do not expose secrets as part of deployment output during azure deployment (#3578)

* do not expose secrets during deployment

* remove commented out code

* was passing wrong connection string

---------

Co-authored-by: stas <statis@microsoft.com>

Author: stishkin

src/deployment/azuredeploy.bicep

@@ -156,7 +156,6 @@ module storage 'bicep-templates/storageAccounts.bicep' = {
   params: {
     location: location
     owner: owner
-    signedExpiry: signedExpiry
   }
 }
 
@@ -172,6 +171,7 @@ module autoscaleSettings 'bicep-templates/autoscale-settings.bicep' = {
   }
 }
 
+
 module eventGrid 'bicep-templates/event-grid.bicep' = {
   name: 'event-grid'
   params: {
@@ -227,8 +227,8 @@ module function 'bicep-templates/function.bicep' = {
   params: {
     name: name
     linux_fx_version: 'DOTNET-ISOLATED|7.0'
-
-    app_logs_sas_url: storage.outputs.FuncSasUrlBlobAppLogs
+    signedExpiry: signedExpiry
+    logs_storage: storage.outputs.FuncName
     app_func_audiences: app_func_audiences
     app_func_issuer: app_func_issuer
     client_id: clientId
@@ -241,6 +241,9 @@ module function 'bicep-templates/function.bicep' = {
     use_windows: true
     enable_remote_debugging: enable_remote_debugging
   }
+  dependsOn:[
+    storage
+  ]
 }
 
 module functionSettings 'bicep-templates/function-settings.bicep' = {
@@ -254,8 +257,9 @@ module functionSettings 'bicep-templates/function-settings.bicep' = {
     app_insights_app_id: operationalInsights.outputs.appInsightsAppId
     app_insights_key: operationalInsights.outputs.appInsightsInstrumentationKey
     client_secret: clientSecret
-    signal_r_connection_string: signalR.outputs.connectionString
-    func_sas_url: storage.outputs.FuncSasUrl
+
+    signalRName: signalR.outputs.signalRName
+    funcStorageName: storage.outputs.FuncName
     func_storage_resource_id: storage.outputs.FuncId
     fuzz_storage_resource_id: storage.outputs.FuzzId
     keyvault_name: keyVaultName
@@ -269,16 +273,18 @@ module functionSettings 'bicep-templates/function-settings.bicep' = {
   }
   dependsOn: [
     function
+    storage
+    signalR
   ]
 }
 
 output fuzz_storage string = storage.outputs.FuzzId
 output fuzz_name string = storage.outputs.FuzzName
-output fuzz_key string = storage.outputs.FuzzKey
+
 
 output func_storage string = storage.outputs.FuncId
 output func_name string = storage.outputs.FuncName
-output func_key string = storage.outputs.FuncKey
+
 
 output scaleset_identity string = scaleset_identity
 output tenant_id string = tenantId

src/deployment/bicep-templates/function-settings.bicep

@@ -5,17 +5,11 @@ param app_insights_app_id string
 @secure()
 param app_insights_key string
 
-@secure()
-param func_sas_url string
-
 param cli_app_id string
 param authority string
 param tenant_domain string
 param multi_tenant_domain string
 
-@secure()
-param signal_r_connection_string string
-
 param app_config_endpoint string
 
 param func_storage_resource_id string
@@ -33,8 +27,21 @@ param functions_extension_version string
 
 param enable_profiler bool
 
+param signalRName string
+param funcStorageName string
+
 var telemetry = 'd7a73cf4-5a1a-4030-85e1-e5b25867e45a'
 
+
+resource signal_r 'Microsoft.SignalRService/signalR@2021-10-01' existing = {
+ name: signalRName
+}
+
+
+resource funcStorage 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
+  name: funcStorageName
+}
+
 resource function 'Microsoft.Web/sites@2021-02-01' existing = {
   name: name
 }
@@ -44,6 +51,7 @@ var enable_profilers = enable_profiler ? {
   DiagnosticServices_EXTENSION_VERSION: '~3'
 } : {}
 
