fix(infra): address SFI security compliance issues#244
Merged
Conversation
…O #43311) Enables double encryption at rest by setting requireInfrastructureEncryption: true on the AVM storage-account modules used by both the standard and custom deployments, plus the (currently unreferenced) wrapper module for parity with Modernize PR #435. Files touched: - infra/main.bicep (inline AVM storage/storage-account:0.20.0) - infra/main_custom.bicep (inline AVM storage/storage-account:0.20.0) - infra/modules/storageAccount.bicep (wrapper around AVM 0.26.2) Addresses SFI item: "add encryption property and make requireInfrastructureEncryption: true for storage account". Mirrors the storage-account change in microsoft/Modernize-your-code-solution-accelerator#435. Work item: AB#43311 ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ent (ADO #43311) Sets peerTrafficEncryption: true on the AVM app/managed-environment:0.11.2 module in both deployment variants. This toggles Microsoft.App/managedEnvironments.properties.peerTrafficConfiguration.encryption.enabled, which is the Container Apps equivalent of the App Service endToEndEncryptionEnabled property called out by the SFI scan (this repo deploys Container Apps, not App Service). Files touched: - infra/main.bicep (containerAppsEnvironment module ~L1121) - infra/main_custom.bicep (containerAppsEnvironment module ~L1074) Addresses SFI item: "endToEndEncryptionEnabled: true in App Service". Work item: AB#43311 ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…VM (ADO #43311)
Audited every resource in the Bicep templates against the SFI "identity required"
rule. Resources that support managed identity but were missing one:
* Microsoft.DocumentDB/databaseAccounts (cosmosDb) -> add SystemAssigned
* Microsoft.ContainerRegistry/registries (containerRegistry) -> add SystemAssigned
* Microsoft.Compute/virtualMachines (jumpboxVM) -> add SystemAssigned
The jumpbox VM also gains SystemAssigned because the Azure Monitor Agent extension
needs an identity to authenticate against the Log Analytics workspace when honoring
the SecurityAuditEvents data collection rule association (introduced in a later
commit on this branch).
Resources already compliant and left untouched:
* aiFoundryAiServices -> systemAssigned + userAssignedResourceIds already set
* aiFoundryProject -> identity.type = 'SystemAssigned' already set
* appConfiguration / avmAppConfigUpdated -> systemAssigned already set
* containerAppsEnvironment -> systemAssigned already set
* containerAppBackend / Frontend / Processor -> UAMI (appIdentity) already wired
* storageAccount -> systemAssigned already set
* appIdentity (UAMI itself, N/A)
* Bastion / ApplicationInsights / LAW / PrivateDnsZones (do not support / not in
SFI scope per user's authoritative list)
Files touched:
- infra/main.bicep (cosmosDb, jumpboxVM)
- infra/main_custom.bicep (cosmosDb, containerRegistry, jumpboxVM)
Addresses SFI item: "identity: { type: 'SystemAssigned' } or { type: 'UserAssigned' }".
Work item: AB#43311
ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…DO #43311) Adds a Data Collection Rule that captures Windows audit success (EventID 4624) and audit failure (EventID 4625) Security events from the jumpbox VM and routes them to the Log Analytics workspace via the Microsoft-SecurityEvent stream. The DCR is associated with the VM through the Azure Monitor Agent extension (extensionMonitoringAgentConfig.dataCollectionRuleAssociations). The OMSGallery Security solution is installed on the workspace so the SecurityEvent table is populated for the routed stream. Pattern mirrors microsoft/Modernize-your-code-solution-accelerator#435 but the audit success and audit failure events are covered by a single xPath (Security!*[System[(EventID=4624 or EventID=4625)]]) routed via the Microsoft-SecurityEvent stream rather than Microsoft-WindowsEvent. All new resources are gated on enablePrivateNetworking && enableMonitoring so non-WAF / non-monitoring deployments are unaffected. Files touched: - infra/main.bicep (jumpboxVM AMA extension; new securitySolution + windowsVmDataCollectionRules) - infra/main_custom.bicep (same additions) Addresses SFI item: "data collection rule ['audit success','audit failure'] logs should be enabled". Work item: AB#43311 ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Regenerated infra/main.json via 'az bicep build infra/main.bicep' to pick up the four SFI changes on this branch: * Container Apps Environment peerTrafficEncryption * Storage account requireInfrastructureEncryption * SystemAssigned identity on cosmos / ACR / jumpbox VM * Windows Security audit DCR + OMSGallery/Security solution The large diff is dominated by the inlined AVM data-collection-rule:0.11.0 module definition pulled into main.json by the new windowsVmDataCollectionRules module. No main_custom.json exists in this repo (main_custom.bicep is consumed by tooling that runs bicep on demand). Work item: AB#43311 ADO: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_workitems/edit/43311 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
requested review from
Avijit-Microsoft,
Dongbumlee,
Prajwal-Microsoft,
Roopan-Microsoft,
Vinay-Microsoft,
aniaroramsft,
dgp10801,
nchandhi,
sethsteenken and
toherman-msft
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR addresses SFI (Secure Future Initiative) compliance items flagged by the EXP team (ADO #43311). It is an infra-only change, applied symmetrically to infra/main.bicep and infra/main_custom.bicep, with infra/main.json regenerated.
