Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

Update AppService templates to adhere to Microsoft's Security Recommendations #1589

Open ChristopherHaws opened 1 year ago

ChristopherHaws commented 1 year ago

Our team at work is required to follow Microsoft's Security Recommendations. Doing this exploded our bicep scripts (a simple website with a sql server is around 1700 lines of bicep). It would be really helpful if Microsoft would create a template that actually followed their own recommendations because it is a huge pain to actually get working.

The template that most closely matches our setup is the Todo Application with a C# API and Azure SQL Database. A few things that are missing in the templates are:

I am leaving off a LOT of items, these are just the big ones that we have been struggling with. Some links with a lot more info are:

pamelafox commented 1 year ago

I'm not on the Azure Developer CLI team, but have made a few templates for the Python team with elements you're looking for. Sharing some links in case they're helpful for your team (though maybe you've already worked this all out).

Here's a sample which creates a Virtual Network / Private DNS zone for a Postgres server + Web app: https://github.com/pamelafox/msdocs-django-postgresql-sample-app-azd/blob/main/infra/resources.bicep

Here's a Postgres module which defines three possible firewalls (not just the super permissive one): https://github.com/pamelafox/flask-surveys-container-app/blob/main/infra/core/database/postgresql/flexibleserver.bicep

In terms of managed identity, @charris-msft has been playing around with using a postprovision hook for managed identity with Postgres, maybe he can share it here when done.

I've asked the AZD team re deployment slots, and that doesn't seem possible yet. That's discussed in this issue: https://github.com/Azure/azure-dev/issues/383

Also cc @tonybaloney from the Python team who's working on security auditing of our templates.

(I defer to AZD team for official response on upcoming features.)
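As an illustration of the "three possible firewalls" point raised above, here is a constructed Bicep module that is not code from either linked repository or from the azd project. It puts the permissive allow-everything rule beside three narrower choices (no public rule at all, Azure-services-only, or one explicit client IP) and lets the deployer pick with a parameter. The parameter names (`firewallMode`, `clientIpAddress`), the server name and the `2022-12-01` API version are assumptions for the example; the `0.0.0.0`-to-`0.0.0.0` rule is the documented Azure convention for "allow Azure services" on PostgreSQL flexible servers.

```bicep
// Added example (not from the linked repositories or the azd project).
// Demonstrates choosing a PostgreSQL flexible server firewall posture
// instead of defaulting to the allow-everything rule.

@description('Assumed parameter: which public firewall posture to create.')
@allowed([
  'none'          // no public firewall rule at all (recommended default)
  'azureServices' // only traffic from Azure services / Azure public IPs
  'clientIp'      // a single explicit client IP, e.g. a developer workstation
])
param firewallMode string = 'none'

@description('Assumed parameter: client IPv4 address, used only when firewallMode == clientIp.')
param clientIpAddress string = ''

@description('Assumed parameter: server name.')
param serverName string

@description('Azure region; defaults to the resource group location.')
param location string = resourceGroup().location

@secure()
param administratorLoginPassword string

resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: serverName
  location: location
  sku: {
    name: 'Standard_B1ms'
    tier: 'Burstable'
  }
  properties: {
    version: '14'
    administratorLogin: 'pgadmin'
    administratorLoginPassword: administratorLoginPassword
    storage: {
      storageSizeGB: 32
    }
  }
}

// What the permissive variant looks like (intentionally NOT created here):
// startIpAddress: '0.0.0.0', endIpAddress: '255.255.255.255' opens the
// public endpoint to every IPv4 address on the internet.

// Option 2: only Azure services and resources within Azure IP ranges.
// The 0.0.0.0-0.0.0.0 pair is Azure's sentinel for that setting; note it
// still admits any tenant's Azure-hosted workload, not just your own.
resource allowAzureServices 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2022-12-01' = if (firewallMode == 'azureServices') {
  parent: postgresServer
  name: 'AllowAllAzureServicesAndResourcesWithinAzureIps'
  properties: {
    startIpAddress: '0.0.0.0'
    endIpAddress: '0.0.0.0'
  }
}

// Option 3: exactly one explicit client address (start == end).
resource allowClientIp 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2022-12-01' = if (firewallMode == 'clientIp' && !empty(clientIpAddress)) {
  parent: postgresServer
  name: 'AllowClientIp'
  properties: {
    startIpAddress: clientIpAddress
    endIpAddress: clientIpAddress
  }
}

// Option 1 ('none') creates no rule: the public endpoint rejects all
// connections, so the application must reach the server another way
// (for example the VNet / Private DNS zone approach linked above).

output serverFqdn string = postgresServer.properties.fullyQualifiedDomainName
output firewallPosture string = firewallMode
```

Deploying with `firewallMode` left at its default creates no public rule, which is the posture a security review usually expects; a reviewer can then grep the template for the `0.0.0.0` / `255.255.255.255` pair to confirm the permissive rule never appears in committed infrastructure.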