This project sets up a self-hosted, secured CTFd environment, using Azure PaaS, that is easy to maintain. It supports the Capture-the-Flag with CTFd on Azure PaaS content on the [Azure Architecture Center](link.com TODO:).

This project provides the following features:

• Infrastructure as Code with Azure Bicep.
• High scale that meets different team sizes with Azure App Service Web App for Containers.
• Backend database and cache provided with Azure PaaS Database for MySQL and Cache for Redis.
• Secrets management using Azure Key Vault.
• Log Management with Azure Log Analytics.
• Adjustable level of network isolation: The solution can be provisioned either with or without virtual network. Private networking is provided using Private Endpoints and App Service VNet Integration.
• Custom CTFd container image built and hosted on Azure Container Registry with certificates to allow TLS connectivity to Azure Database for MySQL.
  • The image is based off the community CTFd image layered with the certificate required to communicate with Azure Database for MySQL over TLS.

• Azure CLI
• Azure Subscription with at least a Resource-Group's Contributor access

git clone https://github.com/Azure-Samples/ctfd-azure-paas.git
cd ctfd-azure-paas

# This is bash syntax. if using Powershell, add $ sign before the assignments (i.e. $DB_PASSWORD='YOUR PASSWORD')
DB_PASSWORD='YOUR PASSWORD'
RESOURCE_GROUP_NAME='RESOURCE GROUP NAME'

az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file ctfd.bicep --parameters administratorLoginPassword=$DB_PASSWORD 

• Navigate your browser to the App Service URL, in the form of *https://[YOUR APP SERVICE NAME].azurewebsites.net*
• Configure your Capture the Flag event using the administrator dashboard. more info here

• Navigate to the Log Analytics workspace in the resource group.
• Check logs from CTFd container(s) using the table AppServiceConsoleLogs

By default the solution isolates network traffic from the CTFd App Service to the internal services (database, cache and key mangement) using a virtual network. You may reduce the solution complexity and potentially optimize cost by provisioning it without network isolation using the following command:

az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file ctfd.bicep --parameters administratorLoginPassword=$DB_PASSWORD --parameters vnet=False

When provisioing the solution without a virtual network, the archicture diagram should look like this:

Delete the resource group using the following command

az group delete -n $RESOURCE_GROUP_NAME

The template deployment can be further configured using the following parameters:

• resourcesLocation - Location for all resources. Defaults to the resource group location.
• vnet - Deploy the solution with VNet. Defaults to True
• redisSkuName - Azure Cache for Redis SKU Name. More info at Azure Cache for Redis Pricing
• redisSkuSize - Azure Cache for Redis SKU Size. More info at Azure Cache for Redis Pricing
• administratorLogin - Admin Login of Azure Database for MySQL
• administratorLoginPassword - Admin Password of Azure Database for MySQL
• mysqlType - Azure Database for MySQL Workload Type. Can be either Development, SmallMedium or BusinessCritical. This affects the underlying virtual machine size as well as the storage capacity. More info at Azure Database for MySQL Pricing
• appServicePlanSkuName - Azure App Service Plan SKU Name. More info at Azure App Service Pricing
• webAppName - Azure App Service Name. Controls the DNS name of the CTF site.

Follow the Contribution Guide

• App Services - Web App for container
• Azure Database for MySQL
• Azure Cache for Redis
• Azure Key Vault
• Azure Log Analytics
• Azure Networking
• Azure Container Registry