Vnet injection tutorial (#46)

* Updated Solution with a vnet injection sample.

* Added blob public storage feature enablement.

* Updated deploy template.

README.md

@@ -208,6 +208,19 @@ azd env set _VPN_SHARED_KEY <your_shared_key>
 ```
 
 
+#### Feature: Public Blob Access
+
+__Purpose:__ Control public access to Blob Storage.
+
+__Details:__ The Storage accounts have public access points that can be enabled or disabled to enhance security.
+
+__How to Disable:__
+
+```bash
+azd env set ENABLE_BLOB_PUBLIC_ACCESS false
+```
+
+
 ### Deployment Commands
 
 Efficiently manage the resources with these Azure Developer CLI commands. They are designed to streamline the deployment process, allowing for a smooth setup and teardown of your environment.
@@ -269,6 +282,13 @@ Our GitOps configuration resides in this Git repository and uses a customized [r
 
 Our GitOps approach simplifies the process of deploying and managing software, making it easier to maintain and update, as well as providing a configurable way of leveraging other software configurations by pointing to alternate repositories hosting other configurations. By leveraging this method, we ensure that our deployments can be extended to things that not only include the default software load. 
 
+## Customizations
+
+There are many things that can be done to customize the deployment.  One example of this might be virtual network injection.
+
+See [this tutorial](docs/vnet-injection.md) for how a customization like this might be performed.
+
+
 ## Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a

bicep/main.bicep

@@ -221,6 +221,21 @@ param virtualNetworkName string = 'osdu-network'
 @description('Resource group of the VNet (Optional: If exiting Network is selected)')
 param virtualNetworkResourceGroup string = 'osdu-network'
 
+@minLength(9)
+@maxLength(18)
+@description('The address range to use for services')
+param serviceCidr string = '172.16.0.0/16'
+
+@minLength(9)
+@maxLength(18)
+@description('The address range to use for the docker bridge')
+param dockerBridgeCidr string = '172.17.0.1/16'
+
+@minLength(7)
+@maxLength(15)
+@description('The IP address to reserve for DNS')
+param dnsServiceIP string = '172.16.0.10'
+
 var nsgRules = {
   ssh_outbound: {
     name: 'AllowSshOutbound'
@@ -390,7 +405,7 @@ var subnets = {
         service: 'Microsoft.ContainerRegistry'
       }
     ]
-    networkSecurityGroupResourceId: clusterNetworkSecurityGroup.outputs.resourceId
+    networkSecurityGroupResourceId: virtualNetworkNewOrExisting == 'new' ? clusterNetworkSecurityGroup.outputs.resourceId :null
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Network Contributor'
@@ -402,7 +417,7 @@ var subnets = {
   pods: {
     name: podSubnetName
     addressPrefix: podSubnetAddressPrefix
-    networkSecurityGroupResourceId: clusterNetworkSecurityGroup.outputs.resourceId
+    networkSecurityGroupResourceId: virtualNetworkNewOrExisting == 'new' ? clusterNetworkSecurityGroup.outputs.resourceId :null
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Network Contributor'
@@ -440,7 +455,7 @@ var subnets = {
   }
 }
 
-module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = {
+module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (virtualNetworkNewOrExisting == 'new') {
   name: '${commonLayerConfig.name}-network-security-group-cluster'
   params: {
     name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-aks'
@@ -460,7 +475,7 @@ module clusterNetworkSecurityGroup 'br/public:avm/res/network/network-security-g
   }
 }
 
-module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (enableBastion) {
+module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (virtualNetworkNewOrExisting == 'new' && enableBastion) {
   name: '${commonLayerConfig.name}-network-security-group-bastion'
   params: {
     name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-bastion'
@@ -485,7 +500,7 @@ module bastionNetworkSecurityGroup 'br/public:avm/res/network/network-security-g
   }
 }
 
-module machineNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (enableBastion) {
