@NirajC-Microsoft
Contributor

This pull request makes several updates to the infra/main.bicep file to enhance security and simplify configurations. The changes primarily involve disabling public access and zone redundancy for various resources.

Security Enhancements:

Updated allowBlobPublicAccess to always be false, regardless of the virtualNetworkEnabled setting, ensuring no public access to storage blobs.

Configuration Simplifications:

Added isZoneRedundant: false to explicitly disable zone redundancy for Cosmos DB accounts.
Updated zoneRedundant to always be false, simplifying the configuration for container app environments.

Purpose

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

Contributor

Copilot AI left a comment

Pull Request Overview

This PR disables public blob access and zone redundancy across storage, Cosmos DB, and container app environments to improve security and simplify configuration.

  • Force allowBlobPublicAccess to false on the storage account
  • Explicitly set isZoneRedundant: false for Cosmos DB
  • Always use zoneRedundant: false for container app environments

Reviewed Changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| infra/main.bicep | Disabled blob public access unconditionally |
| infra/main.bicep | Added explicit isZoneRedundant: false to Cosmos DB accounts |
| infra/main.bicep | Hardcoded zoneRedundant: false for container app environments |

Comments suppressed due to low confidence (3)

infra/main.bicep:1039

  • [nitpick] Add a brief comment or update project documentation to explain why zone redundancy is being explicitly disabled for Cosmos DB accounts, so future maintainers understand the security or cost rationale.
isZoneRedundant: false

infra/main.bicep:864

  • The publicNetworkAccess property still allows network-level access when virtualNetworkEnabled is false, but blob-level access is always blocked. This mismatch can cause confusion or unintended failures; consider aligning both settings (e.g., disable public network access as well or make the blob access toggle follow the same condition).
allowBlobPublicAccess: false

infra/main.bicep:1077

  • [nitpick] Since this setting no longer depends on virtualNetworkEnabled, consider parameterizing zoneRedundant or removing the now-unused virtualNetworkEnabled toggle to keep configuration flexible and avoid dead code.
zoneRedundant: false
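
The mismatch raised in the suppressed comment on infra/main.bicep:864 can be checked mechanically on compiled template JSON. The following is an added example, not part of this pull request or the project's code: the sample template, resource names and the conditional expression are constructed for illustration, and the script assumes ARM JSON as produced by `az bicep build`.

```python
import json

# Constructed sample of compiled ARM JSON; not the project's actual template.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "stmismatch",
   "properties": {"allowBlobPublicAccess": false, "publicNetworkAccess": "Enabled"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stconditional",
   "properties": {"allowBlobPublicAccess": false,
     "publicNetworkAccess": "[if(parameters('virtualNetworkEnabled'), 'Disabled', 'Enabled')]"}},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": {
     "st": {"type": "Microsoft.Storage/storageAccounts", "name": "stlocked",
            "properties": {"allowBlobPublicAccess": false, "publicNetworkAccess": "Disabled"}}}}}}
]}
""")

def iter_resources(template):
    """Yield every resource, descending into nested deployment templates."""
    res = template.get("resources", [])
    # languageVersion 2.0 templates key resources by symbolic name (dict), older ones use a list.
    for r in (res.values() if isinstance(res, dict) else res):
        yield r
        inner = r.get("properties", {}).get("template")
        if isinstance(inner, dict):
            yield from iter_resources(inner)

def is_expression(value):
    # ARM expressions are strings wrapped in [...]; a leading "[[" is an escaped literal bracket.
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[")

def audit_storage(template):
    """Return {name: [findings]} for storage accounts whose exposure settings disagree."""
    findings = {}
    for r in iter_resources(template):
        if r.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        p = r.get("properties", {})
        blob, net = p.get("allowBlobPublicAccess"), p.get("publicNetworkAccess")
        notes = []
        if blob is not False:
            notes.append("allowBlobPublicAccess is not literal false")
        if is_expression(net):
            notes.append("publicNetworkAccess is conditional; resolve per parameter set")
        elif net != "Disabled":
            notes.append("publicNetworkAccess is not Disabled")
        if notes:
            findings[r.get("name")] = notes
    return findings
```

Running `audit_storage` on each environment's compiled template in CI surfaces accounts where blob-level access is blocked but the network-level setting still depends on a toggle.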

@Roopan-Microsoft Roopan-Microsoft merged commit 421b6e7 into hotfix Jun 12, 2025
4 checks passed
@NirajC-Microsoft NirajC-Microsoft deleted the psl-bug-macae-19139 branch July 14, 2025 04:50
blessing-msft pushed a commit that referenced this pull request Aug 1, 2025
fix: Disable Zone Redundant for all locations