Merge pull request #435 from microsoft/feature/sfi-security-fixes

Prajwal-Microsoft · web-flow · commit b22f28495b6d · 2026-05-21T13:54:00.000Z
fix: address SFI security compliance issues
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -518,6 +518,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = useExistingLogAnalytics
   ? existingLogAnalyticsWorkspace!.location
   : logAnalyticsWorkspace!.outputs.location
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
   params: {
@@ -586,12 +587,23 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             name: 'perfCounterDataSource60'
           }
         ]
+        windowsEventLogs: [
+          {
+            name: 'SecurityAuditEvents'
+            streams: [
+              'Microsoft-Event'
+            ]
+            xPathQueries: [
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
+            ]
+          }
+        ]
       }
       destinations: {
         logAnalytics: [
           {
             workspaceResourceId: logAnalyticsWorkspaceResourceId
-            name: 'la-${dataCollectionRulesResourceName}'
+            name: dcrLogAnalyticsDestinationName
           }
         ]
       }
@@ -601,8 +613,18 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'Microsoft-Perf'
           ]
           destinations: [
-            'la-${dataCollectionRulesResourceName}'
+            dcrLogAnalyticsDestinationName
+          ]
+        }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            dcrLogAnalyticsDestinationName
           ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
         }
       ]
     }
@@ -1077,6 +1099,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = {
     ]
     ingressTargetPort: 8000
     ingressExternal: true
+    ingressAllowInsecure: false
     scaleSettings: {
       // maxReplicas: enableScalability ? 3 : 1
       maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment
@@ -1132,6 +1155,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = {
     ]
     ingressTargetPort: 3000
     ingressExternal: true
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 1
       minReplicas: 1
diff --git a/infra/main.json b/infra/main.json
@@ -5,11 +5,11 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.43.8.12551",
-      "templateHash": "2263929965524886405"
+      "version": "0.42.1.51946",
+      "templateHash": "18156607440911418905"
     },
     "name": "Modernize Your Code Solution Accelerator",
-    "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \n"
+    "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n"
   },
   "parameters": {
     "solutionName": {
@@ -5093,8 +5093,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.43.8.12551",
-              "templateHash": "14487392921976794826"
+              "version": "0.42.1.51946",
+              "templateHash": "15922750226218572834"
             }
           },
           "definitions": {
@@ -13101,11 +13101,11 @@
       },
       "dependsOn": [
         "applicationInsights",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]",
         "dataCollectionEndpoint",
         "logAnalyticsWorkspace",
         "virtualNetwork"
@@ -15351,13 +15351,24 @@
                     ],
                     "name": "perfCounterDataSource60"
                   }
+                ],
+                "windowsEventLogs": [
+                  {
+                    "name": "SecurityAuditEvents",
+                    "streams": [
+                      "Microsoft-Event"
+                    ],
+                    "xPathQueries": [
+                      "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
+                    ]
+                  }
                 ]
               },
               "destinations": {
                 "logAnalytics": [
                   {
                     "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]",
-                    "name": "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                    "name": "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]"
                   }
                 ]
               },
@@ -15367,8 +15378,18 @@
                     "Microsoft-Perf"
                   ],
                   "destinations": [
-                    "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                    "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]"
                   ]
+                },
+                {
+                  "streams": [
+                    "Microsoft-Event"
+                  ],
+                  "destinations": [
+                    "[format('la-{0}-destination', if(variables('useExistingLogAnalytics'), variables('existingLawName'), reference('logAnalyticsWorkspace').outputs.name.value))]"
+                  ],
+                  "transformKql": "source",
+                  "outputStream": "Microsoft-Event"
                 }
               ]
             }
@@ -26168,8 +26189,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.43.8.12551",
-              "templateHash": "5833130864503278162"
+              "version": "0.42.1.51946",
+              "templateHash": "7788164101952925462"
             },
             "name": "AI Services and Project Module",
             "description": "This module creates an AI Services resource and an AI Foundry project within it. It supports private networking, OpenAI deployments, and role assignments."