Changes:
- Enable
peerTrafficEncryptionon the Container Apps Environment andrequireInfrastructureEncryptionon storage accounts. - Add system-assigned managed identities to Cosmos DB, Azure Container Registry, and the jumpbox VM.
- Add an OMS
Securitysolution and a Windows Security audit (EventID 4624/4625) Data Collection Rule, associated with the jumpbox VM via the Azure Monitor Agent.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| infra/modules/storageAccount.bicep | Explicitly enable infrastructure encryption and set keyType: 'Service'. |
| infra/main.bicep | Add identities, DCR + Security solution, peer traffic encryption, and storage infra encryption. |
| infra/main_custom.bicep | Mirror of main.bicep changes for the custom-deployment path. |
| infra/main.json | Regenerated ARM template reflecting Bicep changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
The Microsoft.OperationsManagement/solutions 'Security' (OMSGallery/Security) resource is a legacy artifact from the Log Analytics Agent (MMA) era. With the modern Azure Monitor Agent + Data Collection Rule pipeline used here, the SecurityEvent table is auto-provisioned by Azure Monitor on first ingestion of the Microsoft-SecurityEvent stream. The OMSGallery solution is not required and adds a marketplace plan resource for no functional benefit. - Remove the securitySolution resource from infra/main.bicep and infra/main_custom.bicep. - Drop the now-unnecessary dependsOn: [securitySolution] from the windowsVmDataCollectionRules module. - Regenerate infra/main.json from main.bicep. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
changed the title
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Address review comments from @Harsh-Microsoft on PR #244: - xPathQueries: broaden the Windows Security filter to use the audit Keywords bitmask (0x30000000000000 = AuditSuccess|AuditFailure) and exclude the very high-volume EventID 4624 (successful logon). The new filter captures all audit success and audit failure events (which is what the SFI item actually asks for), not just 4624/4625, while keeping ingestion cost sane. - dataSources: add a small Microsoft-Perf set (CPU, memory, disk, network) to the same DCR so the jumpbox VM also produces a baseline VM health signal alongside the security audit stream. - dcrLogAnalyticsDestinationName: extract the destination name to a variable (\la-<lawName>-destination\) and reference it from the destinations.logAnalytics entry and both dataFlows (SecurityEvent and Perf) so the name is defined once. Applied to both infra/main.bicep and infra/main_custom.bicep, and regenerated infra/main.json from main.bicep. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
…#43311) Align the jumpbox VM's Microsoft-Perf counterSpecifiers list with the pattern established in microsoft/Multi-Agent-Custom-Automation-Engine- Solution-Accelerator PR #989, which uses a comprehensive 46-counter set named 'perfCounterDataSource60'. Previously this PR shipped a minimal 7-counter set; the expanded list adds detailed Processor (privileged/user time, frequency), System (uptime, context switches, queue length), Process (handle/thread counts, working set), Memory (committed bytes, cache, paged/nonpaged pool, page faults), LogicalDisk (read/write time/bytes/transfers, queue lengths, free space) and Network Interface (sent/received bytes and packets, errors) counters. Same set applied to infra/main.bicep and infra/main_custom.bicep, with infra/main.json regenerated from main.bicep. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Address PR #244 review feedback: - Gate jumpbox VM's extensionMonitoringAgentConfig on the same (enablePrivateNetworking && enableMonitoring) expression as the windowsVmDataCollectionRules module so the dereference of windowsVmDataCollectionRules!.outputs.resourceId stays safe even if the outer jumpbox VM gate ever changes (previously gated only on enableMonitoring, which works today only because the outer module is gated on enablePrivateNetworking). - Reword the comment above the extensionMonitoringAgentConfig block to drop the now-misleading '(4624) / (4625)' wording (4624 is excluded by the audit Keywords bitmask filter to control ingestion volume). - Remove all '(ADO #43311)' references from SFI comments in infra/main.bicep, infra/main_custom.bicep, and infra/modules/storageAccount.bicep. Applied to both infra/main.bicep and infra/main_custom.bicep, with infra/main.json regenerated from main.bicep. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Shreyas-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
Harsh-Microsoft
approved these changes
May 22, 2026
Prajwal-Microsoft
approved these changes
May 22, 2026
|
🎉 This PR is included in version 2.1.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
Addresses ADO #43311 — Container Migration - Check and Fix SFI Issues reported by EXP Team.
The EXP team flagged five SFI (Secure Future Initiative) items on this accelerator. Each is addressed in the infra layer (Bicep + the generated ARM template). No application code is touched. Pattern reference: microsoft/Modernize-your-code-solution-accelerator#435.
