Change infrastructure

.gitattributes

@@ -0,0 +1,3 @@
+* text=auto eol=lf
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf

.pre-commit-config.yaml

@@ -9,9 +9,7 @@ repos:
     rev: 22.3.0
     hooks:
     -   id: black
-        args: ['--config=./pyproject.toml']
 -   repo: https://github.com/charliermarsh/ruff-pre-commit
     rev: v0.0.121
     hooks:
     -   id: ruff
-        exclude: '.venv/'

README.md

@@ -3,25 +3,35 @@
 # Quizzes app
 
 An example Django app that serves quizzes and lets people know how they scored.
-Quizzes and their questions are stored in a PostGreSQL database.
+Quizzes and their questions are stored in a PostgreSQL database.
 There is no user authentication or per-user data stored.
 
-## Local development
+## Opening the project
+
+This project has [Dev Container support](https://code.visualstudio.com/docs/devcontainers/containers), so it will be be setup automatically if you open it in Github Codespaces or in local VS Code with the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).
 
-Install the requirements and Git hooks:
+If you're not using one of those options for opening the project, then you'll need to:
 
-This project has devcontainer support, so you can open it in Github Codespaces or local VS Code with the Dev Containers extension. If you're unable to open the devcontainer,
-then it's best to first [create a Python virtual environment](https://docs.python.org/3/tutorial/venv.html#creating-virtual-environments) and activate that.
+1. Create a [Python virtual environment](https://docs.python.org/3/tutorial/venv.html#creating-virtual-environments) and activate it.
 
-1. Install the requirements:
+2. Install the requirements:
 
     ```shell
     python3 -m pip install -r requirements-dev.txt
     ```
 
-2. Create an `.env` file using `.env.sample` as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. If you're in the devcontainer, copy the values exactly from `.env.sample`.
+3. Install the pre-commit hooks:
+
+    ```shell
+    pre-commit install
+    ```
+
+## Local development
+
+
+1. Create an `.env` file using `.env.sample` as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. If you're in the devcontainer, copy the values exactly from `.env.sample`.
 
-3. Fill in a secret value for `SECRET_KEY`. You can use this command to generate an appropriate value.
+2. Fill in a secret value for `SECRET_KEY`. You can use this command to generate an appropriate value.
 
     ```shell
     python -c 'import secrets; print(secrets.token_hex())'
@@ -43,7 +53,7 @@ then it's best to first [create a Python virtual environment](https://docs.pytho
 
 ### Admin
 
-This app comes with the built-in Django admin.
+This app comes with the built-in Django admin interface.
 
 1. Create a superuser:
 
@@ -86,7 +96,7 @@ azd up
 python manage.py createsuperuser
 ```
 
-## CI/CD pipeline
+### CI/CD pipeline
 
 This project includes a Github workflow for deploying the resources to Azure
 on every push to main. That workflow requires several Azure-related authentication secrets
@@ -96,21 +106,34 @@ to be stored as Github action secrets. To set that up, run:
 azd pipeline config
 ```
 
+## Security
+
+It is important to secure the databases in web applications to prevent unwanted data access.
+This infrastructure uses the following mechanisms to secure the PostgreSQL database:
+
+* Azure Firewall: The database is accessible only from other Azure IPs, not from public IPs. (Note that includes other customers using Azure).
+* Admin Username: Randomly generated and stored in Key Vault.
+* Admin Password: Randomly generated and stored in Key Vault.
+* PostgreSQL Version: Latest available on Azure, version 14, which includes security improvements.
+
+⚠️ For even more security, consider using an Azure Virtual Network to connect the Web App to the Database.
+See [the Django-on-Azure project](https://github.com/tonybaloney/django-on-azure) for example infrastructure files.
+
 ### Costs
 
 Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage.
 
-You can try the Azure pricing calculator for the resources:
+You can try the [Azure pricing calculator](https://azure.com/e/560b5f259111424daa7eb23c6848d164) for the resources:
 
 - Azure App Service: Basic Tier with 1 CPU core, 1.75GB RAM. Pricing is hourly. [Pricing](https://azure.microsoft.com/pricing/details/app-service/linux/)
 - PostgreSQL Flexible Server: Burstable Tier with 1 CPU core, 32GB storage. Pricing is hourly. [Pricing](https://azure.microsoft.com/pricing/details/postgresql/flexible-server/)
-- Virtual Network: Pricing based on data transfer. [Pricing](https://azure.microsoft.com/en-us/pricing/details/virtual-network/)
-- Private DNS Zone: Pricing based on number of zones per region per month. [Pricing](https://azure.microsoft.com/en-in/pricing/details/dns/)
+- Key Vault: Standard tier. Costs are per transaction, a few transactions are used on each deploy. [Pricing](https://azure.microsoft.com/pricing/details/key-vault/)
 - Log analytics: Pay-as-you-go tier. Costs based on data ingested. [Pricing](https://azure.microsoft.com/pricing/details/monitor/)
 
 ⚠�� To avoid unnecessary costs, remember to take down your app if it's no longer in use,
 either by deleting the resource group in the Portal or running `azd down`.
 
