Cloud architecture templates
# Azure Secure 3-tier application
Updated May 15, 2025

Tags: Azure, KeyVault, Function, WebApp, RBAC, Endpoint, Private Endpoint, NSG, Zero Trust, Storage Account, Private Link, DNS Record, Public IP
## **Description**
The SecureApps architecture is a highly secure, private, and scalable Azure-based infrastructure designed for hosting web applications, function apps, and databases. This Terraform-managed environment ensures that critical services such as App Services, SQL Server, Key Vault, and Storage are completely isolated from the public internet, accessible only via private networking.

The architecture follows Zero Trust principles, leveraging:
- **Private Endpoints** for SQL, Storage, and Key Vault to eliminate public access
- **VNet Integration** for secure internal communication
- **Network Security Groups (NSG)** to enforce strict security rules
- **Managed Identities** for passwordless authentication
- **RBAC Role Assignments** to enforce least-privilege access
- **TLS 1.2 & Encryption** for secure data transmission and storage

This setup is ideal for enterprises, financial institutions, healthcare, or any organization that requires strong security, compliance, and performance in their Azure cloud deployments.
> ✅ *terraform apply: successful*.
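As an added example, not code from the Brainboard template itself, this is the Terraform wiring for the Key Vault leg of the design: public access off, RBAC for data-plane authorization, a private endpoint in the endpoint subnet backed by its private DNS zone, and a least-privilege role assignment for the App Service identity. It uses the page's own variables; the resource group, VNet, endpoint subnet and identity it references (`azurerm_resource_group.rg`, `azurerm_virtual_network.vnet`, `azurerm_subnet.pep`, `azurerm_user_assigned_identity.webapp`) are assumed names for resources defined elsewhere in the module.

```hcl
# Assumes azurerm_resource_group.rg, azurerm_virtual_network.vnet, azurerm_subnet.pep
# (private endpoint subnet) and azurerm_user_assigned_identity.webapp exist in the module.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                          = var.keyvault_name
  location                      = var.location
  resource_group_name           = azurerm_resource_group.rg.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = var.kv_sku_name
  enable_rbac_authorization     = true  # data-plane access via Azure RBAC, not access policies
  public_network_access_enabled = false # reachable only through the private endpoint below
}

# Zone plus VNet link so privatelink.vaultcore.azure.net resolves to the endpoint's private IP
resource "azurerm_private_dns_zone" "kv" {
  name                = var.privatednszonekv_name
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "kv" {
  name                  = "${var.app_name}-kv-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
  registration_enabled  = var.registration_enabled
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pep-${var.keyvault_name}"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.pep.id
  private_service_connection {
    name                           = "psc-${var.keyvault_name}"
    private_connection_resource_id = azurerm_key_vault.kv.id
    is_manual_connection           = false
    subresource_names              = [var.pep_kv_subresource_names] # "vault"
  }
  # Azure maintains the A record here, so no hand-written azurerm_private_dns_a_record is needed
  private_dns_zone_group {
    name                 = var.private_dns_zone_group_name
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}

# Least privilege: the web app identity can read secrets and nothing else
resource "azurerm_role_assignment" "webapp_kv_secrets" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.webapp.principal_id
}
```

With `public_network_access_enabled = false` the vault rejects any request that does not arrive via the private endpoint, so a misconfigured DNS zone shows up immediately as a connection failure from the App Service rather than as a silent fallback to the public address.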
## **Architecture Components**
| **Resource** | **Resource Type** | **Description** |
|--------------------------------------|--------------------------------------------------------|----------------------------------------------------------|
| **Virtual Network** | `azurerm_virtual_network` | Defines a secure private network |
| **Internal Subnet** | `azurerm_subnet` | Dedicated subnet for App Services and Function Apps |
| **Private Endpoint Subnet** | `azurerm_subnet` | Dedicated subnet for Private Endpoints |
| **App Service Plan** | `azurerm_app_service_plan` | Defines compute resources for hosting Web Apps |
| **App Service** | `azurerm_app_service` | Hosts web applications with VNet integration |
| **Function App** | `azurerm_function_app` | Serverless backend with private network access |
| **Key Vault** | `azurerm_key_vault` | Securely stores application secrets |
| **Azure SQL Server** | `azurerm_mssql_server` | Securely manages SQL databases with private access |
| **Azure SQL Database** | `azurerm_mssql_database` | Hosts structured data with encrypted storage |
| **Azure Storage Account** | `azurerm_storage_account` | Stores application data with private access |
| **Private Endpoint for SQL** | `azurerm_private_endpoint` | Restricts SQL access to internal services only |
| **Private Endpoint for Storage** | `azurerm_private_endpoint` | Restricts storage access to internal services only |
| **Private Endpoint for Key Vault** | `azurerm_private_endpoint` | Restricts Key Vault access to internal services only |
| **Network Security Group (NSG)** | `azurerm_network_security_group` | Controls inbound and outbound traffic |
| **Private DNS Zone (SQL, KV, Storage)** | `azurerm_private_dns_zone` | Manages private domain resolution for internal services |
| **Private DNS A Records** | `azurerm_private_dns_a_record` | Associates Private Endpoints with custom DNS names |
| **Managed Identity (App Service)** | `azurerm_user_assigned_identity` | Provides secure authentication without storing passwords |
| **Managed Identity (Function App)** | `azurerm_user_assigned_identity` | Allows Function Apps to access secure resources |
| **Role Assignments (RBAC)** | `azurerm_role_assignment` | Implements least-privilege access across services |
## **Requirements**
| **Name** | **Configuration** |
|------------------------|--------------------------------------------------------------|
| **Terraform Version** | Compatible with all versions |
| **Provider** | Azure RM |
| **Provider Version** | `>= 3.88.0` |
| **Access Requirements** | Service Principal with Contributor Role |
| **Network Security** | VNet, NSGs, Private Endpoints, Service Endpoints enabled |
| **Authentication** | Managed Identities (No credentials stored) |
| **Storage Security** | Private Storage, No Public Access, Role-based access control |
| **SQL Security** | TLS 1.2, Private Endpoint, No Public Access |
| **Key Vault Security** | Private Endpoint, RBAC, No Public Access |
## **How to Use the Architecture**
Clone the architecture and modify the following variables according to your needs:
### **Variables and Default Values**
| **Variable** | **Default Value** | **Description** |
|--------------------------------------|-----------------------------------------------------------------------------|--------------------------------------------------------|
| `app_name` | `"SecureApps"` | Name of the application being deployed |
| `asp_kind` | `"App"` | Type of App Service Plan |
| `asp_sku_size` | `"B1"` | Size of the App Service Plan |
| `asp_sku_tier` | `"Standard"` | SKU tier for the App Service Plan |
| `branch_name` | `"master"` | Git branch for source control |
| `env` | `"prod"` | Deployment environment |
| `keyvault_name` | `"kvsecureapps01"` | Name of the Azure Key Vault |
| `kv_sku_name` | `"standard"` | SKU tier of the Key Vault |
| `location` | `"France Central"` | Azure region for deployment |
| `location_short` | `"frc"` | Short name for the Azure region |
| `max_size_gb` | `5` | Maximum size of the database in GB |
| `nsg_rules_snet_func` | *List of security rules* | Network Security Group rules for function subnet |
| `nsg_rules_snet_int` | *List of security rules* | NSG rules for internal subnet |
| `nsg_rules_snet_pep` | *List of security rules* | NSG rules for private endpoint subnet |
| `pep_kv_subresource_names` | `"vault"` | Subresource name for Key Vault private endpoint |
| `pep_st_subresource_names` | `"blob"` | Subresource name for Storage Account private endpoint|
| `private_dns_zone_group_name` | `"default"` | Private DNS Zone Group name |
| `privatednszonekv_name` | `"privatelink.vaultcore.azure.net"` | Private DNS zone name for Key Vault |
| `privatednszonesql_name` | `"privatelink.database.windows.net"` | Private DNS zone name for SQL Server |
| `privatednszonest_name` | `"privatelink.blob.core.windows.net"` | Private DNS zone name for Storage Account |
| `registration_enabled` | `"false"` | Whether DNS registration is enabled |
| `repo_url` | `"https://github.com/Azure-Samples/app-service-web-nodejs-get-started.git"` | Git repository URL for deployment |
| `sql_database_name` | `"sqldb-secureapps"` | Name of the SQL database |
| `sql_server_admin_password` | `"6WzjhE?d0qr6hD=&4"` | SQL Server admin password |
| `sql_server_admin_username` | `"user_test"` | SQL Server admin username |
| `st_access_tier` | `"Hot"` | Access tier for the storage account |
| `storage_ac_apps_name` | `"stsecureapps01"` | Storage account name for applications |
| `storage_account_kind` | `"StorageV2"` | Type of storage account |
| `storage_logs_name` | `"stlogsecuresapps"` | Storage account name for logs |
| `storage_tier` | `"Standard"` | Storage performance tier |
| `storage_type` | `"LRS"` | Storage replication type |
| `subnet_int_addr_prefixes` | `"10.0.1.0/28"` | Address prefix for internal subnet |
| `subnet_int_func_addr_prefixes` | `"10.0.1.32/28"` | Address prefix for function subnet |
| `subnet_pep_addr_prefixes` | `"10.0.1.16/28"` | Address prefix for private endpoint subnet |
| `tags` | `{ archuiid = "426b428f-c229-4736-b89d-1a5eb10e7605", env = "Developement" }` | Tags applied to all resources |
| `tll` | `10` | Time-to-live (TTL) for DNS records |
| `vnet_address_space` | `"10.0.1.0/25"` | Address space for the virtual network |
| `webapp_os_type` | `"Windows"` | OS type for the web application |
| `webapp_runtime_stack` | `".NET"` | Runtime stack for the web application |
**N.B.:**
- Feel free to remove the resources that are not relevant to your use case.
- Some variables have default values; change them if they don't fit your deployment. In particular, the `sql_server_admin_password` default is published with this template, so replace it before any deployment.
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)