Security changes (#229)

* Enabled Network ACLs * Reworked sequencing of resources.
Azure · Nov 6, 2024 · 6c64254 · 6c64254
1 parent 80ec467
commit 6c64254
Show file tree

Hide file tree

Showing 79 changed files with 22,968 additions and 2,339 deletions.
diff --git a/bicep/main.bicep b/bicep/main.bicep
diff --git a/bicep/modules/app_assignments.bicep b/bicep/modules/app_assignments.bicep
@@ -1,4 +1,11 @@
-// param operatorIdentityName string
+// Role Assignments Created:
+// 1. Key Vault Secrets User (4633458b-17de-408a-b874-0445c86b69e6) on Key Vault
+// 2. Storage File Data SMB Share Reader (aba4ae5f-2193-4029-9191-0cb91df5e314) on Storage Account  
+// 3. Storage Blob Data Contributor (ba92f5b4-2d11-453d-a403-e96b0029c9fe) on Storage Account
+// 4. Storage Table Data Contributor (0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3) on Storage Account
+// 5. Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c) on Cosmos DB
+
+@description('The principal ID of the identity to assign the roles to')
 param identityprincipalId string
 
 @description('The name of the Azure Key Vault')
@@ -10,6 +17,9 @@ param storageName string = ''
 @description('The name of the Azure Comos DB Account')
 param databaseName string = ''
 
+/////////////////////////////////
+// Existing Resources
+/////////////////////////////////
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: kvName
@@ -23,6 +33,7 @@ resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' exis
   name: databaseName
 }
 
+
 var keyVaultSecretsUser = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
 resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (kvName != '') {
   scope: keyVault
@@ -46,6 +57,7 @@ resource storageRoleShare 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+
 var storageBlobContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
 resource storageRoleBlob 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (storageName != '') {
   scope: storageAccount
@@ -57,6 +69,7 @@ resource storageRoleBlob 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+
 var storageTableContributor = resourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
 resource storageRoleTable 'Microsoft.Authorization/roleAssignments@2022-04-01' =  if (storageName != '') {
   scope: storageAccount
@@ -68,6 +81,7 @@ resource storageRoleTable 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+
 var databaseContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 resource databaseRole 'Microsoft.Authorization/roleAssignments@2022-04-01' =  if (databaseName != '') {
   scope: databaseAccount