+
 ## Getting help
 
 If you're working with this project and running into issues, please post in **Discussions**.

infra/core/database/postgresql/flexibleserver.bicep

@@ -4,20 +4,19 @@ param tags object = {}
 
 param sku object
 param storage object
-param delegatedSubnetResourceId string = ''
-param privateDnsZoneArmResourceId string = ''
-param privateDnsZoneLink object = {}
-
-param databaseName string
 param administratorLogin string
 @secure()
 param administratorLoginPassword string
+param databaseNames array = []
+param allowAzureIPsFirewall bool = false
+param allowAllIPsFirewall bool = false
+param allowedSingleIPs array = []
 
 // PostgreSQL version
-@allowed(['11', '12', '13', '14', '15'])
 param version string
 
-resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {
+// Latest official version 2022-12-01 does not have Bicep types available
+resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
   location: location
   tags: tags
   name: name
@@ -27,25 +26,39 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-pr
     administratorLogin: administratorLogin
     administratorLoginPassword: administratorLoginPassword
     storage: storage
-    network: union(
-      !empty(delegatedSubnetResourceId) ? { delegatedSubnetResourceId: delegatedSubnetResourceId } : {},
-      !empty(privateDnsZoneArmResourceId) ? {privateDnsZoneArmResourceId: privateDnsZoneArmResourceId } : {})
     highAvailability: {
       mode: 'Disabled'
     }
   }
 
-  resource database 'databases' = {
-    name: databaseName
+  resource database 'databases' = [for name in databaseNames: {
+    name: name
+  }]
+
+  resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) {
+    name: 'allow-all-IPs'
+    properties: {
+        startIpAddress: '0.0.0.0'
+        endIpAddress: '255.255.255.255'
+    }
   }
 
-  resource firewall 'firewallRules' = {
-    name: 'AllowAllWindowsAzureIps'
+  resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) {
+    name: 'allow-all-azure-internal-IPs'
     properties: {
         startIpAddress: '0.0.0.0'
         endIpAddress: '0.0.0.0'
     }
   }
 
-  dependsOn: empty(privateDnsZoneLink) ? [] : [privateDnsZoneLink]
+  resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: {
+    name: 'allow-single-${replace(ip, '.', '')}'
+    properties: {
+        startIpAddress: ip
+        endIpAddress: ip
+    }
+  }]
+
 }
+
+output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName

infra/core/host/appservice.bicep

@@ -33,10 +33,7 @@ param numberOfWorkers int = -1
 param scmDoBuildDuringDeployment bool = false
 param use32BitWorkerProcess bool = false
 param ftpsState string = 'FtpsOnly'
-
-// Microsoft.Web/sites/networkConfig
-param subnetResourceId string = ''
-param virtualNetwork object
+param healthCheckPath string = ''
 
 resource appService 'Microsoft.Web/sites@2022-03-01' = {
   name: name
@@ -49,11 +46,13 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       linuxFxVersion: linuxFxVersion
       alwaysOn: alwaysOn
       ftpsState: ftpsState
+      minTlsVersion: '1.2'
       appCommandLine: appCommandLine
       numberOfWorkers: numberOfWorkers != -1 ? numberOfWorkers : null
       minimumElasticInstanceCount: minimumElasticInstanceCount != -1 ? minimumElasticInstanceCount : null
       use32BitWorkerProcess: use32BitWorkerProcess
       functionAppScaleLimit: functionAppScaleLimit != -1 ? functionAppScaleLimit : null
+      healthCheckPath: healthCheckPath
       cors: {
         allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
       }
@@ -87,15 +86,6 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       configAppSettings
     ]
   }
-
-  resource webappVnetConfig 'networkConfig' =  if (!(empty(virtualNetwork))) {
-    name: 'virtualNetwork'
-    properties: {
-      subnetResourceId: subnetResourceId
-    }
-  }
-
-  dependsOn: empty(virtualNetwork) ? [] : [virtualNetwork]
 }
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {

infra/main.bicep

@@ -9,9 +9,20 @@ param name string
 @description('Primary location for all resources')
 param location string
 
