This post will show how to configure Azure Just-In-Time (JIT) administration using Terraform and the AzAPI provider.
Azure Just-In-Time (JIT) is a security feature offered by Microsoft Azure that allows administrators to restrict access to virtual machines (VMs) only when it is needed. This feature is particularly useful for reducing the attack surface of a VM and limiting the amount of time that an attacker has to compromise the system.
JIT access can be configured on a per-VM basis and can be set to automatically expire after a specified period of time. This means that even if an attacker gains access to a VM, they will only have a limited amount of time to carry out an attack before the access is revoked.
The code below uses the AzAPI provider. for more information, read this blog post.
Configuration
The code block below contains the Terraform provider configuration for AzureRM and for AzAPI/
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.33.0"
}
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
}
provider "azurerm" {
features {
{}
}
}
The code block below configures Azure JIT on an Azure Linux Virtual Machine.
Note: Make sure you set the location of the parent_id
to the location of the VM.
resource "azapi_resource" "jit" {
type = "Microsoft.Security/locations/jitNetworkAccessPolicies@2020-01-01"
name = "myPolicy"
parent_id = "${azurerm_resource_group.rg.id}/providers/Microsoft.Security/locations/eastus"
body = jsonencode({
properties = {
virtualMachines = [
{
id = azurerm_linux_virtual_machine.vm.id
ports = [
{
maxRequestAccessDuration = "PT3H"
number = 22
protocol = "*"
allowedSourceAddressPrefix = "*"
},
{
maxRequestAccessDuration = "PT3H"
number = 3389
protocol = "*"
allowedSourceAddressPrefix = "*"
}
]
}
]
}
kind = "Basic"
})
}