Merge pull request #9 from pamelafox/secret-keyvault

.gitattributes

@@ -0,0 +1,3 @@
+* text=auto eol=lf
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf

.pre-commit-config.yaml

@@ -1,17 +1,15 @@
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v4.4.0
     hooks:
     -   id: check-yaml
     -   id: end-of-file-fixer
     -   id: trailing-whitespace
 -   repo: https://github.com/psf/black
-    rev: 22.3.0
+    rev: 23.1.0
     hooks:
     -   id: black
-        args: ['--config=./pyproject.toml']
 -   repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: v0.0.121
+    rev: v0.0.258
     hooks:
     -   id: ruff
-        exclude: '.venv/'

README.md

@@ -2,26 +2,42 @@
 
 # Quizzes app
 
-An example Django app that serves quizzes and lets people know how they scored.
-Quizzes and their questions are stored in a PostGreSQL database.
-There is no user authentication or per-user data stored.
+An example Django app that serves quizzes and lets people know how they scored. Quizzes and their questions are stored in a PostgreSQL database. There is no user authentication or per-user data stored.
 
-## Local development
+![Screenshot of Quiz page with question](readme_screenshot.png)
+
+The project is designed for deployment on Azure App Service with a PostgreSQL flexible server. See deployment instructions below.
+
+![Diagram of the Architecture: App Service, PostgreSQL server, Key Vault, Log analytics](readme_diagram.png)
+
+The code is tested with `django.test`, linted with [ruff](https://github.com/charliermarsh/ruff), and formatted with [black](https://black.readthedocs.io/en/stable/). Code quality issues are all checked with both [pre-commit](https://pre-commit.com/) and Github actions.
+
+## Opening the project
 
-Install the requirements and Git hooks:
+This project has [Dev Container support](https://code.visualstudio.com/docs/devcontainers/containers), so it will be be setup automatically if you open it in Github Codespaces or in local VS Code with the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).
 
-This project has devcontainer support, so you can open it in Github Codespaces or local VS Code with the Dev Containers extension. If you're unable to open the devcontainer,
-then it's best to first [create a Python virtual environment](https://docs.python.org/3/tutorial/venv.html#creating-virtual-environments) and activate that.
+If you're not using one of those options for opening the project, then you'll need to:
 
-1. Install the requirements:
+1. Create a [Python virtual environment](https://docs.python.org/3/tutorial/venv.html#creating-virtual-environments) and activate it.
+
+2. Install the requirements:
 
     ```shell
     python3 -m pip install -r requirements-dev.txt
     ```
 
-2. Create an `.env` file using `.env.sample` as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. If you're in the devcontainer, copy the values exactly from `.env.sample`.
+3. Install the pre-commit hooks:
+
+    ```shell
+    pre-commit install
+    ```
+
+## Local development
+
 
-3. Fill in a secret value for `SECRET_KEY`. You can use this command to generate an appropriate value.
+1. Create an `.env` file using `.env.sample` as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. If you're in the devcontainer, copy the values exactly from `.env.sample`.
+
+2. Fill in a secret value for `SECRET_KEY`. You can use this command to generate an appropriate value.
 
     ```shell
     python -c 'import secrets; print(secrets.token_hex())'
@@ -39,11 +55,11 @@ then it's best to first [create a Python virtual environment](https://docs.pytho
     python3 manage.py runserver
     ```
 
-5. Navigate to "/quizzes" (since no "/" route is defined) to verify server is working.
+5. Navigate to the displayed URL to verify the website is working.
 
 ### Admin
 
-This app comes with the built-in Django admin.
+This app comes with the built-in Django admin interface.
 
