Update to private endpoints between app service and keyvault. configure private DNS zones for keyvault.

tonybaloney · tonybaloney · commit c94c948fdc32 · 2024-07-11T17:36:34.000+10:00
diff --git a/{{cookiecutter.__src_folder_name}}/infra/aca.bicep b/{{cookiecutter.__src_folder_name}}/infra/aca.bicep
@@ -15,6 +15,7 @@ param keyVaultName string
 param dbserverDomainName string
 param dbserverDatabaseName string
 param dbserverUser string
+param virtualNetworkSubnetId string = ''
 
 @secure()
 param dbserverPassword string
diff --git a/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep b/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep
@@ -11,6 +11,7 @@ param dbserverDomainName string
 param dbserverUser string
 param dbserverDatabaseName string
 {% endif %}
+param virtualNetworkSubnetId string = ''
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = {
   name: applicationInsightsName
diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/host/appservice.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/host/appservice.bicep
@@ -8,6 +8,7 @@ param applicationInsightsName string = ''
 param appServicePlanId string
 param keyVaultName string = ''
 param managedIdentity bool = !empty(keyVaultName)
+param virtualNetworkSubnetId string = ''
 
 // Runtime Properties
 @allowed([
@@ -65,6 +66,7 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
     }
     clientAffinityEnabled: clientAffinityEnabled
     httpsOnly: true
+    virtualNetworkSubnetId: virtualNetworkSubnetId
   }
 
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
@@ -53,6 +53,54 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   tags: tags
 }
 
+module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = {
+  name: 'virtualNetworkDeployment'
+  scope: resourceGroup
+  params: {
+    // Required parameters
+    addressPrefixes: [
+      '10.0.0.0/16'
+    ]
+    name: '${name}-vnet'
+    location: location
+    tags: tags
+    subnets: [
+      {
+        addressPrefix: '10.0.0.0/24'
+        name: 'keyvault'
+        tags: tags
+      }
+      {
+        addressPrefix: '10.0.1.0/24'
+        name: 'web'
+        tags: tags
+        delegations: [
+          {
+            name: 'msft-web-serverfarm-delegation'
+            properties: {
+              serviceName: 'Microsoft.Web/serverFarms'
+            }
+          }
+        ]
+        serviceEndpoints: [
+          { 
+            service: 'Microsoft.KeyVault'
+          }
+        ]
+      }
+    ]
+  }
+}
+
+module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = {
+  name: 'privateDnsZoneDeployment'
+  scope: resourceGroup
+  params: {
+    name: 'relecloud.net'
+    tags: tags
+  }
+}
+
 // Store secrets in a keyvault
 module keyVault 'br/public:avm/res/key-vault/vault:0.6.2' = {
   name: 'keyvault'
@@ -66,10 +114,29 @@ module keyVault 'br/public:avm/res/key-vault/vault:0.6.2' = {
     accessPolicies: [
       {
         objectId: principalId
-        permissions: { secrets: [ 'get', 'list' ] }
+        permissions: { secrets: ['get', 'list'] }
         tenantId: subscription().tenantId
       }
     ]
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Deny'
+      // ipRules: [
+      //   { value: '<your IP>' }
+      // ]
+      virtualNetworkRules: [
+        {
+          id: virtualNetwork.outputs.subnetResourceIds[1]
+        }
+      ]
+    }
+    privateEndpoints: [
+      {
+        name: '${name}-keyvault-pe'
+        subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0]
+        privateDnsZoneResourceIds: [privateDnsZone.outputs.resourceId]
+      }
+    ]
     diagnosticSettings: [
       {
         logCategoriesAndGroups: [
@@ -81,16 +148,17 @@ module keyVault 'br/public:avm/res/key-vault/vault:0.6.2' = {
         workspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceId
       }
     ]
-    secrets: [for secret in secrets: {
+    secrets: [
+      for secret in secrets: {
         name: secret.name
         value: secret.value
         tags: tags
-        attributes : {
+        attributes: {
           exp: 0
           nbf: 0
         }
-    }]
-    
+      }
+    ]
   }
 }
 
@@ -191,6 +259,7 @@ module web 'web.bicep' = {
     {% if cookiecutter.db_resource == "postgres-addon" %}
     postgresServiceId: db.outputs.dbserverID
     {% endif %}
+    virtualNetworkSubnetId: virtualNetwork.outputs.subnetResourceIds[1]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ param applicationInsightsName string = ''`
`8`	`8`	`param appServicePlanId string`
`9`	`9`	`param keyVaultName string = ''`
`10`	`10`	`param managedIdentity bool = !empty(keyVaultName)`
	`11`	`+param virtualNetworkSubnetId string = ''`
`11`	`12`
`12`	`13`	`// Runtime Properties`
`13`	`14`	`@allowed([`
`@@ -65,6 +66,7 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {`
`65`	`66`	`}`
`66`	`67`	`clientAffinityEnabled: clientAffinityEnabled`
`67`	`68`	`httpsOnly: true`
	`69`	`+ virtualNetworkSubnetId: virtualNetworkSubnetId`
`68`	`70`	`}`
`69`	`71`
`70`	`72`	`identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }`