Fixed documentation bugs for container apps Azure#2876 (Azure#2943)

Author: BernieWhite

docs/CHANGELOG-v1.md

@@ -43,6 +43,8 @@ What's changed since pre-release v1.38.0-B0011:
     [#2935](https://github.com/Azure/PSRule.Rules.Azure/issues/2935)
   - Fixed identification of `list*` function false positive with resource by @BernieWhite.
     [#2919](https://github.com/Azure/PSRule.Rules.Azure/issues/2919)
+  - Fixed documentation bugs for container apps by @BernieWhite.
+    [#2876](https://github.com/Azure/PSRule.Rules.Azure/issues/2876)
 
 ## v1.38.0-B0011 (pre-release)
 

docs/en/rules/Azure.ContainerApp.PublicAccess.md

@@ -1,4 +1,5 @@
 ---
+reviewed: 2024-06-18
 severity: Important
 pillar: Security
 category: SE:06 Network controls
@@ -23,11 +24,15 @@ Disable public network access to improve security by exposing the Container Apps
 
 This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
 
-To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.
+To provide secure access externally, instead consider using:
+
+- An Application Gateway in front of your Container Apps using your private VNET.
+- A Azure Front Door premium profile with private link to your Container Apps.
+  This currently only applies to Container Apps using consumption without workload profiles.
 
 ## RECOMMENDATION
 
-Consider disabling public network access.
+Consider disabling public network access by deploying an internal-only container apps to reduce the attack surface.
 
 ## EXAMPLES
 
@@ -42,18 +47,28 @@ For example:
 
 ```json
 {
-  "type": "Microsoft.App/containerApps",
-  "apiVersion": "2022-10-01",
+  "type": "Microsoft.App/managedEnvironments",
+  "apiVersion": "2024-03-01",
   "name": "[parameters('envName')]",
   "location": "[parameters('location')]",
   "properties": {
+    "appLogsConfiguration": {
+      "destination": "log-analytics",
+      "logAnalyticsConfiguration": {
+        "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').customerId]",
+        "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceId')), '2022-10-01').primarySharedKey]"
+      }
+    },
+    "zoneRedundant": true,
+    "workloadProfiles": [
+      {
+        "name": "Consumption",
+        "workloadProfileType": "Consumption"
+      }
+    ],
     "vnetConfiguration": {
-      "dockerBridgeCidr": "[parameters('dockerBridgeCidr')]",
-      "infrastructureSubnetId": "[parameters('infrastructureSubnetId')]",
-      "internal": true,
-      "outboundSettings": {},
-      "platformReservedCidr": "[parameters('platformReservedCidr')]",
-      "platformReservedDnsIP": "[parameters('platformReservedDnsIP')]",
+      "infrastructureSubnetId": "[parameters('subnetId')]",
+      "internal": true
     }
   }
 }
@@ -69,24 +84,37 @@ To deploy Container Apps environments that pass this rule:
 For example:
 
 ```bicep
-resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-10-01' = {
+resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = {
   name: envName
   location: location
   properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: workspace.properties.customerId
+        sharedKey: workspace.listKeys().primarySharedKey
+      }
+    }
+    zoneRedundant: true
+    workloadProfiles: [
+      {
+        name: 'Consumption'
+        workloadProfileType: 'Consumption'
+      }
+    ]
     vnetConfiguration: {
-      dockerBridgeCidr: dockerBridgeCidr
-      infrastructureSubnetId: infrastructureSubnetId
+      infrastructureSubnetId: subnetId
       internal: true
-      outboundSettings: {}
-      platformReservedCidr: platformReservedCidr
-      platformReservedDnsIP: platformReservedDnsIP
     }
   }
 }
 ```
 
+<!-- external:avm avm/res/app/managed-environment infrastructureSubnetId,internal -->
+
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments#vnetconfiguration)

docs/en/rules/Azure.ContainerApp.RestrictIngress.md

@@ -1,4 +1,5 @@
 ---
+reviewed: 2024-06-18
 severity: Important
 pillar: Security
 category: SE:06 Network controls
@@ -44,39 +45,47 @@ For example:
 ```json
 {
   "type": "Microsoft.App/containerApps",
-  "apiVersion": "2022-11-01-preview",
+  "apiVersion": "2024-03-01",
   "name": "[parameters('appName')]",
   "location": "[parameters('location')]",
   "identity": {
-    "type": "SystemAssigned",
-    "userAssignedIdentities": {}
+    "type": "SystemAssigned"
   },
   "properties": {
-    "environmentId": "[parameters('environmentId')]",
+    "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]",
     "template": {
-      "revisionSuffix": "",
-      "containers": "[variables('containers')]"
+      "revisionSuffix": "[parameters('revision')]",
+      "containers": "[variables('containers')]",
+      "scale": {
+        "minReplicas": 2
+      }
     },
     "configuration": {
       "ingress": {
-        "external": false,
+        "allowInsecure": false,
         "ipSecurityRestrictions": [
           {
             "action": "Allow",
-            "description": "ClientIPAddress_1",
+            "description": "Allowed IP address range",
             "ipAddressRange": "10.1.1.1/32",
             "name": "ClientIPAddress_1"
           },
           {
             "action": "Allow",
-            "description": "ClientIPAddress_2",
+            "description": "Allowed IP address range",
             "ipAddressRange": "10.1.2.1/32",
             "name": "ClientIPAddress_2"
           }
-        ]
+        ],
+        "stickySessions": {
+          "affinity": "none"
+        }
       }
     }
-  }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]"
+  ]
 }
 ```
 
@@ -90,53 +99,61 @@ To deploy Container Apps that pass this rule:
 For example:
 