@@ -27466,8 +27487,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.43.8.12551",
-                      "templateHash": "427786211377533956"
+                      "version": "0.42.1.51946",
+                      "templateHash": "3451497265231138743"
                     }
                   },
                   "definitions": {
@@ -29176,8 +29197,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.43.8.12551",
-                              "templateHash": "9014582203949799641"
+                              "version": "0.42.1.51946",
+                              "templateHash": "6439859910553532577"
                             }
                           },
                           "definitions": {
@@ -29391,8 +29412,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.43.8.12551",
-                      "templateHash": "427786211377533956"
+                      "version": "0.42.1.51946",
+                      "templateHash": "3451497265231138743"
                     }
                   },
                   "definitions": {
@@ -31101,8 +31122,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.43.8.12551",
-                              "templateHash": "9014582203949799641"
+                              "version": "0.42.1.51946",
+                              "templateHash": "6439859910553532577"
                             }
                           },
                           "definitions": {
@@ -32017,9 +32038,9 @@
       },
       "dependsOn": [
         "aiServices",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "virtualNetwork"
       ]
     },
@@ -32075,8 +32096,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.43.8.12551",
-              "templateHash": "12228537903958998388"
+              "version": "0.42.1.51946",
+              "templateHash": "15460841004653840446"
             }
           },
           "definitions": {
@@ -32314,7 +32335,7 @@
                     "value": "TLS1_2"
                   },
                   "requireInfrastructureEncryption": {
-                    "value": false
+                    "value": true
                   },
                   "keyType": {
                     "value": "Service"
@@ -40529,8 +40550,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.43.8.12551",
-              "templateHash": "9897457440526781857"
+              "version": "0.42.1.51946",
+              "templateHash": "9745767047675020484"
             }
           },
           "definitions": {
@@ -47977,6 +47998,9 @@
           "ingressExternal": {
             "value": true
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "scaleSettings": {
             "value": {
               "maxReplicas": 1,
@@ -49551,6 +49575,9 @@
           "ingressExternal": {
             "value": true
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "scaleSettings": {
             "value": {
               "maxReplicas": "[if(parameters('enableScalability'), 3, 1)]",
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -426,6 +426,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
 var dataCollectionRulesLocation = useExistingLogAnalytics
   ? existingLogAnalyticsWorkspace!.location
   : logAnalyticsWorkspace!.outputs.location
+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination'
 module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
   name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
   params: {
@@ -497,10 +498,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
+              'Microsoft-Event'
             ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
@@ -509,7 +510,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
         logAnalytics: [
           {
             workspaceResourceId: logAnalyticsWorkspaceResourceId
-            name: 'la-${dataCollectionRulesResourceName}'
+            name: dcrLogAnalyticsDestinationName
           }
         ]
       }
@@ -519,11 +520,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'Microsoft-Perf'
           ]
           destinations: [
-            'la-${dataCollectionRulesResourceName}'
+            dcrLogAnalyticsDestinationName
           ]
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            dcrLogAnalyticsDestinationName
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
@@ -1022,6 +1033,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = {
     ]
     ingressTargetPort: 8000
     ingressExternal: true
+    ingressAllowInsecure: false
     scaleSettings: {
       // maxReplicas: enableScalability ? 3 : 1
       maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment
@@ -1085,6 +1097,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = {
     ]
     ingressTargetPort: 3000
     ingressExternal: true
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 1
       minReplicas: 1
diff --git a/infra/modules/storageAccount.bicep b/infra/modules/storageAccount.bicep
@@ -58,7 +58,7 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
     allowSharedKeyAccess: false
     allowCrossTenantReplication: false
     minimumTlsVersion: 'TLS1_2'
-    requireInfrastructureEncryption: false
+    requireInfrastructureEncryption: true
     keyType: 'Service'
     enableHierarchicalNamespace: false
     enableNfsV3: false

Original file line number	Diff line number	Diff line change
