By default Cloud Shell sessions run inside a container inside a Microsoft network separate from any resources you may have deployed in Azure. So what happens when you want to access services you have deployed inside a Virtual Network such as a private AKS cluster, a Virtual Machine or Private Endpoint enabled services?
Well as you can imagine the solution is to deploy Cloud Shell into an Azure Virtual Network in such a way that the container, it runs on, can acces your private resources. This solution also protects the backing Storage Account that Cloud Shell uses for you the user profiles and data so that you end up with a locked down environmemt.
The following diagram shows the solution archictecture:
If you need more information about the solution, the services and any limitations please check the documentation here: Cloud Shell in an Azure Virtual Network.
Now let’s se how can we use terraform to make your Cloud Shell private!
Deploy a Private Azure Cloud Shell with Terraform
If Cloud Shell has been used in the past, the existing clouddrive must be unmounted. To do this run
clouddrive unmountfrom an active Cloud Shell session.
1. Create a provider.tf file with the following contents:
terraform { required_version = ">= 0.13.5" } provider "azurerm" { version = "= 2.46.1" features {} } provider "azuread" { version = "= 1.3.0" } provider "http" { version = "= 2.0.0" } Note that we are using azurerm to deploy Azure services, azuread to get some Service Principal information and http to get your current public ip address so that only you can reach your Cloud Shell.
2. Create a variables.tf file with the following contents:
variable location { default = "west europe" } variable resource_group { default = "<resource group name>" } variable "vnet_name" { default = "<vnet name>" } variable sa_name { default = "<Backing Storage Account name>" } variable relay_name { default = "<Azure Relay name>" } Make sure you replace the placeholders with the default values you want to use.
3. Create a main.tf file with the following contents:
# Get Azure Container Instance Service Principal. Amazing right? Cloud Shell uses this Service Principal! data "azuread_service_principal" "container" { display_name = "Azure Container Instance Service" } # Create Resource Groupto hold the resources. resource "azurerm_resource_group" "rg" { name = var.resource_group location = var.location } # Create a VNET. resource "azurerm_virtual_network" "vnet" { name = var.vnet_name address_space = ["10.0.0.0/16"] location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name } # Create a Containers Subnet. Here is where Cloud Shell will run. resource "azurerm_subnet" "containers" { name = "cloudshell-containers" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.vnet.name address_prefixes = ["10.0.0.0/24"] # Delegate the subnet to "Microsoft.ContainerInstance/containerGroups". delegation { name = "cloudshell-delegation" service_delegation { name = "Microsoft.ContainerInstance/containerGroups" } } # Add service enpoint so Cloud Shell can reach Storage Accounts. At the moment the solution does not work with Private Enpoints for the Storage Account. service_endpoints = ["Microsoft.Storage"] } # Create a subnet to host Azure Relay service. resource "azurerm_subnet" "relay" { name = "relay" resource_group_name = azurerm_resource_group.rg.name virtual_network_name = azurerm_virtual_network.vnet.name address_prefixes = ["10.0.1.0/24"] enforce_private_link_endpoint_network_policies = true } # Create a network profile for the Cloud Shell containers. resource "azurerm_network_profile" "networkprofile" { name = "cloudshell" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name container_network_interface { name = "cloudshell-containers" ip_configuration { name = "ipconfig" subnet_id = azurerm_subnet.containers.id } } } # Assign Network Contributor to the Azure Container Instance Service Principal. resource "azurerm_role_assignment" "network_contributor" { scope = azurerm_network_profile.networkprofile.id role_definition_name = "Network Contributor" principal_id = data.azuread_service_principal.container.object_id } # Create an Azure Relay namespace. resource "azurerm_relay_namespace" "relay" { name = var.relay_name location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name sku_name = "Standard" } # Add a private enpoint to the Azure Relay namespace. resource "azurerm_private_endpoint" "endpoint" { name = "cloudshell-privateendpoint" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name subnet_id = azurerm_subnet.relay.id private_service_connection { name = "privateendpoint" private_connection_resource_id = azurerm_relay_namespace.relay.id is_manual_connection = false subresource_names = ["namespace"] } } # Assign Contributor to the Azure Container Instance Service Principal. resource "azurerm_role_assignment" "contributor" { scope = azurerm_relay_namespace.relay.id role_definition_name = "Contributor" principal_id = data.azuread_service_principal.container.object_id } # Create the Storage Account to hold the Cloud Shell profiles. resource "azurerm_storage_account" "sa" { name = var.sa_name resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location account_tier = "Standard" account_replication_type = "GRS" enable_https_traffic_only = true } # Create a file share to hold the user profiles. resource "azurerm_storage_share" "share" { name = "profile" storage_account_name = azurerm_storage_account.sa.name quota = 6 } # Get your current public IP. data "http" "current_public_ip" { url = "http://ipinfo.io/json" request_headers = { Accept = "application/json" } } # Protect the Storage Account setting the firewall. # This is done only after the file share is created. resource "azurerm_storage_account_network_rules" "sa_rules" { resource_group_name = azurerm_resource_group.rg.name storage_account_name = azurerm_storage_account.sa.name default_action = "Deny" virtual_network_subnet_ids = [azurerm_subnet.containers.id] # ip_rules = [ # jsondecode(data.http.current_public_ip.body).ip # ] depends_on = [ azurerm_storage_share.share ] } # Create DNS Zone for Relay resource "azurerm_private_dns_zone" "private" { name = "privatelink.servicebus.windows.net" resource_group_name = azurerm_resource_group.rg.name } # Create A record for the Relay resource "azurerm_private_dns_a_record" "relay" { name = var.relay_name zone_name = azurerm_private_dns_zone.private.name resource_group_name = azurerm_resource_group.rg.name ttl = 3600 records = [azurerm_private_endpoint.endpoint.private_service_connection[0].private_ip_address] } # Link the Private Zone with the VNet resource "azurerm_private_dns_zone_virtual_network_link" "relay" { name = "relay" resource_group_name = azurerm_resource_group.rg.name private_dns_zone_name = azurerm_private_dns_zone.private.name virtual_network_id = azurerm_virtual_network.vnet.id } # Open the relay firewall to local IP resource "null_resource" "open_relay_firewall" { provisioner "local-exec" { interpreter = ["powershell"] command = "az rest --method put --uri '${azurerm_relay_namespace.relay.id}/networkrulesets/default?api-version=2017-04-01' --body '{\"properties\":{\"defaultAction\":\\\"Deny\\\",\"ipRules\":[{\"ipMask\":\\\"${jsondecode(data.http.current_public_ip.body).ip}\\\"}],\"virtualNetworkRules\":[],\"trustedServiceAccessEnabled\":false}}'" } depends_on = [ data.http.current_public_ip, azurerm_relay_namespace.relay ] } 4. Deploy the solution:
Run the following commands:
terraform init terraform plan -out tf.plan terraform apply ./tf.plan Hope it helps! Please find the complete code here
Top comments (0)