 1. Create a superuser:
 
@@ -86,7 +102,7 @@ azd up
 python manage.py createsuperuser
 ```
 
-## CI/CD pipeline
+### CI/CD pipeline
 
 This project includes a Github workflow for deploying the resources to Azure
 on every push to main. That workflow requires several Azure-related authentication secrets
@@ -96,21 +112,34 @@ to be stored as Github action secrets. To set that up, run:
 azd pipeline config
 ```
 
+## Security
+
+It is important to secure the databases in web applications to prevent unwanted data access.
+This infrastructure uses the following mechanisms to secure the PostgreSQL database:
+
+* Azure Firewall: The database is accessible only from other Azure IPs, not from public IPs. (Note that includes other customers using Azure).
+* Admin Username: Unique string generated based on subscription ID and stored in Key Vault.
+* Admin Password: Randomly generated and stored in Key Vault.
+* PostgreSQL Version: Latest available on Azure, version 14, which includes security improvements.
+
+⚠️ For even more security, consider using an Azure Virtual Network to connect the Web App to the Database.
+See [the Django-on-Azure project](https://github.com/tonybaloney/django-on-azure) for example infrastructure files.
+
 ### Costs
 
 Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage.
 
-You can try the Azure pricing calculator for the resources:
+You can try the [Azure pricing calculator](https://azure.com/e/560b5f259111424daa7eb23c6848d164) for the resources:
 
 - Azure App Service: Basic Tier with 1 CPU core, 1.75GB RAM. Pricing is hourly. [Pricing](https://azure.microsoft.com/pricing/details/app-service/linux/)
 - PostgreSQL Flexible Server: Burstable Tier with 1 CPU core, 32GB storage. Pricing is hourly. [Pricing](https://azure.microsoft.com/pricing/details/postgresql/flexible-server/)
-- Virtual Network: Pricing based on data transfer. [Pricing](https://azure.microsoft.com/en-us/pricing/details/virtual-network/)
-- Private DNS Zone: Pricing based on number of zones per region per month. [Pricing](https://azure.microsoft.com/en-in/pricing/details/dns/)
+- Key Vault: Standard tier. Costs are per transaction, a few transactions are used on each deploy. [Pricing](https://azure.microsoft.com/pricing/details/key-vault/)
 - Log analytics: Pay-as-you-go tier. Costs based on data ingested. [Pricing](https://azure.microsoft.com/pricing/details/monitor/)
 
 ⚠️ To avoid unnecessary costs, remember to take down your app if it's no longer in use,
 either by deleting the resource group in the Portal or running `azd down`.
 
+
 ## Getting help
 
 If you're working with this project and running into issues, please post in **Discussions**.

infra/core/database/postgresql/flexibleserver.bicep

@@ -4,20 +4,19 @@ param tags object = {}
 
 param sku object
 param storage object
-param delegatedSubnetResourceId string = ''
-param privateDnsZoneArmResourceId string = ''
-param privateDnsZoneLink object = {}
-
-param databaseName string
 param administratorLogin string
 @secure()
 param administratorLoginPassword string
+param databaseNames array = []
+param allowAzureIPsFirewall bool = false
+param allowAllIPsFirewall bool = false
+param allowedSingleIPs array = []
 
 // PostgreSQL version
-@allowed(['11', '12', '13', '14', '15'])
 param version string
 
-resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {
+// Latest official version 2022-12-01 does not have Bicep types available
+resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
   location: location
   tags: tags
   name: name
@@ -27,25 +26,39 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-pr
     administratorLogin: administratorLogin
     administratorLoginPassword: administratorLoginPassword
     storage: storage
-    network: union(
-      !empty(delegatedSubnetResourceId) ? { delegatedSubnetResourceId: delegatedSubnetResourceId } : {},
-      !empty(privateDnsZoneArmResourceId) ? {privateDnsZoneArmResourceId: privateDnsZoneArmResourceId } : {})
     highAvailability: {
       mode: 'Disabled'
     }
   }
 
-  resource database 'databases' = {
-    name: databaseName
+  resource database 'databases' = [for name in databaseNames: {
+    name: name
+  }]
+
+  resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) {
+    name: 'allow-all-IPs'
+    properties: {
+        startIpAddress: '0.0.0.0'
+        endIpAddress: '255.255.255.255'
+    }
   }
 
-  resource firewall 'firewallRules' = {
-    name: 'AllowAllWindowsAzureIps'
+  resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) {
+    name: 'allow-all-azure-internal-IPs'
     properties: {
         startIpAddress: '0.0.0.0'
         endIpAddress: '0.0.0.0'
     }
   }
 