`@@ -518,6 +518,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'`
`518`	`518`	`var dataCollectionRulesLocation = useExistingLogAnalytics`
`519`	`519`	`? existingLogAnalyticsWorkspace!.location`
`520`	`520`	`: logAnalyticsWorkspace!.outputs.location`
	`521`	`+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination'`
`521`	`522`	`module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {`
`522`	`523`	`name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)`
`523`	`524`	`params: {`
`@@ -586,12 +587,23 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`586`	`587`	`name: 'perfCounterDataSource60'`
`587`	`588`	`}`
`588`	`589`	`]`
	`590`	`+ windowsEventLogs: [`
	`591`	`+ {`
	`592`	`+ name: 'SecurityAuditEvents'`
	`593`	`+ streams: [`
	`594`	`+ 'Microsoft-Event'`
	`595`	`+ ]`
	`596`	`+ xPathQueries: [`
	`597`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
	`598`	`+ ]`
	`599`	`+ }`
	`600`	`+ ]`
`589`	`601`	`}`
`590`	`602`	`destinations: {`
`591`	`603`	`logAnalytics: [`
`592`	`604`	`{`
`593`	`605`	`workspaceResourceId: logAnalyticsWorkspaceResourceId`
`594`		`- name: 'la-${dataCollectionRulesResourceName}'`
	`606`	`+ name: dcrLogAnalyticsDestinationName`
`595`	`607`	`}`
`596`	`608`	`]`
`597`	`609`	`}`
`@@ -601,8 +613,18 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`601`	`613`	`'Microsoft-Perf'`
`602`	`614`	`]`
`603`	`615`	`destinations: [`
`604`		`- 'la-${dataCollectionRulesResourceName}'`
	`616`	`+ dcrLogAnalyticsDestinationName`
	`617`	`+ ]`
	`618`	`+ }`
	`619`	`+ {`
	`620`	`+ streams: [`
	`621`	`+ 'Microsoft-Event'`
	`622`	`+ ]`
	`623`	`+ destinations: [`
	`624`	`+ dcrLogAnalyticsDestinationName`
`605`	`625`	`]`
	`626`	`+ transformKql: 'source'`
	`627`	`+ outputStream: 'Microsoft-Event'`
`606`	`628`	`}`
`607`	`629`	`]`
`608`	`630`	`}`
`@@ -1077,6 +1099,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = {`
`1077`	`1099`	`]`
`1078`	`1100`	`ingressTargetPort: 8000`
`1079`	`1101`	`ingressExternal: true`
	`1102`	`+ ingressAllowInsecure: false`
`1080`	`1103`	`scaleSettings: {`
`1081`	`1104`	`// maxReplicas: enableScalability ? 3 : 1`
`1082`	`1105`	`maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment`
`@@ -1132,6 +1155,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = {`
`1132`	`1155`	`]`
`1133`	`1156`	`ingressTargetPort: 3000`
`1134`	`1157`	`ingressExternal: true`
	`1158`	`+ ingressAllowInsecure: false`
`1135`	`1159`	`scaleSettings: {`
`1136`	`1160`	`maxReplicas: enableScalability ? 3 : 1`
`1137`	`1161`	`minReplicas: 1`
Original file line number	Diff line number	Diff line change
`@@ -426,6 +426,7 @@ var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'`
`426`	`426`	`var dataCollectionRulesLocation = useExistingLogAnalytics`
`427`	`427`	`? existingLogAnalyticsWorkspace!.location`
`428`	`428`	`: logAnalyticsWorkspace!.outputs.location`
	`429`	`+var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceName}-destination'`
`429`	`430`	`module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {`
`430`	`431`	`name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)`
`431`	`432`	`params: {`
`@@ -497,10 +498,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`497`	`498`	`{`
`498`	`499`	`name: 'SecurityAuditEvents'`
`499`	`500`	`streams: [`
`500`		`- 'Microsoft-WindowsEvent'`
	`501`	`+ 'Microsoft-Event'`
`501`	`502`	`]`
`502`	`503`	`xPathQueries: [`
`503`		`- 'Security!*[System[(EventID=4624 or EventID=4625)]]'`
	`504`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
`504`	`505`	`]`
`505`	`506`	`}`
`506`	`507`	`]`
`@@ -509,7 +510,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`509`	`510`	`logAnalytics: [`
`510`	`511`	`{`
`511`	`512`	`workspaceResourceId: logAnalyticsWorkspaceResourceId`
`512`		`- name: 'la-${dataCollectionRulesResourceName}'`
	`513`	`+ name: dcrLogAnalyticsDestinationName`
`513`	`514`	`}`
`514`	`515`	`]`
`515`	`516`	`}`
`@@ -519,11 +520,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`519`	`520`	`'Microsoft-Perf'`
`520`	`521`	`]`
`521`	`522`	`destinations: [`
`522`		`- 'la-${dataCollectionRulesResourceName}'`
	`523`	`+ dcrLogAnalyticsDestinationName`
`523`	`524`	`]`
`524`	`525`	`transformKql: 'source'`
`525`	`526`	`outputStream: 'Microsoft-Perf'`
`526`	`527`	`}`
	`528`	`+ {`
	`529`	`+ streams: [`
	`530`	`+ 'Microsoft-Event'`
	`531`	`+ ]`
	`532`	`+ destinations: [`
	`533`	`+ dcrLogAnalyticsDestinationName`
	`534`	`+ ]`
	`535`	`+ transformKql: 'source'`
	`536`	`+ outputStream: 'Microsoft-Event'`
	`537`	`+ }`
`527`	`538`	`]`
`528`	`539`	`}`
`529`	`540`	`}`
`@@ -1022,6 +1033,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.22.0' = {`
`1022`	`1033`	`]`
`1023`	`1034`	`ingressTargetPort: 8000`
`1024`	`1035`	`ingressExternal: true`
	`1036`	`+ ingressAllowInsecure: false`
`1025`	`1037`	`scaleSettings: {`
`1026`	`1038`	`// maxReplicas: enableScalability ? 3 : 1`
`1027`	`1039`	`maxReplicas: 1 // maxReplicas set to 1 (not 3) due to multiple agents created per type during WAF deployment`
`@@ -1085,6 +1097,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.22.0' = {`
`1085`	`1097`	`]`
`1086`	`1098`	`ingressTargetPort: 3000`
`1087`	`1099`	`ingressExternal: true`
	`1100`	`+ ingressAllowInsecure: false`
`1088`	`1101`	`scaleSettings: {`
`1089`	`1102`	`maxReplicas: enableScalability ? 3 : 1`
`1090`	`1103`	`minReplicas: 1`