Dev pipeline issue fix

Co-authored-by: Copilot <copilot@github.com>

Author: AjitPadhi-Microsoft

extensions/teams/infra/azure.bicep

@@ -52,7 +52,7 @@ resource webApp 'Microsoft.Web/sites@2024-04-01' = {
     httpsOnly: true
     siteConfig: {
       alwaysOn: true
-      minTlsVersion: '1.2'
+      minTlsVersion: '1.3'
       appSettings: [
         {
           name: 'WEBSITE_RUN_FROM_PACKAGE'

infra/main.bicep

@@ -857,7 +857,6 @@ module keyvault './modules/key-vault/vault/vault.bicep' = {
     enableVaultForDeployment: true
     enableVaultForDiskEncryption: true
     enableVaultForTemplateDeployment: true
-    enableRbacAuthorization: true
     enableSoftDelete: true
     softDeleteRetentionInDays: 7
     diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: monitoring!.outputs.logAnalyticsWorkspaceId }] : null

infra/main.json

@@ -83,7 +83,7 @@ var siteConfig = {
   cors: {
     allowedOrigins: allowedOrigins
   }
-  minTlsVersion: '1.2'
+  minTlsVersion: '1.3'
 }
 
 // Build the configs array expected by the child module (appsettings config)

infra/modules/app/adminweb.bicep

@@ -30,63 +30,84 @@ param logAnalyticsWorkspaceResourceId string = ''
 @description('Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-module avmEventGridSystemTopic 'br/public:avm/res/event-grid/system-topic:0.6.4' = {
-  name: take('avm.res.event-grid.system-topic.${name}', 64)
-  params: {
-    name: name
+var userAssignedIdentities = {
+  '${userAssignedResourceId}': {}
+}
+
+#disable-next-line no-deployments-resources
+resource telemetry 'Microsoft.Resources/deployments@2025-04-01' = if (enableTelemetry) {
+  name: 'eventgrid.${substring(uniqueString(deployment().name, location), 0, 6)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource systemTopic 'Microsoft.EventGrid/systemTopics@2025-02-15' = {
+  name: name
+  location: location
+  tags: tags
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: userAssignedIdentities
+  }
+  properties: {
     source: storageAccountId
     topicType: 'Microsoft.Storage.StorageAccounts'
-    location: location
-    diagnosticSettings: enableMonitoring
-      ? [
-          {
-            name: 'diagnosticSettings'
-            workspaceResourceId: logAnalyticsWorkspaceResourceId
-            metricCategories: [
-              {
-                category: 'AllMetrics'
-              }
-            ]
-          }
-        ]
-      : []
-    eventSubscriptions: [
-      {
-        name: name
-        deliveryWithResourceIdentity: {
-          identity: {
-            type: 'UserAssigned'
-            userAssignedIdentity: userAssignedResourceId
-          }
-          destination: {
-            endpointType: 'StorageQueue'
-            properties: {
-              queueName: queueName
-              resourceId: storageAccountId
-            }
-          }
-        }
-        eventDeliverySchema: 'EventGridSchema'
-        filter: {
-          includedEventTypes: [
-            'Microsoft.Storage.BlobCreated'
-            'Microsoft.Storage.BlobDeleted'
-          ]
-          enableAdvancedFilteringOnArrays: true
-          subjectBeginsWith: '/blobServices/default/containers/${blobContainerName}/blobs/'
-        }
-        retryPolicy: {
-          maxDeliveryAttempts: 30
-          eventTimeToLiveInMinutes: 1440
+  }
+}
+
+resource eventSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2025-02-15' = {
+  parent: systemTopic
+  name: name
+  properties: {
+    deliveryWithResourceIdentity: {
+      identity: {
+        type: 'UserAssigned'
+        userAssignedIdentity: userAssignedResourceId
+      }
+      destination: {
+        endpointType: 'StorageQueue'
+        properties: {
+          queueName: queueName
+          resourceId: storageAccountId
         }
-        expirationTimeUtc: empty(expirationTimeUtc) ? null : expirationTimeUtc
+      }
+    }
+    eventDeliverySchema: 'EventGridSchema'
+    filter: {
+      includedEventTypes: [
+        'Microsoft.Storage.BlobCreated'
+        'Microsoft.Storage.BlobDeleted'
+      ]
+      enableAdvancedFilteringOnArrays: true
+      subjectBeginsWith: '/blobServices/default/containers/${blobContainerName}/blobs/'
+    }
+    retryPolicy: {
+      maxDeliveryAttempts: 30
+      eventTimeToLiveInMinutes: 1440
+    }
+    expirationTimeUtc: empty(expirationTimeUtc) ? null : expirationTimeUtc
+  }
+}
+
+#disable-next-line use-recent-api-versions
+resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (enableMonitoring && !empty(logAnalyticsWorkspaceResourceId)) {
+  name: 'diagnosticSettings'
+  properties: {
+    workspaceId: logAnalyticsWorkspaceResourceId
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
       }
     ]
-    // Use only user-assigned identity
-    managedIdentities: { systemAssigned: false, userAssignedResourceIds: [userAssignedResourceId] }
-    tags: tags
-    enableTelemetry: enableTelemetry
   }
+  scope: systemTopic
 }
 
