Merge branch 'ryonsteele/6349-production-considerations' of https://g…

…ithub.com/microsoft/PubSec-Info-Assistant into ryonsteele/6349-production-considerations

infra/core/ai/cognitiveservices.bicep

@@ -39,5 +39,3 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01
 output endpoint string = account.properties.endpoint
 output id string = account.id
 output name string = account.name
-#disable-next-line outputs-should-not-contain-secrets
-output key string = account.listKeys().key1

infra/core/ai/enrichment.bicep

@@ -3,6 +3,7 @@ param location string = resourceGroup().location
 param tags object = {}
 param sku string = ''
 param isGovCloudDeployment bool  
+param keyVaultName string = ''
 
 resource cognitiveService 'Microsoft.CognitiveServices/accounts@2023-05-01' = if (!isGovCloudDeployment) {
   name: name
@@ -35,9 +36,19 @@ resource cognitiveServiceGov 'Microsoft.CognitiveServices/accounts@2022-12-01' =
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource enrichmentKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+  parent: keyVault
+  name: 'ENRICHMENT-KEY'
+  properties: {
+    value: (isGovCloudDeployment) ? cognitiveServiceGov.listKeys().key1 : cognitiveService.listKeys().key1
+  }
+}
+
 
 output cognitiveServicerAccountName string = (isGovCloudDeployment) ? cognitiveServiceGov.name : cognitiveService.name
 output cognitiveServiceID string = (isGovCloudDeployment) ? cognitiveServiceGov.id : cognitiveService.id
 output cognitiveServiceEndpoint string = (isGovCloudDeployment) ? cognitiveServiceGov.properties.endpoint : cognitiveService.properties.endpoint
-#disable-next-line outputs-should-not-contain-secrets
-output cognitiveServiceAccountKey string = (isGovCloudDeployment) ? cognitiveServiceGov.listKeys().key1 : cognitiveService.listKeys().key1

infra/core/ai/formrecognizer.bicep

@@ -1,6 +1,7 @@
 param name string
 param location string = resourceGroup().location
 param tags object = {}
+param keyVaultName string = ''
 
 param customSubDomainName string = name
 param publicNetworkAccess string = 'Enabled'
@@ -36,8 +37,18 @@ resource formRecognizerAccountGov 'Microsoft.CognitiveServices/accounts@2022-12-
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource formRecognizerKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+  parent: keyVault
+  name: 'AZURE-FORM-RECOGNIZER-KEY'
+  properties: {
+    value: (isGovCloudDeployment) ? formRecognizerAccountGov.listKeys().key1 : formRecognizerAccount.listKeys().key1
+  }
+}
+
 
 output formRecognizerAccountName string = (isGovCloudDeployment) ? formRecognizerAccountGov.name : formRecognizerAccount.name
 output formRecognizerAccountEndpoint string = (isGovCloudDeployment) ? formRecognizerAccountGov.properties.endpoint : formRecognizerAccount.properties.endpoint
-#disable-next-line outputs-should-not-contain-secrets
-output formRecognizerAccountKey string = (isGovCloudDeployment) ? formRecognizerAccountGov.listKeys().key1 : formRecognizerAccount.listKeys().key1

infra/core/db/cosmosdb.bicep

@@ -1,6 +1,7 @@
 param name string
 param location string = resourceGroup().location
 param tags object = {}
+param keyVaultName string = ''
 
