Make DDOS plan an optional setting via local.env #793

Merged
merged 7 commits into from
Jul 7, 2024
1 change: 1 addition & 0 deletions docs/deployment/deployment.md
Expand Up @@ -90,6 +90,7 @@ ENTRA_OWNERS | No | Defaults to "". Additional user id's you wish to assign as o
SERVICE_MANAGEMENT_REFERENCE | No | Defaults to "". Sets the service management reference value on Azure Entra objects created by Information Assistant if required by your organization.
MAX_CSV_FILE_SIZE | Yes | Defaults to 20. This value limits the size of CSV files in MBs that will be supported for upload in the Tabular Data Assistant UX feature.
PASSWORD_LIFETIME | No | Defaults to 365. The number of days that passwords associated with created identities are set to expire after creation. Change this setting if needed to conform to you policy requirements
ENABLE_DDOS_PROTECTION_PLAN | Yes | Defaults to false. This setting is only used in "secure-mode" and will determine if the private vnet that is deployed is assicated to a DDOS protection plan or not. When true, this setting can be used in conjunction with `DDOS_PLAN_ID` to specify a specfic DDOS protection plan ID or if omitted the scripts will prompt during deployment to select an available DDOS protection plan.

## Log into Azure using the Azure CLI

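Review bot: the new ENABLE_DDOS_PROTECTION_PLAN row has two typos: "assicated" should read "associated" and "specfic" should read "specific". The row also marks the setting as required ("Yes") while giving it a default of false; the other rows that carry a default (ENTRA_OWNERS, SERVICE_MANAGEMENT_REFERENCE, PASSWORD_LIFETIME) are marked "No", so pick one convention. It would also help to state what happens when the flag is true and no plan is selected at the prompt: per the count expression in network.tf in this PR, a new DDoS protection plan is created when DDOS_PLAN_ID is still empty, and that resource carries a monthly charge the operator should be warned about.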
3 changes: 2 additions & 1 deletion docs/secure_deployment/secure_deployment.md
Expand Up @@ -144,10 +144,11 @@ To perform a secure deployment, follow these steps:
*Note: Secure mode is blocked when using an existing Azure OpenAI service. We have blocked this scenario to prevent updating a shared instance of Azure OpenAI that may be in use by other workloads*

4. Review the network and subnet CIDRs for your deployment. See the section [Network and subnet CIDR configuration](#network-and-subnet-cidr-configuration) for more details.
5. Decide you approach for DDOS protection for your Info Assistant vnet. If you plan to use an existing DDOS protection plan you can select it in one of two ways:
5. Decide you approach for DDOS protection for your Info Assistant vnet. If you simply don't want to use a DDOS protection plan simply leave the `ENABLE_DDOS_PROTECTION_PLAN` flag set to false. If you plan to use a DDOS protection plan, you need to enable it by setting the `ENABLE_DDOS_PROTECTION_PLAN` flag set to true and then you can select a specific DDOS protection plan in one of two ways:
* **RECOMMENDED:** You can manually provide the DDOS plan ID in your `local.env` file using the following parameter. Be sure to update the subscription id, resource group name, and ddos plan name values.

```bash
export ENABLE_DDOS_PROTECTION_PLAN=true
export DDOS_PLAN_ID="/subscriptions/{subscription id}/resourceGroups/{resource group name}/providers/Microsoft.Network/ddosProtectionPlans/{ddos plan name}"`
```

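Review bot: the rewritten step 5 still reads "Decide you approach" (should be "your") and "setting the ... flag set to true" (drop the second "set"); the two "simply"s in one sentence can go as well. In the bash block that follows, the DDOS_PLAN_ID line still ends with a stray backtick after the closing quote, which leaves an unterminated command substitution if the block is pasted into a shell; since the block gains the `export ENABLE_DDOS_PROTECTION_PLAN=true` line here, this is the moment to remove it. Finally, the text says the flag is "set to false" by default but never points to where it lives; a reference to the ENABLE_DDOS_PROTECTION_PLAN row in deployment.md would close that gap.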
5 changes: 1 addition & 4 deletions infra/arm_templates/network/vnet.template.json
Expand Up @@ -77,10 +77,7 @@
"addressSpace": {
"addressPrefixes": [ "[parameters('vnet_CIDR')]" ]
},
"ddosProtectionPlan": {
"id": "[parameters('ddos_plan_id')]"
},
"enableDdosProtection": "true",
"enableDdosProtection": "false",
"subnets": [
{
"name": "ampls",
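Review bot: `"enableDdosProtection": "false"` is a JSON string where the Microsoft.Network/virtualNetworks schema defines a boolean. The value it replaces was the string "true", so this has evidently deployed, but the unquoted `false` is the documented form and does not rely on implicit coercion by the resource provider; the same applies to the "true" in the new vnet_w_ddos.template.json. Removing the ddosProtectionPlan block here also leaves ddos_plan_id as a parameter the template no longer uses, while network.tf in this PR still passes it (as ""); either keep the parameter declared with a comment saying why, or stop passing it.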
291 changes: 291 additions & 0 deletions infra/arm_templates/network/vnet_w_ddos.template.json
@@ -0,0 +1,291 @@
{
"$schema": "${arm_template_schema_mgmt_api}/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"location": {
"type": "string"
},
"tags": {
"type": "object"
},
"ddos_plan_id": {
"type": "string"
},
"nsg_name": {
"type": "string"
},
"vnet_CIDR": {
"type": "string"
},
"subnet_AzureMonitor_CIDR": {
"type": "string"
},
"subnet_AzureStorage_CIDR": {
"type": "string"
},
"subnet_AzureCosmosDB_CIDR": {
"type": "string"
},
"subnet_AzureAi_CIDR": {
"type": "string"
},
"subnet_KeyVault_CIDR": {
"type": "string"
},
"subnet_App_CIDR": {
"type": "string"
},
"subnet_Function_CIDR": {
"type": "string"
},
"subnet_Enrichment_CIDR": {
"type": "string"
},
"subnet_Integration_CIDR": {
"type": "string"
},
"subnet_AiSearch_CIDR": {
"type": "string"
},
"subnet_AzureOpenAI_CIDR": {
"type": "string"
},
"subnet_Acr_CIDR": {
"type": "string"
},
"subnet_Dns_CIDR": {
"type": "string"
},
"privateEndpointNetworkPoliciesStatus": {
"type": "string"
},
"privateLinkServiceNetworkPoliciesStatus": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2023-11-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"tags": "[parameters('tags')]",
"properties": {
"addressSpace": {
"addressPrefixes": [ "[parameters('vnet_CIDR')]" ]
},
"ddosProtectionPlan": {
"id": "[parameters('ddos_plan_id')]"
},
"enableDdosProtection": "true",
"subnets": [
{
"name": "ampls",
"properties": {
"addressPrefix": "[parameters('subnet_AzureMonitor_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "storageAccount",
"properties": {
"addressPrefix": "[parameters('subnet_AzureStorage_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "cosmosDb",
"properties": {
"addressPrefix": "[parameters('subnet_AzureCosmosDB_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "azureAi",
"properties": {
"addressPrefix": "[parameters('subnet_AzureAi_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.CognitiveServices" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "keyVault",
"properties": {
"addressPrefix": "[parameters('subnet_KeyVault_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.KeyVault" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "app",
"properties": {
"addressPrefix": "[parameters('subnet_App_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.Storage" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "function",
"properties": {
"addressPrefix": "[parameters('subnet_Function_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.Storage" }, { "service": "Microsoft.KeyVault" }]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "enrichment",
"properties": {
"addressPrefix": "[parameters('subnet_Enrichment_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.Storage" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "integration",
"properties": {
"addressPrefix": "[parameters('subnet_Integration_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [
{
"name": "integrationDelegation",
"properties": {
"serviceName": "Microsoft.Web/serverFarms"
},
"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
}
],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.Storage" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "aiSearch",
"properties": {
"addressPrefix": "[parameters('subnet_AiSearch_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "azureOpenAI",
"properties": {
"addressPrefix": "[parameters('subnet_AzureOpenAI_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]",
"serviceEndpoints": [ { "service": "Microsoft.CognitiveServices" } ]
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "acr",
"properties": {
"addressPrefix": "[parameters('subnet_Acr_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
},
{
"name": "dns",
"properties": {
"addressPrefix": "[parameters('subnet_Dns_CIDR')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsg_name'))]"
},
"delegations": [
{
"name": "dnsDelegation",
"properties": {
"serviceName": "Microsoft.Network/dnsResolvers"
},
"type": "Microsoft.Network/virtualNetworks/subnets/delegations"
}
],
"privateEndpointNetworkPolicies": "[parameters('privateEndpointNetworkPoliciesStatus')]",
"privateLinkServiceNetworkPolicies": "[parameters('privateLinkServiceNetworkPoliciesStatus')]"
},
"type": "Microsoft.Network/virtualNetworks/subnets"
}
]
}
}
],
"outputs": {
"id": {
"value": "[resourceId('Microsoft.Network/virtualNetworks',parameters('name'))]",
"type": "string"
},
"dnsSubnetId": {
"value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), 'dns')]",
"type": "string"
}
}
}
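Review bot: this 291-line file differs from vnet.template.json only in the ddosProtectionPlan block and the enableDdosProtection value, so every future subnet, NSG or service-endpoint change has to be made twice and the two copies will drift silently. A single template with an additional boolean parameter (say `enable_ddos`) and an expression on the property, along the lines of `"ddosProtectionPlan": "[if(parameters('enable_ddos'), createObject('id', parameters('ddos_plan_id')), json('null'))]"` and `"enableDdosProtection": "[parameters('enable_ddos')]"`, removes the duplication and lets network.tf drop the two-path `arm_file_path` local. If the separate file is kept, give `ddos_plan_id` a `"minLength": 1` so an accidentally empty ID fails at template validation with a clear message rather than at resource creation.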
6 changes: 3 additions & 3 deletions infra/core/network/network/network.tf
@@ -1,5 +1,5 @@
locals {
arm_file_path = "arm_templates/network/vnet.template.json"
arm_file_path = var.enabledDDOSProtectionPlan ? "arm_templates/network/vnet_w_ddos.template.json" : "arm_templates/network/vnet.template.json"
}

# Create the Bing Search instance via ARM Template
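Review bot: the comment directly below the locals block, "Create the Bing Search instance via ARM Template", describes the wrong resource for a file that deploys the VNet; since this hunk already touches the adjacent line, correct it here. On the new local itself, choosing between two whole templates on a boolean doubles the ARM surface to maintain (see the new vnet_w_ddos.template.json in this PR); a single template that receives the flag as a parameter would keep `arm_file_path` a constant.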
Expand All @@ -20,7 +20,7 @@ resource "azurerm_network_security_group" "nsg" {

//Create the DDoS plan
resource "azurerm_network_ddos_protection_plan" "ddos" {
count = var.ddos_plan_id == "" ? 1 : 0
count = var.enabledDDOSProtectionPlan ? var.ddos_plan_id == "" ? 1 : 0 : 0
name = var.ddos_name
resource_group_name = var.resourceGroupName
location = var.location
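Review bot: `count = var.enabledDDOSProtectionPlan ? var.ddos_plan_id == "" ? 1 : 0 : 0` nests two conditionals without parentheses; `count = var.enabledDDOSProtectionPlan && var.ddos_plan_id == "" ? 1 : 0` expresses the same rule and reads at a glance. Note the operational consequence of the new condition as well: on an existing secure-mode deployment where this module created the plan (count was 1), setting the flag to false makes count 0, so the next apply destroys the DDoS protection plan and redeploys the VNet from the template without the plan association. That is presumably the intended effect, but it belongs in the documentation changed by this PR so that an operator flipping the flag is not surprised by a plan being deleted.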
Expand All @@ -33,7 +33,7 @@ resource "azurerm_resource_group_template_deployment" "vnet_w_subnets" {
"name" = { value = "${var.vnet_name}" },
"location" = { value = "${var.location}" },
"tags" = { value = var.tags },
"ddos_plan_id" = { value = "${var.ddos_plan_id == "" ? azurerm_network_ddos_protection_plan.ddos[0].id : var.ddos_plan_id}" },
"ddos_plan_id" = { value = "${var.enabledDDOSProtectionPlan ? var.ddos_plan_id == "" ? azurerm_network_ddos_protection_plan.ddos[0].id : var.ddos_plan_id : ""}" },
"nsg_name" = { value = "${azurerm_network_security_group.nsg.name}" },
"vnet_CIDR" = { value = "${var.vnetIpAddressCIDR}" },
"subnet_AzureMonitor_CIDR" = { value = "${var.snetAzureMonitorCIDR}" },
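Review bot: the `ddos_plan_id` value repeats the same nested conditional that output.tf's `ddos_plan_id` output uses; compute it once in the locals block, for example `effective_ddos_plan_id = var.enabledDDOSProtectionPlan ? (var.ddos_plan_id == "" ? azurerm_network_ddos_protection_plan.ddos[0].id : var.ddos_plan_id) : ""`, and reference the local in both places so the two cannot drift. The `"${...}"` wrapping around an expression that is already a string is unnecessary since Terraform 0.12 and Terraform warns about interpolation-only expressions. Also, when the flag is false an empty string is still passed as `ddos_plan_id` to vnet.template.json, whose only use of that parameter this PR removes, so please confirm the parameter stays declared there or the deployment will reject the unknown parameter.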
2 changes: 1 addition & 1 deletion infra/core/network/network/output.tf
Expand Up @@ -84,7 +84,7 @@ output "snetAzureOpenAI_name" {
}

output "ddos_plan_id" {
value = var.ddos_plan_id == "" ? azurerm_network_ddos_protection_plan.ddos[0].id : var.ddos_plan_id
value = var.enabledDDOSProtectionPlan ? var.ddos_plan_id == "" ? azurerm_network_ddos_protection_plan.ddos[0].id : var.ddos_plan_id : ""
}

output "dns_private_resolver_ip" {
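Review bot: the output now yields "" when DDoS protection is disabled, so any consumer of the module's `ddos_plan_id` output must tolerate an empty string instead of a resource ID, and nothing in this PR shows those callers being updated; please check them. Same remark as for network.tf: read the value from one shared local so the output and the template parameter always agree.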
4 changes: 4 additions & 0 deletions infra/core/network/network/variables.tf
Expand Up @@ -100,4 +100,8 @@ variable "arm_template_schema_mgmt_api" {

variable "azure_environment" {
type = string
}

variable "enabledDDOSProtectionPlan" {
type = bool
}
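Review bot: the new variable has no `description` and no `default`, even though the documentation in this PR says the setting defaults to false; add `default = false` and a description so a caller that omits it gets the documented behaviour instead of a "No value for required variable" error. The name `enabledDDOSProtectionPlan` also differs from the environment variable it mirrors, ENABLE_DDOS_PROTECTION_PLAN ("enabled" versus "enable"); aligning the two makes it easier to trace the setting from local.env through to the Terraform.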