infra: enable system-assigned identity, add all toolkit modules, sync private-dns-zone and app-service updates

- Enable system-assigned managed identity on all 3 container apps (backend, frontend, processor) in both avm and bicep flavors
- Add all missing toolkit core modules (29 modules: ai-services, ai-search, app-service, container-instance, container-registry, function-app, kubernetes, cosmos-db-mongo, event-grid, event-hub, postgresql, sql-database, app-configuration, managed-identity, fabric-capacity, portal-dashboard, workbook, key-vault, etc.)
- Sync private-dns-zone.bicep with latest toolkit (added A records param, updated deployment name)
- Sync app-service.bicep with latest toolkit (added vnet routing, private endpoints params)
- Remove dead parameter files (bicep/main.parameters.json, bicep/main.waf.parameters.json)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Prachig-Microsoft

infra/avm/main.bicep

@@ -334,6 +334,7 @@ module ca_backend_api './modules/compute/container-app.bicep' = {
     location: solutionLocation
     tags: union(existingTags, tags, { TemplateName: 'Container Migration' })
     environmentResourceId: containerAppEnv.outputs.resourceId
+    managedIdentities: { systemAssigned: true }
     ingressExternal: true
     ingressTargetPort: 80
     enableTelemetry: enableTelemetry
@@ -387,6 +388,7 @@ module ca_frontend './modules/compute/container-app.bicep' = {
     location: solutionLocation
     tags: union(existingTags, tags, { TemplateName: 'Container Migration' })
     environmentResourceId: containerAppEnv.outputs.resourceId
+    managedIdentities: { systemAssigned: true }
     ingressExternal: true
     ingressTargetPort: 3000
     enableTelemetry: enableTelemetry
@@ -422,6 +424,7 @@ module ca_processor './modules/compute/container-app.bicep' = {
     location: solutionLocation
     tags: union(existingTags, tags, { TemplateName: 'Container Migration' })
     environmentResourceId: containerAppEnv.outputs.resourceId
+    managedIdentities: { systemAssigned: true }
     ingressExternal: false
     ingressTargetPort: 8080
     ingressAllowInsecure: true

infra/avm/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "1299675852282484186"
+      "templateHash": "12751579259960962504"
     }
   },
   "parameters": {
@@ -22725,6 +22725,11 @@
           "environmentResourceId": {
             "value": "[reference('containerAppEnv').outputs.resourceId.value]"
           },
+          "managedIdentities": {
+            "value": {
+              "systemAssigned": true
+            }
+          },
           "ingressExternal": {
             "value": true
           },
@@ -24646,6 +24651,11 @@
           "environmentResourceId": {
             "value": "[reference('containerAppEnv').outputs.resourceId.value]"
           },
+          "managedIdentities": {
+            "value": {
+              "systemAssigned": true
+            }
+          },
           "ingressExternal": {
             "value": true
           },
@@ -26493,6 +26503,11 @@
           "environmentResourceId": {
             "value": "[reference('containerAppEnv').outputs.resourceId.value]"
           },
+          "managedIdentities": {
+            "value": {
+              "systemAssigned": true
+            }
+          },
           "ingressExternal": {
             "value": false
           },

