diff --git a/infra/main.json b/infra/main.json index 96fd338cb..6bdd380ef 100644 --- a/infra/main.json +++ b/infra/main.json @@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.44.1.10279", - "templateHash": "9418658342402137838" + "templateHash": "13944072795230568058" }, "name": "Multi-Agent Custom Automation Engine", - "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\n\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\n" + "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\r\n\r\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\r\n" }, "parameters": { "solutionName": { @@ -64,9 +64,7 @@ "azd": { "type": "location", "usageName": [ - "OpenAI.GlobalStandard.gpt4.1, 50", - "OpenAI.GlobalStandard.o4-mini, 50", - "OpenAI.GlobalStandard.gpt4.1-mini, 50" + "OpenAI.GlobalStandard.gpt-4o, 150" ] }, "description": "Required. Location for all AI service resources. This should be one of the supported Azure AI Service locations." @@ -74,7 +72,7 @@ }, "gptModelName": { "type": "string", - "defaultValue": "gpt-4.1-mini", + "defaultValue": "gpt-4o", "minLength": 1, "metadata": { "description": "Optional. Name of the GPT model to deploy:" @@ -82,56 +80,19 @@ }, "gptModelVersion": { "type": "string", - "defaultValue": "2025-04-14", + "defaultValue": "2024-08-06", "metadata": { - "description": "Optional. Version of the GPT model to deploy. Defaults to 2025-04-14." + "description": "Optional. Version of the GPT model to deploy. Defaults to 2024-08-06." } }, - "gpt4_1ModelName": { - "type": "string", - "defaultValue": "gpt-4.1", - "minLength": 1, - "metadata": { - "description": "Optional. Name of the GPT model to deploy:" - } - }, - "gpt4_1ModelVersion": { - "type": "string", - "defaultValue": "2025-04-14", - "metadata": { - "description": "Optional. Version of the GPT model to deploy. Defaults to 2025-04-14." - } - }, - "gptReasoningModelName": { - "type": "string", - "defaultValue": "o4-mini", - "minLength": 1, - "metadata": { - "description": "Optional. Name of the GPT Reasoning model to deploy:" - } - }, - "gptReasoningModelVersion": { - "type": "string", - "defaultValue": "2025-04-16", - "metadata": { - "description": "Optional. Version of the GPT Reasoning model to deploy. Defaults to 2025-04-16." - } - }, - "azureOpenaiAPIVersion": { - "type": "string", - "defaultValue": "2024-12-01-preview", - "metadata": { - "description": "Optional. Version of the Azure OpenAI service to deploy. Defaults to 2024-12-01-preview." - } - }, - "azureAiAgentAPIVersion": { + "azureopenaiVersion": { "type": "string", "defaultValue": "2025-01-01-preview", "metadata": { - "description": "Optional. Version of the Azure AI Agent API version. Defaults to 2025-01-01-preview." + "description": "Optional. Version of the Azure OpenAI service to deploy. Defaults to 2025-01-01-preview." } }, - "gpt4_1ModelDeploymentType": { + "gptModelDeploymentType": { "type": "string", "defaultValue": "GlobalStandard", "allowedValues": [ @@ -143,49 +104,11 @@ "description": "Optional. GPT model deployment type. Defaults to GlobalStandard." } }, - "deploymentType": { - "type": "string", - "defaultValue": "GlobalStandard", - "allowedValues": [ - "Standard", - "GlobalStandard" - ], - "minLength": 1, - "metadata": { - "description": "Optional. GPT model deployment type. Defaults to GlobalStandard." - } - }, - "gptReasoningModelDeploymentType": { - "type": "string", - "defaultValue": "GlobalStandard", - "allowedValues": [ - "Standard", - "GlobalStandard" - ], - "minLength": 1, - "metadata": { - "description": "Optional. GPT model deployment type. Defaults to GlobalStandard." - } - }, - "gptDeploymentCapacity": { - "type": "int", - "defaultValue": 50, - "metadata": { - "description": "Optional. AI model deployment token capacity. Defaults to 50 for optimal performance." - } - }, - "gpt4_1ModelCapacity": { + "gptModelCapacity": { "type": "int", - "defaultValue": 50, + "defaultValue": 150, "metadata": { - "description": "Optional. AI model deployment token capacity. Defaults to 50 for optimal performance." - } - }, - "gptReasoningModelCapacity": { - "type": "int", - "defaultValue": 50, - "metadata": { - "description": "Optional. AI model deployment token capacity. Defaults to 50 for optimal performance." + "description": "Optional. AI model deployment token capacity. Defaults to 150 for optimal performance." } }, "tags": { @@ -226,27 +149,20 @@ "description": "Optional. Enable private networking for applicable resources, aligned with the Well Architected Framework recommendations. Defaults to false." } }, - "vmAdminUsername": { + "virtualMachineAdminUsername": { "type": "securestring", - "nullable": true, + "defaultValue": "[take(newGuid(), 20)]", "metadata": { "description": "Optional. The user name for the administrator account of the virtual machine. Allows to customize credentials if `enablePrivateNetworking` is set to true." } }, - "vmAdminPassword": { + "virtualMachineAdminPassword": { "type": "securestring", - "nullable": true, + "defaultValue": "[newGuid()]", "metadata": { "description": "Optional. The password for the administrator account of the virtual machine. Allows to customize credentials if `enablePrivateNetworking` is set to true." } }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_D2s_v5", - "metadata": { - "description": "Optional. The size of the virtual machine. Defaults to Standard_D2s_v5." - } - }, "backendContainerRegistryHostname": { "type": "string", "defaultValue": "biabcontainerreg.azurecr.io", @@ -263,7 +179,7 @@ }, "backendContainerImageTag": { "type": "string", - "defaultValue": "latest_v4", + "defaultValue": "latest_2025-07-22_895", "metadata": { "description": "Optional. The Container Image Tag to deploy on the backend." } @@ -284,32 +200,11 @@ }, "frontendContainerImageTag": { "type": "string", - "defaultValue": "latest_v4", + "defaultValue": "latest_2025-07-22_895", "metadata": { "description": "Optional. The Container Image Tag to deploy on the frontend." } }, - "MCPContainerRegistryHostname": { - "type": "string", - "defaultValue": "biabcontainerreg.azurecr.io", - "metadata": { - "description": "Optional. The Container Registry hostname where the docker images for the MCP are located." - } - }, - "MCPContainerImageName": { - "type": "string", - "defaultValue": "macaemcp", - "metadata": { - "description": "Optional. The Container Image Name to deploy on the MCP." - } - }, - "MCPContainerImageTag": { - "type": "string", - "defaultValue": "latest_v4", - "metadata": { - "description": "Optional. The Container Image Tag to deploy on the MCP." - } - }, "enableTelemetry": { "type": "bool", "defaultValue": true, @@ -324,7 +219,7 @@ "description": "Optional. Resource ID of an existing Log Analytics Workspace." } }, - "existingFoundryProjectResourceId": { + "existingAiFoundryAiProjectResourceId": { "type": "string", "defaultValue": "", "metadata": { @@ -337,43 +232,9 @@ "metadata": { "description": "Tag, Created by user name" } - }, - "storageContainerNameRetailCustomer": { - "type": "string", - "defaultValue": "retail-dataset-customer" - }, - "storageContainerNameRetailOrder": { - "type": "string", - "defaultValue": "retail-dataset-order" - }, - "storageContainerNameRFPSummary": { - "type": "string", - "defaultValue": "rfp-summary-dataset" - }, - "storageContainerNameRFPRisk": { - "type": "string", - "defaultValue": "rfp-risk-dataset" - }, - "storageContainerNameRFPCompliance": { - "type": "string", - "defaultValue": "rfp-compliance-dataset" - }, - "storageContainerNameContractSummary": { - "type": "string", - "defaultValue": "contract-summary-dataset" - }, - "storageContainerNameContractRisk": { - "type": "string", - "defaultValue": "contract-risk-dataset" - }, - "storageContainerNameContractCompliance": { - "type": "string", - "defaultValue": "contract-compliance-dataset" } }, "variables": { - "deployerInfo": "[deployer()]", - "deployingUserPrincipalId": "[variables('deployerInfo').objectId]", "solutionSuffix": "[toLower(trim(replace(replace(replace(replace(replace(replace(format('{0}{1}', parameters('solutionName'), parameters('solutionUniqueText')), '-', ''), '_', ''), '.', ''), '/', ''), ' ', ''), '*', '')))]", "cosmosDbZoneRedundantHaRegionPairs": { "australiaeast": "uksouth", @@ -402,8 +263,6 @@ }, "replicaLocation": "[variables('replicaRegionPairs')[parameters('location')]]", "allTags": "[union(createObject('azd-env-name', parameters('solutionName')), parameters('tags'))]", - "existingTags": "[coalesce(resourceGroup().tags, createObject())]", - "deployerPrincipalType": "[if(contains(deployer(), 'userPrincipalName'), 'User', 'ServicePrincipal')]", "useExistingLogAnalytics": "[not(empty(parameters('existingLogAnalyticsWorkspaceId')))]", "existingLawSubscription": "[if(variables('useExistingLogAnalytics'), split(parameters('existingLogAnalyticsWorkspaceId'), '/')[2], '')]", "existingLawResourceGroup": "[if(variables('useExistingLogAnalytics'), split(parameters('existingLogAnalyticsWorkspaceId'), '/')[4], '')]", @@ -415,63 +274,39 @@ "bastionResourceName": "[format('bas-{0}', variables('solutionSuffix'))]", "maintenanceConfigurationResourceName": "[format('mc-{0}', variables('solutionSuffix'))]", "dataCollectionRulesResourceName": "[format('dcr-{0}', variables('solutionSuffix'))]", - "dcrLogAnalyticsDestinationName": "[format('la-{0}-destination', variables('logAnalyticsWorkspaceResourceName'))]", "proximityPlacementGroupResourceName": "[format('ppg-{0}', variables('solutionSuffix'))]", "virtualMachineResourceName": "[format('vm-{0}', variables('solutionSuffix'))]", "virtualMachineAvailabilityZone": 1, + "virtualMachineSize": "Standard_D2s_v3", "privateDnsZones": [ "privatelink.cognitiveservices.azure.com", "privatelink.openai.azure.com", "privatelink.services.ai.azure.com", - "privatelink.documents.azure.com", - "privatelink.blob.core.windows.net", - "privatelink.search.windows.net" + "privatelink.documents.azure.com" ], "dnsZoneIndex": { "cognitiveServices": 0, "openAI": 1, "aiServices": 2, - "cosmosDb": 3, - "blob": 4, - "search": 5 + "cosmosDb": 3 }, "aiRelatedDnsZoneIndices": [ "[variables('dnsZoneIndex').cognitiveServices]", "[variables('dnsZoneIndex').openAI]", "[variables('dnsZoneIndex').aiServices]" ], - "useExistingAiFoundryAiProject": "[not(empty(parameters('existingFoundryProjectResourceId')))]", - "aiFoundryAiServicesResourceGroupName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingFoundryProjectResourceId'), '/')[4], resourceGroup().name)]", - "aiFoundryAiServicesSubscriptionId": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingFoundryProjectResourceId'), '/')[2], subscription().subscriptionId)]", - "aiFoundryAiServicesResourceName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingFoundryProjectResourceId'), '/')[8], format('aif-{0}', variables('solutionSuffix')))]", - "aiFoundryAiProjectResourceName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingFoundryProjectResourceId'), '/')[10], format('proj-{0}', variables('solutionSuffix')))]", + "useExistingAiFoundryAiProject": "[not(empty(parameters('existingAiFoundryAiProjectResourceId')))]", + "aiFoundryAiServicesResourceGroupName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingAiFoundryAiProjectResourceId'), '/')[4], format('rg-{0}', variables('solutionSuffix')))]", + "aiFoundryAiServicesSubscriptionId": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingAiFoundryAiProjectResourceId'), '/')[2], subscription().id)]", + "aiFoundryAiServicesResourceName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingAiFoundryAiProjectResourceId'), '/')[8], format('aif-{0}', variables('solutionSuffix')))]", + "aiFoundryAiProjectResourceName": "[if(variables('useExistingAiFoundryAiProject'), split(parameters('existingAiFoundryAiProjectResourceId'), '/')[10], format('proj-{0}', variables('solutionSuffix')))]", "aiFoundryAiServicesModelDeployment": { "format": "OpenAI", "name": "[parameters('gptModelName')]", "version": "[parameters('gptModelVersion')]", "sku": { - "name": "[parameters('deploymentType')]", - "capacity": "[parameters('gptDeploymentCapacity')]" - }, - "raiPolicyName": "Microsoft.Default" - }, - "aiFoundryAiServices4_1ModelDeployment": { - "format": "OpenAI", - "name": "[parameters('gpt4_1ModelName')]", - "version": "[parameters('gpt4_1ModelVersion')]", - "sku": { - "name": "[parameters('gpt4_1ModelDeploymentType')]", - "capacity": "[parameters('gpt4_1ModelCapacity')]" - }, - "raiPolicyName": "Microsoft.Default" - }, - "aiFoundryAiServicesReasoningModelDeployment": { - "format": "OpenAI", - "name": "[parameters('gptReasoningModelName')]", - "version": "[parameters('gptReasoningModelVersion')]", - "sku": { - "name": "[parameters('gptReasoningModelDeploymentType')]", - "capacity": "[parameters('gptReasoningModelCapacity')]" + "name": "[parameters('gptModelDeploymentType')]", + "capacity": "[parameters('gptModelCapacity')]" }, "raiPolicyName": "Microsoft.Default" }, @@ -481,34 +316,22 @@ "cosmosDbDatabaseMemoryContainerName": "memory", "containerAppEnvironmentResourceName": "[format('cae-{0}', variables('solutionSuffix'))]", "containerAppResourceName": "[format('ca-{0}', variables('solutionSuffix'))]", - "containerAppMcpResourceName": "[format('ca-mcp-{0}', variables('solutionSuffix'))]", "webServerFarmResourceName": "[format('asp-{0}', variables('solutionSuffix'))]", - "webSiteResourceName": "[format('app-{0}', variables('solutionSuffix'))]", - "storageAccountName": "[replace(format('st{0}', variables('solutionSuffix')), '-', '')]", - "searchServiceName": "[format('srch-{0}', variables('solutionSuffix'))]", - "aiSearchIndexNameForContractSummary": "contract-summary-doc-index", - "aiSearchIndexNameForContractRisk": "contract-risk-doc-index", - "aiSearchIndexNameForContractCompliance": "contract-compliance-doc-index", - "aiSearchIndexNameForRetailCustomer": "macae-retail-customer-index", - "aiSearchIndexNameForRetailOrder": "macae-retail-order-index", - "aiSearchIndexNameForRFPSummary": "macae-rfp-summary-index", - "aiSearchIndexNameForRFPRisk": "macae-rfp-risk-index", - "aiSearchIndexNameForRFPCompliance": "macae-rfp-compliance-index", - "aiSearchConnectionName": "[format('aifp-srch-connection-{0}', variables('solutionSuffix'))]" + "webSiteResourceName": "[format('app-{0}', variables('solutionSuffix'))]" }, "resources": { "resourceGroupTags": { "type": "Microsoft.Resources/tags", - "apiVersion": "2023-07-01", + "apiVersion": "2021-04-01", "name": "default", "properties": { - "tags": "[union(variables('existingTags'), variables('allTags'), createObject('TemplateName', 'MACAE', 'Type', if(parameters('enablePrivateNetworking'), 'WAF', 'Non-WAF'), 'CreatedBy', parameters('createdBy'), 'DeploymentName', deployment().name, 'SolutionSuffix', variables('solutionSuffix')))]" + "tags": "[shallowMerge(createArray(variables('allTags'), createObject('TemplateName', 'MACAE', 'Type', if(parameters('enablePrivateNetworking'), 'WAF', 'Non-WAF'), 'CreatedBy', parameters('createdBy'))))]" } }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2024-03-01", "name": "[format('46d3xbcp.ptn.sa-multiagentcustauteng.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", @@ -529,7 +352,7 @@ "condition": "[variables('useExistingLogAnalytics')]", "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2020-08-01", "subscriptionId": "[variables('existingLawSubscription')]", "resourceGroup": "[variables('existingLawResourceGroup')]", "name": "[variables('existingLawName')]" @@ -538,7 +361,7 @@ "condition": "[variables('useExistingAiFoundryAiProject')]", "existing": true, "type": "Microsoft.CognitiveServices/accounts", - "apiVersion": "2025-12-01", + "apiVersion": "2025-06-01", "subscriptionId": "[variables('aiFoundryAiServicesSubscriptionId')]", "resourceGroup": "[variables('aiFoundryAiServicesResourceGroupName')]", "name": "[variables('aiFoundryAiServicesResourceName')]" @@ -547,20 +370,11 @@ "condition": "[variables('useExistingAiFoundryAiProject')]", "existing": true, "type": "Microsoft.CognitiveServices/accounts/projects", - "apiVersion": "2025-12-01", + "apiVersion": "2025-06-01", "subscriptionId": "[variables('aiFoundryAiServicesSubscriptionId')]", "resourceGroup": "[variables('aiFoundryAiServicesResourceGroupName')]", "name": "[format('{0}/{1}', variables('aiFoundryAiServicesResourceName'), variables('aiFoundryAiProjectResourceName'))]" }, - "searchService": { - "type": "Microsoft.Search/searchServices", - "apiVersion": "2025-05-01", - "name": "[variables('searchServiceName')]", - "location": "[parameters('location')]", - "sku": { - "name": "[if(parameters('enableScalability'), 'standard', 'basic')]" - } - }, "logAnalyticsWorkspace": { "condition": "[and(parameters('enableMonitoring'), not(variables('useExistingLogAnalytics')))]", "type": "Microsoft.Resources/deployments", @@ -602,7 +416,7 @@ } ] }, - "dailyQuotaGb": "[if(parameters('enableRedundancy'), createObject('value', '150'), createObject('value', null()))]", + "dailyQuotaGb": "[if(parameters('enableRedundancy'), createObject('value', 150), createObject('value', null()))]", "replication": "[if(parameters('enableRedundancy'), createObject('value', createObject('enabled', true(), 'location', variables('replicaLocation'))), createObject('value', null()))]", "publicNetworkAccessForIngestion": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", "publicNetworkAccessForQuery": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", @@ -615,8 +429,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "14099489006827800075" + "version": "0.36.1.42791", + "templateHash": "1749032521457140145" }, "name": "Log Analytics Workspaces", "description": "This module deploys a Log Analytics Workspace." @@ -807,21 +621,21 @@ "name": { "type": "string", "metadata": { - "description": "Required. Name of the linked service. E.g., 'Automation' for an automation account, or 'Cluster' for a Log Analytics Cluster." + "description": "Required. Name of the linked service." } }, "resourceId": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The resource id of the resource that will be linked to the workspace. This should be used for linking resources which require read access (e.g., Automation Accounts)." + "description": "Optional. The resource id of the resource that will be linked to the workspace. This should be used for linking resources which require read access." } }, "writeAccessResourceId": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The resource id of the resource that will be linked to the workspace. This should be used for linking resources which require write access (e.g., Log Analytics Clusters)." + "description": "Optional. The resource id of the resource that will be linked to the workspace. This should be used for linking resources which require write access." } } }, @@ -1057,7 +871,7 @@ "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces/dataSources@2025-07-01#properties/tags" + "source": "Microsoft.OperationalInsights/workspaces/dataSources@2025-02-01#properties/tags" }, "description": "Optional. Tags to configure in the resource." }, @@ -1109,19 +923,15 @@ "retentionInDays": { "type": "int", "nullable": true, - "minValue": 4, - "maxValue": 730, "metadata": { - "description": "Optional. The retention in days for the table. Don't provide to use the default workspace retention." + "description": "Optional. The retention in days for the table." } }, "totalRetentionInDays": { "type": "int", "nullable": true, - "minValue": 4, - "maxValue": 2555, "metadata": { - "description": "Optional. The total retention in days for the table. Don't provide use the default table retention." + "description": "Optional. The total retention in days for the table." } }, "roleAssignments": { @@ -1314,19 +1124,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -1354,7 +1157,7 @@ "metadata": { "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -1461,7 +1264,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -1609,7 +1412,7 @@ "Standard" ], "metadata": { - "description": "Optional. The name of the SKU. Must be 'LACluster' to be linked to a Log Analytics cluster." + "description": "Optional. The name of the SKU." } }, "skuCapacityReservationLevel": { @@ -1718,17 +1521,11 @@ } }, "dailyQuotaGb": { - "type": "string", - "defaultValue": "-1", - "metadata": { - "description": "Optional. The workspace daily quota for ingestion in GB. Supports decimal values. Example: '0.5' for 0.5 GB, '2' for 2 GB. Default is '-1' (no limit)." - } - }, - "defaultDataCollectionRuleResourceId": { - "type": "string", - "nullable": true, + "type": "int", + "defaultValue": -1, + "minValue": -1, "metadata": { - "description": "Optional. The resource ID of the default Data Collection Rule to use for this workspace. Note: the default DCR is not applicable on workspace creation and the workspace must be listed as a destination in the DCR." + "description": "Optional. The workspace daily quota for ingestion." } }, "publicNetworkAccessForIngestion": { @@ -1736,8 +1533,7 @@ "defaultValue": "Enabled", "allowedValues": [ "Enabled", - "Disabled", - "SecuredByPerimeter" + "Disabled" ], "metadata": { "description": "Optional. The network access type for accessing Log Analytics ingestion." @@ -1748,8 +1544,7 @@ "defaultValue": "Enabled", "allowedValues": [ "Enabled", - "Disabled", - "SecuredByPerimeter" + "Disabled" ], "metadata": { "description": "Optional. The network access type for accessing Log Analytics query." @@ -1814,7 +1609,7 @@ "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces@2025-07-01#properties/tags" + "source": "Microsoft.OperationalInsights/workspaces@2025-02-01#properties/tags" }, "description": "Optional. Tags of the resource." }, @@ -1858,7 +1653,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.operationalinsights-workspace.{0}.{1}', replace('0.15.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.operationalinsights-workspace.{0}.{1}', replace('0.12.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -1876,7 +1671,7 @@ }, "logAnalyticsWorkspace": { "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -1894,13 +1689,12 @@ }, "retentionInDays": "[parameters('dataRetention')]", "workspaceCapping": { - "dailyQuotaGb": "[json(parameters('dailyQuotaGb'))]" + "dailyQuotaGb": "[parameters('dailyQuotaGb')]" }, "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]", "forceCmkForQuery": "[parameters('forceCmkForQuery')]", - "replication": "[parameters('replication')]", - "defaultDataCollectionRuleResourceId": "[parameters('defaultDataCollectionRuleResourceId')]" + "replication": "[parameters('replication')]" }, "identity": "[variables('identity')]" }, @@ -1948,7 +1742,7 @@ "logAnalyticsWorkspace_sentinelOnboarding": { "condition": "[and(not(empty(filter(coalesce(parameters('gallerySolutions'), createArray()), lambda('item', startsWith(lambdaVariables('item').name, 'SecurityInsights'))))), parameters('onboardWorkspaceToSentinel'))]", "type": "Microsoft.SecurityInsights/onboardingStates", - "apiVersion": "2025-09-01", + "apiVersion": "2024-03-01", "scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]", "name": "default", "properties": {}, @@ -1964,7 +1758,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "logAnalyticsWorkspace" @@ -1998,8 +1792,8 @@ "count": "[length(coalesce(parameters('storageInsightsConfigs'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-StorageInsightsConfig-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-StorageInsightsConfig-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2026,8 +1820,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "140290971998938797" + "version": "0.36.1.42791", + "templateHash": "1306323182548882150" }, "name": "Log Analytics Workspace Storage Insight Configs", "description": "This module deploys a Log Analytics Workspace Storage Insight Config." @@ -2076,7 +1870,7 @@ "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs@2025-07-01#properties/tags" + "source": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs@2025-02-01#properties/tags" }, "description": "Optional. Tags to configure in the resource." }, @@ -2087,18 +1881,18 @@ "storageAccount": { "existing": true, "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", + "apiVersion": "2024-01-01", "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" }, "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('logAnalyticsWorkspaceName')]" }, "storageinsightconfig": { "type": "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { @@ -2106,7 +1900,7 @@ "tables": "[parameters('tables')]", "storageAccount": { "id": "[parameters('storageAccountResourceId')]", - "key": "[listKeys('storageAccount', '2025-06-01').keys[0].value]" + "key": "[listKeys('storageAccount', '2024-01-01').keys[0].value]" } } } @@ -2146,8 +1940,8 @@ "count": "[length(coalesce(parameters('linkedServices'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-LinkedService-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-LinkedService-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2174,8 +1968,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "14482465616812596213" + "version": "0.36.1.42791", + "templateHash": "5230241501765697269" }, "name": "Log Analytics Workspace Linked Services", "description": "This module deploys a Log Analytics Workspace Linked Service." @@ -2211,7 +2005,7 @@ "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces/linkedServices@2025-07-01#properties/tags" + "source": "Microsoft.OperationalInsights/workspaces/linkedServices@2025-02-01#properties/tags" }, "description": "Optional. Tags to configure in the resource." }, @@ -2222,12 +2016,12 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('logAnalyticsWorkspaceName')]" }, "linkedService": { "type": "Microsoft.OperationalInsights/workspaces/linkedServices", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { @@ -2271,8 +2065,8 @@ "count": "[length(coalesce(parameters('linkedStorageAccounts'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-LinkedStorageAccount-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-LinkedStorageAccount-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2296,8 +2090,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "14864721709229272590" + "version": "0.36.1.42791", + "templateHash": "10372135754202496594" }, "name": "Log Analytics Workspace Linked Storage Accounts", "description": "This module deploys a Log Analytics Workspace Linked Storage Account." @@ -2336,12 +2130,12 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('logAnalyticsWorkspaceName')]" }, "linkedStorageAccount": { "type": "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", "properties": { "storageAccountIds": "[parameters('storageAccountIds')]" @@ -2383,8 +2177,8 @@ "count": "[length(coalesce(parameters('savedSearches'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-SavedSearch-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-SavedSearch-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2395,7 +2189,7 @@ "value": "[parameters('name')]" }, "name": { - "value": "[format('{0}{1}', coalesce(parameters('savedSearches'), createArray())[copyIndex()].name, uniqueString(subscription().id, resourceGroup().id))]" + "value": "[format('{0}{1}', coalesce(parameters('savedSearches'), createArray())[copyIndex()].name, uniqueString(deployment().name))]" }, "etag": { "value": "[tryGet(coalesce(parameters('savedSearches'), createArray())[copyIndex()], 'etag')]" @@ -2429,8 +2223,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "17904092372918022238" + "version": "0.36.1.42791", + "templateHash": "9015459905306126128" }, "name": "Log Analytics Workspace Saved Searches", "description": "This module deploys a Log Analytics Workspace Saved Search." @@ -2470,7 +2264,7 @@ "type": "array", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces/savedSearches@2025-07-01#properties/properties/properties/tags" + "source": "Microsoft.OperationalInsights/workspaces/savedSearches@2025-02-01#properties/properties/properties/tags" }, "description": "Optional. Tags to configure in the resource." }, @@ -2509,12 +2303,12 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('logAnalyticsWorkspaceName')]" }, "savedSearch": { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", "properties": { "etag": "[parameters('etag')]", @@ -2564,8 +2358,8 @@ "count": "[length(coalesce(parameters('dataExports'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-DataExport-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-DataExport-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2595,8 +2389,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "17943947755417749524" + "version": "0.36.1.42791", + "templateHash": "8586520532175356447" }, "name": "Log Analytics Workspace Data Exports", "description": "This module deploys a Log Analytics Workspace Data Export." @@ -2678,12 +2472,12 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('workspaceName')]" }, "dataExport": { "type": "Microsoft.OperationalInsights/workspaces/dataExports", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", "properties": { "destination": "[parameters('destination')]", @@ -2727,8 +2521,8 @@ "count": "[length(coalesce(parameters('dataSources'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-DataSource-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-DataSource-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -2788,8 +2582,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "15360290236166491819" + "version": "0.36.1.42791", + "templateHash": "8336916453932906250" }, "name": "Log Analytics Workspace Datasources", "description": "This module deploys a Log Analytics Workspace Data Source." @@ -2828,7 +2622,7 @@ "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.OperationalInsights/workspaces/dataSources@2025-07-01#properties/tags" + "source": "Microsoft.OperationalInsights/workspaces/dataSources@2025-02-01#properties/tags" }, "description": "Optional. Tags to configure in the resource." }, @@ -2916,12 +2710,12 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('logAnalyticsWorkspaceName')]" }, "dataSource": { "type": "Microsoft.OperationalInsights/workspaces/dataSources", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('logAnalyticsWorkspaceName'), parameters('name'))]", "kind": "[parameters('kind')]", "tags": "[parameters('tags')]", @@ -2975,8 +2769,8 @@ "count": "[length(coalesce(parameters('tables'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-Table-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-Table-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -3018,8 +2812,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "18383178824663161801" + "version": "0.36.1.42791", + "templateHash": "315390662258960765" }, "name": "Log Analytics Workspace Tables", "description": "This module deploys a Log Analytics Workspace Table." @@ -3303,11 +3097,11 @@ }, "retentionInDays": { "type": "int", - "nullable": true, - "minValue": 4, + "defaultValue": -1, + "minValue": -1, "maxValue": 730, "metadata": { - "description": "Optional. The table retention in days, between 4 and 730. Don't provide to use the default workspace retention." + "description": "Optional. The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention." } }, "schema": { @@ -3326,11 +3120,11 @@ }, "totalRetentionInDays": { "type": "int", - "nullable": true, - "minValue": 4, + "defaultValue": -1, + "minValue": -1, "maxValue": 2555, "metadata": { - "description": "Optional. The table total retention in days, between 4 and 2555. Don't provide use the default table retention." + "description": "Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention." } }, "roleAssignments": { @@ -3368,20 +3162,20 @@ "workspace": { "existing": true, "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[parameters('workspaceName')]" }, "table": { "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", + "apiVersion": "2025-02-01", "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('name'))]", "properties": { "plan": "[parameters('plan')]", "restoredLogs": "[parameters('restoredLogs')]", - "retentionInDays": "[coalesce(parameters('retentionInDays'), -1)]", + "retentionInDays": "[parameters('retentionInDays')]", "schema": "[parameters('schema')]", "searchResults": "[parameters('searchResults')]", - "totalRetentionInDays": "[coalesce(parameters('totalRetentionInDays'), -1)]" + "totalRetentionInDays": "[parameters('totalRetentionInDays')]" } }, "table_roleAssignments": { @@ -3443,8 +3237,8 @@ }, "condition": "[not(empty(parameters('gallerySolutions')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-LAW-Solution-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-LAW-Solution-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -3659,7 +3453,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('logAnalyticsWorkspace', '2025-07-01', 'full').location]" + "value": "[reference('logAnalyticsWorkspace', '2025-02-01', 'full').location]" }, "systemAssignedMIPrincipalId": { "type": "string", @@ -3667,21 +3461,21 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[tryGet(tryGet(reference('logAnalyticsWorkspace', '2025-07-01', 'full'), 'identity'), 'principalId')]" + "value": "[tryGet(tryGet(reference('logAnalyticsWorkspace', '2025-02-01', 'full'), 'identity'), 'principalId')]" }, "primarySharedKey": { "type": "securestring", "metadata": { "description": "The primary shared key of the log analytics workspace." }, - "value": "[listKeys('logAnalyticsWorkspace', '2025-07-01').primarySharedKey]" + "value": "[listKeys('logAnalyticsWorkspace', '2025-02-01').primarySharedKey]" }, "secondarySharedKey": { "type": "securestring", "metadata": { "description": "The secondary shared key of the log analytics workspace." }, - "value": "[listKeys('logAnalyticsWorkspace', '2025-07-01').secondarySharedKey]" + "value": "[listKeys('logAnalyticsWorkspace', '2025-02-01').secondarySharedKey]" } } } @@ -3722,7 +3516,8 @@ "flowType": { "value": "Bluefield" }, - "workspaceResourceId": "[if(parameters('enableMonitoring'), if(variables('useExistingLogAnalytics'), createObject('value', parameters('existingLogAnalyticsWorkspaceId')), createObject('value', reference('logAnalyticsWorkspace').outputs.resourceId.value)), createObject('value', ''))]" + "workspaceResourceId": "[if(parameters('enableMonitoring'), if(variables('useExistingLogAnalytics'), createObject('value', parameters('existingLogAnalyticsWorkspaceId')), createObject('value', reference('logAnalyticsWorkspace').outputs.resourceId.value)), createObject('value', ''))]", + "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -3731,8 +3526,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "17358780145253914698" + "version": "0.33.93.31351", + "templateHash": "5735496719243704506" }, "name": "Application Insights", "description": "This component deploys an Application Insights instance." @@ -3856,7 +3651,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" } } }, @@ -3881,19 +3676,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -3968,7 +3756,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" } } } @@ -4095,25 +3883,6 @@ "description": "Optional. The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone." } }, - "immediatePurgeDataOn30Days": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Purge data immediately after 30 days." - } - }, - "ingestionMode": { - "type": "string", - "nullable": true, - "allowedValues": [ - "ApplicationInsights", - "ApplicationInsightsWithDiagnosticSettings", - "LogAnalytics" - ], - "metadata": { - "description": "Optional. Indicates the flow of the ingestion." - } - }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", @@ -4140,13 +3909,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/components@2020-02-02#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -4191,7 +3957,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.insights-component.{0}.{1}', replace('0.7.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.insights-component.{0}.{1}', replace('0.6.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -4225,9 +3991,7 @@ "RetentionInDays": "[parameters('retentionInDays')]", "SamplingPercentage": "[parameters('samplingPercentage')]", "Flow_Type": "[parameters('flowType')]", - "Request_Source": "[parameters('requestSource')]", - "ImmediatePurgeDataOn30Days": "[parameters('immediatePurgeDataOn30Days')]", - "IngestionMode": "[parameters('ingestionMode')]" + "Request_Source": "[parameters('requestSource')]" } }, "appInsights_roleAssignments": { @@ -4260,7 +4024,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "appInsights" @@ -4310,7 +4074,7 @@ "linkedStorageAccount": { "condition": "[not(empty(parameters('linkedStorageAccountResourceId')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-appInsights-linkedStorageAccount', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -4331,8 +4095,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "5059808225314360251" + "version": "0.33.93.31351", + "templateHash": "10861379689695100897" }, "name": "Application Insights Linked Storage Account", "description": "This component deploys an Application Insights Linked Storage Account." @@ -4478,8 +4242,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "7591858083424858339" + "version": "0.34.44.8038", + "templateHash": "16707109626832623586" }, "name": "User Assigned Identities", "description": "This module deploys a User Assigned Identity." @@ -4542,19 +4306,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -4677,13 +4434,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -4691,17 +4445,6 @@ "metadata": { "description": "Optional. Enable/Disable usage telemetry for module." } - }, - "isolationScope": { - "type": "string", - "nullable": true, - "allowedValues": [ - "None", - "Regional" - ], - "metadata": { - "description": "Optional. Enum to configure regional restrictions on identity assignment, as necessary. Allowed values: \"None\", \"Regional\"." - } } }, "variables": { @@ -4727,7 +4470,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('0.5.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.managedidentity-userassignedidentity.{0}.{1}', replace('0.4.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -4748,8 +4491,7 @@ "apiVersion": "2024-11-30", "name": "[parameters('name')]", "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": "[if(not(equals(parameters('isolationScope'), null())), createObject('isolationScope', parameters('isolationScope')), createObject())]" + "tags": "[parameters('tags')]" }, "userAssignedIdentity_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", @@ -4759,7 +4501,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "userAssignedIdentity" @@ -4795,8 +4537,8 @@ "batchSize": 1 }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-UserMSI-FederatedIdentityCred-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-UserMSI-FederatedIdentityCred-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -4825,8 +4567,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "1387931959101373036" + "version": "0.34.44.8038", + "templateHash": "13656021764446440473" }, "name": "User Assigned Identity Federated Identity Credential", "description": "This module deploys a User Assigned Identity Federated Identity Credential." @@ -4966,9 +4708,6 @@ "name": { "value": "[format('vnet-{0}', variables('solutionSuffix'))]" }, - "location": { - "value": "[parameters('location')]" - }, "tags": { "value": "[parameters('tags')]" }, @@ -4980,6 +4719,9 @@ "10.0.0.0/8" ] }, + "location": { + "value": "[parameters('location')]" + }, "logAnalyticsWorkspaceId": "[if(variables('useExistingLogAnalytics'), createObject('value', parameters('existingLogAnalyticsWorkspaceId')), createObject('value', reference('logAnalyticsWorkspace').outputs.resourceId.value))]", "resourceSuffix": { "value": "[variables('solutionSuffix')]" @@ -4993,7 +4735,7 @@ "_generator": { "name": "bicep", "version": "0.44.1.10279", - "templateHash": "16578961703143216826" + "templateHash": "15378480928367949502" } }, "definitions": { @@ -5432,8 +5174,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "7311263652424030280" + "version": "0.33.93.31351", + "templateHash": "2305747478751645177" }, "name": "Network Security Groups", "description": "This module deploys a Network security Group (NSG)." @@ -5692,7 +5434,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if only logs are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -5717,19 +5459,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -5804,7 +5539,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -5869,13 +5604,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/networkSecurityGroups@2025-05-01#properties/tags" - }, "description": "Optional. Tags of the NSG resource." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -5907,7 +5639,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.5.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-networksecuritygroup.{0}.{1}', replace('0.5.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -5925,7 +5657,7 @@ }, "networkSecurityGroup": { "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2025-05-01", + "apiVersion": "2023-11-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -5963,11 +5695,11 @@ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "networkSecurityGroup" @@ -5980,7 +5712,7 @@ }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { "copy": [ @@ -6012,7 +5744,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/networkSecurityGroups', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -6055,7 +5787,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('networkSecurityGroup', '2025-05-01', 'full').location]" + "value": "[reference('networkSecurityGroup', '2023-11-01', 'full').location]" } } } @@ -6123,8 +5855,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "11272001757446231867" + "version": "0.35.1.17967", + "templateHash": "16195883788906927531" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet)." @@ -6230,9 +5962,6 @@ "description": "Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false." } } - }, - "metadata": { - "__bicep_export!": true } }, "subnetType": { @@ -6406,9 +6135,6 @@ "description": "Optional. Set this property to Tenant to allow sharing subnet with other subscriptions in your AAD tenant. This property can only be set if defaultOutboundAccess is set to false, both properties can only be set if subnet is empty." } } - }, - "metadata": { - "__bicep_export!": true } }, "diagnosticSettingFullType": { @@ -6554,19 +6280,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } }, @@ -6790,17 +6509,6 @@ "metadata": { "description": "Optional. Indicates if VM protection is enabled for all the subnets in the virtual network." } - }, - "enablePrivateEndpointVNetPolicies": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Basic", - "Disabled" - ], - "metadata": { - "description": "Optional. Enables high scale private endpoints for the virtual network. This is necessary if the virtual network requires more than 1000 private endpoints or is peered to virtual networks with a total of more than 4000 private endpoints." - } } }, "variables": { @@ -6826,7 +6534,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-virtualnetwork.{0}.{1}', replace('0.8.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-virtualnetwork.{0}.{1}', replace('0.7.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -6856,19 +6564,18 @@ "enableDdosProtection": "[not(empty(parameters('ddosProtectionPlanResourceId')))]", "encryption": "[if(equals(parameters('vnetEncryption'), true()), createObject('enabled', parameters('vnetEncryption'), 'enforcement', parameters('vnetEncryptionEnforcement')), null())]", "flowTimeoutInMinutes": "[if(not(equals(parameters('flowTimeoutInMinutes'), 0)), parameters('flowTimeoutInMinutes'), null())]", - "enableVmProtection": "[parameters('enableVmProtection')]", - "privateEndpointVNetPolicies": "[parameters('enablePrivateEndpointVNetPolicies')]" + "enableVmProtection": "[parameters('enableVmProtection')]" } }, "virtualNetwork_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "virtualNetwork" @@ -6881,7 +6588,7 @@ }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { "copy": [ @@ -6922,7 +6629,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -6945,8 +6652,8 @@ "batchSize": 1 }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-subnet-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-subnet-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -7015,8 +6722,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "13992200806189615656" + "version": "0.35.1.17967", + "templateHash": "9728353654559466189" }, "name": "Virtual Network Subnets", "description": "This module deploys a Virtual Network Subnet." @@ -7272,7 +6979,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-virtualnetworksubnet.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", + "name": "[format('46d3xbcp.res.network-virtualnetworksubnet.{0}.{1}', replace('0.1.2', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -7330,7 +7037,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -7402,8 +7109,8 @@ "count": "[length(coalesce(parameters('peerings'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-virtualNetworkPeering-local-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-virtualNetworkPeering-local-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -7441,8 +7148,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "6939030350004475953" + "version": "0.35.1.17967", + "templateHash": "11179987886456111827" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering." @@ -7557,8 +7264,8 @@ }, "condition": "[coalesce(tryGet(coalesce(parameters('peerings'), createArray())[copyIndex()], 'remotePeeringEnabled'), false())]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-virtualNetworkPeering-remote-{1}', uniqueString(subscription().id, resourceGroup().id, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-virtualNetworkPeering-remote-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "subscriptionId": "[split(coalesce(parameters('peerings'), createArray())[copyIndex()].remoteVirtualNetworkResourceId, '/')[2]]", "resourceGroup": "[split(coalesce(parameters('peerings'), createArray())[copyIndex()].remoteVirtualNetworkResourceId, '/')[4]]", "properties": { @@ -7598,8 +7305,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "6939030350004475953" + "version": "0.35.1.17967", + "templateHash": "11179987886456111827" }, "name": "Virtual Network Peerings", "description": "This module deploys a Virtual Network Peering." @@ -7845,9 +7552,6 @@ "virtualNetworkResourceId": { "value": "[tryGet(tryGet(tryGet(if(parameters('enablePrivateNetworking'), reference('virtualNetwork'), null()), 'outputs'), 'resourceId'), 'value')]" }, - "availabilityZones": { - "value": [] - }, "publicIPAddressObject": { "value": { "name": "[format('pip-bas{0}', variables('solutionSuffix'))]", @@ -7879,327 +7583,13 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "7741601918225805390" + "version": "0.36.177.2456", + "templateHash": "13495809792504478069" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host." }, "definitions": { - "publicIPAddressObjectType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Public IP Address." - } - }, - "publicIpPrefixResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "allowedValues": [ - "Dynamic", - "Static" - ], - "nullable": true, - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "availabilityZones": { - "type": "array", - "items": { - "type": "int" - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." - } - }, - "publicIPAddressVersion": { - "type": "string", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "nullable": true, - "metadata": { - "description": "Optional. IP address version." - } - }, - "dnsSettings": { - "$ref": "#/definitions/dnsSettingsType", - "nullable": true, - "metadata": { - "description": "Optional. The DNS settings of the public IP address." - } - }, - "ipTags": { - "type": "array", - "items": { - "$ref": "#/definitions/ipTagType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The list of tags associated with the public IP address." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "skuName": { - "type": "string", - "allowedValues": [ - "Basic", - "Standard" - ], - "nullable": true, - "metadata": { - "description": "Optional. Name of a public IP address SKU." - } - }, - "skuTier": { - "type": "string", - "allowedValues": [ - "Global", - "Regional" - ], - "nullable": true, - "metadata": { - "description": "Optional. Tier of a public IP address SKU." - } - }, - "ddosSettings": { - "$ref": "#/definitions/ddosSettingsType", - "nullable": true, - "metadata": { - "description": "Optional. The DDoS protection plan configuration associated with the public IP address." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Location for the Public IP resource." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create for the Public IP resource." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable usage telemetry for the Public IP module." - } - }, - "idleTimeoutInMinutes": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Idle timeout in minutes for the Public IP resource." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags" - }, - "description": "Optional. Tags to apply to the Public IP resource." - }, - "nullable": true - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Diagnostic settings for the Public IP resource." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided." - } - }, - "ddosSettingsType": { - "type": "object", - "properties": { - "ddosProtectionPlan": { - "type": "object", - "properties": { - "id": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The DDoS protection plan associated with the public IP address." - } - }, - "protectionMode": { - "type": "string", - "allowedValues": [ - "Enabled" - ], - "metadata": { - "description": "Required. The DDoS protection policy customizations." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0" - } - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, "diagnosticSettingLogsOnlyType": { "type": "object", "properties": { @@ -8293,72 +7683,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if only logs are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "dnsSettingsType": { - "type": "object", - "properties": { - "domainNameLabel": { - "type": "string", - "metadata": { - "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." - } - }, - "domainNameLabelScope": { - "type": "string", - "allowedValues": [ - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "nullable": true, - "metadata": { - "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." - } - }, - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." - } - }, - "reverseFqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0" - } - } - }, - "ipTagType": { - "type": "object", - "properties": { - "ipTagType": { - "type": "string", - "metadata": { - "description": "Required. The IP tag type." - } - }, - "tag": { - "type": "string", - "metadata": { - "description": "Required. The IP tag." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -8383,19 +7708,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -8470,7 +7788,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -8503,7 +7821,7 @@ } }, "publicIPAddressObject": { - "$ref": "#/definitions/publicIPAddressObjectType", + "type": "object", "defaultValue": { "name": "[format('{0}-pip', parameters('name'))]" }, @@ -8609,13 +7927,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/bastionHosts@2024-07-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -8629,7 +7944,11 @@ "items": { "type": "int" }, - "defaultValue": [], + "defaultValue": [ + 1, + 2, + 3 + ], "allowedValues": [ 1, 2, @@ -8662,7 +7981,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-bastionhost.{0}.{1}', replace('0.8.2', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-bastionhost.{0}.{1}', replace('0.7.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -8680,7 +7999,7 @@ }, "azureBastion": { "type": "Microsoft.Network/bastionHosts", - "apiVersion": "2025-01-01", + "apiVersion": "2024-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[coalesce(parameters('tags'), createObject())]", @@ -8701,7 +8020,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "azureBastion" @@ -8764,8 +8083,8 @@ "publicIPAddress": { "condition": "[and(and(empty(parameters('bastionSubnetPublicIpResourceId')), not(equals(parameters('skuName'), 'Developer'))), not(parameters('enablePrivateOnlyBastion')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Bastion-PIP', uniqueString(subscription().id, resourceGroup().id, parameters('location')))]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -8787,18 +8106,6 @@ "diagnosticSettings": { "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]" }, - "ddosSettings": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'ddosSettings')]" - }, - "dnsSettings": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'dnsSettings')]" - }, - "idleTimeoutInMinutes": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'idleTimeoutInMinutes')]" - }, - "ipTags": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'ipTags')]" - }, "publicIPAddressVersion": { "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAddressVersion')]" }, @@ -8806,7 +8113,7 @@ "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAllocationMethod')]" }, "publicIpPrefixResourceId": { - "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIpPrefixResourceId')]" + "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId')]" }, "roleAssignments": { "value": "[tryGet(parameters('publicIPAddressObject'), 'roleAssignments')]" @@ -8820,8 +8127,8 @@ "tags": { "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]" }, - "availabilityZones": { - "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'availabilityZones'), if(not(empty(parameters('availabilityZones'))), parameters('availabilityZones'), null()))]" + "zones": { + "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'zones'), if(not(empty(parameters('availabilityZones'))), parameters('availabilityZones'), null()))]" } }, "template": { @@ -8831,8 +8138,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "16564959277054027786" + "version": "0.33.93.31351", + "templateHash": "5168739580767459761" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address." @@ -9049,7 +8356,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } }, @@ -9074,19 +8381,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } }, @@ -9161,7 +8461,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } } @@ -9191,7 +8491,7 @@ "description": "Optional. The public IP address allocation method." } }, - "availabilityZones": { + "zones": { "type": "array", "items": { "type": "int" @@ -9274,17 +8574,6 @@ "description": "Optional. The DDoS protection plan configuration associated with the public IP address." } }, - "deleteOption": { - "type": "string", - "nullable": true, - "allowedValues": [ - "Delete", - "Detach" - ], - "metadata": { - "description": "Optional. The delete option for the public IP address." - } - }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", @@ -9318,13 +8607,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "diagnosticSettings": { "type": "array", @@ -9363,7 +8649,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.10.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.8.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -9381,7 +8667,7 @@ }, "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2025-01-01", + "apiVersion": "2024-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -9389,7 +8675,7 @@ "name": "[parameters('skuName')]", "tier": "[parameters('skuTier')]" }, - "zones": "[map(parameters('availabilityZones'), lambda('zone', string(lambdaVariables('zone'))))]", + "zones": "[map(parameters('zones'), lambda('zone', string(lambdaVariables('zone'))))]", "properties": { "ddosSettings": "[parameters('ddosSettings')]", "dnsSettings": "[parameters('dnsSettings')]", @@ -9397,8 +8683,7 @@ "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", "publicIPPrefix": "[if(not(empty(parameters('publicIpPrefixResourceId'))), createObject('id', parameters('publicIpPrefixResourceId')), null())]", "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "ipTags": "[parameters('ipTags')]", - "deleteOption": "[parameters('deleteOption')]" + "ipTags": "[parameters('ipTags')]" } }, "publicIpAddress_lock": { @@ -9409,7 +8694,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "publicIpAddress" @@ -9513,7 +8798,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('publicIpAddress', '2025-01-01', 'full').location]" + "value": "[reference('publicIpAddress', '2024-05-01', 'full').location]" } } } @@ -9547,7 +8832,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('azureBastion', '2025-01-01', 'full').location]" + "value": "[reference('azureBastion', '2024-05-01', 'full').location]" }, "ipConfAzureBastionSubnet": { "type": "object", @@ -9631,8 +8916,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "14895287194406877557" + "version": "0.34.44.8038", + "templateHash": "16060601297152129929" }, "name": "Maintenance Configurations", "description": "This module deploys a Maintenance Configuration." @@ -9659,19 +8944,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -9746,7 +9024,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -9767,13 +9045,10 @@ }, "extensionProperties": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/properties/properties/extensionProperties" - }, "description": "Optional. Gets or sets extensionProperties of the maintenanceConfiguration." - }, - "defaultValue": {} + } }, "location": { "type": "string", @@ -9791,23 +9066,25 @@ }, "maintenanceScope": { "type": "string", + "defaultValue": "Host", + "allowedValues": [ + "Host", + "OSImage", + "Extension", + "InGuestPatch", + "SQLDB", + "SQLManagedInstance" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/properties/properties/maintenanceScope" - }, "description": "Optional. Gets or sets maintenanceScope of the configuration." - }, - "defaultValue": "Host" + } }, "maintenanceWindow": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/properties/properties/maintenanceWindow" - }, "description": "Optional. Definition of a MaintenanceWindow." - }, - "defaultValue": {} + } }, "namespace": { "type": "string", @@ -9828,33 +9105,29 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/tags" - }, "description": "Optional. Gets or sets tags of the resource." - }, - "nullable": true + } }, "visibility": { "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "Custom", + "Public" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/properties/properties/visibility" - }, "description": "Optional. Gets or sets the visibility of the configuration. The default value is 'Custom'." - }, - "nullable": true + } }, "installPatches": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Maintenance/maintenanceConfigurations@2023-04-01#properties/properties/properties/installPatches" - }, "description": "Optional. Configuration settings for VM guest patching with Azure Update Manager." - }, - "defaultValue": {} + } } }, "variables": { @@ -9878,8 +9151,8 @@ "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.maintenance-maintenanceconfiguration.{0}.{1}', replace('0.4.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.maintenance-maintenanceconfiguration.{0}.{1}', replace('0.3.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -9914,11 +9187,11 @@ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]", + "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "maintenanceConfiguration" @@ -9931,7 +9204,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name'))]", + "scope": "[format('Microsoft.Maintenance/maintenanceConfigurations/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Maintenance/maintenanceConfigurations', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -10000,7 +9273,7 @@ "enableTelemetry": { "value": "[parameters('enableTelemetry')]" }, - "location": "[if(variables('useExistingLogAnalytics'), createObject('value', reference('existingLogAnalyticsWorkspace', '2025-07-01', 'full').location), createObject('value', reference('logAnalyticsWorkspace').outputs.location.value))]", + "location": "[if(variables('useExistingLogAnalytics'), createObject('value', reference('existingLogAnalyticsWorkspace', '2020-08-01', 'full').location), createObject('value', reference('logAnalyticsWorkspace').outputs.location.value))]", "dataCollectionRuleProperties": { "value": { "kind": "Windows", @@ -10066,10 +9339,19 @@ { "name": "SecurityAuditEvents", "streams": [ - "Microsoft-Event" + "Microsoft-WindowsEvent" + ], + "eventLogName": "Security", + "eventTypes": [ + { + "eventType": "Audit Success" + }, + { + "eventType": "Audit Failure" + } ], "xPathQueries": [ - "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]" + "Security!*[System[(EventID=4624 or EventID=4625)]]" ] } ] @@ -10078,7 +9360,7 @@ "logAnalytics": [ { "workspaceResourceId": "[if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)]", - "name": "[variables('dcrLogAnalyticsDestinationName')]" + "name": "la--1264800308" } ] }, @@ -10088,20 +9370,10 @@ "Microsoft-Perf" ], "destinations": [ - "[variables('dcrLogAnalyticsDestinationName')]" + "la--1264800308" ], "transformKql": "source", "outputStream": "Microsoft-Perf" - }, - { - "streams": [ - "Microsoft-Event" - ], - "destinations": [ - "[variables('dcrLogAnalyticsDestinationName')]" - ], - "transformKql": "source", - "outputStream": "Microsoft-Event" } ] } @@ -10114,8 +9386,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "2441324888126124697" + "version": "0.36.177.2456", + "templateHash": "2876269346663744311" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule." @@ -10140,18 +9412,12 @@ }, "Direct": { "$ref": "#/definitions/directDcrPropertiesType" - }, - "WorkspaceTransforms": { - "$ref": "#/definitions/workspaceTransformsDcrPropertiesType" - }, - "PlatformTelemetry": { - "$ref": "#/definitions/platformTelemetryDcrPropertiesType" } } }, "metadata": { "__bicep_export!": true, - "description": "Required. The type for data collection rule properties. Depending on the kind, the properties will be different." + "description": "The type for data collection rule properties. Depending on the kind, the properties will be different." } }, "linuxDcrPropertiesType": { @@ -10163,33 +9429,24 @@ "Linux" ], "metadata": { - "description": "Required. The kind of the resource." + "description": "Required. The platform type specifies the type of resources this rule can apply to." } }, "dataSources": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataSources" - }, "description": "Required. Specification of data sources that will be collected." } }, "dataFlows": { "type": "array", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, "description": "Required. The specification of data flows." } }, "destinations": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations" - }, "description": "Required. Specification of destinations that can be used in data flows." } }, @@ -10202,13 +9459,10 @@ }, "streamDeclarations": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/streamDeclarations" - }, "description": "Optional. Declaration of custom streams used in this rule." - }, - "nullable": true + } }, "description": { "type": "string", @@ -10231,33 +9485,24 @@ "Windows" ], "metadata": { - "description": "Required. The kind of the resource." + "description": "Required. The platform type specifies the type of resources this rule can apply to." } }, "dataSources": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataSources" - }, "description": "Required. Specification of data sources that will be collected." } }, "dataFlows": { "type": "array", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, "description": "Required. The specification of data flows." } }, "destinations": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations" - }, "description": "Required. Specification of destinations that can be used in data flows." } }, @@ -10270,13 +9515,10 @@ }, "streamDeclarations": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/streamDeclarations" - }, "description": "Optional. Declaration of custom streams used in this rule." - }, - "nullable": true + } }, "description": { "type": "string", @@ -10299,33 +9541,24 @@ "All" ], "metadata": { - "description": "Required. The kind of the resource." + "description": "Required. The platform type specifies the type of resources this rule can apply to." } }, "dataSources": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataSources" - }, "description": "Required. Specification of data sources that will be collected." } }, "dataFlows": { "type": "array", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, "description": "Required. The specification of data flows." } }, "destinations": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations" - }, "description": "Required. Specification of destinations that can be used in data flows." } }, @@ -10338,13 +9571,10 @@ }, "streamDeclarations": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/streamDeclarations" - }, "description": "Optional. Declaration of custom streams used in this rule." - }, - "nullable": true + } }, "description": { "type": "string", @@ -10367,7 +9597,7 @@ "AgentSettings" ], "metadata": { - "description": "Required. The kind of the resource." + "description": "Required. The platform type specifies the type of resources this rule can apply to." } }, "description": { @@ -10438,24 +9668,18 @@ "Direct" ], "metadata": { - "description": "Required. The kind of the resource." + "description": "Required. The platform type specifies the type of resources this rule can apply to." } }, "dataFlows": { "type": "array", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, "description": "Required. The specification of data flows." } }, "destinations": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations" - }, "description": "Required. Specification of destinations that can be used in data flows." } }, @@ -10469,9 +9693,6 @@ "streamDeclarations": { "type": "object", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/streamDeclarations" - }, "description": "Required. Declaration of custom streams used in this rule." } }, @@ -10487,136 +9708,6 @@ "description": "The type for the properties of the 'Direct' data collection rule." } }, - "workspaceTransformsDcrPropertiesType": { - "type": "object", - "properties": { - "kind": { - "type": "string", - "allowedValues": [ - "WorkspaceTransforms" - ], - "metadata": { - "description": "Required. The kind of the resource." - } - }, - "dataFlows": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, - "description": "Required. The specification of data flows. Should include a separate dataflow for each table that will have a transformation. Use a where clause in the query if only certain records should be transformed." - } - }, - "destinations": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations" - }, - "description": "Required. Specification of destinations that can be used in data flows. For WorkspaceTransforms, only one Log Analytics workspace destination is supported." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Description of the data collection rule." - } - } - }, - "metadata": { - "description": "The type for the properties of the 'WorkspaceTransforms' data collection rule." - } - }, - "platformTelemetryDcrPropertiesType": { - "type": "object", - "properties": { - "kind": { - "type": "string", - "allowedValues": [ - "PlatformTelemetry" - ], - "metadata": { - "description": "Required. The kind of the resource." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Description of the data collection rule." - } - }, - "dataSources": { - "type": "object", - "properties": { - "platformTelemetry": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataSources/properties/platformTelemetry" - }, - "description": "Required. The list of platform telemetry configurations." - } - } - }, - "metadata": { - "description": "Required. Specification of data sources that will be collected." - } - }, - "destinations": { - "type": "object", - "properties": { - "logAnalytics": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations/properties/logAnalytics" - }, - "description": "Optional. The list of Log Analytics destinations." - }, - "nullable": true - }, - "storageAccounts": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations/properties/storageAccounts" - }, - "description": "Optional. The list of Storage Account destinations." - }, - "nullable": true - }, - "eventHubs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/destinations/properties/eventHubs" - }, - "description": "Optional. The list of Event Hub destinations." - }, - "nullable": true - } - }, - "metadata": { - "description": "Required. Specification of destinations. Choose a single destination type of either logAnalytics, storageAccounts, or eventHubs." - } - }, - "dataFlows": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/dataFlows" - }, - "description": "Required. The specification of data flows." - } - } - }, - "metadata": { - "description": "The type for the properties of the 'PlatformTelemetry' data collection rule." - } - }, "lockType": { "type": "object", "properties": { @@ -10638,19 +9729,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -10678,7 +9762,7 @@ "metadata": { "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -10753,7 +9837,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -10811,23 +9895,13 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/tags" - }, "description": "Optional. Resource tags." - }, - "nullable": true + } } }, "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { @@ -10837,15 +9911,14 @@ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" }, - "dataCollectionRulePropertiesUnion": "[union(createObject('description', tryGet(parameters('dataCollectionRuleProperties'), 'description')), if(contains(createArray('Linux', 'Windows', 'All', 'PlatformTelemetry'), parameters('dataCollectionRuleProperties').kind), createObject('dataSources', parameters('dataCollectionRuleProperties').dataSources), createObject()), if(contains(createArray('Linux', 'Windows', 'All', 'Direct', 'WorkspaceTransforms', 'PlatformTelemetry'), parameters('dataCollectionRuleProperties').kind), createObject('dataFlows', parameters('dataCollectionRuleProperties').dataFlows, 'destinations', parameters('dataCollectionRuleProperties').destinations), createObject()), if(contains(createArray('Linux', 'Windows', 'All', 'Direct', 'WorkspaceTransforms'), parameters('dataCollectionRuleProperties').kind), createObject('dataCollectionEndpointId', tryGet(parameters('dataCollectionRuleProperties'), 'dataCollectionEndpointResourceId'), 'streamDeclarations', tryGet(parameters('dataCollectionRuleProperties'), 'streamDeclarations')), createObject()), if(equals(parameters('dataCollectionRuleProperties').kind, 'AgentSettings'), createObject('agentSettings', parameters('dataCollectionRuleProperties').agentSettings), createObject()))]", - "enableReferencedModulesTelemetry": false + "dataCollectionRulePropertiesUnion": "[union(createObject('description', tryGet(parameters('dataCollectionRuleProperties'), 'description')), if(or(or(equals(parameters('dataCollectionRuleProperties').kind, 'Linux'), equals(parameters('dataCollectionRuleProperties').kind, 'Windows')), equals(parameters('dataCollectionRuleProperties').kind, 'All')), createObject('dataSources', parameters('dataCollectionRuleProperties').dataSources), createObject()), if(or(or(or(equals(parameters('dataCollectionRuleProperties').kind, 'Linux'), equals(parameters('dataCollectionRuleProperties').kind, 'Windows')), equals(parameters('dataCollectionRuleProperties').kind, 'All')), equals(parameters('dataCollectionRuleProperties').kind, 'Direct')), createObject('dataFlows', parameters('dataCollectionRuleProperties').dataFlows, 'destinations', parameters('dataCollectionRuleProperties').destinations, 'dataCollectionEndpointId', tryGet(parameters('dataCollectionRuleProperties'), 'dataCollectionEndpointResourceId'), 'streamDeclarations', tryGet(parameters('dataCollectionRuleProperties'), 'streamDeclarations')), createObject()), if(equals(parameters('dataCollectionRuleProperties').kind, 'AgentSettings'), createObject('agentSettings', parameters('dataCollectionRuleProperties').agentSettings), createObject()))]" }, "resources": { "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.insights-datacollectionrule.{0}.{1}', replace('0.11.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.insights-datacollectionrule.{0}.{1}', replace('0.6.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -10864,7 +9937,7 @@ "dataCollectionRule": { "condition": "[not(equals(parameters('dataCollectionRuleProperties').kind, 'All'))]", "type": "Microsoft.Insights/dataCollectionRules", - "apiVersion": "2024-03-11", + "apiVersion": "2023-03-11", "name": "[parameters('name')]", "kind": "[parameters('dataCollectionRuleProperties').kind]", "location": "[parameters('location')]", @@ -10875,18 +9948,18 @@ "dataCollectionRuleAll": { "condition": "[equals(parameters('dataCollectionRuleProperties').kind, 'All')]", "type": "Microsoft.Insights/dataCollectionRules", - "apiVersion": "2024-03-11", + "apiVersion": "2023-03-11", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "properties": "[variables('dataCollectionRulePropertiesUnion')]" }, - "dataCollectionRule_conditionalScopeLock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "dataCollectionRule_conditionalScopeResources": { + "condition": "[or(and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None'))), not(empty(coalesce(parameters('roleAssignments'), createArray()))))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-DCR-Lock', uniqueString(deployment().name, parameters('location')))]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-DCR-ConditionalScope', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -10894,8 +9967,14 @@ "mode": "Incremental", "parameters": { "dataCollectionRuleName": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), createObject('value', parameters('name')), createObject('value', parameters('name')))]", + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, "lock": { "value": "[parameters('lock')]" + }, + "roleAssignments": { + "value": "[parameters('roleAssignments')]" } }, "template": { @@ -10905,8 +9984,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "2876136109547890997" + "version": "0.36.177.2456", + "templateHash": "17062698556609624183" } }, "definitions": { @@ -10931,189 +10010,36 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } - } - }, - "parameters": { - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } }, - "dataCollectionRuleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Data Collection Rule to assign the role(s) to." - } - } - }, - "resources": { - "dataCollectionRule": { - "existing": true, - "type": "Microsoft.Insights/dataCollectionRules", - "apiVersion": "2024-03-11", - "name": "[parameters('dataCollectionRuleName')]" - }, - "dataCollectionRule_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('dataCollectionRuleName')))]", + "roleAssignmentType": { + "type": "object", "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - } - } - } - } - }, - "dependsOn": [ - "dataCollectionRule", - "dataCollectionRuleAll" - ] - }, - "dataCollectionRule_roleAssignments": { - "copy": { - "name": "dataCollectionRule_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-DCR-RoleAssignments-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "resourceId": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), createObject('value', resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))), createObject('value', resourceId('Microsoft.Insights/dataCollectionRules', parameters('name'))))]", - "name": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name')]" - }, - "roleDefinitionId": { - "value": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]" - }, - "principalId": { - "value": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]" - }, - "description": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]" - }, - "principalType": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "14634305923902101494" - }, - "name": "Resource-scoped role assignment", - "description": "This module deploys a Role Assignment for a specific resource." - }, - "parameters": { - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The scope for the role assignment, fully qualified resourceId." - } - }, - "name": { - "type": "string", - "defaultValue": "[guid(parameters('resourceId'), parameters('principalId'), if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))))]", - "metadata": { - "description": "Optional. The unique guid name for the role assignment." - } - }, - "roleDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. The role definition ID for the role assignment." - } - }, - "roleName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The name for the role, used for logging." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of role assignment." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "$fxv#0": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "scope": { - "type": "string" - }, "name": { - "type": "string" + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } }, - "roleDefinitionId": { - "type": "string" + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } }, "principalId": { - "type": "string" + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } }, "principalType": { "type": "string", @@ -11122,122 +10048,130 @@ "ForeignGroup", "Group", "ServicePrincipal", - "User", - "" + "User" ], - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The principal type of the assigned principal ID." } }, "description": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[[parameters('scope')]", - "name": "[[parameters('name')]", - "properties": { - "roleDefinitionId": "[[parameters('roleDefinitionId')]", - "principalId": "[[parameters('principalId')]", - "principalType": "[[parameters('principalType')]", - "description": "[[parameters('description')]" + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." } - } - ], - "outputs": { - "roleAssignmentId": { + }, + "condition": { "type": "string", - "value": "[[extensionResourceId(parameters('scope'), 'Microsoft.Authorization/roleAssignments', parameters('name'))]" - } - } - } - }, - "resources": [ - { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.ptn.authorization-resourceroleassignment.{0}.{1}', replace('0.1.2', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2023-07-01", - "name": "[format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('principalId'), parameters('roleDefinitionId')))]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "Outer" }, - "template": "[variables('$fxv#0')]", - "parameters": { - "scope": { - "value": "[parameters('resourceId')]" - }, - "name": { - "value": "[parameters('name')]" - }, - "roleDefinitionId": { - "value": "[if(contains(parameters('roleDefinitionId'), '/providers/Microsoft.Authorization/roleDefinitions/'), parameters('roleDefinitionId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId')))]" - }, - "principalId": { - "value": "[parameters('principalId')]" - }, - "principalType": { - "value": "[parameters('principalType')]" - }, - "description": { - "value": "[parameters('description')]" + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The GUID of the Role Assignment." + }, + "parameters": { + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" }, - "value": "[parameters('name')]" + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } }, - "roleName": { - "type": "string", + "builtInRoleNames": { + "type": "object", + "defaultValue": {}, "metadata": { - "description": "The name for the role, used for logging." - }, - "value": "[parameters('roleName')]" + "description": "Optional. Built-in role names." + } }, - "resourceId": { - "type": "string", + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { - "description": "The resource ID of the Role Assignment." - }, - "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-ResourceRoleAssignment', guid(parameters('resourceId'), parameters('principalId'), parameters('roleDefinitionId')))), '2023-07-01').outputs.roleAssignmentId.value]" + "description": "Optional. The lock settings of the service." + } }, - "resourceGroupName": { + "dataCollectionRuleName": { "type": "string", "metadata": { - "description": "The name of the resource group the role assignment was applied at." + "description": "Required. Name of the Data Collection Rule to assign the role(s) to." + } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(parameters('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ] + }, + "resources": { + "dataCollectionRule": { + "existing": true, + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2023-03-11", + "name": "[parameters('dataCollectionRuleName')]" + }, + "dataCollectionRule_roleAssignments": { + "copy": { + "name": "dataCollectionRule_roleAssignments", + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" }, - "value": "[resourceGroup().name]" + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('dataCollectionRuleName'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceGroup().id, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + } + }, + "dataCollectionRule_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', parameters('dataCollectionRuleName'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('dataCollectionRuleName')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + } } } } @@ -11275,7 +10209,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), reference('dataCollectionRuleAll', '2024-03-11', 'full').location, reference('dataCollectionRule', '2024-03-11', 'full').location)]" + "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), reference('dataCollectionRuleAll', '2023-03-11', 'full').location, reference('dataCollectionRule', '2023-03-11', 'full').location)]" }, "systemAssignedMIPrincipalId": { "type": "string", @@ -11283,27 +10217,7 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), tryGet(tryGet(if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), reference('dataCollectionRuleAll', '2024-03-11', 'full'), null()), 'identity'), 'principalId'), tryGet(tryGet(if(not(equals(parameters('dataCollectionRuleProperties').kind, 'All')), reference('dataCollectionRule', '2024-03-11', 'full'), null()), 'identity'), 'principalId'))]" - }, - "endpoints": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Insights/dataCollectionRules@2024-03-11#properties/properties/properties/endpoints", - "output": true - }, - "description": "The endpoints of the dataCollectionRule, if created." - }, - "nullable": true, - "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), tryGet(reference('dataCollectionRuleAll'), 'endpoints'), tryGet(reference('dataCollectionRule'), 'endpoints'))]" - }, - "immutableId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The ImmutableId of the dataCollectionRule." - }, - "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), tryGet(reference('dataCollectionRuleAll'), 'immutableId'), tryGet(reference('dataCollectionRule'), 'immutableId'))]" + "value": "[if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), tryGet(tryGet(if(equals(parameters('dataCollectionRuleProperties').kind, 'All'), reference('dataCollectionRuleAll', '2023-03-11', 'full'), null()), 'identity'), 'principalId'), tryGet(tryGet(if(not(equals(parameters('dataCollectionRuleProperties').kind, 'All')), reference('dataCollectionRule', '2023-03-11', 'full'), null()), 'identity'), 'principalId'))]" } } } @@ -11342,7 +10256,7 @@ "intent": { "value": { "vmSizes": [ - "[parameters('vmSize')]" + "[variables('virtualMachineSize')]" ] } } @@ -11354,8 +10268,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.37.4.10188", - "templateHash": "14590939924256334253" + "version": "0.36.177.2456", + "templateHash": "710462462329438227" }, "name": "Proximity Placement Groups", "description": "This module deploys a Proximity Placement Group." @@ -11382,19 +10296,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -11518,13 +10425,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/proximityPlacementGroups@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the proximity placement group resource." - }, - "nullable": true + } }, "availabilityZone": { "type": "int", @@ -11540,13 +10444,10 @@ }, "colocationStatus": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/proximityPlacementGroups@2024-11-01#properties/properties/properties/colocationStatus" - }, "description": "Optional. Describes colocation status of the Proximity Placement Group." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -11557,13 +10458,10 @@ }, "intent": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/proximityPlacementGroups@2024-11-01#properties/properties/properties/intent" - }, "description": "Optional. Specifies the user intent of the proximity placement group." - }, - "nullable": true + } } }, "variables": { @@ -11587,7 +10485,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.compute-proximityplacementgroup.{0}.{1}', replace('0.4.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.compute-proximityplacementgroup.{0}.{1}', replace('0.4.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -11624,7 +10522,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "proximityPlacementGroup" @@ -11716,13 +10614,13 @@ "value": "Windows" }, "vmSize": { - "value": "[parameters('vmSize')]" + "value": "[variables('virtualMachineSize')]" }, "adminUsername": { - "value": "[coalesce(parameters('vmAdminUsername'), 'JumpboxAdminUser')]" + "value": "[parameters('virtualMachineAdminUsername')]" }, "adminPassword": { - "value": "[coalesce(parameters('vmAdminPassword'), 'JumpboxAdminP@ssw0rd1234!')]" + "value": "[parameters('virtualMachineAdminPassword')]" }, "patchMode": { "value": "AutomaticByPlatform" @@ -11821,8 +10719,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "17174537341033050778" + "version": "0.36.177.2456", + "templateHash": "4862190245661245221" }, "name": "Virtual Machines", "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs." @@ -11925,13 +10823,6 @@ "metadata": { "description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk." } - }, - "resourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty." - } } }, "metadata": { @@ -12043,7 +10934,7 @@ "description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk." } }, - "resourceId": { + "id": { "type": "string", "nullable": true, "metadata": { @@ -12057,13 +10948,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/disks@2025-01-02#properties/tags" - }, "description": "Optional. The tags of the public IP address. Valid only when creating a new managed disk." - }, - "nullable": true + } } }, "metadata": { @@ -12550,160 +11438,6 @@ "description": "The type describing the network interface configuration output." } }, - "extensionCustomScriptConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the virtual machine extension. Defaults to `CustomScriptExtension`." - } - }, - "typeHandlerVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the version of the script handler. Defaults to `1.10` for Windows and `2.1` for Linux." - } - }, - "autoUpgradeMinorVersion": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. Defaults to `true`." - } - }, - "forceUpdateTag": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." - } - }, - "settings": { - "type": "object", - "properties": { - "commandToExecute": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Conditional. The entry point script to run. If the command contains any credentials, use the same property of the `protectedSettings` instead. Required if `protectedSettings.commandToExecute` is not provided." - } - }, - "fileUris": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. URLs for files to be downloaded. If URLs are sensitive, for example, if they contain keys, this field should be specified in `protectedSettings`." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The configuration of the custom script extension. Note: You can provide any property either in the `settings` or `protectedSettings` but not both. If your property contains secrets, use `protectedSettings`." - } - }, - "protectedSettings": { - "type": "secureObject", - "properties": { - "commandToExecute": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Conditional. The entry point script to run. Use this property if your command contains secrets such as passwords or if your file URIs are sensitive. Required if `settings.commandToExecute` is not provided." - } - }, - "storageAccountName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of storage account. If you specify storage credentials, all fileUris values must be URLs for Azure blobs.." - } - }, - "storageAccountKey": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The access key of the storage account." - } - }, - "managedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity for downloading files. Must not be used in conjunction with the `storageAccountName` or `storageAccountKey` property. If you want to use the VM's system assigned identity, set the `value` to an empty string." - } - }, - "fileUris": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. URLs for files to be downloaded." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The configuration of the custom script extension. Note: You can provide any property either in the `settings` or `protectedSettings` but not both. If your property contains secrets, use `protectedSettings`." - } - }, - "supressFailures": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). Defaults to `false`." - } - }, - "enableAutomaticUpgrade": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. Defaults to `false`." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a 'CustomScriptExtension' extension." - } - }, "_1.applicationGatewayBackendAddressPoolsType": { "type": "object", "properties": { @@ -12856,7 +11590,7 @@ "type": "object", "properties": { "backendAddressPool": { - "$ref": "#/definitions/_1.subResourceType", + "$ref": "#/definitions/subResourceType", "nullable": true, "metadata": { "description": "Optional. A reference to backendAddressPool resource." @@ -12884,7 +11618,7 @@ } }, "frontendIPConfiguration": { - "$ref": "#/definitions/_1.subResourceType", + "$ref": "#/definitions/subResourceType", "nullable": true, "metadata": { "description": "Optional. A reference to frontend IP addresses." @@ -12937,24 +11671,6 @@ } } }, - "_1.subResourceType": { - "type": "object", - "properties": { - "id": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the sub resource." - } - } - }, - "metadata": { - "description": "The type for the sub resource.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1" - } - } - }, "_1.virtualNetworkTapType": { "type": "object", "properties": { @@ -13071,29 +11787,171 @@ } } }, - "_2.ipTagType": { + "_3.publicIPConfigurationType": { "type": "object", "properties": { - "ipTagType": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Public IP Address." + } + }, + "publicIPAddressResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID of the public IP address." + } + }, + "diagnosticSettings": { + "type": "array", + "items": { + "$ref": "#/definitions/diagnosticSettingFullType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Diagnostic settings for the public IP address." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The idle timeout in minutes." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the public IP address." + } + }, + "idleTimeoutInMinutes": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The idle timeout of the public IP address." + } + }, + "ddosSettings": { + "$ref": "#/definitions/_2.ddosSettingsType", + "nullable": true, + "metadata": { + "description": "Optional. The DDoS protection plan configuration associated with the public IP address." + } + }, + "dnsSettings": { + "$ref": "#/definitions/_2.dnsSettingsType", + "nullable": true, + "metadata": { + "description": "Optional. The DNS settings of the public IP address." + } + }, + "publicIPAddressVersion": { + "type": "string", + "allowedValues": [ + "IPv4", + "IPv6" + ], + "nullable": true, + "metadata": { + "description": "Optional. The public IP address version." + } + }, + "publicIPAllocationMethod": { + "type": "string", + "allowedValues": [ + "Dynamic", + "Static" + ], + "nullable": true, + "metadata": { + "description": "Optional. The public IP address allocation method." + } + }, + "publicIpPrefixResourceId": { "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." + } + }, + "publicIpNameSuffix": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name suffix of the public IP address resource." + } + }, + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Basic", + "Standard" + ], + "nullable": true, "metadata": { - "description": "Required. The IP tag type." + "description": "Optional. The SKU name of the public IP address." } }, - "tag": { + "skuTier": { "type": "string", + "allowedValues": [ + "Global", + "Regional" + ], + "nullable": true, "metadata": { - "description": "Required. The IP tag." + "description": "Optional. The SKU tier of the public IP address." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. The tags of the public IP address." + } + }, + "zones": { + "type": "array", + "allowedValues": [ + 1, + 2, + 3 + ], + "nullable": true, + "metadata": { + "description": "Optional. The zones of the public IP address." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for the module." } } }, "metadata": { + "description": "The type for the public IP address configuration.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0" + "sourceTemplate": "modules/nic-configuration.bicep" } } }, - "_3.diagnosticSettingFullType": { + "diagnosticSettingFullType": { "type": "object", "properties": { "name": { @@ -13211,418 +12069,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_3.lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_3.roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_4.publicIPConfigurationType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Public IP Address." - } - }, - "publicIPAddressResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the public IP address." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/_3.diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Diagnostic settings for the public IP address." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The idle timeout in minutes." - } - }, - "lock": { - "$ref": "#/definitions/_3.lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the public IP address." - } - }, - "idleTimeoutInMinutes": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The idle timeout of the public IP address." - } - }, - "ddosSettings": { - "$ref": "#/definitions/_2.ddosSettingsType", - "nullable": true, - "metadata": { - "description": "Optional. The DDoS protection plan configuration associated with the public IP address." - } - }, - "dnsSettings": { - "$ref": "#/definitions/_2.dnsSettingsType", - "nullable": true, - "metadata": { - "description": "Optional. The DNS settings of the public IP address." - } - }, - "publicIPAddressVersion": { - "type": "string", - "allowedValues": [ - "IPv4", - "IPv6" - ], - "nullable": true, - "metadata": { - "description": "Optional. The public IP address version." - } - }, - "publicIPAllocationMethod": { - "type": "string", - "allowedValues": [ - "Dynamic", - "Static" - ], - "nullable": true, - "metadata": { - "description": "Optional. The public IP address allocation method." - } - }, - "publicIpPrefixResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "publicIpNameSuffix": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name suffix of the public IP address resource." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/_3.roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "skuName": { - "type": "string", - "allowedValues": [ - "Basic", - "Standard" - ], - "nullable": true, - "metadata": { - "description": "Optional. The SKU name of the public IP address." - } - }, - "skuTier": { - "type": "string", - "allowedValues": [ - "Global", - "Regional" - ], - "nullable": true, - "metadata": { - "description": "Optional. The SKU tier of the public IP address." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags" - }, - "description": "Optional. The tags of the public IP address." - }, - "nullable": true - }, - "availabilityZones": { - "type": "array", - "allowedValues": [ - 1, - 2, - 3 - ], - "nullable": true, - "metadata": { - "description": "Optional. The zones of the public IP address." - } - }, - "ipTags": { - "type": "array", - "items": { - "$ref": "#/definitions/_2.ipTagType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The list of tags associated with the public IP address." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for the module." - } - } - }, - "metadata": { - "description": "The type for the public IP address configuration.", - "__bicep_imported_from!": { - "sourceTemplate": "modules/nic-configuration.bicep" - } - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -13691,7 +12138,7 @@ } }, "gatewayLoadBalancer": { - "$ref": "#/definitions/_1.subResourceType", + "$ref": "#/definitions/subResourceType", "nullable": true, "metadata": { "description": "Optional. The gateway load balancer settings." @@ -13729,7 +12176,7 @@ } }, "pipConfiguration": { - "$ref": "#/definitions/_4.publicIPConfigurationType", + "$ref": "#/definitions/_3.publicIPConfigurationType", "nullable": true, "metadata": { "description": "Optional. The public IP address configuration." @@ -13738,7 +12185,7 @@ "diagnosticSettings": { "type": "array", "items": { - "$ref": "#/definitions/_3.diagnosticSettingFullType" + "$ref": "#/definitions/diagnosticSettingFullType" }, "nullable": true, "metadata": { @@ -13747,13 +12194,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags" - }, "description": "Optional. The tags of the public IP address." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -13791,19 +12235,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -13831,7 +12268,7 @@ "metadata": { "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -13860,9 +12297,8 @@ } }, "metadata": { - "description": "The type for the network interface IP configuration output.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.3" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1" } } }, @@ -13937,7 +12373,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -13955,7 +12391,7 @@ "metadata": { "description": "The type for the sub resource.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.3" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1" } } } @@ -13982,20 +12418,22 @@ }, "encryptionAtHost": { "type": "bool", - "defaultValue": false, + "defaultValue": true, "metadata": { "description": "Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs." } }, "securityType": { "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "ConfidentialVM", + "TrustedLaunch" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines@2025-04-01#properties/properties/properties/securityProfile/properties/securityType" - }, "description": "Optional. Specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set." - }, - "nullable": true + } }, "secureBootEnabled": { "type": "bool", @@ -14012,14 +12450,10 @@ } }, "imageReference": { - "type": "object", + "$ref": "#/definitions/imageReferenceType", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines@2025-04-01#properties/properties/properties/storageProfile/properties/imageReference" - }, - "description": "Conditional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. Required if not creating the VM from an existing os-disk via the `osDisk.managedDisk.resourceId` parameter." - }, - "nullable": true + "description": "Required. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image." + } }, "plan": { "$ref": "#/definitions/planType", @@ -14060,16 +12494,15 @@ }, "adminUsername": { "type": "securestring", - "nullable": true, "metadata": { - "description": "Conditional. Administrator username. Required if no pre-existing OS-Disk is provided (osDisk.managedDisk.resourceId is not empty)." + "description": "Required. Administrator username." } }, "adminPassword": { "type": "securestring", "defaultValue": "", "metadata": { - "description": "Optional. When specifying a Windows Virtual Machine, and no pre-existing OS-Disk is provided (osDisk.managedDisk.resourceId is not empty), this value should be passed." + "description": "Optional. When specifying a Windows Virtual Machine, this value should be passed." } }, "userData": { @@ -14126,7 +12559,7 @@ "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars." } }, - "dedicatedHostResourceId": { + "dedicatedHostId": { "type": "string", "defaultValue": "", "metadata": { @@ -14135,12 +12568,13 @@ }, "licenseType": { "type": "string", - "nullable": true, + "defaultValue": "", "allowedValues": [ "RHEL_BYOS", "SLES_BYOS", "Windows_Client", - "Windows_Server" + "Windows_Server", + "" ], "metadata": { "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises." @@ -14355,10 +12789,13 @@ } }, "extensionCustomScriptConfig": { - "$ref": "#/definitions/extensionCustomScriptConfigType", - "nullable": true, + "type": "object", + "defaultValue": { + "enabled": false, + "fileData": [] + }, "metadata": { - "description": "Optional. The configuration for the [Custom Script] extension." + "description": "Optional. The configuration for the [Custom Script] extension. Must at least contain the [\"enabled\": true] property to be executed." } }, "extensionNvidiaGpuDriverWindows": { @@ -14395,6 +12832,13 @@ "description": "Optional. The guest configuration for the virtual machine. Needs the Guest Configuration extension to be enabled." } }, + "extensionCustomScriptProtectedSetting": { + "type": "secureObject", + "defaultValue": {}, + "metadata": { + "description": "Optional. An object that contains the extension specific protected settings." + } + }, "extensionGuestConfigurationExtensionProtectedSettings": { "type": "secureObject", "defaultValue": {}, @@ -14428,13 +12872,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -14443,6 +12884,20 @@ "description": "Optional. Enable/Disable usage telemetry for module." } }, + "baseTime": { + "type": "string", + "defaultValue": "[utcNow('u')]", + "metadata": { + "description": "Generated. Do not provide a value! This date value is used to generate a registration token." + } + }, + "sasTokenValidityLength": { + "type": "string", + "defaultValue": "PT8H", + "metadata": { + "description": "Optional. SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours." + } + }, "osType": { "type": "string", "allowedValues": [ @@ -14634,6 +13089,13 @@ "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), variables('additionalUnattendContentFormatted'))]", "winRM": "[if(not(empty(parameters('winRMListeners'))), createObject('listeners', parameters('winRMListeners')), null())]" }, + "accountSasProperties": { + "signedServices": "b", + "signedPermission": "r", + "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", + "signedResourceTypes": "o", + "signedProtocol": "https" + }, "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { @@ -14655,16 +13117,14 @@ "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]" - }, - "aadJoinSettings": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'settings'), createObject())]", - "filteredAadJoinSettings": "[if(and(contains(variables('aadJoinSettings'), 'mdmId'), empty(variables('aadJoinSettings').mdmId)), reduce(items(variables('aadJoinSettings')), createObject(), lambda('cur', 'item', if(equals(lambdaVariables('item').key, 'mdmId'), lambdaVariables('cur'), union(lambdaVariables('cur'), createObject(format('{0}', lambdaVariables('item').key), lambdaVariables('item').value))))), variables('aadJoinSettings'))]" + } }, "resources": { "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-07-01", - "name": "[format('46d3xbcp.res.compute-virtualmachine.{0}.{1}', replace('0.22.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.compute-virtualmachine.{0}.{1}', replace('0.17.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -14685,25 +13145,25 @@ "name": "managedDataDisks", "count": "[length(coalesce(parameters('dataDisks'), createArray()))]" }, - "condition": "[and(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'resourceId')), not(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'createOption'), 'Empty'), 'FromImage')))]", + "condition": "[empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'id'))]", "type": "Microsoft.Compute/disks", - "apiVersion": "2025-01-02", + "apiVersion": "2024-03-02", "name": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex(), 1), 2, '0')))]", "location": "[parameters('location')]", "sku": { "name": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType')]" }, "properties": { - "diskSizeGB": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskSizeGB')]", + "diskSizeGB": "[coalesce(parameters('dataDisks'), createArray())[copyIndex()].diskSizeGB]", "creationData": { - "createOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'createOption'), 'Empty')]" + "createOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'createoption'), 'Empty')]" }, "diskIOPSReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskIOPSReadWrite')]", "diskMBpsReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskMBpsReadWrite')]", "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "networkAccessPolicy": "[parameters('networkAccessPolicy')]" }, - "zones": "[if(and(not(equals(parameters('availabilityZone'), -1)), not(contains(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType'), ''), 'ZRS'))), array(string(parameters('availabilityZone'))), null())]", + "zones": "[if(and(not(equals(parameters('availabilityZone'), -1)), not(contains(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType'), 'ZRS'))), array(string(parameters('availabilityZone'))), null())]", "tags": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" }, "vm": { @@ -14719,7 +13179,11 @@ "hardwareProfile": { "vmSize": "[parameters('vmSize')]" }, - "securityProfile": "[shallowMerge(createArray(if(parameters('encryptionAtHost'), createObject('encryptionAtHost', parameters('encryptionAtHost')), createObject()), createObject('securityType', parameters('securityType'), 'uefiSettings', if(equals(parameters('securityType'), 'TrustedLaunch'), createObject('secureBootEnabled', parameters('secureBootEnabled'), 'vTpmEnabled', parameters('vTpmEnabled')), null()))))]", + "securityProfile": { + "encryptionAtHost": "[if(parameters('encryptionAtHost'), parameters('encryptionAtHost'), null())]", + "securityType": "[parameters('securityType')]", + "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), createObject('secureBootEnabled', parameters('secureBootEnabled'), 'vTpmEnabled', parameters('vTpmEnabled')), null())]" + }, "storageProfile": { "copy": [ { @@ -14727,28 +13191,30 @@ "count": "[length(coalesce(parameters('dataDisks'), createArray()))]", "input": { "lun": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'lun'), copyIndex('dataDisks'))]", - "name": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), last(split(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.resourceId, '/')), coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0'))))]", - "createOption": "[if(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty'), 'FromImage'), 'FromImage', if(or(not(equals(if(and(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')), not(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty'), 'FromImage'))), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null()), null())), not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')))), 'Attach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty')))]", - "deleteOption": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), 'Detach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'deleteOption'), 'Delete'))]", - "caching": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), 'None', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'caching'), 'ReadOnly'))]", - "diskSizeGB": "[if(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty'), 'FromImage'), null(), tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'diskSizeGB'))]", - "managedDisk": "[if(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty'), 'FromImage'), createObject('storageAccountType', tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'storageAccountType'), 'diskEncryptionSet', if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSetResourceId'))), createObject('id', coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.diskEncryptionSetResourceId), null())), createObject('id', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'), if(and(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')), not(equals(coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createOption'), 'Empty'), 'FromImage'))), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null())), 'diskEncryptionSet', if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSetResourceId'))), createObject('id', coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.diskEncryptionSetResourceId), null())))]" + "name": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id'))), last(split(coalesce(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.id, ''), '/')), coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0'))))]", + "createOption": "[if(or(not(equals(if(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id')), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null()), null())), not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id')))), 'Attach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createoption'), 'Empty'))]", + "deleteOption": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id'))), 'Detach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'deleteOption'), 'Delete'))]", + "caching": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id'))), 'None', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'caching'), 'ReadOnly'))]", + "managedDisk": { + "id": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id'), if(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'id')), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null()))]", + "diskEncryptionSet": "[if(contains(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSet'), createObject('id', coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id), null())]" + } } } ], "imageReference": "[parameters('imageReference')]", "osDisk": { - "name": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), last(split(parameters('osDisk').managedDisk.resourceId, '/')), coalesce(tryGet(parameters('osDisk'), 'name'), format('{0}-disk-os-01', parameters('name'))))]", - "createOption": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'Attach', coalesce(tryGet(parameters('osDisk'), 'createOption'), 'FromImage'))]", - "osType": "[parameters('osType')]", - "deleteOption": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'Detach', coalesce(tryGet(parameters('osDisk'), 'deleteOption'), 'Delete'))]", + "name": "[coalesce(tryGet(parameters('osDisk'), 'name'), format('{0}-disk-os-01', parameters('name')))]", + "createOption": "[coalesce(tryGet(parameters('osDisk'), 'createOption'), 'FromImage')]", + "deleteOption": "[coalesce(tryGet(parameters('osDisk'), 'deleteOption'), 'Delete')]", "diffDiskSettings": "[if(empty(coalesce(tryGet(parameters('osDisk'), 'diffDiskSettings'), createObject())), null(), createObject('option', 'Local', 'placement', parameters('osDisk').diffDiskSettings.placement))]", "diskSizeGB": "[tryGet(parameters('osDisk'), 'diskSizeGB')]", - "caching": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'None', coalesce(tryGet(parameters('osDisk'), 'caching'), 'ReadOnly'))]", + "caching": "[coalesce(tryGet(parameters('osDisk'), 'caching'), 'ReadOnly')]", "managedDisk": { "storageAccountType": "[tryGet(parameters('osDisk').managedDisk, 'storageAccountType')]", - "diskEncryptionSet": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'diskEncryptionSetResourceId'))), createObject('id', tryGet(parameters('osDisk').managedDisk, 'diskEncryptionSetResourceId')), null())]", - "id": "[tryGet(parameters('osDisk').managedDisk, 'resourceId')]" + "diskEncryptionSet": { + "id": "[tryGet(parameters('osDisk').managedDisk, 'diskEncryptionSetResourceId')]" + } } } }, @@ -14756,7 +13222,16 @@ "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]", "hibernationEnabled": "[parameters('hibernationEnabled')]" }, - "osProfile": "[if(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId')), createObject('computerName', parameters('computerName'), 'adminUsername', parameters('adminUsername'), 'adminPassword', parameters('adminPassword'), 'customData', if(not(empty(parameters('customData'))), base64(parameters('customData')), null()), 'windowsConfiguration', if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null()), 'linuxConfiguration', if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null()), 'secrets', parameters('certificatesToBeInstalled'), 'allowExtensionOperations', parameters('allowExtensionOperations')), null())]", + "osProfile": { + "computerName": "[parameters('computerName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "customData": "[if(not(empty(parameters('customData'))), base64(parameters('customData')), null())]", + "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null())]", + "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null())]", + "secrets": "[parameters('certificatesToBeInstalled')]", + "allowExtensionOperations": "[parameters('allowExtensionOperations')]" + }, "networkProfile": { "copy": [ { @@ -14786,8 +13261,8 @@ "priority": "[parameters('priority')]", "evictionPolicy": "[if(and(not(empty(parameters('priority'))), not(equals(parameters('priority'), 'Regular'))), parameters('evictionPolicy'), null())]", "billingProfile": "[if(and(not(empty(parameters('priority'))), not(empty(parameters('maxPriceForLowPriorityVm')))), createObject('maxPrice', json(parameters('maxPriceForLowPriorityVm'))), null())]", - "host": "[if(not(empty(parameters('dedicatedHostResourceId'))), createObject('id', parameters('dedicatedHostResourceId')), null())]", - "licenseType": "[parameters('licenseType')]", + "host": "[if(not(empty(parameters('dedicatedHostId'))), createObject('id', parameters('dedicatedHostId')), null())]", + "licenseType": "[if(not(empty(parameters('licenseType'))), parameters('licenseType'), null())]", "userData": "[if(not(empty(parameters('userData'))), base64(parameters('userData')), null())]" }, "dependsOn": [ @@ -14799,7 +13274,7 @@ "condition": "[not(empty(parameters('maintenanceConfigurationResourceId')))]", "type": "Microsoft.Maintenance/configurationAssignments", "apiVersion": "2023-04-01", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[format('{0}assignment', parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -14814,7 +13289,7 @@ "condition": "[not(empty(parameters('configurationProfile')))]", "type": "Microsoft.Automanage/configurationProfileAssignments", "apiVersion": "2022-05-04", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "default", "properties": { "configurationProfile": "[parameters('configurationProfile')]" @@ -14829,7 +13304,6 @@ "apiVersion": "2018-09-15", "name": "[format('shutdown-computevm-{0}', parameters('name'))]", "location": "[parameters('location')]", - "tags": "[coalesce(tryGet(parameters('autoShutdownConfig'), 'tags'), parameters('tags'))]", "properties": { "status": "[coalesce(tryGet(parameters('autoShutdownConfig'), 'status'), 'Disabled')]", "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", @@ -14851,8 +13325,8 @@ }, "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", "type": "Microsoft.Insights/dataCollectionRuleAssociations", - "apiVersion": "2024-03-11", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "apiVersion": "2023-03-11", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[parameters('extensionMonitoringAgentConfig').dataCollectionRuleAssociations[copyIndex()].name]", "properties": { "dataCollectionRuleId": "[parameters('extensionMonitoringAgentConfig').dataCollectionRuleAssociations[copyIndex()].dataCollectionRuleResourceId]" @@ -14862,20 +13336,11 @@ "vm_azureMonitorAgentExtension" ] }, - "cseIdentity": { - "condition": "[not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'managedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2024-11-30", - "subscriptionId": "[split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/')[2]]", - "resourceGroup": "[split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/')[4]]", - "name": "[last(split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/'))]" - }, "AzureWindowsBaseline": { "condition": "[not(empty(parameters('guestConfiguration')))]", "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments", - "apiVersion": "2024-04-05", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "apiVersion": "2020-06-25", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('guestConfiguration'), 'name'), 'AzureWindowsBaseline')]", "location": "[parameters('location')]", "properties": { @@ -14890,11 +13355,11 @@ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "vm" @@ -14907,7 +13372,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]", + "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -14928,7 +13393,7 @@ "count": "[length(parameters('nicConfigurations'))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-Nic-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -14981,8 +13446,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "5982155361487304817" + "version": "0.36.177.2456", + "templateHash": "2776867808756314911" } }, "definitions": { @@ -15118,15 +13583,12 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags" - }, "description": "Optional. The tags of the public IP address." - }, - "nullable": true + } }, - "availabilityZones": { + "zones": { "type": "array", "allowedValues": [ 1, @@ -15138,16 +13600,6 @@ "description": "Optional. The zones of the public IP address." } }, - "ipTags": { - "type": "array", - "items": { - "$ref": "#/definitions/ipTagType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The list of tags associated with the public IP address." - } - }, "enableTelemetry": { "type": "bool", "nullable": true, @@ -15282,13 +13734,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags" - }, "description": "Optional. The tags of the public IP address." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -15586,7 +14035,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -15778,19 +14227,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -15895,7 +14337,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -16047,7 +14489,7 @@ }, "condition": "[and(not(empty(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'))), empty(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIPAddressResourceId')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-publicIP-{1}', deployment().name, copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -16097,14 +14539,11 @@ "tags": { "value": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'tags'), parameters('tags'))]" }, - "availabilityZones": { - "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'availabilityZones')]" + "zones": { + "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'zones')]" }, "enableTelemetry": { "value": "[coalesce(coalesce(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'enableTelemetry'), tryGet(parameters('ipConfigurations')[copyIndex()], 'enableTelemetry')), parameters('enableTelemetry'))]" - }, - "ipTags": { - "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'ipTags')]" } }, "template": { @@ -16114,13 +14553,106 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "5349747633189946992" + "version": "0.33.93.31351", + "templateHash": "5168739580767459761" }, "name": "Public IP Addresses", "description": "This module deploys a Public IP Address." }, "definitions": { + "dnsSettingsType": { + "type": "object", + "properties": { + "domainNameLabel": { + "type": "string", + "metadata": { + "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." + } + }, + "domainNameLabelScope": { + "type": "string", + "allowedValues": [ + "NoReuse", + "ResourceGroupReuse", + "SubscriptionReuse", + "TenantReuse" + ], + "nullable": true, + "metadata": { + "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN." + } + }, + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone." + } + }, + "reverseFqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "ddosSettingsType": { + "type": "object", + "properties": { + "ddosProtectionPlan": { + "type": "object", + "properties": { + "id": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address." + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The DDoS protection plan associated with the public IP address." + } + }, + "protectionMode": { + "type": "string", + "allowedValues": [ + "Enabled" + ], + "metadata": { + "description": "Required. The DDoS protection policy customizations." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "ipTagType": { + "type": "object", + "properties": { + "ipTagType": { + "type": "string", + "metadata": { + "description": "Required. The IP tag type." + } + }, + "tag": { + "type": "string", + "metadata": { + "description": "Required. The IP tag." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, "diagnosticSettingFullType": { "type": "object", "properties": { @@ -16239,7 +14771,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } }, @@ -16264,19 +14796,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } }, @@ -16351,7 +14876,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } } } @@ -16372,15 +14897,16 @@ }, "publicIPAllocationMethod": { "type": "string", + "defaultValue": "Static", + "allowedValues": [ + "Dynamic", + "Static" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/publicIPAllocationMethod" - }, "description": "Optional. The public IP address allocation method." - }, - "defaultValue": "Static" + } }, - "availabilityZones": { + "zones": { "type": "array", "items": { "type": "int" @@ -16401,33 +14927,31 @@ }, "publicIPAddressVersion": { "type": "string", + "defaultValue": "IPv4", + "allowedValues": [ + "IPv4", + "IPv6" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/publicIPAddressVersion" - }, "description": "Optional. IP address version." - }, - "defaultValue": "IPv4" + } }, "dnsSettings": { - "type": "object", + "$ref": "#/definitions/dnsSettingsType", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/dnsSettings" - }, "description": "Optional. The DNS settings of the public IP address." - }, - "nullable": true + } }, "ipTags": { "type": "array", + "items": { + "$ref": "#/definitions/ipTagType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/ipTags" - }, "description": "Optional. The list of tags associated with the public IP address." - }, - "nullable": true + } }, "lock": { "$ref": "#/definitions/lockType", @@ -16438,43 +14962,32 @@ }, "skuName": { "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Basic", + "Standard" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/sku/properties/name" - }, "description": "Optional. Name of a public IP address SKU." - }, - "defaultValue": "Standard" + } }, "skuTier": { "type": "string", + "defaultValue": "Regional", + "allowedValues": [ + "Global", + "Regional" + ], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/sku/properties/tier" - }, "description": "Optional. Tier of a public IP address SKU." - }, - "defaultValue": "Regional" + } }, "ddosSettings": { - "type": "object", + "$ref": "#/definitions/ddosSettingsType", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/ddosSettings" - }, "description": "Optional. The DDoS protection plan configuration associated with the public IP address." - }, - "nullable": true - }, - "deleteOption": { - "type": "string", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/properties/properties/deleteOption" - }, - "description": "Optional. The delete option for the public IP address." - }, - "nullable": true + } }, "location": { "type": "string", @@ -16509,13 +15022,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "diagnosticSettings": { "type": "array", @@ -16554,7 +15064,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.12.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.8.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -16572,7 +15082,7 @@ }, "publicIpAddress": { "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2025-01-01", + "apiVersion": "2024-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -16580,7 +15090,7 @@ "name": "[parameters('skuName')]", "tier": "[parameters('skuTier')]" }, - "zones": "[map(parameters('availabilityZones'), lambda('zone', string(lambdaVariables('zone'))))]", + "zones": "[map(parameters('zones'), lambda('zone', string(lambdaVariables('zone'))))]", "properties": { "ddosSettings": "[parameters('ddosSettings')]", "dnsSettings": "[parameters('dnsSettings')]", @@ -16588,8 +15098,7 @@ "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", "publicIPPrefix": "[if(not(empty(parameters('publicIpPrefixResourceId'))), createObject('id', parameters('publicIpPrefixResourceId')), null())]", "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]", - "ipTags": "[parameters('ipTags')]", - "deleteOption": "[parameters('deleteOption')]" + "ipTags": "[parameters('ipTags')]" } }, "publicIpAddress_lock": { @@ -16600,7 +15109,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "publicIpAddress" @@ -16704,7 +15213,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('publicIpAddress', '2025-01-01', 'full').location]" + "value": "[reference('publicIpAddress', '2024-05-01', 'full').location]" } } } @@ -16712,7 +15221,7 @@ }, "networkInterface": { "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-NetworkInterface', deployment().name)]", "properties": { "expressionEvaluationOptions": { @@ -16768,8 +15277,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "272838238520810437" + "version": "0.34.44.8038", + "templateHash": "8196054567469390015" }, "name": "Network Interface", "description": "This module deploys a Network Interface." @@ -17193,8 +15702,7 @@ } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the network interface IP configuration output." + "__bicep_export!": true } }, "diagnosticSettingFullType": { @@ -17340,19 +15848,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -17448,13 +15949,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags" - }, "description": "Optional. Resource tags." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -17600,7 +16098,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-networkinterface.{0}.{1}', replace('0.5.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-networkinterface.{0}.{1}', replace('0.5.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -17628,7 +16126,7 @@ "name": "ipConfigurations", "count": "[length(parameters('ipConfigurations'))]", "input": { - "name": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'name'), format('ipconfig{0}', padLeft(add(copyIndex('ipConfigurations'), 1), 2, '0')))]", + "name": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'name'), format('ipconfig0{0}', add(copyIndex('ipConfigurations'), 1)))]", "properties": { "primary": "[if(equals(copyIndex('ipConfigurations'), 0), true(), false())]", "privateIPAllocationMethod": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAllocationMethod')]", @@ -17665,7 +16163,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "networkInterface" @@ -17805,7 +16303,7 @@ "vm_domainJoinExtension": { "condition": "[and(contains(parameters('extensionDomainJoinConfig'), 'enabled'), parameters('extensionDomainJoinConfig').enabled)]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-DomainJoin', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -17838,7 +16336,7 @@ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), false())]" }, "settings": { - "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'settings'), createObject('Name', tryGet(parameters('extensionDomainJoinConfig'), 'domainName'), 'OUPath', tryGet(parameters('extensionDomainJoinConfig'), 'ouPath'), 'User', tryGet(parameters('extensionDomainJoinConfig'), 'user'), 'Restart', tryGet(parameters('extensionDomainJoinConfig'), 'restart'), 'Options', tryGet(parameters('extensionDomainJoinConfig'), 'options')))]" + "value": "[parameters('extensionDomainJoinConfig').settings]" }, "supressFailures": { "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'supressFailures'), false())]" @@ -17859,8 +16357,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -17911,21 +16409,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -17945,45 +16443,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -17993,12 +16468,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -18029,7 +16502,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -18041,7 +16514,7 @@ "vm_aadJoinExtension": { "condition": "[parameters('extensionAadJoinConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-AADLogin', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -18071,7 +16544,9 @@ "enableAutomaticUpgrade": { "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'enableAutomaticUpgrade'), false())]" }, - "settings": "[if(not(empty(variables('filteredAadJoinSettings'))), createObject('value', variables('filteredAadJoinSettings')), createObject('value', null()))]", + "settings": { + "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'settings'), createObject())]" + }, "supressFailures": { "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'supressFailures'), false())]" }, @@ -18086,8 +16561,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -18138,21 +16613,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -18172,45 +16647,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -18220,12 +16672,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -18256,7 +16706,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -18269,7 +16719,7 @@ "vm_microsoftAntiMalwareExtension": { "condition": "[parameters('extensionAntiMalwareConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-MicrosoftAntiMalware', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -18318,8 +16768,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -18370,21 +16820,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -18404,45 +16854,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -18452,12 +16879,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -18488,7 +16913,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -18501,7 +16926,7 @@ "vm_azureMonitorAgentExtension": { "condition": "[parameters('extensionMonitoringAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-AzureMonitorAgent', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -18531,9 +16956,6 @@ "enableAutomaticUpgrade": { "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), false())]" }, - "settings": { - "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'settings'), createObject())]" - }, "supressFailures": { "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'supressFailures'), false())]" }, @@ -18548,8 +16970,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -18600,21 +17022,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -18634,45 +17056,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -18682,12 +17081,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -18718,7 +17115,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -18731,7 +17128,7 @@ "vm_dependencyAgentExtension": { "condition": "[parameters('extensionDependencyAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-DependencyAgent', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -18780,8 +17177,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -18832,21 +17229,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -18866,45 +17263,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -18914,12 +17288,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -18950,7 +17322,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -18963,7 +17335,7 @@ "vm_networkWatcherAgentExtension": { "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-NetworkWatcherAgent', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -19007,8 +17379,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -19059,21 +17431,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -19093,45 +17465,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -19141,12 +17490,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -19177,7 +17524,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -19190,7 +17537,7 @@ "vm_desiredStateConfigurationExtension": { "condition": "[parameters('extensionDSCConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -19242,8 +17589,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -19294,21 +17641,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -19328,45 +17675,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -19376,12 +17700,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -19412,7 +17734,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -19423,9 +17745,9 @@ ] }, "vm_customScriptExtension": { - "condition": "[not(empty(parameters('extensionCustomScriptConfig')))]", + "condition": "[parameters('extensionCustomScriptConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-CustomScriptExtension', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -19453,11 +17775,16 @@ "enableAutomaticUpgrade": { "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), false())]" }, - "forceUpdateTag": { - "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'forceUpdateTag')]" - }, - "provisionAfterExtensions": { - "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'provisionAfterExtensions')]" + "settings": { + "value": { + "copy": [ + { + "name": "fileUris", + "count": "[length(parameters('extensionCustomScriptConfig').fileData)]", + "input": "[if(contains(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')], 'storageAccountId'), format('{0}?