
fix: secure observability public network access by default #7

Merged
OgeonX-Ai merged 1 commit into main from fix/cas-platform-observability-hardening on Jul 3, 2026

Conversation

@OgeonX-Ai (Contributor)
Summary

Hardens the observability module so it is secure by default and adds production linter defaults.

1. Parameterize public network access (infra/modules/observability.bicep)

  • Previously hardcoded publicNetworkAccessForIngestion/Query: 'Enabled' on both the Log Analytics workspace and the Application Insights component.
  • Adds param allowPublicNetworkAccess bool = false (secure by default) and maps it to Enabled/Disabled for all four properties via a local var.
  • Preserves DisableLocalAuth: true and enableLogAccessUsingOnlyResourcePermissions: true.

2. Wire the toggle per-environment

  • infra/main.bicep exposes allowObservabilityPublicNetworkAccess (default false) and passes it into the observability module.
  • dev.bicepparam sets true (public access acceptable for the lower environment); test.bicepparam and prod.bicepparam set false.

3. Linter config (bicepconfig.json)

  • Bicep only recognizes the filename bicepconfig.json (a leading-dot .bicepconfig.json would be ignored), and a functional one already existed at repo root, so the existing file was expanded rather than adding a dead dotfile.
  • Enables core analyzers with production defaults: secret/security rules at error (incl. no-hardcoded-env-urls, adminusername-should-not-be-literal, outputs-should-not-contain-secrets, secure-parameter-default), style/correctness rules at warning, and use-recent-api-versions set to off to avoid noise.

Validation

az bicep build (Bicep CLI 0.40.2) on infra/main.bicep and infra/modules/observability.bicep: exit 0, no linter warnings or errors with the new config.

Rollback / change safety

  • Additive and non-destructive: no resource renames or replacements. Redeploying flips only the publicNetworkAccess* properties, which are in-place updates.
  • Flipping prod/test to Disabled restricts ingestion/query to private paths. Ensure private endpoints / AMPLS or deployment-agent connectivity is in place before promoting; otherwise ingestion from public agents will be blocked. Revert is a one-line param change back to true.

🤖 Generated with Claude Code
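The rollback note above says the Disabled posture only works once AMPLS/private endpoints exist. The following post-deployment audit is an added example (not code from this PR or its repository) that checks exactly that: it walks resource objects in the shape `az resource list` returns (id/name/type plus a nested `properties` map, an assumption) and reports public access left Enabled where the environment expects Disabled, local auth left on, and any workspace or App Insights component that is Disabled without an AMPLS scoped-resource link, which is the outage case the review warns about. The sample resources and their ids are constructed placeholders.

```python
"""Post-deployment audit of the observability posture targeted by this PR (added
example; input is the `az resource list` shape: id/name/type + nested properties)."""

WORKSPACE = "microsoft.operationalinsights/workspaces"
COMPONENT = "microsoft.insights/components"
AMPLS_LINK = "microsoft.insights/privatelinkscopes/scopedresources"
ACCESS_PROPS = ("publicNetworkAccessForIngestion", "publicNetworkAccessForQuery")


def audit_observability(resources: list, allow_public: bool) -> list:
    """Return findings as strings; an empty list means the posture is as intended."""
    ampls_linked = {r["properties"]["linkedResourceId"].lower()
                    for r in resources if r["type"].lower() == AMPLS_LINK}
    findings = []
    for res in resources:
        rtype = res["type"].lower()
        if rtype not in (WORKSPACE, COMPONENT):
            continue
        name, props = res["name"], res.get("properties", {})
        # Azure treats an omitted publicNetworkAccess* value as Enabled.
        access = {k: props.get(k, "Enabled") for k in ACCESS_PROPS}
        for key, value in access.items():
            if value != "Disabled" and not allow_public:
                findings.append(f"{name}: {key} is {value}; expected Disabled")
        # Disabled with no AMPLS link blocks ingestion/queries in every environment.
        if "Disabled" in access.values() and res["id"].lower() not in ampls_linked:
            findings.append(f"{name}: public access Disabled but no AMPLS scoped resource links it")
        # Workspaces carry disableLocalAuth under features; App Insights at top level.
        local_auth_off = (props.get("features", {}).get("disableLocalAuth")
                          if rtype == WORKSPACE else props.get("DisableLocalAuth"))
        if local_auth_off is not True:
            findings.append(f"{name}: local auth is still enabled")
    return findings


def sample_resources(public: str, link_component: bool) -> list:
    """Constructed sample (placeholder ids): the workspace is always AMPLS-linked."""
    rg = "/subscriptions/<sub-id>/resourceGroups/rg-cas/providers"
    ws_id = f"{rg}/Microsoft.OperationalInsights/workspaces/log-cas"
    ai_id = f"{rg}/Microsoft.Insights/components/appi-cas"
    scope = f"{rg}/Microsoft.Insights/privateLinkScopes/ampls-cas/scopedResources"
    net = {k: public for k in ACCESS_PROPS}
    link = lambda rid, n: {"id": f"{scope}/{n}", "name": n, "properties": {"linkedResourceId": rid},
                           "type": "Microsoft.Insights/privateLinkScopes/scopedResources"}
    resources = [
        {"id": ws_id, "name": "log-cas", "type": "Microsoft.OperationalInsights/workspaces",
         "properties": {**net, "features": {"disableLocalAuth": True}}},
        {"id": ai_id, "name": "appi-cas", "type": "Microsoft.Insights/components",
         "properties": {**net, "DisableLocalAuth": True}},
        link(ws_id, "log-cas"),
    ]
    return resources + ([link(ai_id, "appi-cas")] if link_component else [])
```

Run it against the real resource list with `allow_public=False` for test/prod and `True` for dev, mirroring the per-environment parameter this PR wires through.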

Parameterize public network access for Log Analytics and Application
Insights instead of hardcoding 'Enabled'. Introduces bool param
allowPublicNetworkAccess (default false) in the observability module,
mapping to Enabled/Disabled for both ingestion and query on the
workspace and the App Insights component. DisableLocalAuth and
enableLogAccessUsingOnlyResourcePermissions are preserved.

Wire allowObservabilityPublicNetworkAccess through main.bicep and the
per-environment .bicepparam files: dev overrides to true, test and prod
keep the secure default of false.

Expand bicepconfig.json to production linter defaults: core analyzers
enabled, secret/security rules at error, style/correctness rules at
warning, no-hardcoded-env-urls at error, and use-recent-api-versions
disabled to avoid churn.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d9714ff12a


param foundryRoleDefinitionResourceId = ''
param enableExternalIngress = false
param logRetentionDays = 90
param allowObservabilityPublicNetworkAccess = false
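Review bot: `allowObservabilityPublicNetworkAccess = false` here only restates the default declared in infra/main.bicep, which is fine for auditability, but this is the line that actually flips prod/test to Disabled, so the prerequisite described in the PR's rollback note belongs next to it: add a comment on this line stating that it may only remain `false` once AMPLS/private endpoints (NET-01) are deployed, so the dependency travels with the value that triggers the telemetry outage rather than living only in the PR text.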


P1: Keep observability public until private link exists

Setting prod (and test) to false flows through infra/main.bicep into both Log Analytics and Application Insights publicNetworkAccessForIngestion/Query = Disabled, but this repo does not define any AMPLS/private endpoint resources and NET-01 is still deferred. Azure Monitor requires private-link resources for ingestion/query after public access is disabled (https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/private-link-configure), so deployments using the supplied prod/test params would block application telemetry and operator queries until private networking is added or public access remains enabled.


@OgeonX-Ai OgeonX-Ai merged commit 202d078 into main Jul 3, 2026
4 checks passed
@OgeonX-Ai OgeonX-Ai deleted the fix/cas-platform-observability-hardening branch July 3, 2026 16:40