fix: add vnetContentShareEnabled to web and admin web app modules

When private networking is enabled, web apps need vnetContentShareEnabled
to route content share traffic through VNet. Without this, DNS resolves
cognitive service endpoints to public IPs, causing 403 errors from
Content Safety and other services with private endpoints.

This extends the earlier Function App fix to also cover the web app
and admin web app modules.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Abdul-Microsoft

infra/main.bicep

@@ -1222,6 +1222,7 @@ module web 'modules/app/web.bicep' = {
     userAssignedIdentityResourceId: managedIdentityModule.outputs.resourceId
     diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: monitoring!.outputs.logAnalyticsWorkspaceId }] : []
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
+    vnetContentShareEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.webSubnetResourceId : ''
     publicNetworkAccess: 'Enabled' // Always enabling public network access
@@ -1409,6 +1410,7 @@ module adminweb 'modules/app/adminweb.bicep' = {
     // WAF parameters
     diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: monitoring!.outputs.logAnalyticsWorkspaceId }] : []
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
+    vnetContentShareEnabled: enablePrivateNetworking ? true : false
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.webSubnetResourceId : ''
     publicNetworkAccess: 'Enabled' // Always enabling public network access

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "3300593623201356935"
+      "templateHash": "17330836752643719139"
     }
   },
   "parameters": {
@@ -33279,6 +33279,7 @@
           },
           "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', reference('monitoring').outputs.logAnalyticsWorkspaceId.value))), createObject('value', createArray()))]",
           "vnetRouteAllEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
+          "vnetContentShareEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
           "vnetImagePullEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
           "virtualNetworkSubnetId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference('virtualNetwork').outputs.webSubnetResourceId.value), createObject('value', ''))]",
           "publicNetworkAccess": {
@@ -33297,7 +33298,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.42.1.51946",
-              "templateHash": "8683679294545259497"
+              "templateHash": "12236308682752581177"
             }
           },
           "parameters": {
@@ -33436,6 +33437,13 @@
                 "description": "Optional. To enable pulling image over Virtual Network."
               }
             },
+            "vnetContentShareEnabled": {
+              "type": "bool",
+              "defaultValue": false,
+              "metadata": {
+                "description": "Optional. To enable accessing content over Virtual Network."
+              }
+            },
             "vnetRouteAllEnabled": {
               "type": "bool",
               "defaultValue": false,
@@ -33528,6 +33536,9 @@
                   "vnetImagePullEnabled": {
                     "value": "[parameters('vnetImagePullEnabled')]"
                   },
+                  "vnetContentShareEnabled": {
+                    "value": "[parameters('vnetContentShareEnabled')]"
+                  },
                   "vnetRouteAllEnabled": {
                     "value": "[parameters('vnetRouteAllEnabled')]"
                   },
@@ -35502,6 +35513,7 @@
           "applicationInsightsName": "[if(parameters('enableMonitoring'), createObject('value', reference('monitoring').outputs.applicationInsightsName.value), createObject('value', ''))]",
           "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', reference('monitoring').outputs.logAnalyticsWorkspaceId.value))), createObject('value', createArray()))]",
           "vnetImagePullEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
+          "vnetContentShareEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
           "vnetRouteAllEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]",
           "virtualNetworkSubnetId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference('virtualNetwork').outputs.webSubnetResourceId.value), createObject('value', ''))]",
           "publicNetworkAccess": {
@@ -35516,7 +35528,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.42.1.51946",
-              "templateHash": "9592410913633598971"
+              "templateHash": "18093852877535318756"
             }
           },
           "parameters": {
@@ -35655,6 +35667,13 @@
                 "description": "Optional. To enable pulling image over Virtual Network."
               }
             },
+            "vnetContentShareEnabled": {
+              "type": "bool",
+              "defaultValue": false,
+              "metadata": {
+                "description": "Optional. To enable accessing content over Virtual Network."
+              }
+            },
             "vnetRouteAllEnabled": {
               "type": "bool",
               "defaultValue": false,
@@ -35747,6 +35766,9 @@
                   "vnetImagePullEnabled": {
                     "value": "[parameters('vnetImagePullEnabled')]"
                   },
+                  "vnetContentShareEnabled": {
+                    "value": "[parameters('vnetContentShareEnabled')]"
+                  },
                   "vnetRouteAllEnabled": {
                     "value": "[parameters('vnetRouteAllEnabled')]"
                   },
@@ -53873,9 +53895,9 @@
         }
       },
       "dependsOn": [
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
         "managedIdentityModule",
         "virtualNetwork"
       ]

infra/modules/app/adminweb.bicep

@@ -57,6 +57,9 @@ param diagnosticSettings array = []
 @description('Optional. To enable pulling image over Virtual Network.')
 param vnetImagePullEnabled bool = false
 
+@description('Optional. To enable accessing content over Virtual Network.')
+param vnetContentShareEnabled bool = false
+
 @description('Optional. Virtual Network Route All enabled.')
 param vnetRouteAllEnabled bool = false
 
@@ -69,7 +72,6 @@ param publicNetworkAccess string?
 @description('Optional. Configuration details for private endpoints.')
 param privateEndpoints array = []
 
-
 // Calculate the linuxFxVersion based on runtime or docker settings
 var linuxFxVersion = useDocker
   ? 'DOCKER|${dockerFullImageName}'
@@ -122,6 +124,7 @@ module adminweb '../core/host/appservice.bicep' = {
     configs: appConfigs
     diagnosticSettings: diagnosticSettings
     vnetImagePullEnabled: vnetImagePullEnabled
+    vnetContentShareEnabled: vnetContentShareEnabled
     vnetRouteAllEnabled: vnetRouteAllEnabled
     virtualNetworkSubnetId: virtualNetworkSubnetId
     publicNetworkAccess: empty(publicNetworkAccess) ? null : publicNetworkAccess

infra/modules/app/web.bicep

@@ -58,6 +58,9 @@ param diagnosticSettings array = []
 @description('Optional. To enable pulling image over Virtual Network.')
 param vnetImagePullEnabled bool = false
 
+@description('Optional. To enable accessing content over Virtual Network.')
+param vnetContentShareEnabled bool = false
+
 @description('Optional. Virtual Network Route All enabled.')
 param vnetRouteAllEnabled bool = false
 
@@ -124,6 +127,7 @@ module web '../core/host/appservice.bicep' = {
     configs: appConfigs
     diagnosticSettings: diagnosticSettings
     vnetImagePullEnabled: vnetImagePullEnabled
+    vnetContentShareEnabled: vnetContentShareEnabled
     vnetRouteAllEnabled: vnetRouteAllEnabled
     virtualNetworkSubnetId: virtualNetworkSubnetId
     publicNetworkAccess: empty(publicNetworkAccess) ? null : publicNetworkAccess