{1}', parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri, listAccountSas(parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].storageAccountId, '2019-04-01', variables('accountSasProperties')).accountSasToken), parameters('extensionCustomScriptConfig').fileData[copyIndex('fileUris')].uri)]" + } + ] + } }, "supressFailures": { "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'supressFailures'), false())]" @@ -19465,14 +17792,8 @@ "tags": { "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'tags'), parameters('tags'))]" }, - "protectedSettingsFromKeyVault": { - "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettingsFromKeyVault')]" - }, - "settings": { - "value": "[shallowMerge(createArray(if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'commandToExecute'))), createObject('commandToExecute', tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'commandToExecute')), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'fileUris'))), createObject('fileUris', tryGet(parameters('extensionCustomScriptConfig'), 'settings', 'fileUris')), createObject())))]" - }, "protectedSettings": { - "value": "[shallowMerge(createArray(if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'commandToExecute'))), createObject('commandToExecute', tryGet(parameters('extensionCustomScriptConfig').protectedSettings, 'commandToExecute')), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'storageAccountName'))), createObject('storageAccountName', parameters('extensionCustomScriptConfig').protectedSettings.storageAccountName), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'storageAccountKey'))), createObject('storageAccountKey', parameters('extensionCustomScriptConfig').protectedSettings.storageAccountKey), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'fileUris'))), createObject('fileUris', parameters('extensionCustomScriptConfig').protectedSettings.fileUris), createObject()), if(not(equals(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'managedIdentityResourceId'), null())), createObject('managedIdentity', if(not(empty(tryGet(parameters('extensionCustomScriptConfig').protectedSettings, 'managedIdentityResourceId'))), createObject('clientId', reference('cseIdentity').clientId), createObject())), createObject())))]" + "value": "[parameters('extensionCustomScriptProtectedSetting')]" } }, "template": { @@ -19482,8 +17803,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -19534,21 +17855,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -19568,45 +17889,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -19616,12 +17914,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -19652,20 +17948,20 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } }, "dependsOn": [ - "cseIdentity", - "vm" + "vm", + "vm_desiredStateConfigurationExtension" ] }, "vm_azureDiskEncryptionExtension": { "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-AzureDiskEncryption', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -19715,8 +18011,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -19767,21 +18063,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -19801,45 +18097,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -19849,12 +18122,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -19885,7 +18156,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -19898,7 +18169,7 @@ "vm_nvidiaGpuDriverWindowsExtension": { "condition": "[parameters('extensionNvidiaGpuDriverWindows').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-NvidiaGpuDriverWindows', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -19944,8 +18215,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -19996,21 +18267,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -20030,45 +18301,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -20078,12 +18326,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -20114,7 +18360,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -20127,7 +18373,7 @@ "vm_hostPoolRegistrationExtension": { "condition": "[parameters('extensionHostPoolRegistration').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-HostPoolRegistration', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -20165,20 +18411,12 @@ "configurationFunction": "[parameters('extensionHostPoolRegistration').configurationFunction]", "properties": { "hostPoolName": "[parameters('extensionHostPoolRegistration').hostPoolName]", + "registrationInfoToken": "[parameters('extensionHostPoolRegistration').registrationInfoToken]", "aadJoin": true - } - } - }, - "protectedSettings": { - "value": { - "properties": { - "registrationInfoToken": "[parameters('extensionHostPoolRegistration').registrationInfoToken]" - } + }, + "supressFailures": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'supressFailures'), false())]" } }, - "supressFailures": { - "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'supressFailures'), false())]" - }, "tags": { "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'tags'), parameters('tags'))]" } @@ -20190,8 +18428,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -20242,21 +18480,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -20276,45 +18514,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -20324,12 +18539,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -20360,7 +18573,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -20373,7 +18586,7 @@ "vm_azureGuestConfigurationExtension": { "condition": "[parameters('extensionGuestConfigurationExtension').enabled]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-GuestConfiguration', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { @@ -20424,8 +18637,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3581830278162851734" + "version": "0.36.177.2456", + "templateHash": "3746146591166938391" }, "name": "Virtual Machine Extensions", "description": "This module deploys a Virtual Machine Extension." @@ -20476,21 +18689,21 @@ }, "forceUpdateTag": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed." } }, "settings": { "type": "object", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific settings." } }, "protectedSettings": { "type": "secureObject", - "nullable": true, + "defaultValue": {}, "metadata": { "description": "Optional. Any object that contains the extension specific protected settings." } @@ -20510,45 +18723,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "protectedSettingsFromKeyVault": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault" - }, - "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault." - }, - "nullable": true - }, - "provisionAfterExtensions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions" - }, - "description": "Optional. Collection of extension names after which this extension needs to be provisioned." - }, - "nullable": true + } } }, "resources": { "virtualMachine": { "existing": true, "type": "Microsoft.Compute/virtualMachines", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[parameters('virtualMachineName')]" }, "extension": { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2024-11-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -20558,12 +18748,10 @@ "typeHandlerVersion": "[parameters('typeHandlerVersion')]", "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]", "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]", - "forceUpdateTag": "[parameters('forceUpdateTag')]", - "settings": "[parameters('settings')]", - "protectedSettings": "[parameters('protectedSettings')]", - "suppressFailures": "[parameters('supressFailures')]", - "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]", - "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]" + "forceUpdateTag": "[if(not(empty(parameters('forceUpdateTag'))), parameters('forceUpdateTag'), null())]", + "settings": "[if(not(empty(parameters('settings'))), parameters('settings'), null())]", + "protectedSettings": "[if(not(empty(parameters('protectedSettings'))), parameters('protectedSettings'), null())]", + "suppressFailures": "[parameters('supressFailures')]" } } }, @@ -20594,7 +18782,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('extension', '2024-11-01', 'full').location]" + "value": "[reference('extension', '2022-11-01', 'full').location]" } } } @@ -20607,7 +18795,7 @@ "vm_backup": { "condition": "[not(empty(parameters('backupVaultName')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-VM-Backup', uniqueString(deployment().name, parameters('location')))]", "resourceGroup": "[parameters('backupVaultResourceGroup')]", "properties": { @@ -20644,8 +18832,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "17448691641471706096" + "version": "0.36.177.2456", + "templateHash": "4883720476465660475" }, "name": "Recovery Service Vaults Protection Container Protected Item", "description": "This module deploys a Recovery Services Vault Protection Container Protected Item." @@ -20710,7 +18898,7 @@ "resources": [ { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", - "apiVersion": "2025-02-01", + "apiVersion": "2023-01-01", "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -20857,8 +19045,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "18337341331267624582" + "version": "0.34.44.8038", + "templateHash": "4533956061065498344" }, "name": "Private DNS Zones", "description": "This module deploys a Private DNS zone." @@ -20875,13 +19063,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -20902,13 +19087,21 @@ }, "aRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "ipv4Address": { + "type": "string", + "metadata": { + "description": "Required. The IPv4 address of this A record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/aRecords" - }, "description": "Optional. The list of A records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -20927,13 +19120,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -20954,13 +19144,21 @@ }, "aaaaRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "ipv6Address": { + "type": "string", + "metadata": { + "description": "Required. The IPv6 address of this AAAA record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/aaaaRecords" - }, "description": "Optional. The list of AAAA records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -20979,13 +19177,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21006,13 +19201,18 @@ }, "cnameRecord": { "type": "object", + "properties": { + "cname": { + "type": "string", + "metadata": { + "description": "Required. The canonical name of the CNAME record." + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/cnameRecord" - }, "description": "Optional. The CNAME record in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -21031,13 +19231,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21058,13 +19255,27 @@ }, "mxRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "exchange": { + "type": "string", + "metadata": { + "description": "Required. The domain name of the mail host for this MX record." + } + }, + "preference": { + "type": "int", + "metadata": { + "description": "Required. The preference value for this MX record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/mxRecords" - }, "description": "Optional. The list of MX records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -21083,13 +19294,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21110,13 +19318,21 @@ }, "ptrRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "ptrdname": { + "type": "string", + "metadata": { + "description": "Required. The PTR target domain name for this PTR record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/ptrRecords" - }, "description": "Optional. The list of PTR records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -21135,13 +19351,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21162,13 +19375,54 @@ }, "soaRecord": { "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/soaRecord" + "properties": { + "email": { + "type": "string", + "metadata": { + "description": "Required. The email contact for this SOA record." + } }, - "description": "Optional. The SOA record in the record set." + "expireTime": { + "type": "int", + "metadata": { + "description": "Required. The expire time for this SOA record." + } + }, + "host": { + "type": "string", + "metadata": { + "description": "Required. The domain name of the authoritative name server for this SOA record." + } + }, + "minimumTtl": { + "type": "int", + "metadata": { + "description": "Required. The minimum value for this SOA record. By convention this is used to determine the negative caching duration." + } + }, + "refreshTime": { + "type": "int", + "metadata": { + "description": "Required. The refresh value for this SOA record." + } + }, + "retryTime": { + "type": "int", + "metadata": { + "description": "Required. The retry time for this SOA record." + } + }, + "serialNumber": { + "type": "int", + "metadata": { + "description": "Required. The serial number for this SOA record." + } + } }, - "nullable": true + "nullable": true, + "metadata": { + "description": "Optional. The SOA record in the record set." + } } }, "metadata": { @@ -21187,13 +19441,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21214,13 +19465,39 @@ }, "srvRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "priority": { + "type": "int", + "metadata": { + "description": "Required. The priority value for this SRV record." + } + }, + "weight": { + "type": "int", + "metadata": { + "description": "Required. The weight value for this SRV record." + } + }, + "port": { + "type": "int", + "metadata": { + "description": "Required. The port value for this SRV record." + } + }, + "target": { + "type": "string", + "metadata": { + "description": "Required. The target domain name for this SRV record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/srvRecords" - }, "description": "Optional. The list of SRV records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -21239,13 +19516,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata of the record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21266,13 +19540,24 @@ }, "txtRecords": { "type": "array", + "items": { + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The text value of this TXT record." + } + } + } + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/txtRecords" - }, "description": "Optional. The list of TXT records in the record set." - }, - "nullable": true + } } }, "metadata": { @@ -21314,13 +19599,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01#properties/tags" - }, "description": "Optional. Resource tags." - }, - "nullable": true + } }, "resolutionPolicy": { "type": "string", @@ -21360,19 +19642,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -21603,15 +19878,14 @@ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - }, - "enableReferencedModulesTelemetry": false + } }, "resources": { "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-privatednszone.{0}.{1}', replace('0.8.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.network-privatednszone.{0}.{1}', replace('0.7.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -21638,11 +19912,11 @@ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "privateDnsZone" @@ -21655,7 +19929,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -21676,7 +19950,7 @@ "count": "[length(coalesce(parameters('a'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-ARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -21701,9 +19975,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('a'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -21713,8 +19984,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "7372385900111002873" + "version": "0.34.44.8038", + "templateHash": "18243374258187942664" }, "name": "Private DNS Zone A record", "description": "This module deploys a Private DNS Zone A record." @@ -21811,23 +20082,17 @@ }, "aRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/aRecords" - }, "description": "Optional. The list of A records in the record set." - }, - "nullable": true + } }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -21836,13 +20101,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -21873,26 +20131,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonea.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -21916,7 +20154,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -21967,7 +20205,7 @@ "count": "[length(coalesce(parameters('aaaa'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-AAAARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -21992,9 +20230,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('aaaa'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -22004,8 +20239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "14405855828972373002" + "version": "0.34.44.8038", + "templateHash": "7322684246075092047" }, "name": "Private DNS Zone AAAA record", "description": "This module deploys a Private DNS Zone AAAA record." @@ -22102,23 +20337,17 @@ }, "aaaaRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/aaaaRecords" - }, "description": "Optional. The list of AAAA records in the record set." - }, - "nullable": true + } }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -22127,13 +20356,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -22164,26 +20386,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszoneaaaa.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -22207,7 +20409,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -22258,7 +20460,7 @@ "count": "[length(coalesce(parameters('cname'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-CNAMERecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -22283,9 +20485,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('cname'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -22295,8 +20494,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "13818627461335065928" + "version": "0.34.44.8038", + "templateHash": "5264706240021075859" }, "name": "Private DNS Zone CNAME record", "description": "This module deploys a Private DNS Zone CNAME record." @@ -22393,23 +20592,17 @@ }, "cnameRecord": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/cnameRecord" - }, "description": "Optional. A CNAME record." - }, - "nullable": true + } }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -22418,13 +20611,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -22455,26 +20641,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonecname.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -22498,7 +20664,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -22549,7 +20715,7 @@ "count": "[length(coalesce(parameters('mx'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-MXRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -22574,9 +20740,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('mx'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -22586,8 +20749,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "2977624679479439942" + "version": "0.34.44.8038", + "templateHash": "13758189936483275969" }, "name": "Private DNS Zone MX record", "description": "This module deploys a Private DNS Zone MX record." @@ -22684,23 +20847,17 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "mxRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/mxRecords" - }, "description": "Optional. The list of MX records in the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -22709,13 +20866,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -22746,26 +20896,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonemx.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -22789,7 +20919,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -22840,7 +20970,7 @@ "count": "[length(coalesce(parameters('ptr'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-PTRRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -22865,9 +20995,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('ptr'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -22877,8 +21004,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "15286275176817336979" + "version": "0.34.44.8038", + "templateHash": "11955164584650609753" }, "name": "Private DNS Zone PTR record", "description": "This module deploys a Private DNS Zone PTR record." @@ -22975,23 +21102,17 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "ptrRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/ptrRecords" - }, "description": "Optional. The list of PTR records in the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -23000,13 +21121,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -23037,26 +21151,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszoneptr.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -23080,7 +21174,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -23131,7 +21225,7 @@ "count": "[length(coalesce(parameters('soa'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-SOARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -23156,9 +21250,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('soa'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -23168,8 +21259,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "4837447718856535826" + "version": "0.34.44.8038", + "templateHash": "14626715835033259725" }, "name": "Private DNS Zone SOA record", "description": "This module deploys a Private DNS Zone SOA record." @@ -23266,23 +21357,17 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "soaRecord": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/soaRecord" - }, "description": "Optional. A SOA record." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -23291,13 +21376,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -23328,26 +21406,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonesoa.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -23371,7 +21429,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -23422,7 +21480,7 @@ "count": "[length(coalesce(parameters('srv'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-SRVRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -23447,9 +21505,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('srv'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -23459,8 +21514,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "15028912535488490265" + "version": "0.34.44.8038", + "templateHash": "6510442308165042737" }, "name": "Private DNS Zone SRV record", "description": "This module deploys a Private DNS Zone SRV record." @@ -23557,23 +21612,17 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "srvRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/srvRecords" - }, "description": "Optional. The list of SRV records in the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -23582,13 +21631,6 @@ "description": "Optional. The TTL (time-to-live) of the records in the record set." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "roleAssignments": { "type": "array", "items": { @@ -23619,26 +21661,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonesrv.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -23662,7 +21684,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -23713,7 +21735,7 @@ "count": "[length(coalesce(parameters('txt'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-TXTRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -23738,9 +21760,6 @@ }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('txt'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -23750,8 +21769,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "7641583415110009849" + "version": "0.34.44.8038", + "templateHash": "170623042781622569" }, "name": "Private DNS Zone TXT record", "description": "This module deploys a Private DNS Zone TXT record." @@ -23848,13 +21867,10 @@ }, "metadata": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/metadata" - }, "description": "Optional. The metadata attached to the record set." - }, - "nullable": true + } }, "ttl": { "type": "int", @@ -23865,19 +21881,9 @@ }, "txtRecords": { "type": "array", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/txtRecords" - }, "description": "Optional. The list of TXT records in the record set." - }, - "nullable": true - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." } }, "roleAssignments": { @@ -23910,26 +21916,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonetxt.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -23953,7 +21939,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]", + "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -24004,7 +21990,7 @@ "count": "[length(coalesce(parameters('virtualNetworkLinks'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateDnsZone-VNetLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -24032,9 +22018,6 @@ }, "resolutionPolicy": { "value": "[tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'resolutionPolicy')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -24044,20 +22027,13 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "7392770862892927923" + "version": "0.34.44.8038", + "templateHash": "725891200086243555" }, "name": "Private DNS Zone Virtual Network Link", "description": "This module deploys a Private DNS Zone Virtual Network Link." }, "parameters": { - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, "privateDnsZoneName": { "type": "string", "metadata": { @@ -24080,13 +22056,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "registrationEnabled": { "type": "bool", @@ -24110,26 +22083,6 @@ } }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.nw-privdnszonevnetlink.{0}.{1}', replace('0.1.0', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "privateDnsZone": { "existing": true, "type": "Microsoft.Network/privateDnsZones", @@ -24254,32 +22207,6 @@ "name": "[variables('aiFoundryAiServicesModelDeployment').sku.name]", "capacity": "[variables('aiFoundryAiServicesModelDeployment').sku.capacity]" } - }, - { - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').name]", - "model": { - "format": "[variables('aiFoundryAiServices4_1ModelDeployment').format]", - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').name]", - "version": "[variables('aiFoundryAiServices4_1ModelDeployment').version]" - }, - "raiPolicyName": "[variables('aiFoundryAiServices4_1ModelDeployment').raiPolicyName]", - "sku": { - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').sku.name]", - "capacity": "[variables('aiFoundryAiServices4_1ModelDeployment').sku.capacity]" - } - }, - { - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]", - "model": { - "format": "[variables('aiFoundryAiServicesReasoningModelDeployment').format]", - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]", - "version": "[variables('aiFoundryAiServicesReasoningModelDeployment').version]" - }, - "raiPolicyName": "[variables('aiFoundryAiServicesReasoningModelDeployment').raiPolicyName]", - "sku": { - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').sku.name]", - "capacity": "[variables('aiFoundryAiServicesReasoningModelDeployment').sku.capacity]" - } } ] }, @@ -24311,7 +22238,7 @@ "_generator": { "name": "bicep", "version": "0.44.1.10279", - "templateHash": "9937220877261080488" + "templateHash": "8388310902652207735" } }, "definitions": { @@ -24487,7 +22414,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -24591,7 +22518,7 @@ "cognitiveService": { "existing": true, "type": "Microsoft.CognitiveServices/accounts", - "apiVersion": "2025-12-01", + "apiVersion": "2025-06-01", "name": "[parameters('name')]" }, "cognitiveService_deployments": { @@ -24602,7 +22529,7 @@ "batchSize": 1 }, "type": "Microsoft.CognitiveServices/accounts/deployments", - "apiVersion": "2025-12-01", + "apiVersion": "2024-10-01", "name": "[format('{0}/{1}', parameters('name'), coalesce(tryGet(coalesce(parameters('deployments'), createArray())[copyIndex()], 'name'), format('{0}-deployments', parameters('name'))))]", "properties": { "model": "[coalesce(parameters('deployments'), createArray())[copyIndex()].model]", @@ -24689,32 +22616,6 @@ "name": "[variables('aiFoundryAiServicesModelDeployment').sku.name]", "capacity": "[variables('aiFoundryAiServicesModelDeployment').sku.capacity]" } - }, - { - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').name]", - "model": { - "format": "[variables('aiFoundryAiServices4_1ModelDeployment').format]", - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').name]", - "version": "[variables('aiFoundryAiServices4_1ModelDeployment').version]" - }, - "raiPolicyName": "[variables('aiFoundryAiServices4_1ModelDeployment').raiPolicyName]", - "sku": { - "name": "[variables('aiFoundryAiServices4_1ModelDeployment').sku.name]", - "capacity": "[variables('aiFoundryAiServices4_1ModelDeployment').sku.capacity]" - } - }, - { - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]", - "model": { - "format": "[variables('aiFoundryAiServicesReasoningModelDeployment').format]", - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]", - "version": "[variables('aiFoundryAiServicesReasoningModelDeployment').version]" - }, - "raiPolicyName": "[variables('aiFoundryAiServicesReasoningModelDeployment').raiPolicyName]", - "sku": { - "name": "[variables('aiFoundryAiServicesReasoningModelDeployment').sku.name]", - "capacity": "[variables('aiFoundryAiServicesReasoningModelDeployment').sku.capacity]" - } } ] }, @@ -24748,24 +22649,11 @@ "roleDefinitionIdOrName": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", "principalId": "[reference('userAssignedIdentity').outputs.principalId.value]", "principalType": "ServicePrincipal" - }, - { - "roleDefinitionIdOrName": "53ca6127-db72-4b80-b1b0-d745d6d5456d", - "principalId": "[variables('deployingUserPrincipalId')]", - "principalType": "[variables('deployerPrincipalType')]" - }, - { - "roleDefinitionIdOrName": "64702f94-c441-49e6-a78b-ef80e0188fee", - "principalId": "[variables('deployingUserPrincipalId')]", - "principalType": "[variables('deployerPrincipalType')]" } ] }, "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]", - "publicNetworkAccess": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", - "privateEndpoints": { - "value": [] - } + "publicNetworkAccess": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -27303,11 +25191,11 @@ "userAssignedIdentity" ] }, - "aiFoundryPrivateEndpoint": { + "aiServicesPrivateEndpoint": { "condition": "[and(parameters('enablePrivateNetworking'), not(variables('useExistingAiFoundryAiProject')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", - "name": "[take(format('pep-{0}-deployment', variables('aiFoundryAiServicesResourceName')), 64)]", + "name": "[take(format('avm.res.network.private-endpoint.pep-{0}', variables('aiFoundryAiServicesResourceName')), 64)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -27317,19 +25205,22 @@ "name": { "value": "[format('pep-{0}', variables('aiFoundryAiServicesResourceName'))]" }, - "customNetworkInterfaceName": { - "value": "[format('nic-{0}', variables('aiFoundryAiServicesResourceName'))]" - }, "location": { "value": "[parameters('location')]" }, - "tags": { - "value": "[parameters('tags')]" + "subnetResourceId": { + "value": "[reference('virtualNetwork').outputs.backendSubnetResourceId.value]" + }, + "customNetworkInterfaceName": { + "value": "[format('nic-{0}', variables('aiFoundryAiServicesResourceName'))]" + }, + "enableTelemetry": { + "value": "[parameters('enableTelemetry')]" }, "privateLinkServiceConnections": { "value": [ { - "name": "[format('pep-{0}-connection', variables('aiFoundryAiServicesResourceName'))]", + "name": "[format('pep-{0}', variables('aiFoundryAiServicesResourceName'))]", "properties": { "privateLinkServiceId": "[reference('aiFoundryAiServices').outputs.resourceId.value]", "groupIds": [ @@ -27357,8 +25248,8 @@ ] } }, - "subnetResourceId": { - "value": "[reference('virtualNetwork').outputs.backendSubnetResourceId.value]" + "tags": { + "value": "[parameters('tags')]" } }, "template": { @@ -27368,8 +25259,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "18436885663402767850" + "version": "0.34.44.8038", + "templateHash": "12389807800450456797" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint." @@ -27396,8 +25287,115 @@ } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a private dns zone group." + "__bicep_export!": true + } + }, + "ipConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "privateLinkServiceConnectionType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string array `[]`." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "customDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. FQDN that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." + } + } + }, + "metadata": { + "__bicep_export!": true } }, "lockType": { @@ -27421,19 +25419,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -27455,7 +25446,6 @@ } }, "metadata": { - "description": "The type of a private DNS zone group configuration.", "__bicep_imported_from!": { "sourceTemplate": "private-dns-zone-group/main.bicep" } @@ -27532,7 +25522,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -27569,23 +25559,13 @@ }, "ipConfigurations": { "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/ipConfigurations" - }, - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + "items": { + "$ref": "#/definitions/ipConfigurationType" }, - "nullable": true - }, - "ipVersionType": { - "type": "string", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/ipVersionType" - }, - "description": "Optional. Specifies the IP version type for the private IPs of the private endpoint. If not defined, this defaults to IPv4." - }, - "defaultValue": "IPv4" + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } }, "privateDnsZoneGroup": { "$ref": "#/definitions/privateDnsZoneGroupType", @@ -27620,43 +25600,40 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/tags" - }, "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - }, - "nullable": true + } }, "customDnsConfigs": { "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/customDnsConfigs" - }, "description": "Optional. Custom DNS configurations." - }, - "nullable": true + } }, "manualPrivateLinkServiceConnections": { "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/manualPrivateLinkServiceConnections" - }, "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." - }, - "nullable": true + } }, "privateLinkServiceConnections": { "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/privateLinkServiceConnections" - }, "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -27691,8 +25668,8 @@ "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.12.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.11.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -27710,7 +25687,7 @@ }, "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2025-05-01", + "apiVersion": "2024-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -27731,19 +25708,18 @@ "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", "subnet": { "id": "[parameters('subnetResourceId')]" - }, - "ipVersionType": "[parameters('ipVersionType')]" + } } }, "privateEndpoint_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "privateEndpoint" @@ -27756,7 +25732,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -27774,7 +25750,7 @@ "privateEndpoint_privateDnsZoneGroup": { "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { @@ -27799,8 +25775,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "9935179114830442414" + "version": "0.34.44.8038", + "templateHash": "13997305779829540948" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group." @@ -27824,8 +25800,7 @@ } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a private DNS zone group configuration." + "__bicep_export!": true } } }, @@ -27855,30 +25830,33 @@ } } }, + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigsVar", + "count": "[length(parameters('privateDnsZoneConfigs'))]", + "input": { + "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId, '/')))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId]" + } + } + } + ] + }, "resources": { "privateEndpoint": { "existing": true, "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2025-05-01", + "apiVersion": "2024-05-01", "name": "[parameters('privateEndpointName')]" }, "privateDnsZoneGroup": { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2025-05-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDnsZoneConfigs'))]", - "input": { - "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId, '/')))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId]" - } - } - } - ] + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigsVar')]" } } }, @@ -27939,15 +25917,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('privateEndpoint', '2025-05-01', 'full').location]" + "value": "[reference('privateEndpoint', '2024-05-01', 'full').location]" }, "customDnsConfigs": { "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/customDnsConfigs", - "output": true - }, "description": "The custom DNS configurations of the private endpoint." }, "value": "[reference('privateEndpoint').customDnsConfigs]" @@ -27975,8 +25952,8 @@ }, "dependsOn": [ "aiFoundryAiServices", - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]", + "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]", "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]", "virtualNetwork" ] @@ -28015,7 +25992,7 @@ "_generator": { "name": "bicep", "version": "0.44.1.10279", - "templateHash": "8001462637037527844" + "templateHash": "17583890660337391402" } }, "parameters": { @@ -28056,7 +26033,7 @@ "resources": [ { "type": "Microsoft.CognitiveServices/accounts/projects", - "apiVersion": "2025-12-01", + "apiVersion": "2025-06-01", "name": "[format('{0}/{1}', parameters('aiServicesName'), parameters('name'))]", "tags": "[parameters('tags')]", "location": "[parameters('location')]", @@ -28084,26 +26061,18 @@ }, "value": "[resourceId('Microsoft.CognitiveServices/accounts/projects', parameters('aiServicesName'), parameters('name'))]" }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. Principal ID of the AI project managed identity." - }, - "value": "[reference(resourceId('Microsoft.CognitiveServices/accounts/projects', parameters('aiServicesName'), parameters('name')), '2025-12-01', 'full').identity.principalId]" - }, "apiEndpoint": { "type": "string", "metadata": { "description": "Required. API endpoint for the AI project." }, - "value": "[reference(resourceId('Microsoft.CognitiveServices/accounts/projects', parameters('aiServicesName'), parameters('name')), '2025-12-01').endpoints['AI Foundry API']]" + "value": "[reference(resourceId('Microsoft.CognitiveServices/accounts/projects', parameters('aiServicesName'), parameters('name')), '2025-06-01').endpoints['AI Foundry API']]" } } } }, "dependsOn": [ - "aiFoundryAiServices", - "aiFoundryPrivateEndpoint" + "aiFoundryAiServices" ] }, "cosmosDb": { @@ -28145,7 +26114,7 @@ } ] }, - "sqlRoleDefinitions": { + "dataPlaneRoleDefinitions": { "value": [ { "roleName": "Cosmos DB SQL Data Contributor", @@ -28157,9 +26126,6 @@ "assignments": [ { "principalId": "[reference('userAssignedIdentity').outputs.principalId.value]" - }, - { - "principalId": "[variables('deployingUserPrincipalId')]" } ] } @@ -28175,7 +26141,7 @@ "privateEndpoints": "[if(parameters('enablePrivateNetworking'), createObject('value', createArray(createObject('name', format('pep-{0}', variables('cosmosDbResourceName')), 'customNetworkInterfaceName', format('nic-{0}', variables('cosmosDbResourceName')), 'privateDnsZoneGroup', createObject('privateDnsZoneGroupConfigs', createArray(createObject('privateDnsZoneResourceId', reference(format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cosmosDb)).outputs.resourceId.value))), 'service', 'Sql', 'subnetResourceId', reference('virtualNetwork').outputs.backendSubnetResourceId.value))), createObject('value', createArray()))]", "zoneRedundant": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]", "capabilitiesToAdd": "[if(parameters('enableRedundancy'), createObject('value', null()), createObject('value', createArray('EnableServerless')))]", - "enableAutomaticFailover": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]", + "automaticFailover": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]", "failoverLocations": "[if(parameters('enableRedundancy'), createObject('value', createArray(createObject('failoverPriority', 0, 'isZoneRedundant', true(), 'locationName', parameters('location')), createObject('failoverPriority', 1, 'isZoneRedundant', true(), 'locationName', variables('cosmosDbHaLocation')))), createObject('value', createArray(createObject('locationName', parameters('location'), 'failoverPriority', 0, 'isZoneRedundant', parameters('enableRedundancy')))))]" }, "template": { @@ -28185,8 +26151,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "1772014800591596213" + "version": "0.35.1.17967", + "templateHash": "8020152823352819436" }, "name": "Azure Cosmos DB account", "description": "This module deploys an Azure Cosmos DB account. The API used for the account is determined by the child resources that are deployed." @@ -28284,7 +26250,7 @@ "description": "The type for the failover location." } }, - "sqlRoleAssignmentType": { + "dataPlaneRoleAssignmentType": { "type": "object", "properties": { "name": { @@ -28305,13 +26271,6 @@ "metadata": { "description": "Required. The unique identifier for the associated Microsoft Entra ID principal to which access is being granted through this role-based access control assignment. The tenant ID for the principal is inferred using the tenant associated with the subscription." } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource id for which access is being granted through this Role Assignment. Defaults to the root of the database account, but can also be scoped to e.g., the container and database level." - } } }, "metadata": { @@ -28319,7 +26278,7 @@ "description": "The type for an Azure Cosmos DB for NoSQL native role-based access control assignment." } }, - "sqlRoleDefinitionType": { + "dataPlaneRoleDefinitionType": { "type": "object", "properties": { "name": { @@ -28340,9 +26299,9 @@ "items": { "type": "string" }, - "minLength": 1, + "nullable": true, "metadata": { - "description": "Required. An array of data actions that are allowed." + "description": "Optional. An array of data actions that are allowed." } }, "assignableScopes": { @@ -28358,7 +26317,7 @@ "assignments": { "type": "array", "items": { - "$ref": "#/definitions/nestedSqlRoleAssignmentType" + "$ref": "#/definitions/sqlRoleAssignmentType" }, "nullable": true, "metadata": { @@ -28371,6 +26330,178 @@ "description": "The type for an Azure Cosmos DB for NoSQL or Table native role-based access control definition." } }, + "sqlDatabaseType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the database ." + } + }, + "throughput": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Request units per second. Will be ignored if `autoscaleSettingsMaxThroughput` is used. Setting throughput at the database level is only recommended for development/test or when workload across all containers in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level. Defaults to 400." + } + }, + "autoscaleSettingsMaxThroughput": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Specifies the autoscale settings and represents maximum throughput the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If the value is not set, then autoscale will be disabled. Setting throughput at the database level is only recommended for development/test or when workload across all containers in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." + } + }, + "containers": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the container." + } + }, + "paths": { + "type": "array", + "items": { + "type": "string" + }, + "minLength": 1, + "maxLength": 3, + "metadata": { + "description": "Required. List of paths using which data within the container can be partitioned. For kind=MultiHash it can be up to 3. For anything else it needs to be exactly 1." + } + }, + "analyticalStorageTtl": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Default to 0. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." + } + }, + "autoscaleSettingsMaxThroughput": { + "type": "int", + "nullable": true, + "maxValue": 1000000, + "metadata": { + "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to null, then autoscale will be disabled. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level." + } + }, + "conflictResolutionPolicy": { + "type": "object", + "properties": { + "conflictResolutionPath": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The conflict resolution path in the case of LastWriterWins mode. Required if `mode` is set to 'LastWriterWins'." + } + }, + "conflictResolutionProcedure": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The procedure to resolve conflicts in the case of custom mode. Required if `mode` is set to 'Custom'." + } + }, + "mode": { + "type": "string", + "allowedValues": [ + "Custom", + "LastWriterWins" + ], + "metadata": { + "description": "Required. Indicates the conflict resolution mode." + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." + } + }, + "defaultTtl": { + "type": "int", + "nullable": true, + "minValue": -1, + "maxValue": 2147483647, + "metadata": { + "description": "Optional. Default to -1. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items don't expire by default." + } + }, + "indexingPolicy": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Indexing policy of the container." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "Hash", + "MultiHash" + ], + "nullable": true, + "metadata": { + "description": "Optional. Default to Hash. Indicates the kind of algorithm used for partitioning." + } + }, + "version": { + "type": "int", + "allowedValues": [ + 1, + 2 + ], + "nullable": true, + "metadata": { + "description": "Optional. Default to 1 for Hash and 2 for MultiHash - 1 is not allowed for MultiHash. Version of the partition key definition." + } + }, + "throughput": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Default to 400. Request Units per second. Will be ignored if autoscaleSettingsMaxThroughput is used." + } + }, + "uniqueKeyPolicyKeys": { + "type": "array", + "items": { + "type": "object", + "properties": { + "paths": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. List of paths must be unique for each document in the Azure Cosmos DB service." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. Set of containers to deploy in the database." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for an Azure Cosmos DB for NoSQL database." + } + }, "networkRestrictionType": { "type": "object", "properties": { @@ -28423,1380 +26554,562 @@ "metadata": { "description": "Optional. List of virtual network access control list (ACL) rules configured for the account." } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for the network restriction." + } + }, + "_1.privateEndpointCustomDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. FQDN that resolves to private endpoint IP address." + } }, - "networkAclBypassResourceIds": { + "ipAddresses": { "type": "array", "items": { "type": "string" }, - "nullable": true, "metadata": { - "description": "Optional. An array that contains the Resource Ids for Network Acl Bypass for the Cosmos DB account." + "description": "Required. A list of private IP addresses of the private endpoint." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the network restriction." + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } }, - "gremlinDatabaseType": { + "_1.privateEndpointIpConfigurationType": { "type": "object", "properties": { "name": { "type": "string", "metadata": { - "description": "Required. Name of the Gremlin database." + "description": "Required. The name of the resource that is unique within a resource group." } }, - "tags": { + "properties": { "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases@2024-11-15#properties/tags" + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } }, - "description": "Optional. Tags of the Gremlin database resource." - }, - "nullable": true - }, - "graphs": { - "type": "array", - "items": { - "$ref": "#/definitions/graphType" + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } }, - "nullable": true, - "metadata": { - "description": "Optional. Array of graphs to deploy in the Gremlin database." - } - }, - "maxThroughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." - } - }, - "throughput": { - "type": "int", - "nullable": true, "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." + "description": "Required. Properties of private endpoint IP configurations." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for a gremlin databae." + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } }, - "mongoDbType": { + "_1.privateEndpointPrivateDnsZoneGroupType": { "type": "object", "properties": { "name": { "type": "string", - "metadata": { - "description": "Required. Name of the mongodb database." - } - }, - "throughput": { - "type": "int", "nullable": true, "metadata": { - "description": "Optional. Request Units per second. Setting throughput at the database level is only recommended for development/test or when workload across all collections in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." + "description": "Optional. The name of the Private DNS Zone Group." } }, - "collections": { + "privateDnsZoneGroupConfigs": { "type": "array", "items": { - "$ref": "#/definitions/collectionType" + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS Zone Group config." + } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." + } + } + } }, - "nullable": true, "metadata": { - "description": "Optional. Collections in the mongodb database." + "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." } - }, - "autoscaleSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2025-04-15#properties/properties/properties/options/properties/autoscaleSettings" - }, - "description": "Optional. Specifies the Autoscale settings. Note: Either throughput or autoscaleSettings is required, but not both." - }, - "nullable": true - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true } }, "metadata": { - "__bicep_export!": true, - "description": "The type for a mongo databae." + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } }, - "sqlDatabaseType": { + "diagnosticSettingFullType": { "type": "object", "properties": { "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. Name of the SQL database ." + "description": "Optional. The name of the diagnostic setting." } }, - "containers": { + "logCategoriesAndGroups": { "type": "array", "items": { - "$ref": "#/definitions/containerType" + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } }, "nullable": true, "metadata": { - "description": "Optional. Array of containers to deploy in the SQL database." + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." } }, - "throughput": { - "type": "int", + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, "nullable": true, "metadata": { - "description": "Optional. Request units per second. Will be ignored if autoscaleSettingsMaxThroughput is used. Setting throughput at the database level is only recommended for development/test or when workload across all containers in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], "nullable": true, "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to null, then autoscale will be disabled. Setting throughput at the database level is only recommended for development/test or when workload across all containers in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." } }, - "tags": { - "type": "object", + "workspaceResourceId": { + "type": "string", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the SQL database resource." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a sql database." - } - }, - "tableType": { - "type": "object", - "properties": { - "name": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. Name of the table." + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." } }, - "tags": { - "type": "object", + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/tables@2025-04-15#properties/tags" - }, - "description": "Optional. Tags for the table." - }, - "nullable": true + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } }, - "maxThroughput": { - "type": "int", + "eventHubName": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored." + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." } }, - "throughput": { - "type": "int", + "marketplacePartnerResourceId": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`." + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for a table." + "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } }, - "cassandraStandaloneRoleAssignmentType": { + "lockType": { "type": "object", "properties": { "name": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The unique name of the role assignment." + "description": "Optional. Specify the name of lock." } }, - "roleDefinitionId": { + "kind": { "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, "metadata": { - "description": "Required. The unique identifier of the Azure Cosmos DB for Apache Cassandra native role-based access control definition." + "description": "Optional. Specify the type of lock." } - }, - "principalId": { - "type": "string", + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, "metadata": { - "description": "Required. The unique identifier for the associated Microsoft Entra ID principal to which access is being granted through this role-based access control assignment. The tenant ID for the principal is inferred using the tenant associated with the subscription." + "description": "Optional. Enables system assigned managed identity on the resource." } }, - "scope": { - "type": "string", + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { - "description": "Optional. The data plane resource path for which access is being granted through this role-based access control assignment. Defaults to the current account." + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for an Azure Cosmos DB for Apache Cassandra native role-based access control assignment." + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } }, - "cassandraRoleDefinitionType": { + "privateEndpointMultiServiceType": { "type": "object", "properties": { "name": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The unique identifier of the role-based access control definition." + "description": "Optional. The name of the private endpoint." } }, - "roleName": { + "location": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. A user-friendly name for the role-based access control definition. Must be unique for the database account." + "description": "Optional. The location to deploy the private endpoint to." } }, - "dataActions": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. An array of data actions that are allowed. Note: Valid data action strings are currently undocumented (API version 2025-05-01-preview). Expected to follow format similar to SQL RBAC once documented by Microsoft." - } - }, - "notDataActions": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. An array of data actions that are denied. Note: Unlike SQL RBAC, Cassandra supports deny rules for granular access control. Valid data action strings are currently undocumented (API version 2025-05-01-preview)." - } - }, - "assignableScopes": { - "type": "array", - "items": { - "type": "string" - }, + "privateLinkServiceConnectionName": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition." + "description": "Optional. The name of the private link connection to create." } }, - "assignments": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraRoleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. An array of role-based access control assignments to be created for the definition." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an Azure Cosmos DB for Apache Cassandra native role-based access control definition." - } - }, - "cassandraKeyspaceType": { - "type": "object", - "properties": { - "name": { + "service": { "type": "string", "metadata": { - "description": "Required. Name of the Cassandra keyspace." + "description": "Required. The subresource to deploy the private endpoint for. For example \"blob\", \"table\", \"queue\" or \"file\" for a Storage Account's Private Endpoints." } }, - "tables": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraTableType" - }, - "nullable": true, + "subnetResourceId": { + "type": "string", "metadata": { - "description": "Optional. Array of Cassandra tables to deploy in the keyspace." + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." } }, - "views": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraViewType" - }, + "resourceGroupResourceId": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Array of Cassandra views (materialized views) to deploy in the keyspace." + "description": "Optional. The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "privateDnsZoneGroup": { + "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", "nullable": true, "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. Setting throughput at the keyspace level is only recommended for development/test or when workload across all tables in the shared throughput keyspace is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the table level and not at the keyspace level." + "description": "Optional. The private DNS zone group to configure for the private endpoint." } }, - "throughput": { - "type": "int", + "isManualConnection": { + "type": "bool", "nullable": true, "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `autoscaleSettingsMaxThroughput`. Setting throughput at the keyspace level is only recommended for development/test or when workload across all tables in the shared throughput keyspace is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the table level and not at the keyspace level." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces@2024-11-15#properties/tags" - }, - "description": "Optional. Tags of the Cassandra keyspace resource." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an Azure Cosmos DB Cassandra keyspace." - } - }, - "defaultIdentityType": { - "type": "object", - "discriminator": { - "propertyName": "name", - "mapping": { - "FirstPartyIdentity": { - "$ref": "#/definitions/defaultIdentityFirstPartyType" - }, - "SystemAssignedIdentity": { - "$ref": "#/definitions/defaultIdentitySystemAssignedType" - }, - "UserAssignedIdentity": { - "$ref": "#/definitions/defaultIdentityUserAssignedType" - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the default identity." - } - }, - "defaultIdentityFirstPartyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "allowedValues": [ - "FirstPartyIdentity" - ], - "metadata": { - "description": "Required. The type of default identity to use." - } - } - } - }, - "defaultIdentitySystemAssignedType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "allowedValues": [ - "SystemAssignedIdentity" - ], - "metadata": { - "description": "Required. The type of default identity to use." - } - } - } - }, - "defaultIdentityUserAssignedType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "allowedValues": [ - "UserAssignedIdentity" - ], - "metadata": { - "description": "Required. The type of default identity to use." + "description": "Optional. If Manual Private Link Connection is required." } }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the user assigned identity to use as the default identity." - } - } - } - }, - "_1.privateEndpointCustomDnsConfigType": { - "type": "object", - "properties": { - "fqdn": { + "manualConnectionRequestMessage": { "type": "string", "nullable": true, + "maxLength": 140, "metadata": { - "description": "Optional. FQDN that resolves to private endpoint IP address." + "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." } }, - "ipAddresses": { + "customDnsConfigs": { "type": "array", "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.privateEndpointIpConfigurationType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } + "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.privateEndpointPrivateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", "nullable": true, "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." + "description": "Optional. Custom DNS configurations." } }, - "privateDnsZoneGroupConfigs": { + "ipConfigurations": { "type": "array", "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS Zone Group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - } + "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" }, - "metadata": { - "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "cassandraRoleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The unique identifier of the role assignment." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The unique identifier for the associated AAD principal." - } - }, - "scope": { - "type": "string", "nullable": true, "metadata": { - "description": "Optional. The data plane resource path for which access is being granted. Defaults to the current account." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "cassandra-role-definition/main.bicep" - } - } - }, - "cassandraTableType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the table." - } - }, - "schema": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/properties/properties/resource/properties/schema" - }, - "description": "Required. Schema definition for the table." + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/tags" - }, - "description": "Optional. Tags for the table." + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" }, - "nullable": true - }, - "defaultTtl": { - "type": "int", "nullable": true, "metadata": { - "description": "Optional. Default TTL (Time To Live) in seconds for data in the table." + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." } }, - "analyticalStorageTtl": { - "type": "int", + "customNetworkInterfaceName": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Analytical TTL for the table." + "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, - "throughput": { - "type": "int", + "lock": { + "$ref": "#/definitions/lockType", "nullable": true, "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput." + "description": "Optional. Specify the type of lock." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, "nullable": true, "metadata": { - "description": "Optional. Maximum autoscale throughput for the table. Cannot be used with throughput." - } - } - }, - "metadata": { - "description": "The type of a Cassandra table.", - "__bicep_imported_from!": { - "sourceTemplate": "cassandra-keyspace/main.bicep", - "originalIdentifier": "tableType" - } - } - }, - "cassandraViewType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the view." - } - }, - "viewDefinition": { - "type": "string", - "metadata": { - "description": "Required. View definition (CQL statement)." + "description": "Optional. Array of role assignments to create." } }, "tags": { "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views@2025-05-01-preview#properties/tags" - }, - "description": "Optional. Tags for the view." - }, - "nullable": true - }, - "throughput": { - "type": "int", "nullable": true, "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput." + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "enableTelemetry": { + "type": "bool", "nullable": true, "metadata": { - "description": "Optional. Maximum autoscale throughput for the view. Cannot be used with throughput." + "description": "Optional. Enable/Disable usage telemetry for module." } } }, "metadata": { - "description": "The type of a Cassandra view (materialized view).", + "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can NOT be assumed (i.e., for services that have more than one subresource, like Storage Account with Blob (blob, table, queue, file, ...).", "__bicep_imported_from!": { - "sourceTemplate": "cassandra-keyspace/main.bicep", - "originalIdentifier": "viewType" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, - "collectionType": { + "roleAssignmentType": { "type": "object", "properties": { "name": { "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", "nullable": true, "metadata": { - "description": "Optional. Request Units per second. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." - } - }, - "indexes": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/indexes" - }, - "description": "Required. Indexes for the collection." + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." } }, - "shardKey": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/shardKey" - }, - "description": "Required. ShardKey for the collection." - } - } - }, - "metadata": { - "description": "The type of a collection.", - "__bicep_imported_from!": { - "sourceTemplate": "mongodb-database/main.bicep" - } - } - }, - "containerType": { - "type": "object", - "properties": { - "name": { + "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. Name of the container." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "analyticalStorageTtl": { - "type": "int", - "nullable": true, + "principalId": { + "type": "string", "metadata": { - "description": "Optional. Default to 0. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." } }, - "conflictResolutionPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/conflictResolutionPolicy" - }, - "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." - }, - "nullable": true - }, - "defaultTtl": { - "type": "int", + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], "nullable": true, - "minValue": -1, - "maxValue": 2147483647, "metadata": { - "description": "Optional. Default to -1. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items don't expire by default." + "description": "Optional. The principal type of the assigned principal ID." } }, - "throughput": { - "type": "int", + "description": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Default to 400. Request Units per second. Will be ignored if autoscaleSettingsMaxThroughput is used. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." + "description": "Optional. The description of the role assignment." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "condition": { + "type": "string", "nullable": true, - "maxValue": 1000000, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to null, then autoscale will be disabled. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the SQL Database resource." - }, - "nullable": true - }, - "paths": { - "type": "array", - "items": { - "type": "string" - }, - "minLength": 1, - "maxLength": 3, "metadata": { - "description": "Required. List of paths using which data within the container can be partitioned. For kind=MultiHash it can be up to 3. For anything else it needs to be exactly 1." + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, - "indexingPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, - "description": "Optional. Indexing policy of the container." - }, - "nullable": true - }, - "uniqueKeyPolicyKeys": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/uniqueKeyPolicy/properties/uniqueKeys" - }, - "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." - }, - "nullable": true - }, - "kind": { + "conditionVersion": { "type": "string", "allowedValues": [ - "Hash", - "MultiHash" + "2.0" ], "nullable": true, "metadata": { - "description": "Optional. Default to Hash. Indicates the kind of algorithm used for partitioning." + "description": "Optional. Version of the condition." } }, - "version": { - "type": "int", - "allowedValues": [ - 1, - 2 - ], + "delegatedManagedIdentityResourceId": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Default to 1 for Hash and 2 for MultiHash - 1 is not allowed for MultiHash. Version of the partition key definition." + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, "metadata": { - "description": "The type of a container.", + "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "sql-database/main.bicep" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, - "customerManagedKeyAndVaultOnlyType": { + "sqlRoleAssignmentType": { "type": "object", "properties": { - "keyVaultResourceId": { + "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + "description": "Optional. Name unique identifier of the SQL Role Assignment." } }, - "keyName": { + "principalId": { "type": "string", "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." + "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." } } }, "metadata": { - "description": "An AVM-aligned type for a customer-managed key. To be used if only the key vault & key may be specified.", + "description": "The type for the SQL Role Assignments.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" + "sourceTemplate": "sql-role-definition/main.bicep" } } + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the account." + } }, - "diagnosticSettingFullType": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Defaults to the current resource group scope location. Location for all resources." + } + }, + "tags": { "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "graphType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the graph." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the Gremlin graph resource." - }, - "nullable": true - }, - "indexingPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, - "description": "Optional. Indexing policy of the graph." - }, - "nullable": true - }, - "partitionKeyPaths": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/partitionKey/properties/paths" - }, - "description": "Optional. List of paths using which data within the container can be partitioned." - }, - "nullable": true - } - }, - "metadata": { - "description": "The type of a graph.", - "__bicep_imported_from!": { - "sourceTemplate": "gremlin-database/main.bicep" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "nestedSqlRoleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name unique identifier of the SQL Role Assignment." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." - } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource id for which access is being granted through this Role Assignment. Defaults to the root of the database account, but can also be scoped to e.g., the container and database level." - } - } - }, - "metadata": { - "description": "The type for the SQL Role Assignments.", - "__bicep_imported_from!": { - "sourceTemplate": "sql-role-definition/main.bicep", - "originalIdentifier": "sqlRoleAssignmentType" - } - } - }, - "privateEndpointMultiServiceType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "privateLinkServiceConnectionName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private link connection to create." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The subresource to deploy the private endpoint for. For example \"blob\", \"table\", \"queue\" or \"file\" for a Storage Account's Private Endpoints." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "resourceGroupResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used." - } - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } - }, - "isManualConnection": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If Manual Private Link Connection is required." - } - }, - "manualConnectionRequestMessage": { - "type": "string", - "nullable": true, - "maxLength": 140, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-07-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can NOT be assumed (i.e., for services that have more than one subresource, like Storage Account with Blob (blob, table, queue, file, ...).", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the account." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Defaults to the current resource group scope location. Location for all resources." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts@2024-11-15#properties/tags" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.DocumentDB/databaseAccounts@2024-11-15#properties/tags" }, "description": "Optional. Tags for the resource." }, @@ -29864,7 +27177,7 @@ "description": "Optional. Flag to indicate whether to enable storage analytics. Defaults to false." } }, - "enableAutomaticFailover": { + "automaticFailover": { "type": "bool", "defaultValue": true, "metadata": { @@ -29938,9 +27251,6 @@ }, "mongodbDatabases": { "type": "array", - "items": { - "$ref": "#/definitions/mongoDbType" - }, "nullable": true, "metadata": { "description": "Optional. Configuration for databases when using Azure Cosmos DB for MongoDB RU." @@ -29948,9 +27258,6 @@ }, "gremlinDatabases": { "type": "array", - "items": { - "$ref": "#/definitions/gremlinDatabaseType" - }, "nullable": true, "metadata": { "description": "Optional. Configuration for databases when using Azure Cosmos DB for Apache Gremlin." @@ -29958,24 +27265,11 @@ }, "tables": { "type": "array", - "items": { - "$ref": "#/definitions/tableType" - }, "nullable": true, "metadata": { "description": "Optional. Configuration for databases when using Azure Cosmos DB for Table." } }, - "cassandraKeyspaces": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraKeyspaceType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Configuration for keyspaces when using Azure Cosmos DB for Apache Cassandra." - } - }, "enableTelemetry": { "type": "bool", "defaultValue": true, @@ -30007,46 +27301,26 @@ "description": "Optional. An array of control plane Azure role-based access control assignments." } }, - "sqlRoleDefinitions": { + "dataPlaneRoleDefinitions": { "type": "array", "items": { - "$ref": "#/definitions/sqlRoleDefinitionType" + "$ref": "#/definitions/dataPlaneRoleDefinitionType" }, "nullable": true, "metadata": { "description": "Optional. Configurations for Azure Cosmos DB for NoSQL native role-based access control definitions. Allows the creations of custom role definitions." } }, - "sqlRoleAssignments": { + "dataPlaneRoleAssignments": { "type": "array", "items": { - "$ref": "#/definitions/sqlRoleAssignmentType" + "$ref": "#/definitions/dataPlaneRoleAssignmentType" }, "nullable": true, "metadata": { "description": "Optional. Configurations for Azure Cosmos DB for NoSQL native role-based access control assignments." } }, - "cassandraRoleDefinitions": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraRoleDefinitionType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Configurations for Azure Cosmos DB for Apache Cassandra native role-based access control definitions. Allows the creations of custom role definitions." - } - }, - "cassandraRoleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraStandaloneRoleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Azure Cosmos DB for Apache Cassandra native data plane role-based access control assignments. Each assignment references a role definition unique identifier and a principal identifier." - } - }, "diagnosticSettings": { "type": "array", "items": { @@ -30161,70 +27435,6 @@ "metadata": { "description": "Optional. Setting that indicates the minimum allowed TLS version. Azure Cosmos DB for MongoDB RU and Apache Cassandra only work with TLS 1.2 or later. Defaults to \"Tls12\" (TLS 1.2)." } - }, - "enableBurstCapacity": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Flag to indicate enabling/disabling of Burst Capacity feature on the account. Cannot be enabled for serverless accounts." - } - }, - "enableCassandraConnector": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables the cassandra connector on the Cosmos DB C* account." - } - }, - "enablePartitionMerge": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag to enable/disable the 'Partition Merge' feature on the account." - } - }, - "enablePerRegionPerPartitionAutoscale": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag to enable/disable the 'PerRegionPerPartitionAutoscale' feature on the account." - } - }, - "analyticalStorageConfiguration": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts@2025-04-15#properties/properties/properties/analyticalStorageConfiguration" - }, - "description": "Optional. Analytical storage specific properties." - }, - "nullable": true - }, - "cors": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts@2025-04-15#properties/properties/properties/cors" - }, - "description": "Optional. The CORS policy for the Cosmos DB database account." - }, - "nullable": true - }, - "defaultIdentity": { - "$ref": "#/definitions/defaultIdentityType", - "defaultValue": { - "name": "FirstPartyIdentity" - }, - "metadata": { - "description": "Optional. The default identity for accessing key vault used in features like customer managed keys. Use `FirstPartyIdentity` to use the tenant-level CosmosDB enterprise application. The default identity needs to be explicitly set by the users." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyAndVaultOnlyType", - "nullable": true, - "metadata": { - "description": "Optional. The customer managed key definition. If specified, the parameter `defaultIdentity` must be configured as well." - } } }, "variables": { @@ -30237,7 +27447,7 @@ ], "enableReferencedModulesTelemetry": false, "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(variables('formattedUserAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(variables('formattedUserAssignedIdentities'))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInControlPlaneRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", @@ -30249,24 +27459,14 @@ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "isHSMManagedCMK": "[equals(tryGet(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), ''), '/'), 7), 'managedHSMs')]" + } }, "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(and(not(empty(parameters('customerManagedKey'))), not(variables('isHSMManagedCMK'))), and(not(empty(parameters('customerManagedKey'))), not(variables('isHSMManagedCMK'))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2024-11-01", - "subscriptionId": "[split(parameters('customerManagedKey').keyVaultResourceId, '/')[2]]", - "resourceGroup": "[split(parameters('customerManagedKey').keyVaultResourceId, '/')[4]]", - "name": "[format('{0}/{1}', last(split(parameters('customerManagedKey').keyVaultResourceId, '/')), parameters('customerManagedKey').keyName)]" - }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-07-01", - "name": "[format('46d3xbcp.res.documentdb-databaseaccount.{0}.{1}', replace('0.19.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.documentdb-databaseaccount.{0}.{1}', replace('0.15.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -30282,37 +27482,25 @@ } } }, - "cMKKeyVault": { - "condition": "[and(not(empty(parameters('customerManagedKey'))), not(variables('isHSMManagedCMK')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2024-11-01", - "subscriptionId": "[split(parameters('customerManagedKey').keyVaultResourceId, '/')[2]]", - "resourceGroup": "[split(parameters('customerManagedKey').keyVaultResourceId, '/')[4]]", - "name": "[last(split(parameters('customerManagedKey').keyVaultResourceId, '/'))]" - }, "databaseAccount": { "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "kind": "[if(not(empty(parameters('mongodbDatabases'))), 'MongoDB', 'GlobalDocumentDB')]", - "properties": "[shallowMerge(createArray(createObject('enableBurstCapacity', if(not(contains(coalesce(parameters('capabilitiesToAdd'), createArray()), 'EnableServerless')), parameters('enableBurstCapacity'), false()), 'databaseAccountOfferType', parameters('databaseAccountOfferType'), 'analyticalStorageConfiguration', parameters('analyticalStorageConfiguration'), 'defaultIdentity', if(and(not(empty(parameters('defaultIdentity'))), not(equals(tryGet(parameters('defaultIdentity'), 'name'), 'UserAssignedIdentity'))), parameters('defaultIdentity').name, format('UserAssignedIdentity={0}', tryGet(parameters('defaultIdentity'), 'resourceId'))), 'keyVaultKeyUri', if(not(empty(parameters('customerManagedKey'))), if(not(variables('isHSMManagedCMK')), format('{0}', reference('cMKKeyVault::cMKKey').keyUri), format('https://{0}.managedhsm.azure.net/keys/{1}', last(split(parameters('customerManagedKey').keyVaultResourceId, '/')), parameters('customerManagedKey').keyName)), null()), 'enablePartitionMerge', parameters('enablePartitionMerge'), 'enablePerRegionPerPartitionAutoscale', parameters('enablePerRegionPerPartitionAutoscale'), 'backupPolicy', shallowMerge(createArray(createObject('type', parameters('backupPolicyType')), if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject()), if(equals(parameters('backupPolicyType'), 'Periodic'), createObject('periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))), createObject()))), 'capabilities', map(coalesce(parameters('capabilitiesToAdd'), createArray()), lambda('capability', createObject('name', lambdaVariables('capability'))))), if(not(empty(parameters('cors'))), createObject('cors', parameters('cors')), createObject()), if(contains(coalesce(parameters('capabilitiesToAdd'), createArray()), 'EnableCassandra'), createObject('connectorOffer', if(parameters('enableCassandraConnector'), 'Small', null()), 'enableCassandraConnector', parameters('enableCassandraConnector')), createObject()), createObject('minimalTlsVersion', parameters('minimumTlsVersion'), 'capacity', createObject('totalThroughputLimit', parameters('totalThroughputLimit')), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Disabled'), 'locations', if(not(empty(parameters('failoverLocations'))), map(parameters('failoverLocations'), lambda('failoverLocation', createObject('failoverPriority', lambdaVariables('failoverLocation').failoverPriority, 'locationName', lambdaVariables('failoverLocation').locationName, 'isZoneRedundant', coalesce(tryGet(lambdaVariables('failoverLocation'), 'isZoneRedundant'), true())))), createArray(createObject('failoverPriority', 0, 'locationName', parameters('location'), 'isZoneRedundant', parameters('zoneRedundant'))))), if(or(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), not(empty(parameters('cassandraKeyspaces')))), createObject('consistencyPolicy', shallowMerge(createArray(createObject('defaultConsistencyLevel', parameters('defaultConsistencyLevel')), if(equals(parameters('defaultConsistencyLevel'), 'BoundedStaleness'), createObject('maxStalenessPrefix', parameters('maxStalenessPrefix'), 'maxIntervalInSeconds', parameters('maxIntervalInSeconds')), createObject()))), 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'ipRules', map(coalesce(tryGet(parameters('networkRestrictions'), 'ipRules'), createArray()), lambda('ipRule', createObject('ipAddressOrRange', lambdaVariables('ipRule')))), 'virtualNetworkRules', map(coalesce(tryGet(parameters('networkRestrictions'), 'virtualNetworkRules'), createArray()), lambda('rule', createObject('id', lambdaVariables('rule').subnetResourceId, 'ignoreMissingVNetServiceEndpoint', false()))), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'None'), 'networkAclBypassResourceIds', tryGet(parameters('networkRestrictions'), 'networkAclBypassResourceIds'), 'isVirtualNetworkFilterEnabled', or(not(empty(tryGet(parameters('networkRestrictions'), 'ipRules'))), not(empty(tryGet(parameters('networkRestrictions'), 'virtualNetworkRules')))), 'enableFreeTier', parameters('enableFreeTier'), 'enableAutomaticFailover', parameters('enableAutomaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), createObject()), if(or(or(not(empty(parameters('mongodbDatabases'))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('cassandraKeyspaces')))), createObject('disableLocalAuth', false(), 'disableKeyBasedMetadataWriteAccess', false()), createObject('disableLocalAuth', parameters('disableLocalAuthentication'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess'))), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject())))]", - "dependsOn": [ - "cMKKeyVault::cMKKey" - ] + "properties": "[shallowMerge(createArray(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType'), 'backupPolicy', shallowMerge(createArray(createObject('type', parameters('backupPolicyType')), if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject()), if(equals(parameters('backupPolicyType'), 'Periodic'), createObject('periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))), createObject()))), 'capabilities', map(coalesce(parameters('capabilitiesToAdd'), createArray()), lambda('capability', createObject('name', lambdaVariables('capability')))), 'minimalTlsVersion', parameters('minimumTlsVersion'), 'capacity', createObject('totalThroughputLimit', parameters('totalThroughputLimit')), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Disabled')), if(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), createObject('consistencyPolicy', shallowMerge(createArray(createObject('defaultConsistencyLevel', parameters('defaultConsistencyLevel')), if(equals(parameters('defaultConsistencyLevel'), 'BoundedStaleness'), createObject('maxStalenessPrefix', parameters('maxStalenessPrefix'), 'maxIntervalInSeconds', parameters('maxIntervalInSeconds')), createObject()))), 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'locations', if(not(empty(parameters('failoverLocations'))), map(parameters('failoverLocations'), lambda('failoverLocation', createObject('failoverPriority', lambdaVariables('failoverLocation').failoverPriority, 'locationName', lambdaVariables('failoverLocation').locationName, 'isZoneRedundant', coalesce(tryGet(lambdaVariables('failoverLocation'), 'isZoneRedundant'), true())))), createArray(createObject('failoverPriority', 0, 'locationName', parameters('location'), 'isZoneRedundant', parameters('zoneRedundant')))), 'ipRules', map(coalesce(tryGet(parameters('networkRestrictions'), 'ipRules'), createArray()), lambda('ipRule', createObject('ipAddressOrRange', lambdaVariables('ipRule')))), 'virtualNetworkRules', map(coalesce(tryGet(parameters('networkRestrictions'), 'virtualNetworkRules'), createArray()), lambda('rule', createObject('id', lambdaVariables('rule').subnetResourceId, 'ignoreMissingVNetServiceEndpoint', false()))), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'None'), 'isVirtualNetworkFilterEnabled', or(not(empty(tryGet(parameters('networkRestrictions'), 'ipRules'))), not(empty(tryGet(parameters('networkRestrictions'), 'virtualNetworkRules')))), 'enableFreeTier', parameters('enableFreeTier'), 'enableAutomaticFailover', parameters('automaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), createObject()), if(or(not(empty(parameters('mongodbDatabases'))), not(empty(parameters('gremlinDatabases')))), createObject('disableLocalAuth', false(), 'disableKeyBasedMetadataWriteAccess', false()), createObject('disableLocalAuth', parameters('disableLocalAuthentication'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess'))), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject())))]" }, "databaseAccount_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]", + "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "databaseAccount" @@ -30325,7 +27513,7 @@ }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]", + "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { "copy": [ @@ -30366,7 +27554,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]", + "scope": "[format('Microsoft.DocumentDB/databaseAccounts/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -30387,7 +27575,7 @@ "count": "[length(coalesce(parameters('sqlDatabases'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-sqldb-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('sqlDatabases'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { @@ -30418,133 +27606,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "3972888645334640168" + "version": "0.35.1.17967", + "templateHash": "6801379641184405078" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account." }, - "definitions": { - "containerType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the container." - } - }, - "analyticalStorageTtl": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Default to 0. Indicates how long data should be retained in the analytical store, for a container. Analytical store is enabled when ATTL is set with a value other than 0. If the value is set to -1, the analytical store retains all historical data, irrespective of the retention of the data in the transactional store." - } - }, - "conflictResolutionPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/conflictResolutionPolicy" - }, - "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." - }, - "nullable": true - }, - "defaultTtl": { - "type": "int", - "nullable": true, - "minValue": -1, - "maxValue": 2147483647, - "metadata": { - "description": "Optional. Default to -1. Default time to live (in seconds). With Time to Live or TTL, Azure Cosmos DB provides the ability to delete items automatically from a container after a certain time period. If the value is set to \"-1\", it is equal to infinity, and items don't expire by default." - } - }, - "throughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Default to 400. Request Units per second. Will be ignored if autoscaleSettingsMaxThroughput is used. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "nullable": true, - "maxValue": 1000000, - "metadata": { - "description": "Optional. Specifies the Autoscale settings and represents maximum throughput, the resource can scale up to. The autoscale throughput should have valid throughput values between 1000 and 1000000 inclusive in increments of 1000. If value is set to null, then autoscale will be disabled. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the container level and not at the database level." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the SQL Database resource." - }, - "nullable": true - }, - "paths": { - "type": "array", - "items": { - "type": "string" - }, - "minLength": 1, - "maxLength": 3, - "metadata": { - "description": "Required. List of paths using which data within the container can be partitioned. For kind=MultiHash it can be up to 3. For anything else it needs to be exactly 1." - } - }, - "indexingPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, - "description": "Optional. Indexing policy of the container." - }, - "nullable": true - }, - "uniqueKeyPolicyKeys": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/uniqueKeyPolicy/properties/uniqueKeys" - }, - "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." - }, - "nullable": true - }, - "kind": { - "type": "string", - "allowedValues": [ - "Hash", - "MultiHash" - ], - "nullable": true, - "metadata": { - "description": "Optional. Default to Hash. Indicates the kind of algorithm used for partitioning." - } - }, - "version": { - "type": "int", - "allowedValues": [ - 1, - 2 - ], - "nullable": true, - "metadata": { - "description": "Optional. Default to 1 for Hash and 2 for MultiHash - 1 is not allowed for MultiHash. Version of the partition key definition." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a container." - } - } - }, "parameters": { "databaseAccountName": { "type": "string", @@ -30561,7 +27628,7 @@ "containers": { "type": "array", "items": { - "$ref": "#/definitions/containerType" + "type": "object" }, "nullable": true, "metadata": { @@ -30584,25 +27651,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15#properties/tags" - }, "description": "Optional. Tags of the SQL database resource." - }, - "nullable": true + } } }, "resources": { "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, "sqlDatabase": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { @@ -30621,7 +27685,7 @@ "count": "[length(coalesce(parameters('containers'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-sqldb-{1}', uniqueString(deployment().name, parameters('name')), coalesce(parameters('containers'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { @@ -30674,8 +27738,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "4781880351108045502" + "version": "0.35.1.17967", + "templateHash": "5467755913632158534" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account." @@ -30708,17 +27772,14 @@ }, "conflictResolutionPolicy": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/conflictResolutionPolicy" - }, "description": "Optional. The conflict resolution policy for the container. Conflicts and conflict resolution policies are applicable if the Azure Cosmos DB account is configured with multiple write regions." - }, - "nullable": true + } }, "defaultTtl": { "type": "int", - "nullable": true, + "defaultValue": -1, "minValue": -1, "maxValue": 2147483647, "metadata": { @@ -30742,13 +27803,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/tags" - }, "description": "Optional. Tags of the SQL Database resource." - }, - "nullable": true + } }, "paths": { "type": "array", @@ -30763,23 +27821,17 @@ }, "indexingPolicy": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, "description": "Optional. Indexing policy of the container." - }, - "nullable": true + } }, "uniqueKeyPolicyKeys": { "type": "array", + "defaultValue": [], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2025-04-15#properties/properties/properties/resource/properties/uniqueKeyPolicy/properties/uniqueKeys" - }, "description": "Optional. The unique key policy configuration containing a list of unique keys that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service." - }, - "nullable": true + } }, "kind": { "type": "string", @@ -30811,28 +27863,29 @@ "count": "[length(parameters('paths'))]", "input": "[if(startsWith(parameters('paths')[copyIndex('partitionKeyPaths')], '/'), parameters('paths')[copyIndex('partitionKeyPaths')], format('/{0}', parameters('paths')[copyIndex('partitionKeyPaths')]))]" } - ] + ], + "containerResourceParams": "[union(createObject('conflictResolutionPolicy', parameters('conflictResolutionPolicy'), 'defaultTtl', parameters('defaultTtl'), 'id', parameters('name'), 'indexingPolicy', if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null()), 'partitionKey', createObject('paths', variables('partitionKeyPaths'), 'kind', parameters('kind'), 'version', if(equals(parameters('kind'), 'MultiHash'), 2, parameters('version'))), 'uniqueKeyPolicy', if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())), if(not(equals(parameters('analyticalStorageTtl'), 0)), createObject('analyticalStorageTtl', parameters('analyticalStorageTtl')), createObject()))]" }, "resources": { "databaseAccount::sqlDatabase": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('sqlDatabaseName'))]" }, "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, "container": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('sqlDatabaseName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { - "resource": "[shallowMerge(createArray(createObject('conflictResolutionPolicy', parameters('conflictResolutionPolicy'), 'id', parameters('name'), 'indexingPolicy', parameters('indexingPolicy'), 'partitionKey', createObject('paths', variables('partitionKeyPaths'), 'kind', parameters('kind'), 'version', if(equals(parameters('kind'), 'MultiHash'), 2, parameters('version'))), 'uniqueKeyPolicy', if(not(empty(parameters('uniqueKeyPolicyKeys'))), createObject('uniqueKeys', parameters('uniqueKeyPolicyKeys')), null())), if(not(equals(parameters('analyticalStorageTtl'), 0)), createObject('analyticalStorageTtl', parameters('analyticalStorageTtl')), createObject()), if(not(equals(parameters('defaultTtl'), null())), createObject('defaultTtl', parameters('defaultTtl')), createObject())))]", + "resource": "[variables('containerResourceParams')]", "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', if(and(equals(parameters('autoscaleSettingsMaxThroughput'), null()), not(equals(parameters('throughput'), -1))), parameters('throughput'), null()), 'autoscaleSettings', if(not(equals(parameters('autoscaleSettingsMaxThroughput'), null())), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null())))]" }, "dependsOn": [ @@ -30902,10 +27955,10 @@ "databaseAccount_sqlRoleDefinitions": { "copy": { "name": "databaseAccount_sqlRoleDefinitions", - "count": "[length(coalesce(parameters('sqlRoleDefinitions'), createArray()))]" + "count": "[length(coalesce(parameters('dataPlaneRoleDefinitions'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-sqlrd-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -30917,22 +27970,19 @@ "value": "[parameters('name')]" }, "name": { - "value": "[tryGet(coalesce(parameters('sqlRoleDefinitions'), createArray())[copyIndex()], 'name')]" + "value": "[tryGet(coalesce(parameters('dataPlaneRoleDefinitions'), createArray())[copyIndex()], 'name')]" }, "dataActions": { - "value": "[coalesce(parameters('sqlRoleDefinitions'), createArray())[copyIndex()].dataActions]" + "value": "[tryGet(coalesce(parameters('dataPlaneRoleDefinitions'), createArray())[copyIndex()], 'dataActions')]" }, "roleName": { - "value": "[coalesce(parameters('sqlRoleDefinitions'), createArray())[copyIndex()].roleName]" + "value": "[coalesce(parameters('dataPlaneRoleDefinitions'), createArray())[copyIndex()].roleName]" }, "assignableScopes": { - "value": "[tryGet(coalesce(parameters('sqlRoleDefinitions'), createArray())[copyIndex()], 'assignableScopes')]" + "value": "[tryGet(coalesce(parameters('dataPlaneRoleDefinitions'), createArray())[copyIndex()], 'assignableScopes')]" }, "sqlRoleAssignments": { - "value": "[tryGet(coalesce(parameters('sqlRoleDefinitions'), createArray())[copyIndex()], 'assignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[tryGet(coalesce(parameters('dataPlaneRoleDefinitions'), createArray())[copyIndex()], 'assignments')]" } }, "template": { @@ -30942,8 +27992,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "8514367433037227852" + "version": "0.35.1.17967", + "templateHash": "12119240119487993734" }, "name": "DocumentDB Database Account SQL Role Definitions.", "description": "This module deploys a SQL Role Definision in a CosmosDB Account." @@ -30964,13 +28014,6 @@ "metadata": { "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource id for which access is being granted through this Role Assignment. Defaults to the root of the database account, but can also be scoped to e.g., the container and database level." - } } }, "metadata": { @@ -31004,9 +28047,9 @@ "items": { "type": "string" }, - "minLength": 1, + "defaultValue": [], "metadata": { - "description": "Required. An array of data actions that are allowed." + "description": "Optional. An array of data actions that are allowed." } }, "assignableScopes": { @@ -31028,39 +28071,9 @@ "metadata": { "description": "Optional. An array of SQL Role Assignments to be created for the SQL Role Definition." } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } } }, - "variables": { - "enableReferencedModulesTelemetry": false - }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.doctdb-dbacct-sqlroledefinition.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", @@ -31070,7 +28083,7 @@ "sqlRoleDefinition": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), 'sql-role')))]", "properties": { "assignableScopes": "[coalesce(parameters('assignableScopes'), createArray(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]", "permissions": [ @@ -31088,7 +28101,7 @@ "count": "[length(coalesce(parameters('sqlRoleAssignments'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-sqlra-{1}', uniqueString(deployment().name), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -31099,17 +28112,14 @@ "databaseAccountName": { "value": "[parameters('databaseAccountName')]" }, - "roleDefinitionIdOrName": { - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]" + "roleDefinitionId": { + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), 'sql-role')))]" }, "principalId": { "value": "[coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()].principalId]" }, "name": { "value": "[tryGet(coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()], 'name')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" } }, "template": { @@ -31119,8 +28129,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "11817543900771838380" + "version": "0.35.1.17967", + "templateHash": "11941443499827753966" }, "name": "DocumentDB Database Account SQL Role Assignments.", "description": "This module deploys a SQL Role Assignment in a CosmosDB Account." @@ -31145,56 +28155,14 @@ "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." } }, - "roleDefinitionIdOrName": { + "roleDefinitionId": { "type": "string", "metadata": { "description": "Required. The unique identifier of the associated SQL Role Definition." } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource id for which access is being granted through this Role Assignment. Defaults to the root of the database account, but can also be scoped to e.g., the container and database level." - } } }, - "variables": { - "builtInDataPlaneRoleNames": { - "Cosmos DB Built-in Data Reader": "[format('{0}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]", - "Cosmos DB Built-in Data Contributor": "[format('{0}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]" - }, - "formattedRoleDefinition": "[coalesce(tryGet(variables('builtInDataPlaneRoleNames'), parameters('roleDefinitionIdOrName')), if(contains(parameters('roleDefinitionIdOrName'), '/sqlRoleDefinitions/'), parameters('roleDefinitionIdOrName'), format('{0}/sqlRoleDefinitions/{1}', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('roleDefinitionIdOrName'))))]", - "formattedScope": "[replace(replace(coalesce(parameters('scope'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))), '/sqlDatabases/', '/dbs/'), '/containers/', '/colls/')]" - }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.doctdb-dbacct-sqlroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", @@ -31204,11 +28172,11 @@ "sqlRoleAssignment": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope'))))]", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]", "properties": { "principalId": "[parameters('principalId')]", - "roleDefinitionId": "[variables('formattedRoleDefinition')]", - "scope": "[variables('formattedScope')]" + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]" } } }, @@ -31218,14 +28186,14 @@ "metadata": { "description": "The name of the SQL Role Assignment." }, - "value": "[coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope')))]" + "value": "[coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]" }, "resourceId": { "type": "string", "metadata": { "description": "The resource ID of the SQL Role Assignment." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope'))))]" + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]" }, "resourceGroupName": { "type": "string", @@ -31248,14 +28216,14 @@ "metadata": { "description": "The name of the SQL Role Definition." }, - "value": "[coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName')))]" + "value": "[coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), 'sql-role'))]" }, "resourceId": { "type": "string", "metadata": { "description": "The resource ID of the SQL Role Definition." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]" + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), 'sql-role')))]" }, "resourceGroupName": { "type": "string", @@ -31281,10 +28249,10 @@ "databaseAccount_sqlRoleAssignments": { "copy": { "name": "databaseAccount_sqlRoleAssignments", - "count": "[length(coalesce(parameters('sqlRoleAssignments'), createArray()))]" + "count": "[length(coalesce(parameters('dataPlaneRoleAssignments'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-sqlra-{1}', uniqueString(deployment().name), copyIndex())]", "properties": { "expressionEvaluationOptions": { @@ -31295,20 +28263,14 @@ "databaseAccountName": { "value": "[parameters('name')]" }, - "roleDefinitionIdOrName": { - "value": "[coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]" + "roleDefinitionId": { + "value": "[coalesce(parameters('dataPlaneRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]" }, "principalId": { - "value": "[coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()].principalId]" + "value": "[coalesce(parameters('dataPlaneRoleAssignments'), createArray())[copyIndex()].principalId]" }, "name": { - "value": "[tryGet(coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()], 'name')]" - }, - "scope": { - "value": "[tryGet(coalesce(parameters('sqlRoleAssignments'), createArray())[copyIndex()], 'scope')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": "[tryGet(coalesce(parameters('dataPlaneRoleAssignments'), createArray())[copyIndex()], 'name')]" } }, "template": { @@ -31318,8 +28280,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "11817543900771838380" + "version": "0.35.1.17967", + "templateHash": "11941443499827753966" }, "name": "DocumentDB Database Account SQL Role Assignments.", "description": "This module deploys a SQL Role Assignment in a CosmosDB Account." @@ -31344,56 +28306,14 @@ "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." } }, - "roleDefinitionIdOrName": { + "roleDefinitionId": { "type": "string", "metadata": { "description": "Required. The unique identifier of the associated SQL Role Definition." } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource id for which access is being granted through this Role Assignment. Defaults to the root of the database account, but can also be scoped to e.g., the container and database level." - } } }, - "variables": { - "builtInDataPlaneRoleNames": { - "Cosmos DB Built-in Data Reader": "[format('{0}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]", - "Cosmos DB Built-in Data Contributor": "[format('{0}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]" - }, - "formattedRoleDefinition": "[coalesce(tryGet(variables('builtInDataPlaneRoleNames'), parameters('roleDefinitionIdOrName')), if(contains(parameters('roleDefinitionIdOrName'), '/sqlRoleDefinitions/'), parameters('roleDefinitionIdOrName'), format('{0}/sqlRoleDefinitions/{1}', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('roleDefinitionIdOrName'))))]", - "formattedScope": "[replace(replace(coalesce(parameters('scope'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))), '/sqlDatabases/', '/dbs/'), '/containers/', '/colls/')]" - }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.doctdb-dbacct-sqlroleassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", @@ -31403,11 +28323,11 @@ "sqlRoleAssignment": { "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope'))))]", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]", "properties": { "principalId": "[parameters('principalId')]", - "roleDefinitionId": "[variables('formattedRoleDefinition')]", - "scope": "[variables('formattedScope')]" + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]" } } }, @@ -31417,14 +28337,14 @@ "metadata": { "description": "The name of the SQL Role Assignment." }, - "value": "[coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope')))]" + "value": "[coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]" }, "resourceId": { "type": "string", "metadata": { "description": "The resource ID of the SQL Role Assignment." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(variables('formattedRoleDefinition'), parameters('principalId'), variables('formattedScope'))))]" + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]" }, "resourceGroupName": { "type": "string", @@ -31437,19 +28357,17 @@ } }, "dependsOn": [ - "databaseAccount", - "databaseAccount_sqlDatabases", - "databaseAccount_sqlRoleDefinitions" + "databaseAccount" ] }, - "databaseAccount_cassandraRoleDefinitions": { + "databaseAccount_mongodbDatabases": { "copy": { - "name": "databaseAccount_cassandraRoleDefinitions", - "count": "[length(coalesce(parameters('cassandraRoleDefinitions'), createArray()))]" + "name": "databaseAccount_mongodbDatabases", + "count": "[length(coalesce(parameters('mongodbDatabases'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandra-rd-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-mongodb-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -31460,22 +28378,16 @@ "value": "[parameters('name')]" }, "name": { - "value": "[tryGet(coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()], 'name')]" - }, - "roleName": { - "value": "[coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()].roleName]" - }, - "dataActions": { - "value": "[tryGet(coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()], 'dataActions')]" + "value": "[coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()].name]" }, - "notDataActions": { - "value": "[tryGet(coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()], 'notDataActions')]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" }, - "assignableScopes": { - "value": "[tryGet(coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()], 'assignableScopes')]" + "collections": { + "value": "[tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'collections')]" }, - "cassandraRoleAssignments": { - "value": "[tryGet(coalesce(parameters('cassandraRoleDefinitions'), createArray())[copyIndex()], 'assignments')]" + "throughput": { + "value": "[tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'throughput')]" } }, "template": { @@ -31485,100 +28397,44 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "10787709019875067397" + "version": "0.35.1.17967", + "templateHash": "16911349070369924403" }, - "name": "DocumentDB Database Account Cassandra Role Definitions.", - "description": "This module deploys a Cassandra Role Definition in a CosmosDB Account." - }, - "definitions": { - "cassandraRoleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The unique identifier of the role assignment." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The unique identifier for the associated AAD principal." - } - }, - "scope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The data plane resource path for which access is being granted. Defaults to the current account." - } - } - }, - "metadata": { - "__bicep_export!": true - } - } + "name": "DocumentDB Database Account MongoDB Databases", + "description": "This module deploys a MongoDB Database within a CosmosDB Account." }, "parameters": { "databaseAccountName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." } }, "name": { "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The unique identifier of the Role Definition." - } - }, - "roleName": { - "type": "string", - "metadata": { - "description": "Required. A user-friendly name for the Role Definition. Must be unique for the database account." - } - }, - "dataActions": { - "type": "array", - "items": { - "type": "string" - }, - "defaultValue": [], "metadata": { - "description": "Optional. An array of data actions that are allowed. Note: Valid data action strings for Cassandra API are currently undocumented (as of API version 2025-05-01-preview). Please refer to official Azure documentation once available." + "description": "Required. Name of the mongodb database." } }, - "notDataActions": { - "type": "array", - "items": { - "type": "string" - }, - "defaultValue": [], + "throughput": { + "type": "int", + "defaultValue": 400, "metadata": { - "description": "Optional. An array of data actions that are denied. Note: Unlike SQL RBAC, Cassandra RBAC supports deny rules (notDataActions) for granular access control. Valid data action strings are currently undocumented (as of API version 2025-05-01-preview)." + "description": "Optional. Request Units per second. Setting throughput at the database level is only recommended for development/test or when workload across all collections in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." } }, - "assignableScopes": { + "collections": { "type": "array", - "items": { - "type": "string" - }, "nullable": true, "metadata": { - "description": "Optional. A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Keyspace. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. Defaults to the current account." + "description": "Optional. Collections in the mongodb database." } }, - "cassandraRoleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/cassandraRoleAssignmentType" - }, + "tags": { + "type": "object", "nullable": true, "metadata": { - "description": "Optional. An array of Cassandra Role Assignments to be created for the Cassandra Role Definition." + "description": "Optional. Tags of the resource." } } }, @@ -31589,30 +28445,29 @@ "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, - "cassandraRoleDefinition": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraRoleDefinitions", - "apiVersion": "2025-05-01-preview", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]", + "mongodbDatabase": { + "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", + "apiVersion": "2024-11-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", + "tags": "[parameters('tags')]", "properties": { - "assignableScopes": "[coalesce(parameters('assignableScopes'), createArray(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]", - "permissions": [ - { - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "roleName": "[parameters('roleName')]", - "type": "CustomRole" - } + "resource": { + "id": "[parameters('name')]" + }, + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]" + }, + "dependsOn": [ + "databaseAccount" + ] }, - "databaseAccount_cassandraRoleAssignments": { + "mongodbDatabase_collections": { "copy": { - "name": "databaseAccount_cassandraRoleAssignments", - "count": "[length(coalesce(parameters('cassandraRoleAssignments'), createArray()))]" + "name": "mongodbDatabase_collections", + "count": "[length(coalesce(parameters('collections'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandra-ra-{1}', uniqueString(deployment().name), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-collection-{1}', uniqueString(deployment().name, parameters('name')), coalesce(parameters('collections'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -31622,103 +28477,107 @@ "databaseAccountName": { "value": "[parameters('databaseAccountName')]" }, - "roleDefinitionId": { - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]" - }, - "principalId": { - "value": "[coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()].principalId]" + "mongodbDatabaseName": { + "value": "[parameters('name')]" }, "name": { - "value": "[tryGet(coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()], 'name')]" + "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].name]" + }, + "indexes": { + "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].indexes]" + }, + "shardKey": { + "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].shardKey]" }, - "scope": { - "value": "[tryGet(coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()], 'scope')]" + "throughput": { + "value": "[tryGet(coalesce(parameters('collections'), createArray())[copyIndex()], 'throughput')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "14764024820910071147" + "version": "0.35.1.17967", + "templateHash": "7802955893269337475" }, - "name": "DocumentDB Database Account Cassandra Role Assignments.", - "description": "This module deploys a Cassandra Role Assignment in a CosmosDB Account." + "name": "DocumentDB Database Account MongoDB Database Collections", + "description": "This module deploys a MongoDB Database Collection." }, "parameters": { "databaseAccountName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." } }, - "name": { + "mongodbDatabaseName": { "type": "string", - "nullable": true, "metadata": { - "description": "Optional. Name unique identifier of the Cassandra Role Assignment." + "description": "Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment." } }, - "principalId": { + "name": { "type": "string", "metadata": { - "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." + "description": "Required. Name of the collection." } }, - "roleDefinitionId": { - "type": "string", + "throughput": { + "type": "int", + "defaultValue": 400, "metadata": { - "description": "Required. The unique identifier of the associated Cassandra Role Definition." + "description": "Optional. Request Units per second. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." } }, - "scope": { - "type": "string", - "nullable": true, + "indexes": { + "type": "array", + "metadata": { + "description": "Required. Indexes for the collection." + } + }, + "shardKey": { + "type": "object", "metadata": { - "description": "Optional. The data plane resource path for which access is being granted through this Cassandra Role Assignment. Defaults to the current account." + "description": "Required. ShardKey for the collection." } } }, - "resources": { - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", "apiVersion": "2024-11-15", - "name": "[parameters('databaseAccountName')]" - }, - "cassandraRoleAssignment": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraRoleAssignments", - "apiVersion": "2025-05-01-preview", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]", + "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]", "properties": { - "principalId": "[parameters('principalId')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "scope": "[coalesce(parameters('scope'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]" + "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2024-11-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]", + "resource": { + "id": "[parameters('name')]", + "indexes": "[parameters('indexes')]", + "shardKey": "[parameters('shardKey')]" + } } } - }, + ], "outputs": { "name": { "type": "string", "metadata": { - "description": "The name of the Cassandra Role Assignment." + "description": "The name of the mongodb database collection." }, - "value": "[coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]" + "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the Cassandra Role Assignment." + "description": "The resource ID of the mongodb database collection." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]" + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The name of the resource group the Cassandra Role Assignment was created in." + "description": "The name of the resource group the mongodb database collection was created in." }, "value": "[resourceGroup().name]" } @@ -31726,7 +28585,7 @@ } }, "dependsOn": [ - "cassandraRoleDefinition" + "mongodbDatabase" ] } }, @@ -31734,21 +28593,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the cassandra role definition." + "description": "The name of the mongodb database." }, - "value": "[coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName')))]" + "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the cassandra role definition." + "description": "The resource ID of the mongodb database." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraRoleDefinitions', parameters('databaseAccountName'), coalesce(parameters('name'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('databaseAccountName'), parameters('roleName'))))]" + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The name of the resource group the cassandra role definition was created in." + "description": "The name of the resource group the mongodb database was created in." }, "value": "[resourceGroup().name]" } @@ -31759,14 +28618,14 @@ "databaseAccount" ] }, - "databaseAccount_cassandraRoleAssignments": { + "databaseAccount_gremlinDatabases": { "copy": { - "name": "databaseAccount_cassandraRoleAssignments", - "count": "[length(coalesce(parameters('cassandraRoleAssignments'), createArray()))]" + "name": "databaseAccount_gremlinDatabases", + "count": "[length(coalesce(parameters('gremlinDatabases'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandra-ra-{1}', uniqueString(deployment().name), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-gremlin-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -31776,17 +28635,20 @@ "databaseAccountName": { "value": "[parameters('name')]" }, - "roleDefinitionId": { - "value": "[coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]" + "name": { + "value": "[coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()].name]" }, - "principalId": { - "value": "[coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()].principalId]" + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" }, - "name": { - "value": "[tryGet(coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()], 'name')]" + "graphs": { + "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'graphs')]" + }, + "maxThroughput": { + "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'maxThroughput')]" }, - "scope": { - "value": "[tryGet(coalesce(parameters('cassandraRoleAssignments'), createArray())[copyIndex()], 'scope')]" + "throughput": { + "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'throughput')]" } }, "template": { @@ -31796,43 +28658,51 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "14764024820910071147" + "version": "0.35.1.17967", + "templateHash": "4743052544503629108" }, - "name": "DocumentDB Database Account Cassandra Role Assignments.", - "description": "This module deploys a Cassandra Role Assignment in a CosmosDB Account." + "name": "DocumentDB Database Account Gremlin Databases", + "description": "This module deploys a Gremlin Database within a CosmosDB Account." }, "parameters": { - "databaseAccountName": { + "name": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." + "description": "Required. Name of the Gremlin database." } }, - "name": { - "type": "string", + "tags": { + "type": "object", "nullable": true, "metadata": { - "description": "Optional. Name unique identifier of the Cassandra Role Assignment." + "description": "Optional. Tags of the Gremlin database resource." } }, - "principalId": { + "databaseAccountName": { "type": "string", "metadata": { - "description": "Required. The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription." + "description": "Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment." } }, - "roleDefinitionId": { - "type": "string", + "graphs": { + "type": "array", + "defaultValue": [], "metadata": { - "description": "Required. The unique identifier of the associated Cassandra Role Definition." + "description": "Optional. Array of graphs to deploy in the Gremlin database." } }, - "scope": { - "type": "string", + "maxThroughput": { + "type": "int", + "defaultValue": 4000, + "metadata": { + "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." + } + }, + "throughput": { + "type": "int", "nullable": true, "metadata": { - "description": "Optional. The data plane resource path for which access is being granted through this Cassandra Role Assignment. Defaults to the current account." + "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." } } }, @@ -31843,544 +28713,29 @@ "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, - "cassandraRoleAssignment": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraRoleAssignments", - "apiVersion": "2025-05-01-preview", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]", + "gremlinDatabase": { + "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", + "apiVersion": "2024-11-15", + "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", + "tags": "[parameters('tags')]", "properties": { - "principalId": "[parameters('principalId')]", - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "scope": "[coalesce(parameters('scope'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the Cassandra Role Assignment." + "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), null()), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', parameters('throughput')))]", + "resource": { + "id": "[parameters('name')]" + } }, - "value": "[coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))))]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Cassandra Role Assignment." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraRoleAssignments', parameters('databaseAccountName'), coalesce(parameters('name'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')))))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Cassandra Role Assignment was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount", - "databaseAccount_cassandraKeyspaces", - "databaseAccount_cassandraRoleDefinitions" - ] - }, - "databaseAccount_mongodbDatabases": { - "copy": { - "name": "databaseAccount_mongodbDatabases", - "count": "[length(coalesce(parameters('mongodbDatabases'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-mongodb-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "collections": { - "value": "[tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'collections')]" - }, - "throughput": { - "value": "[tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'throughput')]" - }, - "autoscaleSettings": { - "value": "[tryGet(coalesce(parameters('mongodbDatabases'), createArray())[copyIndex()], 'autoscaleSettings')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "13897098552792121791" - }, - "name": "DocumentDB Database Account MongoDB Databases", - "description": "This module deploys a MongoDB Database within a CosmosDB Account." - }, - "definitions": { - "collectionType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Request Units per second. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." - } - }, - "indexes": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/indexes" - }, - "description": "Required. Indexes for the collection." - } - }, - "shardKey": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/shardKey" - }, - "description": "Required. ShardKey for the collection." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a collection." - } - } - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the mongodb database." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request Units per second. Setting throughput at the database level is only recommended for development/test or when workload across all collections in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." - } - }, - "collections": { - "type": "array", - "items": { - "$ref": "#/definitions/collectionType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Collections in the mongodb database." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "autoscaleSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2025-04-15#properties/properties/properties/options/properties/autoscaleSettings" - }, - "description": "Optional. Specifies the Autoscale settings. Note: Either throughput or autoscaleSettings is required, but not both." - }, - "nullable": true - } - }, - "resources": { - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "mongodbDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", - "apiVersion": "2025-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput'), 'autoscaleSettings', parameters('autoscaleSettings')))]" - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "mongodbDatabase_collections": { - "copy": { - "name": "mongodbDatabase_collections", - "count": "[length(coalesce(parameters('collections'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-collection-{1}', uniqueString(deployment().name, parameters('name')), coalesce(parameters('collections'), createArray())[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "mongodbDatabaseName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].name]" - }, - "indexes": { - "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].indexes]" - }, - "shardKey": { - "value": "[coalesce(parameters('collections'), createArray())[copyIndex()].shardKey]" - }, - "throughput": { - "value": "[tryGet(coalesce(parameters('collections'), createArray())[copyIndex()], 'throughput')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "16151461445994734468" - }, - "name": "DocumentDB Database Account MongoDB Database Collections", - "description": "This module deploys a MongoDB Database Collection." - }, - "parameters": { - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cosmos DB database account. Required if the template is used in a standalone deployment." - } - }, - "mongodbDatabaseName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent mongodb database. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the collection." - } - }, - "throughput": { - "type": "int", - "defaultValue": 400, - "metadata": { - "description": "Optional. Request Units per second. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the collection level and not at the database level." - } - }, - "indexes": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/indexes" - }, - "description": "Required. Indexes for the collection." - } - }, - "shardKey": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections@2025-04-15#properties/properties/properties/resource/properties/shardKey" - }, - "description": "Required. ShardKey for the collection." - } - } - }, - "resources": [ - { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", - "apiVersion": "2025-04-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]", - "properties": { - "options": "[if(contains(reference(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), '2025-04-15').capabilities, createObject('name', 'EnableServerless')), null(), createObject('throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]", - "indexes": "[parameters('indexes')]", - "shardKey": "[parameters('shardKey')]" - } - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database collection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database collection." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections', parameters('databaseAccountName'), parameters('mongodbDatabaseName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database collection was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "mongodbDatabase" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the mongodb database." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the mongodb database." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', parameters('databaseAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the mongodb database was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_gremlinDatabases": { - "copy": { - "name": "databaseAccount_gremlinDatabases", - "count": "[length(coalesce(parameters('gremlinDatabases'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-gremlin-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()].name]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "graphs": { - "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'graphs')]" - }, - "maxThroughput": { - "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'maxThroughput')]" - }, - "throughput": { - "value": "[tryGet(coalesce(parameters('gremlinDatabases'), createArray())[copyIndex()], 'throughput')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "11959636451300474346" - }, - "name": "DocumentDB Database Account Gremlin Databases", - "description": "This module deploys a Gremlin Database within a CosmosDB Account." - }, - "definitions": { - "graphType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the graph." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/tags" - }, - "description": "Optional. Tags of the Gremlin graph resource." - }, - "nullable": true - }, - "indexingPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, - "description": "Optional. Indexing policy of the graph." - }, - "nullable": true - }, - "partitionKeyPaths": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/partitionKey/properties/paths" - }, - "description": "Optional. List of paths using which data within the container can be partitioned." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a graph." - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Gremlin database." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases@2024-11-15#properties/tags" - }, - "description": "Optional. Tags of the Gremlin database resource." - }, - "nullable": true - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Gremlin database. Required if the template is used in a standalone deployment." - } - }, - "graphs": { - "type": "array", - "items": { - "$ref": "#/definitions/graphType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of graphs to deploy in the Gremlin database." - } - }, - "maxThroughput": { - "type": "int", - "defaultValue": 4000, - "metadata": { - "description": "Optional. Represents maximum throughput, the resource can scale up to. Cannot be set together with `throughput`. If `throughput` is set to something else than -1, this autoscale setting is ignored. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." - } - }, - "throughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Request Units per second (for example 10000). Cannot be set together with `maxThroughput`. Setting throughput at the database level is only recommended for development/test or when workload across all graphs in the shared throughput database is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the graph level and not at the database level." - } - } - }, - "resources": { - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", - "name": "[parameters('databaseAccountName')]" - }, - "gremlinDatabase": { - "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2025-04-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), null()), createObject('maxThroughput', parameters('maxThroughput')), null()), 'throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]" - } - }, - "dependsOn": [ - "databaseAccount" - ] + "dependsOn": [ + "databaseAccount" + ] }, "gremlinDatabase_gremlinGraphs": { "copy": { "name": "gremlinDatabase_gremlinGraphs", - "count": "[length(coalesce(parameters('graphs'), createArray()))]" + "count": "[length(parameters('graphs'))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-gremlindb-{1}', uniqueString(deployment().name, parameters('name')), coalesce(parameters('graphs'), createArray())[copyIndex()].name)]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-gremlindb-{1}', uniqueString(deployment().name, parameters('name')), parameters('graphs')[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -32388,7 +28743,7 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[coalesce(parameters('graphs'), createArray())[copyIndex()].name]" + "value": "[parameters('graphs')[copyIndex()].name]" }, "gremlinDatabaseName": { "value": "[parameters('name')]" @@ -32397,11 +28752,9 @@ "value": "[parameters('databaseAccountName')]" }, "indexingPolicy": { - "value": "[tryGet(coalesce(parameters('graphs'), createArray())[copyIndex()], 'indexingPolicy')]" + "value": "[tryGet(parameters('graphs')[copyIndex()], 'indexingPolicy')]" }, - "partitionKeyPaths": { - "value": "[tryGet(coalesce(parameters('graphs'), createArray())[copyIndex()], 'partitionKeyPaths')]" - } + "partitionKeyPaths": "[if(not(empty(parameters('graphs')[copyIndex()].partitionKeyPaths)), createObject('value', parameters('graphs')[copyIndex()].partitionKeyPaths), createObject('value', createArray()))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -32410,8 +28763,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "10487122333182352122" + "version": "0.35.1.17967", + "templateHash": "9587717186996793648" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph." @@ -32425,13 +28778,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/tags" - }, "description": "Optional. Tags of the Gremlin graph resource." - }, - "nullable": true + } }, "databaseAccountName": { "type": "string", @@ -32447,49 +28797,43 @@ }, "indexingPolicy": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/indexingPolicy" - }, "description": "Optional. Indexing policy of the graph." - }, - "nullable": true + } }, "partitionKeyPaths": { "type": "array", + "defaultValue": [], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs@2025-04-15#properties/properties/properties/resource/properties/partitionKey/properties/paths" - }, "description": "Optional. List of paths using which data within the container can be partitioned." - }, - "nullable": true + } } }, "resources": { "databaseAccount::gremlinDatabase": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'))]" }, "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, "gremlinGraph": { "type": "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('gremlinDatabaseName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { "resource": { "id": "[parameters('name')]", - "indexingPolicy": "[parameters('indexingPolicy')]", + "indexingPolicy": "[if(not(empty(parameters('indexingPolicy'))), parameters('indexingPolicy'), null())]", "partitionKey": { - "paths": "[parameters('partitionKeyPaths')]" + "paths": "[if(not(empty(parameters('partitionKeyPaths'))), parameters('partitionKeyPaths'), null())]" } } } @@ -32560,7 +28904,7 @@ "count": "[length(coalesce(parameters('tables'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-table-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('tables'), createArray())[copyIndex()].name)]", "properties": { "expressionEvaluationOptions": { @@ -32591,8 +28935,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "1787500858429182824" + "version": "0.35.1.17967", + "templateHash": "14106261468136691896" }, "name": "Azure Cosmos DB account tables", "description": "This module deploys a table within an Azure Cosmos DB Account." @@ -32606,13 +28950,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/tables@2025-04-15#properties/tags" - }, "description": "Optional. Tags for the table." - }, - "nullable": true + } }, "databaseAccountName": { "type": "string", @@ -32639,12 +28980,12 @@ "databaseAccount": { "existing": true, "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[parameters('databaseAccountName')]" }, "table": { "type": "Microsoft.DocumentDB/databaseAccounts/tables", - "apiVersion": "2025-04-15", + "apiVersion": "2024-11-15", "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", "tags": "[parameters('tags')]", "properties": { @@ -32687,161 +29028,333 @@ "databaseAccount" ] }, - "databaseAccount_cassandraKeyspaces": { + "databaseAccount_privateEndpoints": { "copy": { - "name": "databaseAccount_cassandraKeyspaces", - "count": "[length(coalesce(parameters('cassandraKeyspaces'), createArray()))]" + "name": "databaseAccount_privateEndpoints", + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandradb-{1}', uniqueString(deployment().name, parameters('location')), coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()].name)]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-dbAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "subscriptionId": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[4]]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "databaseAccountName": { - "value": "[parameters('name')]" - }, "name": { - "value": "[coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()].name]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex()))]" }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service))))), createObject('value', null()))]", + "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", + "subnetResourceId": { + "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, - "tables": { - "value": "[tryGet(coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()], 'tables')]" + "enableTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" }, - "views": { - "value": "[tryGet(coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()], 'views')]" + "location": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, - "autoscaleSettingsMaxThroughput": { - "value": "[tryGet(coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()], 'autoscaleSettingsMaxThroughput')]" + "lock": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" }, - "throughput": { - "value": "[tryGet(coalesce(parameters('cassandraKeyspaces'), createArray())[copyIndex()], 'throughput')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "15257396763463366586" - }, - "name": "DocumentDB Database Account Cassandra Keyspaces", - "description": "This module deploys a Cassandra Keyspace within a CosmosDB Account." + "privateDnsZoneGroup": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" }, - "definitions": { - "tableType": { + "roleAssignments": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" + }, + "tags": { + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" + }, + "customDnsConfigs": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" + }, + "ipConfigurations": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" + }, + "applicationSecurityGroupResourceIds": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" + }, + "customNetworkInterfaceName": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.33.13.18514", + "templateHash": "15954548978129725136" + }, + "name": "Private Endpoints", + "description": "This module deploys a Private Endpoint." + }, + "definitions": { + "privateDnsZoneGroupType": { "type": "object", "properties": { "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. Name of the table." + "description": "Optional. The name of the Private DNS Zone Group." } }, - "schema": { - "type": "object", + "privateDnsZoneGroupConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/privateDnsZoneGroupConfigType" + }, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/properties/properties/resource/properties/schema" - }, - "description": "Required. Schema definition for the table." + "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "ipConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." } }, - "tags": { + "properties": { "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/tags" + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } }, - "description": "Optional. Tags for the table." + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } }, - "nullable": true + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "privateLinkServiceConnectionType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } }, - "defaultTtl": { - "type": "int", + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string array `[]`." