Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArcBox - Security enhancements #2907

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

ArcBox - Security enhancements #2907

wants to merge 15 commits into from

Conversation

janegilring
Copy link
Contributor

This pull request includes multiple changes to the azure_jumpstart_arcbox project, focusing on simplifying parameter handling, enhancing security, and improving role assignments. The most important changes are summarized below:

Parameter Handling Simplification:

  • Removed several parameters (adminPassword, spnClientSecret, azdataPassword, registryPassword) from Bootstrap.ps1 and clientVm.bicep, simplifying the scripts by reducing the number of required inputs. [1] [2]
  • Updated the commandToExecute in clientVm.bicep to reflect the removal of these parameters.

Security Enhancements:

  • Changed the retrieval of AZDATA_PASSWORD from Azure Key Vault to use windowsAdminPassword instead in DataOpsLogonScript.ps1.
  • Added secure default values for windowsAdminPassword and registryPassword using newGuid() in main.bicep. [1] [2]
  • Stored windowsAdminPassword and registryPassword in Azure Key Vault as secrets in mgmtArtifacts.bicep.

Role Assignments:

  • Added a new role assignment for the deploy user as an Azure Key Vault Administrator in clientVm.bicep.

VM Management:

  • Forced VM restarts in ArcServersLogonScript.ps1 to ensure the changes take effect immediately.

These changes collectively enhance the security and manageability of the Azure Jumpstart ArcBox deployment scripts.

@janegilring janegilring added the ArcBox Jumpstart ArcBox related label Feb 2, 2025
@janegilring janegilring added this to the February 2025 milestone Feb 2, 2025
@janegilring janegilring self-assigned this Feb 2, 2025
@janegilring
Bugfix - secret name
1cec16f 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Bugfix - role assignment name
7cee0eb 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Added default value to Log Analytics workspace name to not make it a …
8eb639d 
…mandatory parameter

Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Updated ARM-template to reflect latest Bicep-updates
7e2f3e2 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Refactor password handling and add role assignments for AD DS VM iden…
c8ce645 
…tity

Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Set Diagnostic Data settings. Added Key Vault logic.
434e58a 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Update default Windows OS version to 2025
aa4c4d5 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Reorganize VM Autologon configuration logic
e1b02a2 
Signed-off-by: Jan Egil Ring <[email protected]>
@janegilring
Fix role assignment name generation for Key Vault Administrator
c18f13b 
Signed-off-by: Jan Egil Ring <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@janegilring janegilring

Labels
ArcBox Jumpstart ArcBox related
Projects
Azure Arc Jumpstart
Status: No status
Milestone
February 2025
Development

Successfully merging this pull request may close these issues.
1 participant
@janegilring