[Modules] Congnitive Services: Set secure defaults (#1483)

* Fixed readme

* Flipped image build deployment

* Undid param change

* Implemented --no-restore for workaround

* Regenerated readme

* Draft for cognitive services cmk

* Removed CMK implementation as its currently not fully working & Set secure defaults

* Added encryption test

* Added docs

* Updated readme

* Updated metadata

* Shuffle

* Minor update

* Minor update

* Update arm/Microsoft.CognitiveServices/accounts/readme.md

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>

* Update arm/Microsoft.CognitiveServices/accounts/deploy.bicep

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>

* Adjusted network access default

* Update to latest

* Updated readme

* Updated param

* Adjusted default

* Minor fix

* Updated readme

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>

Author: AlexanderSehr

.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml

@@ -47,6 +47,8 @@ stages:
           deploymentBlocks:
             - path: $(modulePath)/.parameters/parameters.json
             - path: $(modulePath)/.parameters/speech.parameters.json
+            - path: $(modulePath)/.parameters/encr.parameters.json
+            - path: $(modulePath)/.parameters/min.parameters.json
 
   - stage: Publishing
     displayName: Publishing

arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json

@@ -0,0 +1,34 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "name": {
+            "value": "<<namePrefix>>-az-cgs-encr-001"
+        },
+        "kind": {
+            "value": "SpeechServices"
+        },
+        "sku": {
+            "value": "S0"
+        },
+        "userAssignedIdentities": {
+            "value": {
+                "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
+            }
+        },
+        "publicNetworkAccess": {
+            "value": "Enabled"
+        },
+        "encryption": {
+            "value": {
+                "keySource": "Microsoft.KeyVault",
+                "keyVaultProperties": {
+                    "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity
+                    "keyVaultUri": "https://adp-<<namePrefix>>-az-kv-nopr-002.vault.azure.net/",
+                    "keyName": "keyEncryptionKey",
+                    "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // Version must be updated for new keys
+                }
+            }
+        }
+    }
+}

arm/Microsoft.CognitiveServices/accounts/.parameters/min.parameters.json

@@ -0,0 +1,12 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "name": {
+            "value": "<<namePrefix>>-az-cgs-min-001"
+        },
+        "kind": {
+            "value": "SpeechServices"
+        }
+    }
+}

arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json

@@ -12,7 +12,7 @@
             "value": "Face"
         },
         "sku": {
-            "value": "F0"
+            "value": "S0"
         },
         "roleAssignments": {
             "value": [
@@ -24,6 +24,20 @@
                 }
             ]
         },
+        "networkAcls": {
+            "value": {
+                "defaultAction": "deny",
+                "virtualNetworkRules": [
+                    {
+                        "id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001",
+                        "action": "Allow"
+                    }
+                ]
+            }
+        },
+        "customSubDomainName": {
+            "value": "<<namePrefix>>xdomain"
+        },
         "systemAssignedIdentity": {
             "value": true
         },

arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json

@@ -9,7 +9,7 @@
             "value": "SpeechServices"
         },
         "sku": {
-            "value": "F0"
+            "value": "S0"
         },
         "systemAssignedIdentity": {
             "value": true
@@ -20,7 +20,7 @@
             }
         },
         "customSubDomainName": {
-            "value": "<<namePrefix>>domain"
+            "value": "<<namePrefix>>speechdomain"
         },
         "privateEndpoints": {
             "value": [

arm/Microsoft.CognitiveServices/accounts/deploy.bicep

@@ -1,7 +1,7 @@
 @description('Required. The name of Cognitive Services account.')
 param name string
 
-@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.')
+@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
 @allowed([
   'AnomalyDetector'
   'Bing.Autosuggest.v7'
@@ -28,7 +28,7 @@ param name string
 ])
 param kind string
 
-@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.')
+@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
 @allowed([
   'C2'
   'C3'
@@ -70,23 +70,24 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.')
+@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' or \'privateEndpoints\' are set.')
 param customSubDomainName string = ''
 
 @description('Optional. Whether or not public endpoint access is allowed for this account.')
 @allowed([
+  ''
   'Enabled'
   'Disabled'
 ])
-param publicNetworkAccess string = 'Enabled'
+param publicNetworkAccess string = ''
 
 @description('Optional. Service endpoint object information.')
 param networkAcls object = {}
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
 
-@description('Optional. The ID(s) to assign to the resource.')
+@description('Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
 param userAssignedIdentities object = {}
 
 @allowed([
@@ -112,8 +113,8 @@ param allowedFqdnList array = []
 @description('Optional. The API properties for special APIs.')
 param apiProperties object = {}
 
-@description('Optional. Allow only Azure AD authentication.')
-param disableLocalAuth bool = false
+@description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.')
+param disableLocalAuth bool = true
 
 @description('Optional. Properties to configure encryption.')
 param encryption object = {}
@@ -182,12 +183,6 @@ var identity = identityType != 'None' ? {
   userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
-var networkAcls_var = {
-  defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null
-  virtualNetworkRules: !empty(networkAcls) ? ((length(networkAcls.virtualNetworkRules) == 0) ? [] : networkAcls.virtualNetworkRules) : null
-  ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) == 0) ? [] : networkAcls.ipRules) : null
-}
-
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
@@ -211,8 +206,8 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = {
   }
   properties: {
     customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null
-    networkAcls: !empty(networkAcls) ? networkAcls_var : null
-    publicNetworkAccess: publicNetworkAccess
+    networkAcls: networkAcls
+    publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
     allowedFqdnList: allowedFqdnList
     apiProperties: apiProperties
     disableLocalAuth: disableLocalAuth