patch (iac): [secure-hybrid-network] batch code quality fixes

solutions/secure-hybrid-network/README.md

@@ -57,17 +57,18 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east
 
 | Parameter | Type | Description | Default and properties |
 |---|---|---|--|
-| mocOnPremResourceGroup | string | The name of the moc on-prem resource group. | null |
+| mocOnPremResourceGroup | string | The name of the mock on-prem resource group. | null |
 | azureNetworkResourceGroup | string | The name of the Azure network resource group. | null |
-| adminUserName | string | The admin user name for the Azure SQL instance. | null |
-| adminPassword | securestring | The admin password for the Azure SQL instance. | null |
+| adminUserName | string | The admin user name for the virtual machines. | null |
+| adminPassword | securestring | The admin password for the virtual machines. | null |
+| sharedKey | securestring | The shared key used for VPN site-to-site connections. | null |
 
 **nestedtemplates/azure-network-azuredeploy.bicep**
 
 | Parameter | Type | Description | Default and properties |
 |---|---|---|--|
-| adminUserName | string | The admin user name for the Azure SQL instance. | null |
-| adminPassword | securestring | The admin password for the Azure SQL instance. | null |
+| adminUserName | string | The admin user name for the virtual machines. | azureadmin |
+| adminPassword | securestring | The admin password for the virtual machines. | null |
 | windowsVMCount | int | The number of load-balanced virtual machines running IIS. | 2 |
 | vmSize | string | Size of the load-balanced virtual machines. | Standard_A4_v2 |
 | configureSitetosite | bool | Condition for configuring a site-to-site VPN connection. | true |
@@ -78,7 +79,7 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east
 | azureFirewall | object | Object representing the configuration of the Azure Firewall. | name, subnetName, subnetPrefix, publicIPAddressName |
 | spokeRoutes | object | Object representing user-defined routes for the spoke subnet. | tableName, routeNameFirewall |
 | gatewayRoutes | object | Object representing user-defined routes for the gateway network. | tableName, routeNameFirewall |
-| internalLoadBalancer | object | Object representing the configuration of the application load balancer. | name, backendName, fontendName, probeName |
+| internalLoadBalancer | object | Object representing the configuration of the application load balancer. | name, backendName, frontendName, probeName |
 | location | string | Location to be used for all resources. | rg location |
 
 **nestedtemplates/azure-network-local-gateway.bicep**
@@ -87,33 +88,35 @@ az deployment group create -n firewallDnat -g rg-site-to-site-azure-network-east
 |---|---|---|--|
 | connectionName | string | Name of the Azure connection resource. | hub-to-mock-prem |
 | gatewayIpAddress | string | Public IP address of the mock on-prem virtual network gateway. | null |
-| azureCloudVnetPrefix | string | Subnet prefix of the management subnet found in the hub network. | null |
+| azureCloudVnetPrefix | string | Address prefix of the hub network. | null |
 | azureNetworkGatewayName | string | Name of the Azure virtual network gateway. | null |
-| localNetworkGatewayName | string |  Name of the Azure local network gateway. | local-gateway-azure-network |
+| localNetworkGatewayName | string | Name of the Azure local network gateway. | local-gateway-azure-network |
+| sharedKey | securestring | The shared key for the VPN connection. | null |
 
 **nestedtemplates/mock-onprem-azuredeploy.bicep**
 
 | Parameter | Type | Description | Default |
 |---|---|---|--|
-| adminUserName | string | The admin user name for the Azure SQL instance. | null |
-| adminPassword | securestring | The admin password for the Azure SQL instance. | null |
+| adminUserName | string | The admin user name for the virtual machine. | azureadmin |
+| adminPassword | securestring | The admin password for the virtual machine. | null |
 | mocOnpremNetwork | object | Object representing the configuration of the mock on-prem network. | name, addressPrefix, mgmt, subnetPrefix |
 | mocOnpremGateway | object | Object representing the configuration of the VPN gateway. | name, subnetName, subnetPrefix, publicIPAddressName |
 | bastionHost | object | Object representing the configuration of the Bastion host. | name, subnetName, subnetPrefix, publicIPAddressName, nsgName |
-| vmSize | string | Size of the load-balanced virtual machines. | Standard_A4_v2 |
+| vmSize | string | Size of the virtual machine. | Standard_A4_v2 |
 | configureSitetosite | bool | Condition for configuring a site-to-site VPN connection. | true |
 | location | string | Location to be used for all resources. | rg location |
 
