Add vnet and environment setting to Pipeline Witness bicep (#8584)

Author: hallipr

tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.test.json

@@ -0,0 +1,7 @@
+{
+  "PipelineWitness": {
+    "QueueStorageAccountUri": "https://pipelinewitnesstest.queue.core.windows.net",
+    "BlobStorageAccountUri": "https://pipelinelogstest.blob.core.windows.net",
+    "CosmosAccountUri": "https://pipelinewitnesstest.documents.azure.com"
+  }
+}

tools/pipeline-witness/infrastructure/bicep/appResourceGroup.bicep

@@ -1,11 +1,75 @@
 param webAppName string
+param networkSecurityGroupName string
+param vnetName string
 param appServicePlanName string
 param appStorageAccountName string
+param aspEnvironment string
 param cosmosAccountName string
 param location string
+param vnetPrefix string
+param subnetPrefix string
 
 var cosmosContributorRoleId = '00000000-0000-0000-0000-000000000002' // Built-in Contributor role
 
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  name: networkSecurityGroupName
+  location: 'westus2'
+  properties: {
+    securityRules: []
+  }
+}
+
+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
+  name: vnetName
+  location: 'westus2'
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        vnetPrefix
+      ]
+    }
+    virtualNetworkPeerings: []
+    enableDdosProtection: false
+  }
+}
+
+resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' = {
+  parent: vnet
+  name: 'default'
+  properties: {
+    addressPrefix: subnetPrefix
+    networkSecurityGroup: {
+      id: networkSecurityGroup.id
+    }
+    serviceEndpoints: [
+      {
+        service: 'Microsoft.Storage'
+        locations: [
+          'westus2'
+          'westcentralus'
+        ]
+      }
+      {
+        service: 'Microsoft.AzureCosmosDB'
+        locations: [
+          '*'
+        ]
+      }
+    ]
+    delegations: [
+      {
+        name: 'delegation'
+        properties: {
+          serviceName: 'Microsoft.Web/serverfarms'
+        }
+        type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
+      }
+    ]
+    privateEndpointNetworkPolicies: 'Disabled'
+    privateLinkServiceNetworkPolicies: 'Enabled'
+  }
+}
+
 resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
   name: appServicePlanName
   location: location
@@ -28,6 +92,8 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
       linuxFxVersion: 'DOTNETCORE|6.0'
     }
     httpsOnly: true
+    virtualNetworkSubnetId: subnet.id
+    publicNetworkAccess: 'Enabled'
   }
   identity: {
     type: 'SystemAssigned'
@@ -46,13 +112,12 @@ resource appStorageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
     defaultToOAuthAuthentication: false
     allowCrossTenantReplication: true
     minimumTlsVersion: 'TLS1_2'
-    allowBlobPublicAccess: true
-    allowSharedKeyAccess: true
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: false
     networkAcls: {
       bypass: 'AzureServices'
-      virtualNetworkRules: []
-      ipRules: []
-      defaultAction: 'Allow'
+      virtualNetworkRules: [{ id: subnet.id }]
+      defaultAction: 'Deny'
     }
     supportsHttpsTrafficOnly: true
     encryption: {
@@ -120,16 +185,18 @@ resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2024-02-15-preview
     publicNetworkAccess: 'Enabled'
     enableAutomaticFailover: false
     enableMultipleWriteLocations: false
-    isVirtualNetworkFilterEnabled: false
-    virtualNetworkRules: []
+    isVirtualNetworkFilterEnabled: true
+    virtualNetworkRules: [{
+      id: subnet.id
+    }]
     disableKeyBasedMetadataWriteAccess: false
     enableFreeTier: false
     enableAnalyticalStorage: false
     analyticalStorageConfiguration: {}
     databaseAccountOfferType: 'Standard'
     enableMaterializedViews: false
     networkAclBypass: 'None'
-    disableLocalAuth: false
+    disableLocalAuth: true
     enablePartitionMerge: false
     enablePerRegionPerPartitionAutoscale: false
     enableBurstCapacity: false
@@ -275,4 +342,18 @@ resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignm
   }
 }
 
+// Use a module to merge the current app settings with the new ones to prevent overwritting the app insights configured settings
+module appSettings 'appSettings.bicep' = {
+  name: '${webAppName}-appsettings'
+  params: {
+    webAppName: webApp.name
+    // Get the current appsettings
+    currentAppSettings: list(resourceId('Microsoft.Web/sites/config', webApp.name, 'appsettings'), '2022-03-01').properties
+    appSettings: {
+      ASPNETCORE_ENVIRONMENT: aspEnvironment
+    }
+  }
+}
+
 output appIdentityPrincipalId string = webApp.identity.principalId
+output subnetId string = subnet.id

tools/pipeline-witness/infrastructure/bicep/appSettings.bicep

@@ -0,0 +1,13 @@
+param webAppName string
+param appSettings object
+param currentAppSettings object
+
+resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
+  name: webAppName
+}
+
+resource siteconfig 'Microsoft.Web/sites/config@2022-03-01' = {
+  parent: webApp
+  name: 'appsettings'
+  properties: union(currentAppSettings, appSettings)
+}

tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep

@@ -3,6 +3,7 @@ param logsStorageAccountName string
 param kustoClusterName string
 param kustoDatabaseName string
 param webAppName string
+param subnetId string
 param appIdentityPrincipalId string
 
