From a222fc74a5cfe71948fe998e1bbad78a92a3e6ae Mon Sep 17 00:00:00 2001
From: reneenoble
Date: Thu, 2 May 2024 18:07:25 +1000
Subject: [PATCH 1/4] Key vault IP address access restriction.

---
 .../infra/core/security/keyvault.bicep | 14 ++++++++++++++
 .../infra/main.bicep | 7 +++++++
 2 files changed, 21 insertions(+)

diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
index 663ec00..6cfcf03 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
@@ -5,6 +5,19 @@ param tags object = {}
 param principalId string = ''
+// Allow public network access to Key Vault
+param allowPublicNetworkAccess bool = true
+
+// Allow all Azure services to bypass Key Vault network rules
+param allowAzureServicesAccess bool = true
+
+param networkAcls object = {
+ bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
+ defaultAction: allowPublicNetworkAccess ? 'Allow' : 'Deny'
+ ipRules: []
+ virtualNetworkRules: []
+}
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: name
 location: location
@@ -12,6 +25,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 properties: {
 tenantId: subscription().tenantId
 sku: { family: 'A', name: 'standard' }
+ networkAcls: networkAcls
 accessPolicies: !empty(principalId) ? [
 {
 objectId: principalId
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
index b8bfe82..8135d83 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
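Review bot: `networkAcls` is declared as an untyped `object` param with `ipRules: []` hard-coded, so despite the commit title no IP allow-list can be supplied, and a caller who wants one has to replace the whole object — losing the `bypass`/`defaultAction` derivation from the two booleans and getting no validation of the shape (the `object` type accepts anything, which is what lets the `defaultAction: false` override in this patch's main.bicep hunk compile). I'd make `networkAcls` a `var` so the booleans stay the only way to change the default action and bypass, and expose the allow-lists as typed `array` params with their entry shape documented. The `resource keyVault` body at the end of the hunk continues outside it.
```bicep
// … unchanged: allowPublicNetworkAccess / allowAzureServicesAccess params …

// Firewall allow-list entries, each `{ value: '<ip-or-cidr>' }`; only consulted when the default action is Deny
param ipRules array = []

// Subnet resource IDs allowed through the firewall, each `{ id: '<subnet-resource-id>' }`
param virtualNetworkRules array = []

// Derived rather than a param: the posture is changed through the booleans and lists above, never by replacing the object
var networkAcls = {
  bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
  defaultAction: allowPublicNetworkAccess ? 'Allow' : 'Deny'
  ipRules: ipRules
  virtualNetworkRules: virtualNetworkRules
}
// … unchanged: resource keyVault …
```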
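Review bot: `networkAcls: networkAcls` configures the firewall but leaves the vault's separate `publicNetworkAccess` property at its default, so `allowPublicNetworkAccess = false` only switches the firewall default action to Deny rather than disabling public access as the name suggests; if that is the intent, set both from the same flag, `publicNetworkAccess: allowPublicNetworkAccess ? 'Enabled' : 'Disabled'`. With the default object from the first hunk (Deny, empty `ipRules`, bypass AzureServices) the vault is reachable only by Key Vault's trusted Azure services, which is worth stating in a comment next to this line so the next reader does not expect `principalId`'s access policy to work from a workstation. The `properties` block continues outside the hunk.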
@@ -32,6 +32,9 @@ var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var prefix = '${name}-${resourceToken}'
 var tags = { 'azd-env-name': name }
+var allowAzureServicesAccess = true
+var defaultAction = false
+
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 name: '${name}-rg'
 location: location
@@ -47,6 +50,10 @@ module keyVault './core/security/keyvault.bicep' = {
 location: location
 tags: tags
 principalId: principalId
+ networkAcls: {
+ allowAzureServicesAccess: allowAzureServicesAccess
+ defaultAction: defaultAction
+ }
 }
 }

From 2ce6e6e98c9aee327a46a38759af75e6301450c6 Mon Sep 17 00:00:00 2001
From: reneenoble
Date: Fri, 3 May 2024 11:20:18 +1000
Subject: [PATCH 2/4] Overide allowPublicNetworkAccess as false in main.bicep

---
 {{cookiecutter.__src_folder_name}}/infra/main.bicep | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
index 8135d83..c1dedcc 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
@@ -35,6 +35,7 @@ var tags = { 'azd-env-name': name }
 var allowAzureServicesAccess = true
 var defaultAction = false
+
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 name: '${name}-rg'
 location: location
@@ -50,6 +51,7 @@ module keyVault './core/security/keyvault.bicep' = {
 location: location
 tags: tags
 principalId: principalId
+ allowPublicNetworkAccess: false
 networkAcls: {
 allowAzureServicesAccess: allowAzureServicesAccess
 defaultAction: defaultAction

From 7c0d58a173f2ac501d3b48a2b3aec015f12972ba Mon Sep 17 00:00:00 2001
From: reneenoble
Date: Fri, 3 May 2024 12:14:08 +1000
Subject: [PATCH 3/4] Remove networkAcls params

---
 {{cookiecutter.__src_folder_name}}/infra/main.bicep | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
index c1dedcc..75e3718 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
@@ -52,10 +52,6 @@ module keyVault './core/security/keyvault.bicep' = {
 tags: tags
 principalId: principalId
 allowPublicNetworkAccess: false
- networkAcls: {
- allowAzureServicesAccess: allowAzureServicesAccess
- defaultAction: defaultAction
- }
 }
 }

From 463c512ba417af1dc47201908246ec709d53f361 Mon Sep 17 00:00:00 2001
From: reneenoble
Date: Mon, 6 May 2024 09:55:14 +1000
Subject: [PATCH 4/4] Secure by default, remove unused varaibles

---
 .../infra/core/security/keyvault.bicep | 2 +-
 {{cookiecutter.__src_folder_name}}/infra/main.bicep | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
index 6cfcf03..31cc4b0 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
@@ -6,7 +6,7 @@ param tags object = {}
 param principalId string = ''
 // Allow public network access to Key Vault
-param allowPublicNetworkAccess bool = true
+param allowPublicNetworkAccess bool = false
 // Allow all Azure services to bypass Key Vault network rules
 param allowAzureServicesAccess bool = true
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
index 75e3718..b8bfe82 100644
--- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep
+++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep
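Review bot: Flipping the default to `false` changes what every unparameterised caller gets, but the comment above it still reads as a plain toggle; with this module's default `networkAcls` (`defaultAction: 'Deny'`, empty `ipRules`) the only callers left are Key Vault's trusted Azure services, so the `principalId` that receives an access policy cannot use it from outside Azure and any workload that is not a trusted service needs an allow-list entry. I'd extend the comment to `// Allow public network access to Key Vault. When false the firewall denies every caller except trusted Azure services (see allowAzureServicesAccess); anything else needs an entry in networkAcls.ipRules or virtualNetworkRules.` The same patch's second hunk then deletes the explicit `allowPublicNetworkAccess: false` from main.bicep, whose index line `75e3718..b8bfe82` shows it back at its pre-series content, so nothing at the call site records the intended posture and it silently follows any future change of this default, as it did between PATCH 1 and PATCH 4; I'd keep that one line at the call site.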
@@ -32,10 +32,6 @@ var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var prefix = '${name}-${resourceToken}'
 var tags = { 'azd-env-name': name }
-var allowAzureServicesAccess = true
-var defaultAction = false
-
-
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 name: '${name}-rg'
 location: location
@@ -51,7 +47,6 @@ module keyVault './core/security/keyvault.bicep' = {
 location: location
 tags: tags
 principalId: principalId
- allowPublicNetworkAccess: false
 }
 }