pamelafox · pamelafox · Mar 21, 2023 · Mar 21, 2023 · Mar 21, 2023 · Mar 21, 2023
diff --git a/.github/workflows/azure-bicep-validate.yaml b/.github/workflows/azure-bicep-validate.yaml
@@ -0,0 +1,36 @@
+name: Validate bicep scripts
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+    branches:
+      - main
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Azure CLI script
+        uses: azure/CLI@v1
+        with:
+          inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+
+      - name: Run Microsoft Security DevOps Analysis
+        uses: microsoft/security-devops-action@preview
+        env:
+          GDN_TEMPLATEANALYZER_VERBOSE: 1
+        id: msdo
+        with:
+          tools: templateanalyzer
+
+      - name: Upload alerts to Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/infra/core/host/appservice.bicep b/infra/core/host/appservice.bicep
@@ -6,7 +6,6 @@ param tags object = {}
 param applicationInsightsName string = ''
 param appServicePlanId string
 param keyVaultName string = ''
-param managedIdentity bool = !empty(keyVaultName)
 
 // Runtime Properties
 @allowed([
@@ -33,6 +32,7 @@ param numberOfWorkers int = -1
 param scmDoBuildDuringDeployment bool = false
 param use32BitWorkerProcess bool = false
 param ftpsState string = 'FtpsOnly'
+param healthCheckPath string = ''
 
 resource appService 'Microsoft.Web/sites@2022-03-01' = {
   name: name
@@ -45,11 +45,13 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       linuxFxVersion: linuxFxVersion
       alwaysOn: alwaysOn
       ftpsState: ftpsState
+      minTlsVersion: '1.2'
       appCommandLine: appCommandLine
       numberOfWorkers: numberOfWorkers != -1 ? numberOfWorkers : null
       minimumElasticInstanceCount: minimumElasticInstanceCount != -1 ? minimumElasticInstanceCount : null
       use32BitWorkerProcess: use32BitWorkerProcess
       functionAppScaleLimit: functionAppScaleLimit != -1 ? functionAppScaleLimit : null
+      healthCheckPath: healthCheckPath
       cors: {
         allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
       }
@@ -58,7 +60,7 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
     httpsOnly: true
   }
 
-  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
+  identity: { type: 'SystemAssigned' }
 
   resource configAppSettings 'config' = {
     name: 'appsettings'
@@ -93,6 +95,6 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
   name: applicationInsightsName
 }
 
-output identityPrincipalId string = managedIdentity ? appService.identity.principalId : ''
+output identityPrincipalId string = appService.identity.principalId
 output name string = appService.name
 output uri string = 'https://${appService.properties.defaultHostName}'
diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep
@@ -2,9 +2,9 @@ param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param containerAppsEnvironmentName string = ''
+param containerAppsEnvironmentName string
 param containerName string = 'main'
-param containerRegistryName string = ''
+param containerRegistryName string
 param env array = []
 param external bool = true
 param imageName string

diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep
@@ -2,9 +2,9 @@ param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param containerAppsEnvironmentName string = ''
-param containerRegistryName string = ''
-param logAnalyticsWorkspaceName string = ''
+param containerAppsEnvironmentName string
+param containerRegistryName string
+param logAnalyticsWorkspaceName string
 
 module containerAppsEnvironment 'container-apps-environment.bicep' = {
   name: '${name}-container-apps-environment'

diff --git a/infra/core/host/functions.bicep b/infra/core/host/functions.bicep
@@ -62,7 +62,6 @@ module functions 'appservice.bicep' = {
     keyVaultName: keyVaultName
     kind: kind
     linuxFxVersion: linuxFxVersion
-    managedIdentity: managedIdentity
     minimumElasticInstanceCount: minimumElasticInstanceCount
     numberOfWorkers: numberOfWorkers
     runtimeName: runtimeName

diff --git a/infra/core/security/keyvault-access.bicep b/infra/core/security/keyvault-access.bicep
@@ -1,6 +1,6 @@
 param name string = 'add'
 
-param keyVaultName string = ''
+param keyVaultName string
 param permissions object = { secrets: [ 'get', 'list' ] }
 param principalId string