--- a/publick8s.tf
+++ b/publick8s.tf
@@ -42,7 +42,12 @@ resource "azurerm_kubernetes_cluster" "publick8s" {
 "%s/32",
 flatten(
 concat(
- [for key, value in module.jenkins_infra_shared_data.admin_public_ips : value]
+ [for key, value in module.jenkins_infra_shared_data.admin_public_ips : value],
+ # privatek8s outbound IP (traffic routed trhough gateways)
+ module.jenkins_infra_shared_data.outbound_ips["privatek8s.jenkins.io"],
+ # trusted.ci subnet (UC agents need to execute mirrorbits scans)
+ module.jenkins_infra_shared_data.outbound_ips["trusted.ci.jenkins.io"],
+ module.jenkins_infra_shared_data.outbound_ips["trusted.sponsorship.ci.jenkins.io"],
 )
 )
 ),
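Review bot: The comment on the new privatek8s entry has a typo, `# privatek8s outbound IP (traffic routed trhough gateways)` should say `through`, and the trusted.sponsorship.ci.jenkins.io entry two lines below it carries no comment at all, although it is a new source set that the commit title (which only mentions the storage account) does not announce. This list feeds an allowlist whose attribute name and enclosing block begin above the hunk, so a reader of the file sees only a bare identifier being granted access. A one-line comment stating why that controller needs the same access as trusted.ci (if that is the reason) would let a later reviewer tell an intended grant from a copy-paste. Consider also recording the widening in the commit message, since "restrict SA" does not describe this hunk.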
@@ -50,9 +55,6 @@ resource "azurerm_kubernetes_cluster" "publick8s" {
 data.azurerm_subnet.private_vnet_data_tier.address_prefixes,
 # privatek8s nodes subnet
 data.azurerm_subnet.privatek8s_tier.address_prefixes,
- [local.privatek8s_outbound_ip_cidr],
- # trusted.ci subnet (UC agents need to execute mirrorbits scans)
- formatlist("%s/32", module.jenkins_infra_shared_data.outbound_ips["trusted.ci.jenkins.io"]),
 )
 }
diff --git a/updates.jenkins.io.tf b/updates.jenkins.io.tf
index 116722ef..b3cdffe7 100644
--- a/updates.jenkins.io.tf
+++ b/updates.jenkins.io.tf
@@ -6,15 +6,36 @@ resource "azurerm_resource_group" "updates_jenkins_io" {
 }
 resource "azurerm_storage_account" "updates_jenkins_io" {
- name = "updatesjenkinsio"
- resource_group_name = azurerm_resource_group.updates_jenkins_io.name
- location = azurerm_resource_group.updates_jenkins_io.location
- account_tier = "Standard"
- account_replication_type = "LRS"
- min_tls_version = "TLS1_2" # default value, needed for tfsec
- public_network_access_enabled = "true" # Explicit default value, we want this storage account to be readable from anywhere
+ name = "updatesjenkinsio"
+ resource_group_name = azurerm_resource_group.updates_jenkins_io.name
+ location = azurerm_resource_group.updates_jenkins_io.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ min_tls_version = "TLS1_2" # default value, needed for tfsec
+
+ # No public access as the storage is only access through middlewares (mirrorbits) or Azure API (azcopy)
+ allow_nested_items_to_be_public = false
+ public_network_access_enabled = false
 tags = local.default_tags
+
+ network_rules {
+ default_action = "Deny"
+ ip_rules = setunion(
+ # admins
+ formatlist(
+ "%s/30",
+ flatten(
+ concat(
+ [for key, value in module.jenkins_infra_shared_data.admin_public_ips : value],
+ module.jenkins_infra_shared_data.outbound_ips["trusted.ci.jenkins.io"],
+ module.jenkins_infra_shared_data.outbound_ips["trusted.sponsorship.ci.jenkins.io"],
+ module.jenkins_infra_shared_data.outbound_ips["privatek8s.jenkins.io"]
+ )
+ )
+ ),
+ )
+ }
 }
 resource "azurerm_storage_share" "updates_jenkins_io" {
From f2bcecadb3bf331c3304846bb0b088a295df274f Mon Sep 17 00:00:00 2001
From: Damien Duportal
Date: Sat, 6 Jan 2024 09:36:30 +0100
Subject: [PATCH 2/2] fixup

Signed-off-by: Damien Duportal
---
 updates.jenkins.io.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/updates.jenkins.io.tf b/updates.jenkins.io.tf
index b3cdffe7..d057aa61 100644
--- a/updates.jenkins.io.tf
+++ b/updates.jenkins.io.tf
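Review bot: The `"%s/30"` in the new formatlist turns every admin and outbound address into a four-address block, so each ip_rules entry admits up to three neighbouring addresses that do not belong to the listed host, whereas publick8s.tf applies `"%s/32"` to the very same lists. If /30 was chosen because the storage firewall rejects /32 prefixes (as far as I know Azure wants single hosts passed as bare addresses with no prefix), then dropping the formatlist and passing the flattened list directly keeps each rule to one host. Separately, `public_network_access_enabled = false` disables the public endpoint outright and, to my understanding, the ip_rules under network_rules are then never consulted, which contradicts the `# admins` intent of the list; the "selected networks and IP addresses" mode is `public_network_access_enabled = true` together with `default_action = "Deny"`, so this is worth confirming against a plan and an azcopy test from one of the listed addresses. The new comment also reads `only access through`, which should be `only accessed through`.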
@@ -35,6 +35,7 @@ resource "azurerm_storage_account" "updates_jenkins_io" {
 )
 ),
 )
+ bypass = ["Metrics", "Logging", "AzureServices"]
 }
 }
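Review bot: The added `bypass = ["Metrics", "Logging", "AzureServices"]` carries no comment and the commit message is only "fixup", so nothing records why the Deny default is opened for these three classes of traffic. "AzureServices" is the broad one of the three: it admits the set of Microsoft services Azure treats as trusted rather than a named caller, so the reason should be written down next to it, e.g. `# AzureServices: needed by <service that must reach the account - fill in>; Metrics/Logging keep diagnostics flowing past the Deny default`. The network_rules block and the enclosing resource start above the hunk, so the comment is best placed on the line before bypass where the other rule attributes are.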