-  dependsOn: empty(privateDnsZoneLink) ? [] : [privateDnsZoneLink]
+  resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: {
+    name: 'allow-single-${replace(ip, '.', '')}'
+    properties: {
+        startIpAddress: ip
+        endIpAddress: ip
+    }
+  }]
+
 }
+
+output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName

infra/core/host/appservice.bicep

@@ -33,10 +33,7 @@ param numberOfWorkers int = -1
 param scmDoBuildDuringDeployment bool = false
 param use32BitWorkerProcess bool = false
 param ftpsState string = 'FtpsOnly'
-
-// Microsoft.Web/sites/networkConfig
-param subnetResourceId string = ''
-param virtualNetwork object
+param healthCheckPath string = ''
 
 resource appService 'Microsoft.Web/sites@2022-03-01' = {
   name: name
@@ -49,11 +46,13 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       linuxFxVersion: linuxFxVersion
       alwaysOn: alwaysOn
       ftpsState: ftpsState
+      minTlsVersion: '1.2'
       appCommandLine: appCommandLine
       numberOfWorkers: numberOfWorkers != -1 ? numberOfWorkers : null
       minimumElasticInstanceCount: minimumElasticInstanceCount != -1 ? minimumElasticInstanceCount : null
       use32BitWorkerProcess: use32BitWorkerProcess
       functionAppScaleLimit: functionAppScaleLimit != -1 ? functionAppScaleLimit : null
+      healthCheckPath: healthCheckPath
       cors: {
         allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
       }
@@ -87,15 +86,6 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       configAppSettings
     ]
   }
-
-  resource webappVnetConfig 'networkConfig' =  if (!(empty(virtualNetwork))) {
-    name: 'virtualNetwork'
-    properties: {
-      subnetResourceId: subnetResourceId
-    }
-  }
-
-  dependsOn: empty(virtualNetwork) ? [] : [virtualNetwork]
 }
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {

infra/main.bicep

@@ -9,9 +9,20 @@ param name string
 @description('Primary location for all resources')
 param location string
 
+@secure()
+@description('PostGreSQL Server administrator username')
+param postgresAdminUser string = 'admin${uniqueString(subscription().subscriptionId)}'
+
 @secure()
 @description('PostGreSQL Server administrator password')
-param databasePassword string
+param postgresAdminPassword string
+
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
+@secure()
+@description('Django SECRET_KEY for cryptographic signing')
+param djangoSecretKey string
 
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var tags = { 'azd-env-name': name }
@@ -26,19 +37,7 @@ var prefix = '${name}-${resourceToken}'
 
 var postgresServerName = '${prefix}-postgresql'
 
-module virtualNetwork 'core/security/virtualnetwork.bicep' = {
-  name: 'virtualnetwork'
-  scope: resourceGroup
-  params: {
-    name: '${prefix}-vnet'
-    location: location
-    tags: tags
-    postgresServerName: postgresServerName
-  }
-}
-
-var databaseName = 'django'
-var databaseUser = 'django'
+var postgresDatabaseName = 'django'
 
 module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
   name: 'postgresql'
@@ -54,13 +53,11 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
     storage: {
       storageSizeGB: 32
     }
-    version: '13'
-    administratorLogin: databaseUser
-    administratorLoginPassword: databasePassword
-    databaseName: databaseName
-    delegatedSubnetResourceId: virtualNetwork.outputs.databaseSubnetId
-    privateDnsZoneArmResourceId: virtualNetwork.outputs.privateDnsZoneId
-    privateDnsZoneLink: virtualNetwork.outputs.privateDnsZoneLink
+    version: '14'
+    administratorLogin: postgresAdminUser
+    administratorLoginPassword: postgresAdminPassword
+    databaseNames: [postgresDatabaseName]
+    allowAzureIPsFirewall: true
   }
 }
 
