Restrict SSH Access in Azure using Terraform for Your Current IP Address

Concerns have arisen post-quick start guide from Microsoft’s Azure Virtual Machines for Linux quick create. Specifically, the lastb command on your provisioned host displays multiple SSH login attempts across various public IP addresses—a clear indicator of overly permissive security rules in place within Azure Terraform configuration files.

Your objective is to narrow down these permissions so that only connections from your current machine are permitted for SSH access into the virtual machines (VMs) provisioned through this setup, without resorting simply to manual configurations or tedious script implementations post-provisioning. Here’s how you can achieve a more secure environment using Terraform variables and scripts:

Adjustments with Variables in variables.tf File

To ensure only your IP address is allowed for SSH access, update the variable declaration within <code>variables.tf</code> as follows:

variable "source_address_prefix" {
  type        = string
  description = "[SSH Access Permission Description]: Source IP address permitted to make ssh connections."
}

This introduces a variable source_address_prefix, which you will set during execution.

Update Security Rule in Terraform Scripts (main.tf) or Module Files:

Adjust the security rule within your configuration files accordingly, such as <code>security_rule</code> block below using dynamic variables from above:

  resource "azurerm_network_security_group" "example" {
    name                = azurerm_lb.this.nsg_name
     location            = azurerm_resource_group.rg.location
      ... # other necessary configurations for security group creation go here, not shown in detail above...
  }
  
  resource "azurerm_network_security_rule" "ssh-allow" {
    name                       = "SSHAllowRuleNameHere" // Consider renaming to avoid conflicts if using multiple rules.
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*/32" // IPv4 example, adapt for dual-stack if necessary.
    destination_port_range     = "22" 
    priority                   = var.source_address_prefix ? (100 - parseInt(var.source_address_prefix)) : null
    source_address_prefix      = var.sources[count.index] // Here `var` refers to the newly introduced variable, replace with actual configuration detail if needed. 
                                // Note: The use of count and sources requires further context from your Terraform code structure which wasn't provided in this snippet. Ensure that these concepts fit into your current implementation or remove them as necessary for clarity here on SO format.    
    destination_address_prefix = "*" 
                                // This may require refinement if specific filtering of source addresses is required beyond just single IPs, not shown in detail above...  
        
      # Ensure that the count or conditional logic align with your use case and existing code structure. Refer to Terraform documentation for accurate implementation based on usage context.   
  }

By leveraging these dynamic configurations within variables block of Terraform, SSH access will be allowed only from IPs explicitly defined by a variable at provision time or derived dynamically if your setup accommodates count loops with sources (not demonstrated here due to initial question’s brevity). Ensure appropriate handling for various networking scenarios such as dual-stack and potential multiple source restrictions.

Executing Terraform Apply:

Set the source_address_prefix environment variable based on your actual IP address, then proceed with applying changes using:

export TF_VAR_source_address_prefix=192.168.1.1  # Update this to reflect current local machine's publicly accessible IP for SSH connections only
terraform apply --auto-approve

Here, apply will modify your Azure resources as defined in the configuration without manual intervention during provisioning time—effectively locking down access strictly according to these rules.

Post execution: Confirm that unwanted login attempts have been mitigated by monitoring SSH logs with commands such as lastb. If further refinements are needed, additional configurations or scripts can be considered accordingly within Terraform’s extensive capabilities and the Azure platform’n security model to ensure your infrastructure remains secure.

Further Steps:

Keep in mind that this setup may need adjustments based on dynamic IP changes (e.g., DHCP) for local networks or if dealing with public-facing services where fixed addresses are not applicable; consult Azure’s documentation and Terraform best practices as needed to tailor the solution properly within your specific environment context while maintaining security integrity across provisioned resources in a scalable manner that aligns with both platforms.

Previous Post
appears that you encountered an issue related to
Next Post
Understanding Penalties for Canceling a Google Clo