Pamela Fox
commited on
Commit
·
b3a3223
1
Parent(s):
f194cdb
Firewall improvement
Browse files- README.md +3 -4
- infra/main.bicep +7 -2
- infra/main.parameters.json +3 -0
README.md
CHANGED
|
@@ -127,10 +127,9 @@ azd pipeline config
|
|
| 127 |
It is important to secure the databases in web applications to prevent unwanted data access.
|
| 128 |
This infrastructure uses the following mechanisms to secure the PostgreSQL database:
|
| 129 |
|
| 130 |
-
* Azure Firewall: The database is accessible
|
| 131 |
-
*
|
| 132 |
-
*
|
| 133 |
-
* PostgreSQL Version: Latest available on Azure, version 14, which includes security improvements.
|
| 134 |
* Django Admin Interface: The URL (typically "/admin") is a unique string generated based on the App Service Plan ID.
|
| 135 |
|
| 136 |
⚠️ For even more security, consider using an Azure Virtual Network to connect the Web App to the Database.
|
|
|
|
| 127 |
It is important to secure the databases in web applications to prevent unwanted data access.
|
| 128 |
This infrastructure uses the following mechanisms to secure the PostgreSQL database:
|
| 129 |
|
| 130 |
+
* Azure Firewall: The database is accessible from all IPs. Once you've set up the database, you can restrict access to only Azure IPs by running `azd env set POSTGRES_ALLOW_ALL_IPS false` followed by `azd provision`.
|
| 131 |
+
* PostgreSQL Authentication: Passwordless connection using [Microsoft Entra Managed Identity](https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-connect-with-managed-identity).
|
| 132 |
+
* PostgreSQL Version: Latest available on Azure, version 16, which includes security improvements.
|
|
|
|
| 133 |
* Django Admin Interface: The URL (typically "/admin") is a unique string generated based on the App Service Plan ID.
|
| 134 |
|
| 135 |
⚠️ For even more security, consider using an Azure Virtual Network to connect the Web App to the Database.
|
infra/main.bicep
CHANGED
|
@@ -33,6 +33,10 @@ param djangoSecretKey string
|
|
| 33 |
@description('Running on GitHub Actions?')
|
| 34 |
param runningOnGh bool = false
|
| 35 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
var resourceToken = toLower(uniqueString(subscription().id, name, location))
|
| 37 |
var tags = { 'azd-env-name': name }
|
| 38 |
|
|
@@ -61,14 +65,14 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
|
|
| 61 |
storage: {
|
| 62 |
storageSizeGB: 32
|
| 63 |
}
|
| 64 |
-
version: '
|
| 65 |
authType: 'EntraOnly'
|
| 66 |
entraAdministratorName: postgresEntraAdministratorName
|
| 67 |
entraAdministratorObjectId: postgresEntraAdministratorObjectId
|
| 68 |
entraAdministratorType: postgresEntraAdministratorType
|
| 69 |
databaseNames: [ postgresDatabaseName ]
|
| 70 |
allowAzureIPsFirewall: true
|
| 71 |
-
allowAllIPsFirewall:
|
| 72 |
}
|
| 73 |
}
|
| 74 |
|
|
@@ -193,3 +197,4 @@ output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name
|
|
| 193 |
|
| 194 |
output POSTGRES_HOST string = postgresServer.outputs.POSTGRES_DOMAIN_NAME
|
| 195 |
output POSTGRES_USERNAME string = postgresEntraAdministratorName
|
|
|
|
|
|
| 33 |
@description('Running on GitHub Actions?')
|
| 34 |
param runningOnGh bool = false
|
| 35 |
|
| 36 |
+
// Necessary for post-provision script, can be disabled after
|
| 37 |
+
@description('Allow all IPs to connect to the PostgreSQL server')
|
| 38 |
+
param postgresAllowAllIPs bool = true
|
| 39 |
+
|
| 40 |
var resourceToken = toLower(uniqueString(subscription().id, name, location))
|
| 41 |
var tags = { 'azd-env-name': name }
|
| 42 |
|
|
|
|
| 65 |
storage: {
|
| 66 |
storageSizeGB: 32
|
| 67 |
}
|
| 68 |
+
version: '16'
|
| 69 |
authType: 'EntraOnly'
|
| 70 |
entraAdministratorName: postgresEntraAdministratorName
|
| 71 |
entraAdministratorObjectId: postgresEntraAdministratorObjectId
|
| 72 |
entraAdministratorType: postgresEntraAdministratorType
|
| 73 |
databaseNames: [ postgresDatabaseName ]
|
| 74 |
allowAzureIPsFirewall: true
|
| 75 |
+
allowAllIPsFirewall: postgresAllowAllIPs
|
| 76 |
}
|
| 77 |
}
|
| 78 |
|
|
|
|
| 197 |
|
| 198 |
output POSTGRES_HOST string = postgresServer.outputs.POSTGRES_DOMAIN_NAME
|
| 199 |
output POSTGRES_USERNAME string = postgresEntraAdministratorName
|
| 200 |
+
output POSTGRES_ALLOW_ALL_IPS bool = postgresAllowAllIPs
|
infra/main.parameters.json
CHANGED
|
@@ -25,6 +25,9 @@
|
|
| 25 |
},
|
| 26 |
"postgresEntraAdministratorType": {
|
| 27 |
"value": "User"
|
|
|
|
|
|
|
|
|
|
| 28 |
}
|
| 29 |
}
|
| 30 |
}
|
|
|
|
| 25 |
},
|
| 26 |
"postgresEntraAdministratorType": {
|
| 27 |
"value": "User"
|
| 28 |
+
},
|
| 29 |
+
"postgresAllowAllIPs": {
|
| 30 |
+
"value": "${POSTGRES_ALLOW_ALL_IPS=true}"
|
| 31 |
}
|
| 32 |
}
|
| 33 |
}
|