[AVM Module Issue]: Improper use of code 'firewallRules' db-for-my-sql/flexible-server #3717

Open
1 task done
FallenHoot opened this issue Nov 3, 2024 · 8 comments · May be fixed by #3775
Assignees
Labels
Class: Resource Module 📦 This is a resource module Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed Needs: Triage 🔍 Maintainers need to triage still Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: Bug 🐛 Something isn't working

Comments

@FallenHoot
Contributor

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Bug

Module Name

avm/res/db-for-my-sql/flexible-server

(Optional) Module Version

0.4

Description

Can someone explain to me why the following is in the main.bicep? You can't create delegatedSubnetResourceId, because it requires firewallRules. The main README.MD has no mention of firewallRules.

```bicep
@description('Optional. The firewall rules to create in the MySQL flexible server.')
param firewallRules array = []

network: !empty(delegatedSubnetResourceId) && empty(firewallRules)
  ? {
      delegatedSubnetResourceId: delegatedSubnetResourceId
      privateDnsZoneResourceId: privateDnsZoneResourceId
    }
  : null
```

My feedback after looking into this more.

When to Use mysqlFirewallRule

  • Public Network Access: If your MySQL flexible server has public network access enabled (publicNetworkAccess: 'Enabled'), you should use firewall rules to restrict access to specific IP addresses or ranges. This helps prevent unauthorized access from the internet.
  • Specific IP Restrictions: If you need to allow access only from certain IP addresses or ranges, even within a virtual network, firewall rules are necessary.

When You Might Not Need mysqlFirewallRule

  • Private Network Access Only: If your MySQL flexible server is configured to be accessible only within a virtual network (publicNetworkAccess: 'Disabled'), and you have other network security measures in place (e.g., Network Security Groups, Azure Firewall), you might not need additional firewall rules.
  • Controlled Environment: If the server is in a highly controlled environment where access is already restricted by other means, firewall rules might be redundant.

It looks like the real issue is that the module is missing publicNetworkAccess in network.

The delegatedSubnetResourceId is used to specify a subnet within a virtual network that is delegated to the MySQL flexible server. This allows the server to be part of a virtual network, providing network isolation and security. However, if publicNetworkAccess is enabled, firewall rules are required to control access to the server.

Suggested fix:

```bicep
@description('Optional. Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration.')
param publicNetworkAccess string = 'Disabled'

network: publicNetworkAccess == 'Enabled'
  ? (!empty(delegatedSubnetResourceId) || empty(firewallRules)
      ? {
          publicNetworkAccess: publicNetworkAccess
          delegatedSubnetResourceId: delegatedSubnetResourceId
          privateDnsZoneResourceId: privateDnsZoneResourceId
        }
      : null)
  : (!empty(delegatedSubnetResourceId)
      ? {
          publicNetworkAccess: publicNetworkAccess
          delegatedSubnetResourceId: delegatedSubnetResourceId
          privateDnsZoneResourceId: privateDnsZoneResourceId
        }
      : null)
```

Happy to create a PR if needed.

(Optional) Correlation Id

No response
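To make the behaviour of the two `network` conditionals concrete, here is an added Python model (editor's example, not code from the module or the issue author) that transcribes each Bicep expression branch for branch and evaluates it over a few constructed input combinations. The resource IDs and the firewall rule are constructed sample values; the firewall rule's `startIpAddress`/`endIpAddress` shape is an assumption, since the issue does not show the array's structure.

```python
"""Model of the `network` conditional in the AVM MySQL flexible-server module:
the expression as the page shows it, and the expression the issue proposes.
Constructed for comparison only; this is not the module's code."""
from typing import Dict, Optional, Tuple

# Constructed sample values (not real resource IDs).
SUBNET = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/mysql"
DNS_ZONE = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/privateDnsZones/mysql.database.azure.com"
# Assumed rule shape: one office address allowed (startIpAddress/endIpAddress is an assumption).
RULES = [{"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}]


def network_current(delegated_subnet: str, dns_zone: str, firewall_rules: list) -> Optional[dict]:
    """Module expression: !empty(delegatedSubnetResourceId) && empty(firewallRules) ? {...} : null."""
    if delegated_subnet and not firewall_rules:
        return {"delegatedSubnetResourceId": delegated_subnet,
                "privateDnsZoneResourceId": dns_zone}
    return None


def network_suggested(public_access: str, delegated_subnet: str, dns_zone: str,
                      firewall_rules: list) -> Optional[dict]:
    """Proposed expression, transcribed branch for branch from the issue."""
    block = {"publicNetworkAccess": public_access,
             "delegatedSubnetResourceId": delegated_subnet,
             "privateDnsZoneResourceId": dns_zone}
    if public_access == "Enabled":
        # Enabled branch: !empty(delegatedSubnetResourceId) || empty(firewallRules)
        return block if (delegated_subnet or not firewall_rules) else None
    # Disabled branch: !empty(delegatedSubnetResourceId)
    return block if delegated_subnet else None


def compare_cases() -> Dict[str, Tuple[Optional[dict], Optional[dict]]]:
    """Evaluate both expressions over four deployment shapes: (current, suggested)."""
    cases = {
        "vnet_only":         ("Disabled", SUBNET, DNS_ZONE, []),
        "vnet_with_rules":   ("Disabled", SUBNET, DNS_ZONE, RULES),
        "public_with_rules": ("Enabled", "", "", RULES),
        "public_no_rules":   ("Enabled", "", "", []),
    }
    return {name: (network_current(sub, dns, rules), network_suggested(pub, sub, dns, rules))
            for name, (pub, sub, dns, rules) in cases.items()}


if __name__ == "__main__":
    for name, (current, suggested) in compare_cases().items():
        print(f"{name:18s} current={'set' if current else 'null':4s} suggested={'set' if suggested else 'null'}")
```

The table makes the differences visible: the module's expression yields null as soon as firewall rules are supplied alongside a delegated subnet, so a VNet-integrated deployment that also passes firewallRules ends up with no network block at all.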

@FallenHoot FallenHoot added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Nov 3, 2024
@github-project-automation github-project-automation bot moved this to Needs: Triage in AVM - Module Issues Nov 3, 2024
@avm-team-linter avm-team-linter bot added the Class: Resource Module 📦 This is a resource module label Nov 3, 2024

@FallenHoot, thanks for submitting this issue for the avm/res/db-for-my-sql/flexible-server module!

Important

A member of the @Azure/avm-res-dbformysql-flexibleserver-module-owners-bicep or @Azure/avm-res-dbformysql-flexibleserver-module-contributors-bicep team will review it soon!

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Type: Bug 🐛 Something isn't working label Nov 3, 2024
@FallenHoot FallenHoot changed the title [AVM Module Issue]: Bade Code db-for-my-sql/flexible-server [AVM Module Issue]: Improper use of code 'firewallRules' db-for-my-sql/flexible-server Nov 3, 2024
@hundredacres
Contributor

@FallenHoot happy to take a PR to resolve the issue. Let me know if you run into any issues doing so. Thanks!

Warning

Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

Tip

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!

@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: Response Overdue 🚩 When an issue/PR has not been responded to for X amount of days label Nov 8, 2024


Caution

**This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days.**

Tip

  • To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Immediate Attention ‼️ Immediate attention of module owner / AVM team is needed label Nov 14, 2024

