fix: secure observability public network access by default #7
Parameterize public network access for Log Analytics and Application Insights instead of hardcoding 'Enabled'. Introduces bool param allowPublicNetworkAccess (default false) in the observability module, mapping to Enabled/Disabled for both ingestion and query on the workspace and the App Insights component. DisableLocalAuth and enableLogAccessUsingOnlyResourcePermissions are preserved.

Wire allowObservabilityPublicNetworkAccess through main.bicep and the per-environment .bicepparam files: dev overrides to true, test and prod keep the secure default of false.

Expand bicepconfig.json to production linter defaults: core analyzers enabled, secret/security rules at error, style/correctness rules at warning, no-hardcoded-env-urls at error, and use-recent-api-versions disabled to avoid churn.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d9714ff12a
| param foundryRoleDefinitionResourceId = '' | ||
| param enableExternalIngress = false | ||
| param logRetentionDays = 90 | ||
| param allowObservabilityPublicNetworkAccess = false |
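Review bot: the added line "param allowObservabilityPublicNetworkAccess = false" only restates the main.bicep default and carries no explanation, while the description's rollback section says private endpoints / AMPLS or deployment-agent connectivity must be in place before this value is promoted; add a comment above the line in this param file recording that prerequisite (for example "// Disables public ingestion and query; AMPLS/private endpoints must exist before promotion") so the constraint travels with the file rather than only with this PR.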
Keep observability public until private link exists
Setting prod (and test) to false flows through infra/main.bicep into both Log Analytics and Application Insights publicNetworkAccessForIngestion/Query = Disabled, but this repo does not define any AMPLS/private endpoint resources and NET-01 is still deferred. Azure Monitor requires private-link resources for ingestion/query after public access is disabled (https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/private-link-configure), so deployments using the supplied prod/test params would block application telemetry and operator queries until private networking is added or public access remains enabled.
Summary

Hardens the observability module so it is secure by default and adds production linter defaults.

1. Parameterize public network access (infra/modules/observability.bicep)
- Previously hardcoded publicNetworkAccessForIngestion/Query: 'Enabled' on both the Log Analytics workspace and the Application Insights component.
- Adds param allowPublicNetworkAccess bool = false (secure by default) and maps it to Enabled/Disabled for all four properties via a local var.
- Preserves DisableLocalAuth: true and enableLogAccessUsingOnlyResourcePermissions: true.

2. Wire the toggle per-environment
- infra/main.bicep exposes allowObservabilityPublicNetworkAccess (default false) and passes it into the observability module.
- dev.bicepparam sets true (public access acceptable for the lower environment); test.bicepparam and prod.bicepparam set false.

3. Linter config (bicepconfig.json)
- Bicep reads bicepconfig.json (a leading-dot .bicepconfig.json would be ignored), and a functional one already existed at repo root, so the existing file was expanded rather than adding a dead dotfile.
- Secret/security rules at error (incl. no-hardcoded-env-urls, adminusername-should-not-be-literal, outputs-should-not-contain-secrets, secure-parameter-default), style/correctness rules at warning, and use-recent-api-versions set to off to avoid noise.

Validation
- az bicep build (Bicep CLI 0.40.2) on infra/main.bicep and infra/modules/observability.bicep: exit 0, no linter warnings or errors with the new config.

Rollback / change safety
- Changes only the publicNetworkAccess* properties, which are in-place updates.
- Disabled restricts ingestion/query to private paths. Ensure private endpoints / AMPLS or deployment-agent connectivity is in place before promoting, otherwise ingestion from public agents will be blocked. Revert is a one-line param change back to true.

🤖 Generated with Claude Code
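As an added illustration, not the PR's own module code, this is one way to write the toggle the summary describes: a single bool mapped through a local var onto all four publicNetworkAccess properties while keeping DisableLocalAuth and enableLogAccessUsingOnlyResourcePermissions fixed. Resource names, API versions, the workspace SKU and the location default are assumptions.

```bicep
// Added example, not the repo's observability.bicep. Names, API versions and SKU are assumed.
@description('Allow public network access for ingestion and query. Secure default: false.')
param allowPublicNetworkAccess bool = false

@description('Log Analytics retention in days.')
param logRetentionDays int = 90

param location string = resourceGroup().location
param workspaceName string = 'law-observability'   // assumed name
param appInsightsName string = 'appi-observability' // assumed name

// One mapping point: the bool becomes the string the ARM API expects,
// so ingestion and query settings on both resources cannot drift apart.
var publicNetworkAccess = allowPublicNetworkAccess ? 'Enabled' : 'Disabled'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: logRetentionDays
    publicNetworkAccessForIngestion: publicNetworkAccess
    publicNetworkAccessForQuery: publicNetworkAccess
    features: {
      // Hardening that stays on regardless of the toggle.
      disableLocalAuth: true
      enableLogAccessUsingOnlyResourcePermissions: true
    }
  }
}

resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
  name: appInsightsName
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
    WorkspaceResourceId: workspace.id
    DisableLocalAuth: true
    publicNetworkAccessForIngestion: publicNetworkAccess
    publicNetworkAccessForQuery: publicNetworkAccess
  }
}

// With 'Disabled', telemetry and queries reach these resources only through an
// Azure Monitor Private Link Scope (AMPLS); provision it before promoting.
output workspaceId string = workspace.id
```

Passing allowPublicNetworkAccess: true from dev.bicepparam and false from test/prod reproduces the per-environment behaviour described in the summary.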