From 4e574b36eaff2e049a485a5a0bac174ef561bd1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rasmus=20Lystr=C3=B8m?= <rasmusl@microsoft.com>
Date: Sun, 17 Nov 2024 20:39:59 +0000
Subject: [PATCH] go

---
 .github/linters/.checkov.yaml |  24 +-----
 .github/workflows/lint.yml    |   4 +-
 infrastructure/main.bicep     | 152 ++++++++++++++--------------------
 3 files changed, 63 insertions(+), 117 deletions(-)

diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
index 393fa50..41b4cee 100644
--- a/.github/linters/.checkov.yaml
+++ b/.github/linters/.checkov.yaml
@@ -1,29 +1,7 @@
 ---
 quiet: true
 skip-check:
-  - CKV_AZURE_13 # Ensure App Service Authentication is set on Azure App Service
-  - CKV_AZURE_15 # Ensure web app is using the latest version of TLS encryption
-  - CKV_AZURE_17 # Ensure the web app has 'Client Certificates (Incoming client certificates)' set
-  - CKV_AZURE_23 # Ensure that 'Auditing' is set to 'On' for SQL servers
-  - CKV_AZURE_24 # Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
-  - CKV_AZURE_25 # Ensure that 'Threat Detection types' is set to 'All'
-  - CKV_AZURE_26 # Ensure that 'Send Alerts To' is enabled for MSSQL servers
-  - CKV_AZURE_27 # Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
-  - CKV_AZURE_35 # Ensure default network access rule for Storage Accounts is set to deny
-  - CKV_AZURE_52 # Ensure MSSQL is using the latest version of TLS encryption
-  - CKV_AZURE_59 # Ensure that Storage Accounts disallow public access
-  - CKV_AZURE_63 # Ensure that App service enables HTTP logging
-  - CKV_AZURE_65 # Ensure that App service enables detailed error messages
-  - CKV_AZURE_66 # Ensure that App service enables failed request tracing
-  - CKV_AZURE_80 # Ensure that 'Net Framework' version is the latest, if used as a part of the web app
-  - CKV_AZURE_88 # Ensure that App Services use Azure Files
-  - CKV_AZURE_109 # Ensure that Key Vault allows firewall rules settings
-  - CKV_AZURE_113 # Ensure that SQL server disables public network access
-  - CKV_AZURE_145 # Ensure Function app is using the latest version of TLS encryption
-  - CKV_AZURE_212 # Ensure App Service has a minimum number of instances for failover
-  - CKV_AZURE_222 # Ensure that Azure Web App public network access is disabled
-  - CKV_AZURE_225 # Ensure the App Service Plan is zone redundant
-  - CKV_AZURE_229 # Ensure the Azure SQL Database Namespace is zone redundant
+  - CKV_AZURE* # Azure checks are skipped as we rely on Azure Policy instead
 skip-path:
   - bin
   - obj
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 0ca265f..5769ea2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,15 +10,13 @@ name: Lint
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   build:
     name: Lint
     runs-on: ubuntu-latest
 
     permissions:
+      contents: read
       statuses: write
 
     steps:
diff --git a/infrastructure/main.bicep b/infrastructure/main.bicep
index 6bb310f..e83568a 100644
--- a/infrastructure/main.bicep
+++ b/infrastructure/main.bicep
@@ -12,7 +12,7 @@ param stagingDatabaseSku string = 'Basic'
 var deploymentSlotName = 'staging'
 var stagingDatabaseName = '${databaseName}Staging'
 
-resource webApp 'Microsoft.Web/sites@2023-12-01' = {
+resource webApp 'Microsoft.Web/sites@2024-04-01' = {
   name: webAppName
   location: location
   kind: 'app,linux,container'
@@ -21,52 +21,60 @@ resource webApp 'Microsoft.Web/sites@2023-12-01' = {
   }
   properties: {
     serverFarmId: appServicePlanId
-    reserved: true
-    hyperV: false
     siteConfig: {
       acrUseManagedIdentityCreds: true
-      alwaysOn: true
-      detailedErrorLoggingEnabled: true
-      ftpsState: 'Disabled'
       healthCheckPath: '/healthz'
-      http20Enabled: true
-      httpLoggingEnabled: true
-      minTlsVersion: '1.3'
-      scmMinTlsVersion: '1.3'
     }
-    httpsOnly: true
-    publicNetworkAccess: 'Enabled'
   }
-}
 