infra/avm/modules/ai/ai-search.bicep

@@ -0,0 +1,121 @@
+// ============================================================================
+// Module: AI Search
+// Description: Deploys Azure AI Search with a two-step pattern:
+//   Step 1: Plain Bicep resource for fast initial creation (name, location, SKU)
+//   Step 2: AVM module update to enable managed identity & full configuration
+// This reduces deployment time by making the resource available immediately
+// while identity enablement proceeds separately.
+// AVM Module: avm/res/search/search-service:0.12.0
+// WAF: https://learn.microsoft.com/azure/well-architected/service-guides/azure-cognitive-search
+// ============================================================================
+
+@description('Solution name suffix used to derive the resource name.')
+@minLength(3)
+param solutionName string
+
+@description('Optional. Override name for the search service. Defaults to srch-{solutionName}.')
+param name string = 'srch-${solutionName}'
+
+@description('Azure region for the resource.')
+param location string
+
+@description('Tags to apply to the resource.')
+param tags object = {}
+
+@description('SKU name for the search service.')
+@allowed(['free', 'basic', 'standard', 'standard2', 'standard3', 'storage_optimized_l1', 'storage_optimized_l2'])
+param skuName string = 'basic'
+
+@description('Number of replicas.')
+param replicaCount int = 1
+
+@description('Number of partitions.')
+param partitionCount int = 1
+
+@description('Hosting mode.')
+@allowed(['Default', 'HighDensity'])
+param hostingMode string = 'Default'
+
+@description('Semantic search tier.')
+@allowed(['disabled', 'free', 'standard'])
+param semanticSearch string = 'free'
+
+@description('Whether to disable local authentication.')
+param disableLocalAuth bool = true
+
+@description('Managed identity type for the search service.')
+param managedIdentityType string = 'SystemAssigned'
+
+@description('Public network access setting.')
+param publicNetworkAccess string = 'Enabled'
+
+// --- WAF: Telemetry ---
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+// --- WAF: Monitoring ---
+@description('Diagnostic settings for monitoring.')
+param diagnosticSettings array = []
+
+// --- WAF: Private Networking ---
+@description('Private endpoint configurations.')
+param privateEndpoints array = []
+
+// --- Role Assignments ---
+@description('Optional. Array of role assignments to create on the AI Search service.')
+param roleAssignments array = []
+
+// ============================================================================
+// Step 1: Initial resource creation (plain Bicep — fast)
+// ============================================================================
+resource searchService 'Microsoft.Search/searchServices@2025-05-01' = {
+  name: name
+  location: location
+  sku: {
+    name: skuName
+  }
+}
+
+// ============================================================================
+// Step 2: AVM update — enables identity & full configuration
+// ============================================================================
+module searchServiceUpdate 'br/public:avm/res/search/search-service:0.12.0' = {
+  name: take('avm.res.search.update.${name}', 64)
+  params: {
+    name: name
+    location: location
+    tags: tags
+    enableTelemetry: enableTelemetry
+    sku: skuName
+    replicaCount: replicaCount
+    partitionCount: partitionCount
+    hostingMode: hostingMode
+    semanticSearch: semanticSearch
+    disableLocalAuth: disableLocalAuth
+    publicNetworkAccess: publicNetworkAccess
+    managedIdentities: {
+      systemAssigned: managedIdentityType == 'SystemAssigned'
+    }
+    diagnosticSettings: !empty(diagnosticSettings) ? diagnosticSettings : []
+    privateEndpoints: privateEndpoints
+    roleAssignments: !empty(roleAssignments) ? roleAssignments : []
+  }
+  dependsOn: [
+    searchService
+  ]
+}
+
+// ============================================================================
+// Outputs
+// ============================================================================
+@description('Resource ID of the AI Search service.')
+output resourceId string = searchService.id
+
+@description('Name of the AI Search service.')
+output name string = searchService.name
+
+@description('Endpoint URL of the AI Search service.')
+output endpoint string = 'https://${searchService.name}.search.windows.net'
+
+@description('System-assigned identity principal ID.')
+output identityPrincipalId string = searchServiceUpdate.outputs.?systemAssignedMIPrincipalId ?? ''

