update KV secrets to have content type & expiration dates compliant w…

…ith BAPS360SecurityPolicy
microsoft · Aug 19, 2024 · b847a15 · b847a15
1 parent a95d3de
commit b847a15
Show file tree

Hide file tree

Showing 13 changed files with 14 additions and 32 deletions.
diff --git a/infra/arm_templates/kv_secret/kv_secret.template.json b/infra/arm_templates/kv_secret/kv_secret.template.json
@@ -16,6 +16,9 @@
         },
         "expiration": {
             "type": "string"
+        },
+        "contentType": {
+            "type": "string"
         }
     },
     "resources": [
@@ -29,7 +32,8 @@
               "attributes": {
                 "enabled": true,
                 "exp": "[parameters('expiration')]"
-              }
+              },
+              "contentType": "[parameters('contentType')]"
             }
         }
     ]

diff --git a/infra/core/ai/bingSearch/bingSearch.tf b/infra/core/ai/bingSearch/bingSearch.tf
@@ -35,4 +35,5 @@ module "bing_search_key" {
   alias                         = "bingkey"
   tags                          = var.tags
   kv_secret_expiration          = var.kv_secret_expiration
+  contentType                   = "application/vnd.bag-StrongEncPasswordString"
 }
diff --git a/infra/core/ai/cogServices/cogServices.tf b/infra/core/ai/cogServices/cogServices.tf
@@ -19,6 +19,7 @@ module "cog_service_key" {
   alias                         = "aisvckey"
   tags                          = var.tags
   kv_secret_expiration          = var.kv_secret_expiration
+  contentType                   = "application/vnd.bag-StrongEncPasswordString"
 }
 
 data "azurerm_subnet" "subnet" {

diff --git a/infra/core/ai/docintelligence/variables.tf b/infra/core/ai/docintelligence/variables.tf
@@ -58,9 +58,4 @@ variable "subnet_name" {
 
 variable "arm_template_schema_mgmt_api" {
   type = string
-}
-
-variable "kv_secret_expiration" {
-  type = string
-  description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
 }
diff --git a/infra/core/ai/openaiservices/variables.tf b/infra/core/ai/openaiservices/variables.tf
@@ -82,11 +82,6 @@ variable "arm_template_schema_mgmt_api" {
   type = string
 }
 
-variable "kv_secret_expiration" {
-  type = string
-  description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
-}
-
 variable "logAnalyticsWorkspaceResourceId" {
   type = string
 }
diff --git a/infra/core/db/variables.tf b/infra/core/db/variables.tf
@@ -84,9 +84,4 @@ variable "subnet_name" {
 
 variable "arm_template_schema_mgmt_api" {
   type = string
-}
-
-variable "kv_secret_expiration" {
-  type = string
-  description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
 }
diff --git a/infra/core/search/variables.tf b/infra/core/search/variables.tf
@@ -62,9 +62,4 @@ variable "private_dns_zone_ids" {
 
 variable "arm_template_schema_mgmt_api" {
   type = string
-}
-
-variable "kv_secret_expiration" {
-  type = string
-  description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
 }
diff --git a/infra/core/security/keyvault/variables.tf b/infra/core/security/keyvault/variables.tf
@@ -57,9 +57,4 @@ variable "azure_keyvault_domain" {
 
 variable "arm_template_schema_mgmt_api" {
   type = string
-}
-
-variable "kv_secret_expiration" {
-  type = string
-  description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
 }
diff --git a/infra/core/security/keyvaultSecret/keyvaultSecret.tf b/infra/core/security/keyvaultSecret/keyvaultSecret.tf
@@ -18,6 +18,7 @@ resource "azurerm_resource_group_template_deployment" "kv_secret" {
     "value"                    = { value = "${var.secret_value}" },
     "tags"                      = { value = var.tags },
     "expiration"                = { value = var.kv_secret_expiration },
+    "contentType"               = { value = var.contentType },
   })
   template_content = data.template_file.workflow.template
   # The filemd5 forces this to run when the file is changed