-resource deploymentSlot 'Microsoft.Web/sites/slots@2023-12-01' = {
-  name: deploymentSlotName
-  parent: webApp
-  location: location
-  kind: 'app,linux,container'
-  identity: {
-    type: 'SystemAssigned'
+  resource slotConfigNames 'config' = {
+    name: 'slotConfigNames'
+    properties: {
+      appSettingNames: [
+        'APPLICATIONINSIGHTS_CONNECTION_STRING'
+        'AZURE_SQL_CONNECTIONSTRING'
+      ]
+      azureStorageConfigNames: []
+      connectionStringNames: []
+    }
   }
-  properties: {
-    serverFarmId: appServicePlanId
-    reserved: true
-    hyperV: false
-    siteConfig: {
-      acrUseManagedIdentityCreds: true
-      alwaysOn: true
-      detailedErrorLoggingEnabled: true
-      ftpsState: 'Disabled'
-      healthCheckPath: '/healthz'
-      http20Enabled: true
-      httpLoggingEnabled: true
-      minTlsVersion: '1.3'
-      scmMinTlsVersion: '1.3'
+
+  resource appSettings 'config' = {
+    name: 'appsettings'
+    properties: {
+      APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString
+      ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
+      AZURE_SQL_CONNECTIONSTRING: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${databaseName};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication=ActiveDirectoryManagedIdentity'
+      XDT_MicrosoftApplicationInsights_Mode: 'Recommended'
     }
-    httpsOnly: true
-    publicNetworkAccess: 'Enabled'
   }
-}
 
+  resource deploymentSlot 'slots' = {
+    name: deploymentSlotName
+    location: location
+    kind: 'app,linux,container'
+    identity: {
+      type: 'SystemAssigned'
+    }
+    properties: {
+      serverFarmId: appServicePlanId
+      siteConfig: {
+        acrUseManagedIdentityCreds: true
+        healthCheckPath: '/healthz'
+      }
+    }
+
+    resource stagingAppSettings 'config' = {
+      name: 'appsettings'
+      properties: {
+        APPLICATIONINSIGHTS_CONNECTION_STRING: stagingApplicationInsights.properties.ConnectionString
+        ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
+        AZURE_SQL_CONNECTIONSTRING: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${stagingDatabaseName};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication=ActiveDirectoryManagedIdentity'
+        XDT_MicrosoftApplicationInsights_Mode: 'Recommended'
+      }
+    }
+  }
+}
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
   name: webAppName
@@ -78,31 +86,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
   }
 }
 
-resource appSettings 'Microsoft.Web/sites/config@2023-12-01' = {
-  name: 'appsettings'
-  parent: webApp
-  properties: {
-    APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString
-    ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
-    AZURE_SQL_CONNECTIONSTRING: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${databaseName};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication=ActiveDirectoryManagedIdentity'
-    XDT_MicrosoftApplicationInsights_Mode: 'Recommended'
-  }
-}
-
-resource slotConfigNames 'Microsoft.Web/sites/config@2023-12-01' = {
-  name: 'slotConfigNames'
-  parent: webApp
-  properties: {
-    appSettingNames: [
-      'APPLICATIONINSIGHTS_CONNECTION_STRING'
-      'AZURE_SQL_CONNECTIONSTRING'
-    ]
-    azureStorageConfigNames: []
-    connectionStringNames: []
-  }
-}
-
-resource stagingApplicationInsights 'Microsoft.Insights/components@2020-02-02'= {
+resource stagingApplicationInsights 'Microsoft.Insights/components@2020-02-02' = {
   name: '${webAppName}-staging'
   location: location
   kind: 'web'
@@ -112,18 +96,7 @@ resource stagingApplicationInsights 'Microsoft.Insights/components@2020-02-02'=
   }
 }
 
-resource stagingAppSettings 'Microsoft.Web/sites/slots/config@2023-12-01' = {
-  name: 'appsettings'
-  parent: deploymentSlot
-  properties: {
-    APPLICATIONINSIGHTS_CONNECTION_STRING: stagingApplicationInsights.properties.ConnectionString
-    ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
-    AZURE_SQL_CONNECTIONSTRING: 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${stagingDatabaseName};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication=ActiveDirectoryManagedIdentity'
-    XDT_MicrosoftApplicationInsights_Mode: 'Recommended'
-  }
-}
-
-resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
+resource sqlServer 'Microsoft.Sql/servers@2024-05-01-preview' = {
   name: sqlServerName
   location: location
   identity: {
@@ -137,7 +110,6 @@ resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
       principalType: 'Group'
       sid: sqlAdminGroupId
     }
-    minimalTlsVersion: '1.3'
   }
 
   resource azureServices 'firewallRules' = {
@@ -147,24 +119,22 @@ resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
       endIpAddress: '0.0.0.0'
     }
   }
-}
 
-resource database 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
-  parent: sqlServer
-  name: databaseName
-  location: location
-  sku: {
-    name: databaseSku
+  resource database 'databases' = {
+    name: databaseName
+    location: location
+    sku: {
+      name: databaseSku
+    }
+    properties: {}
   }
-  properties: {}
-}
 
-resource stagingDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
-  parent: sqlServer
-  name: stagingDatabaseName
-  location: location
-  sku: {
-    name: stagingDatabaseSku
+  resource stagingDatabase 'databases' = {
+    name: stagingDatabaseName
+    location: location
+    sku: {
+      name: stagingDatabaseSku
+    }
+    properties: {}
   }
-  properties: {}
 }