37 changes: 33 additions & 4 deletions bicepconfig.json
Expand Up @@ -2,16 +2,45 @@
"analyzers": {
"core": {
"enabled": true,
"verbose": false,
"rules": {
"adminusername-should-not-be-literal": { "level": "error" },
"no-hardcoded-env-urls": { "level": "warning" },
"artifacts-parameters": { "level": "warning" },
"decompiler-cleanup": { "level": "warning" },
"explicit-values-for-loc-params": { "level": "warning" },
"max-asserts": { "level": "warning" },
"max-outputs": { "level": "warning" },
"max-params": { "level": "warning" },
"max-resources": { "level": "warning" },
"max-variables": { "level": "warning" },
"nested-deployment-template-scoping": { "level": "error" },
"no-conflicting-metadata": { "level": "warning" },
"no-deployments-resources": { "level": "warning" },
"no-hardcoded-env-urls": { "level": "error" },
"no-hardcoded-location": { "level": "warning" },
"no-loc-expr-outside-params": { "level": "warning" },
"no-unnecessary-dependson": { "level": "warning" },
"no-unused-existing-resources": { "level": "warning" },
"no-unused-params": { "level": "warning" },
"no-unused-vars": { "level": "warning" },
"outputs-should-not-contain-secrets": { "level": "error" },
"prefer-interpolation": { "level": "warning" },
"prefer-unquoted-property-names": { "level": "warning" },
"protect-commandtoexecute-secrets": { "level": "error" },
"secure-parameter-default": { "level": "error" },
"use-recent-api-versions": { "level": "warning" },
"use-resource-id-functions": { "level": "warning" }
"secure-params-in-nested-deploy": { "level": "error" },
"secure-secrets-in-params": { "level": "error" },
"simplify-interpolation": { "level": "warning" },
"simplify-json-null": { "level": "warning" },
"use-parent-property": { "level": "warning" },
"use-recent-api-versions": { "level": "off" },
"use-resource-id-functions": { "level": "warning" },
"use-resource-symbol-reference": { "level": "warning" },
"use-safe-access": { "level": "warning" },
"use-secure-value-for-secure-inputs": { "level": "error" },
"use-stable-resource-identifiers": { "level": "warning" },
"use-stable-vm-image": { "level": "warning" }
}
}
}
}
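Review bot: The linter rule `use-recent-api-versions` appears to move from `warning` (L55) to `off` (L62); this rendered page has lost the +/- markers, so the direction is inferred from the two entries for the same key and the run of new rule entries around them. Turning the rule off removes the only automated signal that a resource is pinned to a stale API version, a problem that otherwise surfaces late when a property or default changes between versions; the same PR touches `Microsoft.Insights/components@2020-02-02` in observability.bicep, which is the kind of pin the rule exists to keep visible in review. If the rule was too noisy, `"use-recent-api-versions": { "level": "warning" },` keeps the signal without failing builds, and the reason for any `off` is worth stating in the PR description since nothing in the file records why it was disabled.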

4 changes: 4 additions & 0 deletions infra/main.bicep
Expand Up @@ -59,6 +59,9 @@ param enableExternalIngress bool = false
@minValue(30)
param logRetentionDays int = 30

@description('Allow public network access to Log Analytics and Application Insights ingestion/query. Secure default is false; lower environments (for example dev) may override to true.')
param allowObservabilityPublicNetworkAccess bool = false

@description('Optional monthly resource-group budget. Set to zero to disable.')
@minValue(0)
param monthlyBudget int = 0
Expand Down Expand Up @@ -94,6 +97,7 @@ module observability './modules/observability.bicep' = {
location: location
suffix: suffix
retentionDays: logRetentionDays
allowPublicNetworkAccess: allowObservabilityPublicNetworkAccess
tags: tags
}
}
13 changes: 9 additions & 4 deletions infra/modules/observability.bicep
Expand Up @@ -18,6 +18,11 @@ param retentionDays int
@description('Common Azure resource tags.')
param tags object

@description('Allow public network access for observability ingestion and query. Secure default is false; individual environments (for example dev) may override to true.')
param allowPublicNetworkAccess bool = false

var publicNetworkAccess = allowPublicNetworkAccess ? 'Enabled' : 'Disabled'

resource workspace 'Microsoft.OperationalInsights/workspaces@2025-02-01' = {
name: 'log-${workloadName}-${environment}-${suffix}'
location: location
Expand All @@ -27,8 +32,8 @@ resource workspace 'Microsoft.OperationalInsights/workspaces@2025-02-01' = {
features: {
enableLogAccessUsingOnlyResourcePermissions: true
}
publicNetworkAccessForIngestion: 'Enabled'
publicNetworkAccessForQuery: 'Enabled'
publicNetworkAccessForIngestion: publicNetworkAccess
publicNetworkAccessForQuery: publicNetworkAccess
}
}

Expand All @@ -42,8 +47,8 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
WorkspaceResourceId: workspace.id
DisableLocalAuth: true
IngestionMode: 'LogAnalytics'
publicNetworkAccessForIngestion: 'Enabled'
publicNetworkAccessForQuery: 'Enabled'
publicNetworkAccessForIngestion: publicNetworkAccess
publicNetworkAccessForQuery: publicNetworkAccess
}
}

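Review bot: A single `allowPublicNetworkAccess` flag drives both `publicNetworkAccessForIngestion` and `publicNetworkAccessForQuery` via the `publicNetworkAccess` var (L104) on the workspace (L115-L116) and on the Application Insights component (L126-L127), so the two endpoints cannot be set independently. Azure Monitor exposes them as separate properties because their exposure is usually staged differently: query access is the one typically restricted first, while app hosts and agents outside the network still need the public ingestion endpoint, and with this coupling the only way to lock down query in an environment is to also cut off ingestion. If the coupling is deliberate, say so at the var, `// Ingestion and query are intentionally toggled together; split into two params if a staged rollout is needed.`; otherwise two parameters (with `allowPublicNetworkAccess` kept as the common default so main.bicep's module call still works) would let an environment close query without closing ingestion. The `workspace` and `applicationInsights` resource bodies extend beyond the hunks shown.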
1 change: 1 addition & 0 deletions infra/parameters/dev.bicepparam
Expand Up @@ -13,5 +13,6 @@ param foundryProjectResourceId = ''
param foundryRoleDefinitionResourceId = ''
param enableExternalIngress = false
param logRetentionDays = 30
param allowObservabilityPublicNetworkAccess = true
param monthlyBudget = 0
param budgetContactEmails = []
1 change: 1 addition & 0 deletions infra/parameters/prod.bicepparam
Expand Up @@ -13,5 +13,6 @@ param foundryProjectResourceId = ''
param foundryRoleDefinitionResourceId = ''
param enableExternalIngress = false
param logRetentionDays = 90
param allowObservabilityPublicNetworkAccess = false

P1 Badge Keep observability public until private link exists

Setting prod (and test) to false flows through infra/main.bicep into both Log Analytics and Application Insights publicNetworkAccessForIngestion/Query = Disabled, but this repo does not define any AMPLS/private endpoint resources and NET-01 is still deferred. Azure Monitor requires private-link resources for ingestion/query after public access is disabled (https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/private-link-configure), so deployments using the supplied prod/test params would block application telemetry and operator queries until private networking is added or public access remains enabled.


param monthlyBudget = 0
param budgetContactEmails = []
1 change: 1 addition & 0 deletions infra/parameters/test.bicepparam
Expand Up @@ -13,5 +13,6 @@ param foundryProjectResourceId = ''
param foundryRoleDefinitionResourceId = ''
param enableExternalIngress = false
param logRetentionDays = 30
param allowObservabilityPublicNetworkAccess = false
param monthlyBudget = 0
param budgetContactEmails = []