Adding App Services to an Azure Key Vault Firewall
#!/usr/bin/env bash
# Stop on the first failing az command or unset variable
set -euo pipefail
# --------------------------------------------------
# Configuration
# --------------------------------------------------
# names of the app service or function app
app_grp=myAppResourceGroup
app_name=MyAppServiceOrFunctionApp
# key vault details
vault_grp=MyKeyVaultResourceGroup
vault_name=MyKeyVault
# --------------------------------------------------
# adding each possible outgoing ip address of the app
# service to the key vault network rules
# --------------------------------------------------
# get the full list of outbound IP addresses from the web app
# (possibleOutboundIpAddresses covers every address the app may use as it
# scales or changes tier, not only the ones in use right now; in multi-tenant
# App Service these addresses are shared with other apps on the same scale
# unit, so the firewall narrows exposure but is not a substitute for tight
# access policies / RBAC on the vault)
ip_addresses=$(az webapp show --resource-group "$app_grp" --name "$app_name" --query possibleOutboundIpAddresses --output tsv)
echo "Outbound IP addresses: $ip_addresses"
# add each inbound ip address to the key vault network rules
# (the value is comma separated; replace the commas with spaces to loop over it)
for ip in ${ip_addresses//,/ }
do
    az keyvault network-rule add --name "$vault_name" --resource-group "$vault_grp" --ip-address "$ip" --no-wait
    echo "adding allowed inbound ip address: $ip"
done
# wait until the rules have been applied before checking them
az keyvault network-rule wait --name "$vault_name" --resource-group "$vault_grp" --updated
echo "Finished adding inbound ip addresses"
# view the list of ipRules
az keyvault show --name "$vault_name" --resource-group "$vault_grp" --query "properties.networkAcls.ipRules[].value" --output tsv
# --------------------------------------------------
# set the default action to Deny
# --------------------------------------------------
# view the current default network action (rules have no effect while it is Allow)
az keyvault show --name "$vault_name" --resource-group "$vault_grp" --query "properties.networkAcls.defaultAction" --output tsv
# set the default action to Deny
az keyvault update --name "$vault_name" --resource-group "$vault_grp" --default-action Deny
# check that the default action was set to Deny
az keyvault show --name "$vault_name" --resource-group "$vault_grp" --query "properties.networkAcls.defaultAction" --output tsv
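Added example, not part of the gist: a small audit that checks the end state the script is meant to produce, namely that every possible outbound IP of the app is covered by some Key Vault ipRule and that defaultAction is Deny. It takes the two strings the script already queries (the comma-separated output of `az webapp show --query possibleOutboundIpAddresses --output tsv` and the JSON of `az keyvault show --query properties.networkAcls --output json`). It compares by network membership rather than string equality, because the vault may report single addresses in `/32` form or cover them with a broader CIDR rule. The embedded sample inputs are constructed for the example.

```python
"""Audit: are all possible outbound IPs of an App Service allowed by the Key Vault firewall?"""
import ipaddress
import json

# Constructed sample of: az webapp show ... --query possibleOutboundIpAddresses --output tsv
SAMPLE_OUTBOUND_IPS = "203.0.113.10,203.0.113.11,198.51.100.7,198.51.100.8"

# Constructed sample of: az keyvault show ... --query properties.networkAcls --output json
# (single addresses shown in /32 form, one range covered by a wider rule)
SAMPLE_NETWORK_ACLS = json.dumps({
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
        {"value": "203.0.113.10/32"},
        {"value": "203.0.113.11/32"},
        {"value": "198.51.100.0/28"},
    ],
    "virtualNetworkRules": [],
})


def parse_outbound_ips(tsv):
    """Split the comma-separated TSV value into ip_address objects (blanks ignored)."""
    return [ipaddress.ip_address(p.strip()) for p in tsv.split(",") if p.strip()]


def parse_ip_rules(acls_json):
    """Return (defaultAction, [ip_network, ...]) from the networkAcls JSON."""
    acls = json.loads(acls_json)
    nets = [ipaddress.ip_network(rule["value"], strict=False) for rule in acls.get("ipRules", [])]
    return acls.get("defaultAction"), nets


def uncovered_ips(outbound, nets):
    """Outbound addresses not contained in any ipRule network."""
    return [str(ip) for ip in outbound if not any(ip in net for net in nets)]


def audit(outbound_tsv, acls_json):
    """Summarise the firewall state; ok only when nothing is missing and the default is Deny."""
    outbound = parse_outbound_ips(outbound_tsv)
    default_action, nets = parse_ip_rules(acls_json)
    missing = uncovered_ips(outbound, nets)
    return {
        "default_action": default_action,
        "missing": missing,
        "ok": default_action == "Deny" and not missing,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OUTBOUND_IPS, SAMPLE_NETWORK_ACLS)
    print(json.dumps(report, indent=2))
```

To run it against a real vault, replace the two sample strings with the output of the two `az` queries named above; a non-empty `missing` list means the app may lose access to the vault the next time it fails over to one of its other possible outbound addresses.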