[Modules] Cognitive Services: Set secure defaults #1483

Merged 35 commits on Jun 22, 2022
Changes from 29 commits (35 commits in total)

Commits:
411cd06  Implemented --no-restore for workaround (AlexanderSehr, Jun 4, 2022)
aebb1da  Regenerated readme (AlexanderSehr, Jun 4, 2022)
77dc472  Merge branch 'users/alsehr/1471_cliWorkaround' into users/alsehr/776_… (AlexanderSehr, Jun 4, 2022)
317efd6  Draft for cognitive services cmk (AlexanderSehr, Jun 4, 2022)
258beff  Removed CMK implementation as it's currently not fully working & Set s… (AlexanderSehr, Jun 5, 2022)
06cd4f8  Added encryption test (AlexanderSehr, Jun 5, 2022)
7666d27  Added docs (AlexanderSehr, Jun 5, 2022)
e3207e0  Updated readme (AlexanderSehr, Jun 5, 2022)
4306b8d  Updated metadata (AlexanderSehr, Jun 5, 2022)
3ac2081  Shuffle (AlexanderSehr, Jun 5, 2022)
111e169  Minor update (AlexanderSehr, Jun 5, 2022)
77f7561  Minor update (AlexanderSehr, Jun 5, 2022)
52dc586  Merge branch 'main' into users/alsehr/776_cogSerCMK (AlexanderSehr, Jun 5, 2022)
4577734  Update arm/Microsoft.CognitiveServices/accounts/readme.md (AlexanderSehr, Jun 6, 2022)
ee3d885  Merge branch 'main' into users/alsehr/776_cogSerCMK (AlexanderSehr, Jun 7, 2022)
179817e  Merge branch 'users/alsehr/776_cogSerCMK' of https://github.com/Azure… (AlexanderSehr, Jun 7, 2022)
3292633  Update arm/Microsoft.CognitiveServices/accounts/deploy.bicep (AlexanderSehr, Jun 7, 2022)
e4d8b78  Adjusted network access default (AlexanderSehr, Jun 7, 2022)
bc49e4f  Merge branch 'users/alsehr/776_cogSerCMK' of https://github.com/Azure… (AlexanderSehr, Jun 7, 2022)
4f465c0  Update to latest (AlexanderSehr, Jun 7, 2022)
365e182  Updated readme (AlexanderSehr, Jun 7, 2022)
cdbd0f5  Updated param (AlexanderSehr, Jun 7, 2022)
21c8c83  Adjusted default (AlexanderSehr, Jun 7, 2022)
3900e87  Minor fix (AlexanderSehr, Jun 7, 2022)
f215233  Updated readme (AlexanderSehr, Jun 7, 2022)
478c0fb  Changed network acls + added test case (AlexanderSehr, Jun 9, 2022)
d119873  Small adjustment (AlexanderSehr, Jun 9, 2022)
98193fb  Updated param & readme (AlexanderSehr, Jun 9, 2022)
9d5c8f3  Updated param & readme (AlexanderSehr, Jun 9, 2022)
61c38f9  Added min test (AlexanderSehr, Jun 16, 2022)
5db56d7  Updated minor (AlexanderSehr, Jun 16, 2022)
b68eda3  Merge branch 'main' into users/alsehr/776_cogSerCMK (AlexanderSehr, Jun 17, 2022)
4bd01a5  Merge branch 'main' into users/alsehr/776_cogSerCMK (AlexanderSehr, Jun 21, 2022)
e86ad9e  Added network rule & service endpoint (AlexanderSehr, Jun 21, 2022)
3fcf964  Updated readme (AlexanderSehr, Jun 21, 2022)
@@ -47,6 +47,7 @@ stages:
deploymentBlocks:
- path: $(modulePath)/.parameters/parameters.json
- path: $(modulePath)/.parameters/speech.parameters.json
- path: $(modulePath)/.parameters/encr.parameters.json

- stage: Publishing
displayName: Publishing
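Review bot: the new encr.parameters.json deployment block only works if the user-assigned identity and the key vault key it references already exist in validation-rg, and the parameter file itself says the identity client ID and key version must be updated by hand. Add a short note to the module readme or the dependencies pipeline on how to refresh those two values, otherwise this test case will start failing for reasons unrelated to the module as soon as the key or identity is recreated.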
@@ -0,0 +1,34 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "<<namePrefix>>-az-cgs-encr-001"
},
"kind": {
"value": "SpeechServices"
},
"sku": {
"value": "S0"
},
"userAssignedIdentities": {
"value": {
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
}
},
"publicNetworkAccess": {
"value": "Enabled"
},
"encryption": {
"value": {
"keySource": "Microsoft.KeyVault",
"keyVaultProperties": {
"identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity
"keyVaultUri": "https://adp-<<namePrefix>>-az-kv-nopr-002.vault.azure.net/",
"keyName": "keyEncryptionKey",
"keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // Version must be updated for new keys
}
}
}
}
}
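Review bot: `keyversion` in keyVaultProperties does not match the casing the API uses (`keyVersion`); align it so the file can be checked against the resource schema, even if the deployment engine matches property names case-insensitively. The hard-coded identityClientId GUID and key version are environment-specific and, per the inline comments, need manual updates; consider putting them behind `<<token>>` placeholders like the other environment values in this file, or at least documenting where they come from.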
@@ -12,7 +12,7 @@
"value": "Face"
},
"sku": {
"value": "F0"
"value": "S0"
},
"roleAssignments": {
"value": [
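Review bot: the sku bump from F0 to S0 turns this validation deployment into a paid one; if the free tier was dropped because the network ACLs added in this PR are not available on it, record that in the PR description or the readme so the change is not reverted by a later cleanup.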
@@ -24,6 +24,15 @@
}
]
},
"networkAcls": {
"value": {
"defaultAction": "deny",
"virtualNetworkRules": []
}
},
"customSubDomainName": {
"value": "<<namePrefix>>xdomain"
},
"systemAssignedIdentity": {
"value": true
},
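Review bot: the new `networkAcls` block sets defaultAction deny with an empty virtualNetworkRules list but no ipRules; since deploy.bicep now passes the object through unchanged (the networkAcls_var normalisation is removed), the API receives exactly this shape, so either add `"ipRules": []` for symmetry with the documented object or state in the readme that omitted rule lists are optional. Also worth confirming the resource provider accepts lower-case `deny`, as the API documents the values as `Deny`/`Allow`.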
@@ -9,7 +9,7 @@
"value": "SpeechServices"
},
"sku": {
"value": "F0"
"value": "S0"
},
"systemAssignedIdentity": {
"value": true
@@ -20,7 +20,7 @@
}
},
"customSubDomainName": {
"value": "<<namePrefix>>domain"
"value": "<<namePrefix>>speechdomain"
},
"privateEndpoints": {
"value": [
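Review bot: custom subdomain names are globally unique, so including the service kind in the suffix (`speechdomain`) is a good way to keep the test cases from colliding; consider applying the same pattern to the Face test's `<<namePrefix>>xdomain`.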
25 changes: 10 additions & 15 deletions arm/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -1,7 +1,7 @@
@description('Required. The name of Cognitive Services account.')
param name string

@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.')
@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
@allowed([
'AnomalyDetector'
'Bing.Autosuggest.v7'
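Review bot: since this description line is being touched anyway, fix the grammar in it: "to determine a valid combinations of" should read "to determine valid combinations of". The same wording appears in the sku description in the next hunk.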
@@ -28,7 +28,7 @@ param name string
])
param kind string

@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.')
@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
@allowed([
'C2'
'C3'
@@ -70,23 +70,24 @@ param diagnosticEventHubAuthorizationRuleId string = ''
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
param diagnosticEventHubName string = ''

@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.')
@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set (including private endpoints).')
param customSubDomainName string = ''

@description('Optional. Whether or not public endpoint access is allowed for this account.')
@allowed([
''
'Enabled'
'Disabled'
])
param publicNetworkAccess string = 'Enabled'
param publicNetworkAccess string = ''

@description('Optional. Service endpoint object information.')
param networkAcls object = {}

@description('Optional. Enables system assigned managed identity on the resource.')
param systemAssignedIdentity bool = false

@description('Optional. The ID(s) to assign to the resource.')
@description('Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
param userAssignedIdentities object = {}

@allowed([
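Review bot: the new default `''` for publicNetworkAccess changes behaviour in a way the description does not explain: per the resource definition further down, `''` resolves to 'Disabled' when private endpoints are configured and to null (the service default) otherwise. Spell that out in the description, e.g. "Optional. Whether or not public endpoint access is allowed for this account. If not specified, public access is disabled when private endpoints are configured and otherwise left at the service default.", so callers know the secure default only takes effect together with private endpoints. The `networkAcls` description "Service endpoint object information." is also too vague now that the object goes to the API unchanged; list the expected keys (defaultAction, virtualNetworkRules, ipRules).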
@@ -112,8 +113,8 @@ param allowedFqdnList array = []
@description('Optional. The API properties for special APIs.')
param apiProperties object = {}

@description('Optional. Allow only Azure AD authentication.')
param disableLocalAuth bool = false
@description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
param disableLocalAuth bool = true

@description('Optional. Properties to configure encryption.')
param encryption object = {}
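Review bot: flipping disableLocalAuth to true by default is a breaking change for consumers that authenticate with account keys; call it out in the changelog or PR description, and reword the description to state the behaviour rather than give advice, e.g. "Optional. Allow only Azure AD authentication. Defaults to true; set to false only if key-based authentication is required." Since the customSubDomainName description says the subdomain is used for token-based authentication, also check that the readme tells callers that the new default is only usable together with a custom subdomain.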
@@ -180,12 +181,6 @@ var identity = identityType != 'None' ? {
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
} : null

var networkAcls_var = {
defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null
virtualNetworkRules: !empty(networkAcls) ? ((length(networkAcls.virtualNetworkRules) == 0) ? [] : networkAcls.virtualNetworkRules) : null
ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) == 0) ? [] : networkAcls.ipRules) : null
}

resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
properties: {
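Review bot: removing networkAcls_var is justified: the old variable only worked when both virtualNetworkRules and ipRules were present, because `length()` on a missing object property fails at deployment time, and that is exactly the case the new Face parameter file (no ipRules) would have hit. Mention in the readme's networkAcls description which keys are optional so callers do not assume the old normalisation is still in place.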
@@ -209,8 +204,8 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = {
}
properties: {
customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null
networkAcls: !empty(networkAcls) ? networkAcls_var : null
publicNetworkAccess: publicNetworkAccess
networkAcls: networkAcls
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
allowedFqdnList: allowedFqdnList
apiProperties: apiProperties
disableLocalAuth: disableLocalAuth
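Review bot: `networkAcls: networkAcls` is now unconditional, so with the parameter left at its default `{}` the request body carries `networkAcls: {}` where the previous line sent null; keep the empty check (`!empty(networkAcls) ? networkAcls : null`) unless it has been verified that the resource provider treats an empty object exactly like an absent one. On the publicNetworkAccess line, the `any()` cast hides the type mismatch between the string branch and the null branch; a short comment on why it is needed would help the next reader.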