Update core AZD bicep modules from the official repo

infra/core/ai/cognitiveservices.bicep

@@ -1,16 +1,14 @@
+metadata description = 'Creates an Azure Cognitive Services instance.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
-
-
 param deployments array = []
 param kind string = 'OpenAI'
 
 @allowed([ 'Enabled', 'Disabled' ])
 param publicNetworkAccess string = 'Enabled'
-
 param sku object = {
   name: 'S0'
 }
@@ -28,10 +26,14 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   location: location
   tags: tags
   kind: kind
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
     networkAcls: networkAcls
+    disableLocalAuth: true
   }
   sku: sku
 }
@@ -51,5 +53,6 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01
 }]
 
 output endpoint string = account.properties.endpoint
+output endpoints object = account.properties.endpoints
 output id string = account.id
 output name string = account.name

infra/core/host/appservice.bicep

@@ -65,16 +65,6 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
 
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
 
-  resource configLogs 'config' = {
-    name: 'logs'
-    properties: {
-      applicationLogs: { fileSystem: { level: 'Verbose' } }
-      detailedErrorMessages: { enabled: true }
-      failedRequestsTracing: { enabled: true }
-      httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
-    }
-  }
-
   resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
     name: 'ftp'
     properties: {
@@ -90,7 +80,9 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
   }
 }
 
-module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) {
+// Updates to the single Microsoft.sites/web/config resources that need to be performed sequentially
+// sites/web/config 'appsettings'
+module configAppSettings 'appservice-appsettings.bicep' = {
   name: '${name}-appSettings'
   params: {
     name: appService.name
@@ -99,12 +91,25 @@ module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) {
         SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment)
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
       },
-      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true' } : {},
+      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {},
       !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
   }
 }
 
+// sites/web/config 'logs'
+resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'logs'
+  parent: appService
+  properties: {
+    applicationLogs: { fileSystem: { level: 'Verbose' } }
+    detailedErrorMessages: { enabled: true }
+    failedRequestsTracing: { enabled: true }
+    httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
+  }
+  dependsOn: [configAppSettings]
+}
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
   name: keyVaultName
 }

infra/core/host/container-app-upsert.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates or updates an existing Azure Container App.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -25,6 +26,9 @@ param containerName string = 'main'
 @description('The name of the container registry')
 param containerRegistryName string = ''
 
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @allowed([ 'http', 'grpc' ])
 @description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
 param daprAppProtocol string = 'http'
@@ -52,12 +56,13 @@ param identityName string = ''
 param imageName string = ''
 
 @description('The secrets required for the container')
-param secrets array = []
+@secure()
+param secrets object = {}
 
 @description('The environment variables for the container')
 param env array = []
 
-@description('Specifies if the resource is external')
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
 
 @description('The service binds associated with the container')
@@ -66,7 +71,7 @@ param serviceBinds array = []
 @description('The target port for the container')
 param targetPort int = 80
 
-resource existingApp 'Microsoft.App/containerApps@2023-04-01-preview' existing = if (exists) {
+resource existingApp 'Microsoft.App/containerApps@2023-05-02-preview' existing = if (exists) {
   name: name
 }
 
@@ -82,6 +87,7 @@ module app 'container-app.bicep' = {
     containerName: containerName
     containerAppsEnvironmentName: containerAppsEnvironmentName
     containerRegistryName: containerRegistryName
+    containerRegistryHostSuffix: containerRegistryHostSuffix
     containerCpuCoreCount: containerCpuCoreCount
     containerMemory: containerMemory
     containerMinReplicas: containerMinReplicas

infra/core/host/container-app.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates a container app in an Azure Container App environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -27,6 +28,9 @@ param containerName string = 'main'
 @description('The name of the container registry')
 param containerRegistryName string = ''
 
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @description('The protocol used by Dapr to connect to the app, e.g., http or grpc')
 @allowed([ 'http', 'grpc' ])
 param daprAppProtocol string = 'http'
@@ -40,7 +44,7 @@ param daprEnabled bool = false
 @description('The environment variables for the container')
 param env array = []
 
-@description('Specifies if the resource is external')
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
 
 @description('The name of the user-assigned identity')
@@ -59,7 +63,8 @@ param ingressEnabled bool = true
 param revisionMode string = 'Single'
 
 @description('The secrets required for the container')
-param secrets array = []
+@secure()
+param secrets object = {}
 
 @description('The service binds associated with the container')
 param serviceBinds array = []
@@ -88,7 +93,7 @@ module containerRegistryAccess '../security/registry-access.bicep' = if (usePriv
   }
 }
 
-resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
+resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
   name: name
   location: location
   tags: tags
@@ -119,11 +124,14 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
         appProtocol: daprAppProtocol
         appPort: ingressEnabled ? targetPort : 0
       } : { enabled: false }
-      secrets: secrets
+      secrets: [for secret in items(secrets): {
+        name: secret.key
+        value: secret.value
+      }]
       service: !empty(serviceType) ? { type: serviceType } : null
       registries: usePrivateRegistry ? [
         {
-          server: '${containerRegistryName}.azurecr.io'
+          server: '${containerRegistryName}.${containerRegistryHostSuffix}'
           identity: userIdentity.id
         }
       ] : []
@@ -149,7 +157,7 @@ resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
   }
 }
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' existing = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
   name: containerAppsEnvironmentName
 }
 

infra/core/host/container-apps-environment.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -11,7 +12,7 @@ param daprEnabled bool = false
 @description('Name of the Log Analytics workspace')
 param logAnalyticsWorkspaceName string
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
   name: name
   location: location
   tags: tags

infra/core/host/container-apps.bicep

@@ -1,10 +1,12 @@
+metadata description = 'Creates an Azure Container Registry and an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
 param containerAppsEnvironmentName string
 param containerRegistryName string
 param containerRegistryResourceGroupName string = ''
+param containerRegistryAdminUserEnabled bool = false
 param logAnalyticsWorkspaceName string
 param applicationInsightsName string = ''
 
@@ -25,6 +27,7 @@ module containerRegistry 'container-registry.bicep' = {
   params: {
     name: containerRegistryName
     location: location
+    adminUserEnabled: containerRegistryAdminUserEnabled
     tags: tags
   }
 }

infra/core/host/container-registry.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure Container Registry.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -8,6 +9,11 @@ param adminUserEnabled bool = false
 @description('Indicates whether anonymous pull is enabled')
 param anonymousPullEnabled bool = false
 
+@description('Azure ad authentication as arm policy settings')
+param azureADAuthenticationAsArmPolicy object = {
+  status: 'enabled'
+}
+
 @description('Indicates whether data endpoint is enabled')
 param dataEndpointEnabled bool = false
 
@@ -16,25 +22,59 @@ param encryption object = {
   status: 'disabled'
 }
 
+@description('Export policy settings')
+param exportPolicy object = {
+  status: 'enabled'
+}
+
+@description('Metadata search settings')
+param metadataSearch string = 'Disabled'
+
 @description('Options for bypassing network rules')
 param networkRuleBypassOptions string = 'AzureServices'
 
 @description('Public network access setting')
 param publicNetworkAccess string = 'Enabled'
 
+@description('Quarantine policy settings')
+param quarantinePolicy object = {
+  status: 'disabled'
+}
+
+@description('Retention policy settings')
+param retentionPolicy object = {
+  days: 7
+  status: 'disabled'
+}
+
+@description('Scope maps setting')
+param scopeMaps array = []
+
 @description('SKU settings')
 param sku object = {
   name: 'Basic'
 }
 
+@description('Soft delete policy settings')
+param softDeletePolicy object = {
+  retentionDays: 7
+  status: 'disabled'
+}
+
+@description('Trust policy settings')
+param trustPolicy object = {
+  type: 'Notary'
+  status: 'disabled'
+}
+
 @description('Zone redundancy setting')
 param zoneRedundancy string = 'Disabled'
 
 @description('The log analytics workspace ID used for logging and monitoring')
 param workspaceId string = ''
 
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
+// 2023-11-01-preview needed for metadataSearch
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
   name: name
   location: location
   tags: tags
@@ -44,10 +84,24 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
     anonymousPullEnabled: anonymousPullEnabled
     dataEndpointEnabled: dataEndpointEnabled
     encryption: encryption
+    metadataSearch: metadataSearch
     networkRuleBypassOptions: networkRuleBypassOptions
+    policies:{
+      quarantinePolicy: quarantinePolicy
+      trustPolicy: trustPolicy
+      retentionPolicy: retentionPolicy
+      exportPolicy: exportPolicy
+      azureADAuthenticationAsArmPolicy: azureADAuthenticationAsArmPolicy
+      softDeletePolicy: softDeletePolicy
+    }
     publicNetworkAccess: publicNetworkAccess
     zoneRedundancy: zoneRedundancy
   }
+
+  resource scopeMap 'scopeMaps' = [for scopeMap in scopeMaps: {
+    name: scopeMap.name
+    properties: scopeMap.properties
+  }]
 }
 
 // TODO: Update diagnostics to be its own module
@@ -78,5 +132,6 @@ resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview'
   }
 }
 
+output id string = containerRegistry.id
 output loginServer string = containerRegistry.properties.loginServer
 output name string = containerRegistry.name