diff --git a/code/function/fastapp/core/config.py b/code/function/fastapp/core/config.py
index e77d667..f54f92f 100644
--- a/code/function/fastapp/core/config.py
+++ b/code/function/fastapp/core/config.py
@@ -21,6 +21,7 @@ class Settings(BaseSettings):
 WEBSITE_AUTH_ENCRYPTION_KEY: str = Field(
 default="", alias="WEBSITE_AUTH_ENCRYPTION_KEY"
 )
+ WEBSITE_OS_TYPE: str = Field(default="test", alias="WEBSITE_OS_TYPE")
 MY_SECRET_CONFIG: str = Field(default="", alias="MY_SECRET_CONFIG")
diff --git a/code/function/fastapp/health/validate_request.py b/code/function/fastapp/health/validate_request.py
index 40da0bd..5a6163d 100644
--- a/code/function/fastapp/health/validate_request.py
+++ b/code/function/fastapp/health/validate_request.py
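Review bot: The default `"test"` for `WEBSITE_OS_TYPE` is a sentinel that never matches a real plan `os_type`, and because verify_health_auth_header only enforces the token when the lower-cased value is `windows`, any environment where the variable is unset runs with the health-check header verification silently disabled. Nothing at the declaration tells a maintainer about that coupling; I would document it next to the field, e.g. `# Set by infra from azurerm_service_plan.os_type; any value other than "windows" disables the x-ms-auth-internal-token check in health/validate_request.py`, and consider `default=""` so an unset variable reads as "unknown" rather than a fake OS name. The Settings class continues outside the hunk.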
@@ -4,24 +4,28 @@ from fastapi import Header, HTTPException
 from fastapp.core.config import settings
+from fastapp.utils import setup_logging
+
+logger = setup_logging(__name__)
 async def verify_health_auth_header(
- x_ms_auth_internal_token: Annotated[str, Header()]
+ x_ms_auth_internal_token: Annotated[str | None, Header()] = None
 ) -> bool:
 """Returns true if SHA256 of header_value matches WEBSITE_AUTH_ENCRYPTION_KEY.
+ This only works on Windows-based app services. Therefore, this feature is turned off for other OS types.
 Documentation: https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=python#authentication-and-security
 x_ms_auth_internal_token: Value of the x-ms-auth-internal-token header.
 RETURNS (bool): Specifies whether the header matches.
 """
- website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
- hash = base64.b64encode(
- sha256(website_auth_encryption_key.encode("utf-8")).digest()
- ).decode("utf-8")
- if hash != x_ms_auth_internal_token:
- raise HTTPException(
- status_code=400, detail="x-ms-auth-internal-token is invalid"
- )
- else:
- return True
+ if settings.WEBSITE_OS_TYPE.lower() == "windows":
+ website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
+ hash = base64.b64encode(
+ sha256(website_auth_encryption_key.encode("utf-8")).digest()
+ ).decode("utf-8")
+ if hash != x_ms_auth_internal_token:
+ raise HTTPException(
+ status_code=400, detail="x-ms-auth-internal-token is invalid"
+ )
+ return True
diff --git a/code/infra/function.tf b/code/infra/function.tf
index 37a6542..60eba82 100644
--- a/code/infra/function.tf
+++ b/code/infra/function.tf
@@ -121,6 +121,10 @@ resource "azapi_resource" "function" {
 name = "WEBSITE_CONTENTOVERVNET"
 value = "1"
 },
+ {
+ name = "WEBSITE_OS_TYPE"
+ value = azurerm_service_plan.service_plan.os_type
+ },
 {
 name = "WEBSITE_RUN_FROM_PACKAGE"
 value = "0"
diff --git a/code/infra/logging.tf b/code/infra/logging.tf
index d400a5f..c43f02a 100644
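Review bot: The new gate on `settings.WEBSITE_OS_TYPE.lower() == "windows"` makes the dependency return `True` without looking at the header for every other value, including the unset default, and the `logger` added at the top of the hunk is never used, so a deployment where the check is skipped leaves no trace at all. On the Windows path the re-added lines still compare request input with `!=`, an empty `WEBSITE_AUTH_ENCRYPTION_KEY` still produces a valid expected token (base64 of SHA-256 of the empty string), and the now-optional header can be `None`. I would reject an empty key or missing header explicitly, compare with `hmac.compare_digest` (needs `import hmac` at the top of the module), log a warning whenever the check is bypassed, and rename `hash`, which shadows the builtin; if I recall the linked page correctly it also suggests restricting the health path by network rules or the `HealthCheck/1.0` User-Agent, which is the only protection the non-Windows path would have.
```python
async def verify_health_auth_header(
    x_ms_auth_internal_token: Annotated[str | None, Header()] = None
) -> bool:
    # … unchanged: docstring …
    if settings.WEBSITE_OS_TYPE.lower() != "windows":
        # Per the docstring the header is only available on Windows plans;
        # make the fact that nothing is verified visible rather than silent.
        logger.warning(
            "x-ms-auth-internal-token check skipped for WEBSITE_OS_TYPE=%r",
            settings.WEBSITE_OS_TYPE,
        )
        return True
    key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
    if not key or x_ms_auth_internal_token is None:
        # An empty key would make base64(sha256(b"")) a valid token.
        raise HTTPException(
            status_code=400, detail="x-ms-auth-internal-token is invalid"
        )
    expected = base64.b64encode(sha256(key.encode("utf-8")).digest()).decode("utf-8")
    if not hmac.compare_digest(expected, x_ms_auth_internal_token):
        raise HTTPException(
            status_code=400, detail="x-ms-auth-internal-token is invalid"
        )
    return True
```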
--- a/code/infra/logging.tf
+++ b/code/infra/logging.tf
@@ -16,32 +16,32 @@ resource "azurerm_application_insights" "application_insights" {
 workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
 }
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" {
- resource_id = azurerm_application_insights.application_insights.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
- name = "logAnalytics"
- target_resource_id = azurerm_application_insights.application_insights.id
- log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
- dynamic "enabled_log" {
- iterator = entry
- for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
- content {
- category_group = entry.value
- }
- }
-
- dynamic "metric" {
- iterator = entry
- for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
- content {
- category = entry.value
- enabled = true
- }
- }
-}
+# data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" { # Disable to avoid duplicate logs in Application Insights
+# resource_id = azurerm_application_insights.application_insights.id
+# }
+
+# resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
+# name = "logAnalytics"
+# target_resource_id = azurerm_application_insights.application_insights.id
+# log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+# dynamic "enabled_log" {
+# iterator = entry
+# for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
+# content {
+# category_group = entry.value
+# }
+# }
+
+# dynamic "metric" {
+# iterator = entry
+# for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
+# content {
+# category = entry.value
+# enabled = true
+# }
+# }
+# }
 resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
 name = "${local.prefix}-log001"
diff --git a/code/infra/storage.tf b/code/infra/storage.tf
index 5b8acda..68cf9ef 100644
--- a/code/infra/storage.tf
+++ b/code/infra/storage.tf
@@ -34,6 +34,10 @@ resource "azurerm_storage_account" "storage" {
 default_action = "Deny"
 ip_rules = []
 virtual_network_subnet_ids = []
+ private_link_access {
+ endpoint_resource_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Security/datascanners/storageDataScanner"
+ endpoint_tenant_id = data.azurerm_client_config.current.tenant_id
+ }
 }
 nfsv3_enabled = false
 public_network_access_enabled = false
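Review bot: The new `private_link_access` block punches a resource-instance exception into a firewall whose `default_action` is `Deny`, but nothing says what `Microsoft.Security/datascanners/storageDataScanner` is or why it is trusted; I would add a comment such as `# Resource-instance rule for the Defender for Storage scanner (as far as the identifier tells); scoped to this subscription and tenant only`. With `public_network_access_enabled = false` two lines below, it is worth confirming against the provider and Azure documentation that a resource-instance rule is still honoured in that mode rather than being a no-op that leaves scanning silently disabled — I cannot tell from the diff. The `data.azurerm_client_config.current` reference must be declared elsewhere, and the storage account resource continues outside the hunk.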