LibreDevOpsHelpers.AzureNetworkSecurityPerimeter/LibreDevOpsHelpers.AzureNetworkSecurityPerimeter.psm1
|
Set-StrictMode -Version Latest function Add-LdoNspCurrentIpRule { <# .SYNOPSIS Adds an inbound access rule for the caller's public IP to a Network Security Perimeter profile. .DESCRIPTION Resolves the caller's current public IP and creates an inbound access rule on the given NSP profile allowing that IP, so a runner can reach a resource's data plane while it is inside an Enforced perimeter. If a rule with the same name already exists it is deleted and recreated so it always reflects the current IP. This is the NSP counterpart to Add-LdoStorageCurrentIpRule; pair it with Remove-LdoNspRule in a finally block. Requires the Azure CLI to be signed in. .PARAMETER ResourceGroup Resource group containing the network security perimeter. .PARAMETER PerimeterName Name of the network security perimeter. .PARAMETER ProfileName Name of the perimeter profile to attach the rule to. .PARAMETER RuleName Name of the access rule to create or update. Defaults to ldo-runner-allow. .EXAMPLE Add-LdoNspCurrentIpRule -ResourceGroup rg -PerimeterName nsp -ProfileName default .OUTPUTS None #> [CmdletBinding()] [OutputType([void])] param( [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ResourceGroup, [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$PerimeterName, [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ProfileName, [string]$RuleName = 'ldo-runner-allow' ) $ip = Get-LdoPublicIpAddress Write-LdoLog -Level INFO -Message "Current public IP: $ip" $existing = az network perimeter profile access-rule list --resource-group $ResourceGroup --perimeter-name $PerimeterName --profile-name $ProfileName --query "[?name=='$RuleName']" -o tsv 2>$null if ($existing) { Write-LdoLog -Level INFO -Message "NSP rule $RuleName already exists on $PerimeterName/$ProfileName; recreating it with the current IP." az network perimeter profile access-rule delete --resource-group $ResourceGroup --perimeter-name $PerimeterName --profile-name $ProfileName --name $RuleName --yes | Out-Null Assert-LdoLastExitCode -Operation "az network perimeter profile access-rule delete ($RuleName)" } az network perimeter profile access-rule create ` --resource-group $ResourceGroup ` --perimeter-name $PerimeterName ` --profile-name $ProfileName ` --name $RuleName ` --direction Inbound ` --address-prefixes "$ip/32" | Out-Null Assert-LdoLastExitCode -Operation "az network perimeter profile access-rule create ($RuleName)" Write-LdoLog -Level INFO -Message "Added temporary NSP inbound rule $RuleName for $ip on $PerimeterName/$ProfileName." } function Remove-LdoNspRule { <# .SYNOPSIS Removes a Network Security Perimeter access rule by name if it exists. .DESCRIPTION Deletes the named access rule from the given NSP profile when present, and does nothing (no error) when it is already absent. Requires the Azure CLI to be signed in. .PARAMETER ResourceGroup Resource group containing the network security perimeter. .PARAMETER PerimeterName Name of the network security perimeter. .PARAMETER ProfileName Name of the perimeter profile the rule is on. .PARAMETER RuleName Name of the access rule to remove. .EXAMPLE Remove-LdoNspRule -ResourceGroup rg -PerimeterName nsp -ProfileName default -RuleName ldo-runner-allow .OUTPUTS None #> [CmdletBinding()] [OutputType([void])] param( [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ResourceGroup, [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$PerimeterName, [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$ProfileName, [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$RuleName ) $existing = az network perimeter profile access-rule list --resource-group $ResourceGroup --perimeter-name $PerimeterName --profile-name $ProfileName --query "[?name=='$RuleName']" -o tsv 2>$null if (-not $existing) { Write-LdoLog -Level INFO -Message "NSP rule $RuleName does not exist on $PerimeterName/$ProfileName; nothing to remove." return } az network perimeter profile access-rule delete --resource-group $ResourceGroup --perimeter-name $PerimeterName --profile-name $ProfileName --name $RuleName --yes | Out-Null Assert-LdoLastExitCode -Operation "az network perimeter profile access-rule delete ($RuleName)" Write-LdoLog -Level INFO -Message "Removed NSP rule $RuleName from $PerimeterName/$ProfileName." } Export-ModuleMember -Function ` Add-LdoNspCurrentIpRule, ` Remove-LdoNspRule |