115 changes: 115 additions & 0 deletions infra/main.bicep
Expand Up @@ -363,6 +363,10 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.15.0' = if (enable
adminPassword: vmAdminPassword ?? 'JumpboxAdminP@ssw0rd1234!'
tags: allTags
zone: 0
// SFI: enable system-assigned managed identity on the jumpbox VM. Required so
// the Azure Monitor Agent can authenticate to the Log Analytics workspace and
// honor the SecurityAuditEvents data collection rule association. (ADO #43311)
managedIdentities: { systemAssigned: true }
imageReference: {
offer: 'WindowsServer'
publisher: 'MicrosoftWindowsServer'
Expand Down Expand Up @@ -409,6 +413,108 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.15.0' = if (enable
}
]
enableTelemetry: enableTelemetry
// SFI: associate the SecurityAuditEvents data collection rule with the
// jumpbox VM via the Azure Monitor Agent extension. Routes Windows audit
// success (4624) / audit failure (4625) events to Log Analytics. Disabled
// when monitoring is off because the DCR is also gated on enableMonitoring.
// (ADO #43311)
extensionMonitoringAgentConfig: enableMonitoring
? {
enabled: true
tags: allTags
dataCollectionRuleAssociations: [
{
name: 'send-${logAnalyticsWorkspaceResourceName}'
dataCollectionRuleResourceId: windowsVmDataCollectionRules!.outputs.resourceId
}
]
}
: null
}
}

// SFI: data collection rule that captures Windows Security audit success and
// audit failure events from the jumpbox VM and routes them to Log Analytics
// via the Microsoft-SecurityEvent stream. The xPath filter uses the Windows
// audit Keywords bitmask (0x30000000000000 = AuditSuccess|AuditFailure) and
// excludes EventID 4624 (successful logon) because it is extremely
// high-volume. Also collects a small set of Windows performance counters via
// Microsoft-Perf for the jumpbox so the same DCR provides basic VM health
// signal. The SecurityEvent / Perf tables are auto-provisioned by Azure
// Monitor on first ingestion via the DCR; no legacy OMSGallery/Security
// solution is needed. (ADO #43311)
var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
var dataCollectionRulesLocation = useExistingLogAnalytics
? existingLogAnalyticsWorkspace!.location
: logAnalyticsWorkspace!.outputs.location
var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination'
module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
params: {
name: dataCollectionRulesResourceName
tags: allTags
enableTelemetry: enableTelemetry
location: dataCollectionRulesLocation
dataCollectionRuleProperties: {
kind: 'Windows'
dataSources: {
windowsEventLogs: [
{
name: 'SecurityAuditEvents'
streams: [
'Microsoft-SecurityEvent'
]
xPathQueries: [
'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
]
}
]
performanceCounters: [
{
name: 'VMPerfCounters'
streams: [
'Microsoft-Perf'
]
samplingFrequencyInSeconds: 60
counterSpecifiers: [
'\\Processor Information(_Total)\\% Processor Time'
'\\Memory\\% Committed Bytes In Use'
'\\Memory\\Available Bytes'
'\\LogicalDisk(_Total)\\% Free Space'
'\\LogicalDisk(_Total)\\Disk Reads/sec'
'\\LogicalDisk(_Total)\\Disk Writes/sec'
'\\Network Interface(*)\\Bytes Total/sec'
]
}
]
}
destinations: {
logAnalytics: [
{
workspaceResourceId: logAnalyticsWorkspaceResourceId
name: dcrLogAnalyticsDestinationName
}
]
}
dataFlows: [
{
streams: [
'Microsoft-SecurityEvent'
]
destinations: [
dcrLogAnalyticsDestinationName
]
}
{
streams: [
'Microsoft-Perf'
]
destinations: [
dcrLogAnalyticsDestinationName
]
}
]
}
}
}

Expand Down Expand Up @@ -480,6 +586,8 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
location: solutionLocation
managedIdentities: { systemAssigned: true }
minimumTlsVersion: 'TLS1_2'
// SFI: enable infrastructure (double) encryption at rest (ADO #43311)
requireInfrastructureEncryption: true
enableTelemetry: enableTelemetry
tags: allTags
accessTier: 'Hot'
Expand Down Expand Up @@ -598,6 +706,8 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
location: cosmosLocation
tags: allTags
enableTelemetry: enableTelemetry
// SFI: enable system-assigned managed identity for Cosmos DB account (ADO #43311)
managedIdentities: { systemAssigned: true }
sqlDatabases: [
{
name: cosmosDatabaseName
Expand Down Expand Up @@ -1147,6 +1257,11 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
]
enableTelemetry: enableTelemetry
publicNetworkAccess: 'Enabled' // Always enabled for Container Apps Environment
// SFI: enable mTLS / end-to-end encryption between revisions within the
// Container Apps environment (Container Apps equivalent of App Service's
// endToEndEncryptionEnabled). Applies to Microsoft.App/managedEnvironments
// peerTrafficConfiguration.encryption.enabled. (ADO #43311)
peerTrafficEncryption: true

// <========== WAF related parameters

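Review bot: The two new comments in the second hunk disagree about what is collected: the jumpbox comment says the DCR "Routes Windows audit success (4624) / audit failure (4625) events to Log Analytics", while the DCR comment and the query `'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'` exclude EventID 4624 outright. Dropping every 4624 also removes the signal a defender needs to distinguish a run of 4625 failures from a failure run that ended in success, and hides who actually logged on to the jumpbox, which is the host this rule exists to audit, so consider narrowing the exclusion to the noisy logon types rather than the whole event ID, and in any case correct the jumpbox comment to `// Routes Windows audit events (4625 and other success/failure auditing) to Log Analytics; 4624 is excluded by the DCR's xPath filter.`. Separately, `extensionMonitoringAgentConfig` is gated on `enableMonitoring` alone while `windowsVmDataCollectionRules` is deployed only when `enablePrivateNetworking && enableMonitoring`, so the `!` dereference of `windowsVmDataCollectionRules!.outputs.resourceId` is only safe if the jumpboxVM module's own condition (cut off at the hunk header) is likewise gated on enablePrivateNetworking; if it is not, a deployment with monitoring on and private networking off will fail on an undeployed module. The context line `adminPassword: vmAdminPassword ?? 'JumpboxAdminP@ssw0rd1234!'` in the first hunk is pre-existing, but a fixed fallback administrator password in a template is exactly the kind of finding this SFI work is meant to retire, so it is worth a follow-up to require the parameter or source it from Key Vault. The jumpboxVM module starts before the first hunk and its closing braces fall in the second.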