fix(infra): address SFI security compliance issues (ADO #43311) #244
Shreyas-Microsoft wants to merge 5 commits into
Conversation
…O #43311)
Enables double encryption at rest by setting requireInfrastructureEncryption: true on the
AVM storage-account modules used by both the standard and custom deployments, plus the
(currently unreferenced) wrapper module for parity with Modernize PR #435.
Files touched:
- infra/main.bicep (inline AVM storage/storage-account:0.20.0)
- infra/main_custom.bicep (inline AVM storage/storage-account:0.20.0)
- infra/modules/storageAccount.bicep (wrapper around AVM 0.26.2)
Addresses SFI item: "add encryption property and make requireInfrastructureEncryption: true for storage account".
Mirrors the storage-account change in microsoft/Modernize-your-code-solution-accelerator#435.
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ent (ADO #43311)
Sets peerTrafficEncryption: true on the AVM app/managed-environment:0.11.2 module in both
deployment variants. This toggles
Microsoft.App/managedEnvironments.properties.peerTrafficConfiguration.encryption.enabled,
which is the Container Apps equivalent of the App Service endToEndEncryptionEnabled property
called out by the SFI scan (this repo deploys Container Apps, not App Service).
Files touched:
- infra/main.bicep (containerAppsEnvironment module ~L1121)
- infra/main_custom.bicep (containerAppsEnvironment module ~L1074)
Addresses SFI item: "endToEndEncryptionEnabled: true in App Service".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…VM (ADO #43311)
Audited every resource in the Bicep templates against the SFI "identity required"
rule. Resources that support managed identity but were missing one:
* Microsoft.DocumentDB/databaseAccounts (cosmosDb) -> add SystemAssigned
* Microsoft.ContainerRegistry/registries (containerRegistry) -> add SystemAssigned
* Microsoft.Compute/virtualMachines (jumpboxVM) -> add SystemAssigned
The jumpbox VM also gains SystemAssigned because the Azure Monitor Agent extension
needs an identity to authenticate against the Log Analytics workspace when honoring
the SecurityAuditEvents data collection rule association (introduced in a later
commit on this branch).
Resources already compliant and left untouched:
* aiFoundryAiServices -> systemAssigned + userAssignedResourceIds already set
* aiFoundryProject -> identity.type = 'SystemAssigned' already set
* appConfiguration / avmAppConfigUpdated -> systemAssigned already set
* containerAppsEnvironment -> systemAssigned already set
* containerAppBackend / Frontend / Processor -> UAMI (appIdentity) already wired
* storageAccount -> systemAssigned already set
* appIdentity (UAMI itself, N/A)
* Bastion / ApplicationInsights / LAW / PrivateDnsZones (do not support / not in
SFI scope per user's authoritative list)
Files touched:
- infra/main.bicep (cosmosDb, jumpboxVM)
- infra/main_custom.bicep (cosmosDb, containerRegistry, jumpboxVM)
Addresses SFI item: "identity: { type: 'SystemAssigned' } or { type: 'UserAssigned' }".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…DO #43311)
Adds a Data Collection Rule that captures Windows audit success (EventID 4624) and audit
failure (EventID 4625) Security events from the jumpbox VM and routes them to the Log
Analytics workspace via the Microsoft-SecurityEvent stream. The DCR is associated with the
VM through the Azure Monitor Agent extension
(extensionMonitoringAgentConfig.dataCollectionRuleAssociations). The OMSGallery Security
solution is installed on the workspace so the SecurityEvent table is populated for the
routed stream.
Pattern mirrors microsoft/Modernize-your-code-solution-accelerator#435 but the audit success
and audit failure events are covered by a single xPath
(Security!*[System[(EventID=4624 or EventID=4625)]]) routed via the Microsoft-SecurityEvent
stream rather than Microsoft-WindowsEvent.
All new resources are gated on enablePrivateNetworking && enableMonitoring so non-WAF /
non-monitoring deployments are unaffected.
Files touched:
- infra/main.bicep (jumpboxVM AMA extension; new securitySolution + windowsVmDataCollectionRules)
- infra/main_custom.bicep (same additions)
Addresses SFI item: "data collection rule ['audit success','audit failure'] logs should be enabled".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Regenerated infra/main.json via 'az bicep build infra/main.bicep' to pick up the four SFI
changes on this branch:
* Container Apps Environment peerTrafficEncryption
* Storage account requireInfrastructureEncryption
* SystemAssigned identity on cosmos / ACR / jumpbox VM
* Windows Security audit DCR + OMSGallery/Security solution
The large diff is dominated by the inlined AVM data-collection-rule:0.11.0 module definition
pulled into main.json by the new windowsVmDataCollectionRules module. No main_custom.json
exists in this repo (main_custom.bicep is consumed by tooling that runs bicep on demand).
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR addresses SFI (Secure Future Initiative) compliance items flagged by the EXP team (ADO #43311). It is an infra-only change, applied symmetrically to infra/main.bicep and infra/main_custom.bicep, with infra/main.json regenerated.
Changes:
- Enable `peerTrafficEncryption` on the Container Apps Environment and `requireInfrastructureEncryption` on storage accounts.
- Add system-assigned managed identities to Cosmos DB, Azure Container Registry, and the jumpbox VM.
- Add an OMS `Security` solution and a Windows Security audit (EventID 4624/4625) Data Collection Rule, associated with the jumpbox VM via the Azure Monitor Agent.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| infra/modules/storageAccount.bicep | Explicitly enable infrastructure encryption and set keyType: 'Service'. |
| infra/main.bicep | Add identities, DCR + Security solution, peer traffic encryption, and storage infra encryption. |
| infra/main_custom.bicep | Mirror of main.bicep changes for the custom-deployment path. |
| infra/main.json | Regenerated ARM template reflecting Bicep changes. |
| // workspace so that the Microsoft-SecurityEvent stream produced by the data | ||
| // collection rule below populates the SecurityEvent table. Same gate as the | ||
| // DCR. (ADO #43311) | ||
| resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { |
| extensionMonitoringAgentConfig: enableMonitoring | ||
| ? { | ||
| enabled: true | ||
| tags: allTags | ||
| dataCollectionRuleAssociations: [ | ||
| { | ||
| name: 'send-${logAnalyticsWorkspaceResourceName}' | ||
| dataCollectionRuleResourceId: windowsVmDataCollectionRules!.outputs.resourceId | ||
| } | ||
| ] | ||
| } | ||
| : null |
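Review bot: the `extensionMonitoringAgentConfig` block is gated on `enableMonitoring` alone, but the `windowsVmDataCollectionRules` module it dereferences with `windowsVmDataCollectionRules!.outputs.resourceId` is gated on `enablePrivateNetworking && enableMonitoring` (the same gate as `securitySolution`). If the jumpbox VM can be deployed with monitoring on and private networking off, this association references a module that was never deployed; either gate the `dataCollectionRuleAssociations` entry on the same combined condition or add a comment stating that the VM itself only exists under `enablePrivateNetworking`.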
| // SFI: install the Azure Monitor "Security" solution on the Log Analytics | ||
| // workspace so that the Microsoft-SecurityEvent stream produced by the data | ||
| // collection rule below populates the SecurityEvent table. Same gate as the | ||
| // DCR. (ADO #43311) | ||
| resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { | ||
| name: 'Security(${logAnalyticsWorkspaceResourceName})' | ||
| location: solutionLocation | ||
| plan: { | ||
| name: 'Security(${logAnalyticsWorkspaceResourceName})' | ||
| publisher: 'Microsoft' | ||
| product: 'OMSGallery/Security' | ||
| promotionCode: '' | ||
| } | ||
| properties: { | ||
| workspaceResourceId: logAnalyticsWorkspaceResourceId | ||
| } | ||
| } | ||
|
|
||
| // SFI: data collection rule that captures Windows Security audit success | ||
| // (EventID 4624) and audit failure (EventID 4625) events from the jumpbox VM | ||
| // and routes them to Log Analytics via the Microsoft-SecurityEvent stream. | ||
| // (ADO #43311) |
| // workspace so that the Microsoft-SecurityEvent stream produced by the data | ||
| // collection rule below populates the SecurityEvent table. Same gate as the | ||
| // DCR. (ADO #43311) | ||
| resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { |
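Review bot: if `securitySolution` is dropped as suggested in this thread, the claim in the commit message that the solution is what populates the `SecurityEvent` table should be verified rather than assumed: after a deployment without it, query the workspace for rows in `SecurityEvent` from the jumpbox VM before the change is considered complete, and record the outcome in the resource comment so the next reader knows whether the `Microsoft-SecurityEvent` stream alone is sufficient.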
you can remove this
| streams: [ | ||
| 'Microsoft-SecurityEvent' | ||
| ] | ||
| xPathQueries: [ |
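Review bot: `Microsoft-SecurityEvent` is the correct stream for the `SecurityEvent` table, but the xPath behind this data source (per the commit message, `Security!*[System[(EventID=4624 or EventID=4625)]]`) only captures logon success and failure, not audit success/failure in general. The keyword-based filter proposed below, `band(Keywords,13510798882111488)`, is the Audit Success | Audit Failure keyword mask and covers every audit event; note, though, that its `EventID != 4624` clause removes successful logons entirely, so confirm that matches the "audit success" requirement before adopting it, and document the volume trade-off in the resource comment.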
update xPathQueries to 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
| location: dataCollectionRulesLocation | ||
| dataCollectionRuleProperties: { | ||
| kind: 'Windows' | ||
| dataSources: { |
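Review bot: `kind: 'Windows'` with only `windowsEventLogs` under `dataSources` satisfies the audit item, but if `performanceCounters` are added as requested below, a matching `dataFlows` entry for the `Microsoft-Perf` stream to the Log Analytics destination is also required; a data source with no flow is collected by the agent and silently dropped, so the addition should be checked with a `Perf` query after deployment.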
add performanceCounters as well
Purpose
Addresses ADO #43311 — Container Migration - Check and Fix SFI Issues reported by EXP Team.
The EXP team flagged the following SFI (Secure Future Initiative) items for this accelerator. Each one is addressed below. Pattern reference: microsoft/Modernize-your-code-solution-accelerator#435 (sibling repo's SFI PR).
SFI items addressed
| SFI item | Files | Resolution |
|---|---|---|
| `endToEndEncryptionEnabled: true` for App Service | `infra/main.bicep`, `infra/main_custom.bicep` | `peerTrafficEncryption` enabled on the Container Apps Environment. This repo runs on Azure Container Apps, not App Service; `peerTrafficEncryption` is the Container Apps equivalent of `endToEndEncryptionEnabled` and enforces mTLS for intra-environment traffic. |
| data collection rule ['audit success','audit failure'] logs should be enabled | `infra/main.bicep`, `infra/main_custom.bicep` | added a `Microsoft.Insights/dataCollectionRules` resource with a `windowsEventLogs` source covering Security event IDs 4624 (audit success) and 4625 (audit failure), streaming `Microsoft-SecurityEvent` to the Log Analytics workspace, plus an `OMSGallery/Security` solution attached to the LAW. The DCR is associated with the jumpbox VM. |
| `disableLocalAuth: true` for AI Services | already on `dev`: `infra/main.bicep:920`, `infra/main_custom.bicep:876` | the `aiFoundryAiServices` resource uses AVM `br/public:avm/res/cognitive-services/account:0.13.2` with `disableLocalAuth: true`, set by a prior refactor commit on `dev`. The `existing` BYO AI Services path is immutable from this Bicep, and the AI Foundry project sub-resource's schema does not expose `disableLocalAuth` (auth is inherited from the parent account). App code (`src/backend-api/`, `src/processor/`) uses Entra ID (`use_entra_id=True`) everywhere; no local-key dependency. |
| `identity: { type: 'SystemAssigned' }` or `'UserAssigned'` | `infra/main.bicep`, `infra/main_custom.bicep` | added `identity: { type: 'SystemAssigned' }` to Cosmos DB, Azure Container Registry, and the Jumpbox VM where it was missing. Did not modify resources that already use a user-assigned identity. |
| `encryption.requireInfrastructureEncryption: true` for storage | `infra/modules/storageAccount.bicep` | added explicit `requireInfrastructureEncryption: true`. The AVM `storage-account:0.26.2` default is already `true`, but SFI policy prefers the property be set explicitly rather than relying on module defaults. |
Commits
- `b410134` — fix(infra): require infrastructure encryption on storage accounts
- `8d2391f` — fix(infra): enable peer traffic encryption on container apps environment
- `817d529` — fix(infra): add system-assigned identity to cosmos, ACR, and jumpbox VM
- `ffc1eed` — fix(infra): add windows security audit DCR + OMS Security solution
- `786b7e2` — chore(infra): regenerate main.json from main.bicep
Verification
- `az bicep build infra/main.bicep` — clean (only pre-existing BCP334 warning, unchanged)
- 585 passed, 93.28% coverage (gate: 82%)
- 812 passed, 87.44% coverage (gate: 82%)
Does this introduce a breaking change?
(`peerTrafficEncryption` is transparent to workloads; DCR adds a new resource with no impact on existing ones; `requireInfrastructureEncryption` matches the existing AVM default)
Golden Path Validation
Deployment Validation
- `az bicep build infra/main.bicep` succeeds with no new warnings/errors.
- `infra/main.json` regenerated from the updated `main.bicep` (not hand-edited).
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com
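The audit-logging item above, written out as an added example that is not code from this PR or from the accelerator: the same Windows Security DCR pattern against raw resource types instead of the AVM modules, so the parts the modules hide (the `destinations` and `dataFlows` wiring and the VM-scoped association) are visible. It generalises the xPath from logon events 4624/4625 to every Audit Success/Audit Failure event using the keyword mask from the review thread. Parameter names, the DCR name and the API versions are assumptions for the example.

```bicep
// Added example: raw-resource equivalent of the SFI audit DCR pattern.
// Parameter names and the DCR name are assumptions, not the repo's own.
param location string = resourceGroup().location
param logAnalyticsWorkspaceResourceId string
param logAnalyticsWorkspaceResourceName string
param jumpboxVmName string
param enablePrivateNetworking bool = true
param enableMonitoring bool = true

// Same gate as the PR: only WAF (private networking) + monitoring deployments get these.
var deployAudit = enablePrivateNetworking && enableMonitoring

// Audit Success (0x20000000000000) | Audit Failure (0x10000000000000) keyword mask.
// Matching on Keywords instead of fixed EventIDs covers every audit event, not just logons.
var auditKeywordsMask = '13510798882111488'

// OMSGallery/Security solution; the name must follow the Security(<workspace>) convention.
resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (deployAudit) {
  name: 'Security(${logAnalyticsWorkspaceResourceName})'
  location: location
  plan: {
    name: 'Security(${logAnalyticsWorkspaceResourceName})'
    publisher: 'Microsoft'
    product: 'OMSGallery/Security'
    promotionCode: ''
  }
  properties: {
    workspaceResourceId: logAnalyticsWorkspaceResourceId
  }
}

// Windows DCR: the dataFlows entry is what actually routes the stream to the workspace;
// a data source whose stream has no flow is collected by the agent and discarded.
resource windowsAuditDcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = if (deployAudit) {
  name: 'dcr-windows-security-audit'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'securityAuditEvents'
          streams: [ 'Microsoft-SecurityEvent' ]
          xPathQueries: [
            'Security!*[System[(band(Keywords,${auditKeywordsMask}))]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          name: 'law'
          workspaceResourceId: logAnalyticsWorkspaceResourceId
        }
      ]
    }
    dataFlows: [
      {
        streams: [ 'Microsoft-SecurityEvent' ]
        destinations: [ 'law' ]
      }
    ]
  }
}

// The jumpbox VM is deployed elsewhere; reference it so the association can be scoped to it.
resource jumpboxVm 'Microsoft.Compute/virtualMachines@2024-03-01' existing = {
  name: jumpboxVmName
}

// Association is an extension resource on the VM; the Azure Monitor Agent extension on the
// VM (with a managed identity to reach the workspace) then honours this rule.
resource dcrAssociation 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = if (deployAudit) {
  name: 'send-${logAnalyticsWorkspaceResourceName}'
  scope: jumpboxVm
  properties: {
    dataCollectionRuleId: windowsAuditDcr.id
  }
}
```

With the AMA extension already installed on the VM, this is equivalent to the `dataCollectionRuleAssociations` entry inside `extensionMonitoringAgentConfig` in the PR; the standalone association resource is the form to use when the VM module does not expose that property. To confirm ingestion after deployment, query the workspace's `SecurityEvent` table filtered on the VM's computer name and check that both Audit Success and Audit Failure rows appear.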