diff --git a/infra/core/security/keyvaultSecret/variables.tf b/infra/core/security/keyvaultSecret/variables.tf
@@ -31,4 +31,8 @@ variable "alias" {
 variable "kv_secret_expiration" {
   type = string
   description = "The value for key vault secret expiration in  seconds since 1970-01-01T00:00:00Z"
+}
+
+variable "contentType" {
+  type = string
 }
diff --git a/infra/core/storage/storage-account.tf b/infra/core/storage/storage-account.tf
@@ -193,6 +193,7 @@ module "storage_connection_string" {
   tags                          = var.tags
   alias                         = "blobconnstring"
   kv_secret_expiration          = var.kv_secret_expiration
+  contentType                   = "application/vnd.ms-StorageConnectionString"
 }
 
 data "azurerm_subnet" "subnet" {

diff --git a/infra/main.tf b/infra/main.tf
@@ -263,7 +263,6 @@ module "kvModule" {
   depends_on                    = [ module.entraObjects, module.privateDnsZoneKeyVault[0] ]
   azure_keyvault_domain         = var.azure_keyvault_domain
   arm_template_schema_mgmt_api  = var.arm_template_schema_mgmt_api
-  kv_secret_expiration          = var.kv_secret_expiration
 }
 
 module "enrichmentApp" {
@@ -505,7 +504,6 @@ module "openaiServices" {
   private_dns_zone_ids            = var.is_secure_mode ? [module.privateDnsZoneAzureOpenAi[0].privateDnsZoneResourceId] : null
   arm_template_schema_mgmt_api    = var.arm_template_schema_mgmt_api
   key_vault_name                  = module.kvModule.keyVaultName
-  kv_secret_expiration            = var.kv_secret_expiration
   logAnalyticsWorkspaceResourceId = module.logging.logAnalyticsId
 
   deployments = [
@@ -547,7 +545,6 @@ module "aiDocIntelligence" {
   vnet_name                     = var.is_secure_mode ? module.network[0].vnet_name : null
   private_dns_zone_ids          = var.is_secure_mode ? [module.privateDnsZoneAzureAi[0].privateDnsZoneResourceId] : null
   arm_template_schema_mgmt_api  = var.arm_template_schema_mgmt_api
-  kv_secret_expiration          = var.kv_secret_expiration
 }
 
 module "cognitiveServices" {
@@ -580,7 +577,6 @@ module "searchServices" {
   private_dns_zone_ids          = var.is_secure_mode ? [module.privateDnsZoneSearchService[0].privateDnsZoneResourceId] : null
   arm_template_schema_mgmt_api  = var.arm_template_schema_mgmt_api
   key_vault_name                = module.kvModule.keyVaultName
-  kv_secret_expiration          = var.kv_secret_expiration
 }
 
 module "cosmosdb" {
@@ -597,7 +593,6 @@ module "cosmosdb" {
   vnet_name                     = var.is_secure_mode ? module.network[0].vnet_name : null
   private_dns_zone_ids          = var.is_secure_mode ? [module.privateDnsZoneCosmosDb[0].privateDnsZoneResourceId] : null
   arm_template_schema_mgmt_api  = var.arm_template_schema_mgmt_api
-  kv_secret_expiration          = var.kv_secret_expiration
 }
 
 module "acr"{

diff --git a/scripts/environments/local.env.example b/scripts/environments/local.env.example
@@ -57,7 +57,7 @@ export REQUIRE_WEBSITE_SECURITY_MEMBERSHIP=false # Required
 # with Microsoft's recommended guardrails for Azure Key Vault policy. We have NOT included automatic secret rotation in this deployment. See 
 # https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation for more information on enabling cryptographic key auto-rotation.
 # The following setting will set the secret expiration to the current day plus the number of days specified.
-export SECRET_EXPIRATION_DAYS=120 # Required
+export SECRET_EXPIRATION_DAYS=730 # Required
 
 # Uncomment this if you want to avoid the "are you sure?" prompt when applying TF changes
 # export SKIP_PLAN_CHECK=1