diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index f1ce85845e..79e2ac726c 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -11,6 +11,37 @@
 "allowBlobPublicAccess": {
 "value": false
 },
+ "requireInfrastructureEncryption": {
+ "value": true
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+ "service": "blob"
+ },
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+ "service": "table"
+ },
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+ "service": "queue"
+ },
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints",
+ "service": "file"
+ }
+ ]
+ },
+ "networkAcls": {
+ "value": {
+ "bypass": "AzureServices",
+ "defaultAction": "Deny",
+ "virtualNetworkRules": [],
+ "ipRules": []
+ }
+ },
 "blobServices": {
 "value": {
 "diagnosticLogsRetentionInDays": 7,
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index f689827bd1..3ce34035dd 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
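Review bot: The `networkAcls` value added in this hunk sets `defaultAction` to `Deny` with empty `ipRules` and `virtualNetworkRules`, so once deployed the validation account is reachable only through the four private endpoints and whatever the `AzureServices` bypass admits. Any pipeline step that touches this account over its public endpoint (data-plane checks, content upload, cleanup) would now be refused, so it is worth confirming the validation run still completes end to end with these values. JSON cannot carry a comment, so I would record the intent in the module readme with one sentence along the lines of: the validation parameters deliberately deploy with a Deny default action and private endpoints only, so public-endpoint access to the test account is expected to fail.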
@@ -50,15 +50,18 @@ param azureFilesIdentityBasedAuthentication object = {}
 @description('Optional. Virtual Network Identifier used to create a service endpoint.')
 param vNetId string = ''
-@description('Optional. Configuration Details for private endpoints.')
+@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible')
 param privateEndpoints array = []
 @description('Optional. The Storage Account ManagementPolicies Rules.')
 param managementPolicyRules array = []
-@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information.')
+@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny')
 param networkAcls object = {}
+@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
+param requireInfrastructureEncryption bool = true
+
 @description('Optional. Blob service and containers to deploy')
 param blobServices object = {}
@@ -71,8 +74,8 @@ param queueServices object = {}
 @description('Optional. Table service and tables to create.')
 param tableServices object = {}
-@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account.')
-param allowBlobPublicAccess bool = true
+@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false.')
+param allowBlobPublicAccess bool = false
 @allowed([
 'TLS1_0'
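Review bot: The new `requireInfrastructureEncryption` parameter defaults to `true` and, through the `saBaseProperties` hunk later in this commit, is now always emitted in the account properties; as far as I recall, Azure accepts this property only at account creation, so redeploying this module over an account that was created before this change may be rejected rather than silently left as-is. If that is the case the description should say so, for example `@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. Can only be set when the account is created; pass false when redeploying an account created without it. For security reasons, it is recommended to set it to true.')`. The readme row added for this parameter in the same commit also lists its type as `boolean` where every other row uses `bool`.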
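Review bot: Changing the default of `allowBlobPublicAccess` from `true` to `false` is a behaviour change for every consumer that never set the parameter: their next redeployment disables anonymous blob access, and any client relying on it stops working. The direction is right, but it should be flagged as a breaking default change in the commit description and readme rather than presented only as a recommendation; the description could state it directly, e.g. `@description('Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. Defaults to false; set to true explicitly only if anonymous read access is required.')`.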
@@ -166,6 +169,7 @@ var saBaseProperties = {
 minimumTlsVersion: minimumTlsVersion
 networkAcls: (empty(networkAcls) ? null : networkAcls_var)
 allowBlobPublicAccess: allowBlobPublicAccess
+ requireInfrastructureEncryption: requireInfrastructureEncryption
 }
 var saOptIdBasedAuthProperties = {
 azureFilesIdentityBasedAuthentication: azureFilesIdentityBasedAuthentication_var
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
index 13693b0fe7..c70b2d57f4 100644
--- a/arm/Microsoft.Storage/storageAccounts/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
@@ -27,7 +27,8 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `allowBlobPublicAccess` | bool | `True` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. |
+| `allowBlobPublicAccess` | bool | `False` | | Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. |
+| `requireInfrastructureEncryption` | boolean | `True` | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Optional. Provides the identity based authentication settings for Azure Files. |
 | `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Optional. Blob service and containers to deploy |