From ac7a2d64bd66417926372171e9292efc814d2053 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ren=C3=A9=20H=C3=A9zser?= Date: Thu, 20 Feb 2025 21:39:01 +0100 Subject: [PATCH] feat: Update `avm/res/api-management/service` - WAF Security recommendations (#3942) ## Description Adds WAF Security defaults and UDTs. ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.api-management.service](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.res.api-management.service.yml/badge.svg?branch=api-gateway-waf-security)](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.res.api-management.service.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [x] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. 
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings
---------
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
Co-authored-by: Alexander Sehr
---
 avm/res/api-management/service/README.md | 33 ++++++--
 .../service/api-version-set/main.json | 4 +-
 .../service/api/diagnostics/main.json | 4 +-
 avm/res/api-management/service/api/main.json | 12 +--
 .../service/api/policy/main.json | 4 +-
 avm/res/api-management/service/main.bicep | 4 +-
 avm/res/api-management/service/main.json | 76 +++++++++----------
 .../tests/e2e/defaults/main.test.bicep | 2 +-
 .../tests/e2e/developerSku/main.test.bicep | 2 +-
 .../service/tests/e2e/max/main.test.bicep | 10 +--
 .../service/tests/e2e/v2Sku/main.test.bicep | 2 +-
 .../tests/e2e/waf-aligned/main.test.bicep | 10 +--
 avm/res/api-management/service/version.json | 2 +-
 13 files changed, 93 insertions(+), 72 deletions(-)
diff --git a/avm/res/api-management/service/README.md b/avm/res/api-management/service/README.md
index 290ab46d6c..03538fc39e 100644
--- a/avm/res/api-management/service/README.md
+++ b/avm/res/api-management/service/README.md
@@ -342,6 +342,10 @@ module service 'br/public:avm/res/api-management/service:' = {
 displayName: 'Echo API'
 name: 'echo-api'
 path: 'echo'
+ protocols: [
+ 'http'
+ 'https'
+ ]
 serviceUrl: 'http://echoapi.cloudapp.net/api'
 }
 ]
@@ -578,6 +582,10 @@ module service 'br/public:avm/res/api-management/service:' = {
 "displayName": "Echo API",
 "name": "echo-api",
 "path": "echo",
+ "protocols": [
+ "http",
+ "https"
+ ],
 "serviceUrl": "http://echoapi.cloudapp.net/api"
 }
 ]
@@ -840,6 +848,10 @@ param apis = [
 displayName: 'Echo API'
 name: 'echo-api'
 path: 'echo'
+ protocols: [
+ 'http'
+ 'https'
+ ]
 serviceUrl: 'http://echoapi.cloudapp.net/api'
 }
 ]
@@ -1140,6 +1152,9 @@ module service 'br/public:avm/res/api-management/service:' = {
 displayName: 'Echo API'
 name: 'echo-api'
 path: 'echo'
+ protocols: [
+ 'https'
+ ]
 serviceUrl: 'https://echoapi.cloudapp.net/api'
 }
 ]
@@ -1163,8 +1178,8 @@ module service 'br/public:avm/res/api-management/service:' = {
 {
 name: 'backend'
 tls: {
- validateCertificateChain: false
- validateCertificateName: false
+ validateCertificateChain: true
+ validateCertificateName: true
 }
 url: 'https://echoapi.cloudapp.net/api'
 }
@@ -1351,6 +1366,9 @@ module service 'br/public:avm/res/api-management/service:' = {
 "displayName": "Echo API",
 "name": "echo-api",
 "path": "echo",
+ "protocols": [
+ "https"
+ ],
 "serviceUrl": "https://echoapi.cloudapp.net/api"
 }
 ]
@@ -1378,8 +1396,8 @@ module service 'br/public:avm/res/api-management/service:' = {
 {
 "name": "backend",
 "tls": {
- "validateCertificateChain": false,
- "validateCertificateName": false
+ "validateCertificateChain": true,
+ "validateCertificateName": true
 },
 "url": "https://echoapi.cloudapp.net/api"
 }
@@ -1584,6 +1602,9 @@ param apis = [
 displayName: 'Echo API'
 name: 'echo-api'
 path: 'echo'
+ protocols: [
+ 'https'
+ ]
 serviceUrl: 'https://echoapi.cloudapp.net/api'
 }
 ]
@@ -1607,8 +1628,8 @@ param backends = [
 {
 name: 'backend'
 tls: {
- validateCertificateChain: false
- validateCertificateName: false
+ validateCertificateChain: true
+ validateCertificateName: true
 }
 url: 'https://echoapi.cloudapp.net/api'
 }
diff --git a/avm/res/api-management/service/api-version-set/main.json b/avm/res/api-management/service/api-version-set/main.json
index b002431030..7680abc895 100644
--- a/avm/res/api-management/service/api-version-set/main.json
+++ b/avm/res/api-management/service/api-version-set/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "6801592949576181154"
+ "version": "0.33.93.31351",
+ "templateHash": "7829811049560910009"
 },
 "name": "API Management Service API Version Sets",
 "description": "This module deploys an API Management Service API Version Set."
diff --git a/avm/res/api-management/service/api/diagnostics/main.json b/avm/res/api-management/service/api/diagnostics/main.json
index 790023763f..18c08257d6 100644
--- a/avm/res/api-management/service/api/diagnostics/main.json
+++ b/avm/res/api-management/service/api/diagnostics/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "4899675580903703157"
+ "version": "0.33.93.31351",
+ "templateHash": "13183080858238494781"
 },
 "name": "API Management Service APIs Diagnostics.",
 "description": "This module deploys an API Management Service API Diagnostics."
diff --git a/avm/res/api-management/service/api/main.json b/avm/res/api-management/service/api/main.json
index de7b395213..f48b80272d 100644
--- a/avm/res/api-management/service/api/main.json
+++ b/avm/res/api-management/service/api/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "11063536724422240669"
+ "version": "0.33.93.31351",
+ "templateHash": "273590710214674608"
 },
 "name": "API Management Service APIs",
 "description": "This module deploys an API Management Service API."
@@ -279,8 +279,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "8003925948340237461"
+ "version": "0.33.93.31351",
+ "templateHash": "1494563992508164069"
 },
 "name": "API Management Service APIs Policies",
 "description": "This module deploys an API Management Service API Policy."
@@ -425,8 +425,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "4899675580903703157"
+ "version": "0.33.93.31351",
+ "templateHash": "13183080858238494781"
 },
 "name": "API Management Service APIs Diagnostics.",
 "description": "This module deploys an API Management Service API Diagnostics."
diff --git a/avm/res/api-management/service/api/policy/main.json b/avm/res/api-management/service/api/policy/main.json
index 87e44f9560..9783d01165 100644
--- a/avm/res/api-management/service/api/policy/main.json
+++ b/avm/res/api-management/service/api/policy/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "8003925948340237461"
+ "version": "0.33.93.31351",
+ "templateHash": "1494563992508164069"
 },
 "name": "API Management Service APIs Policies",
 "description": "This module deploys an API Management Service API Policy."
diff --git a/avm/res/api-management/service/main.bicep b/avm/res/api-management/service/main.bicep
index bacb6ca151..b5ff91656b 100644
--- a/avm/res/api-management/service/main.bicep
+++ b/avm/res/api-management/service/main.bicep
@@ -282,7 +282,7 @@ module service_apis 'api/main.bicep' = [
 apiVersionDescription: api.?apiVersionDescription
 apiVersionSetId: api.?apiVersionSetId
 authenticationSettings: api.?authenticationSettings
- format: api.?format ?? 'openapi'
+ format: api.?format
 isCurrent: api.?isCurrent
 protocols: api.?protocols
 policies: api.?policies
@@ -351,7 +351,7 @@ module service_backends 'backend/main.bicep' = [
 resourceId: backend.?resourceId
 serviceFabricCluster: backend.?serviceFabricCluster
 title: backend.?title
- tls: backend.?tls
+ tls: backend.?tls ?? { validateCertificateChain: true, validateCertificateName: true }
 }
 }
 ]
diff --git a/avm/res/api-management/service/main.json b/avm/res/api-management/service/main.json
index bff37609e8..d8fc02aaef 100644
--- a/avm/res/api-management/service/main.json
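Review bot: Dropping the `?? 'openapi'` fallback on the `format` line is a silent behavior change for callers of this module who omit `format`: they previously reached `api/main.bicep` with `'openapi'` and now reach it with null, so whatever default the child module declares (not visible in this patch) takes over. Nothing in the hunk or the PR description says why the service-level default was removed; a one-line comment such as `// format default is owned by api/main.bicep` would make the intent clear, or the fallback should be restored if the child has no default of its own. The body of `service_apis` continues outside the hunk.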
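Review bot: The `??` fallback on the new `tls` line only applies when the caller omits the whole `tls` object, so a backend passed with a partial object such as `tls: { validateCertificateName: false }` leaves `validateCertificateChain` unset and the WAF-aligned default this change introduces is silently lost for that property. If the intent is a secure default per property, coalesce each field separately: `tls: { validateCertificateChain: backend.?tls.?validateCertificateChain ?? true, validateCertificateName: backend.?tls.?validateCertificateName ?? true }`. The compiled main.json carries the same object-level `coalesce(...)` and would need regenerating after the change. The body of `service_backends` continues outside the hunk.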
+++ b/avm/res/api-management/service/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "14024053243776143462"
+ "version": "0.33.93.31351",
+ "templateHash": "16108971413887515803"
 },
 "name": "API Management Services",
 "description": "This module deploys an API Management Service. The default deployment is set to use a Premium SKU to align with Microsoft WAF-aligned best practices. In most cases, non-prod deployments should use a lower-tier SKU."
@@ -782,7 +782,7 @@
 "value": "[tryGet(parameters('apis')[copyIndex()], 'authenticationSettings')]"
 },
 "format": {
- "value": "[coalesce(tryGet(parameters('apis')[copyIndex()], 'format'), 'openapi')]"
+ "value": "[tryGet(parameters('apis')[copyIndex()], 'format')]"
 },
 "isCurrent": {
 "value": "[tryGet(parameters('apis')[copyIndex()], 'isCurrent')]"
@@ -822,8 +822,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "11063536724422240669"
+ "version": "0.33.93.31351",
+ "templateHash": "273590710214674608"
 },
 "name": "API Management Service APIs",
 "description": "This module deploys an API Management Service API."
@@ -1096,8 +1096,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "8003925948340237461"
+ "version": "0.33.93.31351",
+ "templateHash": "1494563992508164069"
 },
 "name": "API Management Service APIs Policies",
 "description": "This module deploys an API Management Service API Policy."
@@ -1242,8 +1242,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "4899675580903703157"
+ "version": "0.33.93.31351",
+ "templateHash": "13183080858238494781"
 },
 "name": "API Management Service APIs Diagnostics.",
 "description": "This module deploys an API Management Service API Diagnostics."
@@ -1469,8 +1469,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "6801592949576181154"
+ "version": "0.33.93.31351",
+ "templateHash": "7829811049560910009"
 },
 "name": "API Management Service API Version Sets",
 "description": "This module deploys an API Management Service API Version Set."
@@ -1609,8 +1609,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "9439651007814693141"
+ "version": "0.33.93.31351",
+ "templateHash": "6804762094873651550"
 },
 "name": "API Management Service Authorization Servers",
 "description": "This module deploys an API Management Service Authorization Server."
@@ -1848,7 +1848,7 @@
 "value": "[tryGet(parameters('backends')[copyIndex()], 'title')]"
 },
 "tls": {
- "value": "[tryGet(parameters('backends')[copyIndex()], 'tls')]"
+ "value": "[coalesce(tryGet(parameters('backends')[copyIndex()], 'tls'), createObject('validateCertificateChain', true(), 'validateCertificateName', true()))]"
 }
 },
 "template": {
@@ -1858,8 +1858,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "13471923779604074887"
+ "version": "0.33.93.31351",
+ "templateHash": "4453336321720967633"
 },
 "name": "API Management Service Backends",
 "description": "This module deploys an API Management Service Backend."
@@ -2038,8 +2038,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "3359248846501864533"
+ "version": "0.33.93.31351",
+ "templateHash": "18419808380672694533"
 },
 "name": "API Management Service Caches",
 "description": "This module deploys an API Management Service Cache."
@@ -2192,8 +2192,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "4899675580903703157"
+ "version": "0.33.93.31351",
+ "templateHash": "13183080858238494781"
 },
 "name": "API Management Service APIs Diagnostics.",
 "description": "This module deploys an API Management Service API Diagnostics."
@@ -2421,8 +2421,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "9439755619586446330"
+ "version": "0.33.93.31351",
+ "templateHash": "13263983509172438133"
 },
 "name": "API Management Service Identity Providers",
 "description": "This module deploys an API Management Service Identity Provider."
@@ -2630,8 +2630,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "13044725911661445483"
+ "version": "0.33.93.31351",
+ "templateHash": "9800847829037569395"
 },
 "name": "API Management Service Loggers",
 "description": "This module deploys an API Management Service Logger."
@@ -2774,8 +2774,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "8157254408403610295"
+ "version": "0.33.93.31351",
+ "templateHash": "11386329254828299336"
 },
 "name": "API Management Service Named Values",
 "description": "This module deploys an API Management Service Named Value."
@@ -2911,8 +2911,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "3588318966794177458"
+ "version": "0.33.93.31351",
+ "templateHash": "2236873279760395261"
 },
 "name": "API Management Service Portal Settings",
 "description": "This module deploys an API Management Service Portal Setting."
@@ -3009,8 +3009,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "12529707644768894354"
+ "version": "0.33.93.31351",
+ "templateHash": "1189152396458775709"
 },
 "name": "API Management Service Policies",
 "description": "This module deploys an API Management Service Policy."
@@ -3143,8 +3143,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "7427869826758534329"
+ "version": "0.33.93.31351",
+ "templateHash": "9602469673358610075"
 },
 "name": "API Management Service Products",
 "description": "This module deploys an API Management Service Product."
@@ -3271,8 +3271,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "6881101310103461222"
+ "version": "0.33.93.31351",
+ "templateHash": "7187924573150749189"
 },
 "name": "API Management Service Products APIs",
 "description": "This module deploys an API Management Service Product API."
@@ -3360,8 +3360,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "7173352386317054073"
+ "version": "0.33.93.31351",
+ "templateHash": "12351031153434834126"
 },
 "name": "API Management Service Products Groups",
 "description": "This module deploys an API Management Service Product Group."
@@ -3519,8 +3519,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.33.13.18514",
- "templateHash": "3748720225613039754"
+ "version": "0.33.93.31351",
+ "templateHash": "16999168968925536172"
 },
 "name": "API Management Service Subscriptions",
 "description": "This module deploys an API Management Service Subscription."
diff --git a/avm/res/api-management/service/tests/e2e/defaults/main.test.bicep b/avm/res/api-management/service/tests/e2e/defaults/main.test.bicep
index d1dd29a05c..54d81f75c1 100644
--- a/avm/res/api-management/service/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/api-management/service/tests/e2e/defaults/main.test.bicep
@@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#' // General resources // ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-11-01' = { name: resourceGroupName location: resourceLocation } diff --git a/avm/res/api-management/service/tests/e2e/developerSku/main.test.bicep b/avm/res/api-management/service/tests/e2e/developerSku/main.test.bicep index d9f8a2d610..4aef7f9900 100644 --- a/avm/res/api-management/service/tests/e2e/developerSku/main.test.bicep +++ b/avm/res/api-management/service/tests/e2e/developerSku/main.test.bicep @@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#' // General resources // ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-11-01' = { name: resourceGroupName location: resourceLocation } diff --git a/avm/res/api-management/service/tests/e2e/max/main.test.bicep b/avm/res/api-management/service/tests/e2e/max/main.test.bicep index e8d162bf6b..162cb6f991 100644 --- a/avm/res/api-management/service/tests/e2e/max/main.test.bicep +++ b/avm/res/api-management/service/tests/e2e/max/main.test.bicep @@ -33,7 +33,7 @@ param customSecret string = newGuid() // General resources // ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-11-01' = { name: resourceGroupName location: resourceLocation } @@ -111,6 +111,10 @@ module testDeployment '../../../main.bicep' = [ name: 'echo-api' path: 'echo' serviceUrl: 'http://echoapi.cloudapp.net/api' + protocols: [ + 'http' + 'https' + ] } ] authorizationServers: { @@ -287,9 +291,5 @@ module testDeployment '../../../main.bicep' = [ Role: 'DeploymentValidation' } } - dependsOn: [ - nestedDependencies - diagnosticDependencies - ] } ] 
diff --git a/avm/res/api-management/service/tests/e2e/v2Sku/main.test.bicep b/avm/res/api-management/service/tests/e2e/v2Sku/main.test.bicep index bb37ce6721..742a6ad819 100644 --- a/avm/res/api-management/service/tests/e2e/v2Sku/main.test.bicep +++ b/avm/res/api-management/service/tests/e2e/v2Sku/main.test.bicep @@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#' // General resources // ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { +resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-11-01' = { name: resourceGroupName location: resourceLocation } diff --git a/avm/res/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/avm/res/api-management/service/tests/e2e/waf-aligned/main.test.bicep index 6bef96d931..2453e2a05a 100644 --- a/avm/res/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/res/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -115,6 +115,9 @@ module testDeployment '../../../main.bicep' = [ name: 'echo-api' path: 'echo' serviceUrl: 'https://echoapi.cloudapp.net/api' + protocols: [ + 'https' + ] } ] authorizationServers: { @@ -137,8 +140,8 @@ module testDeployment '../../../main.bicep' = [ { name: 'backend' tls: { - validateCertificateChain: false - validateCertificateName: false + validateCertificateChain: true + validateCertificateName: true } url: 'https://echoapi.cloudapp.net/api' } @@ -253,8 +256,5 @@ module testDeployment '../../../main.bicep' = [ Role: 'DeploymentValidation' } } - dependsOn: [ - diagnosticDependencies - ] } ] diff --git a/avm/res/api-management/service/version.json b/avm/res/api-management/service/version.json index b6668657e7..b39a201436 100644 --- a/avm/res/api-management/service/version.json +++ b/avm/res/api-management/service/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.8", + "version": "0.9", "pathFilters": [ "./main.json" ]