feat: add option to deploy with enhanced security (closes #34) (#91)

* chore: update deps

* refactor: migrate from deprecated package

* chore: update azd templates

* feat: enable app insights

* chore: update infra

* feat: add infra vnet option

* fix: upload url when vnet is enabled

* docs: update dependencies

* chore: update xo

* refactor: migrate to the new ollama package

* docs: add enhance security docs (#34)

* chore: update lockfile

* fix: container for deployment

* fix: dependency conflict

* chore: update packages

* fix: bicep when using vnet

* chore: clean up

* chore: update chat protocol

* docs: typo

* chore: clean up

* chore: force ftps state in infra

* docs: update enhance security doc

README.md

@@ -136,6 +136,10 @@ The deployment process will take a few minutes. Once it's done, you'll see the U
 
 You can now open the web app in your browser and start chatting with the bot.
 
+##### Enhance security
+
+When deploying the sample in an enterprise context, you may want to enforce tighter security restrictions to protect your data and resources. See the [enhance security](./docs/enhance-security.md) guide for more information.
+
 #### Clean up
 
 To clean up all the Azure resources created by this sample:

azure.yaml

@@ -35,7 +35,7 @@ hooks:
   postup:
     windows:
       shell: pwsh
-      run: node scripts/upload-documents.js "$env:API_URL"
+      run: node scripts/upload-documents.js "$env:UPLOAD_URL"
     posix:
       shell: sh
-      run: node scripts/upload-documents.js "$API_URL"
+      run: node scripts/upload-documents.js "$UPLOAD_URL"

docs/enhance-security.md

@@ -0,0 +1,28 @@
+# Enhance security
+
+To achieve enterprise grade security we've ensured you can leverage the features below through an opt-in flag:
+
+- **Deploy in a [virtual network](https://learn.microsoft.com/azure/virtual-network/virtual-networks-overview)**, to restrict access to the resources including the Azure Functions API and the Azure Storage where the documents are stored.
+
+- **Leverage [Azure Entra managed identity](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)** to disable all local authentication methods (ie API keys) and rely [Role-based Access Control (RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview).
+
+You can enable these features when deploying this sample by following these steps:
+
+1. Create a new environment for your deployment (you cannot update an existing one):
+   ```bash
+   azd env create my-secure-env
+   ```
+2. Enable the virtual network feature and disable local authentication:
+   ```bash
+   azd env set USE_VNET true
+   ```
+3. Deploy the sample to the new environment:
+   ```bash
+   azd up
+   ```
+
+Note that enabling virtual network will induce additional costs, as it requires the deployment of extra resources and needs to switch to paid plans for the Azure Functions and Azure Static Web App.
+
+> [!IMPORTANT]
+> When VNET is enabled, you will lose the ability to run the sample locally while connected to Azure resources.
+> You can always fall back to using a local AI model and database for development purposes, by deleting the `api/.env` file

