From 6693c660a6f842e719fce40282356858ee538f97 Mon Sep 17 00:00:00 2001
From: Aaron Wislang
Date: Wed, 28 Aug 2024 20:21:14 -0400
Subject: [PATCH] Update acls, admin users, Makefile, *.json
Signed-off-by: Aaron Wislang
---
 cloud-native/Makefile | 6 ------
 cloud-native/aks-azure-linux/aks.bicep | 9 ++++++++-
 .../containerapps-bicep/containerapp.bicep | 2 +-
 .../containerapps-bicep/containerapp.json | 2 +-
 cloud-native/containerapps-bicep/keyvault.bicep | 2 +-
 cloud-native/containerapps-bicep/main.json | 4 ++--
 .../containerapps-bicep/postgres-keyvault.bicep | 2 +-
 cloud-native/containerapps-bicep/storage.bicep | 7 +++++++
 linux/vm-flatcar-postgres/main.json | 16 ++++++++--------
 linux/vm-mariner/vm.bicep | 7 +++++++
 linux/vm-mariner/vm.json | 11 +++++++++--
 linux/vm-mastodon/vm.json | 4 ++--
 linux/vm/vm.json | 4 ++--
 linux/vmss/vmss.json | 4 ++--
 14 files changed, 51 insertions(+), 29 deletions(-)
diff --git a/cloud-native/Makefile b/cloud-native/Makefile
index 5982ca6..03f572e 100644
--- a/cloud-native/Makefile
+++ b/cloud-native/Makefile
@@ -1,8 +1,2 @@
 bicep:
- az bicep build -f aks-arm64/main.bicep
- az bicep build -f aks-bicep-keda/01-aks/main.bicep
- az bicep build -f aks-bicep/01-aks/main.bicep
- az bicep build -f aks-open-service-mesh/main.bicep
- az bicep build -f aks-webapp-routing/main.bicep
 az bicep build -f containerapps-bicep/main.bicep
- az bicep build -f aks-bicep-k8s/main.bicep
diff --git a/cloud-native/aks-azure-linux/aks.bicep b/cloud-native/aks-azure-linux/aks.bicep
index 212bd74..70408f6 100644
--- a/cloud-native/aks-azure-linux/aks.bicep
+++ b/cloud-native/aks-azure-linux/aks.bicep
@@ -76,7 +76,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' = {
 name: 'Standard'
 }
 properties: {
- adminUserEnabled: true
+ adminUserEnabled: false
 }
 }
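Review bot: Disabling the registry admin user at `adminUserEnabled: false` removes the username/password credential that the AKS cluster in this template may be using to pull images, and nothing in the commit adds a replacement. The same flip is made in containerapps-bicep/containerapp.bicep and in the compiled containerapp.json and main.json, where a container app that references the registry with `listCredentials()` or a password secret would stop being able to pull. I can't see the rest of either file, so please confirm that the workload identity (the AKS kubelet identity, or the container app's managed identity) already holds the AcrPull role on the registry; if not, add a `Microsoft.Authorization/roleAssignments` resource scoped to `containerRegistry` in the same deployment so the change does not break the next image pull. The containerRegistry resource starts outside the hunk.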
@@ -88,6 +88,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
 name: 'Premium_LRS'
 }
 properties: {
+ allowBlobPublicAccess: false
+ networkAcls: {
+ defaultAction: 'Deny'
+ bypass: 'AzureServices'
+ virtualNetworkRules: []
+ ipRules: []
+ }
 minimumTlsVersion: 'TLS1_2'
 }
 }
diff --git a/cloud-native/containerapps-bicep/containerapp.bicep b/cloud-native/containerapps-bicep/containerapp.bicep
index 2004553..a399824 100644
--- a/cloud-native/containerapps-bicep/containerapp.bicep
+++ b/cloud-native/containerapps-bicep/containerapp.bicep
@@ -18,7 +18,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2019-05-01' = {
 name: 'Standard'
 }
 properties: {
- adminUserEnabled: true
+ adminUserEnabled: false
 }
 }
diff --git a/cloud-native/containerapps-bicep/containerapp.json b/cloud-native/containerapps-bicep/containerapp.json
index a3d14f7..aaf3cf9 100644
--- a/cloud-native/containerapps-bicep/containerapp.json
+++ b/cloud-native/containerapps-bicep/containerapp.json
@@ -47,7 +47,7 @@
 "name": "Standard"
 },
 "properties": {
- "adminUserEnabled": true
+ "adminUserEnabled": false
 }
 },
 {
diff --git a/cloud-native/containerapps-bicep/keyvault.bicep b/cloud-native/containerapps-bicep/keyvault.bicep
index 052780c..6df522b 100644
--- a/cloud-native/containerapps-bicep/keyvault.bicep
+++ b/cloud-native/containerapps-bicep/keyvault.bicep
@@ -23,7 +23,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
 family: 'A'
 }
 networkAcls: {
- defaultAction: 'Allow'
+ defaultAction: 'Deny'
 bypass: 'AzureServices'
 }
 accessPolicies: [
diff --git a/cloud-native/containerapps-bicep/main.json b/cloud-native/containerapps-bicep/main.json
index e07d5c2..c2a7952 100644
--- a/cloud-native/containerapps-bicep/main.json
+++ b/cloud-native/containerapps-bicep/main.json
@@ -89,7 +89,7 @@
 "name": "Standard"
 },
 "properties": {
- "adminUserEnabled": true
+ "adminUserEnabled": false
 }
 },
 {
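Review bot: `defaultAction: 'Deny'` combined with empty `virtualNetworkRules` and `ipRules` leaves only the trusted-services bypass, so any client that is not an Azure platform service — the AKS nodes here, the VM in linux/vm-mariner/vm.bicep, or the operator who runs the deployment and uploads to the account — is blocked until a rule is added, and the commit adds none. The identical block is pasted into containerapps-bicep/storage.bicep and linux/vm-mariner/vm.bicep (and compiled into linux/vm-mariner/vm.json at -414), so it is worth resolving once, ideally by moving the storage account into a shared module rather than repeating the literal. I can't see how these accounts are consumed; if a workload in the same VNet needs them, add a `virtualNetworkRules` entry for its subnet (which needs the Microsoft.Storage service endpoint) or a private endpoint instead of relaxing `defaultAction`, and if truly nothing outside trusted services needs access, say so in a comment above `networkAcls`. Note that `allowBlobPublicAccess: false` only blocks anonymous blob access; `allowSharedKeyAccess: false` is the companion setting once no caller depends on account keys. The storageAccount resource starts outside the hunk.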
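Review bot: The hunks in containerapp.json (-47) and containerapps-bicep/main.json (-89 and -268) change only the flipped property values, while every other compiled template in this commit also receives a new `_generator.version` and `templateHash`, which suggests these two were edited by hand and their `templateHash` no longer matches the template body. Regenerate them from the bicep source with the Makefile's remaining target, `az bicep build -f containerapps-bicep/main.bicep` (and whichever command produces containerapp.json — I can't tell from here whether it is built separately), so the JSON stays a faithful build artefact. Hand-edited compiled output will silently be overwritten on the next build and makes it hard to tell which copy is current.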
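Review bot: Switching `defaultAction` to `'Deny'` with only `bypass: 'AzureServices'` and no `ipRules` or `virtualNetworkRules` in the `networkAcls` block makes the vault unreachable from anything that is not a Key Vault trusted service, including the operator's machine that runs the deployment or seeds secrets and, unless Container Apps is on that trusted-services list (please verify), the container app that reads secrets from it. postgres-keyvault.bicep and the compiled main.json at -268 carry the same change. If the deployer's address is meant to be allowed, add it explicitly and parameterize it rather than hard-coding it, e.g. `ipRules: [ { value: '<deployer-ip-placeholder>/32' } ]`; otherwise document in a comment above `networkAcls` why no rules are needed. The keyVault resource starts outside the hunk.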
@@ -268,7 +268,7 @@
 "family": "A"
 },
 "networkAcls": {
- "defaultAction": "Allow",
+ "defaultAction": "Deny",
 "bypass": "AzureServices"
 },
 "accessPolicies": [
diff --git a/cloud-native/containerapps-bicep/postgres-keyvault.bicep b/cloud-native/containerapps-bicep/postgres-keyvault.bicep
index 5340285..1718c44 100644
--- a/cloud-native/containerapps-bicep/postgres-keyvault.bicep
+++ b/cloud-native/containerapps-bicep/postgres-keyvault.bicep
@@ -26,7 +26,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
 family: 'A'
 }
 networkAcls: {
- defaultAction: 'Allow'
+ defaultAction: 'Deny'
 bypass: 'AzureServices'
 }
 accessPolicies: [
diff --git a/cloud-native/containerapps-bicep/storage.bicep b/cloud-native/containerapps-bicep/storage.bicep
index 4f7fb6d..9015898 100644
--- a/cloud-native/containerapps-bicep/storage.bicep
+++ b/cloud-native/containerapps-bicep/storage.bicep
@@ -15,6 +15,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
 name: 'Premium_LRS'
 }
 properties: {
+ allowBlobPublicAccess: false
+ networkAcls: {
+ defaultAction: 'Deny'
+ bypass: 'AzureServices'
+ virtualNetworkRules: []
+ ipRules: []
+ }
 minimumTlsVersion: 'TLS1_2'
 }
 }
diff --git a/linux/vm-flatcar-postgres/main.json b/linux/vm-flatcar-postgres/main.json
index cee5216..b502d3e 100644
--- a/linux/vm-flatcar-postgres/main.json
+++ b/linux/vm-flatcar-postgres/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "16546506825093351762"
+ "version": "0.29.47.4906",
+ "templateHash": "61716172662635668"
 }
 },
 "parameters": {
@@ -59,8 +59,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "5008762517955484404"
+ "version": "0.29.47.4906",
+ "templateHash": "13749006361708145984"
 }
 },
 "parameters": {
@@ -479,8 +479,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "17782720627283437608"
+ "version": "0.29.47.4906",
+ "templateHash": "13926952482795887884"
 }
 },
 "parameters": {
@@ -594,8 +594,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "9620970338207014434"
+ "version": "0.29.47.4906",
+ "templateHash": "17815256772229698992"
 }
 },
 "parameters": {
diff --git a/linux/vm-mariner/vm.bicep b/linux/vm-mariner/vm.bicep
index 79ce1dd..7b499a1 100644
--- a/linux/vm-mariner/vm.bicep
+++ b/linux/vm-mariner/vm.bicep
@@ -351,6 +351,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
 name: 'Premium_LRS'
 }
 properties: {
+ allowBlobPublicAccess: false
+ networkAcls: {
+ defaultAction: 'Deny'
+ bypass: 'AzureServices'
+ virtualNetworkRules: []
+ ipRules: []
+ }
 minimumTlsVersion: 'TLS1_2'
 }
 }
diff --git a/linux/vm-mariner/vm.json b/linux/vm-mariner/vm.json
index 1216572..f57b66b 100644
--- a/linux/vm-mariner/vm.json
+++ b/linux/vm-mariner/vm.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "15024671018336532028"
+ "version": "0.29.47.4906",
+ "templateHash": "4772838773161597591"
 }
 },
 "parameters": {
@@ -414,6 +414,13 @@
 "name": "Premium_LRS"
 },
 "properties": {
+ "allowBlobPublicAccess": false,
+ "networkAcls": {
+ "defaultAction": "Deny",
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": []
+ },
 "minimumTlsVersion": "TLS1_2"
 }
 },
diff --git a/linux/vm-mastodon/vm.json b/linux/vm-mastodon/vm.json
index 0a4fa13..7f877a3 100644
--- a/linux/vm-mastodon/vm.json
+++ b/linux/vm-mastodon/vm.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "9529550557696470493"
+ "version": "0.29.47.4906",
+ "templateHash": "1716787271065300818"
 }
 },
 "parameters": {
diff --git a/linux/vm/vm.json b/linux/vm/vm.json
index 3693ef0..f7cc81a 100644
--- a/linux/vm/vm.json
+++ b/linux/vm/vm.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "3859452481311857536"
+ "version": "0.29.47.4906",
+ "templateHash": "18192218196942100983"
 }
 },
 "parameters": {
diff --git a/linux/vmss/vmss.json b/linux/vmss/vmss.json
index d0828b6..ca8aa26 100644
--- a/linux/vmss/vmss.json
+++ b/linux/vmss/vmss.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "9575926172091705339"
+ "version": "0.29.47.4906",
+ "templateHash": "14570331344852001599"
 }
 },
 "parameters": {