+var func_key = funcStorage.listKeys().keys[0].value
 resource functionSettings 'Microsoft.Web/sites/config@2021-03-01' = {
   parent: function
   name: 'appsettings'
@@ -54,13 +62,13 @@ resource functionSettings 'Microsoft.Web/sites/config@2021-03-01' = {
       APPINSIGHTS_INSTRUMENTATIONKEY: app_insights_key
       APPINSIGHTS_APPID: app_insights_app_id
       ONEFUZZ_TELEMETRY: telemetry
-      AzureWebJobsStorage: func_sas_url
+      AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${funcStorage.name};AccountKey=${func_key};EndpointSuffix=core.windows.net'
       CLI_APP_ID: cli_app_id
       AUTHORITY: authority
       TENANT_DOMAIN: tenant_domain
       MULTI_TENANT_DOMAIN: multi_tenant_domain
       AzureWebJobsDisableHomepage: 'true'
-      AzureSignalRConnectionString: signal_r_connection_string
+      AzureSignalRConnectionString: signal_r.listKeys().primaryConnectionString
       AzureSignalRServiceTransportType: 'Transient'
       APPCONFIGURATION_ENDPOINT: app_config_endpoint
       ONEFUZZ_INSTANCE_NAME: instance_name

src/deployment/bicep-templates/function.bicep

@@ -9,8 +9,9 @@ param app_func_audiences array
 param use_windows bool
 param enable_remote_debugging bool
 
-@secure()
-param app_logs_sas_url string
+param logs_storage string
+param signedExpiry string
+
 
 @description('The degree of severity for diagnostics logs.')
 @allowed([
@@ -28,6 +29,14 @@ var siteconfig = (use_windows) ? {
   linuxFxVersion: linux_fx_version
 }
 
+var storage_account_sas = {
+  signedExpiry: signedExpiry
+  signedPermission: 'rwdlacup'
+  signedResourceTypes: 'sco'
+  signedServices: 'bfqt'
+}
+
+
 var commonSiteConfig = {
   alwaysOn: true
   defaultDocuments: []
@@ -45,6 +54,11 @@ var extraProperties = (use_windows && enable_remote_debugging) ? {
   remoteDebuggingVersion: 'VS2022'
 } : {}
 
+resource funcStorage 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
+  name: logs_storage
+}
+
+
 resource function 'Microsoft.Web/sites@2021-03-01' = {
   name: name
   location: location
@@ -97,14 +111,15 @@ resource funcAuthSettings 'Microsoft.Web/sites/config@2021-03-01' = {
   parent: function
 }
 
+var sas = funcStorage.listAccountSas('2021-08-01', storage_account_sas)
 resource funcLogs 'Microsoft.Web/sites/config@2021-03-01' = {
   name: 'logs'
   properties: {
     applicationLogs: {
       azureBlobStorage: {
         level: diagnostics_log_level
         retentionInDays: log_retention
-        sasUrl: app_logs_sas_url
+        sasUrl: '${funcStorage.properties.primaryEndpoints.blob}app-logs?${sas.accountSasToken}'
       }
     }
   }

src/deployment/bicep-templates/signalR.bicep

@@ -30,5 +30,4 @@ resource signalR 'Microsoft.SignalRService/signalR@2021-10-01' = {
   }
 }
 
-var connectionString = signalR.listKeys().primaryConnectionString
-output connectionString string = connectionString
+output signalRName string = signalr_name

src/deployment/bicep-templates/storageAccounts.bicep

@@ -1,18 +1,10 @@
 param owner string
 param location string
-param signedExpiry string
 
 var suffix = uniqueString(resourceGroup().id)
 var storageAccountNameFuzz = 'fuzz${suffix}'
 var storageAccountNameFunc = 'func${suffix}'
 
-var storage_account_sas = {
-  signedExpiry: signedExpiry
-  signedPermission: 'rwdlacup'
-  signedResourceTypes: 'sco'
-  signedServices: 'bfqt'
-}
-
 var storageAccountFuzzContainersParams = [
   'events'
 ]
@@ -119,14 +111,3 @@ output FuzzId string = storageAccountFuzz.id
 output FuncId string = storageAccountFunc.id
 
 output FileChangesQueueName string = storageAccountFuncQueuesParams[fileChangesQueueIndex]
-
-var sas = storageAccountFunc.listAccountSas('2021-08-01', storage_account_sas)
-output FuncSasUrlBlobAppLogs string = '${storageAccountFunc.properties.primaryEndpoints.blob}app-logs?${sas.accountSasToken}'
-
-var fuzz_key = storageAccountFuzz.listKeys().keys[0].value
-output FuzzKey string = fuzz_key
-
-var func_key = storageAccountFunc.listKeys().keys[0].value
-output FuncKey string = func_key
-
-output FuncSasUrl string = 'DefaultEndpointsProtocol=https;AccountName=${storageAccountFunc.name};AccountKey=${func_key};EndpointSuffix=core.windows.net'