diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
index 26282772f7b..57ceda77161 100644
--- a/pkg/deploy/assets/rp-production.json
+++ b/pkg/deploy/assets/rp-production.json
@@ -541,7 +541,7 @@
 },
 "location": "[resourceGroup().location]",
 "name": "[substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.'))]",
- "type": "Microsoft.Storage/storageAccounts",
+ "type": "Microsoft.Storage/storageAccounts", { "properties": "allowSharedAccessKey: false" },
 "apiVersion": "2019-06-01"
 },
 {
diff --git a/pkg/deploy/generator/generators.go b/pkg/deploy/generator/generators.go
index ac550bf3e65..9928380024e 100644
--- a/pkg/deploy/generator/generators.go
+++ b/pkg/deploy/generator/generators.go
@@ -114,7 +114,13 @@ func (g *generator) Artifacts() error {
 }
 
 func (g *generator) writeTemplate(t *arm.Template, output string) error {
- b, err := g.templateFixup(t)
+
+ sharedAccessKeyHack := false
+ if output == FileRPProduction {
+ sharedAccessKeyHack = true
+ }
+
+ b, err := g.templateFixup(t, sharedAccessKeyHack)
 if err != nil {
 return err
 }
diff --git a/pkg/deploy/generator/templates.go b/pkg/deploy/generator/templates.go
index 501956fbfdf..320f4821fab 100644
--- a/pkg/deploy/generator/templates.go
+++ b/pkg/deploy/generator/templates.go
@@ -39,7 +39,7 @@ func max(is ...int) int {
 return max
 }
 
-func (g *generator) templateFixup(t *arm.Template) ([]byte, error) {
+func (g *generator) templateFixup(t *arm.Template, sharedAccessKeyHack bool) ([]byte, error) {
 b, err := json.MarshalIndent(t, "", " ")
 if err != nil {
 return nil, err
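Review bot: The added line is not valid JSON: after `"type": "Microsoft.Storage/storageAccounts",` an object literal `{ "properties": "allowSharedAccessKey: false" }` appears where a key/value pair is required, and the value is a string rather than a `properties` object, so this rendered asset cannot be parsed by a strict JSON consumer and the intended shared-key restriction never takes effect. The property that the comment in templates.go cites, and that the linked ARM reference documents, is `allowSharedKeyAccess`, not `allowSharedAccessKey`. This text is produced by the `bytes.ReplaceAll` in the templates.go hunk of this diff; changing its replacement to `"type": "Microsoft.Storage/storageAccounts", "properties": {"allowSharedKeyAccess": false}` yields a well-formed resource, provided the storage account resource has no existing `properties` object (the lines above this hunk are not shown, so that cannot be confirmed here).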
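Review bot: `sharedAccessKeyHack` is assigned through a four-line `false`/`if`/`true` sequence where a single boolean expression reads more directly: `sharedAccessKeyHack := output == FileRPProduction`. The blank line inserted directly after the `writeTemplate` signature is unusual for this file and gofmt will keep it, so it has to be removed by hand. Gating the flag on `FileRPProduction` alone means any other generated template that declares storage accounts keeps shared-key access at its default; whether such templates exist is not visible in this hunk. writeTemplate's body continues outside the hunk.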
@@ -68,6 +68,32 @@ func (g *generator) templateFixup(t *arm.Template) ([]byte, error) {
 b = bytes.Replace(b, []byte(`"sourceAddressPrefixes": []`), []byte(`"sourceAddressPrefixes": "[parameters('rpNsgPortalSourceAddressPrefixes')]"`), 1)
 }
 
+ if sharedAccessKeyHack {
+ b = bytes.ReplaceAll(b, []byte(`"type": "Microsoft.Storage/storageAccounts"`), []byte(`"type": "Microsoft.Storage/storageAccounts", { "properties": "allowSharedAccessKey: false" }`))
+ }
+
+ // TO-DO:
+ // This hack allows us to specify `allowSharedKeyAccess = false` for the storage accounts.
+ // This is required by Security Wave - 2024.
+ // However, the reason this hack is necessary is that we are using the old package for ARM Template Storage Accounts (mgmt/storage).
+ // If we complete the migration from SDK track 1 to SDK track 2, which includes using armstorage instead of mgmt/storage,
+ // we are able to directly set allowStorageKeyAccess to false in the ARM template struct itself,
+ // specifically on resource_rp.go's rpStorageAccount() function or g.storageAccount() from resources.go.
+ // When we do this and start setting allowSharedKeyAccess to false directly on the functions, this hack can be safely removed.
+
+ // Example usage of new package in AKS: https://msazure.visualstudio.com/CloudNativeCompute/_git/aksiknife?path=/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/models.go&version=GBmaster&line=197&lineEnd=197&lineStartColumn=1&lineEndColumn=68&lineStyle=plain&_a=contents
+
+ // New package docs: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage
+
+ // Package migration guide: https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/MIGRATION_GUIDE.md
+
+ // Old package, latest version, containing deprecation warning: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage
+
+ // Old package, old version, which we're using, so it took me a while to find the deprecation warning: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go@v63.1.0+incompatible/services/storage/mgmt/2019-06-01/storage
+
+ // ARM Template modification: add "properties:" {"allowSharedKeyAccess": false} to the storage account resource.
+ // As described by ARM Template documentation, here: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-arm-template
+
 return append(b, byte('\n')), nil
 }
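Review bot: Nothing after the byte-level replacements checks that `b` is still well-formed JSON, so a mistaken replacement string ships silently as a checked-in template and the hardening it was meant to apply is lost; since `json` is already in scope here, a guard before the return such as `if !json.Valid(b) { return nil, errors.New("templateFixup produced invalid JSON") }` (using whichever error constructor the file already imports) would catch that at generation time. `bytes.ReplaceAll` also rewrites every `Microsoft.Storage/storageAccounts` resource in the template rather than only the RP account, and any resource that already carries a `properties` object would end up with two, which a validity check alone would not catch. The long `// TO-DO:` block sits after the `if sharedAccessKeyHack` it explains, so a reader meets the raw string replacement before the rationale; moving the first paragraph and the migration-guide link above the `if` and dropping the remaining link list (one of which points at an internal VSTS repository that outside readers cannot open) would keep the intent without the noise. The hunk's leading `bytes.Replace` line and the enclosing function's start are outside the hunk.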