Validate and update ip firewall rules

benbp · benbp · commit 6d5edebdc0f2 · 2024-06-24T16:36:05.000-04:00
diff --git a/eng/common/TestResources/New-TestResources.ps1 b/eng/common/TestResources/New-TestResources.ps1
@@ -83,6 +83,14 @@ param (
     # List of CIDR ranges to add to specific resource firewalls, e.g. @(10.100.0.0/16, 10.200.0.0/16)
     [Parameter()]
     [ValidateCount(0,399)]
+    [Validatescript({
+        foreach ($range in $PSItem) {
+            if ($range -like '*/31' -or $range -like '*/32') {
+                throw "Firewall IP Ranges cannot contain a /31 or /32 CIDR"
+            }
+        }
+        return $true
+    })]
     [array] $AllowIpRanges = @(),
 
     [Parameter()]
@@ -128,9 +136,9 @@ $azsdkPipelineSubnetMap = @{
 
 $poolSubnet = ''
 if ($env:Pool) {
-  $poolSubnet = $azsdkPipelineSubnetMap[$env:Pool]
+    $poolSubnet = $azsdkPipelineSubnetMap[$env:Pool]
 } else {
-  Write-Warning "Pool environment variable is not defined! Subnet allowlisting will not work and live test resources may be non-compliant."
+    Write-Warning "Pool environment variable is not defined! Subnet allowlisting will not work and live test resources may be non-compliant."
 }
 
 if (!$ServicePrincipalAuth) {
@@ -877,7 +885,7 @@ try {
                     } elseif (!$CI) {
                         Write-Host "Enabling access to '$($account.Name)' from client IP"
                         $clientIp ??= Retry { Invoke-RestMethod -Uri 'https://icanhazip.com/' }  # cloudflare owned ip site
-                        Retry { Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $account.Name -IPRule @{ Action = 'allow'; IPAddressOrRange = $clientIp } | Out-Null }
+                        Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -IPAddressOrRange $clientIp | Out-Null }
                     }
                 }
             }
diff --git a/eng/common/TestResources/deploy-test-resources.yml b/eng/common/TestResources/deploy-test-resources.yml
@@ -68,6 +68,7 @@ steps:
             -DeleteAfterHours '${{ parameters.DeleteAfterHours }}' `
             @subscriptionConfiguration `
             -AdditionalParameters ${{ parameters.ArmTemplateParameters }} `
+            -AllowIpRanges ('$(azsdk-corp-net-ip-ranges)' -split ',') `
             -CI `
             -Force `
             -Verbose | Out-Null
@@ -89,6 +90,7 @@ steps:
           -DeleteAfterHours '${{ parameters.DeleteAfterHours }}' `
           @subscriptionConfiguration `
           -AdditionalParameters ${{ parameters.ArmTemplateParameters }} `
+          -AllowIpRanges ('$(azsdk-corp-net-ip-ranges)' -split ',') `
           -CI `
           -ServicePrincipalAuth `
           -Force `
