From b59e34764b651401a073857c1378662743545099 Mon Sep 17 00:00:00 2001 From: Frank Date: Mon, 27 May 2024 13:00:37 -0400 Subject: [PATCH 1/5] raw copy from src --- infra/core/ai/cognitiveservices.bicep | 7 ++- infra/core/host/appservice.bicep | 29 +++++---- infra/core/host/container-app-upsert.bicep | 12 +++- infra/core/host/container-app.bicep | 20 +++++-- .../host/container-apps-environment.bicep | 3 +- infra/core/host/container-apps.bicep | 3 + infra/core/host/container-registry.bicep | 59 ++++++++++++++++++- .../applicationinsights-dashboard.bicep | 1 + infra/core/monitor/applicationinsights.bicep | 7 ++- infra/core/monitor/loganalytics.bicep | 1 + infra/core/monitor/monitoring.bicep | 15 +++-- infra/core/search/search-services.bicep | 14 +++-- infra/core/security/keyvault-access.bicep | 1 + infra/core/security/keyvault-secret.bicep | 1 + infra/core/security/keyvault.bicep | 2 + infra/core/security/registry-access.bicep | 3 +- infra/core/security/role.bicep | 1 + infra/core/storage/storage-account.bicep | 42 ++++++++++++- 18 files changed, 176 insertions(+), 45 deletions(-) diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 18ab1c97..76778e61 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep @@ -1,16 +1,15 @@ +metadata description = 'Creates an Azure Cognitive Services instance.' param name string param location string = resourceGroup().location param tags object = {} @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.') param customSubDomainName string = name - - +param disableLocalAuth bool = false param deployments array = [] param kind string = 'OpenAI' @allowed([ 'Enabled', 'Disabled' ]) param publicNetworkAccess string = 'Enabled' - param sku object = { name: 'S0' } 
@@ -32,6 +31,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { customSubDomainName: customSubDomainName publicNetworkAccess: publicNetworkAccess networkAcls: networkAcls + disableLocalAuth: disableLocalAuth } sku: sku } @@ -51,5 +51,6 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01 }] output endpoint string = account.properties.endpoint +output endpoints object = account.properties.endpoints output id string = account.id output name string = account.name diff --git a/infra/core/host/appservice.bicep b/infra/core/host/appservice.bicep index 5fb45e25..bef4d2ba 100644 --- a/infra/core/host/appservice.bicep +++ b/infra/core/host/appservice.bicep @@ -65,16 +65,6 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = { identity: { type: managedIdentity ? 'SystemAssigned' : 'None' } - resource configLogs 'config' = { - name: 'logs' - properties: { - applicationLogs: { fileSystem: { level: 'Verbose' } } - detailedErrorMessages: { enabled: true } - failedRequestsTracing: { enabled: true } - httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } } - } - } - resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = { name: 'ftp' properties: { @@ -90,7 +80,9 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = { } } -module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) { +// Updates to the single Microsoft.sites/web/config resources that need to be performed sequentially +// sites/web/config 'appsettings' +module configAppSettings 'appservice-appsettings.bicep' = { name: '${name}-appSettings' params: { name: appService.name 
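Review bot: The new header comment in the `@@ -90,7 +80,9 @@` hunk of appservice.bicep names the resource type as `Microsoft.sites/web/config`, which does not match the type this file uses (`Microsoft.Web/sites/config@2022-03-01`, declared in the next hunk). I would reword it to `// Updates to the single Microsoft.Web/sites/config resource must be performed sequentially`. Dropping `if (!empty(appSettings))` also means `configAppSettings` now runs on every deployment; if the 'appsettings' write replaces the whole set (the module body is not shown here), settings added outside the template would be overwritten, which deserves a one-line comment. The module's `params` block continues past this hunk.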
@@ -99,12 +91,25 @@ module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) { SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment) ENABLE_ORYX_BUILD: string(enableOryxBuild) }, - runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true' } : {}, + runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {}, !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {}, !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {}) } } +// sites/web/config 'logs' +resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = { + name: 'logs' + parent: appService + properties: { + applicationLogs: { fileSystem: { level: 'Verbose' } } + detailedErrorMessages: { enabled: true } + failedRequestsTracing: { enabled: true } + httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } } + } + dependsOn: [configAppSettings] +} + resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { name: keyVaultName } diff --git a/infra/core/host/container-app-upsert.bicep b/infra/core/host/container-app-upsert.bicep index 72d4058d..5e05f89b 100644 --- a/infra/core/host/container-app-upsert.bicep +++ b/infra/core/host/container-app-upsert.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates or updates an existing Azure Container App.' param name string param location string = resourceGroup().location param tags object = {} 
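Review bot: `configLogs` fixes `applicationLogs` at `level: 'Verbose'` and `detailedErrorMessages: { enabled: true }` for every deployment, while `httpLogs` is kept for one day only (`retentionInDays: 1`, `retentionInMb: 35`). Verbose application logs can capture request data, and one day of file-system HTTP logs leaves little to work with during an investigation unless logs are also shipped elsewhere, which this hunk does not show. Since the resource is being rewritten anyway, consider exposing the level and retention as parameters, e.g. `param appLogLevel string = 'Information'` used as `applicationLogs: { fileSystem: { level: appLogLevel } }`. The `dependsOn: [configAppSettings]` line would also benefit from its own comment, because the explanation sits in the previous hunk.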
@@ -25,6 +26,9 @@ param containerName string = 'main' @description('The name of the container registry') param containerRegistryName string = '' +@description('Hostname suffix for container registry. Set when deploying to sovereign clouds') +param containerRegistryHostSuffix string = 'azurecr.io' + @allowed([ 'http', 'grpc' ]) @description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC') param daprAppProtocol string = 'http' @@ -52,12 +56,13 @@ param identityName string = '' param imageName string = '' @description('The secrets required for the container') -param secrets array = [] +@secure() +param secrets object = {} @description('The environment variables for the container') param env array = [] -@description('Specifies if the resource is external') +@description('Specifies if the resource ingress is exposed externally') param external bool = true @description('The service binds associated with the container') @@ -66,7 +71,7 @@ param serviceBinds array = [] @description('The target port for the container') param targetPort int = 80 -resource existingApp 'Microsoft.App/containerApps@2023-04-01-preview' existing = if (exists) { +resource existingApp 'Microsoft.App/containerApps@2023-05-02-preview' existing = if (exists) { name: name } @@ -82,6 +87,7 @@ module app 'container-app.bicep' = { containerName: containerName containerAppsEnvironmentName: containerAppsEnvironmentName containerRegistryName: containerRegistryName + containerRegistryHostSuffix: containerRegistryHostSuffix containerCpuCoreCount: containerCpuCoreCount containerMemory: containerMemory containerMinReplicas: containerMinReplicas diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep index 397b12b3..c64fc824 100644 --- a/infra/core/host/container-app.bicep +++ b/infra/core/host/container-app.bicep 
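Review bot: `containerRegistryHostSuffix` is an unconstrained string that ends up in the registry `server` value in container-app.bicep (`'${containerRegistryName}.${containerRegistryHostSuffix}'`), so a typo or a stray leading dot silently points image pulls at a different host name. The description should state the expected form, for example `@description('Hostname suffix for the container registry, without a leading dot (e.g. azurecr.io). Set when deploying to sovereign clouds')`. Deriving the default from `environment().suffixes.acrLoginServer` would avoid the hard-coded public-cloud value, though that value carries a leading dot and the interpolation would need adjusting. The same parameter is added in container-app.bicep.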
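Review bot: Switching `secrets` from `array` to a `@secure()` object in the `@@ -52,12 +56,13 @@` hunk changes the module's input contract, and the description does not say what shape is now expected; callers still passing the old array of name/value entries will fail type checking. I would document it as `@description('The secrets required for the container, as an object whose keys are secret names and whose values are the secret values')`. The same change is made to `secrets` in container-app.bicep. Whether this module forwards `secrets` to `container-app.bicep` is outside the visible hunks.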
@@ -1,3 +1,4 @@ +metadata description = 'Creates a container app in an Azure Container App environment.' param name string param location string = resourceGroup().location param tags object = {} @@ -27,6 +28,9 @@ param containerName string = 'main' @description('The name of the container registry') param containerRegistryName string = '' +@description('Hostname suffix for container registry. Set when deploying to sovereign clouds') +param containerRegistryHostSuffix string = 'azurecr.io' + @description('The protocol used by Dapr to connect to the app, e.g., http or grpc') @allowed([ 'http', 'grpc' ]) param daprAppProtocol string = 'http' @@ -40,7 +44,7 @@ param daprEnabled bool = false @description('The environment variables for the container') param env array = [] -@description('Specifies if the resource is external') +@description('Specifies if the resource ingress is exposed externally') param external bool = true @description('The name of the user-assigned identity') @@ -59,7 +63,8 @@ param ingressEnabled bool = true param revisionMode string = 'Single' @description('The secrets required for the container') -param secrets array = [] +@secure() +param secrets object = {} @description('The service binds associated with the container') param serviceBinds array = [] @@ -88,7 +93,7 @@ module containerRegistryAccess '../security/registry-access.bicep' = if (usePriv } } -resource app 'Microsoft.App/containerApps@2023-04-01-preview' = { +resource app 'Microsoft.App/containerApps@2023-05-02-preview' = { name: name location: location tags: tags 
@@ -119,11 +124,14 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = { appProtocol: daprAppProtocol appPort: ingressEnabled ? targetPort : 0 } : { enabled: false } - secrets: secrets + secrets: [for secret in items(secrets): { + name: secret.key + value: secret.value + }] service: !empty(serviceType) ? { type: serviceType } : null registries: usePrivateRegistry ? [ { - server: '${containerRegistryName}.azurecr.io' + server: '${containerRegistryName}.${containerRegistryHostSuffix}' identity: userIdentity.id } ] : [] @@ -149,7 +157,7 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = { } } -resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' existing = { +resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = { name: containerAppsEnvironmentName } diff --git a/infra/core/host/container-apps-environment.bicep b/infra/core/host/container-apps-environment.bicep index f29079a0..20f4632e 100644 --- a/infra/core/host/container-apps-environment.bicep +++ b/infra/core/host/container-apps-environment.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure Container Apps environment.' param name string param location string = resourceGroup().location param tags object = {} @@ -11,7 +12,7 @@ param daprEnabled bool = false @description('Name of the Log Analytics workspace') param logAnalyticsWorkspaceName string -resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = { +resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = { name: name location: location tags: tags diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep index 38f47e06..1c656e28 100644 --- a/infra/core/host/container-apps.bicep +++ b/infra/core/host/container-apps.bicep 
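Review bot: The new `secrets` loop emits only `name` and `value`, so a secret can no longer be declared as a Key Vault reference (`keyVaultUrl` plus `identity`), which the old pass-through `secrets: secrets` allowed. Every secret value now has to travel through the deployment as a parameter; `@secure()` keeps it out of deployment history, but the value is still stored in the container app instead of being resolved from the vault. If any caller relied on Key Vault references, consider keeping a way to pass them, for example a separate `keyVaultSecrets array = []` parameter concatenated onto this list. The `app` resource body starts and ends outside this hunk.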
@@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure Container Registry and an Azure Container Apps environment.' param name string param location string = resourceGroup().location param tags object = {} @@ -5,6 +6,7 @@ param tags object = {} param containerAppsEnvironmentName string param containerRegistryName string param containerRegistryResourceGroupName string = '' +param containerRegistryAdminUserEnabled bool = false param logAnalyticsWorkspaceName string param applicationInsightsName string = '' @@ -25,6 +27,7 @@ module containerRegistry 'container-registry.bicep' = { params: { name: containerRegistryName location: location + adminUserEnabled: containerRegistryAdminUserEnabled tags: tags } } diff --git a/infra/core/host/container-registry.bicep b/infra/core/host/container-registry.bicep index 02af2992..d14731c9 100644 --- a/infra/core/host/container-registry.bicep +++ b/infra/core/host/container-registry.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure Container Registry.' param name string param location string = resourceGroup().location param tags object = {} @@ -8,6 +9,11 @@ param adminUserEnabled bool = false @description('Indicates whether anonymous pull is enabled') param anonymousPullEnabled bool = false +@description('Azure ad authentication as arm policy settings') +param azureADAuthenticationAsArmPolicy object = { + status: 'enabled' +} + @description('Indicates whether data endpoint is enabled') param dataEndpointEnabled bool = false 
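Review bot: `containerRegistryAdminUserEnabled` is added without a description, and it switches on the registry's admin account, a single shared username and password. The default of `false` is right; I would document why on the parameter: `@description('Enables the registry admin user (shared credentials). Keep false and grant AcrPull to a managed identity instead, as registry-access.bicep does')`. This applies to the `@@ -5,6 +6,7 @@` hunk of container-apps.bicep.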
@@ -16,25 +22,59 @@ param encryption object = { status: 'disabled' } +@description('Export policy settings') +param exportPolicy object = { + status: 'enabled' +} + +@description('Metadata search settings') +param metadataSearch string = 'Disabled' + @description('Options for bypassing network rules') param networkRuleBypassOptions string = 'AzureServices' @description('Public network access setting') param publicNetworkAccess string = 'Enabled' +@description('Quarantine policy settings') +param quarantinePolicy object = { + status: 'disabled' +} + +@description('Retention policy settings') +param retentionPolicy object = { + days: 7 + status: 'disabled' +} + +@description('Scope maps setting') +param scopeMaps array = [] + @description('SKU settings') param sku object = { name: 'Basic' } +@description('Soft delete policy settings') +param softDeletePolicy object = { + retentionDays: 7 + status: 'disabled' +} + +@description('Trust policy settings') +param trustPolicy object = { + type: 'Notary' + status: 'disabled' +} + @description('Zone redundancy setting') param zoneRedundancy string = 'Disabled' @description('The log analytics workspace ID used for logging and monitoring') param workspaceId string = '' -// 2022-02-01-preview needed for anonymousPullEnabled -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = { +// 2023-11-01-preview needed for metadataSearch +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = { name: name location: location tags: tags 
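Review bot: `metadataSearch` is declared as a free-form string, so an invalid value is only rejected at deployment time; other modules in this series constrain such switches, e.g. `@allowed([ 'Enabled', 'Disabled' ])` on `publicNetworkAccess` in cognitiveservices.bicep. Add the same decorator above `param metadataSearch string = 'Disabled'`. The new policy objects (`quarantinePolicy`, `trustPolicy`, `retentionPolicy`, `softDeletePolicy`) all default to `status: 'disabled'` while `exportPolicy` defaults to `'enabled'`; a short comment saying these mirror the service defaults, if that is the intent, would tell a reader that the module does not harden the registry by itself. The resource now also depends on a preview API version (`2023-11-01-preview`) solely for `metadataSearch`.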
@@ -44,10 +84,24 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr anonymousPullEnabled: anonymousPullEnabled dataEndpointEnabled: dataEndpointEnabled encryption: encryption + metadataSearch: metadataSearch networkRuleBypassOptions: networkRuleBypassOptions + policies:{ + quarantinePolicy: quarantinePolicy + trustPolicy: trustPolicy + retentionPolicy: retentionPolicy + exportPolicy: exportPolicy + azureADAuthenticationAsArmPolicy: azureADAuthenticationAsArmPolicy + softDeletePolicy: softDeletePolicy + } publicNetworkAccess: publicNetworkAccess zoneRedundancy: zoneRedundancy } + + resource scopeMap 'scopeMaps' = [for scopeMap in scopeMaps: { + name: scopeMap.name + properties: scopeMap.properties + }] } // TODO: Update diagnostics to be its own module @@ -78,5 +132,6 @@ resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' } } +output id string = containerRegistry.id output loginServer string = containerRegistry.properties.loginServer output name string = containerRegistry.name diff --git a/infra/core/monitor/applicationinsights-dashboard.bicep b/infra/core/monitor/applicationinsights-dashboard.bicep index b7af2c1a..d082e668 100644 --- a/infra/core/monitor/applicationinsights-dashboard.bicep +++ b/infra/core/monitor/applicationinsights-dashboard.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates a dashboard for an Application Insights instance.' param name string param applicationInsightsName string param location string = resourceGroup().location diff --git a/infra/core/monitor/applicationinsights.bicep b/infra/core/monitor/applicationinsights.bicep index 9cb81432..850e9fe1 100644 --- a/infra/core/monitor/applicationinsights.bicep +++ b/infra/core/monitor/applicationinsights.bicep 
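Review bot: Each entry of `scopeMaps` is forwarded as `properties: scopeMap.properties` with no description of the expected shape, and scope maps decide which repository actions a registry token may perform. The parameter (declared in the previous hunk as `param scopeMaps array = []`) should document the item shape, e.g. `@description('Scope maps to create; each item is { name: string, properties: { actions: string[], description: string } }')`, so that a reviewer of a calling template can see which permissions are being granted. The loop variable also reuses the resource's symbolic name `scopeMap`, which is easy to misread; `for map in scopeMaps` would be clearer. The `containerRegistry` resource starts outside this hunk.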
@@ -1,8 +1,8 @@ +metadata description = 'Creates an Application Insights instance based on an existing Log Analytics workspace.' param name string -param dashboardName string +param dashboardName string = '' param location string = resourceGroup().location param tags object = {} -param includeDashboard bool = true param logAnalyticsWorkspaceId string resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { @@ -16,7 +16,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { } } -module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if (includeDashboard) { +module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if (!empty(dashboardName)) { name: 'application-insights-dashboard' params: { name: dashboardName @@ -26,5 +26,6 @@ module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if } output connectionString string = applicationInsights.properties.ConnectionString +output id string = applicationInsights.id output instrumentationKey string = applicationInsights.properties.InstrumentationKey output name string = applicationInsights.name diff --git a/infra/core/monitor/loganalytics.bicep b/infra/core/monitor/loganalytics.bicep index 770544cc..33f9dc29 100644 --- a/infra/core/monitor/loganalytics.bicep +++ b/infra/core/monitor/loganalytics.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates a Log Analytics workspace.' param name string param location string = resourceGroup().location param tags object = {} diff --git a/infra/core/monitor/monitoring.bicep b/infra/core/monitor/monitoring.bicep index 862ef439..74761258 100644 --- a/infra/core/monitor/monitoring.bicep +++ b/infra/core/monitor/monitoring.bicep 
@@ -1,10 +1,9 @@ +metadata description = 'Creates an Application Insights instance and a Log Analytics workspace.' param logAnalyticsName string -param includeApplicationInsights bool = false param applicationInsightsName string -param applicationInsightsDashboardName string +param applicationInsightsDashboardName string = '' param location string = resourceGroup().location param tags object = {} -param includeDashboard bool = true module logAnalytics 'loganalytics.bicep' = { name: 'loganalytics' @@ -15,20 +14,20 @@ module logAnalytics 'loganalytics.bicep' = { } } -module applicationInsights 'applicationinsights.bicep' = if (includeApplicationInsights) { +module applicationInsights 'applicationinsights.bicep' = { name: 'applicationinsights' params: { name: applicationInsightsName location: location tags: tags dashboardName: applicationInsightsDashboardName - includeDashboard: includeDashboard logAnalyticsWorkspaceId: logAnalytics.outputs.id } } -output applicationInsightsConnectionString string = includeApplicationInsights ? applicationInsights.outputs.connectionString : '' -output applicationInsightsInstrumentationKey string = includeApplicationInsights ? applicationInsights.outputs.instrumentationKey : '' -output applicationInsightsName string = includeApplicationInsights ? applicationInsights.outputs.name : '' +output applicationInsightsConnectionString string = applicationInsights.outputs.connectionString +output applicationInsightsId string = applicationInsights.outputs.id +output applicationInsightsInstrumentationKey string = applicationInsights.outputs.instrumentationKey +output applicationInsightsName string = applicationInsights.outputs.name output logAnalyticsWorkspaceId string = logAnalytics.outputs.id output logAnalyticsWorkspaceName string = logAnalytics.outputs.name diff --git a/infra/core/search/search-services.bicep b/infra/core/search/search-services.bicep index 399a8f3f..33fd83e1 100644 --- a/infra/core/search/search-services.bicep 
+++ b/infra/core/search/search-services.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure AI Search instance.' param name string param location string = resourceGroup().location param tags object = {} @@ -35,15 +36,18 @@ param replicaCount int = 1 ]) param semanticSearch string = 'disabled' +var searchIdentityProvider = (sku.name == 'free') ? null : { + type: 'SystemAssigned' +} + resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = { name: name location: location tags: tags - identity: { - type: 'SystemAssigned' - } + // The free tier does not support managed identity + identity: searchIdentityProvider properties: { - authOptions: authOptions + authOptions: disableLocalAuth ? null : authOptions disableLocalAuth: disableLocalAuth disabledDataExfiltrationOptions: disabledDataExfiltrationOptions encryptionWithCmk: encryptionWithCmk @@ -60,3 +64,5 @@ resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = { output id string = search.id output endpoint string = 'https://${name}.search.windows.net/' output name string = search.name +output principalId string = !empty(searchIdentityProvider) ? search.identity.principalId : '' + diff --git a/infra/core/security/keyvault-access.bicep b/infra/core/security/keyvault-access.bicep index aa989ebd..316775f2 100644 --- a/infra/core/security/keyvault-access.bicep +++ b/infra/core/security/keyvault-access.bicep @@ -1,3 +1,4 @@ +metadata description = 'Assigns an Azure Key Vault access policy.' param name string = 'add' param keyVaultName string diff --git a/infra/core/security/keyvault-secret.bicep b/infra/core/security/keyvault-secret.bicep index 5f786ce5..7441b296 100644 --- a/infra/core/security/keyvault-secret.bicep +++ b/infra/core/security/keyvault-secret.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates or updates a secret in an Azure Key Vault.' param name string param tags object = {} param keyVaultName string 
diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep index 0eb4a86d..663ec00b 100644 --- a/infra/core/security/keyvault.bicep +++ b/infra/core/security/keyvault.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure Key Vault.' param name string param location string = resourceGroup().location param tags object = {} @@ -22,4 +23,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { } output endpoint string = keyVault.properties.vaultUri +output id string = keyVault.id output name string = keyVault.name diff --git a/infra/core/security/registry-access.bicep b/infra/core/security/registry-access.bicep index e17e4045..fc66837a 100644 --- a/infra/core/security/registry-access.bicep +++ b/infra/core/security/registry-access.bicep @@ -1,3 +1,4 @@ +metadata description = 'Assigns ACR Pull permissions to access an Azure Container Registry.' param containerRegistryName string param principalId string @@ -13,6 +14,6 @@ resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = { } } -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = { +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = { name: containerRegistryName } diff --git a/infra/core/security/role.bicep b/infra/core/security/role.bicep index dca01e18..0b30cfd3 100644 --- a/infra/core/security/role.bicep +++ b/infra/core/security/role.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates a role assignment for a service principal.' param principalId string @allowed([ diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep index fcc7df7d..6149fb2f 100644 --- a/infra/core/storage/storage-account.bicep +++ b/infra/core/storage/storage-account.bicep @@ -1,3 +1,4 @@ +metadata description = 'Creates an Azure storage account.' param name string param location string = resourceGroup().location param tags object = {} 
@@ -11,13 +12,18 @@ param allowBlobPublicAccess bool = true param allowCrossTenantReplication bool = true param allowSharedKeyAccess bool = true param containers array = [] -param supportsHttpsTrafficOnly bool = true +param corsRules array = [] param defaultToOAuthAuthentication bool = false param deleteRetentionPolicy object = {} @allowed([ 'AzureDnsZone', 'Standard' ]) param dnsEndpointType string = 'Standard' +param files array = [] param kind string = 'StorageV2' param minimumTlsVersion string = 'TLS1_2' +param queues array = [] +param shareDeleteRetentionPolicy object = {} +param supportsHttpsTrafficOnly bool = true +param tables array = [] param networkAcls object = { bypass: 'AzureServices' defaultAction: 'Allow' @@ -26,7 +32,7 @@ param networkAcls object = { param publicNetworkAccess string = 'Enabled' param sku object = { name: 'Standard_LRS' } -resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = { +resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = { name: name location: location tags: tags @@ -48,6 +54,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = { resource blobServices 'blobServices' = if (!empty(containers)) { name: 'default' properties: { + cors: { + corsRules: corsRules + } deleteRetentionPolicy: deleteRetentionPolicy } resource container 'containers' = [for container in containers: { 
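Review bot: `corsRules` is passed straight into the `blobServices` `cors` block with no description, and the following hunk applies the same list to `fileServices`, so one permissive rule (for example an `allowedOrigins` entry of `*`) opens cross-origin access on both services at once. Add a description on the parameter such as `@description('CORS rules applied to the blob and file services; keep allowedOrigins to explicit origins')`. Note that `blobServices` is still only deployed when `containers` is non-empty, so CORS rules supplied without containers are silently ignored. The `storage` resource body extends beyond this hunk.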
@@ -57,7 +66,36 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = { } }] } + + resource fileServices 'fileServices' = if (!empty(files)) { + name: 'default' + properties: { + cors: { + corsRules: corsRules + } + shareDeleteRetentionPolicy: shareDeleteRetentionPolicy + } + } + + resource queueServices 'queueServices' = if (!empty(queues)) { + name: 'default' + properties: { + + } + resource queue 'queues' = [for queue in queues: { + name: queue.name + properties: { + metadata: {} + } + }] + } + + resource tableServices 'tableServices' = if (!empty(tables)) { + name: 'default' + properties: {} + } } +output id string = storage.id output name string = storage.name output primaryEndpoints object = storage.properties.primaryEndpoints From ee9d6527bd93eb731ddce17575dd36165038bb22 Mon Sep 17 00:00:00 2001 From: Frank Date: Mon, 27 May 2024 13:54:48 -0400 Subject: [PATCH 2/5] adding some exception and remove extra param --- .../monitor/applicationinsights-dashboard.bicep | 16 ++++++++++++++++ infra/core/monitor/monitoring.bicep | 4 +++- infra/main.bicep | 1 - 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/infra/core/monitor/applicationinsights-dashboard.bicep b/infra/core/monitor/applicationinsights-dashboard.bicep index d082e668..fcd37ac5 100644 --- a/infra/core/monitor/applicationinsights-dashboard.bicep +++ b/infra/core/monitor/applicationinsights-dashboard.bicep @@ -34,10 +34,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/AspNetOverviewPinnedPart' + #disable-next-line BCP037 asset: { idInputName: 'id' type: 'ApplicationInsights' } + #disable-next-line BCP037 defaultMenuItemId: 'overview' } } 
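Review bot: `files` and `tables` are used only as switches: `fileServices` and `tableServices` are created when the arrays are non-empty, but no `shares` or `tables` child resources are declared, unlike `queues`, which loops over its items. A caller listing shares or tables will get a successful deployment with none of them created. Either add the loops, e.g. `resource share 'shares' = [for file in files: { name: file.name }]` and `resource table 'tables' = [for table in tables: { name: table.name }]` (assuming items carry a `name`, as `queue.name` does), or document the two parameters as toggles. The empty `properties: { }` under `queueServices` can be dropped.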
@@ -65,10 +67,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/ProactiveDetectionAsyncPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' } + #disable-next-line BCP037 defaultMenuItemId: 'ProactiveDetection' } } @@ -96,6 +100,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/QuickPulseButtonSmallPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' @@ -137,6 +142,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/AvailabilityNavButtonPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' @@ -178,6 +184,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/AppMapButtonPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' @@ -236,6 +243,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/UsageUsersOverviewPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' @@ -298,11 +306,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/CuratedBladeFailuresPinnedPart' + #disable-next-line BCP037 isAdapter: true + #disable-next-line BCP037 asset: { idInputName: 'ResourceId' type: 'ApplicationInsights' } + #disable-next-line BCP037 defaultMenuItemId: 'failures' } } 
@@ -362,11 +373,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/CuratedBladePerformancePinnedPart' + #disable-next-line BCP037 isAdapter: true + #disable-next-line BCP037 asset: { idInputName: 'ResourceId' type: 'ApplicationInsights' } + #disable-next-line BCP037 defaultMenuItemId: 'performance' } } @@ -453,10 +467,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr ] #disable-next-line BCP036 type: 'Extension/AppInsightsExtension/PartType/MetricsExplorerBladePinnedPart' + #disable-next-line BCP037 asset: { idInputName: 'ComponentId' type: 'ApplicationInsights' } + #disable-next-line BCP037 defaultMenuItemId: 'browser' } } diff --git a/infra/core/monitor/monitoring.bicep b/infra/core/monitor/monitoring.bicep index 74761258..a95a50dc 100644 --- a/infra/core/monitor/monitoring.bicep +++ b/infra/core/monitor/monitoring.bicep @@ -1,10 +1,12 @@ metadata description = 'Creates an Application Insights instance and a Log Analytics workspace.' param logAnalyticsName string +param includeApplicationInsights bool = false param applicationInsightsName string param applicationInsightsDashboardName string = '' param location string = resourceGroup().location param tags object = {} + module logAnalytics 'loganalytics.bicep' = { name: 'loganalytics' params: { @@ -14,7 +16,7 @@ module logAnalytics 'loganalytics.bicep' = { } } -module applicationInsights 'applicationinsights.bicep' = { +module applicationInsights 'applicationinsights.bicep' = if(includeApplicationInsights) { name: 'applicationinsights' params: { name: applicationInsightsName diff --git a/infra/main.bicep b/infra/main.bicep index eb1225ea..65a5b091 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
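Review bot: In monitoring.bicep, `applicationInsights` is conditional again (`if(includeApplicationInsights)`), but the outputs rewritten in patch 1/5 still read `applicationInsights.outputs.connectionString`, `.id`, `.instrumentationKey` and `.name` unconditionally, and the default is `includeApplicationInsights bool = false`. With the default, those outputs reference a module that is not deployed, which I would expect to fail the deployment or at least be flagged by the compiler. Restore the guards, e.g. `output applicationInsightsConnectionString string = includeApplicationInsights ? applicationInsights.outputs.connectionString : ''`, and apply the same ternary to the other three outputs. The outputs are outside this hunk, so this is based on their last visible state in patch 1/5.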
@@ -383,7 +383,6 @@ module monitoring 'core/monitor/monitoring.bicep' = { params: { location: location tags: updatedTags - includeDashboard: false includeApplicationInsights: true logAnalyticsName: !empty(logAnalyticsName) ? logAnalyticsName : '${abbrs.operationalInsightsWorkspaces}${resourceToken}' applicationInsightsName: !empty(applicationInsightsName) ? applicationInsightsName : '${abbrs.insightsComponents}${resourceToken}' From 9b4993e453e34e9b7ff4c3debab06adaa0f6d2ff Mon Sep 17 00:00:00 2001 From: Frank Date: Wed, 5 Jun 2024 16:10:11 -0400 Subject: [PATCH 3/5] adding SystemAssigned identity --- infra/core/ai/cognitiveservices.bicep | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 76778e61..37d169d2 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep @@ -27,11 +27,14 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { location: location tags: tags kind: kind + identity: { + type: 'SystemAssigned' + } properties: { customSubDomainName: customSubDomainName publicNetworkAccess: publicNetworkAccess networkAcls: networkAcls - disableLocalAuth: disableLocalAuth + disableLocalAuth: true } sku: sku } From bbf02c4ed6606c992263fdc7ef290bab735c4ce2 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Thu, 6 Jun 2024 10:35:22 +1000 Subject: [PATCH 4/5] disableLocalAuth should pass the parameter --- infra/core/ai/cognitiveservices.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 37d169d2..44add42e 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep 
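Review bot: In patch 3/5 the account gets `identity: { type: 'SystemAssigned' }`, but the module exposes no `principalId` output (its outputs in patch 1/5 are `endpoint`, `endpoints`, `id` and `name`), so callers cannot grant that identity any role; search-services.bicep in the same series adds `output principalId string`. I would add `output principalId string = account.identity.principalId`. This hunk also hard-codes `disableLocalAuth: true` while `param disableLocalAuth bool = false` is still declared, so a caller's value is silently ignored until the parameter is removed in patch 5/5. The `account` resource starts above the hunk.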
@@ -34,7 +34,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { customSubDomainName: customSubDomainName publicNetworkAccess: publicNetworkAccess networkAcls: networkAcls - disableLocalAuth: true + disableLocalAuth: disableLocalAuth } sku: sku } From 4324e72d1ab9a5b57113807a5c361ddb4806df10 Mon Sep 17 00:00:00 2001 From: Frank Date: Thu, 6 Jun 2024 10:43:46 -0400 Subject: [PATCH 5/5] force disableLocalAuth to true --- infra/core/ai/cognitiveservices.bicep | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 44add42e..3588072c 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep @@ -4,7 +4,6 @@ param location string = resourceGroup().location param tags object = {} @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.') param customSubDomainName string = name -param disableLocalAuth bool = false param deployments array = [] param kind string = 'OpenAI' @@ -34,7 +33,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = { customSubDomainName: customSubDomainName publicNetworkAccess: publicNetworkAccess networkAcls: networkAcls - disableLocalAuth: disableLocalAuth + disableLocalAuth: true } sku: sku }
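Review bot: With `disableLocalAuth: true` fixed and the parameter removed in patch 5/5, the module should say so where a maintainer will look, with a comment above the property such as `// Key-based (local) authentication is always disabled; clients authenticate with Microsoft Entra ID and need a data-plane role assignment`. No role assignment for calling identities is visible in this series, so it is worth confirming one exists elsewhere in the repository before merging. Any template that still passes `disableLocalAuth` to this module will stop compiling, which also merits a line in the commit message. This applies to the final `@@ -34,7 +33,7 @@` hunk; the `account` resource begins outside it.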