From d5e4c35dcc3aa5a484f206d698ec8063401d8223 Mon Sep 17 00:00:00 2001
From: Andrew Martin
Date: Tue, 24 May 2022 14:33:46 -0400
Subject: [PATCH 1/3] add minimum TLS, HTTPS only, and remove public network access on storage

---
 deploy/bicep/modules/sqlserver.bicep | 1 +
 deploy/bicep/modules/storage.bicep | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/deploy/bicep/modules/sqlserver.bicep b/deploy/bicep/modules/sqlserver.bicep
index 5d765c2..cf0b516 100644
--- a/deploy/bicep/modules/sqlserver.bicep
+++ b/deploy/bicep/modules/sqlserver.bicep
@@ -10,6 +10,7 @@ resource sqlserver 'Microsoft.Sql/servers@2021-05-01-preview' = {
 properties: {
 administratorLogin: sqlAdminLogin
 administratorLoginPassword: sqlAdminLoginPassword
+ minimalTlsVersion: '1.2'
 }
 }
 
diff --git a/deploy/bicep/modules/storage.bicep b/deploy/bicep/modules/storage.bicep
index b0ebc97..742bcab 100644
--- a/deploy/bicep/modules/storage.bicep
+++ b/deploy/bicep/modules/storage.bicep
@@ -9,6 +9,12 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
 sku: {
 name: 'Standard_LRS'
 }
+ properties: {
+ minimumTlsVersion: 'TLS1_2'
+ publicNetworkAccess: 'Disabled'
+ allowBlobPublicAccess: false
+ supportsHttpsTrafficOnly: true
+ }
 }
 
 resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = {
From e0e689851c5c51dbb153069f693cbf3698021c80 Mon Sep 17 00:00:00 2001
From: Andrew Martin
Date: Wed, 25 May 2022 12:09:57 -0400
Subject: [PATCH 2/3] add vnet integration

---
 deploy/bicep/main.bicep | 21 ++++++++++++++
 deploy/bicep/modules/capps-env.bicep | 12 +++++++-
 deploy/bicep/modules/storage.bicep | 41 +++++++++++++++++++++++++++-
 deploy/bicep/modules/vnet.bicep | 29 ++++++++++++++++++++
 4 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100644 deploy/bicep/modules/vnet.bicep

diff --git a/deploy/bicep/main.bicep b/deploy/bicep/main.bicep
index c32e2e8..2808121 100644
--- a/deploy/bicep/main.bicep
+++ b/deploy/bicep/main.bicep
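Review bot: The SQL server only gains `minimalTlsVersion: '1.2'` here, while the storage hunk in the same patch also closes the public endpoint; the `properties` block shown for Microsoft.Sql/servers carries no `publicNetworkAccess` setting, so the server remains reachable from whatever its firewall rules allow. If the deployment does not need the public endpoint, add `publicNetworkAccess: 'Disabled'` beside the new line (the property is available on this API version) and reach the server through a private endpoint; if the public endpoint is intentional, a one-line comment recording that decision would help the next reader. The `administratorLoginPassword` context line is fed from main.bicep's `param sqlAdminLoginPassword string = take(newGuid(), 16)` (visible in the patch 2 hunk, with no `@secure()` decorator on the preceding line), which is worth a follow-up outside this hunk. The sqlserver resource starts before the hunk.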
@@ -15,14 +15,30 @@ param sqlServerName string = 'sql-${uniqueSuffix}'
 param sqlDatabaseName string = 'reddog'
 param sqlAdminLogin string = 'reddog'
 param sqlAdminLoginPassword string = take(newGuid(), 16)
+param virtualNetworkName string = 'containerapps-${uniqueString(uniqueSeed)}'
+param subnetName string = 'containerapps-${uniqueString(uniqueSeed)}'
+
+module vnetModule 'modules/vnet.bicep' = {
+ name: '${deployment().name}--containerAppsVnet'
+ params: {
+ location: location
+ virtualNetworkName: virtualNetworkName
+ subnetName: subnetName
+ }
+}
 
 module containerAppsEnvModule 'modules/capps-env.bicep' = {
 name: '${deployment().name}--containerAppsEnv'
+ dependsOn: [
+ vnetModule
+ ]
 params: {
 location: location
 containerAppsEnvName: containerAppsEnvName
 logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
 appInsightsName: appInsightsName
+ virtualNetworkName: virtualNetworkName
+ subnetName: subnetName
 }
 }
 
@@ -54,10 +70,15 @@ module cosmosModule 'modules/cosmos.bicep' = {
 
 module storageModule 'modules/storage.bicep' = {
 name: '${deployment().name}--storage'
+ dependsOn: [
+ vnetModule
+ ]
 params: {
 storageAccountName: storageAccountName
 blobContainerName: blobContainerName
 location: location
+ virtualNetworkName: virtualNetworkName
+ subnetName: subnetName
 }
 }
 
diff --git a/deploy/bicep/modules/capps-env.bicep b/deploy/bicep/modules/capps-env.bicep
index fe1e10c..510c2c9 100644
--- a/deploy/bicep/modules/capps-env.bicep
+++ b/deploy/bicep/modules/capps-env.bicep
@@ -2,6 +2,12 @@ param containerAppsEnvName string
 param logAnalyticsWorkspaceName string
 param appInsightsName string
 param location string
+param virtualNetworkName string
+param subnetName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' existing = {
+ name: virtualNetworkName
+}
 
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = {
 name: logAnalyticsWorkspaceName
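Review bot: Both new module references (this hunk and the storageModule hunk below it) hand the VNet over by name and add an explicit `dependsOn: [ vnetModule ]`, even though `modules/vnet.bicep` already exports `subnet1ResourceId`; each consuming module then re-declares the VNet as `existing` and string-builds the subnet id. Passing `subnetId: vnetModule.outputs.subnet1ResourceId` instead gives Bicep an implicit dependency, removes both `dependsOn` blocks and keeps one source of truth for the id. The two new defaults also use `uniqueString(uniqueSeed)` where the neighbouring `sqlServerName` default uses `uniqueSuffix`; if `uniqueSuffix` is already derived from `uniqueSeed`, reuse it, and give the VNet and the subnet distinct default names rather than both `containerapps-<hash>`.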
@@ -21,7 +27,7 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02-preview' = {
 name: appInsightsName
 location: location
 kind: 'web'
- properties: {
+ properties: {
 Application_Type: 'web'
 }
 }
@@ -38,6 +44,10 @@ resource containerAppsEnv 'Microsoft.App/managedEnvironments@2022-01-01-preview'
 sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
 }
 }
+ vnetConfiguration: {
+ infrastructureSubnetId: '${virtualNetwork.id}/subnets/${subnetName}'
+ internal: false
+ }
 }
 }
 
diff --git a/deploy/bicep/modules/storage.bicep b/deploy/bicep/modules/storage.bicep
index 742bcab..d1d1e9f 100644
--- a/deploy/bicep/modules/storage.bicep
+++ b/deploy/bicep/modules/storage.bicep
@@ -1,6 +1,12 @@
 param storageAccountName string
 param blobContainerName string
 param location string
+param virtualNetworkName string
+param subnetName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' existing = {
+ name: virtualNetworkName
+}
 
 resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
 name: storageAccountName
@@ -11,9 +17,42 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
 }
 properties: {
 minimumTlsVersion: 'TLS1_2'
- publicNetworkAccess: 'Disabled'
+ publicNetworkAccess: 'Enabled'
 allowBlobPublicAccess: false
 supportsHttpsTrafficOnly: true
+ networkAcls: {
+ bypass: 'AzureServices'
+ defaultAction: 'Deny'
+ ipRules: []
+ resourceAccessRules: []
+ virtualNetworkRules: []
+ }
+ }
+}
+
+resource storagePrivateEndpointBlob 'Microsoft.Network/privateEndpoints@2020-06-01' = {
+ name: 'test'
+ location: location
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: 'test'
+ properties: {
+ groupIds: [
+ 'blob'
+ ]
+ privateLinkServiceId: storageAccount.id
+ privateLinkServiceConnectionState: {
+ status: 'Approved'
+ description: 'Auto-Approved'
+ actionsRequired: 'None'
+ }
+ }
+ }
+ ]
+ subnet: {
+ id: '${virtualNetwork.id}/subnets/${subnetName}'
+ }
 }
 }
 
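Review bot: `internal: false` in the new `vnetConfiguration` block keeps a public ingress endpoint for the environment, so the VNet integration added here places the apps' outbound traffic in the subnet but does not stop them being reachable from the internet; the hunk does not say whether that is intended. A comment such as `// internal: false = public ingress; set true (plus a private DNS zone for the environment default domain) to keep apps VNet-only` would record the decision. `infrastructureSubnetId` could also take the subnet id straight from the vnet module output instead of being assembled from `virtualNetwork.id` and `subnetName`. The containerAppsEnv resource starts before this hunk.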
diff --git a/deploy/bicep/modules/vnet.bicep b/deploy/bicep/modules/vnet.bicep
new file mode 100644
index 0000000..b32c1a2
--- /dev/null
+++ b/deploy/bicep/modules/vnet.bicep
@@ -0,0 +1,29 @@
+param virtualNetworkName string
+param subnetName string
+param location string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/16'
+ ]
+ }
+ subnets: [
+ {
+ name: subnetName
+ properties: {
+ addressPrefix: '10.0.0.0/23'
+ }
+ }
+ ]
+ }
+
+ resource subnet1 'subnets' existing = {
+ name: subnetName
+ }
+}
+
+output subnet1ResourceId string = virtualNetwork::subnet1.id
From 5b823532aadddfead14d7aa2938abf1cde9c212e Mon Sep 17 00:00:00 2001
From: Andrew Martin
Date: Wed, 25 May 2022 15:04:36 -0400
Subject: [PATCH 3/3] fix vnet integration

---
 deploy/bicep/modules/storage.bicep | 31 +++++------------------------
 deploy/bicep/modules/vnet.bicep | 5 +++++
 2 files changed, 10 insertions(+), 26 deletions(-)

diff --git a/deploy/bicep/modules/storage.bicep b/deploy/bicep/modules/storage.bicep
index d1d1e9f..f1b5a8c 100644
--- a/deploy/bicep/modules/storage.bicep
+++ b/deploy/bicep/modules/storage.bicep
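Review bot: The address space `'10.0.0.0/16'` and the subnet prefix `'10.0.0.0/23'` are hard-coded in the new module, so it cannot be deployed into an environment whose addressing overlaps (peering, VPN) without editing the file; promote them to `param vnetAddressPrefix string = '10.0.0.0/16'` and `param subnetAddressPrefix string = '10.0.0.0/23'` and reference those in `addressPrefixes` and `addressPrefix`. The subnet is also created with no `networkSecurityGroup`, so nothing in this template constrains traffic into or out of the container-apps infrastructure subnet beyond what the platform applies; if that is deliberate for this sample, say so in a comment, otherwise attach an NSG with a default-deny inbound rule. The `subnet1ResourceId` output is the right hook for consumers, but nothing in main.bicep reads it yet.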
@@ -25,33 +25,12 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
 defaultAction: 'Deny'
 ipRules: []
 resourceAccessRules: []
- virtualNetworkRules: []
- }
- }
-}
-
-resource storagePrivateEndpointBlob 'Microsoft.Network/privateEndpoints@2020-06-01' = {
- name: 'test'
- location: location
- properties: {
- privateLinkServiceConnections: [
- {
- name: 'test'
- properties: {
- groupIds: [
- 'blob'
- ]
- privateLinkServiceId: storageAccount.id
- privateLinkServiceConnectionState: {
- status: 'Approved'
- description: 'Auto-Approved'
- actionsRequired: 'None'
- }
+ virtualNetworkRules: [
+ {
+ action: 'Allow'
+ id: '${virtualNetwork.id}/subnets/${subnetName}'
 }
- }
- ]
- subnet: {
- id: '${virtualNetwork.id}/subnets/${subnetName}'
+ ]
 }
 }
 }
diff --git a/deploy/bicep/modules/vnet.bicep b/deploy/bicep/modules/vnet.bicep
index b32c1a2..231ae22 100644
--- a/deploy/bicep/modules/vnet.bicep
+++ b/deploy/bicep/modules/vnet.bicep
@@ -16,6 +16,11 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-08-01' = {
 name: subnetName
 properties: {
 addressPrefix: '10.0.0.0/23'
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.Storage'
+ }
+ ]
 }
 }
 ]
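Review bot: With `defaultAction: 'Deny'`, `ipRules: []` and the single `virtualNetworkRules` entry added here, the only data-plane path into the account is the container-apps subnet via its service endpoint, while `bypass: 'AzureServices'` in the context above still admits trusted Microsoft services; any step that writes to the blob container from a build agent or a developer machine will now be refused unless its address is listed, which deserves a comment. The reason `publicNetworkAccess` stays `'Enabled'` (set in patch 2, outside this hunk) is that service endpoints reach the account's public endpoint, so a note such as `// service endpoints use the public endpoint; access is limited by networkAcls (defaultAction Deny + VNet rule), not by publicNetworkAccess` would stop a later reader from switching it back to Disabled and breaking the apps. The rule also requires the service endpoint to exist on the subnet first, an ordering that only the explicit `dependsOn` in main.bicep guarantees today; passing the subnet id as a module output would make it implicit. The storageAccount resource starts before this hunk.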
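Review bot: The `Microsoft.Storage` service endpoint added to the subnet is account-agnostic: once enabled, workloads in the subnet can reach storage accounts in the region through it, so the VNet rule on the storage side limits who can reach this account but nothing here limits where the subnet can send data. If egress control matters for this deployment, pair the endpoint with a service endpoint policy (`Microsoft.Network/serviceEndpointPolicies`) scoped to this account or an NSG outbound rule, and add a short comment on the new block noting that the `virtualNetworkRules` entry in storage.bicep requires this endpoint to exist first. The subnet definition and the enclosing virtualNetwork resource start before this hunk.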