SFI items addressed
endToEndEncryptionEnabled: truefor App Service ↔ Container Apps equivalent (peerTrafficEncryption/ mTLS for intra-environment traffic)infra/main.bicep,infra/main_custom.bicep— Container Apps Environment0x30000000000000) except EventID 4624 (very high-volume successful logon), streamed viaMicrosoft-SecurityEventto Log Analytics, plus a smallMicrosoft-Perfset (CPU / memory / disk / network) on the same DCR for jumpbox VM health, associated with the jumpbox VMinfra/main.bicep,infra/main_custom.bicepdisableLocalAuth: truefor AI Servicesdevvia the AVMcognitive-services/account:0.13.2module onaiFoundryAiServices; app code uses Entra ID (use_entra_id=True) everywhereidentity: { type: 'SystemAssigned' }where missinginfra/main.bicep,infra/main_custom.bicep(resources already on UAMI were not modified)encryption.requireInfrastructureEncryption: trueset explicitly (rather than relying on the AVM default)infra/modules/storageAccount.bicepDoes this introduce a breaking change?
Infra-only. Identity additions are additive;
peerTrafficEncryptionis transparent to workloads; the DCR is a new resource with no impact on existing ones;requireInfrastructureEncryptionmatches the existing AVM default.Golden Path Validation
Deployment Validation
az bicep build infra/main.bicepandaz bicep build infra/main_custom.bicepsucceed with no new warnings/errors (only the pre-existingBCP334warning onmain_custom.bicep, unchanged by this PR).infra/main.jsonregenerated frommain.bicep(not hand-edited).What to Check
Verify that the following are valid:
peerTrafficEncryption: trueis set on the Container Apps Environment ininfra/main.bicepandinfra/main_custom.bicepand intra-environment traffic between revisions is encrypted (mTLS) on a deployed resource group.Microsoft.Insights/dataCollectionRulesresourcedcr-<solutionSuffix>is created (gated onenablePrivateNetworking && enableMonitoring), is associated with the jumpbox VM, and thatSecurityEventrows for audit failures (e.g.EventID == 4625) appear in the Log Analytics workspace after a failed logon on the jumpbox. Successful-logonEventID 4624rows are intentionally excluded by the xPath filterSecurity!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]to control ingestion cost while still satisfying the SFI audit-success/audit-failure requirement via the other audit events (4625, 4634, 4647, 4672, etc.). TheSecurityEventtable is auto-provisioned by Azure Monitor on first ingestion via the DCR — noOMSGallery/Securitysolution is required (removed in commite9215d2).Microsoft-Perffor the jumpbox VM (CPU, memory, disk, network) and rows appear in thePerftable in the Log Analytics workspace shortly after the jumpbox starts.requireInfrastructureEncryption: true(double encryption at rest) and existing storage-dependent workflows continue to read/write blobs and queues.aiFoundryAiServicesdeploys withdisableLocalAuth: trueand app code paths that talk to AI Services (src/backend-api/,src/processor/) continue to succeed using Entra ID — no key-based fallback is triggered.Other Information
Commits
b410134— fix(infra): require infrastructure encryption on storage accounts8d2391f— fix(infra): enable peer traffic encryption on container apps environment817d529— fix(infra): add system-assigned identity to cosmos, ACR, and jumpbox VMffc1eed— fix(infra): add windows security audit DCR + OMS Security solution786b7e2— chore(infra): regenerate main.json from main.bicepe9215d2— fix(infra): remove legacy OMSGallery/Security solution (the DCR alone, via theMicrosoft-SecurityEventstream and the modern AMA pipeline, auto-provisions theSecurityEventtable; theOMSGallery/Securitysolution is a Log Analytics Agent / MMA-era artifact and is not required)74a2a63— fix(infra): apply DCR review feedback from PR fix(infra): address SFI security compliance issues #244 — broaden the xPath filter to the audit Keywords bitmask (0x30000000000000) excluding 4624; add aMicrosoft-Perfdata source (CPU / memory / disk / network) and matching data flow; extract the destination name tovar dcrLogAnalyticsDestinationName = 'la-<lawName>-destination'and use it in bothdestinations.logAnalyticsand bothdataFlowsentries873d6e5— fix(infra): expand DCRcounterSpecifiersto the 46-counter pattern established in Multi-Agent-Custom-Automation-Engine-Solution-Accelerator PR #989 (detailed Processor / System / Process / Memory / LogicalDisk / Network Interface counters) and rename the data source toperfCounterDataSource60for consistency with that pattern062f656— fix(infra): align the jumpbox VM'sextensionMonitoringAgentConfiggate to the same(enablePrivateNetworking && enableMonitoring)expression used for thewindowsVmDataCollectionRulesmodule (so thewindowsVmDataCollectionRules!.outputs.resourceIddereference stays safe regardless of the outer jumpbox VM gate); reword the adjacent comment to drop the misleading(4624)mention; remove all(ADO #43311)references from SFI comments ininfra/main.bicep,infra/main_custom.bicep, andinfra/modules/storageAccount.bicepVerification
585 passed, 93.28% coverage (gate: 82%)812 passed, 87.44% coverage (gate: 82%)az bicep build infra/main.bicep— cleanaz bicep build infra/main_custom.bicep— clean (only the pre-existing BCP334 warning, unchanged)Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com