Knowledge Contribution
Type: Pitfall
File: knowledge/services/log-analytics.md
Context
Advisory Notes — Stage 1: Managed Identity
- [Architectural Trade-off] A single shared identity across all Container Apps simplifies wiring but increases blast radius — if the identity's permissions are over-scoped in later stages, every service inherits that exposure. Consider per-service identities for production least-privilege isolation.
- [Security] No resource lock is applied to the managed identity. Accidental deletion would orphan all downstream RBAC assignments and break ev
Rationale
Advisory Notes — Stage 1: Managed Identity
- [Architectural Trade-off] A single shared identity across all Container Apps simplifies wiring but increases blast radius — if the identity's permissions are over-scoped in later stages, every service inherits that exposure. Consider per-service identities for production least-privilege isolation.
- [Security] No resource lock is applied to the managed identity. Accidental deletion would orphan all downstream RBAC assignments and break ev
Content to Add
## Advisory Notes — Stage 1: Managed Identity
- **[Architectural Trade-off]** A single shared identity across all Container Apps simplifies wiring but increases blast radius — if the identity's permi
Source
Build advisory review
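
The two advisories above, sketched as a Bicep template: one user-assigned identity per Container App instead of a shared one, each protected by a `CanNotDelete` lock. This is an added example, not the project's own code; the service names, images, `environmentId` parameter and resource names are assumptions.

```bicep
// Added example; every name, image and parameter here is hypothetical.
param location string = resourceGroup().location
param environmentId string // ID of an existing Container Apps environment (assumed)
param services array = [
  {
    name: 'orders'
    image: 'example.azurecr.io/orders:1.0'
  }
  {
    name: 'billing'
    image: 'example.azurecr.io/billing:1.0'
  }
]

// One identity per service: an over-scoped role on one identity
// is no longer inherited by every other Container App.
resource identities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for svc in services: {
  name: 'id-${svc.name}'
  location: location
}]

// CanNotDelete lock: the identity cannot be removed by accident,
// so the RBAC assignments that reference it are not orphaned.
resource identityLocks 'Microsoft.Authorization/locks@2020-05-01' = [for (svc, i) in services: {
  name: 'lock-id-${svc.name}'
  scope: identities[i]
  properties: {
    level: 'CanNotDelete'
    notes: 'Deleting this identity orphans its role assignments.'
  }
}]

// Each Container App is wired only to its own identity.
resource apps 'Microsoft.App/containerApps@2023-05-01' = [for (svc, i) in services: {
  name: 'ca-${svc.name}'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identities[i].id}': {}
    }
  }
  properties: {
    environmentId: environmentId
    template: {
      containers: [
        {
          name: svc.name
          image: svc.image
        }
      ]
    }
  }
}]
```

Role assignments made in later stages should then target the `principalId` of the one identity that needs the role, not a shared principal.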