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "customDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Default TTL (Time To Live) in seconds for data in the table." + "description": "Optional. FQDN that resolves to private endpoint IP address." } }, - "analyticalStorageTtl": { - "type": "int", + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Analytical TTL for the table." + "description": "Optional. Specify the name of lock." } }, - "throughput": { - "type": "int", + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], "nullable": true, "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput." + "description": "Optional. Specify the type of lock." } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, + "privateDnsZoneGroupConfigType": { + "type": "object", + "properties": { + "name": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Maximum autoscale throughput for the table. Cannot be used with throughput." + "description": "Optional. The name of the private DNS zone group config." + } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a Cassandra table." + "__bicep_imported_from!": { + "sourceTemplate": "private-dns-zone-group/main.bicep" + } } }, - "viewType": { + "roleAssignmentType": { "type": "object", "properties": { "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. Name of the view." + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." } }, - "viewDefinition": { + "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. View definition (CQL statement)." + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "tags": { - "type": "object", + "principalId": { + "type": "string", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views@2025-05-01-preview#properties/tags" - }, - "description": "Optional. Tags for the view." - }, - "nullable": true + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } }, - "throughput": { - "type": "int", + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], "nullable": true, "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput." + "description": "Optional. The principal type of the assigned principal ID." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Maximum autoscale throughput for the view. Cannot be used with throughput." + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a Cassandra view (materialized view)." + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } } } }, @@ -32849,90 +29362,227 @@ "name": { "type": "string", "metadata": { - "description": "Required. Name of the Cassandra keyspace." + "description": "Required. Name of the private endpoint resource to create." } }, - "tags": { - "type": "object", + "subnetResourceId": { + "type": "string", "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces@2024-11-15#properties/tags" - }, - "description": "Optional. Tags of the Cassandra keyspace resource." + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } }, - "databaseAccountName": { + "customNetworkInterfaceName": { "type": "string", + "nullable": true, "metadata": { - "description": "Conditional. The name of the parent Cosmos DB account. Required if the template is used in a standalone deployment." + "description": "Optional. The custom name of the network interface attached to the private endpoint." } }, - "tables": { + "ipConfigurations": { "type": "array", "items": { - "$ref": "#/definitions/tableType" + "$ref": "#/definitions/ipConfigurationType" }, - "defaultValue": [], + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "privateDnsZoneGroup": { + "$ref": "#/definitions/privateDnsZoneGroupType", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS zone group to configure for the private endpoint." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { - "description": "Optional. Array of Cassandra tables to deploy in the keyspace." + "description": "Optional. The lock settings of the service." } }, - "views": { + "roleAssignments": { "type": "array", "items": { - "$ref": "#/definitions/viewType" + "$ref": "#/definitions/roleAssignmentType" }, - "defaultValue": [], + "nullable": true, "metadata": { - "description": "Optional. Array of Cassandra views (materialized views) to deploy in the keyspace." + "description": "Optional. Array of role assignments to create." } }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "defaultValue": 4000, + "tags": { + "type": "object", + "nullable": true, "metadata": { - "description": "Optional. Maximum autoscale throughput for the keyspace. If not set, autoscale will be disabled. Setting throughput at the keyspace level is only recommended for development/test or when workload across all tables in the shared throughput keyspace is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the table level." + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." } }, - "throughput": { - "type": "int", + "customDnsConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, + "metadata": { + "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." + } + }, + "privateLinkServiceConnections": { + "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, "nullable": true, "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput. Setting throughput at the keyspace level is only recommended for development/test or when workload across all tables in the shared throughput keyspace is uniform. For best performance for large production workloads, it is recommended to set dedicated throughput (autoscale or manual) at the table level." + "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" } + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" } }, "resources": { - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2024-11-15", - "name": "[parameters('databaseAccountName')]" + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.10.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } }, - "cassandraKeyspace": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces", - "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('name'))]", + "privateEndpoint": { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-11-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(equals(parameters('throughput'), null()), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null()), 'throughput', parameters('throughput')))]", - "resource": { - "id": "[parameters('name')]" + "copy": [ + { + "name": "applicationSecurityGroups", + "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", + "input": { + "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" + } + } + ], + "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", + "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", + "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", + "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", + "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", + "subnet": { + "id": "[parameters('subnetResourceId')]" } + } + }, + "privateEndpoint_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ - "databaseAccount" + "privateEndpoint" ] }, - "cassandraKeyspace_tables": { + "privateEndpoint_roleAssignments": { "copy": { - "name": "cassandraKeyspace_tables", - "count": "[length(parameters('tables'))]" + "name": "privateEndpoint_roleAssignments", + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, + "dependsOn": [ + "privateEndpoint" + ] + }, + "privateEndpoint_privateDnsZoneGroup": { + "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandradb-{1}', uniqueString(deployment().name, parameters('name')), parameters('tables')[copyIndex()].name)]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -32940,31 +29590,13 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[parameters('tables')[copyIndex()].name]" + "value": "[tryGet(parameters('privateDnsZoneGroup'), 'name')]" }, - "cassandraKeyspaceName": { + "privateEndpointName": { "value": "[parameters('name')]" }, - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "schema": { - "value": "[parameters('tables')[copyIndex()].schema]" - }, - "analyticalStorageTtl": { - "value": "[tryGet(parameters('tables')[copyIndex()], 'analyticalStorageTtl')]" - }, - "throughput": { - "value": "[tryGet(parameters('tables')[copyIndex()], 'throughput')]" - }, - "autoscaleSettingsMaxThroughput": { - "value": "[tryGet(parameters('tables')[copyIndex()], 'autoscaleSettingsMaxThroughput')]" - }, - "defaultTtl": { - "value": "[tryGet(parameters('tables')[copyIndex()], 'defaultTtl')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('tables')[copyIndex()], 'tags'), parameters('tags'))]" + "privateDnsZoneConfigs": { + "value": "[parameters('privateDnsZoneGroup').privateDnsZoneGroupConfigs]" } }, "template": { @@ -32974,296 +29606,110 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "15998065591386988132" + "version": "0.33.13.18514", + "templateHash": "5440815542537978381" }, - "name": "DocumentDB Database Account Cassandra Keyspaces Tables", - "description": "This module deploys a Cassandra Table within a Cassandra Keyspace in a CosmosDB Account." + "name": "Private Endpoint Private DNS Zone Groups", + "description": "This module deploys a Private Endpoint Private DNS Zone Group." }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Cassandra table." - } - }, - "tags": { + "definitions": { + "privateDnsZoneGroupConfigType": { "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/tags" + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group config." + } }, - "description": "Optional. Tags of the Cassandra table resource." + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." + } + } }, - "nullable": true - }, - "databaseAccountName": { - "type": "string", "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." + "__bicep_export!": true } - }, - "cassandraKeyspaceName": { + } + }, + "parameters": { + "privateEndpointName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent Cassandra Keyspace. Required if the template is used in a standalone deployment." - } - }, - "schema": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables@2024-11-15#properties/properties/properties/resource/properties/schema" - }, - "description": "Required. Schema definition for the Cassandra table." + "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." } }, - "analyticalStorageTtl": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Analytical TTL for the table. Default to 0 (disabled). Analytical store is enabled when set to a value other than 0. If set to -1, analytical store retains all historical data." - } - }, - "throughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput. If not specified, the table will inherit throughput from the keyspace." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Maximum autoscale throughput for the table. Cannot be used with throughput. If not specified, the table will inherit throughput from the keyspace." - } - }, - "defaultTtl": { - "type": "int", - "defaultValue": 0, + "privateDnsZoneConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/privateDnsZoneGroupConfigType" + }, + "minLength": 1, + "maxLength": 5, "metadata": { - "description": "Optional. Default time to live in seconds. Default to 0 (disabled). If set to -1, items do not expire." + "description": "Required. Array of private DNS zone configurations of the private DNS zone group. A DNS zone group can support up to 5 DNS zones." } - } - }, - "resources": { - "databaseAccount::cassandraKeyspace": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces", - "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'))]" }, - "databaseAccount": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2024-11-15", - "name": "[parameters('databaseAccountName')]" - }, - "cassandraTable": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables", - "apiVersion": "2024-11-15", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('name')]", - "schema": "[parameters('schema')]", - "defaultTtl": "[parameters('defaultTtl')]", - "analyticalStorageTtl": "[parameters('analyticalStorageTtl')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(and(equals(parameters('throughput'), null()), not(equals(parameters('autoscaleSettingsMaxThroughput'), null()))), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null()), 'throughput', parameters('throughput')))]" - }, - "dependsOn": [ - "databaseAccount" - ] - } - }, - "outputs": { "name": { "type": "string", + "defaultValue": "default", "metadata": { - "description": "The name of the Cassandra table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Cassandra table." - }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Cassandra table was created in." - }, - "value": "[resourceGroup().name]" + "description": "Optional. The name of the private DNS zone group." + } } - } - } - }, - "dependsOn": [ - "cassandraKeyspace" - ] - }, - "cassandraKeyspace_views": { - "copy": { - "name": "cassandraKeyspace_views", - "count": "[length(parameters('views'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-cassandraview-{1}', uniqueString(deployment().name, parameters('name')), parameters('views')[copyIndex()].name)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('views')[copyIndex()].name]" - }, - "cassandraKeyspaceName": { - "value": "[parameters('name')]" - }, - "databaseAccountName": { - "value": "[parameters('databaseAccountName')]" - }, - "viewDefinition": { - "value": "[parameters('views')[copyIndex()].viewDefinition]" - }, - "throughput": { - "value": "[tryGet(parameters('views')[copyIndex()], 'throughput')]" - }, - "autoscaleSettingsMaxThroughput": { - "value": "[tryGet(parameters('views')[copyIndex()], 'autoscaleSettingsMaxThroughput')]" - }, - "tags": { - "value": "[coalesce(tryGet(parameters('views')[copyIndex()], 'tags'), parameters('tags'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "6617803098467821091" - }, - "name": "DocumentDB Database Account Cassandra Keyspaces Views", - "description": "This module deploys a Cassandra View (Materialized View) within a Cassandra Keyspace in a CosmosDB Account." }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Cassandra view." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views@2025-05-01-preview#properties/tags" - }, - "description": "Optional. Tags of the Cassandra view resource." - }, - "nullable": true - }, - "databaseAccountName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Database Account. Required if the template is used in a standalone deployment." - } - }, - "cassandraKeyspaceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Cassandra Keyspace. Required if the template is used in a standalone deployment." - } - }, - "viewDefinition": { - "type": "string", - "metadata": { - "description": "Required. View definition of the Cassandra view. This is the CQL statement that defines the materialized view." - } - }, - "throughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Request units per second. Cannot be used with autoscaleSettingsMaxThroughput." - } - }, - "autoscaleSettingsMaxThroughput": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Maximum autoscale throughput for the view. Cannot be used with throughput." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigsVar", + "count": "[length(parameters('privateDnsZoneConfigs'))]", + "input": { + "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId, '/')))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId]" + } + } } - } + ] }, "resources": { - "databaseAccount::cassandraKeyspace": { - "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces", - "apiVersion": "2025-05-01-preview", - "name": "[format('{0}/{1}', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'))]" - }, - "databaseAccount": { + "privateEndpoint": { "existing": true, - "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2025-05-01-preview", - "name": "[parameters('databaseAccountName')]" + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-11-01", + "name": "[parameters('privateEndpointName')]" }, - "cassandraView": { - "type": "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views", - "apiVersion": "2025-05-01-preview", - "name": "[format('{0}/{1}/{2}', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'), parameters('name'))]", - "tags": "[parameters('tags')]", - "location": "[parameters('location')]", + "privateDnsZoneGroup": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", "properties": { - "resource": { - "id": "[parameters('name')]", - "viewDefinition": "[parameters('viewDefinition')]" - }, - "options": "[if(contains(reference('databaseAccount').capabilities, createObject('name', 'EnableServerless')), createObject(), createObject('autoscaleSettings', if(and(equals(parameters('throughput'), null()), not(equals(parameters('autoscaleSettingsMaxThroughput'), null()))), createObject('maxThroughput', parameters('autoscaleSettingsMaxThroughput')), null()), 'throughput', parameters('throughput')))]" - }, - "dependsOn": [ - "databaseAccount" - ] + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigsVar')]" + } } }, "outputs": { "name": { "type": "string", "metadata": { - "description": "The name of the Cassandra view." + "description": "The name of the private endpoint DNS zone group." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the Cassandra view." + "description": "The resource ID of the private endpoint DNS zone group." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/views', parameters('databaseAccountName'), parameters('cassandraKeyspaceName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The name of the resource group the Cassandra view was created in." + "description": "The resource group the private endpoint DNS zone group was deployed into." }, "value": "[resourceGroup().name]" } @@ -33271,689 +29717,64 @@ } }, "dependsOn": [ - "cassandraKeyspace" + "privateEndpoint" ] } }, "outputs": { - "name": { + "resourceGroupName": { "type": "string", "metadata": { - "description": "The name of the Cassandra keyspace." + "description": "The resource group the private endpoint was deployed into." }, - "value": "[parameters('name')]" + "value": "[resourceGroup().name]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the Cassandra keyspace." + "description": "The resource ID of the private endpoint." }, - "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces', parameters('databaseAccountName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" }, - "resourceGroupName": { + "name": { "type": "string", "metadata": { - "description": "The name of the resource group the Cassandra keyspace was created in." + "description": "The name of the private endpoint." }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "databaseAccount" - ] - }, - "databaseAccount_privateEndpoints": { - "copy": { - "name": "databaseAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-dbAccount-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex()))]" - }, - "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service))))), createObject('value', null()))]", - "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroup": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "16604612898799598358" + "value": "[parameters('name')]" }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint." - }, - "definitions": { - "privateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "metadata": { - "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - } - }, + "location": { + "type": "string", "metadata": { - "__bicep_export!": true, - "description": "The type of a private dns zone group." - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } + "description": "The location the resource was deployed into." }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } + "value": "[reference('privateEndpoint', '2023-11-01', 'full').location]" }, - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } + "customDnsConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" }, "metadata": { - "description": "The type of a private DNS zone group configuration.", - "__bicep_imported_from!": { - "sourceTemplate": "private-dns-zone-group/main.bicep" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } + "description": "The custom DNS configurations of the private endpoint." }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } + "value": "[reference('privateEndpoint').customDnsConfigs]" }, - "applicationSecurityGroupResourceIds": { + "networkInterfaceResourceIds": { "type": "array", "items": { "type": "string" }, - "nullable": true, "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/ipConfigurations" - }, - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + "description": "The resource IDs of the network interfaces associated with the private endpoint." }, - "nullable": true - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/privateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } + "value": "[map(reference('privateEndpoint').networkInterfaces, lambda('nic', lambdaVariables('nic').id))]" }, - "location": { + "groupId": { "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - }, - "nullable": true - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs" - }, - "description": "Optional. Custom DNS configurations." - }, - "nullable": true - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/manualPrivateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "privateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/privateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.11.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[tryGet(parameters('privateDnsZoneGroup'), 'name')]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "privateDnsZoneConfigs": { - "value": "[parameters('privateDnsZoneGroup').privateDnsZoneGroupConfigs]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "24141742673128945" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group." - }, - "definitions": { - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a private DNS zone group configuration." - } - } - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDnsZoneConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone configurations of the private DNS zone group. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - } - }, - "resources": { - "privateEndpoint": { - "existing": true, - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", - "name": "[parameters('privateEndpointName')]" - }, - "privateDnsZoneGroup": { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2024-10-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDnsZoneConfigs'))]", - "input": { - "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId, '/')))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId]" - } - } - } - ] - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2024-10-01', 'full').location]" - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs", - "output": true - }, - "description": "The custom DNS configurations of the private endpoint." - }, - "value": "[reference('privateEndpoint').customDnsConfigs]" - }, - "networkInterfaceResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "The resource IDs of the network interfaces associated with the private endpoint." - }, - "value": "[map(reference('privateEndpoint').networkInterfaces, lambda('nic', lambdaVariables('nic').id))]" - }, - "groupId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The group Id for the private endpoint Group." + "description": "The group Id for the private endpoint Group." }, "value": "[coalesce(tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'manualPrivateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0), tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'privateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0))]" } @@ -33993,14 +29814,14 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[tryGet(tryGet(reference('databaseAccount', '2025-04-15', 'full'), 'identity'), 'principalId')]" + "value": "[tryGet(tryGet(reference('databaseAccount', '2024-11-15', 'full'), 'identity'), 'principalId')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('databaseAccount', '2025-04-15', 'full').location]" + "value": "[reference('databaseAccount', '2024-11-15', 'full').location]" }, "endpoint": { "type": "string", @@ -34033,56 +29854,56 @@ "metadata": { "description": "The primary read-write key." }, - "value": "[listKeys('databaseAccount', '2025-04-15').primaryMasterKey]" + "value": "[listKeys('databaseAccount', '2024-11-15').primaryMasterKey]" }, "primaryReadOnlyKey": { "type": "securestring", "metadata": { "description": "The primary read-only key." }, - "value": "[listKeys('databaseAccount', '2025-04-15').primaryReadonlyMasterKey]" + "value": "[listKeys('databaseAccount', '2024-11-15').primaryReadonlyMasterKey]" }, "primaryReadWriteConnectionString": { "type": "securestring", "metadata": { "description": "The primary read-write connection string." }, - "value": "[listConnectionStrings('databaseAccount', '2025-04-15').connectionStrings[0].connectionString]" + "value": "[listConnectionStrings('databaseAccount', '2024-11-15').connectionStrings[0].connectionString]" }, "primaryReadOnlyConnectionString": { "type": "securestring", "metadata": { "description": "The primary read-only connection string." }, - "value": "[listConnectionStrings('databaseAccount', '2025-04-15').connectionStrings[2].connectionString]" + "value": "[listConnectionStrings('databaseAccount', '2024-11-15').connectionStrings[2].connectionString]" }, "secondaryReadWriteKey": { "type": "securestring", "metadata": { "description": "The secondary read-write key." }, - "value": "[listKeys('databaseAccount', '2025-04-15').secondaryMasterKey]" + "value": "[listKeys('databaseAccount', '2024-11-15').secondaryMasterKey]" }, "secondaryReadOnlyKey": { "type": "securestring", "metadata": { "description": "The secondary read-only key." }, - "value": "[listKeys('databaseAccount', '2025-04-15').secondaryReadonlyMasterKey]" + "value": "[listKeys('databaseAccount', '2024-11-15').secondaryReadonlyMasterKey]" }, "secondaryReadWriteConnectionString": { "type": "securestring", "metadata": { "description": "The secondary read-write connection string." }, - "value": "[listConnectionStrings('databaseAccount', '2025-04-15').connectionStrings[1].connectionString]" + "value": "[listConnectionStrings('databaseAccount', '2024-11-15').connectionStrings[1].connectionString]" }, "secondaryReadOnlyConnectionString": { "type": "securestring", "metadata": { "description": "The secondary read-only connection string." }, - "value": "[listConnectionStrings('databaseAccount', '2025-04-15').connectionStrings[3].connectionString]" + "value": "[listConnectionStrings('databaseAccount', '2024-11-15').connectionStrings[3].connectionString]" } } } @@ -34116,10 +29937,14 @@ "enableTelemetry": { "value": "[parameters('enableTelemetry')]" }, - "publicNetworkAccess": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", - "internal": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]", + "publicNetworkAccess": { + "value": "Enabled" + }, + "internal": { + "value": false + }, "infrastructureSubnetResourceId": "[if(parameters('enablePrivateNetworking'), createObject('value', tryGet(tryGet(tryGet(if(parameters('enablePrivateNetworking'), reference('virtualNetwork'), null()), 'outputs'), 'containerSubnetResourceId'), 'value')), createObject('value', null()))]", - "appLogsConfiguration": "[if(parameters('enableMonitoring'), createObject('value', createObject('destination', 'log-analytics', 'logAnalyticsWorkspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value))), createObject('value', null()))]", + "appLogsConfiguration": "[if(parameters('enableMonitoring'), createObject('value', createObject('destination', 'log-analytics', 'logAnalyticsConfiguration', createObject('customerId', if(variables('useExistingLogAnalytics'), reference('existingLogAnalyticsWorkspace').customerId, reference('logAnalyticsWorkspace').outputs.logAnalyticsWorkspaceId.value), 'sharedKey', if(variables('useExistingLogAnalytics'), listKeys('existingLogAnalyticsWorkspace', '2020-08-01').primarySharedKey, listOutputsWithSecureValues('logAnalyticsWorkspace', '2025-04-01').primarySharedKey)))), createObject('value', null()))]", "appInsightsConnectionString": "[if(parameters('enableMonitoring'), createObject('value', reference('applicationInsights').outputs.connectionString.value), createObject('value', null()))]", "zoneRedundant": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]", "infrastructureResourceGroupName": "[if(parameters('enableRedundancy'), createObject('value', format('{0}-infra', resourceGroup().name)), createObject('value', null()))]", @@ -34132,8 +29957,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "16720885128976229647" + "version": "0.35.1.17967", + "templateHash": "10777649424390064640" }, "name": "App ManagedEnvironments", "description": "This module deploys an App Managed Environment (also known as a Container App Environment)." @@ -34168,7 +29993,7 @@ } }, "certificatePassword": { - "type": "securestring", + "type": "string", "nullable": true, "metadata": { "description": "Optional. The password of the certificate." @@ -34180,23 +30005,6 @@ "metadata": { "description": "Optional. A key vault reference." } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location for the resource." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments/certificates@2025-10-02-preview#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true } }, "metadata": { @@ -34233,7 +30041,7 @@ "description": "Required. Storage account name." } }, - "name": { + "shareName": { "type": "string", "metadata": { "description": "Required. File share name." @@ -34246,61 +30054,45 @@ } }, "appLogsConfigurationType": { - "type": "object", - "discriminator": { - "propertyName": "destination", - "mapping": { - "azure-monitor": { - "$ref": "#/definitions/appLogsConfigurationMonitorType" - }, - "log-analytics": { - "$ref": "#/definitions/appLogsConfigurationLawType" - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the App Logs Configuration." - } - }, - "appLogsConfigurationMonitorType": { - "type": "object", - "properties": { - "destination": { - "type": "string", - "allowedValues": [ - "azure-monitor" - ], - "metadata": { - "description": "Required. The destination of the logs." - } - } - }, - "metadata": { - "description": "The type for the App Logs Configuration if using azure-monitor." - } - }, - "appLogsConfigurationLawType": { "type": "object", "properties": { "destination": { "type": "string", "allowedValues": [ - "log-analytics" + "azure-monitor", + "log-analytics", + "none" ], + "nullable": true, "metadata": { - "description": "Required. The destination of the logs." + "description": "Optional. The destination of the logs." } }, - "logAnalyticsWorkspaceResourceId": { - "type": "string", + "logAnalyticsConfiguration": { + "type": "object", + "properties": { + "customerId": { + "type": "string", + "metadata": { + "description": "Required. The Log Analytics Workspace ID." + } + }, + "sharedKey": { + "type": "securestring", + "metadata": { + "description": "Required. The shared key of the Log Analytics workspace." + } + } + }, + "nullable": true, "metadata": { - "description": "Required. Existing Log Analytics Workspace resource ID." + "description": "Conditional. The Log Analytics configuration. Required if `destination` is `log-analytics`." } } }, "metadata": { - "description": "The type for the App Logs Configuration if using log-analytics." + "__bicep_export!": true, + "description": "The type for the App Logs Configuration." } }, "certificateKeyVaultPropertiesType": { @@ -34347,19 +30139,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -34483,13 +30268,10 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } }, "managedIdentities": { "$ref": "#/definitions/managedIdentityAllType", @@ -34522,46 +30304,6 @@ "description": "Optional. Application Insights connection string." } }, - "daprConfiguration": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/properties/properties/daprConfiguration" - }, - "description": "Optional. The configuration of Dapr component." - }, - "nullable": true - }, - "ingressConfiguration": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/properties/properties/ingressConfiguration" - }, - "description": "Optional. Ingress configuration for the Managed Environment." - }, - "nullable": true - }, - "kedaConfiguration": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/properties/properties/kedaConfiguration" - }, - "description": "Optional. The configuration of Keda component." - }, - "nullable": true - }, - "peerAuthentication": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/properties/properties/peerAuthentication" - }, - "description": "Optional. Peer authentication settings for the Managed Environment." - }, - "nullable": true - }, "daprAIConnectionString": { "type": "securestring", "defaultValue": "", @@ -34585,7 +30327,7 @@ }, "infrastructureSubnetResourceId": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Conditional. Resource ID of a subnet for infrastructure components. This is used to deploy the environment into a virtual network. Must not overlap with any other provided IP ranges. Required if \"internal\" is set to true. Required if zoneRedundant is set to true to make the resource WAF compliant." } @@ -34594,7 +30336,7 @@ "type": "bool", "defaultValue": false, "metadata": { - "description": "Conditional. Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then \"infrastructureSubnetResourceId\" must be provided. Required if zoneRedundant is set to true to make the resource WAF compliant." + "description": "Conditional. Boolean indicating the environment only has an internal load balancer. These environments do not have a public static IP resource. If set to true, then \"infrastructureSubnetId\" must be provided. Required if zoneRedundant is set to true to make the resource WAF compliant." } }, "platformReservedCidr": { @@ -34645,7 +30387,7 @@ }, "certificateValue": { "type": "securestring", - "nullable": true, + "defaultValue": "", "metadata": { "description": "Optional. Certificate to use for the custom domain. PFX or PEM." } @@ -34666,23 +30408,17 @@ }, "openTelemetryConfiguration": { "type": "object", + "defaultValue": {}, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-02-02-preview#properties/properties/properties/openTelemetryConfiguration" - }, "description": "Optional. Open Telemetry configuration." - }, - "nullable": true + } }, "workloadProfiles": { "type": "array", + "defaultValue": [], "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments@2025-10-02-preview#properties/properties/properties/workloadProfiles" - }, "description": "Conditional. Workload profiles configured for the Managed Environment. Required if zoneRedundant is set to true to make the resource WAF compliant." - }, - "nullable": true + } }, "infrastructureResourceGroupName": { "type": "string", @@ -34725,7 +30461,7 @@ } ], "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(variables('formattedUserAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(variables('formattedUserAssignedIdentities'))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", @@ -34735,11 +30471,27 @@ } }, "resources": { + "managedEnvironment::storage": { + "copy": { + "name": "managedEnvironment::storage", + "count": "[length(coalesce(parameters('storages'), createArray()))]" + }, + "type": "Microsoft.App/managedEnvironments/storages", + "apiVersion": "2024-10-02-preview", + "name": "[format('{0}/{1}', parameters('name'), coalesce(parameters('storages'), createArray())[copyIndex()].shareName)]", + "properties": { + "nfsAzureFile": "[if(equals(coalesce(parameters('storages'), createArray())[copyIndex()].kind, 'NFS'), createObject('accessMode', coalesce(parameters('storages'), createArray())[copyIndex()].accessMode, 'server', format('{0}.file.{1}', coalesce(parameters('storages'), createArray())[copyIndex()].storageAccountName, environment().suffixes.storage), 'shareName', format('/{0}/{1}', coalesce(parameters('storages'), createArray())[copyIndex()].storageAccountName, coalesce(parameters('storages'), createArray())[copyIndex()].shareName)), null())]", + "azureFile": "[if(equals(coalesce(parameters('storages'), createArray())[copyIndex()].kind, 'SMB'), createObject('accessMode', coalesce(parameters('storages'), createArray())[copyIndex()].accessMode, 'accountName', coalesce(parameters('storages'), createArray())[copyIndex()].storageAccountName, 'accountKey', listkeys(resourceId('Microsoft.Storage/storageAccounts', coalesce(parameters('storages'), createArray())[copyIndex()].storageAccountName), '2023-01-01').keys[0].value, 'shareName', coalesce(parameters('storages'), createArray())[copyIndex()].shareName), null())]" + }, + "dependsOn": [ + "managedEnvironment" + ] + }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-11-01", - "name": "[format('46d3xbcp.res.app-managedenvironment.{0}.{1}', replace('0.13.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.app-managedenvironment.{0}.{1}', replace('0.11.2', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -34755,18 +30507,9 @@ } } }, - "logAnalyticsWorkspace": { - "condition": "[not(empty(tryGet(parameters('appLogsConfiguration'), 'logAnalyticsWorkspaceResourceId')))]", - "existing": true, - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2025-02-01", - "subscriptionId": "[split(tryGet(parameters('appLogsConfiguration'), 'logAnalyticsWorkspaceResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('appLogsConfiguration'), 'logAnalyticsWorkspaceResourceId'), '/')[4]]", - "name": "[last(split(tryGet(parameters('appLogsConfiguration'), 'logAnalyticsWorkspaceResourceId'), '/'))]" - }, "managedEnvironment": { "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2025-10-02-preview", + "apiVersion": "2024-10-02-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -34775,20 +30518,16 @@ "appInsightsConfiguration": { "connectionString": "[parameters('appInsightsConnectionString')]" }, - "daprConfiguration": "[parameters('daprConfiguration')]", - "ingressConfiguration": "[parameters('ingressConfiguration')]", - "kedaConfiguration": "[parameters('kedaConfiguration')]", - "peerAuthentication": "[parameters('peerAuthentication')]", - "appLogsConfiguration": "[if(not(empty(parameters('appLogsConfiguration'))), shallowMerge(createArray(createObject('destination', parameters('appLogsConfiguration').destination), if(not(empty(tryGet(parameters('appLogsConfiguration'), 'logAnalyticsWorkspaceResourceId'))), createObject('logAnalyticsConfiguration', createObject('customerId', reference('logAnalyticsWorkspace').customerId, 'sharedKey', listKeys('logAnalyticsWorkspace', '2025-02-01').primarySharedKey)), createObject()))), null())]", + "appLogsConfiguration": "[parameters('appLogsConfiguration')]", "daprAIConnectionString": "[parameters('daprAIConnectionString')]", "daprAIInstrumentationKey": "[parameters('daprAIInstrumentationKey')]", "customDomainConfiguration": { "certificatePassword": "[parameters('certificatePassword')]", - "certificateValue": "[parameters('certificateValue')]", + "certificateValue": "[if(not(empty(parameters('certificateValue'))), parameters('certificateValue'), null())]", "dnsSuffix": "[parameters('dnsSuffix')]", "certificateKeyVaultProperties": "[if(not(empty(tryGet(parameters('certificate'), 'certificateKeyVaultProperties'))), createObject('identity', tryGet(parameters('certificate'), 'certificateKeyVaultProperties', 'identityResourceId'), 'keyVaultUrl', tryGet(parameters('certificate'), 'certificateKeyVaultProperties', 'keyVaultUrl')), null())]" }, - "openTelemetryConfiguration": "[parameters('openTelemetryConfiguration')]", + "openTelemetryConfiguration": "[if(not(empty(parameters('openTelemetryConfiguration'))), parameters('openTelemetryConfiguration'), null())]", "peerTrafficConfiguration": { "encryption": { "enabled": "[parameters('peerTrafficEncryption')]" @@ -34797,18 +30536,15 @@ "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "vnetConfiguration": { "internal": "[parameters('internal')]", - "infrastructureSubnetId": "[parameters('infrastructureSubnetResourceId')]", + "infrastructureSubnetId": "[if(not(empty(parameters('infrastructureSubnetResourceId'))), parameters('infrastructureSubnetResourceId'), null())]", "dockerBridgeCidr": "[if(not(empty(parameters('infrastructureSubnetResourceId'))), parameters('dockerBridgeCidr'), null())]", "platformReservedCidr": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetResourceId')))), parameters('platformReservedCidr'), null())]", "platformReservedDnsIP": "[if(and(empty(parameters('workloadProfiles')), not(empty(parameters('infrastructureSubnetResourceId')))), parameters('platformReservedDnsIP'), null())]" }, - "workloadProfiles": "[parameters('workloadProfiles')]", + "workloadProfiles": "[if(not(empty(parameters('workloadProfiles'))), parameters('workloadProfiles'), null())]", "zoneRedundant": "[parameters('zoneRedundant')]", "infrastructureResourceGroup": "[parameters('infrastructureResourceGroupName')]" - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] + } }, "managedEnvironment_roleAssignments": { "copy": { @@ -34817,7 +30553,7 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.App/managedEnvironments', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", @@ -34836,24 +30572,21 @@ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "scope": "[format('Microsoft.App/managedEnvironments/{0}', parameters('name'))]", "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "managedEnvironment" ] }, - "managedEnvironment_storage": { - "copy": { - "name": "managedEnvironment_storage", - "count": "[length(coalesce(parameters('storages'), createArray()))]" - }, + "managedEnvironment_certificate": { + "condition": "[not(empty(parameters('certificate')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Managed-Environment-Storage-{1}', uniqueString(deployment().name), copyIndex())]", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Managed-Environment-Certificate', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -34861,19 +30594,22 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[coalesce(parameters('storages'), createArray())[copyIndex()].name]" + "value": "[coalesce(tryGet(parameters('certificate'), 'name'), format('cert-{0}', parameters('name')))]" }, "managedEnvironmentName": { "value": "[parameters('name')]" }, - "kind": { - "value": "[coalesce(parameters('storages'), createArray())[copyIndex()].kind]" + "certificateKeyVaultProperties": { + "value": "[tryGet(parameters('certificate'), 'certificateKeyVaultProperties')]" }, - "accessMode": { - "value": "[coalesce(parameters('storages'), createArray())[copyIndex()].accessMode]" + "certificateType": { + "value": "[tryGet(parameters('certificate'), 'certificateType')]" + }, + "certificateValue": { + "value": "[tryGet(parameters('certificate'), 'certificateValue')]" }, - "storageAccountName": { - "value": "[coalesce(parameters('storages'), createArray())[copyIndex()].storageAccountName]" + "certificatePassword": { + "value": "[tryGet(parameters('certificate'), 'certificatePassword')]" } }, "template": { @@ -34883,17 +30619,40 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "12148192527952992187" + "version": "0.35.1.17967", + "templateHash": "18123249047188753287" }, "name": "App ManagedEnvironments Certificates", "description": "This module deploys a App Managed Environment Certificate." }, + "definitions": { + "certificateKeyVaultPropertiesType": { + "type": "object", + "properties": { + "identityResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the identity. This is the identity that will be used to access the key vault." + } + }, + "keyVaultUrl": { + "type": "string", + "metadata": { + "description": "Required. A key vault URL referencing the wildcard certificate that will be used for the custom domain." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for the certificate's key vault properties." + } + } + }, "parameters": { "name": { "type": "string", "metadata": { - "description": "Required. The name of the file share." + "description": "Required. Name of the Container Apps Managed Environment Certificate." } }, "managedEnvironmentName": { @@ -34902,175 +30661,21 @@ "description": "Conditional. The name of the parent app managed environment. Required if the template is used in a standalone deployment." } }, - "accessMode": { + "location": { "type": "string", + "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "Required. The access mode for the storage." + "description": "Optional. Location for all Resources." } }, - "kind": { - "type": "string", - "allowedValues": [ - "NFS", - "SMB" - ], + "certificateKeyVaultProperties": { + "$ref": "#/definitions/certificateKeyVaultPropertiesType", + "nullable": true, "metadata": { - "description": "Required. Type of storage: \"SMB\" or \"NFS\"." + "description": "Optional. A key vault reference to the certificate to use for the custom domain." } }, - "storageAccountName": { - "type": "string", - "metadata": { - "description": "Required. Storage account name." - } - } - }, - "resources": { - "managedEnvironment": { - "existing": true, - "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2025-10-02-preview", - "name": "[parameters('managedEnvironmentName')]" - }, - "storage": { - "type": "Microsoft.App/managedEnvironments/storages", - "apiVersion": "2025-10-02-preview", - "name": "[format('{0}/{1}', parameters('managedEnvironmentName'), parameters('name'))]", - "properties": { - "nfsAzureFile": "[if(equals(parameters('kind'), 'NFS'), createObject('accessMode', parameters('accessMode'), 'server', format('{0}.file.{1}', parameters('storageAccountName'), environment().suffixes.storage), 'shareName', format('/{0}/{1}', parameters('storageAccountName'), parameters('name'))), null())]", - "azureFile": "[if(equals(parameters('kind'), 'SMB'), createObject('accessMode', parameters('accessMode'), 'accountName', parameters('storageAccountName'), 'accountKey', listkeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2025-01-01').keys[0].value, 'shareName', parameters('name')), null())]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the file share." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the file share." - }, - "value": "[resourceId('Microsoft.App/managedEnvironments/storages', parameters('managedEnvironmentName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the file share was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "managedEnvironment" - ] - }, - "managedEnvironment_certificate": { - "condition": "[not(empty(parameters('certificate')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Managed-Environment-Certificate', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(tryGet(parameters('certificate'), 'name'), format('cert-{0}', parameters('name')))]" - }, - "managedEnvironmentName": { - "value": "[parameters('name')]" - }, - "certificateKeyVaultProperties": { - "value": "[tryGet(parameters('certificate'), 'certificateKeyVaultProperties')]" - }, - "certificateType": { - "value": "[tryGet(parameters('certificate'), 'certificateType')]" - }, - "certificateValue": { - "value": "[tryGet(parameters('certificate'), 'certificateValue')]" - }, - "certificatePassword": { - "value": "[tryGet(parameters('certificate'), 'certificatePassword')]" - }, - "location": { - "value": "[tryGet(parameters('certificate'), 'location')]" - }, - "tags": { - "value": "[tryGet(parameters('certificate'), 'tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "3685452564310390968" - }, - "name": "App ManagedEnvironments Certificates", - "description": "This module deploys a App Managed Environment Certificate." - }, - "definitions": { - "certificateKeyVaultPropertiesType": { - "type": "object", - "properties": { - "identityResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the identity. This is the identity that will be used to access the key vault." - } - }, - "keyVaultUrl": { - "type": "string", - "metadata": { - "description": "Required. A key vault URL referencing the wildcard certificate that will be used for the custom domain." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the certificate's key vault properties." - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container Apps Managed Environment Certificate." - } - }, - "managedEnvironmentName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent app managed environment. Required if the template is used in a standalone deployment." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "certificateKeyVaultProperties": { - "$ref": "#/definitions/certificateKeyVaultPropertiesType", - "nullable": true, - "metadata": { - "description": "Optional. A key vault reference to the certificate to use for the custom domain." - } - }, - "certificateType": { + "certificateType": { "type": "string", "nullable": true, "allowedValues": [ @@ -35097,25 +30702,22 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/managedEnvironments/certificates@2025-10-02-preview#properties/tags" - }, "description": "Optional. Tags of the resource." - }, - "nullable": true + } } }, "resources": { "managedEnvironment": { "existing": true, "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2025-10-02-preview", + "apiVersion": "2024-10-02-preview", "name": "[parameters('managedEnvironmentName')]" }, "managedEnvironmentCertificate": { "type": "Microsoft.App/managedEnvironments/certificates", - "apiVersion": "2025-10-02-preview", + "apiVersion": "2024-10-02-preview", "name": "[format('{0}/{1}', parameters('managedEnvironmentName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -35145,7 +30747,7 @@ "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the certificate was deployed into." + "description": "The resource group the batch account was deployed into." }, "value": "[resourceGroup().name]" } @@ -35170,7 +30772,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('managedEnvironment', '2025-10-02-preview', 'full').location]" + "value": "[reference('managedEnvironment', '2024-10-02-preview', 'full').location]" }, "name": { "type": "string", @@ -35192,7 +30794,7 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[tryGet(tryGet(reference('managedEnvironment', '2025-10-02-preview', 'full'), 'identity'), 'principalId')]" + "value": "[tryGet(tryGet(reference('managedEnvironment', '2024-10-02-preview', 'full'), 'identity'), 'principalId')]" }, "defaultDomain": { "type": "string", @@ -35220,15 +30822,15 @@ }, "dependsOn": [ "applicationInsights", + "existingLogAnalyticsWorkspace", "logAnalyticsWorkspace", "virtualNetwork" ] }, - "caeDnsZone": { - "condition": "[parameters('enablePrivateNetworking')]", + "containerApp": { "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", - "name": "avm.res.network.private-dns-zone.cae", + "name": "[take(format('avm.res.app.container-app.{0}', variables('containerAppResourceName')), 64)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -35236,32 +30838,135 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[reference('containerAppEnvironment').outputs.defaultDomain.value]" + "value": "[variables('containerAppResourceName')]" }, "tags": { "value": "[parameters('tags')]" }, + "location": { + "value": "[parameters('location')]" + }, "enableTelemetry": { "value": "[parameters('enableTelemetry')]" }, - "a": { - "value": [ - { - "name": "*", - "aRecords": [ - { - "ipv4Address": "[reference('containerAppEnvironment').outputs.staticIp.value]" + "environmentResourceId": { + "value": "[reference('containerAppEnvironment').outputs.resourceId.value]" + }, + "managedIdentities": { + "value": { + "userAssignedResourceIds": [ + "[reference('userAssignedIdentity').outputs.resourceId.value]" + ] + } + }, + "ingressTargetPort": { + "value": 8000 + }, + "ingressExternal": { + "value": true + }, + "activeRevisionsMode": { + "value": "Single" + }, + "corsPolicy": { + "value": { + "allowedOrigins": [ + "[format('https://{0}.azurewebsites.net', variables('webSiteResourceName'))]", + "[format('http://{0}.azurewebsites.net', variables('webSiteResourceName'))]" + ] + } + }, + "scaleSettings": { + "value": { + "maxReplicas": "[if(parameters('enableScalability'), 3, 1)]", + "minReplicas": "[if(parameters('enableScalability'), 2, 1)]", + "rules": [ + { + "name": "http-scaler", + "http": { + "metadata": { + "concurrentRequests": "100" + } } - ], - "ttl": 300 - } - ] + } + ] + } }, - "virtualNetworkLinks": { + "containers": { "value": [ { - "name": "[take(format('vnetlink-{0}-cae', variables('virtualNetworkResourceName')), 80)]", - "virtualNetworkResourceId": "[reference('virtualNetwork').outputs.resourceId.value]" + "name": "backend", + "image": "[format('{0}/{1}:{2}', parameters('backendContainerRegistryHostname'), parameters('backendContainerImageName'), parameters('backendContainerImageTag'))]", + "resources": { + "cpu": "2.0", + "memory": "4.0Gi" + }, + "env": [ + { + "name": "COSMOSDB_ENDPOINT", + "value": "[format('https://{0}.documents.azure.com:443/', variables('cosmosDbResourceName'))]" + }, + { + "name": "COSMOSDB_DATABASE", + "value": "[variables('cosmosDbDatabaseName')]" + }, + { + "name": "COSMOSDB_CONTAINER", + "value": "[variables('cosmosDbDatabaseMemoryContainerName')]" + }, + { + "name": "AZURE_OPENAI_ENDPOINT", + "value": "[format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName'))]" + }, + { + "name": "AZURE_OPENAI_MODEL_NAME", + "value": "[variables('aiFoundryAiServicesModelDeployment').name]" + }, + { + "name": "AZURE_OPENAI_DEPLOYMENT_NAME", + "value": "[variables('aiFoundryAiServicesModelDeployment').name]" + }, + { + "name": "AZURE_OPENAI_API_VERSION", + "value": "[parameters('azureopenaiVersion')]" + }, + { + "name": "APPLICATIONINSIGHTS_INSTRUMENTATION_KEY", + "value": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.instrumentationKey.value, '')]" + }, + { + "name": "APPLICATIONINSIGHTS_CONNECTION_STRING", + "value": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.connectionString.value, '')]" + }, + { + "name": "AZURE_AI_SUBSCRIPTION_ID", + "value": "[subscription().subscriptionId]" + }, + { + "name": "AZURE_AI_RESOURCE_GROUP", + "value": "[resourceGroup().name]" + }, + { + "name": "AZURE_AI_PROJECT_NAME", + "value": "[if(variables('useExistingAiFoundryAiProject'), variables('aiFoundryAiProjectResourceName'), reference('aiFoundryAiServicesProject').outputs.name.value)]" + }, + { + "name": "FRONTEND_SITE_NAME", + "value": "[format('https://{0}.azurewebsites.net', variables('webSiteResourceName'))]" + }, + { + "name": "AZURE_AI_AGENT_ENDPOINT", + "value": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject').endpoints['AI Foundry API'], reference('aiFoundryAiServicesProject').outputs.apiEndpoint.value)]" + }, + { + "name": "AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME", + "value": "[variables('aiFoundryAiServicesModelDeployment').name]" + }, + { + "name": "AZURE_CLIENT_ID", + "value": "[reference('userAssignedIdentity').outputs.clientId.value]" + } + ] } ] } @@ -35273,685 +30978,847 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "4533956061065498344" + "version": "0.36.177.2456", + "templateHash": "13502451048865419001" }, - "name": "Private DNS Zones", - "description": "This module deploys a Private DNS zone." + "name": "Container Apps", + "description": "This module deploys a Container App." }, "definitions": { - "aType": { + "containerType": { "type": "object", "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata of the record." - } - }, - "ttl": { - "type": "int", + "args": { + "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. Container start command arguments." } }, - "roleAssignments": { + "command": { "type": "array", "items": { - "$ref": "#/definitions/roleAssignmentType" + "type": "string" }, "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. Container start command." } }, - "aRecords": { + "env": { "type": "array", "items": { - "type": "object", - "properties": { - "ipv4Address": { - "type": "string", - "metadata": { - "description": "Required. The IPv4 address of this A record." - } - } - } + "$ref": "#/definitions/environmentVarType" }, "nullable": true, "metadata": { - "description": "Optional. The list of A records in the record set." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the A record." - } - }, - "aaaaType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the record." + "description": "Optional. Container environment variables." } }, - "metadata": { - "type": "object", - "nullable": true, + "image": { + "type": "string", "metadata": { - "description": "Optional. The metadata of the record." + "description": "Required. Container image tag." } }, - "ttl": { - "type": "int", + "name": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. Custom container name." } }, - "roleAssignments": { + "probes": { "type": "array", "items": { - "$ref": "#/definitions/roleAssignmentType" + "$ref": "#/definitions/containerAppProbeType" }, "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. List of probes for the container." } }, - "aaaaRecords": { + "resources": { + "type": "object", + "metadata": { + "description": "Required. Container resource requirements." + } + }, + "volumeMounts": { "type": "array", "items": { - "type": "object", - "properties": { - "ipv6Address": { - "type": "string", - "metadata": { - "description": "Required. The IPv6 address of this AAAA record." - } - } - } + "$ref": "#/definitions/volumeMountType" }, "nullable": true, "metadata": { - "description": "Optional. The list of AAAA records in the record set." + "description": "Optional. Container volume mounts." } } }, "metadata": { "__bicep_export!": true, - "description": "The type for the AAAA record." + "description": "The type for a container." } }, - "cnameType": { + "ingressPortMappingType": { "type": "object", "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata of the record." - } - }, - "ttl": { + "exposedPort": { "type": "int", "nullable": true, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. Specifies the exposed port for the target port. If not specified, it defaults to target port." } }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, + "external": { + "type": "bool", "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Required. Specifies whether the app port is accessible outside of the environment." } }, - "cnameRecord": { - "type": "object", - "properties": { - "cname": { - "type": "string", - "metadata": { - "description": "Required. The canonical name of the CNAME record." - } - } - }, - "nullable": true, + "targetPort": { + "type": "int", "metadata": { - "description": "Optional. The CNAME record in the record set." + "description": "Required. Specifies the port the container listens on." } } }, "metadata": { "__bicep_export!": true, - "description": "The type for the CNAME record." + "description": "The type for an ingress port mapping." } }, - "mxType": { + "serviceBindingType": { "type": "object", "properties": { "name": { "type": "string", "metadata": { - "description": "Required. The name of the record." + "description": "Required. The name of the service." } }, - "metadata": { - "type": "object", - "nullable": true, + "serviceId": { + "type": "string", "metadata": { - "description": "Optional. The metadata of the record." + "description": "Required. The service ID." } - }, - "ttl": { - "type": "int", - "nullable": true, + } + }, + "metadata": { + "description": "The type for a service binding." + } + }, + "environmentVarType": { + "type": "object", + "properties": { + "name": { + "type": "string", "metadata": { - "description": "Optional. The TTL of the record." + "description": "Required. Environment variable name." } }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, + "secretRef": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. Name of the Container App secret from which to pull the environment variable value." } }, - "mxRecords": { - "type": "array", - "items": { - "type": "object", - "properties": { - "exchange": { - "type": "string", - "metadata": { - "description": "Required. The domain name of the mail host for this MX record." - } - }, - "preference": { - "type": "int", - "metadata": { - "description": "Required. The preference value for this MX record." - } - } - } - }, + "value": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. The list of MX records in the record set." + "description": "Optional. Non-secret environment variable value." } } }, "metadata": { "__bicep_export!": true, - "description": "The type for the MX record." + "description": "The type for an environment variable." } }, - "ptrType": { + "containerAppProbeType": { "type": "object", "properties": { - "name": { - "type": "string", + "failureThreshold": { + "type": "int", + "nullable": true, + "minValue": 1, + "maxValue": 10, "metadata": { - "description": "Required. The name of the record." + "description": "Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3." } }, - "metadata": { - "type": "object", + "httpGet": { + "$ref": "#/definitions/containerAppProbeHttpGetType", "nullable": true, "metadata": { - "description": "Optional. The metadata of the record." + "description": "Optional. HTTPGet specifies the http request to perform." } }, - "ttl": { + "initialDelaySeconds": { "type": "int", "nullable": true, + "minValue": 1, + "maxValue": 60, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. Number of seconds after the container has started before liveness probes are initiated." } }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, + "periodSeconds": { + "type": "int", "nullable": true, + "minValue": 1, + "maxValue": 240, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. How often (in seconds) to perform the probe. Default to 10 seconds." } }, - "ptrRecords": { - "type": "array", - "items": { - "type": "object", - "properties": { - "ptrdname": { - "type": "string", - "metadata": { - "description": "Required. The PTR target domain name for this PTR record." - } - } - } - }, - "nullable": true, + "successThreshold": { + "type": "int", + "nullable": true, + "minValue": 1, + "maxValue": 10, "metadata": { - "description": "Optional. The list of PTR records in the record set." + "description": "Optional. Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup." + } + }, + "tcpSocket": { + "$ref": "#/definitions/containerAppProbeTcpSocketType", + "nullable": true, + "metadata": { + "description": "Optional. The TCP socket specifies an action involving a TCP port. TCP hooks not yet supported." + } + }, + "terminationGracePeriodSeconds": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour)." + } + }, + "timeoutSeconds": { + "type": "int", + "nullable": true, + "minValue": 1, + "maxValue": 240, + "metadata": { + "description": "Optional. Number of seconds after which the probe times out. Defaults to 1 second." + } + }, + "type": { + "type": "string", + "allowedValues": [ + "Liveness", + "Readiness", + "Startup" + ], + "nullable": true, + "metadata": { + "description": "Optional. The type of probe." