From 9bb888651b8b2fb836767d3a2996c9ba931cc1e0 Mon Sep 17 00:00:00 2001
From: Lyle Xu
Date: Fri, 15 Mar 2024 15:00:58 +0800
Subject: [PATCH] storage account: allow shared key false, cognitive service account: diable local auth true

---
 Environments/AKS/core/ai/cognitiveservices.bicep | 1 +
 Environments/AKS/core/storage/storage-account.bicep | 2 +-
 Environments/APIM/core/storage/storage-account.bicep | 1 +
 Environments/ContainerApp/core/storage/storage-account.bicep | 1 +
 Environments/FunctionApp/main.bicep | 5 +++--
 Environments/OpenAISearch/core/ai/cognitiveservices.bicep | 1 +
 Environments/OpenAISearch/core/storage/storage-account.bicep | 2 +-
 Environments/OpenAISearch/main.bicep | 1 +
 .../OpenAISummarization/core/ai/openai-account.bicep | 1 +
 .../OpenAISummarization/core/storage/storage-account.bicep | 2 +-
 Environments/StaticWeb/core/ai/cognitiveservices.bicep | 1 +
 Environments/StaticWeb/core/storage/storage-account.bicep | 2 +-
 Environments/Todo-Mongo-ACA/core/ai/cognitiveservices.bicep | 1 +
 .../Todo-Mongo-ACA/core/storage/storage-account.bicep | 2 +-
 .../Todo-Nodejs-Mongo-ACA/core/ai/cognitiveservices.bicep | 1 +
 .../Todo-Nodejs-Mongo-ACA/core/storage/storage-account.bicep | 2 +-
 .../Todo-Nodejs-Mongo-AKS/core/ai/cognitiveservices.bicep | 1 +
 .../Todo-Nodejs-Mongo-AKS/core/storage/storage-account.bicep | 2 +-
 Environments/Todo-Shared-AKS/core/ai/cognitiveservices.bicep | 1 +
 .../Todo-Shared-AKS/core/storage/storage-account.bicep | 2 +-
 20 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/Environments/AKS/core/ai/cognitiveservices.bicep b/Environments/AKS/core/ai/cognitiveservices.bicep
index e0afb877..7336c9f6 100644
--- a/Environments/AKS/core/ai/cognitiveservices.bicep
+++ b/Environments/AKS/core/ai/cognitiveservices.bicep
@@ -18,6 +18,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 properties: {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
+ disableLocalAuth: true
 }
 sku: sku
 }
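Review bot: `disableLocalAuth: true` is hard-coded into the resource body, while this module already exposes `customSubDomainName` and `publicNetworkAccess` as parameters and the storage-account modules in the same commit switch shared-key access off through `param allowSharedKeyAccess bool = false`; the same hard-coding appears in the OpenAISearch, StaticWeb, Todo-Mongo-ACA, Todo-Nodejs-Mongo-ACA, Todo-Nodejs-Mongo-AKS and Todo-Shared-AKS cognitiveservices hunks and in the OpenAISummarization openai-account hunk. For a consistent module interface, and so a caller can opt back in while it migrates, declare `param disableLocalAuth bool = true` and set `disableLocalAuth: disableLocalAuth`. Once local auth is off, any consumer that still reads `listKeys()` on this account and injects the key as an app setting will deploy cleanly but be rejected at request time; those consumers are outside this hunk, so confirm each environment's main.bicep has moved to a managed identity holding a Cognitive Services data-plane role. The `account` resource body continues outside the hunk.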
diff --git a/Environments/AKS/core/storage/storage-account.bicep b/Environments/AKS/core/storage/storage-account.bicep
index 53d449ba..aac54563 100644
--- a/Environments/AKS/core/storage/storage-account.bicep
+++ b/Environments/AKS/core/storage/storage-account.bicep
@@ -9,7 +9,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
diff --git a/Environments/APIM/core/storage/storage-account.bicep b/Environments/APIM/core/storage/storage-account.bicep
index a41972ce..f3cabaa1 100644
--- a/Environments/APIM/core/storage/storage-account.bicep
+++ b/Environments/APIM/core/storage/storage-account.bicep
@@ -17,6 +17,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 properties: {
 minimumTlsVersion: minimumTlsVersion
 allowBlobPublicAccess: allowBlobPublicAccess
+ allowSharedKeyAccess: false
 networkAcls: {
 bypass: 'AzureServices'
 defaultAction: 'Allow'
diff --git a/Environments/ContainerApp/core/storage/storage-account.bicep b/Environments/ContainerApp/core/storage/storage-account.bicep
index a41972ce..f3cabaa1 100644
--- a/Environments/ContainerApp/core/storage/storage-account.bicep
+++ b/Environments/ContainerApp/core/storage/storage-account.bicep
@@ -17,6 +17,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 properties: {
 minimumTlsVersion: minimumTlsVersion
 allowBlobPublicAccess: allowBlobPublicAccess
+ allowSharedKeyAccess: false
 networkAcls: {
 bypass: 'AzureServices'
 defaultAction: 'Allow'
diff --git a/Environments/FunctionApp/main.bicep b/Environments/FunctionApp/main.bicep
index 607a75de..b1f2b05c 100644
--- a/Environments/FunctionApp/main.bicep
+++ b/Environments/FunctionApp/main.bicep
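Review bot: Flipping the default of `allowSharedKeyAccess` to false leaves two related defaults in the same parameter block untouched: `param allowBlobPublicAccess bool = true` still permits anonymous container and blob access, which no key or Entra setting blocks, and `param defaultToOAuthAuthentication bool = false` means the portal and tooling will still attempt key auth first and be refused. The OpenAISearch and OpenAISummarization storage modules in this commit already default `allowBlobPublicAccess` to false; align this module (and the StaticWeb, Todo-Mongo-ACA, Todo-Nodejs-Mongo-ACA, Todo-Nodejs-Mongo-AKS and Todo-Shared-AKS copies) with `param allowBlobPublicAccess bool = false`, and set `param defaultToOAuthAuthentication bool = true` in every storage-account hunk of this commit. Callers that consumed a key-based connection string from this module's outputs are not visible here and should be checked for an identity-based replacement.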
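Review bot: `allowSharedKeyAccess: false` is hard-coded into the resource properties here and in the ContainerApp storage-account hunk, whereas `allowBlobPublicAccess` on the line above is parameterised and the other storage-account modules in this commit control the same setting through `param allowSharedKeyAccess bool = false`. Add `param allowSharedKeyAccess bool = false` and write `allowSharedKeyAccess: allowSharedKeyAccess` so every module exposes the same interface and a caller can override it during migration. The `storage` resource and its `networkAcls` block continue outside the hunk; the visible `defaultAction: 'Allow'` means the network layer stays open, so identity is now the only control on this account.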
@@ -71,6 +71,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 kind: 'StorageV2'
 properties: {
 supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
+ allowSharedKeyAccess: false
 }
 tags: tags
 }
@@ -89,8 +90,8 @@ resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
 linuxFxVersion: linexFxVersions[runtime]
 appSettings: [
 {
- name: 'AzureWebJobsStorage'
- value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value}'
+ name: 'AzureWebJobsStorage__accountName'
+ value: storageAccount.name
 }
 {
 name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
diff --git a/Environments/OpenAISearch/core/ai/cognitiveservices.bicep b/Environments/OpenAISearch/core/ai/cognitiveservices.bicep
index 39108a39..8594e16f 100644
--- a/Environments/OpenAISearch/core/ai/cognitiveservices.bicep
+++ b/Environments/OpenAISearch/core/ai/cognitiveservices.bicep
@@ -18,6 +18,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 properties: {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
+ disableLocalAuth: true
 }
 sku: sku
 }
diff --git a/Environments/OpenAISearch/core/storage/storage-account.bicep b/Environments/OpenAISearch/core/storage/storage-account.bicep
index b6dd9891..aa7d5873 100644
--- a/Environments/OpenAISearch/core/storage/storage-account.bicep
+++ b/Environments/OpenAISearch/core/storage/storage-account.bicep
@@ -6,7 +6,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
 @allowed([ 'AzureDnsZone', 'Standard' ])
diff --git a/Environments/OpenAISearch/main.bicep b/Environments/OpenAISearch/main.bicep
index 9d79a7fa..8a73859c 100644
--- a/Environments/OpenAISearch/main.bicep
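Review bot: The rewrite of `AzureWebJobsStorage` to `AzureWebJobsStorage__accountName` covers the host connection, but the next context line still declares `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`, whose value lies outside the hunk; that setting is only honoured as a full connection string carrying an account key, so if it is still built from `storageAccount.listKeys()` the `allowSharedKeyAccess: false` added in the first hunk of this file will make the content share unreachable and the app fail to start. Identity-based host storage also needs the function app to have a managed identity and that identity to hold a blob data role (Storage Blob Data Owner per the Functions docs) on `storageAccount`; neither is visible in this hunk, so confirm they exist elsewhere in main.bicep or add them, and if a user-assigned identity is used add `AzureWebJobsStorage__credential: 'managedidentity'` and `AzureWebJobsStorage__clientId`. The `functionApp` resource and its `appSettings` array continue outside the hunk.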
+++ b/Environments/OpenAISearch/main.bicep
@@ -154,6 +154,7 @@ module storage 'core/storage/storage-account.bicep' = {
 location: storageResourceGroupLocation
 tags: tags
 publicNetworkAccess: 'Enabled'
+ allowSharedKeyAccess: false
 sku: {
 name: 'Standard_ZRS'
 }
diff --git a/Environments/OpenAISummarization/core/ai/openai-account.bicep b/Environments/OpenAISummarization/core/ai/openai-account.bicep
index 45cba57b..28141d55 100644
--- a/Environments/OpenAISummarization/core/ai/openai-account.bicep
+++ b/Environments/OpenAISummarization/core/ai/openai-account.bicep
@@ -12,6 +12,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 properties: {
 customSubDomainName: name
 publicNetworkAccess: 'Enabled'
+ disableLocalAuth: true
 }
 sku: {
 name: 'S0'
diff --git a/Environments/OpenAISummarization/core/storage/storage-account.bicep b/Environments/OpenAISummarization/core/storage/storage-account.bicep
index 5f74102b..e86514ff 100644
--- a/Environments/OpenAISummarization/core/storage/storage-account.bicep
+++ b/Environments/OpenAISummarization/core/storage/storage-account.bicep
@@ -6,7 +6,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param defaultToOAuthAuthentication bool = false
 @allowed([ 'AzureDnsZone', 'Standard' ])
 param dnsEndpointType string = 'Standard'
diff --git a/Environments/StaticWeb/core/ai/cognitiveservices.bicep b/Environments/StaticWeb/core/ai/cognitiveservices.bicep
index e0afb877..7336c9f6 100644
--- a/Environments/StaticWeb/core/ai/cognitiveservices.bicep
+++ b/Environments/StaticWeb/core/ai/cognitiveservices.bicep
@@ -18,6 +18,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2022-10-01' = {
 properties: {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
+ disableLocalAuth: true
 }
 sku: sku
 }
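Review bot: Passing `allowSharedKeyAccess: false` at the call site is now redundant with the new default in `core/storage/storage-account.bicep` from this same commit, though pinning it here is acceptable as a statement of intent. What is missing from view is the data-plane authorisation that replaces the key: nothing in this hunk grants the identity that reads or writes this account a Storage Blob Data role, and `publicNetworkAccess: 'Enabled'` on the line above means the network layer is no substitute. If the role assignment is not elsewhere in main.bicep, the deployment will succeed and data access will fail at runtime. The `storage` module declaration continues outside the hunk.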
diff --git a/Environments/StaticWeb/core/storage/storage-account.bicep b/Environments/StaticWeb/core/storage/storage-account.bicep
index 53d449ba..aac54563 100644
--- a/Environments/StaticWeb/core/storage/storage-account.bicep
+++ b/Environments/StaticWeb/core/storage/storage-account.bicep
@@ -9,7 +9,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
diff --git a/Environments/Todo-Mongo-ACA/core/ai/cognitiveservices.bicep b/Environments/Todo-Mongo-ACA/core/ai/cognitiveservices.bicep
index 1bf5666b..2d5b8e4b 100644
--- a/Environments/Todo-Mongo-ACA/core/ai/cognitiveservices.bicep
+++ b/Environments/Todo-Mongo-ACA/core/ai/cognitiveservices.bicep
@@ -30,6 +30,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
 networkAcls: networkAcls
+ disableLocalAuth: true
 }
 sku: sku
 }
diff --git a/Environments/Todo-Mongo-ACA/core/storage/storage-account.bicep b/Environments/Todo-Mongo-ACA/core/storage/storage-account.bicep
index 4b6febbe..7ce6aec8 100644
--- a/Environments/Todo-Mongo-ACA/core/storage/storage-account.bicep
+++ b/Environments/Todo-Mongo-ACA/core/storage/storage-account.bicep
@@ -10,7 +10,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
diff --git a/Environments/Todo-Nodejs-Mongo-ACA/core/ai/cognitiveservices.bicep b/Environments/Todo-Nodejs-Mongo-ACA/core/ai/cognitiveservices.bicep
index 1bf5666b..2d5b8e4b 100644
--- a/Environments/Todo-Nodejs-Mongo-ACA/core/ai/cognitiveservices.bicep
+++ b/Environments/Todo-Nodejs-Mongo-ACA/core/ai/cognitiveservices.bicep
@@ -30,6 +30,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
 networkAcls: networkAcls
+ disableLocalAuth: true
 }
 sku: sku
 }
diff --git a/Environments/Todo-Nodejs-Mongo-ACA/core/storage/storage-account.bicep b/Environments/Todo-Nodejs-Mongo-ACA/core/storage/storage-account.bicep
index 4b6febbe..7ce6aec8 100644
--- a/Environments/Todo-Nodejs-Mongo-ACA/core/storage/storage-account.bicep
+++ b/Environments/Todo-Nodejs-Mongo-ACA/core/storage/storage-account.bicep
@@ -10,7 +10,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
diff --git a/Environments/Todo-Nodejs-Mongo-AKS/core/ai/cognitiveservices.bicep b/Environments/Todo-Nodejs-Mongo-AKS/core/ai/cognitiveservices.bicep
index 1bf5666b..2d5b8e4b 100644
--- a/Environments/Todo-Nodejs-Mongo-AKS/core/ai/cognitiveservices.bicep
+++ b/Environments/Todo-Nodejs-Mongo-AKS/core/ai/cognitiveservices.bicep
@@ -30,6 +30,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
 networkAcls: networkAcls
+ disableLocalAuth: true
 }
 sku: sku
 }
diff --git a/Environments/Todo-Nodejs-Mongo-AKS/core/storage/storage-account.bicep b/Environments/Todo-Nodejs-Mongo-AKS/core/storage/storage-account.bicep
index 4b6febbe..7ce6aec8 100644
--- a/Environments/Todo-Nodejs-Mongo-AKS/core/storage/storage-account.bicep
+++ b/Environments/Todo-Nodejs-Mongo-AKS/core/storage/storage-account.bicep
@@ -10,7 +10,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
diff --git a/Environments/Todo-Shared-AKS/core/ai/cognitiveservices.bicep b/Environments/Todo-Shared-AKS/core/ai/cognitiveservices.bicep
index 1bf5666b..2d5b8e4b 100644
--- a/Environments/Todo-Shared-AKS/core/ai/cognitiveservices.bicep
+++ b/Environments/Todo-Shared-AKS/core/ai/cognitiveservices.bicep
@@ -30,6 +30,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 customSubDomainName: customSubDomainName
 publicNetworkAccess: publicNetworkAccess
 networkAcls: networkAcls
+ disableLocalAuth: true
 }
 sku: sku
 }
diff --git a/Environments/Todo-Shared-AKS/core/storage/storage-account.bicep b/Environments/Todo-Shared-AKS/core/storage/storage-account.bicep
index 4b6febbe..7ce6aec8 100644
--- a/Environments/Todo-Shared-AKS/core/storage/storage-account.bicep
+++ b/Environments/Todo-Shared-AKS/core/storage/storage-account.bicep
@@ -10,7 +10,7 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param allowSharedKeyAccess bool = false
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}