fix: enforce HTTPS-only ingress for container apps

Author: VishalS-Microsoft

infra/main.bicep

@@ -1214,6 +1214,8 @@ module containerApp 'br/public:avm/res/app/container-app:0.22.0' = {
     ingressTargetPort: 8000
     ingressExternal: true
     activeRevisionsMode: 'Single'
+    // SFI: Enforce HTTPS-only ingress. When false, HTTP requests are automatically redirected to HTTPS.
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         'https://${webSiteResourceName}.azurewebsites.net'
@@ -1422,6 +1424,8 @@ module containerAppMcp 'br/public:avm/res/app/container-app:0.22.0' = {
     ingressTargetPort: 9000
     ingressExternal: true
     activeRevisionsMode: 'Single'
+    // SFI: Enforce HTTPS-only ingress. When false, HTTP requests are automatically redirected to HTTPS.
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         'https://${webSiteResourceName}.azurewebsites.net'

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.1.21952",
-      "templateHash": "13738770643510560400"
+      "templateHash": "11424525558363523540"
     },
     "name": "Multi-Agent Custom Automation Engine",
     "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\r\n\r\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\r\n"
@@ -27974,9 +27974,9 @@
       },
       "dependsOn": [
         "aiFoundryAiServices",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "virtualNetwork"
       ]
     },
@@ -38446,6 +38446,9 @@
           "activeRevisionsMode": {
             "value": "Single"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [
@@ -40188,6 +40191,9 @@
           "activeRevisionsMode": {
             "value": "Single"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [

infra/main_custom.bicep

@@ -1241,6 +1241,8 @@ module containerApp 'br/public:avm/res/app/container-app:0.22.0' = {
     ingressTargetPort: 8000
     ingressExternal: true
     activeRevisionsMode: 'Single'
+    // SFI: Enforce HTTPS-only ingress. When false, HTTP requests are automatically redirected to HTTPS.
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         'https://${webSiteResourceName}.azurewebsites.net'
@@ -1464,6 +1466,8 @@ module containerAppMcp 'br/public:avm/res/app/container-app:0.22.0' = {
     ingressTargetPort: 9000
     ingressExternal: true
     activeRevisionsMode: 'Single'
+    // SFI: Enforce HTTPS-only ingress. When false, HTTP requests are automatically redirected to HTTPS.
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         'https://${webSiteResourceName}.azurewebsites.net'