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the PTR record." + "description": "The type for a container app probe." } }, - "soaType": { + "corsPolicyType": { "type": "object", "properties": { - "name": { - "type": "string", + "allowCredentials": { + "type": "bool", + "nullable": true, "metadata": { - "description": "Required. The name of the record." + "description": "Optional. Switch to determine whether the resource allows credentials." } }, - "metadata": { - "type": "object", + "allowedHeaders": { + "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { - "description": "Optional. The metadata of the record." + "description": "Optional. Specifies the content for the access-control-allow-headers header." } }, - "ttl": { - "type": "int", + "allowedMethods": { + "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. Specifies the content for the access-control-allow-methods header." } }, - "roleAssignments": { + "allowedOrigins": { "type": "array", "items": { - "$ref": "#/definitions/roleAssignmentType" + "type": "string" }, "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. Specifies the content for the access-control-allow-origins header." } }, - "soaRecord": { - "type": "object", - "properties": { - "email": { - "type": "string", - "metadata": { - "description": "Required. The email contact for this SOA record." - } - }, - "expireTime": { - "type": "int", - "metadata": { - "description": "Required. The expire time for this SOA record." - } - }, - "host": { - "type": "string", - "metadata": { - "description": "Required. The domain name of the authoritative name server for this SOA record." - } - }, - "minimumTtl": { - "type": "int", - "metadata": { - "description": "Required. The minimum value for this SOA record. By convention this is used to determine the negative caching duration." - } - }, - "refreshTime": { - "type": "int", - "metadata": { - "description": "Required. The refresh value for this SOA record." - } - }, - "retryTime": { - "type": "int", - "metadata": { - "description": "Required. The retry time for this SOA record." - } - }, - "serialNumber": { - "type": "int", - "metadata": { - "description": "Required. The serial number for this SOA record." - } - } + "exposeHeaders": { + "type": "array", + "items": { + "type": "string" }, "nullable": true, "metadata": { - "description": "Optional. The SOA record in the record set." + "description": "Optional. Specifies the content for the access-control-expose-headers header." + } + }, + "maxAge": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Specifies the content for the access-control-max-age header." } } }, "metadata": { "__bicep_export!": true, - "description": "The type for the SOA record." + "description": "The type for a CORS policy." } }, - "srvType": { + "containerAppProbeHttpGetType": { "type": "object", "properties": { - "name": { + "host": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The name of the record." + "description": "Optional. Host name to connect to. Defaults to the pod IP." } }, - "metadata": { - "type": "object", + "httpHeaders": { + "type": "array", + "items": { + "$ref": "#/definitions/containerAppProbeHttpGetHeadersItemType" + }, "nullable": true, "metadata": { - "description": "Optional. The metadata of the record." + "description": "Optional. HTTP headers to set in the request." } }, - "ttl": { - "type": "int", - "nullable": true, + "path": { + "type": "string", "metadata": { - "description": "Optional. The TTL of the record." + "description": "Required. Path to access on the HTTP server." } }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, + "port": { + "type": "int", "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Required. Name or number of the port to access on the container." } }, - "srvRecords": { - "type": "array", - "items": { - "type": "object", - "properties": { - "priority": { - "type": "int", - "metadata": { - "description": "Required. The priority value for this SRV record." - } - }, - "weight": { - "type": "int", - "metadata": { - "description": "Required. The weight value for this SRV record." - } - }, - "port": { - "type": "int", - "metadata": { - "description": "Required. The port value for this SRV record." - } - }, - "target": { - "type": "string", - "metadata": { - "description": "Required. The target domain name for this SRV record." - } - } - } - }, + "scheme": { + "type": "string", + "allowedValues": [ + "HTTP", + "HTTPS" + ], "nullable": true, "metadata": { - "description": "Optional. The list of SRV records in the record set." + "description": "Optional. Scheme to use for connecting to the host. Defaults to HTTP." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the SRV record." + "description": "The type for a container app probe HTTP GET." } }, - "txtType": { + "containerAppProbeHttpGetHeadersItemType": { "type": "object", "properties": { "name": { "type": "string", "metadata": { - "description": "Required. The name of the record." + "description": "Required. Name of the header." } }, - "metadata": { - "type": "object", + "value": { + "type": "string", + "metadata": { + "description": "Required. Value of the header." + } + } + }, + "metadata": { + "description": "The type for a container app probe HTTP GET header." + } + }, + "containerAppProbeTcpSocketType": { + "type": "object", + "properties": { + "host": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. The metadata of the record." + "description": "Optional. Host name to connect to, defaults to the pod IP." } }, - "ttl": { + "port": { + "type": "int", + "minValue": 1, + "maxValue": 65535, + "metadata": { + "description": "Required. Number of the port to access on the container. Name must be an IANA_SVC_NAME." + } + } + }, + "metadata": { + "description": "The type for a container app probe TCP socket." + } + }, + "scaleType": { + "type": "object", + "properties": { + "maxReplicas": { + "type": "int", + "metadata": { + "description": "Required. The maximum number of replicas." + } + }, + "minReplicas": { + "type": "int", + "metadata": { + "description": "Required. The minimum number of replicas." + } + }, + "cooldownPeriod": { "type": "int", "nullable": true, "metadata": { - "description": "Optional. The TTL of the record." + "description": "Optional. The cooldown period in seconds." } }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, + "pollingInterval": { + "type": "int", "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. The polling interval in seconds." } }, - "txtRecords": { + "rules": { "type": "array", "items": { - "type": "object", - "properties": { - "value": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. The text value of this TXT record." - } - } - } + "$ref": "#/definitions/scaleRuleType" }, "nullable": true, "metadata": { - "description": "Optional. The list of TXT records in the record set." + "description": "Optional. The scaling rules." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the TXT record." + "description": "The scale settings for the Container App." } }, - "virtualNetworkLinkType": { + "scaleRuleType": { "type": "object", "properties": { "name": { - "type": "string", - "nullable": true, - "minLength": 1, - "maxLength": 80, - "metadata": { - "description": "Optional. The resource name." - } - }, - "virtualNetworkResourceId": { "type": "string", "metadata": { - "description": "Required. The resource ID of the virtual network to link." + "description": "Required. The name of the scaling rule." } }, - "location": { - "type": "string", + "custom": { + "type": "object", "nullable": true, "metadata": { - "description": "Optional. The Azure Region where the resource lives." + "description": "Optional. The custom scaling rule." } }, - "registrationEnabled": { - "type": "bool", + "azureQueue": { + "type": "object", "nullable": true, "metadata": { - "description": "Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?." + "description": "Optional. The Azure Queue based scaling rule." } }, - "tags": { + "http": { "type": "object", "nullable": true, "metadata": { - "description": "Optional. Resource tags." + "description": "Optional. The HTTP requests based scaling rule." } }, - "resolutionPolicy": { - "type": "string", - "allowedValues": [ - "Default", - "NxDomainRedirect" - ], + "tcp": { + "type": "object", "nullable": true, "metadata": { - "description": "Optional. The resolution type of the private-dns-zone fallback machanism." + "description": "Optional. The TCP based scaling rule." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type for the virtual network link." + "description": "The scaling rules for the Container App." } }, - "lockType": { + "volumeMountType": { "type": "object", "properties": { - "name": { + "mountPath": { "type": "string", - "nullable": true, "metadata": { - "description": "Optional. Specify the name of lock." + "description": "Required. Path within the container at which the volume should be mounted.Must not contain ':'." } }, - "kind": { + "subPath": { "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], "nullable": true, "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Optional. Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root)." + } + }, + "volumeName": { + "type": "string", + "metadata": { + "description": "Required. This must match the Name of a Volume." } } }, "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } + "description": "The type for a volume mount." } }, - "roleAssignmentType": { + "secretType": { "type": "object", "properties": { - "name": { + "identity": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + "description": "Optional. Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity." } }, - "roleDefinitionIdOrName": { + "keyVaultUrl": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + "description": "Conditional. The URL of the Azure Key Vault secret referenced by the Container App. Required if `value` is null." } }, - "principalId": { + "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + "description": "Optional. The name of the container app secret." } }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], + "value": { + "type": "securestring", "nullable": true, "metadata": { - "description": "Optional. The principal type of the assigned principal ID." + "description": "Conditional. The container app secret value, if not fetched from the Key Vault. Required if `keyVaultUrl` is not null." } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a secret." + } + }, + "authConfigType": { + "type": "object", + "properties": { + "encryptionSettings": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/encryptionSettings" + }, + "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." + }, + "nullable": true }, - "description": { + "globalValidation": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/globalValidation" + }, + "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." + }, + "nullable": true + }, + "httpSettings": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/httpSettings" + }, + "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." + }, + "nullable": true + }, + "identityProviders": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/identityProviders" + }, + "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." + }, + "nullable": true + }, + "login": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/login" + }, + "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." + }, + "nullable": true + }, + "platform": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/platform" + }, + "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." + }, + "nullable": true + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for the container app's authentication configuration." + } + }, + "diagnosticSettingMetricsOnlyType": { + "type": "object", + "properties": { + "name": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The description of the role assignment." + "description": "Optional. The name of diagnostic setting." } }, - "condition": { - "type": "string", + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, "nullable": true, "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, - "conditionVersion": { + "logAnalyticsDestinationType": { "type": "string", "allowedValues": [ - "2.0" + "AzureDiagnostics", + "Dedicated" ], "nullable": true, "metadata": { - "description": "Optional. Version of the condition." + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." } }, - "delegatedManagedIdentityResourceId": { + "workspaceResourceId": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + } + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } } } }, @@ -35959,135 +31826,359 @@ "name": { "type": "string", "metadata": { - "description": "Required. Private DNS zone name." + "description": "Required. Name of the Container App." } }, - "a": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "disableIngress": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Bool to disable all ingress traffic for the container app." + } + }, + "ingressExternal": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Bool indicating if the App exposes an external HTTP endpoint." + } + }, + "clientCertificateMode": { + "type": "string", + "defaultValue": "ignore", + "allowedValues": [ + "accept", + "ignore", + "require" + ], + "metadata": { + "description": "Optional. Client certificate mode for mTLS." + } + }, + "corsPolicy": { + "$ref": "#/definitions/corsPolicyType", + "nullable": true, + "metadata": { + "description": "Optional. Object userd to configure CORS policy." + } + }, + "stickySessionsAffinity": { + "type": "string", + "defaultValue": "none", + "allowedValues": [ + "none", + "sticky" + ], + "metadata": { + "description": "Optional. Bool indicating if the Container App should enable session affinity." + } + }, + "ingressTransport": { + "type": "string", + "defaultValue": "auto", + "allowedValues": [ + "auto", + "http", + "http2", + "tcp" + ], + "metadata": { + "description": "Optional. Ingress transport protocol." + } + }, + "service": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/service" + }, + "description": "Optional. Dev ContainerApp service type." + }, + "nullable": true + }, + "includeAddOns": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Toggle to include the service configuration." + } + }, + "additionalPortMappings": { "type": "array", "items": { - "$ref": "#/definitions/aType" + "$ref": "#/definitions/ingressPortMappingType" }, "nullable": true, "metadata": { - "description": "Optional. Array of A records." + "description": "Optional. Settings to expose additional ports on container app." } }, - "aaaa": { + "ingressAllowInsecure": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections." + } + }, + "ingressTargetPort": { + "type": "int", + "defaultValue": 80, + "metadata": { + "description": "Optional. Target Port in containers for traffic from ingress." + } + }, + "scaleSettings": { + "$ref": "#/definitions/scaleType", + "defaultValue": { + "maxReplicas": 10, + "minReplicas": 3 + }, + "metadata": { + "description": "Optional. The scaling settings of the service." + } + }, + "serviceBinds": { "type": "array", "items": { - "$ref": "#/definitions/aaaaType" + "$ref": "#/definitions/serviceBindingType" }, "nullable": true, "metadata": { - "description": "Optional. Array of AAAA records." + "description": "Optional. List of container app services bound to the app." } }, - "cname": { + "activeRevisionsMode": { + "type": "string", + "defaultValue": "Single", + "allowedValues": [ + "Multiple", + "Single" + ], + "metadata": { + "description": "Optional. Controls how active revisions are handled for the Container app." + } + }, + "environmentResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of environment." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "registries": { "type": "array", - "items": { - "$ref": "#/definitions/cnameType" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/registries" + }, + "description": "Optional. Collection of private container registry credentials for containers used by the Container app." }, + "nullable": true + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", "nullable": true, "metadata": { - "description": "Optional. Array of CNAME records." + "description": "Optional. The managed identity definition for this resource." } }, - "mx": { + "roleAssignments": { "type": "array", "items": { - "$ref": "#/definitions/mxType" + "$ref": "#/definitions/roleAssignmentType" }, "nullable": true, "metadata": { - "description": "Optional. Array of MX records." + "description": "Optional. Array of role assignments to create." } }, - "ptr": { + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "customDomains": { "type": "array", - "items": { - "$ref": "#/definitions/ptrType" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/ingress/properties/customDomains" + }, + "description": "Optional. Custom domain bindings for Container App hostnames." }, - "nullable": true, + "nullable": true + }, + "exposedPort": { + "type": "int", + "defaultValue": 0, "metadata": { - "description": "Optional. Array of PTR records." + "description": "Optional. Exposed Port in containers for TCP traffic from ingress." } }, - "soa": { + "ipSecurityRestrictions": { "type": "array", - "items": { - "$ref": "#/definitions/soaType" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/ingress/properties/ipSecurityRestrictions" + }, + "description": "Optional. Rules to restrict incoming IP address." }, - "nullable": true, + "nullable": true + }, + "trafficLabel": { + "type": "string", + "defaultValue": "label-1", "metadata": { - "description": "Optional. Array of SOA records." + "description": "Optional. Associates a traffic label with a revision. Label name should be consist of lower case alphanumeric characters or dashes." } }, - "srv": { + "trafficLatestRevision": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Indicates that the traffic weight belongs to a latest stable revision." + } + }, + "trafficRevisionName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of a revision." + } + }, + "trafficWeight": { + "type": "int", + "defaultValue": 100, + "metadata": { + "description": "Optional. Traffic weight assigned to a revision." + } + }, + "dapr": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/dapr" + }, + "description": "Optional. Dapr configuration for the Container App." + }, + "nullable": true + }, + "identitySettings": { "type": "array", - "items": { - "$ref": "#/definitions/srvType" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/identitySettings" + }, + "description": "Optional. Settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used." }, - "nullable": true, + "nullable": true + }, + "maxInactiveRevisions": { + "type": "int", + "defaultValue": 0, "metadata": { - "description": "Optional. Array of SRV records." + "description": "Optional. Max inactive revisions a Container App can have." } }, - "txt": { + "runtime": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/configuration/properties/runtime" + }, + "description": "Optional. Runtime configuration for the Container App." + }, + "nullable": true + }, + "containers": { "type": "array", "items": { - "$ref": "#/definitions/txtType" + "$ref": "#/definitions/containerType" }, - "nullable": true, "metadata": { - "description": "Optional. Array of TXT records." + "description": "Required. List of container definitions for the Container App." } }, - "virtualNetworkLinks": { + "initContainersTemplate": { + "type": "array", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/template/properties/initContainers" + }, + "description": "Optional. List of specialized containers that run before app containers." + }, + "nullable": true + }, + "secrets": { "type": "array", "items": { - "$ref": "#/definitions/virtualNetworkLinkType" + "$ref": "#/definitions/secretType" }, "nullable": true, "metadata": { - "description": "Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'virtualNetworkResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource ID of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet." + "description": "Optional. The secrets of the Container App." } }, - "location": { + "revisionSuffix": { "type": "string", - "defaultValue": "global", + "defaultValue": "", "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." + "description": "Optional. User friendly suffix that is appended to the revision name." } }, - "roleAssignments": { + "volumes": { "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." - } + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps@2025-01-01#properties/properties/properties/template/properties/volumes" + }, + "description": "Optional. List of volume definitions for the Container App." + }, + "nullable": true }, - "tags": { - "type": "object", - "nullable": true, + "workloadProfileName": { + "type": "string", + "defaultValue": "", "metadata": { - "description": "Optional. Tags of the resource." + "description": "Optional. Workload profile name to pin for container app execution." } }, - "lock": { - "$ref": "#/definitions/lockType", + "authConfig": { + "$ref": "#/definitions/authConfigType", "nullable": true, "metadata": { - "description": "Optional. The lock settings of the service." + "description": "Optional. The name of the Container App Auth configs." } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, + "diagnosticSettings": { + "type": "array", + "items": { + "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" + }, + "nullable": true, "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "description": "Optional. The diagnostic settings of the service." } } }, @@ -36099,13 +32190,15 @@ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" } ], + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { + "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": { @@ -36113,7 +32206,7 @@ "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-privatednszone.{0}.{1}', replace('0.7.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "name": "[format('46d3xbcp.res.app-containerapp.{0}.{1}', replace('0.18.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -36129,36 +32222,60 @@ } } }, - "privateDnsZone": { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", + "containerApp": { + "type": "Microsoft.App/containerApps", + "apiVersion": "2025-01-01", "name": "[parameters('name')]", + "tags": "[parameters('tags')]", "location": "[parameters('location')]", - "tags": "[parameters('tags')]" - }, - "privateDnsZone_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "identity": "[variables('identity')]", "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" - }, + "environmentId": "[parameters('environmentResourceId')]", + "workloadProfileName": "[parameters('workloadProfileName')]", + "template": { + "containers": "[parameters('containers')]", + "initContainers": "[if(not(empty(parameters('initContainersTemplate'))), parameters('initContainersTemplate'), null())]", + "revisionSuffix": "[parameters('revisionSuffix')]", + "scale": "[parameters('scaleSettings')]", + "serviceBinds": "[if(and(parameters('includeAddOns'), not(empty(parameters('serviceBinds')))), parameters('serviceBinds'), null())]", + "volumes": "[if(not(empty(parameters('volumes'))), parameters('volumes'), null())]" + }, + "configuration": { + "activeRevisionsMode": "[parameters('activeRevisionsMode')]", + "dapr": "[if(not(empty(parameters('dapr'))), parameters('dapr'), null())]", + "identitySettings": "[if(not(empty(parameters('identitySettings'))), parameters('identitySettings'), null())]", + "ingress": "[if(parameters('disableIngress'), null(), createObject('additionalPortMappings', parameters('additionalPortMappings'), 'allowInsecure', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('ingressAllowInsecure'), false()), 'customDomains', if(not(empty(parameters('customDomains'))), parameters('customDomains'), null()), 'corsPolicy', if(and(not(equals(parameters('corsPolicy'), null())), not(equals(parameters('ingressTransport'), 'tcp'))), createObject('allowCredentials', coalesce(tryGet(parameters('corsPolicy'), 'allowCredentials'), false()), 'allowedHeaders', coalesce(tryGet(parameters('corsPolicy'), 'allowedHeaders'), createArray()), 'allowedMethods', coalesce(tryGet(parameters('corsPolicy'), 'allowedMethods'), createArray()), 'allowedOrigins', coalesce(tryGet(parameters('corsPolicy'), 'allowedOrigins'), createArray()), 'exposeHeaders', coalesce(tryGet(parameters('corsPolicy'), 'exposeHeaders'), createArray()), 'maxAge', tryGet(parameters('corsPolicy'), 'maxAge')), null()), 'clientCertificateMode', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('clientCertificateMode'), null()), 'exposedPort', parameters('exposedPort'), 'external', parameters('ingressExternal'), 'ipSecurityRestrictions', if(not(empty(parameters('ipSecurityRestrictions'))), parameters('ipSecurityRestrictions'), null()), 'targetPort', parameters('ingressTargetPort'), 'stickySessions', createObject('affinity', parameters('stickySessionsAffinity')), 'traffic', if(not(equals(parameters('ingressTransport'), 'tcp')), createArray(createObject('label', parameters('trafficLabel'), 'latestRevision', parameters('trafficLatestRevision'), 'revisionName', parameters('trafficRevisionName'), 'weight', parameters('trafficWeight'))), null()), 'transport', parameters('ingressTransport')))]", + "service": "[if(and(parameters('includeAddOns'), not(empty(parameters('service')))), parameters('service'), null())]", + "maxInactiveRevisions": "[parameters('maxInactiveRevisions')]", + "registries": "[if(not(empty(parameters('registries'))), parameters('registries'), null())]", + "secrets": "[parameters('secrets')]", + "runtime": "[if(not(empty(parameters('runtime'))), parameters('runtime'), null())]" + } + } + }, + "containerApp_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, "dependsOn": [ - "privateDnsZone" + "containerApp" ] }, - "privateDnsZone_roleAssignments": { + "containerApp_roleAssignments": { "copy": { - "name": "privateDnsZone_roleAssignments", + "name": "containerApp_roleAssignments", "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", @@ -36169,40 +32286,72 @@ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ - "privateDnsZone" + "containerApp" ] }, - "privateDnsZone_A": { + "containerApp_diagnosticSettings": { "copy": { - "name": "privateDnsZone_A", - "count": "[length(coalesce(parameters('a'), createArray()))]" + "name": "containerApp_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" + }, + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.App/containerApps/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, + "dependsOn": [ + "containerApp" + ] + }, + "containerAppAuthConfigs": { + "condition": "[not(empty(parameters('authConfig')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-ARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-auth-config', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "privateDnsZoneName": { + "containerAppName": { "value": "[parameters('name')]" }, - "name": { - "value": "[coalesce(parameters('a'), createArray())[copyIndex()].name]" + "encryptionSettings": { + "value": "[tryGet(parameters('authConfig'), 'encryptionSettings')]" }, - "aRecords": { - "value": "[tryGet(coalesce(parameters('a'), createArray())[copyIndex()], 'aRecords')]" + "globalValidation": { + "value": "[tryGet(parameters('authConfig'), 'globalValidation')]" }, - "metadata": { - "value": "[tryGet(coalesce(parameters('a'), createArray())[copyIndex()], 'metadata')]" + "httpSettings": { + "value": "[tryGet(parameters('authConfig'), 'httpSettings')]" }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('a'), createArray())[copyIndex()], 'ttl'), 3600)]" + "identityProviders": { + "value": "[tryGet(parameters('authConfig'), 'identityProviders')]" }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('a'), createArray())[copyIndex()], 'roleAssignments')]" + "login": { + "value": "[tryGet(parameters('authConfig'), 'login')]" + }, + "platform": { + "value": "[tryGet(parameters('authConfig'), 'platform')]" } }, "template": { @@ -36212,211 +32361,120 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "18243374258187942664" + "version": "0.36.177.2456", + "templateHash": "9975390462196064744" }, - "name": "Private DNS Zone A record", - "description": "This module deploys a Private DNS Zone A record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } + "name": "Container App Auth Configs", + "description": "This module deploys Container App Auth Configs." }, "parameters": { - "privateDnsZoneName": { + "containerAppName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent Container App. Required if the template is used in a standalone deployment." } }, - "name": { - "type": "string", + "encryptionSettings": { + "type": "object", "metadata": { - "description": "Required. The name of the A record." - } + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/encryptionSettings" + }, + "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." + }, + "nullable": true }, - "aRecords": { - "type": "array", - "nullable": true, + "globalValidation": { + "type": "object", "metadata": { - "description": "Optional. The list of A records in the record set." - } + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/globalValidation" + }, + "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." + }, + "nullable": true }, - "metadata": { + "httpSettings": { "type": "object", - "nullable": true, "metadata": { - "description": "Optional. The metadata attached to the record set." - } + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/httpSettings" + }, + "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." + }, + "nullable": true }, - "ttl": { - "type": "int", - "defaultValue": 3600, + "identityProviders": { + "type": "object", "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/identityProviders" + }, + "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." + }, + "nullable": true }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" + "login": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/login" + }, + "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." }, - "nullable": true, + "nullable": true + }, + "platform": { + "type": "object", "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + "__bicep_resource_derived_type!": { + "source": "Microsoft.App/containerApps/authConfigs@2025-01-01#properties/properties/properties/platform" + }, + "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." + }, + "nullable": true } }, "resources": { - "privateDnsZone": { + "containerApp": { "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" + "type": "Microsoft.App/containerApps", + "apiVersion": "2025-01-01", + "name": "[parameters('containerAppName')]" }, - "A": { - "type": "Microsoft.Network/privateDnsZones/A", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", + "containerAppAuthConfigs": { + "type": "Microsoft.App/containerApps/authConfigs", + "apiVersion": "2025-01-01", + "name": "[format('{0}/{1}', parameters('containerAppName'), 'current')]", "properties": { - "aRecords": "[parameters('aRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" + "encryptionSettings": "[parameters('encryptionSettings')]", + "globalValidation": "[parameters('globalValidation')]", + "httpSettings": "[parameters('httpSettings')]", + "identityProviders": "[parameters('identityProviders')]", + "login": "[parameters('login')]", + "platform": "[parameters('platform')]" } - }, - "A_roleAssignments": { - "copy": { - "name": "A_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "A" - ] } }, "outputs": { "name": { "type": "string", "metadata": { - "description": "The name of the deployed A record." + "description": "The name of the set of Container App Auth configs." }, - "value": "[parameters('name')]" + "value": "current" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed A record." + "description": "The resource ID of the set of Container App Auth configs." }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/A', parameters('privateDnsZoneName'), parameters('name'))]" + "value": "[resourceId('Microsoft.App/containerApps/authConfigs', parameters('containerAppName'), 'current')]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group of the deployed A record." + "description": "The resource group containing the set of Container App Auth configs." }, "value": "[resourceGroup().name]" } @@ -36424,16290 +32482,640 @@ } }, "dependsOn": [ - "privateDnsZone" + "containerApp" ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Container App." + }, + "value": "[resourceId('Microsoft.App/containerApps', parameters('name'))]" }, - "privateDnsZone_AAAA": { - "copy": { - "name": "privateDnsZone_AAAA", - "count": "[length(coalesce(parameters('aaaa'), createArray()))]" + "fqdn": { + "type": "string", + "metadata": { + "description": "The configuration of ingress fqdn." }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-AAAARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "value": "[if(parameters('disableIngress'), 'IngressDisabled', reference('containerApp').configuration.ingress.fqdn)]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the Container App was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the Container App." + }, + "value": "[parameters('name')]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[tryGet(tryGet(reference('containerApp', '2025-01-01', 'full'), 'identity'), 'principalId')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference('containerApp', '2025-01-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "aiFoundryAiServicesProject", + "applicationInsights", + "containerAppEnvironment", + "existingAiFoundryAiServicesProject", + "userAssignedIdentity" + ] + }, + "webServerFarm": { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2025-04-01", + "name": "[take(format('avm.res.web.serverfarm.{0}', variables('webServerFarmResourceName')), 64)]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[variables('webServerFarmResourceName')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "enableTelemetry": { + "value": "[parameters('enableTelemetry')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "reserved": { + "value": true + }, + "kind": { + "value": "linux" + }, + "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]", + "skuName": "[if(or(parameters('enableScalability'), parameters('enableRedundancy')), createObject('value', 'P1v3'), createObject('value', 'B3'))]", + "skuCapacity": "[if(parameters('enableScalability'), createObject('value', 3), createObject('value', 1))]", + "zoneRedundant": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.36.177.2456", + "templateHash": "16945786131371363466" + }, + "name": "App Service Plan", + "description": "This module deploys an App Service Plan." + }, + "definitions": { + "diagnosticSettingMetricsOnlyType": { + "type": "object", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of diagnostic setting." + } }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('aaaa'), createArray())[copyIndex()].name]" - }, - "aaaaRecords": { - "value": "[tryGet(coalesce(parameters('aaaa'), createArray())[copyIndex()], 'aaaaRecords')]" + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } }, + "nullable": true, "metadata": { - "value": "[tryGet(coalesce(parameters('aaaa'), createArray())[copyIndex()], 'metadata')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('aaaa'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('aaaa'), createArray())[copyIndex()], 'roleAssignments')]" + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." } }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "7322684246075092047" - }, - "name": "Private DNS Zone AAAA record", - "description": "This module deploys a Private DNS Zone AAAA record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the AAAA record." - } - }, - "aaaaRecords": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The list of AAAA records in the record set." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "AAAA": { - "type": "Microsoft.Network/privateDnsZones/AAAA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "aaaaRecords": "[parameters('aaaaRecords')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - } - }, - "AAAA_roleAssignments": { - "copy": { - "name": "AAAA_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/AAAA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "AAAA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed AAAA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed AAAA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/AAAA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed AAAA record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_CNAME": { - "copy": { - "name": "privateDnsZone_CNAME", - "count": "[length(coalesce(parameters('cname'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-CNAMERecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('cname'), createArray())[copyIndex()].name]" - }, - "cnameRecord": { - "value": "[tryGet(coalesce(parameters('cname'), createArray())[copyIndex()], 'cnameRecord')]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('cname'), createArray())[copyIndex()], 'metadata')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('cname'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('cname'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "5264706240021075859" - }, - "name": "Private DNS Zone CNAME record", - "description": "This module deploys a Private DNS Zone CNAME record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the CNAME record." - } - }, - "cnameRecord": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. A CNAME record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "CNAME": { - "type": "Microsoft.Network/privateDnsZones/CNAME", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "cnameRecord": "[parameters('cnameRecord')]", - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]" - } - }, - "CNAME_roleAssignments": { - "copy": { - "name": "CNAME_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/CNAME/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "CNAME" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed CNAME record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed CNAME record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/CNAME', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed CNAME record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_MX": { - "copy": { - "name": "privateDnsZone_MX", - "count": "[length(coalesce(parameters('mx'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-MXRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('mx'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('mx'), createArray())[copyIndex()], 'metadata')]" - }, - "mxRecords": { - "value": "[tryGet(coalesce(parameters('mx'), createArray())[copyIndex()], 'mxRecords')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('mx'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('mx'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "13758189936483275969" - }, - "name": "Private DNS Zone MX record", - "description": "This module deploys a Private DNS Zone MX record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the MX record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "mxRecords": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The list of MX records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "MX": { - "type": "Microsoft.Network/privateDnsZones/MX", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "mxRecords": "[parameters('mxRecords')]", - "ttl": "[parameters('ttl')]" - } - }, - "MX_roleAssignments": { - "copy": { - "name": "MX_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/MX/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "MX" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed MX record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed MX record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/MX', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed MX record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_PTR": { - "copy": { - "name": "privateDnsZone_PTR", - "count": "[length(coalesce(parameters('ptr'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-PTRRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('ptr'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('ptr'), createArray())[copyIndex()], 'metadata')]" - }, - "ptrRecords": { - "value": "[tryGet(coalesce(parameters('ptr'), createArray())[copyIndex()], 'ptrRecords')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('ptr'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('ptr'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "11955164584650609753" - }, - "name": "Private DNS Zone PTR record", - "description": "This module deploys a Private DNS Zone PTR record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the PTR record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ptrRecords": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The list of PTR records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "PTR": { - "type": "Microsoft.Network/privateDnsZones/PTR", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ptrRecords": "[parameters('ptrRecords')]", - "ttl": "[parameters('ttl')]" - } - }, - "PTR_roleAssignments": { - "copy": { - "name": "PTR_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/PTR/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "PTR" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed PTR record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed PTR record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/PTR', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed PTR record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_SOA": { - "copy": { - "name": "privateDnsZone_SOA", - "count": "[length(coalesce(parameters('soa'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-SOARecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('soa'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('soa'), createArray())[copyIndex()], 'metadata')]" - }, - "soaRecord": { - "value": "[tryGet(coalesce(parameters('soa'), createArray())[copyIndex()], 'soaRecord')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('soa'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('soa'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "14626715835033259725" - }, - "name": "Private DNS Zone SOA record", - "description": "This module deploys a Private DNS Zone SOA record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SOA record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "soaRecord": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. A SOA record." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SOA": { - "type": "Microsoft.Network/privateDnsZones/SOA", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "soaRecord": "[parameters('soaRecord')]", - "ttl": "[parameters('ttl')]" - } - }, - "SOA_roleAssignments": { - "copy": { - "name": "SOA_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SOA/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SOA" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SOA record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SOA record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SOA', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SOA record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_SRV": { - "copy": { - "name": "privateDnsZone_SRV", - "count": "[length(coalesce(parameters('srv'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-SRVRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('srv'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('srv'), createArray())[copyIndex()], 'metadata')]" - }, - "srvRecords": { - "value": "[tryGet(coalesce(parameters('srv'), createArray())[copyIndex()], 'srvRecords')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('srv'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('srv'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "6510442308165042737" - }, - "name": "Private DNS Zone SRV record", - "description": "This module deploys a Private DNS Zone SRV record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the SRV record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "srvRecords": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The list of SRV records in the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "SRV": { - "type": "Microsoft.Network/privateDnsZones/SRV", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "srvRecords": "[parameters('srvRecords')]", - "ttl": "[parameters('ttl')]" - } - }, - "SRV_roleAssignments": { - "copy": { - "name": "SRV_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/SRV/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "SRV" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed SRV record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed SRV record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/SRV', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed SRV record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_TXT": { - "copy": { - "name": "privateDnsZone_TXT", - "count": "[length(coalesce(parameters('txt'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-TXTRecord-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('txt'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('txt'), createArray())[copyIndex()], 'metadata')]" - }, - "txtRecords": { - "value": "[tryGet(coalesce(parameters('txt'), createArray())[copyIndex()], 'txtRecords')]" - }, - "ttl": { - "value": "[coalesce(tryGet(coalesce(parameters('txt'), createArray())[copyIndex()], 'ttl'), 3600)]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('txt'), createArray())[copyIndex()], 'roleAssignments')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "170623042781622569" - }, - "name": "Private DNS Zone TXT record", - "description": "This module deploys a Private DNS Zone TXT record." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" - } - } - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the TXT record." - } - }, - "metadata": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The metadata attached to the record set." - } - }, - "ttl": { - "type": "int", - "defaultValue": 3600, - "metadata": { - "description": "Optional. The TTL (time-to-live) of the records in the record set." - } - }, - "txtRecords": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. The list of TXT records in the record set." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "TXT": { - "type": "Microsoft.Network/privateDnsZones/TXT", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]", - "ttl": "[parameters('ttl')]", - "txtRecords": "[parameters('txtRecords')]" - } - }, - "TXT_roleAssignments": { - "copy": { - "name": "TXT_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateDnsZones/{0}/TXT/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "TXT" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed TXT record." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed TXT record." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/TXT', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed TXT record." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - }, - "privateDnsZone_virtualNetworkLinks": { - "copy": { - "name": "privateDnsZone_virtualNetworkLinks", - "count": "[length(coalesce(parameters('virtualNetworkLinks'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateDnsZone-VNetLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'name'), format('{0}-vnetlink', last(split(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()].virtualNetworkResourceId, '/'))))]" - }, - "virtualNetworkResourceId": { - "value": "[coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()].virtualNetworkResourceId]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'location'), 'global')]" - }, - "registrationEnabled": { - "value": "[coalesce(tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'registrationEnabled'), false())]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "resolutionPolicy": { - "value": "[tryGet(coalesce(parameters('virtualNetworkLinks'), createArray())[copyIndex()], 'resolutionPolicy')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "725891200086243555" - }, - "name": "Private DNS Zone Virtual Network Link", - "description": "This module deploys a Private DNS Zone Virtual Network Link." - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Private DNS zone. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "[format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/')))]", - "metadata": { - "description": "Optional. The name of the virtual network link." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "registrationEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?." - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Required. Link to another virtual network resource ID." - } - }, - "resolutionPolicy": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resolution policy on the virtual network link. Only applicable for virtual network links to privatelink zones, and for A,AAAA,CNAME queries. When set to `NxDomainRedirect`, Azure DNS resolver falls back to public resolution if private dns query resolution results in non-existent domain response. `Default` is configured as the default option." - } - } - }, - "resources": { - "privateDnsZone": { - "existing": true, - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]" - }, - "virtualNetworkLink": { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2024-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), parameters('name'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": "[parameters('registrationEnabled')]", - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - }, - "resolutionPolicy": "[parameters('resolutionPolicy')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed virtual network link." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed virtual network link." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones/virtualNetworkLinks', parameters('privateDnsZoneName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed virtual network link." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('virtualNetworkLink', '2024-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "privateDnsZone" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private DNS zone was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private DNS zone." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private DNS zone." - }, - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateDnsZone', '2020-06-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "containerAppEnvironment", - "virtualNetwork" - ] - }, - "containerApp": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('avm.res.app.container-app.{0}', variables('containerAppResourceName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('containerAppResourceName')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" - }, - "environmentResourceId": { - "value": "[reference('containerAppEnvironment').outputs.resourceId.value]" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "[reference('userAssignedIdentity').outputs.resourceId.value]" - ] - } - }, - "ingressTargetPort": { - "value": 8000 - }, - "ingressExternal": { - "value": true - }, - "activeRevisionsMode": { - "value": "Single" - }, - "ingressAllowInsecure": { - "value": false - }, - "corsPolicy": { - "value": { - "allowedOrigins": [ - "[format('https://{0}.azurewebsites.net', variables('webSiteResourceName'))]", - "[format('http://{0}.azurewebsites.net', variables('webSiteResourceName'))]" - ], - "allowedMethods": [ - "GET", - "POST", - "PUT", - "DELETE", - "OPTIONS" - ] - } - }, - "scaleSettings": { - "value": { - "maxReplicas": "[if(parameters('enableScalability'), 3, 1)]", - "minReplicas": "[if(parameters('enableScalability'), 1, 1)]", - "rules": [ - { - "name": "http-scaler", - "http": { - "metadata": { - "concurrentRequests": "100" - } - } - } - ] - } - }, - "containers": { - "value": [ - { - "name": "backend", - "image": "[format('{0}/{1}:{2}', parameters('backendContainerRegistryHostname'), parameters('backendContainerImageName'), parameters('backendContainerImageTag'))]", - "resources": { - "cpu": "2.0", - "memory": "4.0Gi" - }, - "env": [ - { - "name": "COSMOSDB_ENDPOINT", - "value": "[format('https://{0}.documents.azure.com:443/', variables('cosmosDbResourceName'))]" - }, - { - "name": "COSMOSDB_DATABASE", - "value": "[variables('cosmosDbDatabaseName')]" - }, - { - "name": "COSMOSDB_CONTAINER", - "value": "[variables('cosmosDbDatabaseMemoryContainerName')]" - }, - { - "name": "AZURE_OPENAI_ENDPOINT", - "value": "[format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName'))]" - }, - { - "name": "AZURE_OPENAI_MODEL_NAME", - "value": "[variables('aiFoundryAiServicesModelDeployment').name]" - }, - { - "name": "AZURE_OPENAI_DEPLOYMENT_NAME", - "value": "[variables('aiFoundryAiServicesModelDeployment').name]" - }, - { - "name": "AZURE_OPENAI_RAI_DEPLOYMENT_NAME", - "value": "[variables('aiFoundryAiServices4_1ModelDeployment').name]" - }, - { - "name": "AZURE_OPENAI_API_VERSION", - "value": "[parameters('azureOpenaiAPIVersion')]" - }, - { - "name": "APPLICATIONINSIGHTS_INSTRUMENTATION_KEY", - "value": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.instrumentationKey.value, '')]" - }, - { - "name": "APPLICATIONINSIGHTS_CONNECTION_STRING", - "value": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.connectionString.value, '')]" - }, - { - "name": "AZURE_AI_SUBSCRIPTION_ID", - "value": "[variables('aiFoundryAiServicesSubscriptionId')]" - }, - { - "name": "AZURE_AI_RESOURCE_GROUP", - "value": "[variables('aiFoundryAiServicesResourceGroupName')]" - }, - { - "name": "AZURE_AI_PROJECT_NAME", - "value": "[if(variables('useExistingAiFoundryAiProject'), variables('aiFoundryAiProjectResourceName'), reference('aiFoundryAiServicesProject').outputs.name.value)]" - }, - { - "name": "FRONTEND_SITE_NAME", - "value": "[format('https://{0}.azurewebsites.net', variables('webSiteResourceName'))]" - }, - { - "name": "AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME", - "value": "[variables('aiFoundryAiServicesModelDeployment').name]" - }, - { - "name": "APP_ENV", - "value": "Prod" - }, - { - "name": "AZURE_AI_SEARCH_CONNECTION_NAME", - "value": "[variables('aiSearchConnectionName')]" - }, - { - "name": "AZURE_AI_SEARCH_ENDPOINT", - "value": "[reference('searchServiceUpdate').outputs.endpoint.value]" - }, - { - "name": "AZURE_COGNITIVE_SERVICES", - "value": "https://cognitiveservices.azure.com/.default" - }, - { - "name": "AZURE_BING_CONNECTION_NAME", - "value": "binggrnd" - }, - { - "name": "BING_CONNECTION_NAME", - "value": "binggrnd" - }, - { - "name": "REASONING_MODEL_NAME", - "value": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]" - }, - { - "name": "MCP_SERVER_ENDPOINT", - "value": "[format('https://{0}/mcp', reference('containerAppMcp').outputs.fqdn.value)]" - }, - { - "name": "MCP_SERVER_NAME", - "value": "MacaeMcpServer" - }, - { - "name": "MCP_SERVER_DESCRIPTION", - "value": "MCP server with greeting, HR, and planning tools" - }, - { - "name": "AZURE_TENANT_ID", - "value": "[tenant().tenantId]" - }, - { - "name": "AZURE_CLIENT_ID", - "value": "[reference('userAssignedIdentity').outputs.clientId.value]" - }, - { - "name": "SUPPORTED_MODELS", - "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]" - }, - { - "name": "AZURE_STORAGE_BLOB_URL", - "value": "[reference('avmStorageAccount').outputs.serviceEndpoints.value.blob]" - }, - { - "name": "AZURE_AI_PROJECT_ENDPOINT", - "value": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject').endpoints['AI Foundry API'], reference('aiFoundryAiServicesProject').outputs.apiEndpoint.value)]" - }, - { - "name": "AZURE_AI_AGENT_ENDPOINT", - "value": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject').endpoints['AI Foundry API'], reference('aiFoundryAiServicesProject').outputs.apiEndpoint.value)]" - }, - { - "name": "AZURE_AI_AGENT_API_VERSION", - "value": "[parameters('azureAiAgentAPIVersion')]" - }, - { - "name": "AZURE_AI_AGENT_PROJECT_CONNECTION_STRING", - "value": "[format('{0}.services.ai.azure.com;{1};{2};{3}', variables('aiFoundryAiServicesResourceName'), variables('aiFoundryAiServicesSubscriptionId'), variables('aiFoundryAiServicesResourceGroupName'), variables('aiFoundryAiProjectResourceName'))]" - }, - { - "name": "AZURE_BASIC_LOGGING_LEVEL", - "value": "INFO" - }, - { - "name": "AZURE_PACKAGE_LOGGING_LEVEL", - "value": "WARNING" - }, - { - "name": "AZURE_LOGGING_PACKAGES", - "value": "" - } - ] - } - ] - }, - "secrets": { - "value": [] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.42.1.51946", - "templateHash": "14994565436716579607" - }, - "name": "Container Apps", - "description": "This module deploys a Container App." - }, - "definitions": { - "ingressPortMappingType": { - "type": "object", - "properties": { - "exposedPort": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the exposed port for the target port. If not specified, it defaults to target port." - } - }, - "external": { - "type": "bool", - "metadata": { - "description": "Required. Specifies whether the app port is accessible outside of the environment." - } - }, - "targetPort": { - "type": "int", - "metadata": { - "description": "Required. Specifies the port the container listens on." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an ingress port mapping." - } - }, - "serviceBindingType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service." - } - }, - "serviceId": { - "type": "string", - "metadata": { - "description": "Required. The service ID." - } - } - }, - "metadata": { - "description": "The type for a service binding." - } - }, - "environmentVarType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Environment variable name." - } - }, - "secretRef": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the Container App secret from which to pull the environment variable value." - } - }, - "value": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Non-secret environment variable value." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an environment variable." - } - }, - "containerAppProbeType": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3." - } - }, - "httpGet": { - "$ref": "#/definitions/containerAppProbeHttpGetType", - "nullable": true, - "metadata": { - "description": "Optional. HTTPGet specifies the http request to perform." - } - }, - "initialDelaySeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 60, - "metadata": { - "description": "Optional. Number of seconds after the container has started before liveness probes are initiated." - } - }, - "periodSeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 240, - "metadata": { - "description": "Optional. How often (in seconds) to perform the probe. Default to 10 seconds." - } - }, - "successThreshold": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup." - } - }, - "tcpSocket": { - "$ref": "#/definitions/containerAppProbeTcpSocketType", - "nullable": true, - "metadata": { - "description": "Optional. The TCP socket specifies an action involving a TCP port. TCP hooks not yet supported." - } - }, - "terminationGracePeriodSeconds": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour)." - } - }, - "timeoutSeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 240, - "metadata": { - "description": "Optional. Number of seconds after which the probe times out. Defaults to 1 second." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Liveness", - "Readiness", - "Startup" - ], - "nullable": true, - "metadata": { - "description": "Optional. The type of probe." - } - } - }, - "metadata": { - "description": "The type for a container app probe." - } - }, - "corsPolicyType": { - "type": "object", - "properties": { - "allowCredentials": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Switch to determine whether the resource allows credentials." - } - }, - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-headers header." - } - }, - "allowedMethods": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-methods header." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-origins header." - } - }, - "exposeHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-expose-headers header." - } - }, - "maxAge": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-max-age header." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a CORS policy." - } - }, - "containerAppProbeHttpGetType": { - "type": "object", - "properties": { - "host": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Host name to connect to. Defaults to the pod IP." - } - }, - "httpHeaders": { - "type": "array", - "items": { - "$ref": "#/definitions/containerAppProbeHttpGetHeadersItemType" - }, - "nullable": true, - "metadata": { - "description": "Optional. HTTP headers to set in the request." - } - }, - "path": { - "type": "string", - "metadata": { - "description": "Required. Path to access on the HTTP server." - } - }, - "port": { - "type": "int", - "metadata": { - "description": "Required. Name or number of the port to access on the container." - } - }, - "scheme": { - "type": "string", - "allowedValues": [ - "HTTP", - "HTTPS" - ], - "nullable": true, - "metadata": { - "description": "Optional. Scheme to use for connecting to the host. Defaults to HTTP." - } - } - }, - "metadata": { - "description": "The type for a container app probe HTTP GET." - } - }, - "containerAppProbeHttpGetHeadersItemType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the header." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Value of the header." - } - } - }, - "metadata": { - "description": "The type for a container app probe HTTP GET header." - } - }, - "containerAppProbeTcpSocketType": { - "type": "object", - "properties": { - "host": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Host name to connect to, defaults to the pod IP." - } - }, - "port": { - "type": "int", - "minValue": 1, - "maxValue": 65535, - "metadata": { - "description": "Required. Number of the port to access on the container. Name must be an IANA_SVC_NAME." - } - } - }, - "metadata": { - "description": "The type for a container app probe TCP socket." - } - }, - "scaleType": { - "type": "object", - "properties": { - "maxReplicas": { - "type": "int", - "metadata": { - "description": "Required. The maximum number of replicas." - } - }, - "minReplicas": { - "type": "int", - "metadata": { - "description": "Required. The minimum number of replicas." - } - }, - "cooldownPeriod": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The cooldown period in seconds." - } - }, - "pollingInterval": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The polling interval in seconds." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/scaleRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The scaling rules." - } - } - }, - "metadata": { - "description": "The scale settings for the Container App." - } - }, - "scaleRuleType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the scaling rule." - } - }, - "custom": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The custom scaling rule." - } - }, - "azureQueue": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The Azure Queue based scaling rule." - } - }, - "http": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The HTTP requests based scaling rule." - } - }, - "tcp": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The TCP based scaling rule." - } - } - }, - "metadata": { - "description": "The scaling rules for the Container App." - } - }, - "volumeMountType": { - "type": "object", - "properties": { - "mountPath": { - "type": "string", - "metadata": { - "description": "Required. Path within the container at which the volume should be mounted.Must not contain ':'." - } - }, - "subPath": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root)." - } - }, - "volumeName": { - "type": "string", - "metadata": { - "description": "Required. This must match the Name of a Volume." - } - } - }, - "metadata": { - "description": "The type for a volume mount." - } - }, - "secretType": { - "type": "object", - "properties": { - "identity": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity." - } - }, - "keyVaultUrl": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Conditional. The URL of the Azure Key Vault secret referenced by the Container App. Required if `value` is null." - } - }, - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the container app secret." - } - }, - "value": { - "type": "securestring", - "nullable": true, - "metadata": { - "description": "Conditional. The container app secret value, if not fetched from the Key Vault. Required if `keyVaultUrl` is not null." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a secret." - } - }, - "authConfigType": { - "type": "object", - "properties": { - "encryptionSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/encryptionSettings" - }, - "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "globalValidation": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/globalValidation" - }, - "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." - }, - "nullable": true - }, - "httpSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/httpSettings" - }, - "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "identityProviders": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/identityProviders" - }, - "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "login": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/login" - }, - "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "platform": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/platform" - }, - "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the container app's authentication configuration." - } - }, - "diagnosticSettingMetricsOnlyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container App." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "defaultValue": "containerapps", - "allowedValues": [ - "containerapps", - "workflowapp", - "functionapp" - ], - "metadata": { - "description": "Optional. Metadata used to render different experiences for resources of the same type." - } - }, - "disableIngress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Bool to disable all ingress traffic for the container app." - } - }, - "ingressExternal": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Bool indicating if the App exposes an external HTTP endpoint." - } - }, - "clientCertificateMode": { - "type": "string", - "defaultValue": "ignore", - "allowedValues": [ - "accept", - "ignore", - "require" - ], - "metadata": { - "description": "Optional. Client certificate mode for mTLS." - } - }, - "corsPolicy": { - "$ref": "#/definitions/corsPolicyType", - "nullable": true, - "metadata": { - "description": "Optional. Object userd to configure CORS policy." - } - }, - "stickySessionsAffinity": { - "type": "string", - "defaultValue": "none", - "allowedValues": [ - "none", - "sticky" - ], - "metadata": { - "description": "Optional. Bool indicating if the Container App should enable session affinity." - } - }, - "ingressTransport": { - "type": "string", - "defaultValue": "auto", - "allowedValues": [ - "auto", - "http", - "http2", - "tcp" - ], - "metadata": { - "description": "Optional. Ingress transport protocol." - } - }, - "service": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/service" - }, - "description": "Optional. Dev ContainerApp service type." - }, - "nullable": true - }, - "includeAddOns": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Toggle to include the service configuration." - } - }, - "additionalPortMappings": { - "type": "array", - "items": { - "$ref": "#/definitions/ingressPortMappingType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Settings to expose additional ports on container app." - } - }, - "ingressAllowInsecure": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections." - } - }, - "ingressTargetPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. Target Port in containers for traffic from ingress." - } - }, - "scaleSettings": { - "$ref": "#/definitions/scaleType", - "defaultValue": { - "maxReplicas": 10, - "minReplicas": 3 - }, - "metadata": { - "description": "Optional. The scaling settings of the service." - } - }, - "serviceBinds": { - "type": "array", - "items": { - "$ref": "#/definitions/serviceBindingType" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of container app services bound to the app." - } - }, - "activeRevisionsMode": { - "type": "string", - "defaultValue": "Single", - "allowedValues": [ - "Multiple", - "Single" - ], - "metadata": { - "description": "Optional. Controls how active revisions are handled for the Container app." - } - }, - "environmentResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of environment." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "registries": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/registries" - }, - "description": "Optional. Collection of private container registry credentials for containers used by the Container app." - }, - "nullable": true - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "customDomains": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/customDomains" - }, - "description": "Optional. Custom domain bindings for Container App hostnames." - }, - "nullable": true - }, - "exposedPort": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Exposed Port in containers for TCP traffic from ingress." - } - }, - "ipSecurityRestrictions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/ipSecurityRestrictions" - }, - "description": "Optional. Rules to restrict incoming IP address." - }, - "nullable": true - }, - "traffic": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/traffic" - }, - "description": "Optional. Traffic weight configuration for routing traffic across revisions. Each entry specifies a revision (or latest) and its traffic percentage. Supports blue-green and canary deployment patterns." - }, - "nullable": true - }, - "dapr": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/dapr" - }, - "description": "Optional. Dapr configuration for the Container App." - }, - "nullable": true - }, - "identitySettings": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/identitySettings" - }, - "description": "Optional. Settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used." - }, - "nullable": true - }, - "maxInactiveRevisions": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Max inactive revisions a Container App can have." - } - }, - "runtime": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/runtime" - }, - "description": "Optional. Runtime configuration for the Container App." - }, - "nullable": true - }, - "containers": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/containers" - }, - "description": "Required. List of container definitions for the Container App." - } - }, - "terminationGracePeriodSeconds": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The termination grace period for the container app." - } - }, - "initContainersTemplate": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/initContainers" - }, - "description": "Optional. List of specialized containers that run before app containers." - }, - "nullable": true - }, - "secrets": { - "type": "array", - "items": { - "$ref": "#/definitions/secretType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The secrets of the Container App." - } - }, - "revisionSuffix": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User friendly suffix that is appended to the revision name." - } - }, - "volumes": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/volumes" - }, - "description": "Optional. List of volume definitions for the Container App." - }, - "nullable": true - }, - "workloadProfileName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Workload profile name to pin for container app execution." - } - }, - "authConfig": { - "$ref": "#/definitions/authConfigType", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Container App Auth configs." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(variables('formattedUserAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(variables('formattedUserAssignedIdentities'))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.app-containerapp.{0}.{1}', replace('0.22.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "containerApp": { - "type": "Microsoft.App/containerApps", - "apiVersion": "2026-01-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "properties": { - "environmentId": "[parameters('environmentResourceId')]", - "workloadProfileName": "[parameters('workloadProfileName')]", - "template": { - "containers": "[parameters('containers')]", - "terminationGracePeriodSeconds": "[parameters('terminationGracePeriodSeconds')]", - "initContainers": "[parameters('initContainersTemplate')]", - "revisionSuffix": "[parameters('revisionSuffix')]", - "scale": "[parameters('scaleSettings')]", - "serviceBinds": "[if(parameters('includeAddOns'), parameters('serviceBinds'), null())]", - "volumes": "[parameters('volumes')]" - }, - "configuration": { - "activeRevisionsMode": "[parameters('activeRevisionsMode')]", - "dapr": "[parameters('dapr')]", - "identitySettings": "[parameters('identitySettings')]", - "ingress": "[if(parameters('disableIngress'), null(), createObject('additionalPortMappings', parameters('additionalPortMappings'), 'allowInsecure', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('ingressAllowInsecure'), false()), 'customDomains', parameters('customDomains'), 'corsPolicy', if(and(not(equals(parameters('corsPolicy'), null())), not(equals(parameters('ingressTransport'), 'tcp'))), createObject('allowCredentials', coalesce(tryGet(parameters('corsPolicy'), 'allowCredentials'), false()), 'allowedHeaders', coalesce(tryGet(parameters('corsPolicy'), 'allowedHeaders'), createArray()), 'allowedMethods', coalesce(tryGet(parameters('corsPolicy'), 'allowedMethods'), createArray()), 'allowedOrigins', coalesce(tryGet(parameters('corsPolicy'), 'allowedOrigins'), createArray()), 'exposeHeaders', coalesce(tryGet(parameters('corsPolicy'), 'exposeHeaders'), createArray()), 'maxAge', tryGet(parameters('corsPolicy'), 'maxAge')), null()), 'clientCertificateMode', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('clientCertificateMode'), null()), 'exposedPort', parameters('exposedPort'), 'external', parameters('ingressExternal'), 'ipSecurityRestrictions', parameters('ipSecurityRestrictions'), 'targetPort', parameters('ingressTargetPort'), 'stickySessions', createObject('affinity', parameters('stickySessionsAffinity')), 'traffic', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('traffic'), null()), 'transport', parameters('ingressTransport')))]", - "service": "[if(parameters('includeAddOns'), parameters('service'), null())]", - "maxInactiveRevisions": "[parameters('maxInactiveRevisions')]", - "registries": "[parameters('registries')]", - "secrets": "[parameters('secrets')]", - "runtime": "[parameters('runtime')]" - } - } - }, - "containerApp_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerApp_roleAssignments": { - "copy": { - "name": "containerApp_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerApp_diagnosticSettings": { - "copy": { - "name": "containerApp_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerAppAuthConfigs": { - "condition": "[not(empty(parameters('authConfig')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-auth-config', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "containerAppName": { - "value": "[parameters('name')]" - }, - "encryptionSettings": { - "value": "[tryGet(parameters('authConfig'), 'encryptionSettings')]" - }, - "globalValidation": { - "value": "[tryGet(parameters('authConfig'), 'globalValidation')]" - }, - "httpSettings": { - "value": "[tryGet(parameters('authConfig'), 'httpSettings')]" - }, - "identityProviders": { - "value": "[tryGet(parameters('authConfig'), 'identityProviders')]" - }, - "login": { - "value": "[tryGet(parameters('authConfig'), 'login')]" - }, - "platform": { - "value": "[tryGet(parameters('authConfig'), 'platform')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.42.1.51946", - "templateHash": "12173377941230147433" - }, - "name": "Container App Auth Configs", - "description": "This module deploys Container App Auth Configs." - }, - "parameters": { - "containerAppName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Container App. Required if the template is used in a standalone deployment." - } - }, - "encryptionSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/encryptionSettings" - }, - "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "globalValidation": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/globalValidation" - }, - "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." - }, - "nullable": true - }, - "httpSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/httpSettings" - }, - "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "identityProviders": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/identityProviders" - }, - "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "login": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/login" - }, - "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "platform": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/platform" - }, - "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." - }, - "nullable": true - } - }, - "resources": { - "containerApp": { - "existing": true, - "type": "Microsoft.App/containerApps", - "apiVersion": "2026-01-01", - "name": "[parameters('containerAppName')]" - }, - "containerAppAuthConfigs": { - "type": "Microsoft.App/containerApps/authConfigs", - "apiVersion": "2026-01-01", - "name": "[format('{0}/{1}', parameters('containerAppName'), 'current')]", - "properties": { - "encryptionSettings": "[parameters('encryptionSettings')]", - "globalValidation": "[parameters('globalValidation')]", - "httpSettings": "[parameters('httpSettings')]", - "identityProviders": "[parameters('identityProviders')]", - "login": "[parameters('login')]", - "platform": "[parameters('platform')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the set of Container App Auth configs." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the set of Container App Auth configs." - }, - "value": "[resourceId('Microsoft.App/containerApps/authConfigs', parameters('containerAppName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group containing the set of Container App Auth configs." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "containerApp" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Container App." - }, - "value": "[resourceId('Microsoft.App/containerApps', parameters('name'))]" - }, - "fqdn": { - "type": "string", - "metadata": { - "description": "The configuration of ingress fqdn." - }, - "value": "[if(parameters('disableIngress'), 'IngressDisabled', reference('containerApp').configuration.ingress.fqdn)]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Container App was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Container App." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[tryGet(tryGet(reference('containerApp', '2026-01-01', 'full'), 'identity'), 'principalId')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('containerApp', '2026-01-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "aiFoundryAiServicesProject", - "applicationInsights", - "avmStorageAccount", - "containerAppEnvironment", - "containerAppMcp", - "existingAiFoundryAiServicesProject", - "searchServiceUpdate", - "userAssignedIdentity" - ] - }, - "containerAppMcp": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('avm.res.app.container-app.{0}', variables('containerAppMcpResourceName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('containerAppMcpResourceName')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" - }, - "environmentResourceId": { - "value": "[reference('containerAppEnvironment').outputs.resourceId.value]" - }, - "managedIdentities": { - "value": { - "userAssignedResourceIds": [ - "[reference('userAssignedIdentity').outputs.resourceId.value]" - ] - } - }, - "ingressTargetPort": { - "value": 9000 - }, - "ingressExternal": { - "value": true - }, - "activeRevisionsMode": { - "value": "Single" - }, - "ingressAllowInsecure": { - "value": false - }, - "corsPolicy": { - "value": { - "allowedOrigins": [ - "[format('https://{0}.azurewebsites.net', variables('webSiteResourceName'))]", - "[format('http://{0}.azurewebsites.net', variables('webSiteResourceName'))]" - ] - } - }, - "scaleSettings": { - "value": { - "maxReplicas": "[if(parameters('enableScalability'), 3, 1)]", - "minReplicas": "[if(parameters('enableScalability'), 1, 1)]", - "rules": [ - { - "name": "http-scaler", - "http": { - "metadata": { - "concurrentRequests": "100" - } - } - } - ] - } - }, - "containers": { - "value": [ - { - "name": "mcp", - "image": "[format('{0}/{1}:{2}', parameters('MCPContainerRegistryHostname'), parameters('MCPContainerImageName'), parameters('MCPContainerImageTag'))]", - "resources": { - "cpu": "2.0", - "memory": "4.0Gi" - }, - "env": [ - { - "name": "HOST", - "value": "0.0.0.0" - }, - { - "name": "PORT", - "value": "9000" - }, - { - "name": "DEBUG", - "value": "false" - }, - { - "name": "SERVER_NAME", - "value": "MacaeMcpServer" - }, - { - "name": "ENABLE_AUTH", - "value": "false" - }, - { - "name": "TENANT_ID", - "value": "[tenant().tenantId]" - }, - { - "name": "CLIENT_ID", - "value": "[reference('userAssignedIdentity').outputs.clientId.value]" - }, - { - "name": "JWKS_URI", - "value": "[format('https://login.microsoftonline.com/{0}/discovery/v2.0/keys', tenant().tenantId)]" - }, - { - "name": "ISSUER", - "value": "[format('https://sts.windows.net/{0}/', tenant().tenantId)]" - }, - { - "name": "AUDIENCE", - "value": "[format('api://{0}', reference('userAssignedIdentity').outputs.clientId.value)]" - }, - { - "name": "DATASET_PATH", - "value": "./datasets" - } - ] - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.42.1.51946", - "templateHash": "14994565436716579607" - }, - "name": "Container Apps", - "description": "This module deploys a Container App." - }, - "definitions": { - "ingressPortMappingType": { - "type": "object", - "properties": { - "exposedPort": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the exposed port for the target port. If not specified, it defaults to target port." - } - }, - "external": { - "type": "bool", - "metadata": { - "description": "Required. Specifies whether the app port is accessible outside of the environment." - } - }, - "targetPort": { - "type": "int", - "metadata": { - "description": "Required. Specifies the port the container listens on." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an ingress port mapping." - } - }, - "serviceBindingType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the service." - } - }, - "serviceId": { - "type": "string", - "metadata": { - "description": "Required. The service ID." - } - } - }, - "metadata": { - "description": "The type for a service binding." - } - }, - "environmentVarType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Environment variable name." - } - }, - "secretRef": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the Container App secret from which to pull the environment variable value." - } - }, - "value": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Non-secret environment variable value." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an environment variable." - } - }, - "containerAppProbeType": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3." - } - }, - "httpGet": { - "$ref": "#/definitions/containerAppProbeHttpGetType", - "nullable": true, - "metadata": { - "description": "Optional. HTTPGet specifies the http request to perform." - } - }, - "initialDelaySeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 60, - "metadata": { - "description": "Optional. Number of seconds after the container has started before liveness probes are initiated." - } - }, - "periodSeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 240, - "metadata": { - "description": "Optional. How often (in seconds) to perform the probe. Default to 10 seconds." - } - }, - "successThreshold": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup." - } - }, - "tcpSocket": { - "$ref": "#/definitions/containerAppProbeTcpSocketType", - "nullable": true, - "metadata": { - "description": "Optional. The TCP socket specifies an action involving a TCP port. TCP hooks not yet supported." - } - }, - "terminationGracePeriodSeconds": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour)." - } - }, - "timeoutSeconds": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 240, - "metadata": { - "description": "Optional. Number of seconds after which the probe times out. Defaults to 1 second." - } - }, - "type": { - "type": "string", - "allowedValues": [ - "Liveness", - "Readiness", - "Startup" - ], - "nullable": true, - "metadata": { - "description": "Optional. The type of probe." - } - } - }, - "metadata": { - "description": "The type for a container app probe." - } - }, - "corsPolicyType": { - "type": "object", - "properties": { - "allowCredentials": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Switch to determine whether the resource allows credentials." - } - }, - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-headers header." - } - }, - "allowedMethods": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-methods header." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-allow-origins header." - } - }, - "exposeHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-expose-headers header." - } - }, - "maxAge": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Specifies the content for the access-control-max-age header." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a CORS policy." - } - }, - "containerAppProbeHttpGetType": { - "type": "object", - "properties": { - "host": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Host name to connect to. Defaults to the pod IP." - } - }, - "httpHeaders": { - "type": "array", - "items": { - "$ref": "#/definitions/containerAppProbeHttpGetHeadersItemType" - }, - "nullable": true, - "metadata": { - "description": "Optional. HTTP headers to set in the request." - } - }, - "path": { - "type": "string", - "metadata": { - "description": "Required. Path to access on the HTTP server." - } - }, - "port": { - "type": "int", - "metadata": { - "description": "Required. Name or number of the port to access on the container." - } - }, - "scheme": { - "type": "string", - "allowedValues": [ - "HTTP", - "HTTPS" - ], - "nullable": true, - "metadata": { - "description": "Optional. Scheme to use for connecting to the host. Defaults to HTTP." - } - } - }, - "metadata": { - "description": "The type for a container app probe HTTP GET." - } - }, - "containerAppProbeHttpGetHeadersItemType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the header." - } - }, - "value": { - "type": "string", - "metadata": { - "description": "Required. Value of the header." - } - } - }, - "metadata": { - "description": "The type for a container app probe HTTP GET header." - } - }, - "containerAppProbeTcpSocketType": { - "type": "object", - "properties": { - "host": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Host name to connect to, defaults to the pod IP." - } - }, - "port": { - "type": "int", - "minValue": 1, - "maxValue": 65535, - "metadata": { - "description": "Required. Number of the port to access on the container. Name must be an IANA_SVC_NAME." - } - } - }, - "metadata": { - "description": "The type for a container app probe TCP socket." - } - }, - "scaleType": { - "type": "object", - "properties": { - "maxReplicas": { - "type": "int", - "metadata": { - "description": "Required. The maximum number of replicas." - } - }, - "minReplicas": { - "type": "int", - "metadata": { - "description": "Required. The minimum number of replicas." - } - }, - "cooldownPeriod": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The cooldown period in seconds." - } - }, - "pollingInterval": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The polling interval in seconds." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/scaleRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The scaling rules." - } - } - }, - "metadata": { - "description": "The scale settings for the Container App." - } - }, - "scaleRuleType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the scaling rule." - } - }, - "custom": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The custom scaling rule." - } - }, - "azureQueue": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The Azure Queue based scaling rule." - } - }, - "http": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The HTTP requests based scaling rule." - } - }, - "tcp": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. The TCP based scaling rule." - } - } - }, - "metadata": { - "description": "The scaling rules for the Container App." - } - }, - "volumeMountType": { - "type": "object", - "properties": { - "mountPath": { - "type": "string", - "metadata": { - "description": "Required. Path within the container at which the volume should be mounted.Must not contain ':'." - } - }, - "subPath": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root)." - } - }, - "volumeName": { - "type": "string", - "metadata": { - "description": "Required. This must match the Name of a Volume." - } - } - }, - "metadata": { - "description": "The type for a volume mount." - } - }, - "secretType": { - "type": "object", - "properties": { - "identity": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity." - } - }, - "keyVaultUrl": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Conditional. The URL of the Azure Key Vault secret referenced by the Container App. Required if `value` is null." - } - }, - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the container app secret." - } - }, - "value": { - "type": "securestring", - "nullable": true, - "metadata": { - "description": "Conditional. The container app secret value, if not fetched from the Key Vault. Required if `keyVaultUrl` is not null." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a secret." - } - }, - "authConfigType": { - "type": "object", - "properties": { - "encryptionSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/encryptionSettings" - }, - "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "globalValidation": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/globalValidation" - }, - "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." - }, - "nullable": true - }, - "httpSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/httpSettings" - }, - "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "identityProviders": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/identityProviders" - }, - "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "login": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/login" - }, - "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "platform": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/platform" - }, - "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." - }, - "nullable": true - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the container app's authentication configuration." - } - }, - "diagnosticSettingMetricsOnlyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the Container App." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "defaultValue": "containerapps", - "allowedValues": [ - "containerapps", - "workflowapp", - "functionapp" - ], - "metadata": { - "description": "Optional. Metadata used to render different experiences for resources of the same type." - } - }, - "disableIngress": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Bool to disable all ingress traffic for the container app." - } - }, - "ingressExternal": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Bool indicating if the App exposes an external HTTP endpoint." - } - }, - "clientCertificateMode": { - "type": "string", - "defaultValue": "ignore", - "allowedValues": [ - "accept", - "ignore", - "require" - ], - "metadata": { - "description": "Optional. Client certificate mode for mTLS." - } - }, - "corsPolicy": { - "$ref": "#/definitions/corsPolicyType", - "nullable": true, - "metadata": { - "description": "Optional. Object userd to configure CORS policy." - } - }, - "stickySessionsAffinity": { - "type": "string", - "defaultValue": "none", - "allowedValues": [ - "none", - "sticky" - ], - "metadata": { - "description": "Optional. Bool indicating if the Container App should enable session affinity." - } - }, - "ingressTransport": { - "type": "string", - "defaultValue": "auto", - "allowedValues": [ - "auto", - "http", - "http2", - "tcp" - ], - "metadata": { - "description": "Optional. Ingress transport protocol." - } - }, - "service": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/service" - }, - "description": "Optional. Dev ContainerApp service type." - }, - "nullable": true - }, - "includeAddOns": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Toggle to include the service configuration." - } - }, - "additionalPortMappings": { - "type": "array", - "items": { - "$ref": "#/definitions/ingressPortMappingType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Settings to expose additional ports on container app." - } - }, - "ingressAllowInsecure": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections." - } - }, - "ingressTargetPort": { - "type": "int", - "defaultValue": 80, - "metadata": { - "description": "Optional. Target Port in containers for traffic from ingress." - } - }, - "scaleSettings": { - "$ref": "#/definitions/scaleType", - "defaultValue": { - "maxReplicas": 10, - "minReplicas": 3 - }, - "metadata": { - "description": "Optional. The scaling settings of the service." - } - }, - "serviceBinds": { - "type": "array", - "items": { - "$ref": "#/definitions/serviceBindingType" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of container app services bound to the app." - } - }, - "activeRevisionsMode": { - "type": "string", - "defaultValue": "Single", - "allowedValues": [ - "Multiple", - "Single" - ], - "metadata": { - "description": "Optional. Controls how active revisions are handled for the Container app." - } - }, - "environmentResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of environment." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "registries": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/registries" - }, - "description": "Optional. Collection of private container registry credentials for containers used by the Container app." - }, - "nullable": true - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "customDomains": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/customDomains" - }, - "description": "Optional. Custom domain bindings for Container App hostnames." - }, - "nullable": true - }, - "exposedPort": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Exposed Port in containers for TCP traffic from ingress." - } - }, - "ipSecurityRestrictions": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/ipSecurityRestrictions" - }, - "description": "Optional. Rules to restrict incoming IP address." - }, - "nullable": true - }, - "traffic": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/ingress/properties/traffic" - }, - "description": "Optional. Traffic weight configuration for routing traffic across revisions. Each entry specifies a revision (or latest) and its traffic percentage. Supports blue-green and canary deployment patterns." - }, - "nullable": true - }, - "dapr": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/dapr" - }, - "description": "Optional. Dapr configuration for the Container App." - }, - "nullable": true - }, - "identitySettings": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/identitySettings" - }, - "description": "Optional. Settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used." - }, - "nullable": true - }, - "maxInactiveRevisions": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Optional. Max inactive revisions a Container App can have." - } - }, - "runtime": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/configuration/properties/runtime" - }, - "description": "Optional. Runtime configuration for the Container App." - }, - "nullable": true - }, - "containers": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/containers" - }, - "description": "Required. List of container definitions for the Container App." - } - }, - "terminationGracePeriodSeconds": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The termination grace period for the container app." - } - }, - "initContainersTemplate": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/initContainers" - }, - "description": "Optional. List of specialized containers that run before app containers." - }, - "nullable": true - }, - "secrets": { - "type": "array", - "items": { - "$ref": "#/definitions/secretType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The secrets of the Container App." - } - }, - "revisionSuffix": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User friendly suffix that is appended to the revision name." - } - }, - "volumes": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps@2026-01-01#properties/properties/properties/template/properties/volumes" - }, - "description": "Optional. List of volume definitions for the Container App." - }, - "nullable": true - }, - "workloadProfileName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Workload profile name to pin for container app execution." - } - }, - "authConfig": { - "$ref": "#/definitions/authConfigType", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Container App Auth configs." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(variables('formattedUserAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(variables('formattedUserAssignedIdentities'))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "ContainerApp Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.app-containerapp.{0}.{1}', replace('0.22.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "containerApp": { - "type": "Microsoft.App/containerApps", - "apiVersion": "2026-01-01", - "name": "[parameters('name')]", - "tags": "[parameters('tags')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "identity": "[variables('identity')]", - "properties": { - "environmentId": "[parameters('environmentResourceId')]", - "workloadProfileName": "[parameters('workloadProfileName')]", - "template": { - "containers": "[parameters('containers')]", - "terminationGracePeriodSeconds": "[parameters('terminationGracePeriodSeconds')]", - "initContainers": "[parameters('initContainersTemplate')]", - "revisionSuffix": "[parameters('revisionSuffix')]", - "scale": "[parameters('scaleSettings')]", - "serviceBinds": "[if(parameters('includeAddOns'), parameters('serviceBinds'), null())]", - "volumes": "[parameters('volumes')]" - }, - "configuration": { - "activeRevisionsMode": "[parameters('activeRevisionsMode')]", - "dapr": "[parameters('dapr')]", - "identitySettings": "[parameters('identitySettings')]", - "ingress": "[if(parameters('disableIngress'), null(), createObject('additionalPortMappings', parameters('additionalPortMappings'), 'allowInsecure', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('ingressAllowInsecure'), false()), 'customDomains', parameters('customDomains'), 'corsPolicy', if(and(not(equals(parameters('corsPolicy'), null())), not(equals(parameters('ingressTransport'), 'tcp'))), createObject('allowCredentials', coalesce(tryGet(parameters('corsPolicy'), 'allowCredentials'), false()), 'allowedHeaders', coalesce(tryGet(parameters('corsPolicy'), 'allowedHeaders'), createArray()), 'allowedMethods', coalesce(tryGet(parameters('corsPolicy'), 'allowedMethods'), createArray()), 'allowedOrigins', coalesce(tryGet(parameters('corsPolicy'), 'allowedOrigins'), createArray()), 'exposeHeaders', coalesce(tryGet(parameters('corsPolicy'), 'exposeHeaders'), createArray()), 'maxAge', tryGet(parameters('corsPolicy'), 'maxAge')), null()), 'clientCertificateMode', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('clientCertificateMode'), null()), 'exposedPort', parameters('exposedPort'), 'external', parameters('ingressExternal'), 'ipSecurityRestrictions', parameters('ipSecurityRestrictions'), 'targetPort', parameters('ingressTargetPort'), 'stickySessions', createObject('affinity', parameters('stickySessionsAffinity')), 'traffic', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('traffic'), null()), 'transport', parameters('ingressTransport')))]", - "service": "[if(parameters('includeAddOns'), parameters('service'), null())]", - "maxInactiveRevisions": "[parameters('maxInactiveRevisions')]", - "registries": "[parameters('registries')]", - "secrets": "[parameters('secrets')]", - "runtime": "[parameters('runtime')]" - } - } - }, - "containerApp_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerApp_roleAssignments": { - "copy": { - "name": "containerApp_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.App/containerApps', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerApp_diagnosticSettings": { - "copy": { - "name": "containerApp_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.App/containerApps', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "containerApp" - ] - }, - "containerAppAuthConfigs": { - "condition": "[not(empty(parameters('authConfig')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-auth-config', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "containerAppName": { - "value": "[parameters('name')]" - }, - "encryptionSettings": { - "value": "[tryGet(parameters('authConfig'), 'encryptionSettings')]" - }, - "globalValidation": { - "value": "[tryGet(parameters('authConfig'), 'globalValidation')]" - }, - "httpSettings": { - "value": "[tryGet(parameters('authConfig'), 'httpSettings')]" - }, - "identityProviders": { - "value": "[tryGet(parameters('authConfig'), 'identityProviders')]" - }, - "login": { - "value": "[tryGet(parameters('authConfig'), 'login')]" - }, - "platform": { - "value": "[tryGet(parameters('authConfig'), 'platform')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.42.1.51946", - "templateHash": "12173377941230147433" - }, - "name": "Container App Auth Configs", - "description": "This module deploys Container App Auth Configs." - }, - "parameters": { - "containerAppName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Container App. Required if the template is used in a standalone deployment." - } - }, - "encryptionSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/encryptionSettings" - }, - "description": "Optional. The configuration settings of the secrets references of encryption key and signing key for ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "globalValidation": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/globalValidation" - }, - "description": "Optional. The configuration settings that determines the validation flow of users using Service Authentication and/or Authorization." - }, - "nullable": true - }, - "httpSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/httpSettings" - }, - "description": "Optional. The configuration settings of the HTTP requests for authentication and authorization requests made against ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "identityProviders": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/identityProviders" - }, - "description": "Optional. The configuration settings of each of the identity providers used to configure ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "login": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/login" - }, - "description": "Optional. The configuration settings of the login flow of users using ContainerApp Service Authentication/Authorization." - }, - "nullable": true - }, - "platform": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.App/containerApps/authConfigs@2026-01-01#properties/properties/properties/platform" - }, - "description": "Optional. The configuration settings of the platform of ContainerApp Service Authentication/Authorization." - }, - "nullable": true - } - }, - "resources": { - "containerApp": { - "existing": true, - "type": "Microsoft.App/containerApps", - "apiVersion": "2026-01-01", - "name": "[parameters('containerAppName')]" - }, - "containerAppAuthConfigs": { - "type": "Microsoft.App/containerApps/authConfigs", - "apiVersion": "2026-01-01", - "name": "[format('{0}/{1}', parameters('containerAppName'), 'current')]", - "properties": { - "encryptionSettings": "[parameters('encryptionSettings')]", - "globalValidation": "[parameters('globalValidation')]", - "httpSettings": "[parameters('httpSettings')]", - "identityProviders": "[parameters('identityProviders')]", - "login": "[parameters('login')]", - "platform": "[parameters('platform')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the set of Container App Auth configs." - }, - "value": "current" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the set of Container App Auth configs." - }, - "value": "[resourceId('Microsoft.App/containerApps/authConfigs', parameters('containerAppName'), 'current')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group containing the set of Container App Auth configs." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "containerApp" - ] - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Container App." - }, - "value": "[resourceId('Microsoft.App/containerApps', parameters('name'))]" - }, - "fqdn": { - "type": "string", - "metadata": { - "description": "The configuration of ingress fqdn." - }, - "value": "[if(parameters('disableIngress'), 'IngressDisabled', reference('containerApp').configuration.ingress.fqdn)]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the Container App was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Container App." - }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[tryGet(tryGet(reference('containerApp', '2026-01-01', 'full'), 'identity'), 'principalId')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('containerApp', '2026-01-01', 'full').location]" - } - } - } - }, - "dependsOn": [ - "containerAppEnvironment", - "userAssignedIdentity" - ] - }, - "webServerFarm": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('avm.res.web.serverfarm.{0}', variables('webServerFarmResourceName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('webServerFarmResourceName')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "reserved": { - "value": true - }, - "kind": { - "value": "linux" - }, - "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]", - "skuName": "[if(or(parameters('enableScalability'), parameters('enableRedundancy')), createObject('value', 'P1v4'), createObject('value', 'B3'))]", - "skuCapacity": "[if(parameters('enableScalability'), createObject('value', 3), createObject('value', 1))]", - "zoneRedundant": "[if(parameters('enableRedundancy'), createObject('value', true()), createObject('value', false()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.40.2.10011", - "templateHash": "17925345736511474747" - }, - "name": "App Service Plan", - "description": "This module deploys an App Service Plan." - }, - "definitions": { - "diagnosticSettingMetricsOnlyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 60, - "metadata": { - "description": "Required. Name of the app service plan." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "skuName": { - "type": "string", - "defaultValue": "P1v3", - "metadata": { - "example": " 'F1'\n 'B1'\n 'P1v3'\n 'I1v2'\n 'FC1'\n ", - "description": "Optional. The name of the SKU will Determine the tier, size, family of the App Service Plan. This defaults to P1v3 to leverage availability zones." - } - }, - "skuCapacity": { - "type": "int", - "defaultValue": 3, - "metadata": { - "description": "Optional. Number of workers associated with the App Service Plan. This defaults to 3, to leverage availability zones." - } - }, - "kind": { - "type": "string", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/kind" - }, - "description": "Optional. Kind of server OS." - }, - "defaultValue": "app" - }, - "reserved": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/reserved" - }, - "description": "Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true." - }, - "defaultValue": "[equals(parameters('kind'), 'linux')]" - }, - "appServiceEnvironmentResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource ID of the App Service Environment to use for the App Service Plan." - } - }, - "workerTierName": { - "type": "string", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/workerTierName" - }, - "description": "Optional. Target worker tier assigned to the App Service plan." - }, - "nullable": true - }, - "perSiteScaling": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/perSiteScaling" - }, - "description": "Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan." - }, - "defaultValue": false - }, - "elasticScaleEnabled": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/elasticScaleEnabled" - }, - "description": "Optional. Enable/Disable ElasticScaleEnabled App Service Plan." - }, - "defaultValue": "[greater(parameters('maximumElasticWorkerCount'), 1)]" - }, - "maximumElasticWorkerCount": { - "type": "int", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/maximumElasticWorkerCount" - }, - "description": "Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan." - }, - "defaultValue": 1 - }, - "targetWorkerCount": { - "type": "int", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/targetWorkerCount" - }, - "description": "Optional. Scaling worker count." - }, - "defaultValue": 0 - }, - "targetWorkerSize": { - "type": "int", - "defaultValue": 0, - "allowedValues": [ - 0, - 1, - 2 - ], - "metadata": { - "description": "Optional. The instance size of the hosting plan (small, medium, or large)." - } - }, - "zoneRedundant": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/zoneRedundant" - }, - "description": "Optional. Zone Redundant server farms can only be used on Premium or ElasticPremium SKU tiers within ZRS Supported regions (https://learn.microsoft.com/en-us/azure/storage/common/redundancy-regions-zrs)." - }, - "defaultValue": "[if(or(startsWith(parameters('skuName'), 'P'), startsWith(parameters('skuName'), 'EP')), true(), false())]" - }, - "hyperV": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/hyperV" - }, - "description": "Optional. If Hyper-V container app service plan true, false otherwise." - }, - "nullable": true - }, - "virtualNetworkSubnetId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the subnet to integrate the App Service Plan with for VNet integration." - } - }, - "isCustomMode": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/isCustomMode" - }, - "description": "Optional. Set to true to enable Managed Instance custom mode. Required for App Service Managed Instance plans." - }, - "defaultValue": false - }, - "rdpEnabled": { - "type": "bool", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/rdpEnabled" - }, - "description": "Optional. Whether RDP is enabled for Managed Instance plans. Only applicable when isCustomMode is true. Requires a Bastion host deployed in the VNet." - }, - "nullable": true - }, - "installScripts": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/installScripts" - }, - "description": "Optional. A list of install scripts for Managed Instance plans. Only applicable when isCustomMode is true." - }, - "nullable": true - }, - "planDefaultIdentity": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/planDefaultIdentity" - }, - "description": "Optional. The default identity configuration for Managed Instance plans. Only applicable when isCustomMode is true." - }, - "nullable": true - }, - "registryAdapters": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/registryAdapters" - }, - "description": "Optional. A list of registry adapters for Managed Instance plans. Only applicable when isCustomMode is true." - }, - "nullable": true - }, - "storageMounts": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/properties/properties/storageMounts" - }, - "description": "Optional. A list of storage mounts for Managed Instance plans. Only applicable when isCustomMode is true." - }, - "nullable": true - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/serverfarms@2025-03-01#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" - }, - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.web-serverfarm.{0}.{1}', replace('0.7.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "appServicePlan": { - "type": "Microsoft.Web/serverfarms", - "apiVersion": "2025-03-01", - "name": "[parameters('name')]", - "kind": "[parameters('kind')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "sku": "[if(equals(parameters('skuName'), 'FC1'), createObject('name', parameters('skuName'), 'tier', 'FlexConsumption'), createObject('name', parameters('skuName'), 'capacity', parameters('skuCapacity')))]", - "properties": { - "workerTierName": "[parameters('workerTierName')]", - "hostingEnvironmentProfile": "[if(not(equals(parameters('appServiceEnvironmentResourceId'), null())), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", - "perSiteScaling": "[parameters('perSiteScaling')]", - "maximumElasticWorkerCount": "[parameters('maximumElasticWorkerCount')]", - "elasticScaleEnabled": "[parameters('elasticScaleEnabled')]", - "reserved": "[parameters('reserved')]", - "targetWorkerCount": "[parameters('targetWorkerCount')]", - "targetWorkerSizeId": "[parameters('targetWorkerSize')]", - "zoneRedundant": "[parameters('zoneRedundant')]", - "hyperV": "[parameters('hyperV')]", - "isCustomMode": "[parameters('isCustomMode')]", - "network": "[if(not(equals(parameters('virtualNetworkSubnetId'), null())), createObject('virtualNetworkSubnetId', parameters('virtualNetworkSubnetId')), null())]", - "rdpEnabled": "[if(parameters('isCustomMode'), parameters('rdpEnabled'), null())]", - "installScripts": "[if(parameters('isCustomMode'), parameters('installScripts'), null())]", - "planDefaultIdentity": "[if(parameters('isCustomMode'), parameters('planDefaultIdentity'), null())]", - "registryAdapters": "[if(parameters('isCustomMode'), parameters('registryAdapters'), null())]", - "storageMounts": "[if(parameters('isCustomMode'), parameters('storageMounts'), null())]" - } - }, - "appServicePlan_diagnosticSettings": { - "copy": { - "name": "appServicePlan_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "appServicePlan" - ] - }, - "appServicePlan_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "appServicePlan" - ] - }, - "appServicePlan_roleAssignments": { - "copy": { - "name": "appServicePlan_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "appServicePlan" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the app service plan was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the app service plan." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the app service plan." - }, - "value": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('appServicePlan', '2025-03-01', 'full').location]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[tryGet(tryGet(reference('appServicePlan', '2025-03-01', 'full'), 'identity'), 'principalId')]" - } - } - } - }, - "dependsOn": [ - "logAnalyticsWorkspace" - ] - }, - "webSite": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('module.web-sites.{0}', variables('webSiteResourceName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('webSiteResourceName')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "kind": { - "value": "app,linux,container" - }, - "serverFarmResourceId": { - "value": "[tryGet(reference('webServerFarm'), 'outputs', 'resourceId', 'value')]" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "siteConfig": { - "value": { - "linuxFxVersion": "[format('DOCKER|{0}/{1}:{2}', parameters('frontendContainerRegistryHostname'), parameters('frontendContainerImageName'), parameters('frontendContainerImageTag'))]", - "minTlsVersion": "1.2" - } - }, - "configs": { - "value": [ - { - "name": "appsettings", - "properties": { - "SCM_DO_BUILD_DURING_DEPLOYMENT": "true", - "DOCKER_REGISTRY_SERVER_URL": "[format('https://{0}', parameters('frontendContainerRegistryHostname'))]", - "WEBSITES_PORT": "3000", - "WEBSITES_CONTAINER_START_TIME_LIMIT": "1800", - "BACKEND_API_URL": "[format('https://{0}', reference('containerApp').outputs.fqdn.value)]", - "AUTH_ENABLED": "false", - "PROXY_API_REQUESTS": "[if(parameters('enablePrivateNetworking'), 'true', 'false')]" - }, - "applicationInsightResourceId": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.resourceId.value, null())]" - } - ] - }, - "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]", - "outboundVnetRouting": "[if(parameters('enablePrivateNetworking'), createObject('value', createObject('applicationTraffic', true(), 'imagePullTraffic', true())), createObject('value', null()))]", - "virtualNetworkSubnetId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference('virtualNetwork').outputs.webserverfarmSubnetResourceId.value), createObject('value', null()))]", - "publicNetworkAccess": { - "value": "Enabled" - }, - "e2eEncryptionEnabled": { - "value": true - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.44.1.10279", - "templateHash": "7693002176758630395" - } - }, - "definitions": { - "outboundVnetRoutingType": { - "type": "object", - "properties": { - "allTraffic": { - "type": "bool", - "nullable": true - }, - "applicationTraffic": { - "type": "bool", - "nullable": true - }, - "backupRestoreTraffic": { - "type": "bool", - "nullable": true - }, - "contentShareTraffic": { - "type": "bool", - "nullable": true - }, - "imagePullTraffic": { - "type": "bool", - "nullable": true - } - } - }, - "appSettingsConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "allowedValues": [ - "appsettings" - ], - "metadata": { - "description": "Required. The type of config." - } - }, - "storageAccountUseIdentityAuthentication": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If the provided storage account requires Identity based authentication ('allowSharedKeyAccess' is set to false). When set to true, the minimum role assignment required for the App Service Managed Identity to the storage account is 'Storage Blob Data Owner'." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "applicationInsightResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the application insight to leverage for this resource." - } - }, - "retainCurrentAppSettings": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The retain the current app settings. Defaults to true." - } - }, - "properties": { - "type": "object", - "properties": {}, - "additionalProperties": { - "type": "string", - "metadata": { - "description": "Required. An app settings key-value pair." - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of an app settings configuration." - } - }, - "_1.lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.privateEndpointCustomDnsConfigType": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. FQDN that resolves to private endpoint IP address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.privateEndpointIpConfigurationType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.privateEndpointPrivateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS Zone Group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - } - }, - "metadata": { - "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "_1.roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "privateEndpointSingleServiceType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private Endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the Private Endpoint to." - } - }, - "privateLinkServiceConnectionName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private link connection to create." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The subresource to deploy the Private Endpoint for. For example \"vault\" for a Key Vault Private Endpoint." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "resourceGroupResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used." - } - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS Zone Group to configure for the Private Endpoint." - } - }, - "isManualConnection": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If Manual Private Link Connection is required." - } - }, - "manualConnectionRequestMessage": { - "type": "string", - "nullable": true, - "maxLength": 140, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the Private Endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the Private Endpoint." - } - }, - "lock": { - "$ref": "#/definitions/_1.lockType", - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/_1.roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-07-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the site." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "functionapp", - "functionapp,linux", - "functionapp,workflowapp", - "functionapp,workflowapp,linux", - "functionapp,linux,container", - "functionapp,linux,container,azurecontainerapps", - "app,linux", - "app", - "linux,api", - "api", - "app,linux,container", - "app,container,windows" - ], - "metadata": { - "description": "Required. Type of site to deploy." - } - }, - "serverFarmResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the app service plan to use for the site." - } - }, - "managedEnvironmentId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Azure Resource Manager ID of the customers selected Managed Environment on which to host this app." - } - }, - "httpsOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests." - } - }, - "clientAffinityEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. If client affinity is enabled." - } - }, - "appServiceEnvironmentResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the app service environment to use for this resource." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "keyVaultAccessIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the assigned identity to be used to access a key vault with." - } - }, - "storageAccountRequired": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Checks if Customer provided storage account is required." - } - }, - "virtualNetworkSubnetId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}." - } - }, - "outboundVnetRouting": { - "$ref": "#/definitions/outboundVnetRoutingType", - "nullable": true, - "metadata": { - "description": "Optional. Configuration for outbound virtual network routing. Replaces the legacy vnetContentShareEnabled, vnetImagePullEnabled, and vnetRouteAllEnabled properties." - } - }, - "scmSiteAlsoStopped": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Stop SCM (KUDU) site when the app is stopped." - } - }, - "siteConfig": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/sites@2025-03-01#properties/properties/properties/siteConfig" - }, - "description": "Optional. The site config object. The defaults are set to the following values: alwaysOn: true, minTlsVersion: '1.2', ftpsState: 'FtpsOnly'." - }, - "defaultValue": { - "alwaysOn": true, - "minTlsVersion": "1.2", - "ftpsState": "FtpsOnly" - } - }, - "configs": { - "type": "array", - "items": { - "$ref": "#/definitions/appSettingsConfigType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The web site config." - } - }, - "functionAppConfig": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/sites@2025-03-01#properties/properties/properties/functionAppConfig" - }, - "description": "Optional. The Function App configuration object." - }, - "nullable": true - }, - "privateEndpoints": { - "type": "array", - "items": { - "$ref": "#/definitions/privateEndpointSingleServiceType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "clientCertEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. To enable client certificate authentication (TLS mutual authentication)." - } - }, - "clientCertExclusionPaths": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Client certificate authentication comma-separated exclusion paths." - } - }, - "clientCertMode": { - "type": "string", - "defaultValue": "Optional", - "allowedValues": [ - "Optional", - "OptionalInteractiveUser", - "Required" - ], - "metadata": { - "description": "Optional. This composes with ClientCertEnabled setting.\n- ClientCertEnabled=false means ClientCert is ignored.\n- ClientCertEnabled=true and ClientCertMode=Required means ClientCert is required.\n- ClientCertEnabled=true and ClientCertMode=Optional means ClientCert is optional or accepted.\n" - } - }, - "cloningInfo": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/sites@2025-03-01#properties/properties/properties/cloningInfo" - }, - "description": "Optional. If specified during app creation, the app is cloned from a source app." - }, - "nullable": true - }, - "containerSize": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Size of the function container." - } - }, - "dailyMemoryTimeQuota": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only)." - } - }, - "enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Setting this value to false disables the app (takes the app offline)." - } - }, - "hostNameSslStates": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/sites@2025-03-01#properties/properties/properties/hostNameSslStates" - }, - "description": "Optional. Hostname SSL states are used to manage the SSL bindings for app's hostnames." - }, - "nullable": true - }, - "hyperV": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Hyper-V sandbox." - } - }, - "redundancyMode": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "ActiveActive", - "Failover", - "GeoRedundant", - "Manual", - "None" - ], - "metadata": { - "description": "Optional. Site redundancy mode." - } - }, - "publicNetworkAccess": { - "type": "string", - "nullable": true, - "allowedValues": [ - "Enabled", - "Disabled" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." - } - }, - "e2eEncryptionEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. End to End Encryption Setting." - } - }, - "dnsConfiguration": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Web/sites@2025-03-01#properties/properties/properties/dnsConfiguration" - }, - "description": "Optional. Property to configure various DNS related settings for a site." - }, - "nullable": true - }, - "autoGeneratedDomainNameLabelScope": { - "type": "string", - "nullable": true, - "allowedValues": [ - "NoReuse", - "ResourceGroupReuse", - "SubscriptionReuse", - "TenantReuse" - ], - "metadata": { - "description": "Optional. Specifies the scope of uniqueness for the default hostname during resource creation." - } - } - }, - "variables": { - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" - }, - "resources": { - "app": { - "type": "Microsoft.Web/sites", - "apiVersion": "2025-03-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "kind": "[parameters('kind')]", - "tags": "[parameters('tags')]", - "identity": "[variables('identity')]", - "properties": { - "managedEnvironmentId": "[if(not(empty(parameters('managedEnvironmentId'))), parameters('managedEnvironmentId'), null())]", - "serverFarmId": "[parameters('serverFarmResourceId')]", - "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", - "httpsOnly": "[parameters('httpsOnly')]", - "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", - "storageAccountRequired": "[parameters('storageAccountRequired')]", - "keyVaultReferenceIdentity": "[parameters('keyVaultAccessIdentityResourceId')]", - "virtualNetworkSubnetId": "[parameters('virtualNetworkSubnetId')]", - "siteConfig": "[parameters('siteConfig')]", - "functionAppConfig": "[parameters('functionAppConfig')]", - "clientCertEnabled": "[parameters('clientCertEnabled')]", - "clientCertExclusionPaths": "[parameters('clientCertExclusionPaths')]", - "clientCertMode": "[parameters('clientCertMode')]", - "cloningInfo": "[parameters('cloningInfo')]", - "containerSize": "[parameters('containerSize')]", - "dailyMemoryTimeQuota": "[parameters('dailyMemoryTimeQuota')]", - "enabled": "[parameters('enabled')]", - "hostNameSslStates": "[parameters('hostNameSslStates')]", - "hyperV": "[parameters('hyperV')]", - "redundancyMode": "[parameters('redundancyMode')]", - "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", - "outboundVnetRouting": "[parameters('outboundVnetRouting')]", - "scmSiteAlsoStopped": "[parameters('scmSiteAlsoStopped')]", - "endToEndEncryptionEnabled": "[parameters('e2eEncryptionEnabled')]", - "dnsConfiguration": "[parameters('dnsConfiguration')]", - "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]" - } - }, - "app_diagnosticSettings": { - "copy": { - "name": "app_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Web/sites', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - }, - { - "name": "logs", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", - "input": { - "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", - "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "app" - ] - }, - "app_config": { - "copy": { - "name": "app_config", - "count": "[length(coalesce(parameters('configs'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Site-Config-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "appName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('configs'), createArray())[copyIndex()].name]" - }, - "applicationInsightResourceId": { - "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'applicationInsightResourceId')]" - }, - "storageAccountResourceId": { - "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'storageAccountResourceId')]" - }, - "storageAccountUseIdentityAuthentication": { - "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'storageAccountUseIdentityAuthentication')]" - }, - "properties": { - "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'properties')]" - }, - "currentAppSettings": "[if(and(coalesce(tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'retainCurrentAppSettings'), true()), equals(coalesce(parameters('configs'), createArray())[copyIndex()].name, 'appsettings')), createObject('value', list(format('{0}/config/appsettings', resourceId('Microsoft.Web/sites', parameters('name'))), '2025-03-01').properties), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.44.1.10279", - "templateHash": "16045336481224683590" - }, - "name": "Site App Settings", - "description": "This module deploys a Site App Setting." - }, - "parameters": { - "appName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "allowedValues": [ - "appsettings", - "authsettings", - "authsettingsV2", - "azurestorageaccounts", - "backup", - "connectionstrings", - "logs", - "metadata", - "pushsettings", - "slotConfigNames", - "web" - ], - "metadata": { - "description": "Required. The name of the config." - } - }, - "properties": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The properties of the config. Note: This parameter is highly dependent on the config type, defined by its name." - } - }, - "storageAccountUseIdentityAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If the provided storage account requires Identity based authentication ('allowSharedKeyAccess' is set to false). When set to true, the minimum role assignment required for the App Service Managed Identity to the storage account is 'Storage Blob Data Owner'." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." - } - }, - "applicationInsightResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the application insight to leverage for this resource." - } - }, - "currentAppSettings": { - "type": "object", - "properties": {}, - "additionalProperties": { - "type": "string", - "metadata": { - "description": "Required. The key-values pairs of the current app settings." - } - }, - "defaultValue": {}, - "metadata": { - "description": "Optional. The current app settings." - } - } - }, - "resources": { - "applicationInsights": { - "condition": "[not(empty(parameters('applicationInsightResourceId')))]", - "existing": true, - "type": "Microsoft.Insights/components", - "apiVersion": "2020-02-02", - "subscriptionId": "[split(parameters('applicationInsightResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('applicationInsightResourceId'), '/')[4]]", - "name": "[last(split(parameters('applicationInsightResourceId'), '/'))]" - }, - "storageAccount": { - "condition": "[not(empty(parameters('storageAccountResourceId')))]", - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-08-01", - "subscriptionId": "[split(parameters('storageAccountResourceId'), '/')[2]]", - "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", - "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" - }, - "app": { - "existing": true, - "type": "Microsoft.Web/sites", - "apiVersion": "2025-03-01", - "name": "[parameters('appName')]" - }, - "config": { - "type": "Microsoft.Web/sites/config", - "apiVersion": "2025-03-01", - "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", - "properties": "[union(parameters('currentAppSettings'), parameters('properties'), if(and(not(empty(parameters('storageAccountResourceId'))), not(parameters('storageAccountUseIdentityAuthentication'))), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', last(split(parameters('storageAccountResourceId'), '/')), listKeys('storageAccount', '2025-08-01').keys[0].value, environment().suffixes.storage)), if(and(not(empty(parameters('storageAccountResourceId'))), parameters('storageAccountUseIdentityAuthentication')), createObject('AzureWebJobsStorage__accountName', last(split(parameters('storageAccountResourceId'), '/')), 'AzureWebJobsStorage__blobServiceUri', reference('storageAccount').primaryEndpoints.blob, 'AzureWebJobsStorage__queueServiceUri', reference('storageAccount').primaryEndpoints.queue, 'AzureWebJobsStorage__tableServiceUri', reference('storageAccount').primaryEndpoints.table), createObject())), if(not(empty(parameters('applicationInsightResourceId'))), createObject('APPLICATIONINSIGHTS_CONNECTION_STRING', reference('applicationInsights').ConnectionString), createObject()))]", - "dependsOn": [ - "applicationInsights", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site config." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site config." - }, - "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site config was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "app" - ] - }, - "app_privateEndpoints": { - "copy": { - "name": "app_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" - }, - "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Web/sites', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')))))), createObject('value', null()))]", - "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Web/sites', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableTelemetry": { - "value": false - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), null())]" - }, - "privateDnsZoneGroup": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "18436885663402767850" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint." - }, - "definitions": { - "privateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "metadata": { - "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a private dns zone group." - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - }, - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - }, - "metadata": { - "description": "The type of a private DNS zone group configuration.", - "__bicep_imported_from!": { - "sourceTemplate": "private-dns-zone-group/main.bicep" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.7.0" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/ipConfigurations" - }, - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - }, - "nullable": true - }, - "ipVersionType": { - "type": "string", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/ipVersionType" - }, - "description": "Optional. Specifies the IP version type for the private IPs of the private endpoint. If not defined, this defaults to IPv4." - }, - "defaultValue": "IPv4" - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/privateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - }, - "nullable": true - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/customDnsConfigs" - }, - "description": "Optional. Custom DNS configurations." - }, - "nullable": true - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/manualPrivateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "privateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/privateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.12.