 **nestedtemplates/mock-onprem-local-gateway.bicep**
 
 | Parameter | Type | Description | Default |
 |---|---|---|--|
-| connectionName | string | Name of the mock on-prem connection resource. | hub-to-mock-prem |
-| azureCloudVnetPrefix | string | Subnet prefix of the management subnet found in the hub network. | hub-to-mock-prem |
-| spokeNetworkAddressPrefix | string | Subnet prefix of the resource subnet found in the spoke network. | hub-to-mock-prem |
+| connectionName | string | Name of the mock on-prem connection resource. | mock-prem-to-hub |
+| azureCloudVnetPrefix | string | Address prefix of the hub network. | null |
+| spokeNetworkAddressPrefix | string | Address prefix of the spoke network. | null |
 | gatewayIpAddress | string | Public IP address of the Azure virtual network gateway. | null |
-| mocOnpremGatewayName | string | Name of the mock on-prem local network gateway.  | null |
+| mocOnpremGatewayName | string | Name of the mock on-prem virtual network gateway. | null |
 | localNetworkGateway | string | Name of the mock on-prem local network gateway. | local-gateway-moc-prem |
+| sharedKey | securestring | The shared key for the VPN connection. | null |
 | location | string | Location to be used for all resources. | rg location |
 
 **nestedtemplates/azure-network-azuredeploy-v2.bicep**

solutions/secure-hybrid-network/azuredeploy.bicep

@@ -15,6 +15,10 @@ param adminUserName string
 @secure()
 param adminPassword string
 
+@description('The shared key used for VPN site-to-site connections.')
+@secure()
+param sharedKey string
+
 @description('Azure Virtual Machines, and supporting services region. This defaults to the resource group\'s location for higher reliability.')
 param location string = deployment().location
 
@@ -57,6 +61,7 @@ module mockOnPremLocalGateway 'nestedtemplates/mock-onprem-local-gateway.bicep'
     azureCloudVnetPrefix: azureNetwork.outputs.mocOnpremNetwork
     spokeNetworkAddressPrefix: azureNetwork.outputs.spokeNetworkAddressPrefix
     mocOnpremGatewayName: onPremMock.outputs.mocOnpremGatewayName
+    sharedKey: sharedKey
   }
 }
 
@@ -67,5 +72,6 @@ module azureNetworkLocalGateway 'nestedtemplates/azure-network-local-gateway.bic
     azureCloudVnetPrefix: onPremMock.outputs.mocOnpremNetworkPrefix
     gatewayIpAddress: onPremMock.outputs.vpnIp
     azureNetworkGatewayName: azureNetwork.outputs.azureGatewayName
+    sharedKey: sharedKey
   }
 }

solutions/secure-hybrid-network/azuredeploy.json

@@ -22,6 +22,12 @@
                 "description": "The admin password for both the Windows and Linux virtual machines."
             }
         },
+        "sharedKey": {
+            "type": "securestring",
+            "metadata": {
+                "description": "The shared key used for VPN site-to-site connections."
+            }
+        },
         "resourceGrouplocation": {
             "type": "string",
             "defaultValue": "eastus"
@@ -129,6 +135,9 @@
                     "mocOnpremGatewayName": {
                         "value": "[reference('onPremMock').outputs.mocOnpremGatewayName.value]"
                     },
+                    "sharedKey": {
+                        "value": "[parameters('sharedKey')]"
+                    },
                     "location": {
                         "value": "[parameters('resourceGrouplocation')]"
                     }
@@ -160,6 +169,9 @@
                     "azureNetworkGatewayName": {
                         "value": "[reference('azureNetwork').outputs.azureGatewayName.value]"
                     },
+                    "sharedKey": {
+                        "value": "[parameters('sharedKey')]"
+                    },
                     "location": {
                         "value": "[parameters('resourceGrouplocation')]"
                     }

solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep

@@ -48,7 +48,7 @@ param gatewayRoutes object = {
 param internalLoadBalancer object = {
   name: 'lb-internal'
   backendName: 'lb-backend'
-  fontendName: 'lb-frontend'
+  frontendName: 'lb-frontend'
   probeName: 'lb-probe'
 }
 param location string = resourceGroup().location
@@ -226,6 +226,7 @@ resource hubNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01' = {
         name: bastionHost.subnetName
         properties: {
           addressPrefix: bastionHost.subnetPrefix
+          defaultOutboundAccess: false
           networkSecurityGroup: {
             id: bastionHost_nsg.id
           }
@@ -579,8 +580,9 @@ resource azureFirewallResource_Microsoft_Insights_default_logAnalyticsWorkspace
   }
 }
 
-resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorkspace 'Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings@2021-05-01-preview' = {
-  name: '${spokeNetwork.subnetNsgName}/Microsoft.Insights/default${logAnalyticsWorkspaceName}'
+resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  scope: spokeNetwork_subnetNsg
+  name: logAnalyticsWorkspaceName
   properties: {
     workspaceId: logAnalyticsWorkspace.id
     logs: [
@@ -594,10 +596,6 @@ resource spokeNetwork_subnetNsgName_Microsoft_Insights_default_logAnalyticsWorks
       }
     ]
   }
-  dependsOn: [
-    spokeNetwork_subnetNsg
-
-  ]
 }
 
 resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-01' = {
@@ -609,7 +607,7 @@ resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-0
   properties: {
     frontendIPConfigurations: [
       {
-        name: internalLoadBalancer.fontendName
+        name: internalLoadBalancer.frontendName
         properties: {
           subnet: {
             id: resourceId('Microsoft.Network/virtualNetworks/subnets', spokeNetworkResource.name, spokeNetwork.subnetName)
@@ -628,7 +626,7 @@ resource internalLoadBalancerResource 'Microsoft.Network/loadBalancers@2024-05-0
         name: internalLoadBalancer.probeName
         properties: {
           frontendIPConfiguration: {
-            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', internalLoadBalancer.name, internalLoadBalancer.fontendName)
+            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', internalLoadBalancer.name, internalLoadBalancer.frontendName)
           }
           frontendPort: 80
           backendPort: 80
@@ -682,7 +680,7 @@ resource gatewayRoutes_tableName_gatewayRoutes_routeNameFirewall 'Microsoft.Netw
   properties: {
     addressPrefix: spokeNetwork.addressPrefix
     nextHopType: 'VirtualAppliance'
-    nextHopIpAddress: reference(azureFirewallResource.id, '2020-05-01').ipConfigurations[0].properties.privateIpAddress
+    nextHopIpAddress: azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress
   }
 }
 
@@ -692,7 +690,7 @@ resource spokeRoutes_tableName_spokeRoutes_routeNameFirewall 'Microsoft.Network/
   properties: {
     addressPrefix: '0.0.0.0/0'
     nextHopType: 'VirtualAppliance'
-    nextHopIpAddress: reference(azureFirewallResource.id, '2020-05-01').ipConfigurations[0].properties.privateIpAddress
+    nextHopIpAddress: azureFirewallResource.properties.ipConfigurations[0].properties.privateIPAddress
   }
 }
 

solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json

@@ -88,7 +88,7 @@
             "defaultValue": {
                 "name": "lb-internal",
                 "backendName": "lb-backend",
-                "fontendName": "lb-frontend",
+                "frontendName": "lb-frontend",
                 "probeName": "lb-probe"
             }
         },
@@ -155,6 +155,7 @@
                         "name": "[parameters('bastionHost').subnetName]",
                         "properties": {
                             "addressPrefix": "[parameters('bastionHost').subnetPrefix]",
+                            "defaultOutboundAccess": false,
                             "networkSecurityGroup": {
                                 "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionHost').nsgName)]"
                             }
@@ -896,7 +897,7 @@
             "properties": {
                 "frontendIPConfigurations": [
                     {
-                        "name": "[parameters('internalLoadBalancer').fontendName]",
+                        "name": "[parameters('internalLoadBalancer').frontendName]",
                         "properties": {
                             "subnet": {
                                 "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('spokeNetwork').name, parameters('spokeNetwork').subnetName)]"
@@ -915,7 +916,7 @@
                         "name": "[parameters('internalLoadBalancer').probeName]",
                         "properties": {
                             "frontendIPConfiguration": {
-                                "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').fontendName)]"
+                                "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('internalLoadBalancer').name, parameters('internalLoadBalancer').frontendName)]"
                             },
                             "frontendPort": 80,
                             "backendPort": 80,

solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.bicep

@@ -3,6 +3,10 @@ param gatewayIpAddress string
 param azureCloudVnetPrefix string
 param azureNetworkGatewayName string
 param localNetworkGatewayName string = 'local-gateway-azure-network'
+
+@secure()
+param sharedKey string
+
 param location string  = resourceGroup().location
 
 resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2024-05-01' = {
@@ -37,7 +41,7 @@ resource connection 'Microsoft.Network/connections@2024-05-01' = {
     connectionType: 'IPsec'
     connectionProtocol: 'IKEv2'
     routingWeight: 100
-    sharedKey: '123secret'
+    sharedKey: sharedKey
     enableBgp: false
     useLocalAzureIpAddress: false
     usePolicyBasedTrafficSelectors: false

solutions/secure-hybrid-network/nestedtemplates/azure-network-local-gateway.json

@@ -19,6 +19,9 @@
             "type": "string",
             "defaultValue": "local-gateway-azure-network"
         },
+        "sharedKey": {
+            "type": "securestring"
+        },
         "location": {
             "type": "string"
         }
@@ -60,7 +63,7 @@
                 "connectionType": "IPsec",
                 "connectionProtocol": "IKEv2",
                 "routingWeight": 100,
-                "sharedKey": "123secret",
+                "sharedKey": "[parameters('sharedKey')]",
                 "enableBgp": false,
                 "useLocalAzureIpAddress": false,
                 "usePolicyBasedTrafficSelectors": false,

solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.bicep

@@ -57,6 +57,7 @@ resource mocOnpremNetworkResource 'Microsoft.Network/virtualNetworks@2024-05-01'
         name: bastionHost.subnetName
         properties: {
           addressPrefix: bastionHost.subnetPrefix
+          defaultOutboundAccess: false
         }
       }
     ]

solutions/secure-hybrid-network/nestedtemplates/mock-onprem-azuredeploy.json

@@ -82,7 +82,8 @@
                     {
                         "name": "[parameters('bastionHost').subnetName]",
                         "properties": {
-                            "addressPrefix": "[parameters('bastionHost').subnetPrefix]"
+                            "addressPrefix": "[parameters('bastionHost').subnetPrefix]",
+                            "defaultOutboundAccess": false
                         }
                     }
                 ]

solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.bicep

@@ -4,6 +4,10 @@ param spokeNetworkAddressPrefix string
 param gatewayIpAddress string
 param mocOnpremGatewayName string
 param localNetworkGateway string = 'local-gateway-moc-prem'
+
+@secure()
+param sharedKey string
+
 param location string  = resourceGroup().location
 
 resource localNetworkGateway_resource 'Microsoft.Network/localNetworkGateways@2024-05-01' = {
@@ -39,7 +43,7 @@ resource connection 'Microsoft.Network/connections@2024-05-01' = {
     connectionType: 'IPsec'
     connectionProtocol: 'IKEv2'
     routingWeight: 100
-    sharedKey: '123secret'
+    sharedKey: sharedKey
     enableBgp: false
     useLocalAzureIpAddress: false
     usePolicyBasedTrafficSelectors: false

solutions/secure-hybrid-network/nestedtemplates/mock-onprem-local-gateway.json

@@ -22,6 +22,9 @@
             "type": "string",
             "defaultValue": "local-gateway-moc-prem"
         },
+        "sharedKey": {
+            "type": "securestring"
+        },
         "location": {
             "type": "string"
         }
@@ -64,7 +67,7 @@
                 "connectionType": "IPsec",
                 "connectionProtocol": "IKEv2",
                 "routingWeight": 100,
-                "sharedKey": "123secret",
+                "sharedKey": "[parameters('sharedKey')]",
                 "enableBgp": false,
                 "useLocalAzureIpAddress": false,
                 "usePolicyBasedTrafficSelectors": false,