From 06df144c85db9aadb76ba4b7979142ffda46c833 Mon Sep 17 00:00:00 2001 From: Prachig-Microsoft Date: Fri, 15 May 2026 16:25:23 +0530 Subject: [PATCH 1/4] fix: address SFI security compliance issues - Enable infrastructure encryption (double encryption) for storage account - Add Security solution to Log Analytics workspace for SecurityEvent table - Add Windows Security Audit Event Logs (EventID 4624/4625) to data collection rules - Route Microsoft-SecurityEvent stream to Log Analytics in both main.bicep and main_custom.bicep Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- infra/main.bicep | 34 +++++++++++++++++++ infra/main.json | 53 ++++++++++++++++++++++++++---- infra/main_custom.bicep | 25 +++++++++++++- infra/modules/storageAccount.bicep | 2 +- 4 files changed, 105 insertions(+), 9 deletions(-) diff --git a/infra/main.bicep b/infra/main.bicep index 5c0225d3..ec96ec39 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
@@ -514,12 +514,27 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi } } +resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { + name: 'Security(log-${solutionSuffix})' + location: location + plan: { + name: 'Security(log-${solutionSuffix})' + publisher: 'Microsoft' + product: 'OMSGallery/Security' + promotionCode: '' + } + properties: { + workspaceResourceId: logAnalyticsWorkspaceResourceId + } +} + var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) + dependsOn: [securitySolution] params: { name: dataCollectionRulesResourceName tags: tags @@ -586,6 +601,17 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- name: 'perfCounterDataSource60' } ] + windowsEventLogs: [ + { + name: 'SecurityAuditEvents' + streams: [ + 'Microsoft-SecurityEvent' + ] + xPathQueries: [ + 'Security!*[System[(EventID=4624 or EventID=4625)]]' + ] + } + ] } destinations: { logAnalytics: [ @@ -604,6 +630,14 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'la-${dataCollectionRulesResourceName}' ] } + { + streams: [ + 'Microsoft-SecurityEvent' + ] + destinations: [ + 'la-${dataCollectionRulesResourceName}' + ] + } ] } } diff --git a/infra/main.json b/infra/main.json index 5e8c5860..7e459623 100644 --- a/infra/main.json +++ b/infra/main.json 
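Review bot: `name: 'Security(log-${solutionSuffix})'` fixes the workspace half of the solution name to the template's own workspace name, while `workspaceResourceId: logAnalyticsWorkspaceResourceId` can resolve to a pre-existing workspace (the following lines read `existingLogAnalyticsWorkspace!.location` under `useExistingLogAnalytics`). A Microsoft.OperationsManagement/solutions resource has to be named `<Product>(<workspaceName>)` for the workspace it is attached to, so the existing-workspace path would create a solution whose name disagrees with its workspace, and the `plan.name` line repeats the same literal. Deriving both from the resolved workspace name, e.g. `name: 'Security(${logAnalyticsWorkspaceName})'` (a variable a later patch in this series references in this file), keeps the two paths consistent; the same resource is added to main_custom.bicep in this patch. The point is moot once the next patch removes the resource, but it applies if the resource is reintroduced. The windowsVmDataCollectionRules module body continues outside the hunk.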
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "1333265003476738511" + "templateHash": "16804124823752948659" }, "name": "Modernize Your Code Solution Accelerator", "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n" @@ -308,6 +308,25 @@ "resourceGroup": "[variables('existingLawResourceGroup')]", "name": "[variables('existingLawName')]" }, + "securitySolution": { + "condition": "[and(parameters('enablePrivateNetworking'), parameters('enableMonitoring'))]", + "type": "Microsoft.OperationsManagement/solutions", + "apiVersion": "2015-11-01-preview", + "name": "[format('Security(log-{0})', variables('solutionSuffix'))]", + "location": "[parameters('location')]", + "plan": { + "name": "[format('Security(log-{0})', variables('solutionSuffix'))]", + "publisher": "Microsoft", + "product": "OMSGallery/Security", + "promotionCode": "" + }, + "properties": { + "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]" + }, + "dependsOn": [ + "logAnalyticsWorkspace" + ] + }, "appIdentity": { "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", @@ -13101,11 +13120,11 @@ }, "dependsOn": [ "applicationInsights", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", "dataCollectionEndpoint", "logAnalyticsWorkspace", "virtualNetwork" 
@@ -15351,6 +15370,17 @@ ], "name": "perfCounterDataSource60" } + ], + "windowsEventLogs": [ + { + "name": "SecurityAuditEvents", + "streams": [ + "Microsoft-SecurityEvent" + ], + "xPathQueries": [ + "Security!*[System[(EventID=4624 or EventID=4625)]]" + ] + } ] }, "destinations": { @@ -15369,6 +15399,14 @@ "destinations": [ "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" ] + }, + { + "streams": [ + "Microsoft-SecurityEvent" + ], + "destinations": [ + "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" + ] } ] } @@ -16578,7 +16616,8 @@ "dependsOn": [ "dataCollectionEndpoint", "existingLogAnalyticsWorkspace", - "logAnalyticsWorkspace" + "logAnalyticsWorkspace", + "securitySolution" ] }, "proximityPlacementGroup": { @@ -32018,8 +32057,8 @@ "dependsOn": [ "aiServices", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", "virtualNetwork" ] }, @@ -32076,7 +32115,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "3598447245043879538" + "templateHash": "15460841004653840446" } }, "definitions": { @@ -32314,7 +32353,7 @@ "value": "TLS1_2" }, "requireInfrastructureEncryption": { - "value": false + "value": true }, "keyType": { "value": "Service" diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep index 938ca3e5..b4886690 100644 --- a/infra/main_custom.bicep +++ b/infra/main_custom.bicep 
@@ -422,12 +422,27 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi } } +resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { + name: 'Security(log-${solutionSuffix})' + location: location + plan: { + name: 'Security(log-${solutionSuffix})' + publisher: 'Microsoft' + product: 'OMSGallery/Security' + promotionCode: '' + } + properties: { + workspaceResourceId: logAnalyticsWorkspaceResourceId + } +} + var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) + dependsOn: [securitySolution] params: { name: dataCollectionRulesResourceName tags: tags @@ -497,7 +512,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- { name: 'SecurityAuditEvents' streams: [ - 'Microsoft-WindowsEvent' + 'Microsoft-SecurityEvent' ] xPathQueries: [ 'Security!*[System[(EventID=4624 or EventID=4625)]]' @@ -524,6 +539,14 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- transformKql: 'source' outputStream: 'Microsoft-Perf' } + { + streams: [ + 'Microsoft-SecurityEvent' + ] + destinations: [ + 'la-${dataCollectionRulesResourceName}' + ] + } ] } } diff --git a/infra/modules/storageAccount.bicep b/infra/modules/storageAccount.bicep index b6c25f76..c9e1a1a5 100644 --- a/infra/modules/storageAccount.bicep +++ b/infra/modules/storageAccount.bicep 
@@ -58,7 +58,7 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = { allowSharedKeyAccess: false allowCrossTenantReplication: false minimumTlsVersion: 'TLS1_2' - requireInfrastructureEncryption: false + requireInfrastructureEncryption: true keyType: 'Service' enableHierarchicalNamespace: false enableNfsV3: false From 4503d5b0f44e378468c6bcd3a6baa0d2d6588bd9 Mon Sep 17 00:00:00 2001 From: Prachig-Microsoft Date: Mon, 18 May 2026 19:41:00 +0530 Subject: [PATCH 2/4] fix: address PR review - remove unneeded SecurityEvent DCR/solution Revert the Microsoft.OperationsManagement/solutions 'Security' resource and the Microsoft-SecurityEvent data source/dataflow added in the previous commit. The SecurityEvent table is not provisioned by OMSGallery/Security in modern subscriptions and this workload has no Windows VMs to source the events, which was causing 'InvalidOutputTable' deployment failures. Retain only the storage account double-encryption change. --- infra/main.bicep | 34 ----------------------------- infra/main.json | 47 ++++------------------------------------- infra/main_custom.bicep | 25 +--------------------- 3 files changed, 5 insertions(+), 101 deletions(-) diff --git a/infra/main.bicep b/infra/main.bicep index ec96ec39..5c0225d3 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
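Review bot: `requireInfrastructureEncryption: true` is a create-time-only property of a storage account, so this hunk only takes effect for fresh deployments; redeploying the template over an account that was created with `false` is expected to be rejected as a change to an immutable property rather than to upgrade the account in place. The commit should state how existing environments obtain the control, either recreating the account (with attention to the data in it) or accepting that only new deployments are double-encrypted, and a comment on the line, e.g. `// immutable after creation; existing accounts must be recreated to gain double encryption`, would stop the next reader from assuming a redeploy is enough. The compiled main.json hunk in this patch mirrors the same flag flip. The storageAccount module body continues outside the hunk.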
@@ -514,27 +514,12 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi } } -resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { - name: 'Security(log-${solutionSuffix})' - location: location - plan: { - name: 'Security(log-${solutionSuffix})' - publisher: 'Microsoft' - product: 'OMSGallery/Security' - promotionCode: '' - } - properties: { - workspaceResourceId: logAnalyticsWorkspaceResourceId - } -} - var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) - dependsOn: [securitySolution] params: { name: dataCollectionRulesResourceName tags: tags @@ -601,17 +586,6 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- name: 'perfCounterDataSource60' } ] - windowsEventLogs: [ - { - name: 'SecurityAuditEvents' - streams: [ - 'Microsoft-SecurityEvent' - ] - xPathQueries: [ - 'Security!*[System[(EventID=4624 or EventID=4625)]]' - ] - } - ] } destinations: { logAnalytics: [ @@ -630,14 +604,6 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'la-${dataCollectionRulesResourceName}' ] } - { - streams: [ - 'Microsoft-SecurityEvent' - ] - destinations: [ - 'la-${dataCollectionRulesResourceName}' - ] - } ] } } diff --git a/infra/main.json b/infra/main.json index 7e459623..5835bd09 100644 --- a/infra/main.json +++ b/infra/main.json 
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "16804124823752948659" + "templateHash": "17498808897015217801" }, "name": "Modernize Your Code Solution Accelerator", "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n" @@ -308,25 +308,6 @@ "resourceGroup": "[variables('existingLawResourceGroup')]", "name": "[variables('existingLawName')]" }, - "securitySolution": { - "condition": "[and(parameters('enablePrivateNetworking'), parameters('enableMonitoring'))]", - "type": "Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "name": "[format('Security(log-{0})', variables('solutionSuffix'))]", - "location": "[parameters('location')]", - "plan": { - "name": "[format('Security(log-{0})', variables('solutionSuffix'))]", - "publisher": "Microsoft", - "product": "OMSGallery/Security", - "promotionCode": "" - }, - "properties": { - "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, "appIdentity": { "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", @@ -13120,11 +13101,11 @@ }, "dependsOn": [ "applicationInsights", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", "dataCollectionEndpoint", "logAnalyticsWorkspace", "virtualNetwork" 
@@ -15370,17 +15351,6 @@ ], "name": "perfCounterDataSource60" } - ], - "windowsEventLogs": [ - { - "name": "SecurityAuditEvents", - "streams": [ - "Microsoft-SecurityEvent" - ], - "xPathQueries": [ - "Security!*[System[(EventID=4624 or EventID=4625)]]" - ] - } ] }, "destinations": { @@ -15399,14 +15369,6 @@ "destinations": [ "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" ] - }, - { - "streams": [ - "Microsoft-SecurityEvent" - ], - "destinations": [ - "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" - ] } ] } @@ -16616,8 +16578,7 @@ "dependsOn": [ "dataCollectionEndpoint", "existingLogAnalyticsWorkspace", - "logAnalyticsWorkspace", - "securitySolution" + "logAnalyticsWorkspace" ] }, "proximityPlacementGroup": { @@ -32056,8 +32017,8 @@ }, "dependsOn": [ "aiServices", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", "virtualNetwork" ] diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep index b4886690..938ca3e5 100644 --- a/infra/main_custom.bicep +++ b/infra/main_custom.bicep 
@@ -422,27 +422,12 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi } } -resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) { - name: 'Security(log-${solutionSuffix})' - location: location - plan: { - name: 'Security(log-${solutionSuffix})' - publisher: 'Microsoft' - product: 'OMSGallery/Security' - promotionCode: '' - } - properties: { - workspaceResourceId: logAnalyticsWorkspaceResourceId - } -} - var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) - dependsOn: [securitySolution] params: { name: dataCollectionRulesResourceName tags: tags @@ -512,7 +497,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- { name: 'SecurityAuditEvents' streams: [ - 'Microsoft-SecurityEvent' + 'Microsoft-WindowsEvent' ] xPathQueries: [ 'Security!*[System[(EventID=4624 or EventID=4625)]]' @@ -539,14 +524,6 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- transformKql: 'source' outputStream: 'Microsoft-Perf' } - { - streams: [ - 'Microsoft-SecurityEvent' - ] - destinations: [ - 'la-${dataCollectionRulesResourceName}' - ] - } ] } } From fdf9237b4a1aa4f811778a193604c4974e07fd6f Mon Sep 17 00:00:00 2001 
From: Prachig-Microsoft Date: Tue, 19 May 2026 12:46:44 +0530 Subject: [PATCH 3/4] fix: use Microsoft-Event stream with audit keyword xPath filter Address PR review: keep the Windows Security event DCR but use the always-available 'Microsoft-Event' stream (Event table) instead of 'Microsoft-SecurityEvent' (which requires Sentinel). Apply the reviewer-suggested xPathQueries filter 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' in both main.bicep and main_custom.bicep, and add the matching dataflow. --- infra/main.bicep | 21 +++++++++++++++++++++ infra/main.json | 27 ++++++++++++++++++++++++--- infra/main_custom.bicep | 14 ++++++++++++-- 3 files changed, 57 insertions(+), 5 deletions(-) diff --git a/infra/main.bicep b/infra/main.bicep index 5c0225d3..d08fe517 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -586,6 +586,17 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- name: 'perfCounterDataSource60' } ] + windowsEventLogs: [ + { + name: 'SecurityAuditEvents' + streams: [ + 'Microsoft-Event' + ] + xPathQueries: [ + 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' + ] + } + ] } destinations: { logAnalytics: [ @@ -604,6 +615,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'la-${dataCollectionRulesResourceName}' ] } + { + streams: [ + 'Microsoft-Event' + ] + destinations: [ + 'la-${dataCollectionRulesResourceName}' + ] + transformKql: 'source' + outputStream: 'Microsoft-Event' + } ] } } diff --git a/infra/main.json b/infra/main.json index 5835bd09..1d783fed 100644 --- a/infra/main.json +++ b/infra/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "17498808897015217801" + "templateHash": "16719390237009495333" }, "name": "Modernize Your Code Solution Accelerator", "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n" 
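Review bot: The `xPathQueries` entry `Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]` carries an unexplained magic number; 13510798882111488 is 0x30000000000000, the Audit Success (0x20000000000000) | Audit Failure (0x10000000000000) keyword mask, so the rule now ships every Security audit event except successful logons, not the 4624/4625 pair the earlier filter targeted. That is both a large widening of ingest volume and a complete loss of successful-logon records, which the SFI item behind this series may or may not accept, so the trade-off belongs next to the query, e.g. `// Keywords 0x30000000000000 = Audit Success | Audit Failure (all Security audit events); 4624 excluded to cap volume`. The same query is written into main_custom.bicep in this patch and needs the same comment. The windowsVmDataCollectionRules module body continues outside the hunk.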
@@ -13101,11 +13101,11 @@ }, "dependsOn": [ "applicationInsights", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]", "dataCollectionEndpoint", "logAnalyticsWorkspace", "virtualNetwork" @@ -15351,6 +15351,17 @@ ], "name": "perfCounterDataSource60" } + ], + "windowsEventLogs": [ + { + "name": "SecurityAuditEvents", + "streams": [ + "Microsoft-Event" + ], + "xPathQueries": [ + "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]" + ] + } ] }, "destinations": { @@ -15369,6 +15380,16 @@ "destinations": [ "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" ] + }, + { + "streams": [ + "Microsoft-Event" + ], + "destinations": [ + "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" + ], + "transformKql": "source", + "outputStream": "Microsoft-Event" } ] } @@ -40484,8 +40505,8 @@ }, "dependsOn": [ "appIdentity", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]", "logAnalyticsWorkspace", "virtualNetwork" ] diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep index 938ca3e5..a0770636 100644 --- a/infra/main_custom.bicep +++ b/infra/main_custom.bicep 
@@ -497,10 +497,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- { name: 'SecurityAuditEvents' streams: [ - 'Microsoft-WindowsEvent' + 'Microsoft-Event' ] xPathQueries: [ - 'Security!*[System[(EventID=4624 or EventID=4625)]]' + 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' ] } ] @@ -524,6 +524,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- transformKql: 'source' outputStream: 'Microsoft-Perf' } + { + streams: [ + 'Microsoft-Event' + ] + destinations: [ + 'la-${dataCollectionRulesResourceName}' + ] + transformKql: 'source' + outputStream: 'Microsoft-Event' + } ] } } From 6d62c07cad9e9a97e08f2aabc2f36a762b860ca2 Mon Sep 17 00:00:00 2001 From: Prachig-Microsoft Date: Wed, 20 May 2026 13:49:25 +0530 Subject: [PATCH 4/4] fix: enforce HTTPS-only ingress and refactor DCR destination name - Set ingressAllowInsecure: false on backend and frontend container apps in main.bicep and main_custom.bicep (SFI: disallow plain HTTP at public ingress). - Extract DCR Log Analytics destination name into a new variable 'dcrLogAnalyticsDestinationName' and use it across the destination definition and dataflows in both bicep files. --- infra/main.bicep | 9 ++++++--- infra/main.json | 16 +++++++++++----- infra/main_custom.bicep | 9 ++++++--- 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/infra/main.bicep b/infra/main.bicep index d08fe517..2c158227 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
@@ -518,6 +518,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location +var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination' module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) params: { @@ -602,7 +603,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- logAnalytics: [ { workspaceResourceId: logAnalyticsWorkspaceResourceId - name: 'la-${dataCollectionRulesResourceName}' + name: dcrLogAnalyticsDestinationName } ] } @@ -612,7 +613,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Perf' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] } { @@ -620,7 +621,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Event' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] transformKql: 'source' outputStream: 'Microsoft-Event' @@ -1098,6 +1099,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = { ] ingressTargetPort: 8000 ingressExternal: true + ingressAllowInsecure: false scaleSettings: { // maxReplicas: enableScalability ? 3 : 1 maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment @@ -1153,6 +1155,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = { ] ingressTargetPort: 3000 ingressExternal: true + ingressAllowInsecure: false scaleSettings: { maxReplicas: enableScalability ? 3 : 1 minReplicas: 1 diff --git a/infra/main.json b/infra/main.json index 1d783fed..624cf877 100644 --- a/infra/main.json 
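Review bot: `var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination'` builds a DCR destination name from the workspace name, which on the existing-workspace path is a caller-supplied value (the compiled main.json resolves it to `variables('existingLawName')`), whereas the name it replaces was derived from `dataCollectionRulesResourceName`, a value the template controls and already bounds with `take(..., 64)` for the module name. DCR destination names have their own character and length constraints, which I have not checked against the 0.11.0 module schema here, so an unusually long or unusually named existing workspace would only surface as a deployment failure. Wrapping the value in `take()` or keeping the suffix-based name would keep the destination name under the template's control; the same variable and its three references are introduced in main_custom.bicep in this patch.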
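Review bot: `ingressAllowInsecure: false` on containerAppBackend and containerAppFrontend closes plain HTTP at the Container Apps ingress, but the backend keeps `ingressExternal: true` on the context line just above it, so the API on port 8000 stays reachable from the public ingress over HTTPS. If only the frontend calls the backend, `ingressExternal: false` would remove it from the public endpoint altogether; if browsers call it directly, the exposure is intended and a comment such as `// public by design: called directly by the frontend` is all that is needed — the hunk does not show which applies. With allowInsecure false the platform redirects HTTP to HTTPS rather than refusing it, so HSTS, a response header set by the applications rather than by this template, is what keeps a client's first request off clear HTTP. The same two lines are added in main_custom.bicep in this patch. Both container-app module bodies start and end outside the hunks.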
+++ b/infra/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "16719390237009495333" + "templateHash": "18156607440911418905" }, "name": "Modernize Your Code Solution Accelerator", "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n" @@ -15368,7 +15368,7 @@ "logAnalytics": [ { "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]", - "name": "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" + "name": "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]" } ] }, @@ -15378,7 +15378,7 @@ "Microsoft-Perf" ], "destinations": [ - "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" + "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]" ] }, { @@ -15386,7 +15386,7 @@ "Microsoft-Event" ], "destinations": [ - "[format('la-{0}', variables('dataCollectionRulesResourceName'))]" + "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]" ], "transformKql": "source", "outputStream": "Microsoft-Event" @@ -32039,8 +32039,8 @@ "dependsOn": [ "aiServices", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "virtualNetwork" ] }, 
@@ -47998,6 +47998,9 @@ "ingressExternal": { "value": true }, + "ingressAllowInsecure": { + "value": false + }, "scaleSettings": { "value": { "maxReplicas": 1, @@ -49572,6 +49575,9 @@ "ingressExternal": { "value": true }, + "ingressAllowInsecure": { + "value": false + }, "scaleSettings": { "value": { "maxReplicas": "[if(parameters('enableScalability'), 3, 1)]", diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep index a0770636..1db40cd7 100644 --- a/infra/main_custom.bicep +++ b/infra/main_custom.bicep @@ -426,6 +426,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = useExistingLogAnalytics ? existingLogAnalyticsWorkspace!.location : logAnalyticsWorkspace!.outputs.location +var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination' module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) params: { @@ -509,7 +510,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- logAnalytics: [ { workspaceResourceId: logAnalyticsWorkspaceResourceId - name: 'la-${dataCollectionRulesResourceName}' + name: dcrLogAnalyticsDestinationName } ] } @@ -519,7 +520,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Perf' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] transformKql: 'source' outputStream: 'Microsoft-Perf' @@ -529,7 +530,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Event' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] transformKql: 'source' outputStream: 'Microsoft-Event' 
@@ -1032,6 +1033,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = { ] ingressTargetPort: 8000 ingressExternal: true + ingressAllowInsecure: false scaleSettings: { // maxReplicas: enableScalability ? 3 : 1 maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment @@ -1095,6 +1097,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = { ] ingressTargetPort: 3000 ingressExternal: true + ingressAllowInsecure: false scaleSettings: { maxReplicas: enableScalability ? 3 : 1 minReplicas: 1