infra/abbreviations.json

@@ -1,136 +1,137 @@
 {
-  "analysisServicesServers": "as",
-  "apiManagementService": "apim-",
-  "appConfigurationConfigurationStores": "appcs-",
-  "appManagedEnvironments": "cae-",
-  "appContainerApps": "ca-",
-  "authorizationPolicyDefinitions": "policy-",
-  "automationAutomationAccounts": "aa-",
-  "blueprintBlueprints": "bp-",
-  "blueprintBlueprintsArtifacts": "bpa-",
-  "cacheRedis": "redis-",
-  "cdnProfiles": "cdnp-",
-  "cdnProfilesEndpoints": "cdne-",
-  "cognitiveServicesAccounts": "cog-",
-  "cognitiveServicesFormRecognizer": "cog-fr-",
-  "cognitiveServicesTextAnalytics": "cog-ta-",
-  "computeAvailabilitySets": "avail-",
-  "computeCloudServices": "cld-",
-  "computeDiskEncryptionSets": "des",
-  "computeDisks": "disk",
-  "computeDisksOs": "osdisk",
-  "computeGalleries": "gal",
-  "computeSnapshots": "snap-",
-  "computeVirtualMachines": "vm",
-  "computeVirtualMachineScaleSets": "vmss-",
-  "containerInstanceContainerGroups": "ci",
-  "containerRegistryRegistries": "cr",
-  "containerServiceManagedClusters": "aks-",
-  "databricksWorkspaces": "dbw-",
-  "dataFactoryFactories": "adf-",
-  "dataLakeAnalyticsAccounts": "dla",
-  "dataLakeStoreAccounts": "dls",
-  "dataMigrationServices": "dms-",
-  "dBforMySQLServers": "mysql-",
-  "dBforPostgreSQLServers": "psql-",
-  "devicesIotHubs": "iot-",
-  "devicesProvisioningServices": "provs-",
-  "devicesProvisioningServicesCertificates": "pcert-",
-  "documentDBDatabaseAccounts": "cosmos-",
-  "eventGridDomains": "evgd-",
-  "eventGridDomainsTopics": "evgt-",
-  "eventGridEventSubscriptions": "evgs-",
-  "eventHubNamespaces": "evhns-",
-  "eventHubNamespacesEventHubs": "evh-",
-  "hdInsightClustersHadoop": "hadoop-",
-  "hdInsightClustersHbase": "hbase-",
-  "hdInsightClustersKafka": "kafka-",
-  "hdInsightClustersMl": "mls-",
-  "hdInsightClustersSpark": "spark-",
-  "hdInsightClustersStorm": "storm-",
-  "hybridComputeMachines": "arcs-",
-  "insightsActionGroups": "ag-",
-  "insightsComponents": "appi-",
-  "keyVaultVaults": "kv-",
-  "kubernetesConnectedClusters": "arck",
-  "kustoClusters": "dec",
-  "kustoClustersDatabases": "dedb",
-  "loadTesting": "lt-",
-  "logicIntegrationAccounts": "ia-",
-  "logicWorkflows": "logic-",
-  "machineLearningServicesWorkspaces": "mlw-",
-  "managedIdentityUserAssignedIdentities": "id-",
-  "managementManagementGroups": "mg-",
-  "migrateAssessmentProjects": "migr-",
-  "networkApplicationGateways": "agw-",
-  "networkApplicationSecurityGroups": "asg-",
-  "networkAzureFirewalls": "afw-",
-  "networkBastionHosts": "bas-",
-  "networkConnections": "con-",
-  "networkDnsZones": "dnsz-",
-  "networkExpressRouteCircuits": "erc-",
-  "networkFirewallPolicies": "afwp-",
-  "networkFirewallPoliciesWebApplication": "waf",
-  "networkFirewallPoliciesRuleGroups": "wafrg",
-  "networkFrontDoors": "fd-",
-  "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-",
-  "networkLoadBalancersExternal": "lbe-",
-  "networkLoadBalancersInternal": "lbi-",
-  "networkLoadBalancersInboundNatRules": "rule-",
-  "networkLocalNetworkGateways": "lgw-",
-  "networkNatGateways": "ng-",
-  "networkNetworkInterfaces": "nic-",
-  "networkNetworkSecurityGroups": "nsg-",
-  "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
-  "networkNetworkWatchers": "nw-",
-  "networkPrivateDnsZones": "pdnsz-",
-  "networkPrivateLinkServices": "pl-",
-  "networkPublicIPAddresses": "pip-",
-  "networkPublicIPPrefixes": "ippre-",
-  "networkRouteFilters": "rf-",
-  "networkRouteTables": "rt-",
-  "networkRouteTablesRoutes": "udr-",
-  "networkTrafficManagerProfiles": "traf-",
-  "networkVirtualNetworkGateways": "vgw-",
-  "networkVirtualNetworks": "vnet-",
-  "networkVirtualNetworksSubnets": "snet-",
-  "networkVirtualNetworksVirtualNetworkPeerings": "peer-",
-  "networkVirtualWans": "vwan-",
-  "networkVpnGateways": "vpng-",
-  "networkVpnGatewaysVpnConnections": "vcn-",
-  "networkVpnGatewaysVpnSites": "vst-",
-  "notificationHubsNamespaces": "ntfns-",
-  "notificationHubsNamespacesNotificationHubs": "ntf-",
-  "operationalInsightsWorkspaces": "log-",
-  "portalDashboards": "dash-",
-  "powerBIDedicatedCapacities": "pbi-",
-  "purviewAccounts": "pview-",
-  "recoveryServicesVaults": "rsv-",
-  "resourcesResourceGroups": "rg-",
-  "searchSearchServices": "srch-",
-  "serviceBusNamespaces": "sb-",
-  "serviceBusNamespacesQueues": "sbq-",
-  "serviceBusNamespacesTopics": "sbt-",
-  "serviceEndPointPolicies": "se-",
-  "serviceFabricClusters": "sf-",
-  "signalRServiceSignalR": "sigr",
-  "sqlManagedInstances": "sqlmi-",
-  "sqlServers": "sql-",
-  "sqlServersDataWarehouse": "sqldw-",
-  "sqlServersDatabases": "sqldb-",
-  "sqlServersDatabasesStretch": "sqlstrdb-",
-  "storageStorageAccounts": "st",
-  "storageStorageAccountsVm": "stvm",
-  "storSimpleManagers": "ssimp",
-  "streamAnalyticsCluster": "asa-",
-  "synapseWorkspaces": "syn",
-  "synapseWorkspacesAnalyticsWorkspaces": "synw",
-  "synapseWorkspacesSqlPoolsDedicated": "syndp",
-  "synapseWorkspacesSqlPoolsSpark": "synsp",
-  "timeSeriesInsightsEnvironments": "tsi-",
-  "webServerFarms": "plan-",
-  "webSitesAppService": "app-",
-  "webSitesAppServiceEnvironment": "ase-",
-  "webSitesFunctions": "func-",
-  "webStaticSites": "stapp-"
+    "analysisServicesServers": "as",
+    "apiManagementService": "apim-",
+    "appConfigurationStores": "appcs-",