infra/avm/modules/ai/ai-services.bicep

@@ -0,0 +1,121 @@
+// ============================================================================
+// Module: Azure AI Services (Generic)
+// Description: AVM wrapper for Cognitive Services — supports Content Safety,
+//              Speech, Computer Vision, Document Intelligence, and others.
+// AVM Module: avm/res/cognitive-services/account:0.14.2
+// ============================================================================
+
+@description('Solution name suffix used to derive the resource name.')
+param solutionName string
+
+@description('Name prefix for the resource (e.g., cs, speech, cv, docintel).')
+param namePrefix string
+
+@description('The kind of Cognitive Service to deploy.')
+@allowed([
+  'ContentSafety'
+  'SpeechServices'
+  'ComputerVision'
+  'FormRecognizer'
+  'TextAnalytics'
+  'TextTranslation'
+  'Face'
+  'OpenAI'
+  'AIServices'
+])
+param kind string
+
+@description('Optional. Override name for the resource. Defaults to {namePrefix}-{solutionName}.')
+param name string = '${namePrefix}-${solutionName}'
+
+@description('Azure region for the resource.')
+param location string
+
+@description('Tags to apply to the resource.')
+param tags object = {}
+
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = false
+
+@description('SKU for the Cognitive Services account.')
+@allowed(['F0', 'S0', 'S1'])
+param sku string = 'S0'
+
+@description('Custom subdomain name for the account.')
+param customSubDomainName string = ''
+
+@description('Disable local (key-based) authentication.')
+param disableLocalAuth bool = true
+
+@description('Public network access setting.')
+@allowed(['Enabled', 'Disabled'])
+param publicNetworkAccess string = 'Enabled'
+
+@description('Whether to enable private networking.')
+param enablePrivateNetworking bool = false
+
+@description('Subnet resource ID for the private endpoint.')
+param privateEndpointSubnetId string = ''
+
+@description('Private DNS zone resource IDs.')
+param privateDnsZoneResourceIds array = []
+
+@description('Diagnostic settings for monitoring.')
+param diagnosticSettings array = []
+
+@description('Optional. Role assignments for the resource.')
+param roleAssignments array = []
+
+var effectiveSubDomain = !empty(customSubDomainName) ? customSubDomainName : name
+
+var privateDnsZoneConfigs = [for (zoneId, i) in privateDnsZoneResourceIds: {
+  name: 'dns-zone-${i}'
+  privateDnsZoneResourceId: zoneId
+}]
+
+// ============================================================================
+// AVM Module Deployment
+// ============================================================================
+module aiService 'br/public:avm/res/cognitive-services/account:0.14.2' = {
+  name: take('avm.res.cognitive-services.${namePrefix}.${name}', 64)
+  params: {
+    name: name
+    location: location
+    tags: tags
+    enableTelemetry: enableTelemetry
+    kind: kind
+    sku: sku
+    customSubDomainName: effectiveSubDomain
+    disableLocalAuth: disableLocalAuth
+    managedIdentities: { systemAssigned: true }
+    publicNetworkAccess: publicNetworkAccess
+    diagnosticSettings: !empty(diagnosticSettings) ? diagnosticSettings : []
+    roleAssignments: !empty(roleAssignments) ? roleAssignments : []
+    privateEndpoints: enablePrivateNetworking ? [
+      {
+        name: 'pep-${name}'
+        customNetworkInterfaceName: 'nic-${name}'
+        subnetResourceId: privateEndpointSubnetId
+        service: 'account'
+        privateDnsZoneGroup: {
+          privateDnsZoneGroupConfigs: privateDnsZoneConfigs
+        }
+      }
+    ] : []
+  }
+}
+
+// ============================================================================
+// Outputs
+// ============================================================================
+@description('Name of the AI Services account.')
+output name string = aiService.outputs.name
+
+@description('Resource ID of the AI Services account.')
+output resourceId string = aiService.outputs.resourceId
+
+@description('Endpoint of the AI Services account.')
+output endpoint string = aiService.outputs.endpoint
+
+@description('System-assigned identity principal ID.')
+output identityPrincipalId string = aiService.outputs.?systemAssignedMIPrincipalId ?? ''

infra/avm/modules/compute/app-service-plan.bicep

@@ -0,0 +1,67 @@
+// ============================================================================
+// Module: App Service Plan
+// Description: AVM wrapper for Azure App Service Plan
+// AVM Module: avm/res/web/serverfarm:0.7.0
+// ============================================================================
+
+@description('Solution name suffix used to derive the resource name.')
+param solutionName string
+
+@description('Name of the App Service Plan.')
+param name string = 'asp-${solutionName}'
+
+@description('Azure region for the resource.')
+param location string
+
+@description('Tags to apply to the resource.')
+param tags object = {}
+
+@description('SKU name for the App Service Plan.')
+@allowed(['F1', 'D1', 'B1', 'B2', 'B3', 'S1', 'S2', 'S3', 'P1', 'P2', 'P3', 'P4', 'P0v3', 'P0v4', 'P1v3', 'P1v4', 'P2v3', 'P3v3'])
+param skuName string = 'B2'
+
+@description('Whether the plan is Linux-based.')
+param reserved bool = true
+
+@description('Kind of the App Service Plan.')
+param kind string = 'linux'
+
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+@description('Number of instances (workers).')
+param skuCapacity int = 1
+
+@description('Diagnostic settings for monitoring.')
+param diagnosticSettings array = []
+
+@description('Enable zone redundancy. Requires Premium SKU (P1v3+).')
+param zoneRedundant bool = false
+
+// ============================================================================
+// AVM Module Deployment
+// ============================================================================
+module appServicePlan 'br/public:avm/res/web/serverfarm:0.7.0' = {
+  name: take('avm.res.web.serverfarm.${name}', 64)
+  params: {
+    name: name
+    location: location
+    tags: tags
+    enableTelemetry: enableTelemetry
+    skuName: skuName
+    skuCapacity: skuCapacity
+    reserved: reserved
+    kind: kind
+    diagnosticSettings: !empty(diagnosticSettings) ? diagnosticSettings : []
+    zoneRedundant: zoneRedundant
+  }
+}
+
+// ============================================================================
+// Outputs
+// ============================================================================
+@description('Resource ID of the App Service Plan.')
+output resourceId string = appServicePlan.outputs.resourceId
+
+@description('Name of the App Service Plan.')
+output name string = appServicePlan.outputs.name