
Commit abda030

update waf to private networking
1 parent 4363b6d commit abda030

3 files changed

Lines changed: 53 additions & 48 deletions


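--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -4,6 +4,7 @@ targetScope = 'resourceGroup'
 metadata name = 'Content Processing Solution Accelerator'
 metadata description = 'Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance.'
 
+
 // ========== get up parameters from parameter file ========== //
 @description('Name of the environment to deploy the solution into:')
 param environmentName string
@@ -31,7 +32,7 @@ param resourceGroupLocation string = resourceGroup().location
 @description('The resource name format string')
 param resourceNameFormatString string = '{0}avm-cps'
 @description('Enable WAF for the deployment')
-param enableWaf bool = true
+param enablePrivateNetworking bool = true
 @description('Enable telemetry for the deployment')
 param enableTelemetry bool = true
 //@description('Resource naming abbreviations')
@@ -59,7 +60,7 @@ var namingAbbrs = loadJsonContent('./abbreviations.json')
 //
 
 // ========== Network Security Group definition ========== //
-module avmNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.5.1' = if (enableWaf) {
+module avmNetworkSecurityGroup 'br/public:avm/res/network/network-security-group:0.5.1' = if (enablePrivateNetworking ) {
 name: format(
 resourceNameFormatString,
 '${namingAbbrs.networking.networkSecurityGroup}backend'
@@ -78,7 +79,7 @@ module avmNetworkSecurityGroup 'br/public:avm/res/network/network-security-group
 
 // Securing a custom VNET in Azure Container Apps with Network Security Groups
 // https://learn.microsoft.com/en-us/azure/container-apps/firewall-integration?tabs=workload-profiles
-module avmNetworkSecurityGroup_Containers 'br/public:avm/res/network/network-security-group:0.5.1' = if (enableWaf) {
+module avmNetworkSecurityGroup_Containers 'br/public:avm/res/network/network-security-group:0.5.1' = if (enablePrivateNetworking ) {
 name: format(
 resourceNameFormatString,
 '${namingAbbrs.networking.networkSecurityGroup}containers'
@@ -150,7 +151,7 @@ module avmNetworkSecurityGroup_Containers 'br/public:avm/res/network/network-sec
 }
 }
 
-module avmNetworkSecurityGroup_Bastion 'br/public:avm/res/network/network-security-group:0.5.1' = if (enableWaf) {
+module avmNetworkSecurityGroup_Bastion 'br/public:avm/res/network/network-security-group:0.5.1' = if (enablePrivateNetworking ) {
 name: format(
 resourceNameFormatString,
 '${namingAbbrs.networking.networkSecurityGroup}bastion'
@@ -167,7 +168,7 @@ module avmNetworkSecurityGroup_Bastion 'br/public:avm/res/network/network-securi
 }
 }
 
-module avmNetworkSecurityGroup_Admin 'br/public:avm/res/network/network-security-group:0.5.1' = if (enableWaf) {
+module avmNetworkSecurityGroup_Admin 'br/public:avm/res/network/network-security-group:0.5.1' = if (enablePrivateNetworking ) {
 name: format(
 resourceNameFormatString,
 '${namingAbbrs.networking.networkSecurityGroup}admin'
@@ -191,7 +192,7 @@ module avmNetworkSecurityGroup_Admin 'br/public:avm/res/network/network-security
 // Bastion Hosts : 10.0.1.32/27 - 10.0.1.63
 // VM(s) :
 
-module avmVirtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = if (enableWaf) {
+module avmVirtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = if (enablePrivateNetworking ) {
 name: format(resourceNameFormatString, namingAbbrs.networking.virtualNetwork)
 params: {
 name: '${namingAbbrs.networking.virtualNetwork}${solution_prefix}'
@@ -242,7 +243,7 @@ var openAiPrivateDnsZones = {
 
 @batchSize(1)
 module avmPrivateDnsZoneAiServices 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
-for zone in items(openAiPrivateDnsZones): if (enableWaf) {
+for zone in items(openAiPrivateDnsZones): if (enablePrivateNetworking ) {
 name: zone.key
 params: {
 name: zone.key
@@ -262,7 +263,7 @@ var storagePrivateDnsZones = {
 
 @batchSize(1)
 module avmPrivateDnsZoneStorages 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
-for zone in items(storagePrivateDnsZones): if (enableWaf) {
+for zone in items(storagePrivateDnsZones): if (enablePrivateNetworking ) {
 name: 'private-dns-zone-storage-${zone.value}'
 params: {
 name: zone.key
@@ -281,7 +282,7 @@ var aiHubPrivateDnsZones = {
 
 @batchSize(1)
 module avmPrivateDnsZoneAiFoundryWorkspace 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
-for (zone, i) in items(aiHubPrivateDnsZones): if (enableWaf) {
+for (zone, i) in items(aiHubPrivateDnsZones): if (enablePrivateNetworking ) {
 name: 'private-dns-zone-aifoundry-workspace-${zone.value}-${i}'
 params: {
 name: zone.key
@@ -296,7 +297,7 @@ module avmPrivateDnsZoneAiFoundryWorkspace 'br/public:avm/res/network/private-dn
 var cosmosdbMongoPrivateDnsZones = {
 'privatelink.mongo.cosmos.azure.com': 'cosmosdb'
 }
-module avmPrivateDnsZoneCosmosMongoDB 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enableWaf) {
+module avmPrivateDnsZoneCosmosMongoDB 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enablePrivateNetworking ) {
 name: 'private-dns-zone-cosmos-mongo'
 params: {
 name: items(cosmosdbMongoPrivateDnsZones)[0].key
@@ -313,7 +314,7 @@ module avmPrivateDnsZoneCosmosMongoDB 'br/public:avm/res/network/private-dns-zon
 // }
 
 // module avmPrivateDnsZonesAppStorage 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
-// for (zone, i) in items(appStoragePrivateDnsZones): if (enableWaf) {
+// for (zone, i) in items(appStoragePrivateDnsZones): if (enablePrivateNetworking ) {
 // name: 'private-dns-zone-app-storage-${zone.value}-${i}'
 // params: {
 // name: zone.key
@@ -329,7 +330,7 @@ var appConfigPrivateDnsZones = {
 'privatelink.azconfig.io': 'appconfig'
 }
 
-module avmPrivateDnsZoneAppConfig 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enableWaf) {
+module avmPrivateDnsZoneAppConfig 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enablePrivateNetworking ) {
 name: 'private-dns-zone-app-config'
 params: {
 name: items(appConfigPrivateDnsZones)[0].key
@@ -344,7 +345,7 @@ var keyVaultPrivateDnsZones = {
 'privatelink.vaultcore.azure.net': 'keyvault'
 }
 
-module avmPrivateDnsZoneKeyVault 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enableWaf) {
+module avmPrivateDnsZoneKeyVault 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enablePrivateNetworking ) {
 name: 'private-dns-zone-key-vault'
 params: {
 name: items(keyVaultPrivateDnsZones)[0].key
@@ -359,7 +360,7 @@ var containerRegistryPrivateDnsZones = {
 'privatelink.azurecr.io': 'containerregistry'
 }
 
-module avmPrivateDnsZoneContainerRegistry 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enableWaf) {
+module avmPrivateDnsZoneContainerRegistry 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (enablePrivateNetworking ) {
 name: 'private-dns-zone-container-registry'
 params: {
 name: items(containerRegistryPrivateDnsZones)[0].key
@@ -437,7 +438,7 @@ module avmKeyVault './modules/key-vault.bicep' = {
 enableVaultForDiskEncryption: true
 enableVaultForTemplateDeployment: true
 softDeleteRetentionInDays: 7
-publicNetworkAccess: (enableWaf) ? 'Disabled' : 'Enabled'
+publicNetworkAccess: (enablePrivateNetworking ) ? 'Disabled' : 'Enabled'
 // privateEndpoints omitted for now, as not in strongly-typed params
 }
 scope: resourceGroup(resourceGroup().name)
@@ -491,9 +492,9 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
 accessTier: 'Hot'
 
 //<======================= WAF related parameters
-allowBlobPublicAccess: (!enableWaf) // Disable public access when WAF is enabled
-publicNetworkAccess: (enableWaf) ? 'Disabled' : 'Enabled'
-privateEndpoints: (enableWaf)
+allowBlobPublicAccess: (!enablePrivateNetworking ) // Disable public access when WAF is enabled
+publicNetworkAccess: (enablePrivateNetworking ) ? 'Disabled' : 'Enabled'
+privateEndpoints: (enablePrivateNetworking )
 ? [
 {
 name: 'storage-private-endpoint-blob'
@@ -652,7 +653,7 @@ module avmStorageAccount_RoleAssignment_avmContainerApp_API_queue 'br/public:avm
 // enableVaultForDiskEncryption: true
 // enableVaultForTemplateDeployment: true
 // softDeleteRetentionInDays: 7
-// publicNetworkAccess: (enableWaf) ? 'Disabled' : 'Enabled'
+// publicNetworkAccess: (enablePrivateNetworking ) ? 'Disabled' : 'Enabled'
 // // privateEndpoints omitted for now, as not in strongly-typed params
 // }
 // scope: resourceGroup(resourceGroup().name)
@@ -706,9 +707,9 @@ module avmStorageAccount_RoleAssignment_avmContainerApp_API_queue 'br/public:avm
 // accessTier: 'Hot'
 
 // //<======================= WAF related parameters
-// allowBlobPublicAccess: (!enableWaf) // Disable public access when WAF is enabled
-// publicNetworkAccess: (enableWaf) ? 'Disabled' : 'Enabled'
-// privateEndpoints: (enableWaf)
+// allowBlobPublicAccess: (!enablePrivateNetworking ) // Disable public access when WAF is enabled
+// publicNetworkAccess: (enablePrivateNetworking ) ? 'Disabled' : 'Enabled'
+// privateEndpoints: (enablePrivateNetworking )
 // ? [
 // {
 // name: 'storage-private-endpoint-blob'
@@ -1135,7 +1136,7 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.11.1' = {
 platformReservedCidr: '172.17.17.0/24'
 platformReservedDnsIP: '172.17.17.17'
 
-infrastructureSubnetResourceId: (enableWaf)
+infrastructureSubnetResourceId: (enablePrivateNetworking )
 ? avmVirtualNetwork.outputs.subnetResourceIds[1] // Use the container app subnet
 : null // Use the container app subnet
 }
@@ -1436,12 +1437,12 @@ module avmCosmosDB 'br/public:avm/res/document-db/database-account:0.15.0' = {
 
 // WAF related parameters
 networkRestrictions: {
-publicNetworkAccess: (enableWaf) ? 'Disabled' : 'Enabled'
+publicNetworkAccess: (enablePrivateNetworking ) ? 'Disabled' : 'Enabled'
 ipRules: []
 virtualNetworkRules: []
 }
 
-privateEndpoints: (enableWaf)
+privateEndpoints: (enablePrivateNetworking )
 ? [
 {
 name: 'cosmosdb-private-endpoint'
@@ -1587,7 +1588,7 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
 }
 }
 
-module avmAppConfig_update 'br/public:avm/res/app-configuration/configuration-store:0.6.3' = if (enableWaf) {
+module avmAppConfig_update 'br/public:avm/res/app-configuration/configuration-store:0.6.3' = if (enablePrivateNetworking ) {
 name: format(
 resourceNameFormatString,
 '${namingAbbrs.developerTools.appConfigurationStore}-update'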
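Review bot: The renamed parameter in the `@@ -31,7 +32,7 @@` hunk keeps its old annotation, so `@description('Enable WAF for the deployment')` now labels `enablePrivateNetworking`; change it to `@description('Enable private networking (VNet, NSGs, private endpoints and private DNS zones) for the deployment')`, and the `// Disable public access when WAF is enabled`, `//<======================= WAF related parameters` and `// WAF related parameters` comments in the storage-account and Cosmos DB hunks carry the same stale wording. Every rewritten condition also has a stray space before the closing parenthesis, `if (enablePrivateNetworking )`; write `if (enablePrivateNetworking)`. In the `avmStorageAccount` hunk, `allowBlobPublicAccess: (!enablePrivateNetworking )` ties anonymous blob access to the networking toggle, so a deployment with private networking switched off still permits anonymous blob reads; that setting is independent of the network path, and `allowBlobPublicAccess: false` unconditionally is the safer default unless anonymous access is actually required. Renaming a template parameter breaks any parameter file or pipeline still passing `enableWaf`; the other two files in this commit are not shown here, so I can't confirm they were updated to match.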
