From 2dff5dd5ad1a1f9184837b791e3daa3bdbfcd994 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?=
Date: Mon, 13 Dec 2021 19:55:48 +0100
Subject: [PATCH 01/24] Updated key vault
---
 .../vaults/.parameters/parameters.json | 188 ++++++++++--------
 arm/Microsoft.KeyVault/vaults/readme.md | 94 ++++-----
 2 files changed, 149 insertions(+), 133 deletions(-)
diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
index 66f042ed63..b54aebe151 100644
--- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
+++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
-"value": "sxx-az-kv-x-001"
+"value": "sxx-az-kv-x-001-ee"
 },
 "softDeleteRetentionInDays": {
 "value": 7
@@ -11,95 +11,111 @@
 "enableRbacAuthorization": {
 "value": false
 },
-"roleAssignments": {
+"privateEndpoints": {
 "value": [
 {
-"roleDefinitionIdOrName": "Reader",
-"principalIds": [
-"<>"
-]
+"subnetResourceId": "/subscriptions/a7439831-1cd9-435d-a091-4aa863c96556/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+"service": "vault"
 }
 ]
 },
-"secrets": {
-"value": [
-{
-"name": "secretName",
-"value": "secretValue",
-"contentType": "Something",
-"attributesNbf": 10000,
-"roleAssignments": [
-{
-"roleDefinitionIdOrName": "Reader",
-"principalIds": [
-"<>"
-]
-}
-]
-}
-]
-},
-"keys": {
-"value": [
-{
-"name": "keyName",
-"attributesNbf": 10000,
-"roleAssignments": [
-{
-"roleDefinitionIdOrName": "Reader",
-"principalIds": [
-"<>"
-]
-}
-]
-}
-]
-},
-"accessPolicies": {
-"value": [
-{
-"objectId": "<>",
-"permissions": {
-"keys": [
-"get",
-"list",
-"update"
-],
-"secrets": [
-"all"
-]
-},
-"tenantId": "<>"
-},
-{
-"objectId": "<>",
-"permissions": {
-"certificates": [
-"backup",
-"create",
-"delete"
-],
-"secrets": [
-"all"
-]
-}
-}
-]
-},
-"diagnosticLogsRetentionInDays": {
-"value": 7
-},
-"diagnosticStorageAccountId": {
-"value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001"
-},
-"workspaceId": {
-"value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001"
-},
-"eventHubAuthorizationRuleId": {
-"value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
-},
-"eventHubName": {
-"value": "adp-sxx-az-evh-x-001"
+"networkAcls": {
+"value": {
+"bypass": "AzureServices",
+"defaultAction": "Deny",
+"virtualNetworkRules": [],
+"ipRules": []
+}
 }
+// "roleAssignments": {
+// "value": [
+// {
+// "roleDefinitionIdOrName": "Reader",
+// "principalIds": [
+// "<>"
+// ]
+// }
+// ]
+// },
+// "secrets": {
+// "value": [
+// {
+// "name": "secretName",
+// "value": "secretValue",
+// "contentType": "Something",
+// "attributesNbf": 10000,
+// "roleAssignments": [
+// {
+// "roleDefinitionIdOrName": "Reader",
+// "principalIds": [
+// "<>"
+// ]
+// }
+// ]
+// }
+// ]
+// },
+// "keys": {
+// "value": [
+// {
+// "name": "keyName",
+// "attributesNbf": 10000,
+// "roleAssignments": [
+// {
+// "roleDefinitionIdOrName": "Reader",
+// "principalIds": [
+// "<>"
+// ]
+// }
+// ]
+// }
+// ]
+// },
+// "accessPolicies": {
+// "value": [
+// {
+// "objectId": "<>",
+// "permissions": {
+// "keys": [
+// "get",
+// "list",
+// "update"
+// ],
+// "secrets": [
+// "all"
+// ]
+// },
+// "tenantId": "<>"
+// },
+// {
+// "objectId": "<>",
+// "permissions": {
+// "certificates": [
+// "backup",
+// "create",
+// "delete"
+// ],
+// "secrets": [
+// "all"
+// ]
+// }
+// }
+// ]
+// },
+// "diagnosticLogsRetentionInDays": {
+// "value": 7
+// },
+// "diagnosticStorageAccountId": {
+// "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001"
+// },
+// "workspaceId": {
+// "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001"
+// },
+// "eventHubAuthorizationRuleId": {
+// "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+// },
+// "eventHubName": {
+// "value": "adp-sxx-az-evh-x-001"
+// }
 }
-}
+}
\ No newline at end of file
diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md
index 4412b189f8..db8e767fb5 100644
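Review bot: The new `networkAcls` value is passed without a `vNetId`, which this commit's own readme hunk describes as mandatory whenever `networkAcls` is passed ("if networkAcls is passed, this value must be passed as well"); unless the template only reads `vNetId` for `virtualNetworkRules` (empty here), the validation deployment of this sample fails. With `"defaultAction": "Deny"` and both rule lists empty, the only remaining data-plane path is the private endpoint added above, which is the intended hardened shape and worth stating in the readme rather than leaving implicit. The `//` lines also turn a `.json` parameter file into JSONC; some ARM tooling tolerates that, but any strict JSON consumer in the pipeline (linters, `jq`, schema validation) rejects the file, so deleting the unused blocks or moving them to a second parameter file is safer. If `vNetId` is needed, `"vNetId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001" }` is the parent of the subnet id used in `privateEndpoints`.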
--- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -4,51 +4,51 @@ This module deploys a key vault and it's child resources. ## Resource types -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | 2016-09-01 | -| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | -| `Microsoft.KeyVault/vaults` | 2019-09-01 | -| `Microsoft.KeyVault/vaults/accessPolicies` | 2021-06-01-preview | -| `Microsoft.KeyVault/vaults/keys` | 2019-09-01 | -| `Microsoft.KeyVault/vaults/secrets` | 2019-09-01 | -| `Microsoft.Network/privateEndpoints` | 2021-05-01 | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | +| Resource Type | API Version | +| :-------------------------------------------------------- | :----------------- | +| `Microsoft.Authorization/locks` | 2016-09-01 | +| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | +| `Microsoft.KeyVault/vaults` | 2019-09-01 | +| `Microsoft.KeyVault/vaults/accessPolicies` | 2021-06-01-preview | +| `Microsoft.KeyVault/vaults/keys` | 2019-09-01 | +| `Microsoft.KeyVault/vaults/secrets` | 2019-09-01 | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | ## Parameters -| Parameter Name | Type | Default Value | Possible Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `accessPolicies` | _[accessPolicies](accessPolicies/readme.md)_ array | `[]` | | Optional. Array of access policies object | -| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | -| `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). 
This GUID must be previously registered | -| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | -| `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | -| `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | -| `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | -| `enableVaultForDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for deployment by script or compute | -| `enableVaultForDiskEncryption` | bool | `True` | `[True, False]` | Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | -| `enableVaultForTemplateDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for a template deployment | -| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| -| `keys` | _[keys](keys/readme.md)_ array | `[]` | | Optional. All keys to create | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | -| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | -| `logsToEnable` | array | `[AuditEvent]` | `[AuditEvent]` | Optional. The name of logs that will be streamed. | -| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | -| `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | -| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information | -| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | -| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | -| `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | -| `tags` | object | `{object}` | | Optional. Resource tags. | -| `vaultSku` | string | `premium` | `[premium, standard]` | Optional. Specifies the SKU for the vault | -| `vNetId` | string | | | Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well | -| `workspaceId` | string | | | Optional. Resource ID of log analytics. 
| +| Parameter Name | Type | Default Value | Possible Values | Description | +| :--------------------------------- | :------------------------------------------------- | :--------------------------- | :--------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `accessPolicies` | _[accessPolicies](accessPolicies/readme.md)_ array | `[]` | | Optional. Array of access policies object | +| `baseTime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | +| `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | +| `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. 
When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | +| `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | +| `enableVaultForDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for deployment by script or compute | +| `enableVaultForDiskEncryption` | bool | `True` | `[True, False]` | Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | +| `enableVaultForTemplateDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for a template deployment | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `keys` | _[keys](keys/readme.md)_ array | `[]` | | Optional. All keys to create | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[AuditEvent]` | `[AuditEvent]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. 
| +| `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. DefaultAction should set to Deny. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | +| `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `vaultSku` | string | `premium` | `[premium, standard]` | Optional. Specifies the SKU for the vault | +| `vNetId` | string | | | Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well | +| `workspaceId` | string | | | Optional. Resource ID of log analytics. | ### Parameter Usage: `roleAssignments` 
@@ -177,12 +177,12 @@ To use Private Endpoint the following dependencies must be deployed: ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `keyVaultName` | string | The name of the key vault. | +| Output Name | Type | Description | +| :---------------------- | :----- | :----------------------------------------------------------- | +| `keyVaultName` | string | The name of the key vault. | | `keyVaultResourceGroup` | string | The name of the resource group the key vault was created in. | -| `keyVaultResourceId` | string | The resource ID of the key vault. | -| `keyVaultUrl` | string | The URL of the key vault. | +| `keyVaultResourceId` | string | The resource ID of the key vault. | +| `keyVaultUrl` | string | The URL of the key vault. | ## Template references From 658d43c4b3319d0dde5a80d8c9f4e54b814a3bd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Tue, 14 Dec 2021 12:56:07 +0100 Subject: [PATCH 02/24] removed default value for attributesExp param within Key and secret subresources --- arm/Microsoft.KeyVault/vaults/keys/deploy.bicep | 4 ++-- arm/Microsoft.KeyVault/vaults/keys/readme.md | 2 +- arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep | 4 ++-- arm/Microsoft.KeyVault/vaults/secrets/readme.md | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep index 323472a0a4..879e6b0e19 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep 
@@ -10,8 +10,8 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') -param attributesExp int = -1 +@description('Required. Expiry date in seconds since 1970-01-01T00:00:00Z.') +param attributesExp int @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') param attributesNbf int = -1 diff --git a/arm/Microsoft.KeyVault/vaults/keys/readme.md b/arm/Microsoft.KeyVault/vaults/keys/readme.md index c12ac3ddfe..d581f4b6b3 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/readme.md +++ b/arm/Microsoft.KeyVault/vaults/keys/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault key. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | | | Required. Expiry date in seconds since 1970-01-01T00:00:00Z. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `curveName` | string | `P-256` | `[P-256, P-256K, P-384, P-521]` | Optional. The elliptic curve name. | diff --git a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep index c074035a49..45c512cd51 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep 
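Review bot: Dropping the default turns `attributesExp` into a required parameter of the `keys` child module, which breaks every existing caller that omitted it; the vault module's sample `keys`/`secrets` objects in `.parameters/parameters.json` (patch 01) set only `attributesNbf`, so if the parent forwards those objects to the child unchanged, its validation deployment fails on this commit. The same change is made to `secrets/deploy.bicep` in the next hunk. If the intent is to force an expiry, either keep the default and validate it where the parent builds the child's parameters, or update the parent samples in the same commit; in either case the `@description` should say what the value is measured in and that `-1`/absent means no expiry, e.g. `@description('Required. Expiry date in seconds since 1970-01-01T00:00:00Z (Unix epoch). Keys without an expiry never rotate; set one.')`.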
@@ -10,8 +10,8 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') -param attributesExp int = -1 +@description('Required. Expiry date in seconds since 1970-01-01T00:00:00Z.') +param attributesExp int @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') param attributesNbf int = -1 diff --git a/arm/Microsoft.KeyVault/vaults/secrets/readme.md b/arm/Microsoft.KeyVault/vaults/secrets/readme.md index c9ef73a1f7..7de1d85f0a 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/readme.md +++ b/arm/Microsoft.KeyVault/vaults/secrets/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault secret. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | | | Required. Expiry date in seconds since 1970-01-01T00:00:00Z. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `contentType` | secureString | | | Optional. The content type of the secret. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | From 4f47bd162cf482814fb39a4740c05c275469807c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Wed, 15 Dec 2021 15:26:53 +0100 Subject: [PATCH 03/24] Updated key vault --- .../vaults/.parameters/parameters.json | 72 +++++++++---------- .../vaults/keys/deploy.bicep | 4 +- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- .../vaults/secrets/deploy.bicep | 4 +- 4 files changed, 41 insertions(+), 41 deletions(-) 
diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
index b54aebe151..83800ac1f8 100644
--- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
+++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
@@ -14,7 +14,7 @@
 "privateEndpoints": {
 "value": [
 {
-"subnetResourceId": "/subscriptions/a7439831-1cd9-435d-a091-4aa863c96556/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+"subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
 "service": "vault"
 }
 ]
@@ -26,7 +26,7 @@
 "virtualNetworkRules": [],
 "ipRules": []
 }
-}
+},
 // "roleAssignments": {
 // "value": [
 // {
@@ -37,40 +37,40 @@
 // }
 // ]
 // },
-// "secrets": {
-// "value": [
-// {
-// "name": "secretName",
-// "value": "secretValue",
-// "contentType": "Something",
-// "attributesNbf": 10000,
-// "roleAssignments": [
-// {
-// "roleDefinitionIdOrName": "Reader",
-// "principalIds": [
-// "<>"
-// ]
-// }
-// ]
-// }
-// ]
-// },
-// "keys": {
-// "value": [
-// {
-// "name": "keyName",
-// "attributesNbf": 10000,
-// "roleAssignments": [
-// {
-// "roleDefinitionIdOrName": "Reader",
-// "principalIds": [
-// "<>"
-// ]
-// }
-// ]
-// }
-// ]
-// },
+"secrets": {
+"value": [
+{
+"name": "secretName",
+"value": "secretValue",
+"contentType": "Something",
+"attributesNbf": 10000,
+"roleAssignments": [
+{
+"roleDefinitionIdOrName": "Reader",
+"principalIds": [
+"<>"
+]
+}
+]
+}
+]
+},
+"keys": {
+"value": [
+{
+"name": "keyName",
+"attributesNbf": 10000,
+"roleAssignments": [
+{
+"roleDefinitionIdOrName": "Reader",
+"principalIds": [
+"<>"
+]
+}
+]
+}
+]
+}
 // "accessPolicies": {
 // "value": [
 // {
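Review bot: `"value": "secretValue"` under the re-enabled `secrets` block puts a plaintext secret value into a committed parameter file; it is a placeholder here, but the file uses `<>` for every other value that must not be committed, and a real value pasted into this slot would land in git history exactly as the subscription id that the first hunk now scrubs did. Use the `<>` placeholder for the sample, and for non-test parameter files the `reference` form (`"value"` replaced by `"reference": { "keyVault": { "id": "<key vault resource id>" }, "secretName": "<secret name>" }`) so the value is resolved at deployment time. The re-enabled `keys` block now ends with a bare `}` directly before the still-commented `// "accessPolicies"` entry, so the comma has to be added when that block is uncommented.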
diff --git a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep index 879e6b0e19..323472a0a4 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep @@ -10,8 +10,8 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Required. Expiry date in seconds since 1970-01-01T00:00:00Z.') -param attributesExp int +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') param attributesNbf int = -1 diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index db8e767fb5..6f9e11894d 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -41,7 +41,7 @@ This module deploys a key vault and it's child resources. | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | | `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. DefaultAction should set to Deny. | -| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. Security recommendation is to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | | `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | diff --git a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep index 45c512cd51..c074035a49 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep 
@@ -10,8 +10,8 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Required. Expiry date in seconds since 1970-01-01T00:00:00Z.') -param attributesExp int +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') param attributesNbf int = -1 From 349f9f70f560ce074575b49a2e74bafda8eb5610 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Wed, 15 Dec 2021 15:34:41 +0100 Subject: [PATCH 04/24] Testing parameters --- .../vaults/.parameters/parameters.json | 114 +++++++++--------- 1 file changed, 58 insertions(+), 56 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index 83800ac1f8..c0b8b532e6 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -27,22 +27,23 @@ "ipRules": [] } }, - // "roleAssignments": { - // "value": [ - // { - // "roleDefinitionIdOrName": "Reader", - // "principalIds": [ - // "<>" - // ] - // } - // ] - // }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] + }, "secrets": { "value": [ { "name": "secretName", "value": "secretValue", "contentType": "Something", + "attributesExp": 10000, "attributesNbf": 10000, "roleAssignments": [ { @@ -59,6 +60,7 @@ "value": [ { "name": "keyName", + "attributesExp": 10000, "attributesNbf": 10000, "roleAssignments": [ { 
@@ -70,52 +72,52 @@ ] } ] + }, + "accessPolicies": { + "value": [ + { + "objectId": "<>", + "permissions": { + "keys": [ + "get", + "list", + "update" + ], + "secrets": [ + "all" + ] + }, + "tenantId": "<>" + }, + { + "objectId": "<>", + "permissions": { + "certificates": [ + "backup", + "create", + "delete" + ], + "secrets": [ + "all" + ] + } + } + ] + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" + }, + "workspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + }, + "eventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "eventHubName": { + "value": "adp-sxx-az-evh-x-001" } - // "accessPolicies": { - // "value": [ - // { - // "objectId": "<>", - // "permissions": { - // "keys": [ - // "get", - // "list", - // "update" - // ], - // "secrets": [ - // "all" - // ] - // }, - // "tenantId": "<>" - // }, - // { - // "objectId": "<>", - // "permissions": { - // "certificates": [ - // "backup", - // "create", - // "delete" - // ], - // "secrets": [ - // "all" - // ] - // } - // } - // ] - // }, - // "diagnosticLogsRetentionInDays": { - // "value": 7 - // }, - // "diagnosticStorageAccountId": { - // "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" - // }, - // "workspaceId": { - // "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" - // }, - // "eventHubAuthorizationRuleId": { - // "value": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" - // }, - // "eventHubName": { - // "value": "adp-sxx-az-evh-x-001" - // } } } \ No newline at end of file From 9b24c5f75cc1b3ca029f440af0b3aa296399ce2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Mon, 17 Jan 2022 16:48:03 +0100 Subject: [PATCH 05/24] Updated key vault with security recommendations --- arm/Microsoft.KeyVault/vaults/keys/readme.md | 2 +- arm/Microsoft.KeyVault/vaults/secrets/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/keys/readme.md b/arm/Microsoft.KeyVault/vaults/keys/readme.md index d581f4b6b3..37eb3aeb13 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/readme.md +++ b/arm/Microsoft.KeyVault/vaults/keys/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault key. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | | | Required. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. Security recommendation is to set expiration date whenever possible.| | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `curveName` | string | `P-256` | `[P-256, P-256K, P-384, P-521]` | Optional. The elliptic curve name. | diff --git a/arm/Microsoft.KeyVault/vaults/secrets/readme.md b/arm/Microsoft.KeyVault/vaults/secrets/readme.md index 7de1d85f0a..79b954f47f 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/readme.md +++ b/arm/Microsoft.KeyVault/vaults/secrets/readme.md 
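Review bot: The second `accessPolicies` entry has no `tenantId` while the first sets `"tenantId": "<>"`; if the template does not default it (e.g. from `subscription().tenantId`), the deployment fails or the policy binds to the wrong tenant, so both entries should carry the key or neither should. Both entries also grant `"secrets": ["all"]`; this sample is what users copy, so listing the permissions actually needed (the `keys` entry already does with `get`, `list`, `update`) is the better default, with `all` left to callers who consciously want it. The `attributesExp: 10000` values added in the first hunk of this file are an epoch in January 1970, equal to `attributesNbf`, so the sample secret and key are created already expired.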
@@ -14,7 +14,7 @@ This module deploys a key vault secret. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | | | Required. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. Security recommendation is to set expiration date whenever possible. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `contentType` | secureString | | | Optional. The content type of the secret. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | From 1d432ce0683b9b48c6294ae659a8ecad8194bb80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Mon, 17 Jan 2022 16:48:22 +0100 Subject: [PATCH 06/24] upodated key vault with security recommendations --- arm/Microsoft.KeyVault/vaults/.parameters/parameters.json | 6 +++--- arm/Microsoft.KeyVault/vaults/readme.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index c0b8b532e6..4b0abc3603 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -43,7 +43,7 @@ "name": "secretName", "value": "secretValue", "contentType": "Something", - "attributesExp": 10000, + "attributesExp": 1702648632, "attributesNbf": 10000, "roleAssignments": [ { @@ -60,7 +60,7 @@ "value": [ { "name": "keyName", - "attributesExp": 10000, + "attributesExp": 1702648632, "attributesNbf": 10000, "roleAssignments": [ { 
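Review bot: `"attributesExp": 1702648632` is a fixed instant (2023-12-15 UTC); once that date passes, the sample deploys a secret and a key that are expired on creation, and the same literal is used in both hunks of this file. A parameter file cannot compute dates, so either let the template derive a default expiry from its existing `baseTime` parameter when the caller does not pass one (e.g. `dateTimeToEpoch(dateTimeAdd(baseTime, 'P1Y'))`, if the parent forwards `attributesExp`), or keep the literal and record its expiry in the module readme so the fixture is refreshed before it goes stale. `attributesNbf` is still `10000` (1970), which is fine as a lower bound but reads oddly next to a 2023 expiry.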
@@ -111,7 +111,7 @@ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" }, "workspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" }, "eventHubAuthorizationRuleId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 55e9e83cfa..df53b522d3 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -25,7 +25,7 @@ This module deploys a key vault and it's child resources. | `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | | `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | | `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | 
@@ -33,7 +33,7 @@ This module deploys a key vault and it's child resources. | `enableVaultForDiskEncryption` | bool | `True` | `[True, False]` | Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | | `enableVaultForTemplateDeployment` | bool | `True` | `[True, False]` | Optional. Specifies if the vault is enabled for a template deployment | | `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `keys` | _[keys](keys/readme.md)_ array | `[]` | | Optional. All keys to create | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | 
@@ -48,7 +48,7 @@ This module deploys a key vault and it's child resources. | `tags` | object | `{object}` | | Optional. Resource tags. | | `vaultSku` | string | `premium` | `[premium, standard]` | Optional. Specifies the SKU for the vault | | `vNetId` | string | | | Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well | -| `workspaceId` | string | | | Optional. Resource ID of log analytics. | +| `workspaceId` | string | | | Optional. Resource ID of log analytics. Without this, an event hub is created for each log category. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | ### Parameter Usage: `roleAssignments` From 0042b47763725b0175448af8be54c3891fd987ff Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Mon, 17 Jan 2022 17:38:57 +0100 Subject: [PATCH 07/24] Update arm/Microsoft.KeyVault/vaults/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.KeyVault/vaults/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index a797c1410d..1c5cc4ec89 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sxx-az-kv-x-001-ee" + "value": "sxx-az-kv-x-001" }, "softDeleteRetentionInDays": { "value": 7 From 7cfa73785d59851d83d167f9762cb319122d6595 Mon Sep 17 00:00:00 2001 
From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:44:57 +0100 Subject: [PATCH 08/24] Update arm/Microsoft.KeyVault/vaults/secrets/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/secrets/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/secrets/readme.md b/arm/Microsoft.KeyVault/vaults/secrets/readme.md index 49e2d02769..63559535de 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/readme.md +++ b/arm/Microsoft.KeyVault/vaults/secrets/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault secret. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. Security recommendation is to set expiration date whenever possible. | +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `contentType` | secureString | | | Optional. The content type of the secret. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | From 87b9fa29849238f39d81a8b6fb7340dbf0feb9cd Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:45:23 +0100 Subject: [PATCH 09/24] Update arm/Microsoft.KeyVault/vaults/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index c8f6777938..daf0cb73ef 100644 
--- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -42,7 +42,7 @@ This module deploys a key vault and it's child resources. | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | | `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. DefaultAction should set to Deny for security recommendation. | -| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. Security recommendation is to use private endpoints whenever possible. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is reommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | | `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | From 6af1df824a2b08b477f29609c6fb149d09799c2d Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:45:34 +0100 Subject: [PATCH 10/24] Update arm/Microsoft.KeyVault/vaults/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index daf0cb73ef..880bdf88f6 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -41,7 +41,7 @@ This module deploys a key vault and it's child resources. | `logsToEnable` | array | `[AuditEvent]` | `[AuditEvent]` | Optional. The name of logs that will be streamed. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | -| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. DefaultAction should set to Deny for security recommendation. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction `Deny` | | `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is reommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | From 2956eaefa1e5c13ee26faaf5d0b2342de7e0a68a Mon Sep 17 00:00:00 2001 
From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:45:59 +0100 Subject: [PATCH 11/24] Update arm/Microsoft.KeyVault/vaults/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 880bdf88f6..a376d91273 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -28,7 +28,7 @@ This module deploys a key vault and it's child resources. | `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | | `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | -| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | | `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. 
Note that management actions are always authorized with RBAC. | | `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | From 27e628f0a535e7515e937c3cff72087ed4fe69ce Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:46:08 +0100 Subject: [PATCH 12/24] Update arm/Microsoft.KeyVault/vaults/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index a376d91273..e4cd22046f 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -27,7 +27,7 @@ This module deploys a key vault and it's child resources. | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | | `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). 
When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | From 9f3905eaa8589882e99ce61053261497ec6f65b5 Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:46:18 +0100 Subject: [PATCH 13/24] Update arm/Microsoft.KeyVault/vaults/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index e4cd22046f..dcf897c34d 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -25,7 +25,7 @@ This module deploys a key vault and it's child resources. | `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. The security recommendation is to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | | `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | From 848fef551003689ae58a4f062f2b952042953469 Mon Sep 17 00:00:00 2001 
From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Tue, 18 Jan 2022 17:46:25 +0100 Subject: [PATCH 14/24] Update arm/Microsoft.KeyVault/vaults/keys/readme.md Co-authored-by: Alexander Sehr --- arm/Microsoft.KeyVault/vaults/keys/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.KeyVault/vaults/keys/readme.md b/arm/Microsoft.KeyVault/vaults/keys/readme.md index 742fb6fada..2d282e9348 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/readme.md +++ b/arm/Microsoft.KeyVault/vaults/keys/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault key. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. Security recommendation is to set expiration date whenever possible.| +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `curveName` | string | `P-256` | `[P-256, P-256K, P-384, P-521]` | Optional. The elliptic curve name. | From dcb9db1eb46215ff9b8a2444d44ce6d780dfecc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Tue, 18 Jan 2022 17:49:30 +0100 Subject: [PATCH 15/24] reformatting outputs readme --- arm/Microsoft.KeyVault/vaults/readme.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index dcf897c34d..4659289b71 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md 
+++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -177,12 +177,12 @@ To use Private Endpoint the following dependencies must be deployed: ## Outputs -| Output Name | Type | Description | -| :---------------------- | :----- | :----------------------------------------------------------- | -| `keyVaultName` | string | The name of the key vault. | +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `keyVaultName` | string | The name of the key vault. | | `keyVaultResourceGroup` | string | The name of the resource group the key vault was created in. | -| `keyVaultResourceId` | string | The resource ID of the key vault. | -| `keyVaultUrl` | string | The URL of the key vault. | +| `keyVaultResourceId` | string | The resource ID of the key vault. | +| `keyVaultUrl` | string | The URL of the key vault. | ## Template references From 217d54a50792a4c6ebf50980259529965902d74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elena=20Batanero=20Garc=C3=ADa?= Date: Tue, 18 Jan 2022 17:56:14 +0100 Subject: [PATCH 16/24] Updated params descriptions and readme according to comments --- arm/Microsoft.KeyVault/vaults/deploy.bicep | 12 ++++++------ arm/Microsoft.KeyVault/vaults/keys/deploy.bicep | 2 +- arm/Microsoft.KeyVault/vaults/readme.md | 2 +- arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep index 44ee6033fa..d653d587fc 100644 --- a/arm/Microsoft.KeyVault/vaults/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep 
@@ -57,7 +57,7 @@ param enablePurgeProtection bool = false ]) param vaultSku string = 'premium' -@description('Optional. Service endpoint object information') +@description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny') param networkAcls object = {} @description('Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well') 
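Review bot: The rewritten `networkAcls` description ends without a period, and the same applies to the new descriptions in the hunks at L37, L38 and L42, while the text they replace (`'Optional. Resource ID of the diagnostic storage account.'`) and the parallel `attributesExp` descriptions in the keys/secrets hunks at L38 and L40 keep one; if the readme tables are generated from these strings, the inconsistency is copied into the docs. In the L37 hunk the `diagnosticEventHubAuthorizationRuleId` line changes only by a trailing space inside the string (`streamed to. ')`), which is churn without content and should be dropped. A consistent form for this line would be `@description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction to Deny.')`.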
@@ -68,16 +68,16 @@ param vNetId string = '' @maxValue(365) param diagnosticLogsRetentionInDays int = 365 -@description('Optional. Resource ID of the diagnostic storage account.') +@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticStorageAccountId string = '' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') +@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. ') param diagnosticEventHubAuthorizationRuleId string = '' -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticEventHubName string = '' @allowed([ 
@@ -91,7 +91,7 @@ param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Configuration Details for private endpoints.') +@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible') param privateEndpoints array = [] @description('Optional. Resource tags.') diff --git a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep index 323472a0a4..cb311bd70b 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep @@ -10,7 +10,7 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 4659289b71..5720a1dbd4 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md 
@@ -42,7 +42,7 @@ This module deploys a key vault and it's child resources. | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | | `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction `Deny` | -| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is reommended to use private endpoints whenever possible. | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | | `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | diff --git a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep index c074035a49..00620edcda 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep 
@@ -10,7 +10,7 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') From ba36eaf0bc9e51cc69cc847fd75761397cefce6a Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Fri, 21 Jan 2022 16:02:01 +0100 Subject: [PATCH 17/24] storage account security --- .../.parameters/parameters.json | 30 ++++++++++++++++++- .../storageAccounts/deploy.bicep | 4 +-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index f1ce85845e..1e5d170211 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sxxazsax001" + "value": "sxxazsax001ee" }, "storageAccountSku": { "value": "Standard_LRS" 
@@ -11,6 +11,34 @@ "allowBlobPublicAccess": { "value": false }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "blob" + }, + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "table" + }, + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "queue" + }, + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "file" + } + ] + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [], + "ipRules": [] + } + }, "blobServices": { "value": { "diagnosticLogsRetentionInDays": 7, diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index f689827bd1..c8169b4739 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
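Review bot: `"bypass": "AzureServices"` in the new `networkAcls` value keeps the trusted-services exception open even though `defaultAction` is `Deny` and both `virtualNetworkRules` and `ipRules` are empty, so what this fixture exercises is "private endpoints plus trusted Microsoft services", not "private endpoints only"; if that is intended, stating it next to the value helps, and ARM parameter files accept `//` comments (the key vault one in this series used them), e.g. `// trusted Microsoft services still bypass the Deny default`. With no IP or VNet rules, any data-plane step the validation pipeline runs from outside `sxx-az-vnet-x-001` will presumably be refused, so that dependency has to exist before this file is deployed. The four private endpoints all target the same subnet, which is fine; the hunk does not show whether the module also creates the matching private DNS zones, so name resolution may be left to the caller.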
@@ -50,13 +50,13 @@ param azureFilesIdentityBasedAuthentication object = {}
 @description('Optional. Virtual Network Identifier used to create a service endpoint.')
 param vNetId string = ''
-@description('Optional. Configuration Details for private endpoints.')
+@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible')
 param privateEndpoints array = []
 @description('Optional. The Storage Account ManagementPolicies Rules.')
 param managementPolicyRules array = []
-@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information.')
+@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny')
 param networkAcls object = {}
 @description('Optional. Blob service and containers to deploy')
From 32faf5fa2110d6f70db7ff1edf447a37e817ddef Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Fri, 21 Jan 2022 16:25:34 +0100
Subject: [PATCH 18/24] requireInfrastructureEncryption
---
 .../storageAccounts/.parameters/parameters.json | 3 ++-
 arm/Microsoft.Storage/storageAccounts/deploy.bicep | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index 1e5d170211..6fbc6d4e5b 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "sxxazsax001ee"
+ "value": "sxxazsax001"
 },
 "storageAccountSku": {
 "value": "Standard_LRS"
@@ -39,6 +39,7 @@
 "ipRules": []
 }
 },
+ "requireInfrastructureEncryption": true,
 "blobServices": {
 "value": {
 "diagnosticLogsRetentionInDays": 7,
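Review bot: The two new description strings for `privateEndpoints` and `networkAcls` end without a period, unlike every neighbouring description in the hunk (`...a service endpoint.`, `...ManagementPolicies Rules.`), and these strings appear to be mirrored into the readme parameter table. Close them: `@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')` and `@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.')`.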
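Review bot: `"requireInfrastructureEncryption": true,` in the `@@ -39,6 +39,7 @@` hunk is not a valid entry for an ARM parameter file: every member of `parameters` must be an object carrying a `value`, as every other entry in this file is, so the line should read `"requireInfrastructureEncryption": { "value": true },`. As written, deployment validation will reject the file or, at best, never pass the value to the new `requireInfrastructureEncryption` parameter this same commit adds to deploy.bicep, so the test deployment would still run with infrastructure encryption off. The `parameters` object continues outside the hunk.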
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index c8169b4739..aeede3941b 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -59,6 +59,9 @@ param managementPolicyRules array = []
 @description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny')
 param networkAcls object = {}
+@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true')
+param requireInfrastructureEncryption bool = false
+
 @description('Optional. Blob service and containers to deploy')
 param blobServices object = {}
@@ -155,6 +158,7 @@ var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substr
 var saBaseProperties = {
 encryption: {
 keySource: 'Microsoft.Storage'
+ requireInfrastructureEncryption: requireInfrastructureEncryption
 services: {
 blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null)
 file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null)
From 0c2658002bb0b8b11c68673174a4ee69d5858c18 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Fri, 21 Jan 2022 19:22:43 +0100
Subject: [PATCH 19/24] readme update
---
 arm/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +-
 arm/Microsoft.Storage/storageAccounts/readme.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index aeede3941b..f2e00db7f2 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -59,7 +59,7 @@ param managementPolicyRules array = []
 @description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny')
 param networkAcls object = {}
-@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true')
+@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
 param requireInfrastructureEncryption bool = false
 @description('Optional. Blob service and containers to deploy')
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
index 13693b0fe7..ee874b5d68 100644
--- a/arm/Microsoft.Storage/storageAccounts/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
@@ -30,6 +30,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. |
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Optional. Provides the identity based authentication settings for Azure Files. |
 | `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. |
+| `requireInfrastructureEncryption` | boolean | False | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Optional. Blob service and containers to deploy |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
From 82c3d76633f7e393b4e9200f704bd0b116b4533b Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Sat, 22 Jan 2022 01:48:02 +0100
Subject: [PATCH 20/24] requireInfrastructureEncryption
---
 arm/Microsoft.Storage/storageAccounts/deploy.bicep | 4 ++--
 arm/Microsoft.Storage/storageAccounts/readme.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index f2e00db7f2..f69ac6d7ef 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -74,7 +74,7 @@ param queueServices object = {}
 @description('Optional. Table service and tables to create.')
 param tableServices object = {}
-@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account.')
+@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.')
 param allowBlobPublicAccess bool = true
 @allowed([
@@ -158,7 +158,6 @@ var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substr
 var saBaseProperties = {
 encryption: {
 keySource: 'Microsoft.Storage'
- requireInfrastructureEncryption: requireInfrastructureEncryption
 services: {
 blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null)
 file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null)
@@ -170,6 +169,7 @@ var saBaseProperties = {
 minimumTlsVersion: minimumTlsVersion
 networkAcls: (empty(networkAcls) ? null : networkAcls_var)
 allowBlobPublicAccess: allowBlobPublicAccess
+ requireInfrastructureEncryption: requireInfrastructureEncryption
 }
 var saOptIdBasedAuthProperties = {
 azureFilesIdentityBasedAuthentication: azureFilesIdentityBasedAuthentication_var
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
index ee874b5d68..901320e3ec 100644
--- a/arm/Microsoft.Storage/storageAccounts/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
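Review bot: The `@@ -170,6 +169,7 @@` hunk moves `requireInfrastructureEncryption` from the `encryption` object to the top level of `saBaseProperties`, but in the Microsoft.Storage/storageAccounts resource schema this flag is, as far as I know, a member of `properties.encryption` and not a top-level property, so the placement removed in the `@@ -158,7 +158,6 @@` hunk was the correct one. At the top level the setting will either fail template validation or be ignored, leaving accounts deployed without infrastructure encryption while the parameter and the readme say otherwise; please verify against the API version of the storage account resource, which is declared outside this hunk. The fix is to keep `requireInfrastructureEncryption: requireInfrastructureEncryption` directly under `encryption: {` rather than beside `allowBlobPublicAccess`.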
@@ -27,10 +27,10 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. |
+| `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. |
+| `requireInfrastructureEncryption` | boolean | False | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Optional. Provides the identity based authentication settings for Azure Files. |
 | `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. |
-| `requireInfrastructureEncryption` | boolean | False | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Optional. Blob service and containers to deploy |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
From 18d9b1499232d7dd87c58a26ae83ae6b2423e632 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Sat, 22 Jan 2022 01:59:53 +0100
Subject: [PATCH 21/24] requireInfrastructureEncryption param
---
 .../storageAccounts/.parameters/parameters.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index 6fbc6d4e5b..1b64cc20b1 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -11,6 +11,9 @@
 "allowBlobPublicAccess": {
 "value": false
 },
+ "requireInfrastructureEncryption": {
+ "value": true
+ },
 "privateEndpoints": {
 "value": [
 {
@@ -39,7 +42,6 @@
 "ipRules": []
 }
 },
- "requireInfrastructureEncryption": true,
 "blobServices": {
 "value": {
 "diagnosticLogsRetentionInDays": 7,
From 76e9f2b8732f92fef7966799411bd540a5ca052b Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Sat, 22 Jan 2022 02:22:47 +0100
Subject: [PATCH 22/24] dependency vnet name update
---
 .../storageAccounts/.parameters/parameters.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index 1b64cc20b1..1724015815 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -17,19 +17,19 @@
 "privateEndpoints": {
 "value": [
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
 "service": "blob"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
 "service": "table"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
 "service": "queue"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
 "service": "file"
 }
 ]
From 9cf1663df774dfca42c595ccbbaad4d4d7dbc942 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Sat, 22 Jan 2022 05:52:21 +0100
Subject: [PATCH 23/24] sxx-az-subnet-x-005-privateEndpoints param
---
 .../storageAccounts/.parameters/parameters.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index 1724015815..79e2ac726c 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -17,19 +17,19 @@
 "privateEndpoints": {
 "value": [
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
 "service": "blob"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
 "service": "table"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
 "service": "queue"
 },
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
 "service": "file"
 }
 ]
From 0e8998fbe2569096843bf78cfdbf206cb48e0eb1 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Mon, 24 Jan 2022 12:16:50 +0100
Subject: [PATCH 24/24] default security values set
---
 arm/Microsoft.Storage/storageAccounts/deploy.bicep | 4 ++--
 arm/Microsoft.Storage/storageAccounts/readme.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index f69ac6d7ef..3ce34035dd 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -60,7 +60,7 @@ param managementPolicyRules array = []
 param networkAcls object = {}
 @description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
-param requireInfrastructureEncryption bool = false
+param requireInfrastructureEncryption bool = true
 @description('Optional. Blob service and containers to deploy')
 param blobServices object = {}
@@ -75,7 +75,7 @@ param queueServices object = {}
 param tableServices object = {}
 @description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.')
-param allowBlobPublicAccess bool = true
+param allowBlobPublicAccess bool = false
 @allowed([
 'TLS1_0'
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
index 901320e3ec..c70b2d57f4 100644
--- a/arm/Microsoft.Storage/storageAccounts/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
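Review bot: Flipping the defaults to `param requireInfrastructureEncryption bool = true` and `param allowBlobPublicAccess bool = false` changes the behaviour of every existing consumer that does not pass these parameters, and nothing in the patch marks it as a breaking change. Infrastructure encryption is, to my knowledge, only selectable when the storage account is created and cannot be changed afterwards, so a redeployment of an already-existing account through this module would now send a different value than the one the account was created with and can be rejected by the resource provider; the description and readme row should state that the setting applies at creation time. The public-access default is the right posture, but it should ship with a module version bump and a changelog entry so teams that rely on anonymous blob reads opt back in explicitly rather than discover it on the next deployment.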
@@ -27,8 +27,8 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. |
-| `requireInfrastructureEncryption` | boolean | False | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
+| `allowBlobPublicAccess` | bool | `False` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. |
+| `requireInfrastructureEncryption` | boolean | `True` | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Optional. Provides the identity based authentication settings for Azure Files. |
 | `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Optional. Blob service and containers to deploy |