 
 @description('The default consistency level of the Cosmos DB account.')
@@ -164,9 +165,19 @@ resource tagContainer 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/contai
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource cosmosdbKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+  parent: keyVault
+  name: 'COSMOSDB-KEY'
+  properties: {
+    value: cosmosDBAccount.listKeys().primaryMasterKey 
+  }
+}
+
 output CosmosDBEndpointURL string = cosmosDBAccount.properties.documentEndpoint
-#disable-next-line outputs-should-not-contain-secrets
-output CosmosDBKey string = cosmosDBAccount.listKeys().primaryMasterKey
 output CosmosDBLogDatabaseName string = logDatabase.name
 output CosmosDBLogContainerName string = logContainer.name
 output CosmosDBTagsDatabaseName string = tagDatabase.name

infra/core/function/function.bicep

@@ -36,14 +36,6 @@ param blobStorageAccountOutputContainerName string
 @description('Azure Blob Storage Account Log Container Name')
 param blobStorageAccountLogContainerName string
 
-@description('Azure Blob Storage Account Key')
-@secure()
-param blobStorageAccountKey string
-
-@description('Azure Blob Storage Account Connection String')
-@secure()
-param blobStorageAccountConnectionString string
-
 @description('Chunk Target Size ')
 param chunkTargetSize string
 
@@ -56,17 +48,9 @@ param formRecognizerApiVersion string
 @description('Form Recognizer Endpoint')
 param formRecognizerEndpoint string
 
-@description('Form Recognizer API Key')
-@secure()
-param formRecognizerApiKey string
-
 @description('CosmosDB Endpoint')
 param CosmosDBEndpointURL string
 
-@description('CosmosDB Key')
-@secure()
-param CosmosDBKey string
-
 @description('CosmosDB Log Database Name')
 param CosmosDBLogDatabaseName string
 
@@ -121,9 +105,6 @@ param pollingBackoff string
 @description('The maximum number of times we will retry to read a full processed document from FR. Failures in read may be due to network issues downloading the large response')
 param maxReadAttempts string
 
-@description('Key to access the enrichment service')
-param enrichmentKey string
-
 @description('Endpoint of the enrichment service')
 param enrichmentEndpoint string
 
@@ -154,8 +135,8 @@ param azureSearchIndex string
 @description('Endpoint of the Azure Search Service to post data to for ingestion')
 param azureSearchServiceEndpoint string
 
-@description('Used to connect and authenticate to Azure Search Service')
-param azureSearchServiceKey string
+@description('Name of the Azure KeyVault to pull Secret values and create Access Policy')
+param keyVaultName string = ''
 
 // Create function app resource
 resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
@@ -177,17 +158,17 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
       connectionStrings: [
         {
           name: 'BLOB_CONNECTION_STRING'
-          connectionString: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}'
+          connectionString: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}'
         }
       ]
       appSettings: [
         {
           name: 'AzureWebJobsStorage'
-          value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}'
+          value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}'
         }
         {
           name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
-          value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}'
+          value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}'
         }
         {
           name: 'WEBSITE_CONTENTSHARE'
@@ -235,7 +216,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
         }
         {
           name: 'AZURE_BLOB_STORAGE_KEY'
-          value: blobStorageAccountKey
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)'
         }
         {
           name: 'CHUNK_TARGET_SIZE'
@@ -255,19 +236,19 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
         }
         {
           name: 'AZURE_FORM_RECOGNIZER_KEY'
-          value: formRecognizerApiKey
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-FORM-RECOGNIZER-KEY)'
         }
         {
           name: 'BLOB_CONNECTION_STRING'
-          value: blobStorageAccountConnectionString
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/BLOB-CONNECTION-STRING)'
         }
         {
           name: 'COSMOSDB_URL'
           value: CosmosDBEndpointURL
         }
         {
           name: 'COSMOSDB_KEY'
-          value: CosmosDBKey
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)'
         }
         {
           name: 'COSMOSDB_LOG_DATABASE_NAME'
@@ -343,7 +324,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
         }
         {
           name: 'ENRICHMENT_KEY'
-          value: enrichmentKey
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/ENRICHMENT-KEY)'
         }
         {
           name: 'ENRICHMENT_ENDPOINT'
@@ -379,7 +360,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
         }
         {
           name: 'AZURE_SEARCH_SERVICE_KEY'
-          value: azureSearchServiceKey 
+          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)'
         }  
         {
           name: 'AZURE_SEARCH_SERVICE_ENDPOINT'
@@ -395,5 +376,32 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
   }
 }
 