+module machineNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.1.0' = if (virtualNetworkNewOrExisting == 'new' && enableBastion) {
   name: '${commonLayerConfig.name}-network-security-group-manage'
   params: {
     name: 'nsg-common${uniqueString(resourceGroup().id, 'common')}-vm'
@@ -501,7 +516,7 @@ module machineNetworkSecurityGroup 'br/public:avm/res/network/network-security-g
   }
 }
 
-module network 'br/public:avm/res/network/virtual-network:0.1.0' = {
+module network 'br/public:avm/res/network/virtual-network:0.1.0' = if (virtualNetworkNewOrExisting == 'new') {
   name: '${commonLayerConfig.name}-virtual-network'
   params: {
     name: 'vnet-common${uniqueString(resourceGroup().id, 'common')}'
@@ -781,6 +796,9 @@ module vaultEndpoint './modules/private-endpoint/main.bicep' = if (enablePrivate
 |_______/       |__|      \______/  | _| `._____/__/     \__\ \______| |_______|                                                                 
 */
 
+@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.')
+param enableBlobPublicAccess bool = true
+
 var storageDNSZoneForwarder = 'blob.${environment().suffixes.storage}'
 var storageDnsZoneName = 'privatelink.${storageDNSZoneForwarder}'
 
@@ -803,6 +821,9 @@ module configStorage './modules/storage-account/main.bicep' = {
     sku: commonLayerConfig.storage.sku
     tables: commonLayerConfig.storage.tables
 
+    // Apply Security
+    allowBlobPublicAccess: enableBlobPublicAccess
+
     // Assign RBAC
     roleAssignments: [
       {
@@ -986,7 +1007,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:0.1.0' = if (enableBa
   name: '${manageLayerConfig.name}-bastion'
   params: {
     name: 'bh-${replace(manageLayerConfig.name, '-', '')}${uniqueString(resourceGroup().id, manageLayerConfig.name)}'
-    vNetId: network.outputs.resourceId
+    vNetId: vnetId[virtualNetworkNewOrExisting]
     location: location
     enableTelemetry: enableTelemetry
   }  
@@ -1290,6 +1311,9 @@ module partitionStorage './modules/storage-account/main.bicep' = [for (partition
     diagnosticWorkspaceId: logAnalytics.outputs.resourceId
     diagnosticLogsRetentionInDays: 0
 
+    // Apply Security
+    allowBlobPublicAccess: enableBlobPublicAccess
+
     // Configure Service
     sku: partitionLayerConfig.storage.sku
     containers: concat(partitionLayerConfig.storage.containers, [partition.name])
@@ -1452,7 +1476,7 @@ var serviceLayerConfig = {
   cluster: {
     aksVersion: '1.28'
     meshVersion: 'asm-1-18'
-    networkPlugin: 'kubenet'
+    networkPlugin: enablePodSubnet ? 'azure' : 'kubenet'
   }
   gitops: {
     name: 'flux-system'
@@ -1508,6 +1532,11 @@ module cluster './modules/aks_cluster.bicep' = {
     identityId: stampIdentity.outputs.resourceId
     workspaceId: logAnalytics.outputs.resourceId
 
+    // Configure VNET Injection
+    serviceCidr: serviceCidr
+    dnsServiceIP: dnsServiceIP
+    dockerBridgeCidr: dockerBridgeCidr
+
     // Configure Istio
     serviceMeshProfile: 'Istio'
     istioRevision: serviceLayerConfig.cluster.meshVersion
@@ -1556,7 +1585,8 @@ module espool1 './modules/aks_agent_pool.bicep' = {
     availabilityZones: [
       '1'
     ]
-    subnetId: ''
+    subnetId: virtualNetworkNewOrExisting != 'new' ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' : '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' 
+    podSubnetId: virtualNetworkNewOrExisting != 'new' && enablePodSubnet ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${podSubnetName}' : ''
     nodeTaints: ['app=elasticsearch:NoSchedule']
     nodeLabels: {
       app: 'elasticsearch'
@@ -1575,7 +1605,8 @@ module espool2 './modules/aks_agent_pool.bicep' = {
     availabilityZones: [
       '2'
     ]
-    subnetId: ''
+    subnetId: virtualNetworkNewOrExisting != 'new' ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' : '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' 
+    podSubnetId: virtualNetworkNewOrExisting != 'new' && enablePodSubnet ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${podSubnetName}' : ''
     nodeTaints: ['app=elasticsearch:NoSchedule']
     nodeLabels: {
       app: 'elasticsearch'
@@ -1594,7 +1625,8 @@ module espool3 './modules/aks_agent_pool.bicep' = {
