Remove networkAcls for storage account if in development (#396)

twsouthwick · web-flow · commit e6b5229ba701 · 2024-09-24T16:22:35.000Z
diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
@@ -12,11 +12,6 @@ import { PrivateEndpointSettings } from '../../types/PrivateEndpointSettings.bic
 import { DiagnosticSettings } from '../../types/DiagnosticSettings.bicep'
 import { ApplicationIdentity } from '../../types/ApplicationIdentity.bicep'
 
-type FirewallRules = {
-  @description('The list of IP address CIDR blocks to allow access from.')
-  allowedIpAddresses: string[]
-}
-
 // ========================================================================
 // PARAMETERS
 // ========================================================================
@@ -73,9 +68,6 @@ param sku object = { name: 'Standard_LRS' }
 @description('Determines whether or not trusted azure services are allowed to connect to this account')
 param bypass string = 'AzureServices'
 
-@description('The firewall rules to install on the sql-server.')
-param firewallRules FirewallRules?
-
 // ========================================================================
 // VARIABLES
 // ========================================================================
@@ -91,11 +83,6 @@ var storageBlobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 var defaultToOAuthAuthentication = false
 var dnsEndpointType = 'Standard'
 
-
-var allowedCidrBlocks = firewallRules != null ? map(firewallRules!.allowedIpAddresses, ipaddr => {
-  value: ipaddr
-}) : []
-
 // ========================================================================
 // AZURE RESOURCES
 // ========================================================================
@@ -115,13 +102,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
     dnsEndpointType: dnsEndpointType
     minimumTlsVersion: minimumTlsVersion
     publicNetworkAccess: enablePublicNetworkAccess ? 'Enabled' : 'Disabled'
-    networkAcls: enablePublicNetworkAccess ? {
+    networkAcls: enablePublicNetworkAccess ? null : {
       bypass: bypass
       defaultAction: 'Deny'
-      ipRules: allowedCidrBlocks
-    } : {
-      defaultAction:'Deny'
-      bypass: bypass
     }
   }
 }
diff --git a/infra/modules/application-resources.bicep b/infra/modules/application-resources.bicep
@@ -443,8 +443,6 @@ module storageAccount '../core/storage/storage-account.bicep' = {
       resourceGroupName: resourceNames.spokeResourceGroup
       subnetId: subnets[resourceNames.spokePrivateEndpointSubnet].id
     } : null
-
-    firewallRules: clientIpAddress != '' ? { allowedIpAddresses: [clientIpAddress]} : null
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -443,8 +443,6 @@ module storageAccount '../core/storage/storage-account.bicep' = {`
`443`	`443`	`resourceGroupName: resourceNames.spokeResourceGroup`
`444`	`444`	`subnetId: subnets[resourceNames.spokePrivateEndpointSubnet].id`
`445`	`445`	`} : null`
`446`		`-`
`447`		`- firewallRules: clientIpAddress != '' ? { allowedIpAddresses: [clientIpAddress]} : null`
`448`	`446`	`}`
`449`	`447`	`}`
`450`	`448`