+resource existingStorageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' existing = {
+  name: blobStorageAccountName
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
+  parent: keyVault
+  name: 'add'
+  properties: {
+    accessPolicies: [
+      {
+        tenantId: functionApp.identity.tenantId
+        objectId: functionApp.identity.principalId
+        permissions: {
+          secrets: [
+            'get'
+            'list'
+          ]
+        }
+      }
+    ]
+  }
+}
+
 output name string = functionApp.name
 output identityPrincipalId string = functionApp.identity.principalId

infra/core/host/appservice.bicep

@@ -77,6 +77,11 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       {
         SCM_DO_BUILD_DURING_DEPLOYMENT: toLower(string(scmDoBuildDuringDeployment))
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
+        AZURE_SEARCH_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)'
+        AZURE_OPENAI_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-OPENAI-SERVICE-KEY)'
+        AZURE_BLOB_STORAGE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)'
+        COSMOSDB_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)'
+        AZURE_CLIENT_SECRET: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-CLIENT-SECRET)'
       },
       !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
@@ -128,6 +133,25 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(
   name: keyVaultName
 }
 
+resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
+  parent: keyVault
+  name: 'add'
+  properties: {
+    accessPolicies: [
+      {
+        tenantId: appService.identity.tenantId
+        objectId: appService.identity.principalId
+        permissions: {
+          secrets: [
+            'get'
+            'list'
+          ]
+        }
+      }
+    ]
+  }
+}
+
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
   name: applicationInsightsName
 }

infra/core/host/enrichmentappservice.bicep

@@ -68,6 +68,11 @@ properties: {
       {
         SCM_DO_BUILD_DURING_DEPLOYMENT: toLower(string(scmDoBuildDuringDeployment))
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
+        COSMOSDB_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)'
+        AZURE_SEARCH_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)'
+        BLOB_CONNECTION_STRING: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/BLOB-CONNECTION-STRING)'
+        AZURE_OPENAI_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-OPENAI-SERVICE-KEY)'
+        AZURE_BLOB_STORAGE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)'
       },
       !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
@@ -91,6 +96,25 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(
   name: keyVaultName
 }
 
+resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
+  parent: keyVault
+  name: 'add'
+  properties: {
+    accessPolicies: [
+      {
+        tenantId: appService.identity.tenantId
+        objectId: appService.identity.principalId
+        permissions: {
+          secrets: [
+            'get'
+            'list'
+          ]
+        }
+      }
+    ]
+  }
+}
+
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
   name: applicationInsightsName
 }

infra/core/logging/logging.bicep

@@ -28,6 +28,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02-preview'
   }
 }
 
+
 output applicationInsightsId string = applicationInsights.id
 output logAnalyticsId string = logAnalytics.id
 output applicationInsightsName string = applicationInsights.name

infra/core/search/search-services.bicep

@@ -9,6 +9,7 @@ param sku object = {
 param authOptions object = {}
 param semanticSearch string = 'disabled'
 param isGovCloudDeployment bool  
+param keyVaultName string = ''
 
 resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = {
   name: name
@@ -37,9 +38,22 @@ resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = {
   sku: sku
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource searchServiceKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+  parent: keyVault
+  name: 'AZURE-SEARCH-SERVICE-KEY'
+  properties: {
+    value: search.listAdminKeys().primaryKey 
+    attributes: {
+      enabled: true
+    }
+  }
+}
+
 
 output id string = search.id
 output endpoint string = (isGovCloudDeployment) ? 'https://${name}.search.azure.us/' : 'https://${name}.search.windows.net/'
 output name string = search.name
-#disable-next-line outputs-should-not-contain-secrets
-output searchServiceKey string = search.listAdminKeys().primaryKey