Merge pull request #21 from Azure-Samples/improve_security

Improve security
Azure-Samples · Jun 7, 2024 · 3fab440 · 3fab440
2 parents dbbf413 + 210e96b
commit 3fab440
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 26 deletions.
diff --git a/Bicep/main.bicep b/Bicep/main.bicep
@@ -54,9 +54,6 @@ module acrDeploy 'modules/acr/acr.bicep' = {
   }
 }
 
-/*
-// Uncomment this to configure log analytics workspace
-
 module akslaworkspace 'modules/laworkspace/la.bicep' = {
   scope: resourceGroup(rg.name)
   name: 'akslaworkspace'
@@ -65,7 +62,7 @@ module akslaworkspace 'modules/laworkspace/la.bicep' = {
     location: location
   }
 }
-*/
+
 
 resource subnetaks 'Microsoft.Network/virtualNetworks/subnets@2020-11-01' existing = {
   name: 'aksSubNet'
@@ -103,6 +100,7 @@ module aksCluster 'modules/aks/aks.bicep' = {
       '${aksIdentity.outputs.identityid}' : {}
     }
     principalId: aksIdentity.outputs.principalId
+    workspaceId: akslaworkspace.outputs.laworkspaceId
   }
 }
 
@@ -127,7 +125,6 @@ module keyvault 'modules/keyvault/keyvault.bicep'={
     location:location
     principalId:aksIdentity.outputs.principalId
     cosmosEndpoint: cosmosdb.outputs.cosmosEndpoint
+    workspaceId: akslaworkspace.outputs.laworkspaceId
   }
-
 }
-
diff --git a/Bicep/modules/aks/aks.bicep b/Bicep/modules/aks/aks.bicep
@@ -8,19 +8,18 @@ param location string = resourceGroup().location
 param podBindingSelector string
 param podIdentityName string
 param podIdentityNamespace string
+param workspaceId string
 
-//param logworkspaceid string  // Uncomment this to configure log analytics workspace
 
-
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-06-02-preview' = {
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
   name: '${basename}aks'
   location: location
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: identity   
   }
   properties: {
-    kubernetesVersion: '1.22.11'
+    kubernetesVersion: '1.29'
     nodeResourceGroup: '${basename}-aksInfraRG'
     dnsPrefix: '${basename}aks'
     agentPoolProfiles: [
@@ -45,27 +44,26 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-06-02-previ
       loadBalancerSku: 'standard'
       networkPlugin: 'azure'
       outboundType: 'loadBalancer'
-      dockerBridgeCidr: '172.17.0.1/16'
       dnsServiceIP: '10.0.0.10'
       serviceCidr: '10.0.0.0/16'
-
     }
     apiServerAccessProfile: {
       enablePrivateCluster: false
     }
     enableRBAC: true
     enablePodSecurityPolicy: false
     addonProfiles:{
-      /*
-	  // Uncomment this to configure log analytics workspace
-	  omsagent: {
+	    omsagent: {
         config: {
-          logAnalyticsWorkspaceResourceID: logworkspaceid
+          logAnalyticsWorkspaceResourceID: workspaceId
         }
         enabled: true
-      }*/
+      }
       azureKeyvaultSecretsProvider: {
         enabled: true
+        config: {
+          enableSecretRotation: 'true'
+        }
       }
       azurepolicy: {
         enabled: false
@@ -95,16 +93,46 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-06-02-previ
       ]
     }
     disableLocalAccounts: false
-  }
+    autoUpgradeProfile: {
+      upgradeChannel: 'stable'
+    }
+    securityProfile: {
+      defender: {
+        logAnalyticsWorkspaceResourceId: workspaceId
+        securityMonitoring: {
+          enabled: true
+        }
+      }
+    }
+  } 
 }
 
 
 
+var aksDiagCategories = [
+  'cluster-autoscaler'
+  'kube-controller-manager'
+  'kube-audit-admin'
+  'guard'
+]
 
-
-
-
-
-
-
-
+// TODO: Update diagnostics to be its own module
+// Blocking issue: https://github.com/Azure/bicep/issues/622
+// Unable to pass in a `resource` scope or unable to use string interpolation in resource types
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
+  name: 'aks-diagnostics'
+  scope: aksCluster
+  properties: {
+    workspaceId: workspaceId
+    logs: [for category in aksDiagCategories: {
+      category: category
+      enabled: true
+    }]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
+  }
+}
diff --git a/Bicep/modules/cosmos/cosmos.bicep b/Bicep/modules/cosmos/cosmos.bicep
@@ -33,7 +33,7 @@ var locations = [
 var roleDefinitionId = guid('sql-role-definition-', principalId, databaseAccount.id)
 var roleAssignmentId = guid(roleDefinitionId, principalId, databaseAccount.id)
 
-resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2022-05-15' = {
+resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
   name: accountName
   kind: 'GlobalDocumentDB'
   location: location
@@ -54,6 +54,8 @@ resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2022-05-15' = {
               ignoreMissingVNetServiceEndpoint: false
           }
       ]
+    minimalTlsVersion: 'Tls12'
+    disableKeyBasedMetadataWriteAccess: true
   }
 }
 output cosmosEndpoint string = databaseAccount.name

diff --git a/Bicep/modules/keyvault/keyvault.bicep b/Bicep/modules/keyvault/keyvault.bicep
@@ -2,6 +2,7 @@ param cosmosEndpoint string
 param location string = resourceGroup().location
 param principalId string
 param basename string
+param workspaceId string
 
 resource keyvault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: '${basename}kv'
@@ -41,6 +42,20 @@ resource keyvault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   }
 }
 
+resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'logs'
+  scope: keyvault
+  properties: {
+    workspaceId: workspaceId
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+  }
+}
+
 
 resource kvSecretCosmosEndpoint 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
   name: 'CosmosEndpoint'