From b59e34764b651401a073857c1378662743545099 Mon Sep 17 00:00:00 2001
From: Frank <fboucher@outlook.com>
Date: Mon, 27 May 2024 13:00:37 -0400
Subject: [PATCH 1/5] raw copy from src

---
 infra/core/ai/cognitiveservices.bicep         |  7 ++-
 infra/core/host/appservice.bicep              | 29 +++++----
 infra/core/host/container-app-upsert.bicep    | 12 +++-
 infra/core/host/container-app.bicep           | 20 +++++--
 .../host/container-apps-environment.bicep     |  3 +-
 infra/core/host/container-apps.bicep          |  3 +
 infra/core/host/container-registry.bicep      | 59 ++++++++++++++++++-
 .../applicationinsights-dashboard.bicep       |  1 +
 infra/core/monitor/applicationinsights.bicep  |  7 ++-
 infra/core/monitor/loganalytics.bicep         |  1 +
 infra/core/monitor/monitoring.bicep           | 15 +++--
 infra/core/search/search-services.bicep       | 14 +++--
 infra/core/security/keyvault-access.bicep     |  1 +
 infra/core/security/keyvault-secret.bicep     |  1 +
 infra/core/security/keyvault.bicep            |  2 +
 infra/core/security/registry-access.bicep     |  3 +-
 infra/core/security/role.bicep                |  1 +
 infra/core/storage/storage-account.bicep      | 42 ++++++++++++-
 18 files changed, 176 insertions(+), 45 deletions(-)

diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
index 18ab1c97..76778e61 100644
--- a/infra/core/ai/cognitiveservices.bicep
+++ b/infra/core/ai/cognitiveservices.bicep
@@ -1,16 +1,15 @@
+metadata description = 'Creates an Azure Cognitive Services instance.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
-
-
+param disableLocalAuth bool = false
 param deployments array = []
 param kind string = 'OpenAI'
 
 @allowed([ 'Enabled', 'Disabled' ])
 param publicNetworkAccess string = 'Enabled'
-
 param sku object = {
   name: 'S0'
 }
@@ -32,6 +31,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
     networkAcls: networkAcls
+    disableLocalAuth: disableLocalAuth
   }
   sku: sku
 }
@@ -51,5 +51,6 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01
 }]
 
 output endpoint string = account.properties.endpoint
+output endpoints object = account.properties.endpoints
 output id string = account.id
 output name string = account.name
diff --git a/infra/core/host/appservice.bicep b/infra/core/host/appservice.bicep
index 5fb45e25..bef4d2ba 100644
--- a/infra/core/host/appservice.bicep
+++ b/infra/core/host/appservice.bicep
@@ -65,16 +65,6 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
 
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
 
-  resource configLogs 'config' = {
-    name: 'logs'
-    properties: {
-      applicationLogs: { fileSystem: { level: 'Verbose' } }
-      detailedErrorMessages: { enabled: true }
-      failedRequestsTracing: { enabled: true }
-      httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
-    }
-  }
-
   resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
     name: 'ftp'
     properties: {
@@ -90,7 +80,9 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
   }
 }
 
-module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) {
+// Updates to the single Microsoft.sites/web/config resources that need to be performed sequentially
+// sites/web/config 'appsettings'
+module configAppSettings 'appservice-appsettings.bicep' = {
   name: '${name}-appSettings'
   params: {
     name: appService.name
@@ -99,12 +91,25 @@ module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) {
         SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment)
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
       },
-      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true' } : {},
+      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {},
       !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
   }
 }
 
+// sites/web/config 'logs'
+resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'logs'
+  parent: appService
+  properties: {
+    applicationLogs: { fileSystem: { level: 'Verbose' } }
+    detailedErrorMessages: { enabled: true }
+    failedRequestsTracing: { enabled: true }
+    httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
+  }
+  dependsOn: [configAppSettings]
+}
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
   name: keyVaultName
 }
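Review bot: The `configLogs` resource keeps HTTP logs for one day and 35 MB on the instance file system (`retentionInDays: 1, retentionInMb: 35`) and writes application logs at `Verbose`, all hard-coded. That is little history for an investigation, and verbose application logs tend to pick up request data. No diagnostic setting to a Log Analytics workspace is visible in this hunk, though one may exist elsewhere in the file. I would expose the level and retention as parameters, e.g. `param httpLogRetentionInDays int = 1`, and add a comment on the resource saying these logs stay on the App Service file system.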
diff --git a/infra/core/host/container-app-upsert.bicep b/infra/core/host/container-app-upsert.bicep
index 72d4058d..5e05f89b 100644
--- a/infra/core/host/container-app-upsert.bicep
+++ b/infra/core/host/container-app-upsert.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates or updates an existing Azure Container App.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -25,6 +26,9 @@ param containerName string = 'main'
 @description('The name of the container registry')
 param containerRegistryName string = ''
 
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @allowed([ 'http', 'grpc' ])
 @description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
 param daprAppProtocol string = 'http'
@@ -52,12 +56,13 @@ param identityName string = ''
 param imageName string = ''
 
 @description('The secrets required for the container')
-param secrets array = []
+@secure()
+param secrets object = {}
 
 @description('The environment variables for the container')
 param env array = []
 
-@description('Specifies if the resource is external')
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
 
 @description('The service binds associated with the container')
@@ -66,7 +71,7 @@ param serviceBinds array = []
 @description('The target port for the container')
 param targetPort int = 80
 
-resource existingApp 'Microsoft.App/containerApps@2023-04-01-preview' existing = if (exists) {
+resource existingApp 'Microsoft.App/containerApps@2023-05-02-preview' existing = if (exists) {
   name: name
 }
 
@@ -82,6 +87,7 @@ module app 'container-app.bicep' = {
     containerName: containerName
     containerAppsEnvironmentName: containerAppsEnvironmentName
     containerRegistryName: containerRegistryName
+    containerRegistryHostSuffix: containerRegistryHostSuffix
     containerCpuCoreCount: containerCpuCoreCount
     containerMemory: containerMemory
     containerMinReplicas: containerMinReplicas
diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep
index 397b12b3..c64fc824 100644
--- a/infra/core/host/container-app.bicep
+++ b/infra/core/host/container-app.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates a container app in an Azure Container App environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -27,6 +28,9 @@ param containerName string = 'main'
 @description('The name of the container registry')
 param containerRegistryName string = ''
 
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @description('The protocol used by Dapr to connect to the app, e.g., http or grpc')
 @allowed([ 'http', 'grpc' ])
 param daprAppProtocol string = 'http'
@@ -40,7 +44,7 @@ param daprEnabled bool = false
 @description('The environment variables for the container')
 param env array = []
 
-@description('Specifies if the resource is external')
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
 
 @description('The name of the user-assigned identity')
@@ -59,7 +63,8 @@ param ingressEnabled bool = true
 param revisionMode string = 'Single'
 
 @description('The secrets required for the container')
-param secrets array = []
+@secure()
+param secrets object = {}
 
 @description('The service binds associated with the container')
 param serviceBinds array = []
@@ -88,7 +93,7 @@ module containerRegistryAccess '../security/registry-access.bicep' = if (usePriv
   }
 }
 
-resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
+resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
   name: name
   location: location
   tags: tags
@@ -119,11 +124,14 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
         appProtocol: daprAppProtocol
         appPort: ingressEnabled ? targetPort : 0
       } : { enabled: false }
-      secrets: secrets
+      secrets: [for secret in items(secrets): {
+        name: secret.key
+        value: secret.value
+      }]
       service: !empty(serviceType) ? { type: serviceType } : null
       registries: usePrivateRegistry ? [
         {
-          server: '${containerRegistryName}.azurecr.io'
+          server: '${containerRegistryName}.${containerRegistryHostSuffix}'
           identity: userIdentity.id
         }
       ] : []
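Review bot: The new `secrets` loop emits only `name` and `value`, so a secret can no longer be given as a Key Vault reference. With the old `secrets array` a caller could pass entries carrying `keyVaultUrl` and `identity`, which the Container Apps secret schema accepts; that shape is now unreachable. Every secret therefore travels as an inline value through the deployment, even though `@secure()` keeps it out of the deployment history. Consider a second, non-secure array parameter for Key Vault-referenced secrets that is concatenated with this loop's output, and say in the `secrets` description that it is a map of secret name to value. The same array-to-object change is made in container-app-upsert.bicep and breaks any caller still passing an array; the `app` resource body starts and ends outside this hunk.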
@@ -149,7 +157,7 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
   }
 }
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' existing = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
   name: containerAppsEnvironmentName
 }
 
diff --git a/infra/core/host/container-apps-environment.bicep b/infra/core/host/container-apps-environment.bicep
index f29079a0..20f4632e 100644
--- a/infra/core/host/container-apps-environment.bicep
+++ b/infra/core/host/container-apps-environment.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -11,7 +12,7 @@ param daprEnabled bool = false
 @description('Name of the Log Analytics workspace')
 param logAnalyticsWorkspaceName string
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
   name: name
   location: location
   tags: tags
diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep
index 38f47e06..1c656e28 100644
--- a/infra/core/host/container-apps.bicep
+++ b/infra/core/host/container-apps.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Container Registry and an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -5,6 +6,7 @@ param tags object = {}
 param containerAppsEnvironmentName string
 param containerRegistryName string
 param containerRegistryResourceGroupName string = ''
+param containerRegistryAdminUserEnabled bool = false
 param logAnalyticsWorkspaceName string
 param applicationInsightsName string = ''
 
@@ -25,6 +27,7 @@ module containerRegistry 'container-registry.bicep' = {
   params: {
     name: containerRegistryName
     location: location
+    adminUserEnabled: containerRegistryAdminUserEnabled
     tags: tags
   }
 }
diff --git a/infra/core/host/container-registry.bicep b/infra/core/host/container-registry.bicep
index 02af2992..d14731c9 100644
--- a/infra/core/host/container-registry.bicep
+++ b/infra/core/host/container-registry.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Container Registry.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -8,6 +9,11 @@ param adminUserEnabled bool = false
 @description('Indicates whether anonymous pull is enabled')
 param anonymousPullEnabled bool = false
 
+@description('Azure ad authentication as arm policy settings')
+param azureADAuthenticationAsArmPolicy object = {
+  status: 'enabled'
+}
+
 @description('Indicates whether data endpoint is enabled')
 param dataEndpointEnabled bool = false
 
@@ -16,25 +22,59 @@ param encryption object = {
   status: 'disabled'
 }
 
+@description('Export policy settings')
+param exportPolicy object = {
+  status: 'enabled'
+}
+
+@description('Metadata search settings')
+param metadataSearch string = 'Disabled'
+
 @description('Options for bypassing network rules')
 param networkRuleBypassOptions string = 'AzureServices'
 
 @description('Public network access setting')
 param publicNetworkAccess string = 'Enabled'
 
+@description('Quarantine policy settings')
+param quarantinePolicy object = {
+  status: 'disabled'
+}
+
+@description('Retention policy settings')
+param retentionPolicy object = {
+  days: 7
+  status: 'disabled'
+}
+
+@description('Scope maps setting')
+param scopeMaps array = []
+
 @description('SKU settings')
 param sku object = {
   name: 'Basic'
 }
 
+@description('Soft delete policy settings')
+param softDeletePolicy object = {
+  retentionDays: 7
+  status: 'disabled'
+}
+
+@description('Trust policy settings')
+param trustPolicy object = {
+  type: 'Notary'
+  status: 'disabled'
+}
+
 @description('Zone redundancy setting')
 param zoneRedundancy string = 'Disabled'
 
 @description('The log analytics workspace ID used for logging and monitoring')
 param workspaceId string = ''
 
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
+// 2023-11-01-preview needed for metadataSearch
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
   name: name
   location: location
   tags: tags
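Review bot: `metadataSearch` is a free-form string and the policy parameters are untyped objects, so a misspelt status is only caught by the resource provider at deploy time; `@allowed([ 'Enabled', 'Disabled' ])` on `metadataSearch` would match how cognitiveservices.bicep constrains `publicNetworkAccess`. The descriptions ('Trust policy settings', 'Quarantine policy settings') also do not say that the defaults leave content trust, quarantine, retention and soft delete off and export on, which a reader hardening the registry needs to know. As far as I know some of these policies are limited to the Premium SKU while `sku` defaults to `Basic` here; if that holds, the descriptions should say so. The resource comment now cites 2023-11-01-preview, while registry-access.bicep in this patch references the same registry at 2023-01-01-preview.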
@@ -44,10 +84,24 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
     anonymousPullEnabled: anonymousPullEnabled
     dataEndpointEnabled: dataEndpointEnabled
     encryption: encryption
+    metadataSearch: metadataSearch
     networkRuleBypassOptions: networkRuleBypassOptions
+    policies:{
+      quarantinePolicy: quarantinePolicy
+      trustPolicy: trustPolicy
+      retentionPolicy: retentionPolicy
+      exportPolicy: exportPolicy
+      azureADAuthenticationAsArmPolicy: azureADAuthenticationAsArmPolicy
+      softDeletePolicy: softDeletePolicy
+    }
     publicNetworkAccess: publicNetworkAccess
     zoneRedundancy: zoneRedundancy
   }
+
+  resource scopeMap 'scopeMaps' = [for scopeMap in scopeMaps: {
+    name: scopeMap.name
+    properties: scopeMap.properties
+  }]
 }
 
 // TODO: Update diagnostics to be its own module
@@ -78,5 +132,6 @@ resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview'
   }
 }
 
+output id string = containerRegistry.id
 output loginServer string = containerRegistry.properties.loginServer
 output name string = containerRegistry.name
diff --git a/infra/core/monitor/applicationinsights-dashboard.bicep b/infra/core/monitor/applicationinsights-dashboard.bicep
index b7af2c1a..d082e668 100644
--- a/infra/core/monitor/applicationinsights-dashboard.bicep
+++ b/infra/core/monitor/applicationinsights-dashboard.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates a dashboard for an Application Insights instance.'
 param name string
 param applicationInsightsName string
 param location string = resourceGroup().location
diff --git a/infra/core/monitor/applicationinsights.bicep b/infra/core/monitor/applicationinsights.bicep
index 9cb81432..850e9fe1 100644
--- a/infra/core/monitor/applicationinsights.bicep
+++ b/infra/core/monitor/applicationinsights.bicep
@@ -1,8 +1,8 @@
+metadata description = 'Creates an Application Insights instance based on an existing Log Analytics workspace.'
 param name string
-param dashboardName string
+param dashboardName string = ''
 param location string = resourceGroup().location
 param tags object = {}
-param includeDashboard bool = true
 param logAnalyticsWorkspaceId string
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
@@ -16,7 +16,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
   }
 }
 
-module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' =  if (includeDashboard) {
+module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if (!empty(dashboardName)) {
   name: 'application-insights-dashboard'
   params: {
     name: dashboardName
@@ -26,5 +26,6 @@ module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' =  if
 }
 
 output connectionString string = applicationInsights.properties.ConnectionString
+output id string = applicationInsights.id
 output instrumentationKey string = applicationInsights.properties.InstrumentationKey
 output name string = applicationInsights.name
diff --git a/infra/core/monitor/loganalytics.bicep b/infra/core/monitor/loganalytics.bicep
index 770544cc..33f9dc29 100644
--- a/infra/core/monitor/loganalytics.bicep
+++ b/infra/core/monitor/loganalytics.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates a Log Analytics workspace.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
diff --git a/infra/core/monitor/monitoring.bicep b/infra/core/monitor/monitoring.bicep
index 862ef439..74761258 100644
--- a/infra/core/monitor/monitoring.bicep
+++ b/infra/core/monitor/monitoring.bicep
@@ -1,10 +1,9 @@
+metadata description = 'Creates an Application Insights instance and a Log Analytics workspace.'
 param logAnalyticsName string
-param includeApplicationInsights bool = false
 param applicationInsightsName string
-param applicationInsightsDashboardName string
+param applicationInsightsDashboardName string = ''
 param location string = resourceGroup().location
 param tags object = {}
-param includeDashboard bool = true
 
 module logAnalytics 'loganalytics.bicep' = {
   name: 'loganalytics'
@@ -15,20 +14,20 @@ module logAnalytics 'loganalytics.bicep' = {
   }
 }
 
-module applicationInsights 'applicationinsights.bicep' = if (includeApplicationInsights) {
+module applicationInsights 'applicationinsights.bicep' = {
   name: 'applicationinsights'
   params: {
     name: applicationInsightsName
     location: location
     tags: tags
     dashboardName: applicationInsightsDashboardName
-    includeDashboard: includeDashboard
     logAnalyticsWorkspaceId: logAnalytics.outputs.id
   }
 }
 
-output applicationInsightsConnectionString string = includeApplicationInsights ? applicationInsights.outputs.connectionString : ''
-output applicationInsightsInstrumentationKey string = includeApplicationInsights ? applicationInsights.outputs.instrumentationKey : ''
-output applicationInsightsName string = includeApplicationInsights ? applicationInsights.outputs.name : ''
+output applicationInsightsConnectionString string = applicationInsights.outputs.connectionString
+output applicationInsightsId string = applicationInsights.outputs.id
+output applicationInsightsInstrumentationKey string = applicationInsights.outputs.instrumentationKey
+output applicationInsightsName string = applicationInsights.outputs.name
 output logAnalyticsWorkspaceId string = logAnalytics.outputs.id
 output logAnalyticsWorkspaceName string = logAnalytics.outputs.name
diff --git a/infra/core/search/search-services.bicep b/infra/core/search/search-services.bicep
index 399a8f3f..33fd83e1 100644
--- a/infra/core/search/search-services.bicep
+++ b/infra/core/search/search-services.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure AI Search instance.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -35,15 +36,18 @@ param replicaCount int = 1
 ])
 param semanticSearch string = 'disabled'
 
+var searchIdentityProvider = (sku.name == 'free') ? null : {
+  type: 'SystemAssigned'
+}
+
 resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = {
   name: name
   location: location
   tags: tags
-  identity: {
-    type: 'SystemAssigned'
-  }
+  // The free tier does not support managed identity
+  identity: searchIdentityProvider
   properties: {
-    authOptions: authOptions
+    authOptions: disableLocalAuth ? null : authOptions
     disableLocalAuth: disableLocalAuth
     disabledDataExfiltrationOptions: disabledDataExfiltrationOptions
     encryptionWithCmk: encryptionWithCmk
@@ -60,3 +64,5 @@ resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = {
 output id string = search.id
 output endpoint string = 'https://${name}.search.windows.net/'
 output name string = search.name
+output principalId string = !empty(searchIdentityProvider) ? search.identity.principalId : ''
+
diff --git a/infra/core/security/keyvault-access.bicep b/infra/core/security/keyvault-access.bicep
index aa989ebd..316775f2 100644
--- a/infra/core/security/keyvault-access.bicep
+++ b/infra/core/security/keyvault-access.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Assigns an Azure Key Vault access policy.'
 param name string = 'add'
 
 param keyVaultName string
diff --git a/infra/core/security/keyvault-secret.bicep b/infra/core/security/keyvault-secret.bicep
index 5f786ce5..7441b296 100644
--- a/infra/core/security/keyvault-secret.bicep
+++ b/infra/core/security/keyvault-secret.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates or updates a secret in an Azure Key Vault.'
 param name string
 param tags object = {}
 param keyVaultName string
diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep
index 0eb4a86d..663ec00b 100644
--- a/infra/core/security/keyvault.bicep
+++ b/infra/core/security/keyvault.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Key Vault.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -22,4 +23,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 
 output endpoint string = keyVault.properties.vaultUri
+output id string = keyVault.id
 output name string = keyVault.name
diff --git a/infra/core/security/registry-access.bicep b/infra/core/security/registry-access.bicep
index e17e4045..fc66837a 100644
--- a/infra/core/security/registry-access.bicep
+++ b/infra/core/security/registry-access.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Assigns ACR Pull permissions to access an Azure Container Registry.'
 param containerRegistryName string
 param principalId string
 
@@ -13,6 +14,6 @@ resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   }
 }
 
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = {
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
   name: containerRegistryName
 }
diff --git a/infra/core/security/role.bicep b/infra/core/security/role.bicep
index dca01e18..0b30cfd3 100644
--- a/infra/core/security/role.bicep
+++ b/infra/core/security/role.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates a role assignment for a service principal.'
 param principalId string
 
 @allowed([
diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
index fcc7df7d..6149fb2f 100644
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure storage account.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -11,13 +12,18 @@ param allowBlobPublicAccess bool = true
 param allowCrossTenantReplication bool = true
 param allowSharedKeyAccess bool = true
 param containers array = []
-param supportsHttpsTrafficOnly bool = true
+param corsRules array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}
 @allowed([ 'AzureDnsZone', 'Standard' ])
 param dnsEndpointType string = 'Standard'
+param files array = []
 param kind string = 'StorageV2'
 param minimumTlsVersion string = 'TLS1_2'
+param queues array = []
+param shareDeleteRetentionPolicy object = {}
+param supportsHttpsTrafficOnly bool = true
+param tables array = []
 param networkAcls object = {
   bypass: 'AzureServices'
   defaultAction: 'Allow'
@@ -26,7 +32,7 @@ param networkAcls object = {
 param publicNetworkAccess string = 'Enabled'
 param sku object = { name: 'Standard_LRS' }
 
-resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
   name: name
   location: location
   tags: tags
@@ -48,6 +54,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
   resource blobServices 'blobServices' = if (!empty(containers)) {
     name: 'default'
     properties: {
+      cors: {
+        corsRules: corsRules
+      }
       deleteRetentionPolicy: deleteRetentionPolicy
     }
     resource container 'containers' = [for container in containers: {
@@ -57,7 +66,36 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
       }
     }]
   }
+
+  resource fileServices 'fileServices' = if (!empty(files)) {
+    name: 'default'
+    properties: {
+      cors: {
+        corsRules: corsRules
+      }
+      shareDeleteRetentionPolicy: shareDeleteRetentionPolicy
+    }
+  }
+
+  resource queueServices 'queueServices' = if (!empty(queues)) {
+    name: 'default'
+    properties: {
+
+    }
+    resource queue 'queues' = [for queue in queues: {
+      name: queue.name
+      properties: {
+        metadata: {}
+      }
+    }]
+  }
+
+  resource tableServices 'tableServices' = if (!empty(tables)) {
+    name: 'default'
+    properties: {}
+  }
 }
 
+output id string = storage.id
 output name string = storage.name
 output primaryEndpoints object = storage.properties.primaryEndpoints
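Review bot: `files` and `tables` only switch the `fileServices` and `tableServices` resources on; unlike `queues`, no child resource is created from their entries, so a caller who lists shares or tables gets none. The fence below adds the missing loops, assuming each entry carries a `name` as the queue entries do. Separately, the one `corsRules` array is applied to both the blob and the file service, so an origin allowed for blobs is also allowed for file shares; a separate parameter per service would keep that scoping explicit.

```bicep
  resource fileServices 'fileServices' = if (!empty(files)) {
    // … unchanged: name, cors and shareDeleteRetentionPolicy properties …
    resource share 'shares' = [for file in files: {
      name: file.name
    }]
  }

  // … unchanged: queueServices …

  resource tableServices 'tableServices' = if (!empty(tables)) {
    name: 'default'
    properties: {}
    resource table 'tables' = [for table in tables: {
      name: table.name
    }]
  }
```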

From ee9d6527bd93eb731ddce17575dd36165038bb22 Mon Sep 17 00:00:00 2001
From: Frank <fboucher@outlook.com>
Date: Mon, 27 May 2024 13:54:48 -0400
Subject: [PATCH 2/5] adding some exception and remove extra param

---
 .../monitor/applicationinsights-dashboard.bicep  | 16 ++++++++++++++++
 infra/core/monitor/monitoring.bicep              |  4 +++-
 infra/main.bicep                                 |  1 -
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/infra/core/monitor/applicationinsights-dashboard.bicep b/infra/core/monitor/applicationinsights-dashboard.bicep
index d082e668..fcd37ac5 100644
--- a/infra/core/monitor/applicationinsights-dashboard.bicep
+++ b/infra/core/monitor/applicationinsights-dashboard.bicep
@@ -34,10 +34,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/AspNetOverviewPinnedPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'id'
                 type: 'ApplicationInsights'
               }
+              #disable-next-line BCP037
               defaultMenuItemId: 'overview'
             }
           }
@@ -65,10 +67,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/ProactiveDetectionAsyncPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
               }
+              #disable-next-line BCP037
               defaultMenuItemId: 'ProactiveDetection'
             }
           }
@@ -96,6 +100,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/QuickPulseButtonSmallPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
@@ -137,6 +142,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/AvailabilityNavButtonPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
@@ -178,6 +184,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/AppMapButtonPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
@@ -236,6 +243,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/UsageUsersOverviewPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
@@ -298,11 +306,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/CuratedBladeFailuresPinnedPart'
+              #disable-next-line BCP037
               isAdapter: true
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ResourceId'
                 type: 'ApplicationInsights'
               }
+              #disable-next-line BCP037
               defaultMenuItemId: 'failures'
             }
           }
@@ -362,11 +373,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/CuratedBladePerformancePinnedPart'
+              #disable-next-line BCP037
               isAdapter: true
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ResourceId'
                 type: 'ApplicationInsights'
               }
+              #disable-next-line BCP037
               defaultMenuItemId: 'performance'
             }
           }
@@ -453,10 +467,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               ]
               #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/MetricsExplorerBladePinnedPart'
+              #disable-next-line BCP037
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
               }
+              #disable-next-line BCP037
               defaultMenuItemId: 'browser'
             }
           }
diff --git a/infra/core/monitor/monitoring.bicep b/infra/core/monitor/monitoring.bicep
index 74761258..a95a50dc 100644
--- a/infra/core/monitor/monitoring.bicep
+++ b/infra/core/monitor/monitoring.bicep
@@ -1,10 +1,12 @@
 metadata description = 'Creates an Application Insights instance and a Log Analytics workspace.'
 param logAnalyticsName string
+param includeApplicationInsights bool = false
 param applicationInsightsName string
 param applicationInsightsDashboardName string = ''
 param location string = resourceGroup().location
 param tags object = {}
 
+
 module logAnalytics 'loganalytics.bicep' = {
   name: 'loganalytics'
   params: {
@@ -14,7 +16,7 @@ module logAnalytics 'loganalytics.bicep' = {
   }
 }
 
-module applicationInsights 'applicationinsights.bicep' = {
+module applicationInsights 'applicationinsights.bicep' = if(includeApplicationInsights) {
   name: 'applicationinsights'
   params: {
     name: applicationInsightsName
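Review bot: Making the `applicationInsights` module conditional again leaves the outputs of this file dereferencing it unconditionally: patch 1/5 rewrote them to `applicationInsights.outputs.connectionString` and so on, and this patch does not touch them. With the default `includeApplicationInsights = false` the outputs refer to a module that is not deployed, which I would expect to fail the deployment. The guards removed in 1/5 need to come back, e.g. `output applicationInsightsConnectionString string = includeApplicationInsights ? applicationInsights.outputs.connectionString : ''`, and likewise for `applicationInsightsId`, `applicationInsightsInstrumentationKey` and `applicationInsightsName`. The outputs sit below this hunk.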
diff --git a/infra/main.bicep b/infra/main.bicep
index eb1225ea..65a5b091 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -383,7 +383,6 @@ module monitoring 'core/monitor/monitoring.bicep' = {
   params: {
     location: location
     tags: updatedTags
-    includeDashboard: false
     includeApplicationInsights: true
     logAnalyticsName: !empty(logAnalyticsName) ? logAnalyticsName : '${abbrs.operationalInsightsWorkspaces}${resourceToken}'
     applicationInsightsName: !empty(applicationInsightsName) ? applicationInsightsName : '${abbrs.insightsComponents}${resourceToken}'

From 9b4993e453e34e9b7ff4c3debab06adaa0f6d2ff Mon Sep 17 00:00:00 2001
From: Frank <fboucher@outlook.com>
Date: Wed, 5 Jun 2024 16:10:11 -0400
Subject: [PATCH 3/5] adding SystemAssigned identity

---
 infra/core/ai/cognitiveservices.bicep | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
index 76778e61..37d169d2 100644
--- a/infra/core/ai/cognitiveservices.bicep
+++ b/infra/core/ai/cognitiveservices.bicep
@@ -27,11 +27,14 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   location: location
   tags: tags
   kind: kind
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
     networkAcls: networkAcls
-    disableLocalAuth: disableLocalAuth
+    disableLocalAuth: true
   }
   sku: sku
 }
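Review bot: The system-assigned identity added here is not exposed by any output, so a caller cannot grant it roles without re-reading the resource; the outputs shown in patch 1/5 are `endpoint`, `endpoints`, `id` and `name`. search-services.bicep in the same series adds `output principalId` for its identity, and this module could do the same with `output principalId string = account.identity.principalId`. This hunk also hard-codes `disableLocalAuth: true` while the `disableLocalAuth` parameter (default `false`) is still declared, so a caller's value is silently ignored at this commit. The `account` resource begins above the hunk.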

From bbf02c4ed6606c992263fdc7ef290bab735c4ce2 Mon Sep 17 00:00:00 2001
From: Anthony Shaw <anthony.p.shaw@gmail.com>
Date: Thu, 6 Jun 2024 10:35:22 +1000
Subject: [PATCH 4/5] disableLocalAuth should pass the parameter

---
 infra/core/ai/cognitiveservices.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
index 37d169d2..44add42e 100644
--- a/infra/core/ai/cognitiveservices.bicep
+++ b/infra/core/ai/cognitiveservices.bicep
@@ -34,7 +34,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
     networkAcls: networkAcls
-    disableLocalAuth: true
+    disableLocalAuth: disableLocalAuth
   }
   sku: sku
 }

From 4324e72d1ab9a5b57113807a5c361ddb4806df10 Mon Sep 17 00:00:00 2001
From: Frank <fboucher@outlook.com>
Date: Thu, 6 Jun 2024 10:43:46 -0400
Subject: [PATCH 5/5] force  disableLocalAuth to true

---
 infra/core/ai/cognitiveservices.bicep | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
index 44add42e..3588072c 100644
--- a/infra/core/ai/cognitiveservices.bicep
+++ b/infra/core/ai/cognitiveservices.bicep
@@ -4,7 +4,6 @@ param location string = resourceGroup().location
 param tags object = {}
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
-param disableLocalAuth bool = false
 param deployments array = []
 param kind string = 'OpenAI'
 
@@ -34,7 +33,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
     networkAcls: networkAcls
-    disableLocalAuth: disableLocalAuth
+    disableLocalAuth: true
   }
   sku: sku
 }
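Review bot: Hard-coding `disableLocalAuth: true` and deleting the parameter turns off key authentication for every consumer of this module with no opt-out, so anything that still reads an API key or calls `listKeys()` on the account will stop working. Nothing in this series shows role assignments for the identities that call the account, so it is worth confirming they exist before this lands. Any module call that still passes `disableLocalAuth` will also fail to compile now that the parameter is gone; main.bicep is not part of this patch, so I cannot tell whether it does. A comment above the property, such as `// Key-based (local) auth is always disabled; callers must use Microsoft Entra ID and RBAC`, would record the intent.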