 ```bicep
-resource containerApp 'Microsoft.App/containerApps@2022-11-01-preview' = {
+resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: appName
   location: location
   identity: {
     type: 'SystemAssigned'
-    userAssignedIdentities: {}
   }
-   properties: {
-    environmentId: environmentId
+  properties: {
+    environmentId: containerEnv.id
     template: {
-      revisionSuffix: ''
+      revisionSuffix: revision
       containers: containers
+      scale: {
+        minReplicas: 2
+      }
     }
     configuration: {
       ingress: {
-        external: false
+        allowInsecure: false
         ipSecurityRestrictions: [
           {
             action: 'Allow'
-            description: 'ClientIPAddress_1'
+            description: 'Allowed IP address range'
             ipAddressRange: '10.1.1.1/32'
             name: 'ClientIPAddress_1'
           }
           {
             action: 'Allow'
-            description: 'ClientIPAddress_2'
+            description: 'Allowed IP address range'
             ipAddressRange: '10.1.2.1/32'
             name: 'ClientIPAddress_2'
           }
         ]
+        stickySessions: {
+          affinity: 'none'
+        }
       }
     }
   }
 }
 ```
 
+<!-- external:avm avm/res/app/container-app ipSecurityRestrictions -->
+
 ## NOTES
 
-All rules must be the same type. It is not supported to combine allow rules and deny rules.
+All rules must be the same type.
+It is not supported to combine allow rules and deny rules.
 If no rules are defined at all, the rule will not pass as it expects at least one allow rule to be configured.
 
 ## LINKS
 
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline#ns-2-secure-cloud-services-with-network-controls)
 - [Networking in Azure Container Apps environment](https://learn.microsoft.com/azure/container-apps/networking)
 - [IP restrictions](https://learn.microsoft.com/azure/container-apps/ingress-overview#ip-restrictions)
 - [Set up IP ingress restrictions in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ip-restrictions)
 - [Azure security baseline for Azure Container Apps](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline)
-- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-container-apps-security-baseline#ns-2-secure-cloud-services-with-network-controls)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#ipsecurityrestrictionrule)

docs/examples-containerapp.bicep

@@ -39,7 +39,7 @@ var containers = [
 ]
 
 // An example App Environment configured with a consumption workload profile.
-resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
+resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = {
   name: envName
   location: location
   properties: {
@@ -65,7 +65,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
 }
 
 // An example Container App using a minimum of 2 replicas.
-resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
+resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: appName
   location: location
   identity: {
@@ -83,6 +83,20 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
     configuration: {
       ingress: {
         allowInsecure: false
+        ipSecurityRestrictions: [
+          {
+            action: 'Allow'
+            description: 'Allowed IP address range'
+            ipAddressRange: '10.1.1.1/32'
+            name: 'ClientIPAddress_1'
+          }
+          {
+            action: 'Allow'
+            description: 'Allowed IP address range'
+            ipAddressRange: '10.1.2.1/32'
+            name: 'ClientIPAddress_2'
+          }
+        ]
         stickySessions: {
           affinity: 'none'
         }

docs/examples-containerapp.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "3735352956667233547"
+      "version": "0.28.1.47646",
+      "templateHash": "3152038712307898231"
     }
   },
   "parameters": {
@@ -64,7 +64,7 @@
   "resources": [
     {
       "type": "Microsoft.App/managedEnvironments",
-      "apiVersion": "2023-05-01",
+      "apiVersion": "2024-03-01",
       "name": "[parameters('envName')]",
       "location": "[parameters('location')]",
       "properties": {
@@ -90,7 +90,7 @@
     },
     {
       "type": "Microsoft.App/containerApps",
-      "apiVersion": "2023-05-01",
+      "apiVersion": "2024-03-01",
       "name": "[parameters('appName')]",
       "location": "[parameters('location')]",
       "identity": {
@@ -108,6 +108,20 @@
         "configuration": {
           "ingress": {
             "allowInsecure": false,
+            "ipSecurityRestrictions": [
+              {
+                "action": "Allow",
+                "description": "Allowed IP address range",
+                "ipAddressRange": "10.1.1.1/32",
+                "name": "ClientIPAddress_1"
+              },
+              {
+                "action": "Allow",
+                "description": "Allowed IP address range",
+                "ipAddressRange": "10.1.2.1/32",
+                "name": "ClientIPAddress_2"
+              }
+            ],
             "stickySessions": {
               "affinity": "none"
             }