
Security: Default storageAccountUseIdentityAuthentication to true#6514

Draft
Copilot wants to merge 2 commits into main from copilot/fix-security-bug-storage-key

Conversation

Contributor

Copilot AI commented Jan 20, 2026

Description

Storage account keys were exposed in ARM deployment templates when using the web/site config module with default settings, triggering Defender for Cloud alerts.

Changes

  • Breaking: Changed storageAccountUseIdentityAuthentication default from false to true in:
    • avm/res/web/site/config/main.bicep
    • avm/res/web/site/slot/config/main.bicep
  • Enhanced parameter description to document security implications of false value

Behavior Change

Before:

configs: [{
  name: 'appsettings'
  storageAccountResourceId: sa.id
  // implicitly: storageAccountUseIdentityAuthentication = false
  // Result: storage keys exposed in deployment template
}]

After:

configs: [{
  name: 'appsettings'
  storageAccountResourceId: sa.id
  // implicitly: storageAccountUseIdentityAuthentication = true
  // Result: identity-based auth, no key exposure
}]

Users requiring key-based auth must explicitly set storageAccountUseIdentityAuthentication: false.

Requirements for Identity-Based Auth

  • App Service managed identity configured
  • Storage Blob Data Owner role assigned to storage account

Pipeline Reference

Pipeline

Type of Change

  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation
  • Update to CI Environment or utilities (Non-module affecting changes)

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • I have run Set-AVMModule locally to generate the supporting module files.
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • I have updated the module's CHANGELOG.md file with an entry for the next version

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • azure.github.io
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
    • Triggering command: /usr/bin/pwsh pwsh -Command . './utilities/tools/Set-AVMModule.ps1'; Set-AVMModule -ModuleFolderPath './avm/res/web/site' -SkipBuild -SkipFileAndFolderSetup -ThrottleLimit 5 (dns block)
    • Triggering command: /usr/bin/pwsh pwsh -Command . './utilities/tools/Set-AVMModule.ps1'; Set-AVMModule -ModuleFolderPath './avm/res/web/site' -SkipBuild -SkipFileAndFolderSetup -ThrottleLimit 5 -Verbose (dns block)
  • live-data.bicep.azure.com
    • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /home/REDACTED/work/bicep-registry-modules/bicep-registry-modules/avm/res/web/site/main.bicep --stdout (dns block)
    • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /home/REDACTED/work/bicep-registry-modules/bicep-registry-modules/avm/res/web/site/tests/e2e/waf-aligned/main.test.bicep --stdout (dns block)
    • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /home/REDACTED/work/bicep-registry-modules/bicep-registry-modules/avm/res/web/site/tests/e2e/functionApp.max/main.test.bicep --stdout (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[AVM Module Issue]:</issue_title>
<issue_description>### Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Security Bug

Module Name

avm/res/web/site

(Optional) Module Version

No response

Description

avm/res/web/site/config/main.bicep

var azureWebJobsValues
...
? {
AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount!.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
...

The Storage Account Key is submitted to ARM in clear text and triggers the Defender for Cloud recommendation: Azure Resource Manager deployments should have secrets findings resolved.

Are there any plans to pass this securely, without me having to make modifications to this file and parent files?

(Optional) Correlation Id

No response</issue_description>

<agent_instructions>Fix the issue</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@pankajagrawal16 Thanks for opening the issue. We should have a look at this.
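The pull request describes the switch at the module level but does not show what the two settings look like side by side. The following is an added example, not code from this PR or from the bicep-registry-modules project: a minimal Function App wiring that mirrors the new default (identity-based authentication) and keeps the key-based form only behind an explicit opt-out, together with the two requirements the description lists (managed identity on the app, Storage Blob Data Owner on the storage account). The parameter names, resource names, API versions and the role definition GUID are assumptions; verify the GUID against your tenant before use.

```bicep
// Added example (not the module's own code). Resource names, the parameter
// names and the role definition GUID below are assumptions.
param location string = resourceGroup().location
param storageAccountName string
param functionAppName string
param appServicePlanId string

// Assumed to mirror the module switch; defaults to identity-based auth.
param storageAccountUseIdentityAuthentication bool = true

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
  name: storageAccountName
}

resource functionApp 'Microsoft.Web/sites@2023-12-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned' // requirement 1: managed identity on the app
  }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
  }
}

// Key-based form: listKeys() is resolved at deployment time, so the account
// key lands in the ARM deployment's app settings in clear text. This is the
// pattern the issue reports; it is reachable only by opting out explicitly.
var keyBasedSettings = {
  AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageAccount.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}

// Identity-based form: the Functions host reads these settings and obtains
// tokens with the managed identity; no secret is present in the template.
var identityBasedSettings = {
  AzureWebJobsStorage__accountName: storageAccount.name
  AzureWebJobsStorage__credential: 'managedidentity'
  AzureWebJobsStorage__blobServiceUri: storageAccount.properties.primaryEndpoints.blob
  AzureWebJobsStorage__queueServiceUri: storageAccount.properties.primaryEndpoints.queue
  AzureWebJobsStorage__tableServiceUri: storageAccount.properties.primaryEndpoints.table
}

resource appSettings 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: functionApp
  name: 'appsettings'
  properties: storageAccountUseIdentityAuthentication ? identityBasedSettings : keyBasedSettings
}

// Requirement 2: Storage Blob Data Owner on the storage account, granted to
// the app's identity. The GUID is the assumed built-in role definition ID.
var storageBlobDataOwnerRoleId = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

resource blobDataOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (storageAccountUseIdentityAuthentication) {
  name: guid(storageAccount.id, functionApp.id, storageBlobDataOwnerRoleId)
  scope: storageAccount
  properties: {
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataOwnerRoleId)
  }
}
```

With the default left at `true`, the compiled template contains no `listKeys()` call on the storage account, which is what removes the Defender for Cloud finding on the deployment; the role assignment is deployed only in that branch, since the key-based path does not need it.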


@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Triage 🔍 Maintainers need to triage still label Jan 20, 2026
@microsoft-github-policy-service

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue label Jan 20, 2026
@microsoft-github-policy-service

Important

If this is a module-related PR, being submitted by the sole owner of the module, the AVM core team must review and approve it (as module owners can't approve their own PRs).

To indicate this PR needs the core team's attention, apply the "Needs: Core Team 🧞" label!

The core team will only review and approve PRs that have this label applied!

…to true

- Changed default value from false to true in config/main.bicep and slot/config/main.bicep
- Updated parameter description to explain security implications
- This prevents storage account keys from being exposed in ARM deployment templates
- Follows Azure security best practices and resolves Defender for Cloud alerts

Co-authored-by: pankajagrawal16 <8058415+pankajagrawal16@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security vulnerability in ARM deployment for storage key Security: Default storageAccountUseIdentityAuthentication to true Jan 20, 2026
Copilot AI requested a review from pankajagrawal16 January 20, 2026 14:13