+@secure()
+@description('PostGreSQL Server administrator username')
+param postgresAdminUser string
+
 @secure()
 @description('PostGreSQL Server administrator password')
-param databasePassword string
+param postgresAdminPassword string
+
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
+@secure()
+@description('Django SECRET_KEY for cryptographic signing')
+param djangoSecretKey string
 
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var tags = { 'azd-env-name': name }
@@ -26,19 +37,7 @@ var prefix = '${name}-${resourceToken}'
 
 var postgresServerName = '${prefix}-postgresql'
 
-module virtualNetwork 'core/security/virtualnetwork.bicep' = {
-  name: 'virtualnetwork'
-  scope: resourceGroup
-  params: {
-    name: '${prefix}-vnet'
-    location: location
-    tags: tags
-    postgresServerName: postgresServerName
-  }
-}
-
-var databaseName = 'django'
-var databaseUser = 'django'
+var postgresDatabaseName = 'django'
 
 module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
   name: 'postgresql'
@@ -54,13 +53,11 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
     storage: {
       storageSizeGB: 32
     }
-    version: '13'
-    administratorLogin: databaseUser
-    administratorLoginPassword: databasePassword
-    databaseName: databaseName
-    delegatedSubnetResourceId: virtualNetwork.outputs.databaseSubnetId
-    privateDnsZoneArmResourceId: virtualNetwork.outputs.privateDnsZoneId
-    privateDnsZoneLink: virtualNetwork.outputs.privateDnsZoneLink
+    version: '14'
+    administratorLogin: postgresAdminUser
+    administratorLoginPassword: postgresAdminPassword
+    databaseNames: [postgresDatabaseName]
+    allowAzureIPsFirewall: true
   }
 }
 
@@ -78,13 +75,12 @@ module web 'core/host/appservice.bicep' = {
     ftpsState: 'Disabled'
     managedIdentity: true
     appCommandLine: 'python manage.py migrate && gunicorn --workers 2 --threads 4 --timeout 60 --access-logfile \'-\' --error-logfile \'-\' --bind=0.0.0.0:8000 --chdir=/home/site/wwwroot quizsite.wsgi'
-    virtualNetwork: virtualNetwork
-    subnetResourceId: virtualNetwork.outputs.webSubnetId
     appSettings: {
       DBHOST: postgresServerName
-      DBNAME: databaseName
-      DBUSER: databaseUser
-      DBPASS: databasePassword
+      DBNAME: postgresDatabaseName
+      DBUSER: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminUser)'
+      DBPASS: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminPassword)'
+      SECRET_KEY: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=djangoSecretKey)'
     }
   }
 }
@@ -104,6 +100,45 @@ module appServicePlan 'core/host/appserviceplan.bicep' = {
   }
 }
 
+// Store secrets in a keyvault
+module keyVault './core/security/keyvault.bicep' = {
+  name: 'keyvault'
+  scope: resourceGroup
+  params: {
+    name: '${take(replace(prefix, '-', ''), 17)}-vault'
+    location: location
+    tags: tags
+    principalId: principalId
+  }
+}
+
+var secrets = [
+  {
+    name: 'djangoSecretKey'
+    value: djangoSecretKey
+  }
+  {
+    name: 'postgresAdminUser'
+    value: postgresAdminUser
+  }
+  {
+    name: 'postgresAdminPassword'
+    value: postgresAdminPassword
+  }
+]
+
+@batchSize(1)
+module keyVaultSecrets './core/security/keyvault-secret.bicep' = [for secret in secrets: {
+  name: 'keyvault-secret-${secret.name}'
+  scope: resourceGroup
+  params: {
+    keyVaultName: keyVault.outputs.name
+    name: secret.name
+    secretValue: secret.value
+  }
+}]
+
+
 module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
   name: 'loganalytics'
   scope: resourceGroup

infra/main.parameters.json

@@ -8,8 +8,17 @@
       "location": {
         "value": "${AZURE_LOCATION}"
       },
-      "databasePassword": {
-        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} databasePassword)"
+      "principalId": {
+        "value": "${AZURE_PRINCIPAL_ID}"
+      },
+      "postgresAdminUser": {
+        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} postgresAdminUser)"
+      },
+      "postgresAdminPassword": {
+        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} postgresAdminPassword)"
+      },
+      "djangoSecretKey": {
+        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} djangoSecretKey)"
       }
     }
   }

pyproject.toml

@@ -1,14 +1,14 @@
+[tool.ruff]
+select = ["E", "F", "I", "UP"]
+target-version = "py310"
+line-length = 120
+
 [tool.black]
+target-version = ['py310']
 line-length = 120
-target-version = ['py39']
 exclude = '''
 /(
   | \.venv
   | migrations
 )/
-
 '''
-
-[tool.ruff]
-line-length = 120
-ignore = ['D203']