Update acls, admin users, Makefile, *.json

asw101 · asw101 · commit 6693c660a6f8 · 2024-08-28T20:21:14.000-04:00
Signed-off-by: Aaron Wislang &lt;aaron.wislang@microsoft.com&gt;
diff --git a/cloud-native/Makefile b/cloud-native/Makefile
@@ -1,8 +1,2 @@
 bicep:
-	az bicep build -f aks-arm64/main.bicep 
-	az bicep build -f aks-bicep-keda/01-aks/main.bicep 
-	az bicep build -f aks-bicep/01-aks/main.bicep 
-	az bicep build -f aks-open-service-mesh/main.bicep
-	az bicep build -f aks-webapp-routing/main.bicep 
 	az bicep build -f containerapps-bicep/main.bicep
-	az bicep build -f aks-bicep-k8s/main.bicep 
diff --git a/cloud-native/aks-azure-linux/aks.bicep b/cloud-native/aks-azure-linux/aks.bicep
@@ -76,7 +76,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' =
     name: 'Standard'
   }
   properties: {
-    adminUserEnabled: true
+    adminUserEnabled: false
   }
 }
 
@@ -88,6 +88,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
     name: 'Premium_LRS'
   }
   properties: {
+    allowBlobPublicAccess: false
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+      virtualNetworkRules: []
+      ipRules: []
+    }
     minimumTlsVersion: 'TLS1_2'
   }
 }
diff --git a/cloud-native/containerapps-bicep/containerapp.bicep b/cloud-native/containerapps-bicep/containerapp.bicep
@@ -18,7 +18,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' =
     name: 'Standard'
   }
   properties: {
-    adminUserEnabled: true
+    adminUserEnabled: false
   }
 }
 
diff --git a/cloud-native/containerapps-bicep/containerapp.json b/cloud-native/containerapps-bicep/containerapp.json
@@ -47,7 +47,7 @@
           "name": "Standard"
         },
         "properties": {
-          "adminUserEnabled": true
+          "adminUserEnabled": false
         }
       },
       {
diff --git a/cloud-native/containerapps-bicep/keyvault.bicep b/cloud-native/containerapps-bicep/keyvault.bicep
@@ -23,7 +23,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
       family: 'A'
     }
     networkAcls: {
-      defaultAction: 'Allow'
+      defaultAction: 'Deny'
       bypass: 'AzureServices'
     }
     accessPolicies: [
diff --git a/cloud-native/containerapps-bicep/main.json b/cloud-native/containerapps-bicep/main.json
@@ -89,7 +89,7 @@
                 "name": "Standard"
               },
               "properties": {
-                "adminUserEnabled": true
+                "adminUserEnabled": false
               }
             },
             {
@@ -268,7 +268,7 @@
                   "family": "A"
                 },
                 "networkAcls": {
-                  "defaultAction": "Allow",
+                  "defaultAction": "Deny",
                   "bypass": "AzureServices"
                 },
                 "accessPolicies": [
diff --git a/cloud-native/containerapps-bicep/postgres-keyvault.bicep b/cloud-native/containerapps-bicep/postgres-keyvault.bicep
@@ -26,7 +26,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
       family: 'A'
     }
     networkAcls: {
-      defaultAction: 'Allow'
+      defaultAction: 'Deny'
       bypass: 'AzureServices'
     }
     accessPolicies: [
diff --git a/cloud-native/containerapps-bicep/storage.bicep b/cloud-native/containerapps-bicep/storage.bicep
@@ -15,6 +15,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
     name: 'Premium_LRS'
   }
   properties: {
+    allowBlobPublicAccess: false
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+      virtualNetworkRules: []
+      ipRules: []
+    }
     minimumTlsVersion: 'TLS1_2'
   }
 }
diff --git a/linux/vm-flatcar-postgres/main.json b/linux/vm-flatcar-postgres/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "16546506825093351762"
+      "version": "0.29.47.4906",
+      "templateHash": "61716172662635668"
     }
   },
   "parameters": {
@@ -59,8 +59,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "5008762517955484404"
+              "version": "0.29.47.4906",
+              "templateHash": "13749006361708145984"
             }
           },
           "parameters": {
@@ -479,8 +479,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "17782720627283437608"
+              "version": "0.29.47.4906",
+              "templateHash": "13926952482795887884"
             }
           },
           "parameters": {
@@ -594,8 +594,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.28.1.47646",
-                      "templateHash": "9620970338207014434"
+                      "version": "0.29.47.4906",
+                      "templateHash": "17815256772229698992"
                     }
                   },
                   "parameters": {
diff --git a/linux/vm-mariner/vm.bicep b/linux/vm-mariner/vm.bicep
@@ -351,6 +351,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
     name: 'Premium_LRS'
   }
   properties: {
+    allowBlobPublicAccess: false
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+      virtualNetworkRules: []
+      ipRules: []
+    }
     minimumTlsVersion: 'TLS1_2'
   }
 }
diff --git a/linux/vm-mariner/vm.json b/linux/vm-mariner/vm.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "15024671018336532028"
+      "version": "0.29.47.4906",
+      "templateHash": "4772838773161597591"
     }
   },
   "parameters": {
@@ -414,6 +414,13 @@
         "name": "Premium_LRS"
       },
       "properties": {
+        "allowBlobPublicAccess": false,
+        "networkAcls": {
+          "defaultAction": "Deny",
+          "bypass": "AzureServices",
+          "virtualNetworkRules": [],
+          "ipRules": []
+        },
         "minimumTlsVersion": "TLS1_2"
       }
     },
diff --git a/linux/vm-mastodon/vm.json b/linux/vm-mastodon/vm.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "9529550557696470493"
+      "version": "0.29.47.4906",
+      "templateHash": "1716787271065300818"
     }
   },
   "parameters": {
diff --git a/linux/vm/vm.json b/linux/vm/vm.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "3859452481311857536"
+      "version": "0.29.47.4906",
+      "templateHash": "18192218196942100983"
     }
   },
   "parameters": {
diff --git a/linux/vmss/vmss.json b/linux/vmss/vmss.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "9575926172091705339"
+      "version": "0.29.47.4906",
+      "templateHash": "14570331344852001599"
     }
   },
   "parameters": {