+    "appManagedEnvironments": "cae-",
+    "appContainerApps": "ca-",
+    "authorizationPolicyDefinitions": "policy-",
+    "automationAutomationAccounts": "aa-",
+    "blueprintBlueprints": "bp-",
+    "blueprintBlueprintsArtifacts": "bpa-",
+    "cacheRedis": "redis-",
+    "cdnProfiles": "cdnp-",
+    "cdnProfilesEndpoints": "cdne-",
+    "cognitiveServicesAccounts": "cog-",
+    "cognitiveServicesFormRecognizer": "cog-fr-",
+    "cognitiveServicesTextAnalytics": "cog-ta-",
+    "cognitiveServicesSpeech": "cog-sp-",
+    "computeAvailabilitySets": "avail-",
+    "computeCloudServices": "cld-",
+    "computeDiskEncryptionSets": "des",
+    "computeDisks": "disk",
+    "computeDisksOs": "osdisk",
+    "computeGalleries": "gal",
+    "computeSnapshots": "snap-",
+    "computeVirtualMachines": "vm",
+    "computeVirtualMachineScaleSets": "vmss-",
+    "containerInstanceContainerGroups": "ci",
+    "containerRegistryRegistries": "cr",
+    "containerServiceManagedClusters": "aks-",
+    "databricksWorkspaces": "dbw-",
+    "dataFactoryFactories": "adf-",
+    "dataLakeAnalyticsAccounts": "dla",
+    "dataLakeStoreAccounts": "dls",
+    "dataMigrationServices": "dms-",
+    "dBforMySQLServers": "mysql-",
+    "dBforPostgreSQLServers": "psql-",
+    "devicesIotHubs": "iot-",
+    "devicesProvisioningServices": "provs-",
+    "devicesProvisioningServicesCertificates": "pcert-",
+    "documentDBDatabaseAccounts": "cosmos-",
+    "eventGridDomains": "evgd-",
+    "eventGridDomainsTopics": "evgt-",
+    "eventGridEventSubscriptions": "evgs-",
+    "eventHubNamespaces": "evhns-",
+    "eventHubNamespacesEventHubs": "evh-",
+    "hdInsightClustersHadoop": "hadoop-",
+    "hdInsightClustersHbase": "hbase-",
+    "hdInsightClustersKafka": "kafka-",
+    "hdInsightClustersMl": "mls-",
+    "hdInsightClustersSpark": "spark-",
+    "hdInsightClustersStorm": "storm-",
+    "hybridComputeMachines": "arcs-",
+    "insightsActionGroups": "ag-",
+    "insightsComponents": "appi-",
+    "keyVaultVaults": "kv-",
+    "kubernetesConnectedClusters": "arck",
+    "kustoClusters": "dec",
+    "kustoClustersDatabases": "dedb",
+    "loadTesting": "lt-",
+    "logicIntegrationAccounts": "ia-",
+    "logicWorkflows": "logic-",
+    "machineLearningServicesWorkspaces": "mlw-",
+    "managedIdentityUserAssignedIdentities": "id-",
+    "managementManagementGroups": "mg-",
+    "migrateAssessmentProjects": "migr-",
+    "networkApplicationGateways": "agw-",
+    "networkApplicationSecurityGroups": "asg-",
+    "networkAzureFirewalls": "afw-",
+    "networkBastionHosts": "bas-",
+    "networkConnections": "con-",
+    "networkDnsZones": "dnsz-",
+    "networkExpressRouteCircuits": "erc-",
+    "networkFirewallPolicies": "afwp-",
+    "networkFirewallPoliciesWebApplication": "waf",
+    "networkFirewallPoliciesRuleGroups": "wafrg",
+    "networkFrontDoors": "fd-",
+    "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-",
+    "networkLoadBalancersExternal": "lbe-",
+    "networkLoadBalancersInternal": "lbi-",
+    "networkLoadBalancersInboundNatRules": "rule-",
+    "networkLocalNetworkGateways": "lgw-",
+    "networkNatGateways": "ng-",
+    "networkNetworkInterfaces": "nic-",
+    "networkNetworkSecurityGroups": "nsg-",
+    "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
+    "networkNetworkWatchers": "nw-",
+    "networkPrivateDnsZones": "pdnsz-",
+    "networkPrivateLinkServices": "pl-",
+    "networkPublicIPAddresses": "pip-",
+    "networkPublicIPPrefixes": "ippre-",
+    "networkRouteFilters": "rf-",
+    "networkRouteTables": "rt-",
+    "networkRouteTablesRoutes": "udr-",
+    "networkTrafficManagerProfiles": "traf-",
+    "networkVirtualNetworkGateways": "vgw-",
+    "networkVirtualNetworks": "vnet-",
+    "networkVirtualNetworksSubnets": "snet-",
+    "networkVirtualNetworksVirtualNetworkPeerings": "peer-",
+    "networkVirtualWans": "vwan-",
+    "networkVpnGateways": "vpng-",
+    "networkVpnGatewaysVpnConnections": "vcn-",
+    "networkVpnGatewaysVpnSites": "vst-",
+    "notificationHubsNamespaces": "ntfns-",
+    "notificationHubsNamespacesNotificationHubs": "ntf-",
+    "operationalInsightsWorkspaces": "log-",
+    "portalDashboards": "dash-",
+    "powerBIDedicatedCapacities": "pbi-",
+    "purviewAccounts": "pview-",
+    "recoveryServicesVaults": "rsv-",
+    "resourcesResourceGroups": "rg-",
+    "searchSearchServices": "srch-",
+    "serviceBusNamespaces": "sb-",
+    "serviceBusNamespacesQueues": "sbq-",
+    "serviceBusNamespacesTopics": "sbt-",
+    "serviceEndPointPolicies": "se-",
+    "serviceFabricClusters": "sf-",
+    "signalRServiceSignalR": "sigr",
+    "sqlManagedInstances": "sqlmi-",
+    "sqlServers": "sql-",
+    "sqlServersDataWarehouse": "sqldw-",
+    "sqlServersDatabases": "sqldb-",
+    "sqlServersDatabasesStretch": "sqlstrdb-",
+    "storageStorageAccounts": "st",
+    "storageStorageAccountsVm": "stvm",
+    "storSimpleManagers": "ssimp",
+    "streamAnalyticsCluster": "asa-",
+    "synapseWorkspaces": "syn",
+    "synapseWorkspacesAnalyticsWorkspaces": "synw",
+    "synapseWorkspacesSqlPoolsDedicated": "syndp",
+    "synapseWorkspacesSqlPoolsSpark": "synsp",
+    "timeSeriesInsightsEnvironments": "tsi-",
+    "webServerFarms": "plan-",
+    "webSitesAppService": "app-",
+    "webSitesAppServiceEnvironment": "ase-",
+    "webSitesFunctions": "func-",
+    "webStaticSites": "stapp-"
 }