-output name string = avmEventGridSystemTopic.outputs.name
+output name string = systemTopic.name

infra/modules/app/eventgrid.bicep

@@ -85,7 +85,7 @@ var siteConfig = {
   cors: {
     allowedOrigins: allowedOrigins
   }
-  minTlsVersion: '1.2'
+  minTlsVersion: '1.3'
 }
 
 // Build the configs array expected by the child module (appsettings config)

infra/modules/app/web.bicep

@@ -28,6 +28,9 @@ param serverFarmResourceId string
 param managedEnvironmentId string?
 
 @description('Optional. Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests.')
+@allowed([
+  true
+])
 param httpsOnly bool = true
 
 @description('Optional. If client affinity is enabled.')
@@ -63,10 +66,10 @@ param vnetRouteAllEnabled bool = false
 @description('Optional. Stop SCM (KUDU) site when the app is stopped.')
 param scmSiteAlsoStopped bool = false
 
-@description('Optional. The site config object. The defaults are set to the following values: alwaysOn: true, minTlsVersion: \'1.2\', ftpsState: \'FtpsOnly\'.')
+@description('Optional. The site config object. The defaults are set to the following values: alwaysOn: true, minTlsVersion: \'1.3\', ftpsState: \'FtpsOnly\'.')
 param siteConfig object = {
   alwaysOn: true
-  minTlsVersion: '1.2'
+  minTlsVersion: '1.3'
   ftpsState: 'FtpsOnly'
 }
 
@@ -171,6 +174,12 @@ var identity = !empty(managedIdentities)
     }
   : null
 
+// Enforce security-critical web settings regardless of caller-provided siteConfig.
+var enforcedSiteConfig = union(siteConfig, {
+  ftpsState: 'FtpsOnly'
+  minTlsVersion: '1.3'
+})
+
 resource app 'Microsoft.Web/sites@2024-04-01' = {
   name: name
   location: location
@@ -190,7 +199,7 @@ resource app 'Microsoft.Web/sites@2024-04-01' = {
     storageAccountRequired: storageAccountRequired
     keyVaultReferenceIdentity: keyVaultAccessIdentityResourceId
     virtualNetworkSubnetId: virtualNetworkSubnetId
-    siteConfig: siteConfig
+    siteConfig: enforcedSiteConfig
     functionAppConfig: functionAppConfig
     clientCertEnabled: clientCertEnabled
     clientCertExclusionPaths: clientCertExclusionPaths

infra/modules/core/host/appservice.bicep

@@ -182,7 +182,7 @@ module functions 'appservice.bicep' = {
         allowedOrigins: allowedOrigins
       }
       healthCheckPath: healthCheckPath
-      minTlsVersion: '1.2'
+      minTlsVersion: '1.3'
       ftpsState: 'FtpsOnly'
     }
     serverFarmResourceId: serverFarmResourceId

infra/modules/core/host/functions.bicep

@@ -79,14 +79,9 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' existing
   scope: resourceGroup(split(storageAccountResourceId!, '/')[2], split(storageAccountResourceId!, '/')[4])
 }
 
-resource app 'Microsoft.Web/sites@2024-04-01' existing = {
-  name: appName
-}
-
 resource config 'Microsoft.Web/sites/config@2024-04-01' = {
-  parent: app
+  name: '${appName}/${name}'
   #disable-next-line BCP225
-  name: name
   properties: expandedProperties
 }
 

infra/modules/core/host/web-sites.config.bicep

@@ -78,21 +78,14 @@ var containerResourceParams = union(
     : {}
 )
 
-resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' existing = {
-  name: databaseAccountName
-
-  resource sqlDatabase 'sqlDatabases@2024-11-15' existing = {
-    name: sqlDatabaseName
-  }
-}
+var databaseAccountResourceId = resourceId('Microsoft.DocumentDB/databaseAccounts', databaseAccountName)
 
 resource container 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-10-15' = {
-  name: name
-  parent: databaseAccount::sqlDatabase
-  tags: tags
+  name: '${databaseAccountName}/${sqlDatabaseName}/${name}'
+  tags: tags ?? {}
   properties: {
     resource: containerResourceParams
-    options: contains(databaseAccount.properties.capabilities, { name: 'EnableServerless' })
+    options: contains(reference(databaseAccountResourceId, '2025-10-15', 'Full').properties.capabilities, { name: 'EnableServerless' })
       ? null
       : {
           throughput: autoscaleSettingsMaxThroughput == null && throughput != -1 ? throughput : null