How to Configure Azure JIT With Terraform

This post will show how to configure Azure Just-In-Time (JIT) administration using Terraform and the AzAPI provider.

Azure Just-In-Time (JIT) is a security feature offered by Microsoft Azure that allows administrators to restrict access to virtual machines (VMs) only when it is needed. This feature is particularly useful for reducing the attack surface of a VM and limiting the amount of time that an attacker has to compromise the system.

JIT access can be configured on a per-VM basis and can be set to automatically expire after a specified period of time. This means that even if an attacker gains access to a VM, they will only have a limited amount of time to carry out an attack before the access is revoked.

The code below uses the AzAPI provider. for more information, read this blog post.

Configuration

The code block below contains the Terraform provider configuration for AzureRM and for AzAPI/

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.33.0"
    }

    azapi = {
      source = "Azure/azapi"
    }
  }

}

provider "azapi" {
}

provider "azurerm" {
 features {
     {}
  }
}

The code block below configures Azure JIT on an Azure Linux Virtual Machine.

Note: Make sure you set the location of the parent_id to the location of the VM.

resource "azapi_resource" "jit" {
  type = "Microsoft.Security/locations/jitNetworkAccessPolicies@2020-01-01"
  name = "myPolicy"
  parent_id = "${azurerm_resource_group.rg.id}/providers/Microsoft.Security/locations/eastus"
  body = jsonencode({
    properties = {
      virtualMachines = [
        {
          id = azurerm_linux_virtual_machine.vm.id
          ports = [
            {
              maxRequestAccessDuration   = "PT3H"
              number                     = 22
              protocol                   = "*"
              allowedSourceAddressPrefix = "*"
            },
             {
              maxRequestAccessDuration   = "PT3H"
              number                     = 3389
              protocol                   = "*"
              allowedSourceAddressPrefix = "*"
            
            }
          ]
        }
      ]
    }
    kind = "Basic"
  })
}

Processing…
Success! You're on the list.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.