@@ -78,13 +75,13 @@ module web 'core/host/appservice.bicep' = {
     ftpsState: 'Disabled'
     managedIdentity: true
     appCommandLine: 'python manage.py migrate && gunicorn --workers 2 --threads 4 --timeout 60 --access-logfile \'-\' --error-logfile \'-\' --bind=0.0.0.0:8000 --chdir=/home/site/wwwroot quizsite.wsgi'
-    virtualNetwork: virtualNetwork
-    subnetResourceId: virtualNetwork.outputs.webSubnetId
     appSettings: {
+      ADMIN_URL: 'admin${uniqueString(appServicePlan.outputs.id)}'
       DBHOST: postgresServerName
-      DBNAME: databaseName
-      DBUSER: databaseUser
-      DBPASS: databasePassword
+      DBNAME: postgresDatabaseName
+      DBUSER: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminUser)'
+      DBPASS: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminPassword)'
+      SECRET_KEY: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=djangoSecretKey)'
     }
   }
 }
@@ -104,6 +101,54 @@ module appServicePlan 'core/host/appserviceplan.bicep' = {
   }
 }
 
+module webKeyVaultAccess 'core/security/keyvault-access.bicep' = {
+  name: 'web-keyvault-access'
+  scope: resourceGroup
+  params: {
+    keyVaultName: keyVault.outputs.name
+    principalId: web.outputs.identityPrincipalId
+  }
+}
+
+// Store secrets in a keyvault
+module keyVault './core/security/keyvault.bicep' = {
+  name: 'keyvault'
+  scope: resourceGroup
+  params: {
+    name: '${take(replace(prefix, '-', ''), 17)}-vault'
+    location: location
+    tags: tags
+    principalId: principalId
+  }
+}
+
+var secrets = [
+  {
+    name: 'djangoSecretKey'
+    value: djangoSecretKey
+  }
+  {
+    name: 'postgresAdminUser'
+    value: postgresAdminUser
+  }
+  {
+    name: 'postgresAdminPassword'
+    value: postgresAdminPassword
+  }
+]
+
+@batchSize(1)
+module keyVaultSecrets './core/security/keyvault-secret.bicep' = [for secret in secrets: {
+  name: 'keyvault-secret-${secret.name}'
+  scope: resourceGroup
+  params: {
+    keyVaultName: keyVault.outputs.name
+    name: secret.name
+    secretValue: secret.value
+  }
+}]
+
+
 module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
   name: 'loganalytics'
   scope: resourceGroup

infra/main.parameters.json

@@ -8,8 +8,14 @@
       "location": {
         "value": "${AZURE_LOCATION}"
       },
-      "databasePassword": {
-        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} databasePassword)"
+      "principalId": {
+        "value": "${AZURE_PRINCIPAL_ID}"
+      },
+      "postgresAdminPassword": {
+        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} postgresAdminPassword)"
+      },
+      "djangoSecretKey": {
+        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} djangoSecretKey)"
       }
     }
   }

pyproject.toml

@@ -1,14 +1,14 @@
+[tool.ruff]
+select = ["E", "F", "I", "UP"]
+target-version = "py310"
+line-length = 120
+
 [tool.black]
+target-version = ['py310']
 line-length = 120
-target-version = ['py39']
 exclude = '''
 /(
   | \.venv
   | migrations
 )/
-
 '''
-
-[tool.ruff]
-line-length = 120
-ignore = ['D203']

quizsite/production.py

@@ -6,6 +6,7 @@ import os
 ALLOWED_HOSTS = [os.environ["WEBSITE_HOSTNAME"]] if "WEBSITE_HOSTNAME" in os.environ else []
 CSRF_TRUSTED_ORIGINS = ["https://" + os.environ["WEBSITE_HOSTNAME"]] if "WEBSITE_HOSTNAME" in os.environ else []
 DEBUG = False
+ADMIN_URL = os.environ["ADMIN_URL"]
 
 # DBHOST is only the server name, not the full URL
 hostname = os.environ["DBHOST"]
@@ -19,5 +20,6 @@ DATABASES = {
         "HOST": hostname + ".postgres.database.azure.com",
         "USER": os.environ["DBUSER"],
         "PASSWORD": os.environ["DBPASS"],
+        "OPTIONS": {"sslmode": "require"},
     }
 }

quizsite/settings.py

@@ -10,9 +10,8 @@ For the full list of settings and their values, see
 https://docs.djangoproject.com/en/4.1/ref/settings/
 """
 
