From 855680b74ffbbcafb88740a8abc8b75b3ddb8490 Mon Sep 17 00:00:00 2001 From: Alastair Lock Date: Wed, 20 May 2026 16:09:30 +0100 Subject: [PATCH] PPHA-685: Pen testing hardening changes --- infrastructure/modules/container-app/main.tf | 1 - infrastructure/modules/storage/main.tf | 3 +++ infrastructure/modules/storage/tfdocs.md | 10 +++++++++- infrastructure/modules/storage/variables.tf | 8 +++++++- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf index 131f8324..c0703816 100644 --- a/infrastructure/modules/container-app/main.tf +++ b/infrastructure/modules/container-app/main.tf @@ -81,7 +81,6 @@ resource "azurerm_container_app" "main" { } } - dynamic "secret" { for_each = var.secret_variables content { diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf index 26ad4000..67cad697 100644 --- a/infrastructure/modules/storage/main.tf +++ b/infrastructure/modules/storage/main.tf @@ -10,6 +10,9 @@ resource "azurerm_storage_account" "storage_account" { access_tier = var.access_tier shared_access_key_enabled = var.shared_access_key_enabled + # Public access controls + allow_nested_items_to_be_public = var.allow_nested_items_to_be_public + tags = var.tags blob_properties { diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md index 5ae92187..99460b0e 100644 --- a/infrastructure/modules/storage/tfdocs.md +++ b/infrastructure/modules/storage/tfdocs.md 
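Review bot: `allow_nested_items_to_be_public = var.allow_nested_items_to_be_public` in the storage_account hunk is wired to a module default of `false`, which is stricter than the AzureRM provider default of `true`, so every existing caller that never sets the input will see this flip on its next apply; that is the intended hardening, but any container that relied on anonymous blob reads will break, so the commit description should call it out as a behaviour change rather than a no-op. Because the input is still a plain toggle a consumer can pass `true` to undo the hardening, so consider whether the module needs to expose it at all, or document who may override it. If the resource does not already set `min_tls_version`, `https_traffic_only_enabled` and `public_network_access_enabled` (the resource block starts outside the hunk, so I cannot see), they belong in the same pass. The generic `# Public access controls` label would be more useful as `# Blocks anonymous blob access even when a container is marked public (provider default is true)`.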
@@ -126,6 +126,14 @@ Type: `string` Default: `"PT5M"` +### [allow\_nested\_items\_to\_be\_public](#input\_allow\_nested\_items\_to\_be\_public) + +Description: Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false. + +Type: `bool` + +Default: `false` + ### [availability\_low\_threshold](#input\_availability\_low\_threshold) Description: This will alert of storage queue transactions is higher that given value, default will be 99. @@ -238,7 +246,7 @@ Default: `null` ### [shared\_access\_key\_enabled](#input\_shared\_access\_key\_enabled) -Description: Enables or disables Shared Key authorization for the storage account, defaults will be true. +Description: Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys. Type: `bool` diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf index 2b5a9160..477c2ac9 100644 --- a/infrastructure/modules/storage/variables.tf +++ b/infrastructure/modules/storage/variables.tf 
@@ -220,10 +220,16 @@ variable "share_properties_retention_policy_days" { variable "shared_access_key_enabled" { type = bool - description = "Enables or disables Shared Key authorization for the storage account, defaults will be true." + description = "Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys." default = true } +variable "allow_nested_items_to_be_public" { + type = bool + description = "Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false." + default = false +} + locals { alert_frequency_map = { PT5M = "PT1M"
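Review bot: The new `variable "allow_nested_items_to_be_public"` block is appended after `shared_access_key_enabled`, whereas the surrounding declarations appear to be kept in alphabetical order (`share_properties_retention_policy_days`, `shared_access_key_enabled`), and the generated tfdocs.md is alphabetised; moving it up with the other `a…` inputs keeps the two files consistent. The updated `shared_access_key_enabled` description correctly notes that `storage_use_azuread = true` is a provider-level setting the caller must configure, but it could add one sentence that the module cannot enforce this itself, so a `false` value with a default provider configuration will fail on any data-plane resource the module creates (if it creates any), e.g. `Note: the module cannot set this; data-plane resources will fail to plan without it.` The hunk's trailing context lines belong to the `locals` block, which continues outside the hunk.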