diff --git a/infra/main.bicep b/infra/main.bicep index 5279b2b7..9f4ec91e 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -362,6 +362,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location +var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}' +var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination' module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) params: { @@ -433,19 +435,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- { name: 'SecurityAuditEvents' streams: [ - 'Microsoft-WindowsEvent' - ] - eventLogName: 'Security' - eventTypes: [ - { - eventType: 'Audit Success' - } - { - eventType: 'Audit Failure' - } + 'Microsoft-Event' ] xPathQueries: [ - 'Security!*[System[(EventID=4624 or EventID=4625)]]' + 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' ] } ] @@ -454,7 +447,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- logAnalytics: [ { workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId - name: 'la-${dataCollectionRulesResourceName}' + name: dcrLogAnalyticsDestinationName } ] } @@ -464,11 +457,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Perf' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] transformKql: 'source' outputStream: 'Microsoft-Perf' } + { + streams: [ + 'Microsoft-Event' + ] + destinations: [ + dcrLogAnalyticsDestinationName + ] + transformKql: 'source' + outputStream: 'Microsoft-Event' + } ] } } 
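Review bot: The rewritten xPathQueries entry under SecurityAuditEvents (hunk @@ -433) hides its scope in a bare constant and quietly inverts the old filter: `13510798882111488` is 0x30000000000000, the Audit Success | Audit Failure keyword bits, so the rule now forwards every audited Security-log event except EventID 4624 (successful logon), where the previous query forwarded only 4624 and 4625. If excluding successful logons is a deliberate volume trade-off it should be stated beside the query, e.g. `// Keywords 0x30000000000000 = Audit Success | Audit Failure; EventID 4624 (successful logon) excluded to limit volume`, because any detection that pairs logon success with logon failure loses half its signal here. It is also worth confirming that whatever queries consume these events expect them in the `Event` table, where the `Microsoft-Event` stream lands as far as I know, rather than in `SecurityEvent`. The windowsVmDataCollectionRules module body starts and ends outside the hunk, and the identical change is repeated in infra/main_custom.bicep (@@ -436).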
@@ -517,7 +520,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
 name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
 params: {
- name: 'log-${solutionSuffix}'
+ name: logAnalyticsWorkspaceResourceName
 location: location
 tags: tags
 enableTelemetry: enableTelemetry
@@ -654,6 +657,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
 defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
 ipRules: []
 }
+ requireInfrastructureEncryption: true
 supportsHttpsTrafficOnly: true
 accessTier: 'Hot'
 tags: tags
@@ -1048,6 +1052,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
@@ -1089,6 +1094,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressTargetPort: 3000
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 scaleSettings: {
 maxReplicas: enableScalability ? 3 : 2
 minReplicas: enableScalability ? 2 : 1
@@ -1722,6 +1728,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
diff --git a/infra/main.json b/infra/main.json
index 58b0c4ed..e8ba8e73 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "12078312041649297460"
+ "templateHash": "5885652317352749587"
 },
 "name": "Content Processing Solution Accelerator",
 "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
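Review bot: `requireInfrastructureEncryption: true` added to avmStorageAccount (hunk @@ -654) is, as far as I know, honoured only when the account is created — the platform rejects toggling it on an existing account — so redeploying this template over an environment provisioned before this commit is likely to fail, or at best leave the account without double encryption rather than upgrade it. A comment on the line, e.g. `// Immutable after creation: pre-existing accounts must be recreated to get infrastructure encryption`, plus a line in the upgrade notes would save the next operator a confusing deployment error. The avmStorageAccount module starts and ends outside the hunk; the same line is added to infra/main_custom.bicep (@@ -657).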
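Review bot: `ingressAllowInsecure: false` (hunk @@ -1048) closes plain-HTTP ingress on avmContainerApp_API, but the context lines right below it still configure `corsPolicy.allowedOrigins: [ '*' ]` on an app with `ingressExternal: true`, so every origin may script cross-origin calls to the API and the hardening stops short. Unless the API is intended to be callable from arbitrary sites, restrict the list to the Web app's origin — the project already re-runs this module as avmContainerApp_API_update, which looks like the point at which that origin is known, though I cannot confirm that from the hunk. The module starts and ends outside the hunk; the same wildcard sits next to the new line in @@ -1722 here and in infra/main_custom.bicep (@@ -1061, @@ -1756).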
@@ -243,6 +243,8 @@
 "bastionHostName": "[format('bas-{0}', variables('solutionSuffix'))]",
 "jumpboxVmName": "[take(format('vm-{0}', variables('solutionSuffix')), 15)]",
 "dataCollectionRulesResourceName": "[format('dcr-{0}', variables('solutionSuffix'))]",
+ "logAnalyticsWorkspaceResourceName": "[format('log-{0}', variables('solutionSuffix'))]",
+ "dcrLogAnalyticsDestinationName": "[format('la-{0}-destination', variables('logAnalyticsWorkspaceResourceName'))]",
 "privateDnsZones": [
 "privatelink.cognitiveservices.azure.com",
 "privatelink.openai.azure.com",
@@ -14607,19 +14609,10 @@
 {
 "name": "SecurityAuditEvents",
 "streams": [
- "Microsoft-WindowsEvent"
- ],
- "eventLogName": "Security",
- "eventTypes": [
- {
- "eventType": "Audit Success"
- },
- {
- "eventType": "Audit Failure"
- }
+ "Microsoft-Event"
 ],
 "xPathQueries": [
- "Security!*[System[(EventID=4624 or EventID=4625)]]"
+ "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
 ]
 }
 ]
@@ -14628,7 +14621,7 @@
 "logAnalytics": [
 {
 "workspaceResourceId": "[reference('logAnalyticsWorkspace').outputs.resourceId.value]",
- "name": "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ "name": "[variables('dcrLogAnalyticsDestinationName')]"
 }
 ]
 },
@@ -14638,10 +14631,20 @@
 "Microsoft-Perf"
 ],
 "destinations": [
- "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+ "[variables('dcrLogAnalyticsDestinationName')]"
 ],
 "transformKql": "source",
 "outputStream": "Microsoft-Perf"
+ },
+ {
+ "streams": [
+ "Microsoft-Event"
+ ],
+ "destinations": [
+ "[variables('dcrLogAnalyticsDestinationName')]"
+ ],
+ "transformKql": "source",
+ "outputStream": "Microsoft-Event"
 }
 ]
 }
@@ -19272,7 +19275,7 @@
 "mode": "Incremental",
 "parameters": {
 "name": {
- "value": "[format('log-{0}', variables('solutionSuffix'))]"
+ "value": "[variables('logAnalyticsWorkspaceResourceName')]"
 },
 "location": {
 "value": "[parameters('location')]"
@@ -28050,6 +28053,9 @@
 "ipRules": []
 }
 },
+ "requireInfrastructureEncryption": {
+ "value": true
+ },
 "supportsHttpsTrafficOnly": {
 "value": true
 },
@@ -36177,8 +36183,8 @@
 "avmContainerApp_API",
 "avmContainerApp_Workflow",
 "avmManagedIdentity",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
 "virtualNetwork"
 ]
 },
@@ -42482,9 +42488,9 @@
 "dependsOn": [
 "avmAiServices",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
 "virtualNetwork"
 ]
 },
@@ -45910,6 +45916,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "corsPolicy": {
 "value": {
 "allowedOrigins": [
@@ -47515,6 +47524,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "scaleSettings": {
 "value": {
 "maxReplicas": "[if(parameters('enableScalability'), 3, 2)]",
@@ -63172,6 +63184,9 @@
 "ingressTransport": {
 "value": "auto"
 },
+ "ingressAllowInsecure": {
+ "value": false
+ },
 "corsPolicy": {
 "value": {
 "allowedOrigins": [
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
index fd462dc6..b2263f10 100644
--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -365,6 +365,8 @@ module maintenanceConfiguration 'br/public:avm/res/maintenance/maintenance-confi var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}' var dataCollectionRulesLocation = logAnalyticsWorkspace!.outputs.location +var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}' +var dcrLogAnalyticsDestinationName = 'la-${logAnalyticsWorkspaceResourceName}-destination' module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) { name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64) params: { @@ -436,19 +438,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- { name: 'SecurityAuditEvents' streams: [ - 'Microsoft-WindowsEvent' - ] - eventLogName: 'Security' - eventTypes: [ - { - eventType: 'Audit Success' - } - { - eventType: 'Audit Failure' - } + 'Microsoft-Event' ] xPathQueries: [ - 'Security!*[System[(EventID=4624 or EventID=4625)]]' + 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' ] } ] @@ -457,7 +450,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- logAnalytics: [ { workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId - name: 'la-${dataCollectionRulesResourceName}' + name: dcrLogAnalyticsDestinationName } ] } @@ -467,11 +460,21 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- 'Microsoft-Perf' ] destinations: [ - 'la-${dataCollectionRulesResourceName}' + dcrLogAnalyticsDestinationName ] transformKql: 'source' outputStream: 'Microsoft-Perf' } + { + streams: [ + 'Microsoft-Event' + ] + destinations: [ + dcrLogAnalyticsDestinationName + ] + transformKql: 'source' + outputStream: 'Microsoft-Event' + } ] } } 
@@ -520,7 +523,7 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.1' = [
 module logAnalyticsWorkspace 'modules/log-analytics-workspace.bicep' = if (enableMonitoring) {
 name: take('module.log-analytics-workspace.${solutionSuffix}', 64)
 params: {
- name: 'log-${solutionSuffix}'
+ name: logAnalyticsWorkspaceResourceName
 location: location
 tags: tags
 enableTelemetry: enableTelemetry
@@ -657,6 +660,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
 defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
 ipRules: []
 }
+ requireInfrastructureEncryption: true
 supportsHttpsTrafficOnly: true
 accessTier: 'Hot'
 tags: tags
@@ -1061,6 +1065,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'
@@ -1107,6 +1112,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
 ingressTargetPort: 3000
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 scaleSettings: {
 maxReplicas: enableScalability ? 3 : 2
 minReplicas: enableScalability ? 2 : 1
@@ -1756,6 +1762,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
 ingressExternal: true
 activeRevisionsMode: 'Single'
 ingressTransport: 'auto'
+ ingressAllowInsecure: false
 corsPolicy: {
 allowedOrigins: [
 '*'