-from pathlib import Path
 import os
-
+from pathlib import Path
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -27,6 +26,8 @@ SECRET_KEY = os.getenv("SECRET_KEY")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
+ADMIN_URL = "admin/"
+
 CSRF_TRUSTED_ORIGINS = [
     "http://localhost:8000",
     f"https://{os.getenv('CODESPACE_NAME')}-8000.{os.getenv('GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN')}",

quizsite/urls.py

@@ -13,10 +13,11 @@ Including another URLconf
     1. Import the include() function: from django.urls import include, path
     2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
 """
+from django.conf import settings
 from django.contrib import admin
 from django.urls import include, path
 
 urlpatterns = [
-    path("quizzes/", include("quizzes.urls")),
-    path("admin/", admin.site.urls),
+    path("", include("quizzes.urls")),
+    path(settings.ADMIN_URL, admin.site.urls),
 ]

quizzes/admin.py

@@ -1,5 +1,6 @@
 from django.contrib import admin
-from .models import Quiz, Question, FreeTextAnswer, MultipleChoiceAnswer
+
+from .models import FreeTextAnswer, MultipleChoiceAnswer, Question, Quiz
 
 admin.site.register(Quiz)
 

quizzes/migrations/0001_initial.py

@@ -1,12 +1,11 @@
 # Generated by Django 4.1.1 on 2022-09-14 18:17
 
 import django.contrib.postgres.fields
-from django.db import migrations, models
 import django.db.models.deletion
+from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
-
     initial = True
 
     dependencies = []
@@ -46,9 +45,7 @@ class Migration(migrations.Migration):
                 ),
                 (
                     "quiz",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="quizzes.quiz"
-                    ),
+                    models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="quizzes.quiz"),
                 ),
             ],
         ),

quizzes/migrations/0002_remove_question_answer_status_and_more.py

@@ -1,11 +1,10 @@
 # Generated by Django 4.1.1 on 2022-09-15 00:57
 
-from django.db import migrations, models
 import django.db.models.deletion
+from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
-
     dependencies = [
         ("quizzes", "0001_initial"),
     ]
@@ -18,15 +17,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name="freetextanswer",
             name="question",
-            field=models.OneToOneField(
-                on_delete=django.db.models.deletion.CASCADE, to="quizzes.question"
-            ),
+            field=models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to="quizzes.question"),
         ),
         migrations.AlterField(
             model_name="multiplechoiceanswer",
             name="question",
-            field=models.OneToOneField(
-                on_delete=django.db.models.deletion.CASCADE, to="quizzes.question"
-            ),
+            field=models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to="quizzes.question"),
         ),
     ]

quizzes/models.py

@@ -1,5 +1,5 @@
-from django.db import models
 from django.contrib.postgres import fields
+from django.db import models
 
 
 class Quiz(models.Model):

quizzes/tests.py

@@ -1,7 +1,7 @@
 from django.test import TestCase
 from django.urls import reverse
 
-from .models import Quiz, Question, FreeTextAnswer, MultipleChoiceAnswer
+from .models import FreeTextAnswer, MultipleChoiceAnswer, Question, Quiz
 
 
 def create_quiz():

quizzes/urls.py

@@ -6,7 +6,7 @@ app_name = "quizzes"
 
 urlpatterns = [
     path("", views.IndexView.as_view(), name="index"),
-    path("<int:quiz_id>/", views.display_quiz, name="display_quiz"),
-    path("<int:quiz_id>/questions/<int:question_id>", views.display_question, name="display_question"),
+    path("quizzes/<int:quiz_id>/", views.display_quiz, name="display_quiz"),
+    path("quizzes/<int:quiz_id>/questions/<int:question_id>", views.display_question, name="display_question"),
     path("questions/<int:question_id>/grade/", views.grade_question, name="grade_question"),
 ]

quizzes/views.py

@@ -1,8 +1,8 @@
-from django.shortcuts import get_object_or_404, render, redirect
+from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.views import generic
 
-from .models import Quiz, Question
+from .models import Question, Quiz
 
 
 class IndexView(generic.ListView):