From a6a0cd30612dcc76e6edfdba299e35ad49754aa4 Mon Sep 17 00:00:00 2001
From: Patrick Hallisey
Date: Tue, 9 Jul 2024 16:23:38 -0700
Subject: [PATCH] Add vnet and environment setting to Pipeline Witness bicep (#8584)
---
 .../appsettings.test.json | 7 ++
 .../bicep/appResourceGroup.bicep | 97 +++++++++++++++++--
 .../infrastructure/bicep/appSettings.bicep | 13 +++
 .../bicep/logsResourceGroup.bicep | 19 +++-
 .../bicep/parameters.production.json | 15 +++
 .../bicep/parameters.staging.json | 15 +++
 .../infrastructure/bicep/parameters.test.json | 15 +++
 .../infrastructure/bicep/resourceGroups.bicep | 11 +++
 8 files changed, 179 insertions(+), 13 deletions(-)
 create mode 100644 tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.test.json
 create mode 100644 tools/pipeline-witness/infrastructure/bicep/appSettings.bicep
diff --git a/tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.test.json b/tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.test.json
new file mode 100644
index 00000000000..428f706905c
--- /dev/null
+++ b/tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.test.json
@@ -0,0 +1,7 @@
+{
+ "PipelineWitness": {
+ "QueueStorageAccountUri": "https://pipelinewitnesstest.queue.core.windows.net",
+ "BlobStorageAccountUri": "https://pipelinelogstest.blob.core.windows.net",
+ "CosmosAccountUri": "https://pipelinewitnesstest.documents.azure.com"
+ }
+}
diff --git a/tools/pipeline-witness/infrastructure/bicep/appResourceGroup.bicep b/tools/pipeline-witness/infrastructure/bicep/appResourceGroup.bicep
index 686fa33e48b..1ad73a302ac 100644
--- a/tools/pipeline-witness/infrastructure/bicep/appResourceGroup.bicep
+++ b/tools/pipeline-witness/infrastructure/bicep/appResourceGroup.bicep
@@ -1,11 +1,75 @@
 param webAppName string
+param networkSecurityGroupName string
+param vnetName string
 param appServicePlanName string
 param appStorageAccountName string
+param aspEnvironment string
 param cosmosAccountName string
 param location string
+param vnetPrefix string
+param subnetPrefix string
 
 var cosmosContributorRoleId = '00000000-0000-0000-0000-000000000002' // Built-in Contributor role
 
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+ name: networkSecurityGroupName
+ location: 'westus2'
+ properties: {
+ securityRules: []
+ }
+}
+
+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
+ name: vnetName
+ location: 'westus2'
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ vnetPrefix
+ ]
+ }
+ virtualNetworkPeerings: []
+ enableDdosProtection: false
+ }
+}
+
+resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
+ parent: vnet
+ name: 'default'
+ properties: {
+ addressPrefix: subnetPrefix
+ networkSecurityGroup: {
+ id: networkSecurityGroup.id
+ }
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.Storage'
+ locations: [
+ 'westus2'
+ 'westcentralus'
+ ]
+ }
+ {
+ service: 'Microsoft.AzureCosmosDB'
+ locations: [
+ '*'
+ ]
+ }
+ ]
+ delegations: [
+ {
+ name: 'delegation'
+ properties: {
+ serviceName: 'Microsoft.Web/serverfarms'
+ }
+ type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
+ }
+ ]
+ privateEndpointNetworkPolicies: 'Disabled'
+ privateLinkServiceNetworkPolicies: 'Enabled'
+ }
+}
+
 resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
 name: appServicePlanName
 location: location
@@ -28,6 +92,8 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
 linuxFxVersion: 'DOTNETCORE|6.0'
 }
 httpsOnly: true
+ virtualNetworkSubnetId: subnet.id
+ publicNetworkAccess: 'Enabled'
 }
 identity: {
 type: 'SystemAssigned'
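Review bot: The new networkSecurityGroup and vnet resources hard-code `location: 'westus2'` (and the Microsoft.Storage service endpoint hard-codes `'westus2'` / `'westcentralus'`) while the rest of this file takes `location` from the parameter; if the deployment is ever pointed at another region, the app's regional VNet integration via `virtualNetworkSubnetId` would, as far as I know, fail because that integration requires the subnet to be in the app's own region. I would write `location: location` on both resources and review the service endpoint `locations` in the same light so a single parameter drives the region. The NSG is created with `securityRules: []`, so only the platform default rules apply; a comment such as `// Default rules only: subnet is delegated to App Service outbound integration and data stores are reached via service endpoints` would record that this is intentional rather than an omission.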
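Review bot: `publicNetworkAccess: 'Enabled'` on the web app deserves a comment explaining why the site stays internet-reachable now that its storage and Cosmos data planes are restricted to `subnet.id`; without one the next reader will read the explicit `Enabled` as an oversight. If inbound traffic from the public internet is not needed, `publicNetworkAccess: 'Disabled'` or an `ipSecurityRestrictions` allow-list would close the remaining public surface; if it is needed (operator access, for example), say so in a comment such as `// Inbound stays public by design; only outbound to storage/Cosmos is pinned to the vnet`. The webApp resource begins outside this hunk.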
@@ -46,13 +112,12 @@ resource appStorageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
 defaultToOAuthAuthentication: false
 allowCrossTenantReplication: true
 minimumTlsVersion: 'TLS1_2'
- allowBlobPublicAccess: true
- allowSharedKeyAccess: true
+ allowBlobPublicAccess: false
+ allowSharedKeyAccess: false
 networkAcls: {
 bypass: 'AzureServices'
- virtualNetworkRules: []
- ipRules: []
- defaultAction: 'Allow'
+ virtualNetworkRules: [{ id: subnet.id }]
+ defaultAction: 'Deny'
 }
 supportsHttpsTrafficOnly: true
 encryption: {
@@ -120,8 +185,10 @@ resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2024-02-15-preview
 publicNetworkAccess: 'Enabled'
 enableAutomaticFailover: false
 enableMultipleWriteLocations: false
- isVirtualNetworkFilterEnabled: false
- virtualNetworkRules: []
+ isVirtualNetworkFilterEnabled: true
+ virtualNetworkRules: [{
+ id: subnet.id
+ }]
 disableKeyBasedMetadataWriteAccess: false
 enableFreeTier: false
 enableAnalyticalStorage: false
@@ -129,7 +196,7 @@ resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2024-02-15-preview
 databaseAccountOfferType: 'Standard'
 enableMaterializedViews: false
 networkAclBypass: 'None'
- disableLocalAuth: false
+ disableLocalAuth: true
 enablePartitionMerge: false
 enablePerRegionPerPartitionAutoscale: false
 enableBurstCapacity: false
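Review bot: With `allowSharedKeyAccess: false` and `defaultAction: 'Deny'` the account is now reachable only from `subnet.id` and only with Entra credentials, yet the adjacent `defaultToOAuthAuthentication: false` context line is left as is; setting it to `true` would make the portal and tooling default match the only authentication method that still works. Dropping `ipRules: []` together with the `Deny` default also means any out-of-band access — deployment steps that seed containers, operators, local debugging — is blocked unless it comes through the vnet or a trusted service covered by `bypass: 'AzureServices'`; a comment on `defaultAction: 'Deny'` naming who is expected to reach the account would make that explicit and confirm the app itself authenticates with its managed identity. The same change is repeated for logsStorageAccount in logsResourceGroup.bicep, where the same remarks apply.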
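Review bot: Reading `publicNetworkAccess: 'Enabled'` directly above `isVirtualNetworkFilterEnabled: true` looks contradictory, and as far as I recall it is required — Cosmos DB virtual network rules are evaluated on the public endpoint, so switching it to `Disabled` would cut the service-endpoint path entirely. A comment such as `// Public endpoint stays on so the subnet's service endpoint rule can be evaluated; the VNet filter rejects every other source` would prevent a later "hardening" pass from breaking the app. Whether any `ipRules` remain on the account is not visible in this hunk and should be confirmed, since they combine with the VNet filter. The following hunk's `disableLocalAuth: true` completes the identity-only posture; `disableKeyBasedMetadataWriteAccess: false` becomes moot once keys are unusable and could be set to `true` for clarity.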
@@ -275,4 +342,18 @@ resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignm
 }
 }
 
+// Use a module to merge the current app settings with the new ones to prevent overwritting the app insights configured settings
+module appSettings 'appSettings.bicep' = {
+ name: '${webAppName}-appsettings'
+ params: {
+ webAppName: webApp.name
+ // Get the current appsettings
+ currentAppSettings: list(resourceId('Microsoft.Web/sites/config', webApp.name, 'appsettings'), '2022-03-01').properties
+ appSettings: {
+ ASPNETCORE_ENVIRONMENT: aspEnvironment
+ }
+ }
+}
+
 output appIdentityPrincipalId string = webApp.identity.principalId
+output subnetId string = subnet.id
diff --git a/tools/pipeline-witness/infrastructure/bicep/appSettings.bicep b/tools/pipeline-witness/infrastructure/bicep/appSettings.bicep
new file mode 100644
index 00000000000..ed51dd88066
--- /dev/null
+++ b/tools/pipeline-witness/infrastructure/bicep/appSettings.bicep
@@ -0,0 +1,13 @@
+param webAppName string
+param appSettings object
+param currentAppSettings object
+
+resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
+ name: webAppName
+}
+
+resource siteconfig 'Microsoft.Web/sites/config@2022-03-01' = {
+ parent: webApp
+ name: 'appsettings'
+ properties: union(currentAppSettings, appSettings)
+}
diff --git a/tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep b/tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep
index 6476c5201c6..e2c85460c5d 100644
--- a/tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep
+++ b/tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep
@@ -3,6 +3,7 @@ param logsStorageAccountName string
 param kustoClusterName string
 param kustoDatabaseName string
 param webAppName string
+param subnetId string
 param appIdentityPrincipalId string
 
 var tables = [
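Review bot: `currentAppSettings` receives the entire live app-settings bag from `list(resourceId('Microsoft.Web/sites/config', webApp.name, 'appsettings'), '2022-03-01').properties`, and both it and `appSettings` are declared as plain `param ... object` in the new appSettings.bicep; non-secure module parameters are recorded in the resource group's deployment history, so any secret already stored as an app setting (connection strings, instrumentation keys) would be persisted in plaintext in the `${webAppName}-appsettings` deployment for anyone with read access to deployments. Mark both parameters `@secure()` in appSettings.bicep — `@secure()` on the line above `param appSettings object` and above `param currentAppSettings object` — so the values are redacted from deployment records; the same applies to the module call here, which is the first place the values leave the template. If I read `union` correctly the last argument wins, so the new `ASPNETCORE_ENVIRONMENT` overrides any existing value of that key; that is worth stating in the header comment, which also misspells "overwriting".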
@@ -54,13 +55,12 @@ resource logsStorageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
 defaultToOAuthAuthentication: false
 allowCrossTenantReplication: true
 minimumTlsVersion: 'TLS1_2'
- allowBlobPublicAccess: true
- allowSharedKeyAccess: true
+ allowBlobPublicAccess: false
+ allowSharedKeyAccess: false
 networkAcls: {
 bypass: 'AzureServices'
- virtualNetworkRules: []
- ipRules: []
- defaultAction: 'Allow'
+ virtualNetworkRules: [{ id: subnetId }]
+ defaultAction: 'Deny'
 }
 supportsHttpsTrafficOnly: true
 encryption: {
@@ -180,6 +180,7 @@ resource kustoCluster 'Microsoft.Kusto/Clusters@2022-02-01' = {
 enableAutoStop: false
 publicIPType: 'IPv4'
 }
+
 resource database 'Databases' = {
 name: kustoDatabaseName
 location: location
@@ -188,6 +189,14 @@ resource kustoCluster 'Microsoft.Kusto/Clusters@2022-02-01' = {
 hotCachePeriod: 'P31D'
 }
 }
+
+ resource managedEndpoint 'managedPrivateEndpoints' = {
+ name: logsStorageAccountName
+ properties: {
+ groupId: 'blob'
+ privateLinkResourceId: logsStorageAccount.id
+ }
+ }
 }
 
 // Resources per table
diff --git a/tools/pipeline-witness/infrastructure/bicep/parameters.production.json b/tools/pipeline-witness/infrastructure/bicep/parameters.production.json
index 874d2e2fabe..e20b6bbe45a 100644
--- a/tools/pipeline-witness/infrastructure/bicep/parameters.production.json
+++ b/tools/pipeline-witness/infrastructure/bicep/parameters.production.json
@@ -20,6 +20,9 @@
 "appStorageAccountName": {
 "value": "pipelinewitnessprod"
 },
+ "aspEnvironment": {
+ "value": "production"
+ },
 "logsResourceGroupName": {
 "value": "pipelinelogs"
 },
@@ -31,6 +34,18 @@
 },
 "kustoDatabaseName": {
 "value": "Pipelines"
+ },
+ "networkSecurityGroupName": {
+ "value": "pipelinewitnessprod"
+ },
+ "vnetName": {
+ "value": "pipelinewitnessprod"
+ },
+ "vnetPrefix": {
+ "value": "10.9.0.0/16"
+ },
+ "subnetPrefix": {
+ "value": "10.9.0.0/24"
 }
 }
 }
\ No newline at end of file
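Review bot: The new `managedEndpoint` resource creates only the Kusto-side half of a private endpoint to `logsStorageAccount.id`; to my knowledge the resulting connection starts out pending and has to be approved on the storage account's private endpoint connections before the cluster can read blobs through it, and nothing in this template performs that approval. Because the same commit sets that account to `defaultAction: 'Deny'` with only the app subnet in `virtualNetworkRules`, ingestion from Kusto would stall after deployment until someone approves the connection by hand. Either add an approval step to the deployment or record the requirement next to the resource, e.g. `// The private endpoint connection must be approved on logsStorageAccount after deployment before ingestion works`. The enclosing kustoCluster resource begins outside this hunk.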
diff --git a/tools/pipeline-witness/infrastructure/bicep/parameters.staging.json b/tools/pipeline-witness/infrastructure/bicep/parameters.staging.json
index b9c1e44f461..32342d8c04a 100644
--- a/tools/pipeline-witness/infrastructure/bicep/parameters.staging.json
+++ b/tools/pipeline-witness/infrastructure/bicep/parameters.staging.json
@@ -20,6 +20,9 @@
 "appStorageAccountName": {
 "value": "pipelinewitnessstaging"
 },
+ "aspEnvironment": {
+ "value": "staging"
+ },
 "logsResourceGroupName": {
 "value": "pipelinelogs"
 },
@@ -31,6 +34,18 @@
 },
 "kustoDatabaseName": {
 "value": "Staging"
+ },
+ "networkSecurityGroupName": {
+ "value": "pipelinewitnessstaging"
+ },
+ "vnetName": {
+ "value": "pipelinewitnessstaging"
+ },
+ "vnetPrefix": {
+ "value": "10.8.0.0/16"
+ },
+ "subnetPrefix": {
+ "value": "10.8.0.0/24"
 }
 }
 }
\ No newline at end of file
diff --git a/tools/pipeline-witness/infrastructure/bicep/parameters.test.json b/tools/pipeline-witness/infrastructure/bicep/parameters.test.json
index f9b7dc4b5e7..b7c356abe23 100644
--- a/tools/pipeline-witness/infrastructure/bicep/parameters.test.json
+++ b/tools/pipeline-witness/infrastructure/bicep/parameters.test.json
@@ -20,6 +20,9 @@
 "appStorageAccountName": {
 "value": "pipelinewitnesstest"
 },
+ "aspEnvironment": {
+ "value": "test"
+ },
 "logsResourceGroupName": {
 "value": "pipelinelogstest"
 },
@@ -31,6 +34,18 @@
 },
 "kustoDatabaseName": {
 "value": "test"
+ },
+ "networkSecurityGroupName": {
+ "value": "pipelinewitnesstest"
+ },
+ "vnetName": {
+ "value": "pipelinewitnesstest"
+ },
+ "vnetPrefix": {
+ "value": "10.7.0.0/16"
+ },
+ "subnetPrefix": {
+ "value": "10.7.0.0/24"
 }
 }
 }
\ No newline at end of file
diff --git a/tools/pipeline-witness/infrastructure/bicep/resourceGroups.bicep b/tools/pipeline-witness/infrastructure/bicep/resourceGroups.bicep
index c97baad39c5..845f495c162 100644
--- a/tools/pipeline-witness/infrastructure/bicep/resourceGroups.bicep
+++ b/tools/pipeline-witness/infrastructure/bicep/resourceGroups.bicep
@@ -5,8 +5,13 @@ param location string
 param appResourceGroupName string
 param appServicePlanName string
 param webAppName string
+param networkSecurityGroupName string
+param vnetName string
+param vnetPrefix string
+param subnetPrefix string
 param cosmosAccountName string
 param appStorageAccountName string
+param aspEnvironment string
 param logsResourceGroupName string
 param logsStorageAccountName string
 
@@ -25,9 +30,14 @@ module pipelineWitness 'appResourceGroup.bicep' = {
 params: {
 location: location
 appServicePlanName: appServicePlanName
+ vnetPrefix: vnetPrefix
+ subnetPrefix: subnetPrefix
 webAppName: webAppName
 cosmosAccountName: cosmosAccountName
 appStorageAccountName: appStorageAccountName
+ aspEnvironment: aspEnvironment
+ networkSecurityGroupName: networkSecurityGroupName
+ vnetName: vnetName
 }
 }
 
@@ -49,5 +59,6 @@ module pipelineLogs 'logsResourceGroup.bicep' = {
 kustoDatabaseName: kustoDatabaseName
 webAppName: webAppName
 appIdentityPrincipalId: pipelineWitness.outputs.appIdentityPrincipalId
+ subnetId: pipelineWitness.outputs.subnetId
 }
 }