infra/app/api.bicep

@@ -0,0 +1,67 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param appServicePlanId string
+param storageAccountName string
+param virtualNetworkSubnetId string
+param applicationInsightsName string
+param allowedOrigins array
+param appSettings object
+param staticWebAppName string = ''
+
+var useVnet = !empty(virtualNetworkSubnetId)
+var finalApi = useVnet ? apiFlex : api
+
+module apiFlex '../core/host/functions-flex.bicep' = if (useVnet) {
+  name: 'api-flex'
+  scope: resourceGroup()
+  params: {
+    name: name
+    location: location
+    tags: tags
+    allowedOrigins: allowedOrigins
+    alwaysOn: false
+    runtimeName: 'node'
+    runtimeVersion: '20'
+    appServicePlanId: appServicePlanId
+    storageAccountName: storageAccountName
+    applicationInsightsName: applicationInsightsName
+    virtualNetworkSubnetId: virtualNetworkSubnetId
+    appSettings: appSettings
+  }
+}
+
+module api '../core/host/functions.bicep' = if (!useVnet) {
+  name: 'api'
+  scope: resourceGroup()
+  params: {
+    name: name
+    location: location
+    tags: tags
+    allowedOrigins: allowedOrigins
+    alwaysOn: false
+    runtimeName: 'node'
+    runtimeVersion: '20'
+    appServicePlanId: appServicePlanId
+    storageAccountName: storageAccountName
+    applicationInsightsName: applicationInsightsName
+    managedIdentity: true
+    appSettings: appSettings
+  }
+}
+
+// Link the Function App to the Static Web App
+module linkedBackend './linked-backend.bicep' = if (useVnet) {
+  name: 'linkedbackend'
+  scope: resourceGroup()
+  params: {
+    staticWebAppName: staticWebAppName
+    backendResourceId: finalApi.outputs.id
+    backendLocation: location
+  }
+}
+
+output identityPrincipalId string = finalApi.outputs.identityPrincipalId
+output name string = finalApi.outputs.name
+output uri string = finalApi.outputs.uri