 var tables = [
@@ -54,13 +55,12 @@ resource logsStorageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
     defaultToOAuthAuthentication: false
     allowCrossTenantReplication: true
     minimumTlsVersion: 'TLS1_2'
-    allowBlobPublicAccess: true
-    allowSharedKeyAccess: true
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: false
     networkAcls: {
       bypass: 'AzureServices'
-      virtualNetworkRules: []
-      ipRules: []
-      defaultAction: 'Allow'
+      virtualNetworkRules: [{ id: subnetId }]
+      defaultAction: 'Deny'
     }
     supportsHttpsTrafficOnly: true
     encryption: {
@@ -180,6 +180,7 @@ resource kustoCluster 'Microsoft.Kusto/Clusters@2022-02-01' = {
     enableAutoStop: false
     publicIPType: 'IPv4'
   }
+
   resource database 'Databases' = {
     name: kustoDatabaseName
     location: location
@@ -188,6 +189,14 @@ resource kustoCluster 'Microsoft.Kusto/Clusters@2022-02-01' = {
       hotCachePeriod: 'P31D'
     }
   }
+
+  resource managedEndpoint 'managedPrivateEndpoints' = {
+    name: logsStorageAccountName
+    properties: {
+      groupId: 'blob'
+      privateLinkResourceId: logsStorageAccount.id
+    }
+  }
 }
 
 // Resources per table

tools/pipeline-witness/infrastructure/bicep/parameters.production.json

@@ -20,6 +20,9 @@
     "appStorageAccountName": {
       "value": "pipelinewitnessprod"
     },
+    "aspEnvironment": {
+      "value": "production"
+    },
     "logsResourceGroupName": {
       "value": "pipelinelogs"
     },
@@ -31,6 +34,18 @@
     },
     "kustoDatabaseName": {
       "value": "Pipelines"
+    },
+    "networkSecurityGroupName": {
+      "value": "pipelinewitnessprod"
+    },
+    "vnetName": {
+      "value": "pipelinewitnessprod"
+    },
+    "vnetPrefix": {
+      "value": "10.9.0.0/16"
+    },
+    "subnetPrefix": {
+      "value": "10.9.0.0/24"
     }
   }
 }

tools/pipeline-witness/infrastructure/bicep/parameters.staging.json

@@ -20,6 +20,9 @@
     "appStorageAccountName": {
       "value": "pipelinewitnessstaging"
     },
+    "aspEnvironment": {
+      "value": "staging"
+    },
     "logsResourceGroupName": {
       "value": "pipelinelogs"
     },
@@ -31,6 +34,18 @@
     },
     "kustoDatabaseName": {
       "value": "Staging"
+    },
+    "networkSecurityGroupName": {
+      "value": "pipelinewitnessstaging"
+    },
+    "vnetName": {
+      "value": "pipelinewitnessstaging"
+    },
+    "vnetPrefix": {
+      "value": "10.8.0.0/16"
+    },
+    "subnetPrefix": {
+      "value": "10.8.0.0/24"
     }
   }
 }

tools/pipeline-witness/infrastructure/bicep/parameters.test.json

@@ -20,6 +20,9 @@
     "appStorageAccountName": {
       "value": "pipelinewitnesstest"
     },
+    "aspEnvironment": {
+      "value": "test"
+    },
     "logsResourceGroupName": {
       "value": "pipelinelogstest"
     },
@@ -31,6 +34,18 @@
     },
     "kustoDatabaseName": {
       "value": "test"
+    },
+    "networkSecurityGroupName": {
+      "value": "pipelinewitnesstest"
+    },
+    "vnetName": {
+      "value": "pipelinewitnesstest"
+    },
+    "vnetPrefix": {
+      "value": "10.7.0.0/16"
+    },
+    "subnetPrefix": {
+      "value": "10.7.0.0/24"
     }
   }
 }

tools/pipeline-witness/infrastructure/bicep/resourceGroups.bicep

@@ -5,8 +5,13 @@ param location string
 param appResourceGroupName string
 param appServicePlanName string
 param webAppName string
+param networkSecurityGroupName string
+param vnetName string
+param vnetPrefix string
+param subnetPrefix string
 param cosmosAccountName string
 param appStorageAccountName string
+param aspEnvironment string
 
 param logsResourceGroupName string
 param logsStorageAccountName string
@@ -25,9 +30,14 @@ module pipelineWitness 'appResourceGroup.bicep' = {
   params: {
     location: location
     appServicePlanName: appServicePlanName
+    vnetPrefix: vnetPrefix
+    subnetPrefix: subnetPrefix
     webAppName: webAppName
     cosmosAccountName: cosmosAccountName
     appStorageAccountName: appStorageAccountName
+    aspEnvironment: aspEnvironment
+    networkSecurityGroupName: networkSecurityGroupName
+    vnetName: vnetName
   }
 }
 
@@ -49,5 +59,6 @@ module pipelineLogs 'logsResourceGroup.bicep' = {
     kustoDatabaseName: kustoDatabaseName
     webAppName: webAppName
     appIdentityPrincipalId: pipelineWitness.outputs.appIdentityPrincipalId
+    subnetId: pipelineWitness.outputs.subnetId
   }
 }