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' =`
`76`	`76`	`name: 'Standard'`
`77`	`77`	`}`
`78`	`78`	`properties: {`
`79`		`- adminUserEnabled: true`
	`79`	`+ adminUserEnabled: false`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`
`@@ -88,6 +88,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {`
`88`	`88`	`name: 'Premium_LRS'`
`89`	`89`	`}`
`90`	`90`	`properties: {`
	`91`	`+ allowBlobPublicAccess: false`
	`92`	`+ networkAcls: {`
	`93`	`+ defaultAction: 'Deny'`
	`94`	`+ bypass: 'AzureServices'`
	`95`	`+ virtualNetworkRules: []`
	`96`	`+ ipRules: []`
	`97`	`+ }`
`91`	`98`	`minimumTlsVersion: 'TLS1_2'`
`92`	`99`	`}`
`93`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' =`
`18`	`18`	`name: 'Standard'`
`19`	`19`	`}`
`20`	`20`	`properties: {`
`21`		`- adminUserEnabled: true`
	`21`	`+ adminUserEnabled: false`
`22`	`22`	`}`
`23`	`23`	`}`
`24`	`24`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@`
`47`	`47`	`"name": "Standard"`
`48`	`48`	`},`
`49`	`49`	`"properties": {`
`50`		`- "adminUserEnabled": true`
	`50`	`+ "adminUserEnabled": false`
`51`	`51`	`}`
`52`	`52`	`},`
`53`	`53`	`{`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {`
`23`	`23`	`family: 'A'`
`24`	`24`	`}`
`25`	`25`	`networkAcls: {`
`26`		`- defaultAction: 'Allow'`
	`26`	`+ defaultAction: 'Deny'`
`27`	`27`	`bypass: 'AzureServices'`
`28`	`28`	`}`
`29`	`29`	`accessPolicies: [`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {`
`26`	`26`	`family: 'A'`
`27`	`27`	`}`
`28`	`28`	`networkAcls: {`
`29`		`- defaultAction: 'Allow'`
	`29`	`+ defaultAction: 'Deny'`
`30`	`30`	`bypass: 'AzureServices'`
`31`	`31`	`}`
`32`	`32`	`accessPolicies: [`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {`
`15`	`15`	`name: 'Premium_LRS'`
`16`	`16`	`}`
`17`	`17`	`properties: {`
	`18`	`+ allowBlobPublicAccess: false`
	`19`	`+ networkAcls: {`
	`20`	`+ defaultAction: 'Deny'`
	`21`	`+ bypass: 'AzureServices'`
	`22`	`+ virtualNetworkRules: []`
	`23`	`+ ipRules: []`
	`24`	`+ }`
`18`	`25`	`minimumTlsVersion: 'TLS1_2'`
`19`	`26`	`}`
`20`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -351,6 +351,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {`
`351`	`351`	`name: 'Premium_LRS'`
`352`	`352`	`}`
`353`	`353`	`properties: {`
	`354`	`+ allowBlobPublicAccess: false`
	`355`	`+ networkAcls: {`
	`356`	`+ defaultAction: 'Deny'`
	`357`	`+ bypass: 'AzureServices'`
	`358`	`+ virtualNetworkRules: []`
	`359`	`+ ipRules: []`
	`360`	`+ }`
`354`	`361`	`minimumTlsVersion: 'TLS1_2'`
`355`	`362`	`}`
`356`	`363`	`}`