     availabilityZones: [
       '3'
     ]
-    subnetId: ''
+    subnetId: virtualNetworkNewOrExisting != 'new' ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' : '${vnetId[virtualNetworkNewOrExisting]}/subnets/${aksSubnetName}' 
+    podSubnetId: virtualNetworkNewOrExisting != 'new' && enablePodSubnet ? '${vnetId[virtualNetworkNewOrExisting]}/subnets/${podSubnetName}' : ''
     nodeTaints: ['app=elasticsearch:NoSchedule']
     nodeLabels: {
       app: 'elasticsearch'

bicep/main.parameters.json

@@ -1,33 +1,36 @@
 {
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-      "applicationClientId": {
-        "value": "${AZURE_CLIENT_ID}"
-      },
-      "enablePodSubnet": {
-        "value": "${ENABLE_POD_SUBNET}"
-      },
-      "enableVpnGateway": {
-        "value": "${ENABLE_VPN_GATEWAY}"
-      },
-      "enableBastion": {
-        "value": "${ENABLE_BASTION}"
-      },
-      "vpnSharedKey": {
-        "value": "${VPN_SHARED_KEY}"
-      },
-      "remoteVpnAddress": {
-        "value": "${REMOTE_VPN_ADDRESS}"
-      },
-      "remoteNetworkPrefix": {
-        "value": "${REMOTE_NETWORK_PREFIX}"
-      },
-      "softwareRepository": {
-        "value": "${SOFTWARE_REPOSITORY}"
-      },
-      "softwareBranch": {
-        "value": "${SOFTWARE_BRANCH}"
-      }
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "applicationClientId": {
+      "value": "${AZURE_CLIENT_ID}"
+    },
+    "enablePodSubnet": {
+      "value": "${ENABLE_POD_SUBNET}"
+    },
+    "enableVpnGateway": {
+      "value": "${ENABLE_VPN_GATEWAY}"
+    },
+    "enableBastion": {
+      "value": "${ENABLE_BASTION}"
+    },
+    "enableBlobPublicAccess": {
+      "value": "${ENABLE_BLOB_PUBLIC_ACCESS}"
+    },
+    "vpnSharedKey": {
+      "value": "${VPN_SHARED_KEY}"
+    },
+    "remoteVpnAddress": {
+      "value": "${REMOTE_VPN_ADDRESS}"
+    },
+    "remoteNetworkPrefix": {
+      "value": "${REMOTE_NETWORK_PREFIX}"
+    },
+    "softwareRepository": {
+      "value": "${SOFTWARE_REPOSITORY}"
+    },
+    "softwareBranch": {
+      "value": "${SOFTWARE_BRANCH}"
     }
-  }
+  }
+}

bicep/modules/aks_agent_pool.bicep

@@ -33,6 +33,9 @@ param nodeLabels object = {}
 @description('The subnet the node pool will use')
 param subnetId string
 
+@description('The subnet the pods will use')
+param podSubnetId string
+
 @description('OS Type for the node pool')
 @allowed([
   'Linux'
@@ -61,6 +64,7 @@ resource nodepool 'Microsoft.ContainerService/managedClusters/agentPools@2023-10
     maxPods: maxPods
     type: 'VirtualMachineScaleSets'
     vnetSubnetID: !empty(subnetId) ? subnetId : null
+    podSubnetID: !empty(podSubnetId) ? podSubnetId : null
     upgradeSettings: {
       maxSurge: '33%'
     }

bicep/modules/aks_cluster.bicep

@@ -476,6 +476,7 @@ var userPoolProfile = {
   enableAutoScaling: true
   maxPods: userPoolPresets[clusterSize].maxPods
   vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
+  podSubnetID: !empty(aksPodSubnetId) ? aksPodSubnetId : null
   upgradeSettings: {
     maxSurge: '33%'
   }

bicep/modules/storage-account/main.bicep

@@ -143,6 +143,9 @@ param cmekConfiguration object = {
 @maxValue(365)
 param deleteRetention int = 0
 
+@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.')
+param allowBlobPublicAccess bool = false
+
 var enableCMEK = !empty(cmekConfiguration.kvUrl) && !empty(cmekConfiguration.keyName) && !empty(cmekConfiguration.identityId) ? true : false
 
 var diagnosticsLogs = [for log in logsToEnable: {
@@ -222,6 +225,8 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
       keySource: 'Microsoft.Storage'
     }
 
+    allowBlobPublicAccess: allowBlobPublicAccess
+
     networkAcls: enablePrivateLink ? {
       bypass: 'AzureServices'
       defaultAction: 'Deny'

bicep/modules/storage-account/test/main.test.bicep

@@ -13,7 +13,7 @@ param location string = resourceGroup().location
 module storage '../main.bicep' = {
   name: 'storage_account'
   params: {
-    resourceName: resourceName
+    name: 'sa${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
     location: location
     sku: 'Standard_LRS'
   }