From e0d87475939f3a3f6e3b2d7b0cfedbb389578ee3 Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Tue, 15 Nov 2022 18:49:06 +0000
Subject: [PATCH 1/5] fix(Terraform): enable purge protection on the Key Vault

---
 terraform/key_vault.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/terraform/key_vault.tf b/terraform/key_vault.tf
index 97cc656e..7fc1166f 100644
--- a/terraform/key_vault.tf
+++ b/terraform/key_vault.tf
@@ -6,6 +6,9 @@ resource "azurerm_key_vault" "main" {
 sku_name = "standard"
 tenant_id = data.azurerm_client_config.current.tenant_id
 
+ soft_delete_retention_days = 7
+ purge_protection_enabled = true
+
 # allow engineers to fully manage secrets
 access_policy {
 tenant_id = data.azurerm_client_config.current.tenant_id

From 18576a15afad9dd4f973ac8e1f5a63758479ec93 Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Tue, 15 Nov 2022 18:49:42 +0000
Subject: [PATCH 2/5] fix(Terraform): set the storage account minimum TLS version

---
 terraform/storage.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/storage.tf b/terraform/storage.tf
index 94c931e3..0f5b03d6 100644
--- a/terraform/storage.tf
+++ b/terraform/storage.tf
@@ -5,6 +5,7 @@ resource "azurerm_storage_account" "main" {
 resource_group_name = data.azurerm_resource_group.main.name
 account_tier = "Standard"
 account_replication_type = "RAGRS"
+ min_tls_version = "TLS1_2"
 
 blob_properties {
 last_access_time_enabled = true

From ae6a34889514799f9cd06148e4da95aa8b6a9c15 Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Tue, 15 Nov 2022 19:02:11 +0000
Subject: [PATCH 3/5] fix(Terraform): enable HTTP/2

---
 terraform/app_service.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index f22e255a..882c198d 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
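Review bot: `purge_protection_enabled = true` is a one-way switch on the Azure side — once applied it cannot be turned back off, and the vault and its secrets cannot be purged until the soft-delete retention period has elapsed — so the two new lines in the `azurerm_key_vault` hunk deserve a comment that says so and why it is wanted, e.g. `# prevents permanent deletion of the vault and its secrets; Azure does not allow purge protection to be disabled once enabled`. The 7-day retention introduced here is raised to 90 by PATCH 5/5 of the same series; squashing the two patches would keep the intermediate value out of history. The `azurerm_key_vault` resource continues outside the hunk.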
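Review bot: `min_tls_version = "TLS1_2"` in the `azurerm_storage_account` hunk pins the protocol version but nothing visible requires encrypted transport at all; `enable_https_traffic_only` is not in the hunk, and if it is not set elsewhere in the resource (the block continues outside the hunk) an explicit `enable_https_traffic_only = true` next to this line records the intent rather than relying on the provider default. A short comment such as `# reject TLS 1.0/1.1 clients` would also make the purpose of the enum string obvious to the next reader.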
@@ -19,7 +19,9 @@ resource "azurerm_linux_web_app" "main" {
 https_only = true
 
 site_config {
- ftps_state = "Disabled"
+ ftps_state = "Disabled"
+ http2_enabled = true
+
 dynamic "ip_restriction" {
 for_each = var.IP_ADDRESS_WHITELIST
 content {

From 180f7aecfad01d83d3e66822b3712723bd9164ec Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Tue, 15 Nov 2022 19:02:49 +0000
Subject: [PATCH 4/5] fix(Terraform): enable better error logging

---
 terraform/app_service.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 882c198d..617e572d 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -49,8 +49,8 @@ resource "azurerm_linux_web_app" "main" {
 }
 
 logs {
- detailed_error_messages = false
- failed_request_tracing = false
+ detailed_error_messages = true
+ failed_request_tracing = true
 
 http_logs {
 file_system {

From 73687cb218c9176fb6d098206749fc658393dfc5 Mon Sep 17 00:00:00 2001
From: Aidan Feldman
Date: Tue, 15 Nov 2022 19:27:42 +0000
Subject: [PATCH 5/5] fix(Terraform): change Vault retention to match current value

---
 terraform/key_vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/key_vault.tf b/terraform/key_vault.tf
index 7fc1166f..2211c589 100644
--- a/terraform/key_vault.tf
+++ b/terraform/key_vault.tf
@@ -6,7 +6,7 @@ resource "azurerm_key_vault" "main" {
 sku_name = "standard"
 tenant_id = data.azurerm_client_config.current.tenant_id
 
- soft_delete_retention_days = 7
+ soft_delete_retention_days = 90
 purge_protection_enabled = true
 
 # allow engineers to fully manage secrets
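Review bot: The `site_config` block in the PATCH 3/5 hunk now sets `ftps_state` and `http2_enabled` but shows no explicit `minimum_tls_version`; the provider defaults it to "1.2", yet PATCH 2/5 pins the storage account's TLS floor explicitly, and adding `minimum_tls_version = "1.2"` here would keep the two resources consistent and independent of a provider default change (the `site_config` block continues outside the hunk, so it may already be set further down). The subject labels enabling HTTP/2 a `fix`, while the change is a protocol/performance feature rather than a defect; a `feat` prefix would describe it more accurately.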
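Review bot: Flipping `detailed_error_messages` and `failed_request_tracing` to `true` in the PATCH 4/5 hunk causes the platform to write full request traces and the server-generated error pages to the app's file system, and those traces can include request headers, query strings and similar values that may carry credentials or session identifiers; the hunk does not show who can read those files or how long they are kept (the `logs` block and its `http_logs { file_system { … } }` continue outside the hunk). Suggest a comment above the two lines, e.g. `# traces are stored on the app file system and may contain request headers; limit who can access the SCM/Kudu site and check their retention`, and confirming whether the retention configured for `http_logs` further down also applies to failed-request traces, which I do not believe it does.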
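Review bot: The reason for `soft_delete_retention_days = 90` in the PATCH 5/5 hunk lives only in the commit subject, so a future reader of `key_vault.tf` will see an unexplained maximum. Azure documents the soft-delete retention period as fixed once set on a vault, so a value that does not match the deployed vault produces a plan diff that cannot be applied in place — worth stating on the line itself, e.g. `# must match the retention already set on the existing vault; Azure does not allow this value to be changed after it is set`. The `azurerm_key_vault` resource continues outside the hunk.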