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2025-05-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", - "subnet": { - "id": "[parameters('subnetResourceId')]" - }, - "ipVersionType": "[parameters('ipVersionType')]" - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[tryGet(parameters('privateDnsZoneGroup'), 'name')]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "privateDnsZoneConfigs": { - "value": "[parameters('privateDnsZoneGroup').privateDnsZoneGroupConfigs]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "9935179114830442414" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group." - }, - "definitions": { - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a private DNS zone group configuration." - } - } - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDnsZoneConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone configurations of the private DNS zone group. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - } - }, - "resources": { - "privateEndpoint": { - "existing": true, - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2025-05-01", - "name": "[parameters('privateEndpointName')]" - }, - "privateDnsZoneGroup": { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2025-05-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDnsZoneConfigs'))]", - "input": { - "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId, '/')))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId]" - } - } - } - ] - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2025-05-01', 'full').location]" - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2025-05-01#properties/properties/properties/customDnsConfigs", - "output": true - }, - "description": "The custom DNS configurations of the private endpoint." - }, - "value": "[reference('privateEndpoint').customDnsConfigs]" - }, - "networkInterfaceResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "The resource IDs of the network interfaces associated with the private endpoint." - }, - "value": "[map(reference('privateEndpoint').networkInterfaces, lambda('nic', lambdaVariables('nic').id))]" - }, - "groupId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The group Id for the private endpoint Group." - }, - "value": "[coalesce(tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'manualPrivateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0), tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'privateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0))]" - } - } - } - }, - "dependsOn": [ - "app" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the site." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the site." - }, - "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the site was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[tryGet(tryGet(reference('app', '2025-03-01', 'full'), 'identity'), 'principalId')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('app', '2025-03-01', 'full').location]" - }, - "defaultHostname": { - "type": "string", - "metadata": { - "description": "Default hostname of the app." - }, - "value": "[reference('app').defaultHostName]" - }, - "customDomainVerificationId": { - "type": "string", - "metadata": { - "description": "Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification." - }, - "value": "[reference('app').customDomainVerificationId]" - }, - "outboundIpAddresses": { - "type": "string", - "metadata": { - "description": "The outbound IP addresses of the app." - }, - "value": "[reference('app').outboundIpAddresses]" - } - } - } - }, - "dependsOn": [ - "applicationInsights", - "containerApp", - "logAnalyticsWorkspace", - "virtualNetwork", - "webServerFarm" - ] - }, - "avmStorageAccount": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('avm.res.storage.storage-account.{0}', variables('storageAccountName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[variables('storageAccountName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "minimumTlsVersion": { - "value": "TLS1_2" - }, - "enableTelemetry": { - "value": "[parameters('enableTelemetry')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "accessTier": { - "value": "Hot" - }, - "supportsHttpsTrafficOnly": { - "value": true - }, - "requireInfrastructureEncryption": { - "value": true - }, - "roleAssignments": { - "value": [ - { - "principalId": "[reference('userAssignedIdentity').outputs.principalId.value]", - "roleDefinitionIdOrName": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "principalType": "ServicePrincipal" - }, - { - "principalId": "[variables('deployingUserPrincipalId')]", - "roleDefinitionIdOrName": "ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "principalType": "[variables('deployerPrincipalType')]" - } - ] - }, - "networkAcls": { - "value": { - "bypass": "AzureServices", - "defaultAction": "[if(parameters('enablePrivateNetworking'), 'Deny', 'Allow')]" - } - }, - "allowBlobPublicAccess": { - "value": false - }, - "publicNetworkAccess": "[if(parameters('enablePrivateNetworking'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", - "privateEndpoints": "[if(parameters('enablePrivateNetworking'), createObject('value', createArray(createObject('name', format('pep-blob-{0}', variables('solutionSuffix')), 'customNetworkInterfaceName', format('nic-blob-{0}', variables('solutionSuffix')), 'privateDnsZoneGroup', createObject('privateDnsZoneGroupConfigs', createArray(createObject('name', 'storage-dns-zone-group-blob', 'privateDnsZoneResourceId', reference(format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').blob)).outputs.resourceId.value))), 'subnetResourceId', reference('virtualNetwork').outputs.backendSubnetResourceId.value, 'service', 'blob'))), createObject('value', createArray()))]", - "blobServices": { - "value": { - "automaticSnapshotPolicyEnabled": true, - "containerDeleteRetentionPolicyDays": 10, - "containerDeleteRetentionPolicyEnabled": true, - "containers": [ - { - "name": "[parameters('storageContainerNameRetailCustomer')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameRetailOrder')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameRFPSummary')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameRFPRisk')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameRFPCompliance')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameContractSummary')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameContractRisk')]", - "publicAccess": "None" - }, - { - "name": "[parameters('storageContainerNameContractCompliance')]", - "publicAccess": "None" - } - ], - "deleteRetentionPolicyDays": 9, - "deleteRetentionPolicyEnabled": true, - "lastAccessTimeTrackingPolicyEnabled": true - } - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "1254456195180100771" - }, - "name": "Storage Accounts", - "description": "This module deploys a Storage Account." - }, - "definitions": { - "privateEndpointOutputType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - } - }, - "groupId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The group Id for the private endpoint Group." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "FQDN that resolves to private endpoint IP address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "A list of private IP addresses of the private endpoint." - } - } - } - }, - "metadata": { - "description": "The custom DNS configurations of the private endpoint." - } - }, - "networkInterfaceResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "The IDs of the network interfaces associated with the private endpoint." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the private endpoints output." - } - }, - "networkAclsType": { - "type": "object", - "properties": { - "resourceAccessRules": { - "type": "array", - "items": { - "type": "object", - "properties": { - "tenantId": { - "type": "string", - "metadata": { - "description": "Required. The ID of the tenant in which the resource resides in." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the target service. Can also contain a wildcard, if multiple services e.g. in a resource group should be included." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Sets the resource access rules. Array entries must consist of \"tenantId\" and \"resourceId\" fields only." - } - }, - "bypass": { - "type": "string", - "allowedValues": [ - "AzureServices", - "AzureServices, Logging", - "AzureServices, Logging, Metrics", - "AzureServices, Metrics", - "Logging", - "Logging, Metrics", - "Metrics", - "None" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, \"Logging, Metrics\"), or None to bypass none of those traffics." - } - }, - "virtualNetworkRules": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Sets the virtual network rules." - } - }, - "ipRules": { - "type": "array", - "nullable": true, - "metadata": { - "description": "Optional. Sets the IP ACL rules." - } - }, - "defaultAction": { - "type": "string", - "allowedValues": [ - "Allow", - "Deny" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specifies the default action of allow or deny when no other rules match." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for the network configuration." - } - }, - "secretsExportConfigurationType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The key vault name where to store the keys and connection strings generated by the modules." - } - }, - "accessKey1Name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The accessKey1 secret name to create." - } - }, - "connectionString1Name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The connectionString1 secret name to create." - } - }, - "accessKey2Name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The accessKey2 secret name to create." - } - }, - "connectionString2Name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The connectionString2 secret name to create." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of the exported secrets." - } - }, - "localUserType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the local user used for SFTP Authentication." - } - }, - "hasSharedKey": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicates whether shared key exists. Set it to false to remove existing shared key." - } - }, - "hasSshKey": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH key exists. Set it to false to remove existing SSH key." - } - }, - "hasSshPassword": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH password exists. Set it to false to remove existing SSH password." - } - }, - "homeDirectory": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The local user home directory." - } - }, - "permissionScopes": { - "type": "array", - "items": { - "$ref": "#/definitions/permissionScopeType" - }, - "metadata": { - "description": "Required. The permission scopes of the local user." - } - }, - "sshAuthorizedKeys": { - "type": "array", - "items": { - "$ref": "#/definitions/sshAuthorizedKeyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The local user SSH authorized keys for SFTP." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a local user." - } - }, - "blobServiceType": { - "type": "object", - "properties": { - "automaticSnapshotPolicyEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Automatic Snapshot is enabled if set to true." - } - }, - "changeFeedEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service." - } - }, - "changeFeedRetentionInDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 146000, - "metadata": { - "description": "Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. If left blank, it indicates an infinite retention of the change feed." - } - }, - "containerDeleteRetentionPolicyEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled." - } - }, - "containerDeleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted item should be retained." - } - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/blobCorsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "defaultServiceVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions." - } - }, - "deleteRetentionPolicyEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The blob service properties for blob soft delete." - } - }, - "deleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted blob should be retained." - } - }, - "deleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "isVersioningEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Use versioning to automatically maintain previous versions of your blobs. Cannot be enabled for ADLS Gen2 storage accounts." - } - }, - "versionDeletePolicyDays": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. Number of days to keep a version before deleting. If set, a lifecycle management policy will be created to handle deleting previous versions." - } - }, - "lastAccessTimeTrackingPolicyEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled." - } - }, - "restorePolicyEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled." - } - }, - "restorePolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "metadata": { - "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." - } - }, - "containers": { - "type": "array", - "items": { - "$ref": "#/definitions/containerType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Blob containers to create." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a blob service." - } - }, - "fileServiceType": { - "type": "object", - "properties": { - "protocolSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/fileServices@2024-01-01#properties/properties/properties/protocolSettings" - }, - "description": "Optional. Protocol settings for file service." - }, - "nullable": true - }, - "shareDeleteRetentionPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/fileServices@2024-01-01#properties/properties/properties/shareDeleteRetentionPolicy" - }, - "description": "Optional. The service properties for soft delete." - }, - "nullable": true - }, - "shares": { - "type": "array", - "items": { - "$ref": "#/definitions/fileShareType" - }, - "nullable": true, - "metadata": { - "description": "Optional. File shares to create." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/fileCorsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a file service." - } - }, - "queueServiceType": { - "type": "object", - "properties": { - "queues": { - "type": "array", - "items": { - "$ref": "#/definitions/queueType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Queues to create." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/queueCorsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a queue service." - } - }, - "tableServiceType": { - "type": "object", - "properties": { - "tables": { - "type": "array", - "items": { - "$ref": "#/definitions/tableType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Tables to create." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/tableCorsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a table service." - } - }, - "objectReplicationPolicyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the object replication policy. If not provided, a GUID will be generated." - } - }, - "destinationStorageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the destination storage account." - } - }, - "enableMetrics": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Indicates whether metrics are enabled for the object replication policy." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/objectReplicationPolicyRuleType" - }, - "metadata": { - "description": "Required. The storage account object replication rules." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of an object replication policy." - } - }, - "_1.immutabilityPolicyType": { - "type": "object", - "properties": { - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. Defaults to false." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive. Defaults to false." - } - } - }, - "metadata": { - "description": "The type for an immutability policy.", - "__bicep_imported_from!": { - "sourceTemplate": "blob-service/container/main.bicep" - } - } - }, - "_2.privateEndpointCustomDnsConfigType": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. FQDN that resolves to private endpoint IP address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_2.privateEndpointIpConfigurationType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_2.privateEndpointPrivateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS Zone Group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - } - }, - "metadata": { - "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "_2.secretSetOutputType": { - "type": "object", - "properties": { - "secretResourceId": { - "type": "string", - "metadata": { - "description": "The resourceId of the exported secret." - } - }, - "secretUri": { - "type": "string", - "metadata": { - "description": "The secret URI of the exported secret." - } - }, - "secretUriWithVersion": { - "type": "string", - "metadata": { - "description": "The secret URI with version of the exported secret." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for the output of the secret set via the secrets export feature.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "blobCorsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "description": "The type for a cors rule.", - "__bicep_imported_from!": { - "sourceTemplate": "blob-service/main.bicep", - "originalIdentifier": "corsRuleType" - } - } - }, - "containerType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Storage Container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process." - } - }, - "immutabilityPolicy": { - "$ref": "#/definitions/_1.immutabilityPolicyType", - "nullable": true, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. A name-value pair to associate with the container as metadata." - }, - "nullable": true - }, - "publicAccess": { - "type": "string", - "allowedValues": [ - "Blob", - "Container", - "None" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "description": "The type of a storage container.", - "__bicep_imported_from!": { - "sourceTemplate": "blob-service/main.bicep" - } - } - }, - "customerManagedKeyWithAutoRotateType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting." - } - }, - "autoRotationEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a customer-managed key. To be used if the resource type supports auto-rotation of the customer-managed key.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "diagnosticSettingMetricsOnlyType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "fileCorsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "description": "The type for a cors rule.", - "__bicep_imported_from!": { - "sourceTemplate": "file-service/main.bicep", - "originalIdentifier": "corsRuleType" - } - } - }, - "fileShareType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share." - } - }, - "accessTier": { - "type": "string", - "allowedValues": [ - "Cool", - "Hot", - "Premium", - "TransactionOptimized" - ], - "nullable": true, - "metadata": { - "description": "Optional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool." - } - }, - "enabledProtocols": { - "type": "string", - "allowedValues": [ - "NFS", - "SMB" - ], - "nullable": true, - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - } - }, - "rootSquash": { - "type": "string", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "shareQuota": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "provisionedBandwidthMibps": { - "type": "int", - "nullable": true, - "maxValue": 10340, - "metadata": { - "description": "Optional. The provisioned bandwidth of the share, in mebibytes per second. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 10340." - } - }, - "provisionedIops": { - "type": "int", - "nullable": true, - "maxValue": 102400, - "metadata": { - "description": "Optional. The provisioned IOPS of the share. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 102400." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "description": "The type for a file share.", - "__bicep_imported_from!": { - "sourceTemplate": "file-service/main.bicep" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "managedIdentityAllType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "objectReplicationPolicyRuleType": { - "type": "object", - "properties": { - "ruleId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The ID of the rule. Auto-generated on destination account. Required for source account." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Required. The name of the source container." - } - }, - "destinationContainerName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the destination container. If not provided, the same name as the source container will be used." - } - }, - "filters": { - "type": "object", - "properties": { - "prefixMatch": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The prefix to match for the replication policy rule." - } - }, - "minCreationTime": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The minimum creation time to match for the replication policy rule." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The filters for the object replication policy rule." - } - } - }, - "metadata": { - "description": "The type of an object replication policy rule.", - "__bicep_imported_from!": { - "sourceTemplate": "object-replication-policy/policy/main.bicep" - } - } - }, - "permissionScopeType": { - "type": "object", - "properties": { - "permissions": { - "type": "string", - "metadata": { - "description": "Required. The permissions for the local user. Possible values include: Read (r), Write (w), Delete (d), List (l), and Create (c)." - } - }, - "resourceName": { - "type": "string", - "metadata": { - "description": "Required. The name of resource, normally the container name or the file share name, used by the local user." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service used by the local user, e.g. blob, file." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "local-user/main.bicep" - } - } - }, - "privateEndpointMultiServiceType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "privateLinkServiceConnectionName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private link connection to create." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The subresource to deploy the private endpoint for. For example \"blob\", \"table\", \"queue\" or \"file\" for a Storage Account's Private Endpoints." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "resourceGroupResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used." - } - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/_2.privateEndpointPrivateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } - }, - "isManualConnection": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If Manual Private Link Connection is required." - } - }, - "manualConnectionRequestMessage": { - "type": "string", - "nullable": true, - "maxLength": 140, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/_2.privateEndpointCustomDnsConfigType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "$ref": "#/definitions/_2.privateEndpointIpConfigurationType" - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-07-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can NOT be assumed (i.e., for services that have more than one subresource, like Storage Account with Blob (blob, table, queue, file, ...).", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "queueCorsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "description": "The type for a cors rule.", - "__bicep_imported_from!": { - "sourceTemplate": "queue-service/main.bicep", - "originalIdentifier": "corsRuleType" - } - } - }, - "queueType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the queue." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/queueServices/queues@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. Metadata to set on the queue." - }, - "nullable": true - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "description": "The type for a queue.", - "__bicep_imported_from!": { - "sourceTemplate": "queue-service/main.bicep" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "secretsOutputType": { - "type": "object", - "properties": {}, - "additionalProperties": { - "$ref": "#/definitions/_2.secretSetOutputType", - "metadata": { - "description": "An exported secret's references." - } - }, - "metadata": { - "description": "A map of the exported secrets", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "sshAuthorizedKeyType": { - "type": "object", - "properties": { - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Description used to store the function/usage of the key." - } - }, - "key": { - "type": "securestring", - "metadata": { - "description": "Required. SSH public key base64 encoded. The format should be: '{keyType} {keyData}', e.g. ssh-rsa AAAABBBB." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "local-user/main.bicep" - } - } - }, - "tableCorsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "description": "The type for a cors rule.", - "__bicep_imported_from!": { - "sourceTemplate": "table-service/main.bicep", - "originalIdentifier": "corsRuleType" - } - } - }, - "tableType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the table." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "description": "The type for a table.", - "__bicep_imported_from!": { - "sourceTemplate": "table-service/main.bicep" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. Name of the Storage Account. Must be lower-case." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "extendedLocationZone": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Extended Zone location (ex 'losangeles'). When supplied, the storage account will be created in the specified zone under the parent location. The extended zone must be available in the supplied parent location." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "kind": { - "type": "string", - "defaultValue": "StorageV2", - "allowedValues": [ - "Storage", - "StorageV2", - "BlobStorage", - "FileStorage", - "BlockBlobStorage" - ], - "metadata": { - "description": "Optional. Type of Storage Account to create." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard_GRS", - "allowedValues": [ - "Standard_LRS", - "Standard_ZRS", - "Standard_GRS", - "Standard_GZRS", - "Standard_RAGRS", - "Standard_RAGZRS", - "StandardV2_LRS", - "StandardV2_ZRS", - "StandardV2_GRS", - "StandardV2_GZRS", - "Premium_LRS", - "Premium_ZRS", - "PremiumV2_LRS", - "PremiumV2_ZRS" - ], - "metadata": { - "description": "Optional. Storage Account Sku Name - note: certain V2 SKUs require the use of: kind = FileStorage." - } - }, - "accessTier": { - "type": "string", - "defaultValue": "Hot", - "allowedValues": [ - "Premium", - "Hot", - "Cool", - "Cold" - ], - "metadata": { - "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." - } - }, - "largeFileSharesState": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "Enabled" - ], - "metadata": { - "description": "Optional. Allow large file shares if set to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." - } - }, - "azureFilesIdentityBasedAuthentication": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts@2025-01-01#properties/properties/properties/azureFilesIdentityBasedAuthentication" - }, - "description": "Optional. Provides the identity based authentication settings for Azure Files." - }, - "nullable": true - }, - "defaultToOAuthAuthentication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. A boolean flag which indicates whether the default authentication is OAuth or not." - } - }, - "allowSharedKeyAccess": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true." - } - }, - "privateEndpoints": { - "type": "array", - "items": { - "$ref": "#/definitions/privateEndpointMultiServiceType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." - } - }, - "managementPolicyRules": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/managementPolicies@2025-01-01#properties/properties/properties/policy/properties/rules" - }, - "description": "Optional. The Storage Account ManagementPolicies Rules." - }, - "nullable": true - }, - "networkAcls": { - "$ref": "#/definitions/networkAclsType", - "nullable": true, - "metadata": { - "description": "Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. If in use, bypass needs to be supplied. For security reasons, it is recommended to set the DefaultAction Deny." - } - }, - "requireInfrastructureEncryption": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true." - } - }, - "allowCrossTenantReplication": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Allow or disallow cross AAD tenant object replication." - } - }, - "customDomainName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Sets the custom domain name assigned to the storage account. Name is the CNAME source." - } - }, - "customDomainUseSubDomainName": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether indirect CName validation is enabled. This should only be set on updates." - } - }, - "dnsEndpointType": { - "type": "string", - "nullable": true, - "allowedValues": [ - "AzureDnsZone", - "Standard" - ], - "metadata": { - "description": "Optional. Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier." - } - }, - "blobServices": { - "$ref": "#/definitions/blobServiceType", - "defaultValue": "[if(not(equals(parameters('kind'), 'FileStorage')), createObject('containerDeleteRetentionPolicyEnabled', true(), 'containerDeleteRetentionPolicyDays', 7, 'deleteRetentionPolicyEnabled', true(), 'deleteRetentionPolicyDays', 6), createObject())]", - "metadata": { - "description": "Optional. Blob service and containers to deploy." - } - }, - "fileServices": { - "$ref": "#/definitions/fileServiceType", - "defaultValue": {}, - "metadata": { - "description": "Optional. File service and shares to deploy." - } - }, - "queueServices": { - "$ref": "#/definitions/queueServiceType", - "defaultValue": {}, - "metadata": { - "description": "Optional. Queue service and queues to create." - } - }, - "tableServices": { - "$ref": "#/definitions/tableServiceType", - "defaultValue": {}, - "metadata": { - "description": "Optional. Table service and tables to create." - } - }, - "allowBlobPublicAccess": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false." - } - }, - "minimumTlsVersion": { - "type": "string", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_3" - ], - "metadata": { - "description": "Optional. Set the minimum TLS version on request to storage. The TLS versions 1.0 and 1.1 are deprecated and not supported anymore." - } - }, - "enableHierarchicalNamespace": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Conditional. If true, enables Hierarchical Namespace for the storage account. Required if enableSftp or enableNfsV3 is set to true." - } - }, - "enableSftp": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true." - } - }, - "localUsers": { - "type": "array", - "items": { - "$ref": "#/definitions/localUserType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Local users to deploy for SFTP authentication." - } - }, - "isLocalUserEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enables local users feature, if set to true." - } - }, - "enableNfsV3": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts@2025-01-01#properties/tags" - }, - "description": "Optional. Tags of the resource." - }, - "nullable": true - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "allowedCopyScope": { - "type": "string", - "nullable": true, - "allowedValues": [ - "AAD", - "PrivateLink" - ], - "metadata": { - "description": "Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet." - } - }, - "publicNetworkAccess": { - "type": "string", - "nullable": true, - "allowedValues": [ - "Enabled", - "Disabled", - "SecuredByPerimeter" - ], - "metadata": { - "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set." - } - }, - "supportsHttpsTrafficOnly": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Allows HTTPS traffic only to storage service if sets to true." - } - }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyWithAutoRotateType", - "nullable": true, - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, - "sasExpirationPeriod": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The SAS expiration period. DD.HH:MM:SS." - } - }, - "sasExpirationAction": { - "type": "string", - "defaultValue": "Log", - "allowedValues": [ - "Block", - "Log" - ], - "metadata": { - "description": "Optional. The SAS expiration action. Allowed values are Block and Log." - } - }, - "keyType": { - "type": "string", - "nullable": true, - "allowedValues": [ - "Account", - "Service" - ], - "metadata": { - "description": "Optional. The keyType to use with Queue & Table services." - } - }, - "secretsExportConfiguration": { - "$ref": "#/definitions/secretsExportConfigurationType", - "nullable": true, - "metadata": { - "description": "Optional. Key vault reference and secret settings for the module's secrets export." - } - }, - "immutableStorageWithVersioning": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts@2025-01-01#properties/properties/properties/immutableStorageWithVersioning" - }, - "description": "Optional. The property is immutable and can only be set to true at the account creation time. When set to true, it enables object level immutability for all the new containers in the account by default. Cannot be enabled for ADLS Gen2 storage accounts." - }, - "nullable": true - }, - "objectReplicationPolicies": { - "type": "array", - "items": { - "$ref": "#/definitions/objectReplicationPolicyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Object replication policies for the storage account." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "enableReferencedModulesTelemetry": false, - "immutabilityValidation": "[if(and(equals(parameters('enableHierarchicalNamespace'), true()), not(empty(parameters('immutableStorageWithVersioning')))), fail('Configuration error: Immutable storage with versioning cannot be enabled when hierarchical namespace is enabled.'), null())]", - "supportsBlobService": "[or(or(or(equals(parameters('kind'), 'BlockBlobStorage'), equals(parameters('kind'), 'BlobStorage')), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "supportsFileService": "[or(or(equals(parameters('kind'), 'FileStorage'), equals(parameters('kind'), 'StorageV2')), equals(parameters('kind'), 'Storage'))]", - "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data Privileged Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69566ab7-960f-475b-8e7c-b3118f30c6bd')]", - "Storage File Data Privileged Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b8eda974-7b85-4f76-af95-65846b26df6d')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "formattedManagementPolicies": "[union(coalesce(parameters('managementPolicyRules'), createArray()), if(and(and(not(empty(parameters('blobServices'))), coalesce(tryGet(parameters('blobServices'), 'isVersioningEnabled'), false())), not(equals(tryGet(parameters('blobServices'), 'versionDeletePolicyDays'), null()))), createArray(createObject('name', 'DeletePreviousVersions (auto-created)', 'enabled', true(), 'type', 'Lifecycle', 'definition', createObject('actions', createObject('version', createObject('delete', createObject('daysAfterCreationGreaterThan', parameters('blobServices').versionDeletePolicyDays))), 'filters', createObject('blobTypes', createArray('blockBlob', 'appendBlob'))))), createArray()))]", - "isHSMManagedCMK": "[equals(tryGet(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), ''), '/'), 7), 'managedHSMs')]" - }, - "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(and(not(variables('isHSMManagedCMK')), not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2024-11-01", - "subscriptionId": "[split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/')), tryGet(parameters('customerManagedKey'), 'keyName'))]" - }, - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.storage-storageaccount.{0}.{1}', replace('0.32.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "cMKKeyVault": { - "condition": "[and(not(variables('isHSMManagedCMK')), not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2025-05-01", - "subscriptionId": "[split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/')[4]]", - "name": "[last(split(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '/'))]" - }, - "cMKUserAssignedIdentity": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", - "existing": true, - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2024-11-30", - "subscriptionId": "[split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/')[4]]", - "name": "[last(split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/'))]" - }, - "storageAccount": { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "extendedLocation": "[if(not(empty(parameters('extendedLocationZone'))), createObject('name', parameters('extendedLocationZone'), 'type', 'EdgeZone'), null())]", - "kind": "[parameters('kind')]", - "sku": { - "name": "[parameters('skuName')]" - }, - "identity": "[variables('identity')]", - "tags": "[parameters('tags')]", - "properties": "[shallowMerge(createArray(createObject('allowSharedKeyAccess', parameters('allowSharedKeyAccess'), 'defaultToOAuthAuthentication', parameters('defaultToOAuthAuthentication'), 'allowCrossTenantReplication', parameters('allowCrossTenantReplication'), 'allowedCopyScope', parameters('allowedCopyScope'), 'customDomain', createObject('name', parameters('customDomainName'), 'useSubDomainName', parameters('customDomainUseSubDomainName')), 'dnsEndpointType', parameters('dnsEndpointType'), 'isLocalUserEnabled', parameters('isLocalUserEnabled'), 'encryption', union(createObject('keySource', if(not(empty(parameters('customerManagedKey'))), 'Microsoft.Keyvault', 'Microsoft.Storage'), 'services', createObject('blob', if(variables('supportsBlobService'), createObject('enabled', true()), null()), 'file', if(variables('supportsFileService'), createObject('enabled', true()), null()), 'table', createObject('enabled', true(), 'keyType', parameters('keyType')), 'queue', createObject('enabled', true(), 'keyType', parameters('keyType'))), 'keyvaultproperties', if(not(empty(parameters('customerManagedKey'))), createObject('keyname', parameters('customerManagedKey').keyName, 'keyvaulturi', if(not(variables('isHSMManagedCMK')), reference('cMKKeyVault').vaultUri, format('https://{0}.managedhsm.azure.net/', last(split(parameters('customerManagedKey').keyVaultResourceId, '/')))), 'keyversion', if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVersion'))), parameters('customerManagedKey').keyVersion, if(coalesce(tryGet(parameters('customerManagedKey'), 'autoRotationEnabled'), true()), null(), if(not(variables('isHSMManagedCMK')), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/')), fail('Managed HSM CMK encryption requires either specifying the ''keyVersion'' or omitting the ''autoRotationEnabled'' property. Setting ''autoRotationEnabled'' to false without a ''keyVersion'' is not allowed.'))))), null()), 'identity', createObject('userAssignedIdentity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/')[2], split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '/'))), null()))), if(parameters('requireInfrastructureEncryption'), createObject('requireInfrastructureEncryption', if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())), createObject())), 'accessTier', if(and(not(equals(parameters('kind'), 'Storage')), not(equals(parameters('kind'), 'BlockBlobStorage'))), parameters('accessTier'), null()), 'sasPolicy', if(not(empty(parameters('sasExpirationPeriod'))), createObject('expirationAction', parameters('sasExpirationAction'), 'sasExpirationPeriod', parameters('sasExpirationPeriod')), null()), 'supportsHttpsTrafficOnly', parameters('supportsHttpsTrafficOnly'), 'isSftpEnabled', parameters('enableSftp'), 'isNfsV3Enabled', if(parameters('enableNfsV3'), parameters('enableNfsV3'), ''), 'largeFileSharesState', if(or(equals(parameters('skuName'), 'Standard_LRS'), equals(parameters('skuName'), 'Standard_ZRS')), parameters('largeFileSharesState'), null()), 'minimumTlsVersion', parameters('minimumTlsVersion'), 'networkAcls', if(not(empty(parameters('networkAcls'))), union(createObject('resourceAccessRules', tryGet(parameters('networkAcls'), 'resourceAccessRules'), 'defaultAction', coalesce(tryGet(parameters('networkAcls'), 'defaultAction'), 'Deny'), 'virtualNetworkRules', tryGet(parameters('networkAcls'), 'virtualNetworkRules'), 'ipRules', tryGet(parameters('networkAcls'), 'ipRules')), if(contains(parameters('networkAcls'), 'bypass'), createObject('bypass', tryGet(parameters('networkAcls'), 'bypass')), createObject())), createObject('bypass', 'AzureServices', 'defaultAction', 'Deny')), 'allowBlobPublicAccess', parameters('allowBlobPublicAccess'), 'publicNetworkAccess', if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(and(not(empty(parameters('privateEndpoints'))), empty(parameters('networkAcls'))), 'Disabled', null()))), if(not(empty(parameters('azureFilesIdentityBasedAuthentication'))), createObject('azureFilesIdentityBasedAuthentication', parameters('azureFilesIdentityBasedAuthentication')), createObject()), if(not(equals(parameters('enableHierarchicalNamespace'), null())), createObject('isHnsEnabled', parameters('enableHierarchicalNamespace')), createObject()), createObject('immutableStorageWithVersioning', parameters('immutableStorageWithVersioning'))))]", - "dependsOn": [ - "cMKKeyVault", - "cMKKeyVault::cMKKey" - ] - }, - "storageAccount_diagnosticSettings": { - "copy": { - "name": "storageAccount_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_roleAssignments": { - "copy": { - "name": "storageAccount_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_privateEndpoints": { - "copy": { - "name": "storageAccount_privateEndpoints", - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-sa-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "subscriptionId": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex()))]" - }, - "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Storage/storageAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service))))), createObject('value', null()))]", - "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '/')), coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service, copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Storage/storageAccounts', parameters('name')), 'groupIds', createArray(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].service), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", - "subnetResourceId": { - "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - }, - "location": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" - }, - "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" - }, - "privateDnsZoneGroup": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "tags": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'tags'), parameters('tags'))]" - }, - "customDnsConfigs": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customDnsConfigs')]" - }, - "ipConfigurations": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'ipConfigurations')]" - }, - "applicationSecurityGroupResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'applicationSecurityGroupResourceIds')]" - }, - "customNetworkInterfaceName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'customNetworkInterfaceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "16604612898799598358" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint." - }, - "definitions": { - "privateDnsZoneGroupType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "metadata": { - "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a private dns zone group." - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - }, - "metadata": { - "description": "The type of a private DNS zone group configuration.", - "__bicep_imported_from!": { - "sourceTemplate": "private-dns-zone-group/main.bicep" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/ipConfigurations" - }, - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - }, - "nullable": true - }, - "privateDnsZoneGroup": { - "$ref": "#/definitions/privateDnsZoneGroupType", - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, - "metadata": { - "description": "Optional. The lock settings of the service." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/tags" - }, - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - }, - "nullable": true - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs" - }, - "description": "Optional. Custom DNS configurations." - }, - "nullable": true - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/manualPrivateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "privateLinkServiceConnections": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/privateLinkServiceConnections" - }, - "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." - }, - "nullable": true - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.11.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "privateEndpoint": { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "copy": [ - { - "name": "applicationSecurityGroups", - "count": "[length(coalesce(parameters('applicationSecurityGroupResourceIds'), createArray()))]", - "input": { - "id": "[coalesce(parameters('applicationSecurityGroupResourceIds'), createArray())[copyIndex('applicationSecurityGroups')]]" - } - } - ], - "customDnsConfigs": "[coalesce(parameters('customDnsConfigs'), createArray())]", - "customNetworkInterfaceName": "[coalesce(parameters('customNetworkInterfaceName'), '')]", - "ipConfigurations": "[coalesce(parameters('ipConfigurations'), createArray())]", - "manualPrivateLinkServiceConnections": "[coalesce(parameters('manualPrivateLinkServiceConnections'), createArray())]", - "privateLinkServiceConnections": "[coalesce(parameters('privateLinkServiceConnections'), createArray())]", - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - "privateEndpoint_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_roleAssignments": { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "privateEndpoint" - ] - }, - "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[tryGet(parameters('privateDnsZoneGroup'), 'name')]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "privateDnsZoneConfigs": { - "value": "[parameters('privateDnsZoneGroup').privateDnsZoneGroupConfigs]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "24141742673128945" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group." - }, - "definitions": { - "privateDnsZoneGroupConfigType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a private DNS zone group configuration." - } - } - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDnsZoneConfigs": { - "type": "array", - "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" - }, - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone configurations of the private DNS zone group. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - } - }, - "resources": { - "privateEndpoint": { - "existing": true, - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", - "name": "[parameters('privateEndpointName')]" - }, - "privateDnsZoneGroup": { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2024-10-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDnsZoneConfigs'))]", - "input": { - "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId, '/')))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId]" - } - } - } - ] - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "privateEndpoint" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference('privateEndpoint', '2024-10-01', 'full').location]" - }, - "customDnsConfigs": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs", - "output": true - }, - "description": "The custom DNS configurations of the private endpoint." - }, - "value": "[reference('privateEndpoint').customDnsConfigs]" - }, - "networkInterfaceResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "The resource IDs of the network interfaces associated with the private endpoint." - }, - "value": "[map(reference('privateEndpoint').networkInterfaces, lambda('nic', lambdaVariables('nic').id))]" - }, - "groupId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "The group Id for the private endpoint Group." - }, - "value": "[coalesce(tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'manualPrivateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0), tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'privateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0))]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_managementPolicies": { - "condition": "[not(empty(coalesce(variables('formattedManagementPolicies'), createArray())))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-ManagementPolicies', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "rules": { - "value": "[variables('formattedManagementPolicies')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "4000605059554016072" - }, - "name": "Storage Account Management Policies", - "description": "This module deploys a Storage Account Management Policy." - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "rules": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/managementPolicies@2025-06-01#properties/properties/properties/policy/properties/rules" - }, - "description": "Required. The Storage Account ManagementPolicies Rules." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-mgmtpolicy.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]", - "properties": { - "policy": { - "rules": "[parameters('rules')]" - } - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed management policy." - }, - "value": "default" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed management policy." - }, - "value": "default" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed management policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount", - "storageAccount_blobServices" - ] - }, - "storageAccount_localUsers": { - "copy": { - "name": "storageAccount_localUsers", - "count": "[length(coalesce(parameters('localUsers'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-LocalUsers-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('localUsers'), createArray())[copyIndex()].name]" - }, - "hasSshKey": { - "value": "[coalesce(parameters('localUsers'), createArray())[copyIndex()].hasSshKey]" - }, - "hasSshPassword": { - "value": "[coalesce(parameters('localUsers'), createArray())[copyIndex()].hasSshPassword]" - }, - "permissionScopes": { - "value": "[coalesce(parameters('localUsers'), createArray())[copyIndex()].permissionScopes]" - }, - "hasSharedKey": { - "value": "[tryGet(coalesce(parameters('localUsers'), createArray())[copyIndex()], 'hasSharedKey')]" - }, - "homeDirectory": { - "value": "[tryGet(coalesce(parameters('localUsers'), createArray())[copyIndex()], 'homeDirectory')]" - }, - "sshAuthorizedKeys": { - "value": "[tryGet(coalesce(parameters('localUsers'), createArray())[copyIndex()], 'sshAuthorizedKeys')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "1801226901235196767" - }, - "name": "Storage Account Local Users", - "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication." - }, - "definitions": { - "sshAuthorizedKeyType": { - "type": "object", - "properties": { - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Description used to store the function/usage of the key." - } - }, - "key": { - "type": "securestring", - "metadata": { - "description": "Required. SSH public key base64 encoded. The format should be: '{keyType} {keyData}', e.g. ssh-rsa AAAABBBB." - } - } - }, - "metadata": { - "__bicep_export!": true - } - }, - "permissionScopeType": { - "type": "object", - "properties": { - "permissions": { - "type": "string", - "metadata": { - "description": "Required. The permissions for the local user. Possible values include: Read (r), Write (w), Delete (d), List (l), and Create (c)." - } - }, - "resourceName": { - "type": "string", - "metadata": { - "description": "Required. The name of resource, normally the container name or the file share name, used by the local user." - } - }, - "service": { - "type": "string", - "metadata": { - "description": "Required. The service used by the local user, e.g. blob, file." - } - } - }, - "metadata": { - "__bicep_export!": true - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the local user used for SFTP Authentication." - } - }, - "hasSharedKey": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Indicates whether shared key exists. Set it to false to remove existing shared key." - } - }, - "hasSshKey": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH key exists. Set it to false to remove existing SSH key." - } - }, - "hasSshPassword": { - "type": "bool", - "metadata": { - "description": "Required. Indicates whether SSH password exists. Set it to false to remove existing SSH password." - } - }, - "homeDirectory": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The local user home directory." - } - }, - "permissionScopes": { - "type": "array", - "items": { - "$ref": "#/definitions/permissionScopeType" - }, - "metadata": { - "description": "Required. The permission scopes of the local user." - } - }, - "sshAuthorizedKeys": { - "type": "array", - "items": { - "$ref": "#/definitions/sshAuthorizedKeyType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The local user SSH authorized keys for SFTP." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-localuser.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "localUsers": { - "type": "Microsoft.Storage/storageAccounts/localUsers", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "hasSharedKey": "[parameters('hasSharedKey')]", - "hasSshKey": "[parameters('hasSshKey')]", - "hasSshPassword": "[parameters('hasSshPassword')]", - "homeDirectory": "[parameters('homeDirectory')]", - "permissionScopes": "[parameters('permissionScopes')]", - "sshAuthorizedKeys": "[parameters('sshAuthorizedKeys')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed local user." - }, - "value": "[parameters('name')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed local user." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed local user." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/localUsers', parameters('storageAccountName'), parameters('name'))]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_blobServices": { - "condition": "[not(empty(parameters('blobServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-BlobServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "containers": { - "value": "[tryGet(parameters('blobServices'), 'containers')]" - }, - "automaticSnapshotPolicyEnabled": { - "value": "[tryGet(parameters('blobServices'), 'automaticSnapshotPolicyEnabled')]" - }, - "changeFeedEnabled": { - "value": "[tryGet(parameters('blobServices'), 'changeFeedEnabled')]" - }, - "changeFeedRetentionInDays": { - "value": "[tryGet(parameters('blobServices'), 'changeFeedRetentionInDays')]" - }, - "containerDeleteRetentionPolicyEnabled": { - "value": "[tryGet(parameters('blobServices'), 'containerDeleteRetentionPolicyEnabled')]" - }, - "containerDeleteRetentionPolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'containerDeleteRetentionPolicyDays')]" - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": { - "value": "[tryGet(parameters('blobServices'), 'containerDeleteRetentionPolicyAllowPermanentDelete')]" - }, - "corsRules": { - "value": "[tryGet(parameters('blobServices'), 'corsRules')]" - }, - "defaultServiceVersion": { - "value": "[tryGet(parameters('blobServices'), 'defaultServiceVersion')]" - }, - "deleteRetentionPolicyAllowPermanentDelete": { - "value": "[tryGet(parameters('blobServices'), 'deleteRetentionPolicyAllowPermanentDelete')]" - }, - "deleteRetentionPolicyEnabled": { - "value": "[tryGet(parameters('blobServices'), 'deleteRetentionPolicyEnabled')]" - }, - "deleteRetentionPolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'deleteRetentionPolicyDays')]" - }, - "isVersioningEnabled": { - "value": "[tryGet(parameters('blobServices'), 'isVersioningEnabled')]" - }, - "lastAccessTimeTrackingPolicyEnabled": { - "value": "[tryGet(parameters('blobServices'), 'lastAccessTimeTrackingPolicyEnabled')]" - }, - "restorePolicyEnabled": { - "value": "[tryGet(parameters('blobServices'), 'restorePolicyEnabled')]" - }, - "restorePolicyDays": { - "value": "[tryGet(parameters('blobServices'), 'restorePolicyDays')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('blobServices'), 'diagnosticSettings')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "468225492069709453" - }, - "name": "Storage Account blob Services", - "description": "This module deploys a Storage Account Blob Service." - }, - "definitions": { - "corsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a cors rule." - } - }, - "containerType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Storage Container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process." - } - }, - "immutabilityPolicy": { - "$ref": "#/definitions/immutabilityPolicyType", - "nullable": true, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. A name-value pair to associate with the container as metadata." - }, - "nullable": true - }, - "publicAccess": { - "type": "string", - "allowedValues": [ - "Blob", - "Container", - "None" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of a storage container." - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "immutabilityPolicyType": { - "type": "object", - "properties": { - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. Defaults to false." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive. Defaults to false." - } - } - }, - "metadata": { - "description": "The type for an immutability policy.", - "__bicep_imported_from!": { - "sourceTemplate": "container/main.bicep" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "automaticSnapshotPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Automatic Snapshot is enabled if set to true." - } - }, - "changeFeedEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The blob service properties for change feed events. Indicates whether change feed event logging is enabled for the Blob service." - } - }, - "changeFeedRetentionInDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 146000, - "metadata": { - "description": "Optional. Indicates whether change feed event logging is enabled for the Blob service. Indicates the duration of changeFeed retention in days. If left blank, it indicates an infinite retention of the change feed." - } - }, - "containerDeleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for container soft delete. Indicates whether DeleteRetentionPolicy is enabled." - } - }, - "containerDeleteRetentionPolicyDays": { - "type": "int", - "nullable": true, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted item should be retained." - } - }, - "containerDeleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/corsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "defaultServiceVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Indicates the default version to use for requests to the Blob service if an incoming request's version is not specified. Possible values include version 2008-10-27 and all more recent versions." - } - }, - "deleteRetentionPolicyEnabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. The blob service properties for blob soft delete." - } - }, - "deleteRetentionPolicyDays": { - "type": "int", - "defaultValue": 7, - "minValue": 1, - "maxValue": 365, - "metadata": { - "description": "Optional. Indicates the number of days that the deleted blob should be retained." - } - }, - "deleteRetentionPolicyAllowPermanentDelete": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used with blob restore policy. This property only applies to blob service and does not apply to containers or file share." - } - }, - "isVersioningEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Use versioning to automatically maintain previous versions of your blobs. Cannot be enabled for ADLS Gen2 storage accounts." - } - }, - "lastAccessTimeTrackingPolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The blob service property to configure last access time based tracking policy. When set to true last access time based tracking is enabled." - } - }, - "restorePolicyEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. The blob service properties for blob restore policy. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled." - } - }, - "restorePolicyDays": { - "type": "int", - "defaultValue": 7, - "minValue": 1, - "metadata": { - "description": "Optional. How long this blob can be restored. It should be less than DeleteRetentionPolicy days." - } - }, - "containers": { - "type": "array", - "items": { - "$ref": "#/definitions/containerType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Blob containers to create." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false, - "name": "default" - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "blobServices": { - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": { - "automaticSnapshotPolicyEnabled": "[parameters('automaticSnapshotPolicyEnabled')]", - "changeFeed": "[if(parameters('changeFeedEnabled'), createObject('enabled', true(), 'retentionInDays', parameters('changeFeedRetentionInDays')), null())]", - "containerDeleteRetentionPolicy": { - "enabled": "[parameters('containerDeleteRetentionPolicyEnabled')]", - "days": "[parameters('containerDeleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(equals(parameters('containerDeleteRetentionPolicyEnabled'), true()), parameters('containerDeleteRetentionPolicyAllowPermanentDelete'), null())]" - }, - "cors": "[if(not(equals(parameters('corsRules'), null())), createObject('corsRules', parameters('corsRules')), null())]", - "defaultServiceVersion": "[parameters('defaultServiceVersion')]", - "deleteRetentionPolicy": { - "enabled": "[parameters('deleteRetentionPolicyEnabled')]", - "days": "[parameters('deleteRetentionPolicyDays')]", - "allowPermanentDelete": "[if(and(parameters('deleteRetentionPolicyEnabled'), parameters('deleteRetentionPolicyAllowPermanentDelete')), true(), null())]" - }, - "isVersioningEnabled": "[parameters('isVersioningEnabled')]", - "lastAccessTimeTrackingPolicy": "[if(and(not(equals(reference('storageAccount', '2025-01-01', 'full').kind, 'Storage')), empty(tryGet(reference('storageAccount', '2025-01-01', 'full'), 'extendedLocation'))), createObject('enable', parameters('lastAccessTimeTrackingPolicyEnabled'), 'name', if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 'AccessTimeTracking', null()), 'trackingGranularityInDays', if(equals(parameters('lastAccessTimeTrackingPolicyEnabled'), true()), 1, null())), null())]", - "restorePolicy": "[if(parameters('restorePolicyEnabled'), createObject('enabled', true(), 'days', parameters('restorePolicyDays')), null())]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "blobServices_diagnosticSettings": { - "copy": { - "name": "blobServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - }, - { - "name": "logs", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", - "input": { - "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", - "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "blobServices" - ] - }, - "blobServices_container": { - "copy": { - "name": "blobServices_container", - "count": "[length(coalesce(parameters('containers'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Container-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "blobServiceName": { - "value": "[variables('name')]" - }, - "name": { - "value": "[coalesce(parameters('containers'), createArray())[copyIndex()].name]" - }, - "defaultEncryptionScope": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'defaultEncryptionScope')]" - }, - "denyEncryptionScopeOverride": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'denyEncryptionScopeOverride')]" - }, - "enableNfsV3AllSquash": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'enableNfsV3AllSquash')]" - }, - "enableNfsV3RootSquash": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'enableNfsV3RootSquash')]" - }, - "immutableStorageWithVersioningEnabled": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'immutableStorageWithVersioningEnabled')]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'metadata')]" - }, - "publicAccess": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'publicAccess')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "immutabilityPolicy": { - "value": "[tryGet(coalesce(parameters('containers'), createArray())[copyIndex()], 'immutabilityPolicy')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "273904034769611992" - }, - "name": "Storage Account Blob Containers", - "description": "This module deploys a Storage Account Blob Container." - }, - "definitions": { - "immutabilityPolicyType": { - "type": "object", - "properties": { - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. Defaults to false." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive. Defaults to false." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for an immutability policy." - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "blobServiceName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the parent Blob Service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the Storage Container to deploy." - } - }, - "defaultEncryptionScope": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Default the container to use specified encryption scope for all writes." - } - }, - "denyEncryptionScopeOverride": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Block override of encryption scope from the container default." - } - }, - "enableNfsV3AllSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 all squash on blob container." - } - }, - "enableNfsV3RootSquash": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable NFSv3 root squash on blob container." - } - }, - "immutableStorageWithVersioningEnabled": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This is an immutable property, when set to true it enables object level immutability at the container level. The property is immutable and can only be set to true at the container creation time. Existing containers must undergo a migration process." - } - }, - "immutabilityPolicy": { - "$ref": "#/definitions/immutabilityPolicyType", - "nullable": true, - "metadata": { - "description": "Optional. Configure immutability policy." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. A name-value pair to associate with the container as metadata." - }, - "defaultValue": {} - }, - "publicAccess": { - "type": "string", - "defaultValue": "None", - "allowedValues": [ - "Container", - "Blob", - "None" - ], - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - }, - "enableReferencedModulesTelemetry": false - }, - "resources": { - "storageAccount::blobServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('blobServiceName'))]" - }, - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-blobcontainer.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "container": { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('blobServiceName'), parameters('name'))]", - "properties": { - "defaultEncryptionScope": "[parameters('defaultEncryptionScope')]", - "denyEncryptionScopeOverride": "[parameters('denyEncryptionScopeOverride')]", - "enableNfsV3AllSquash": "[if(equals(parameters('enableNfsV3AllSquash'), true()), parameters('enableNfsV3AllSquash'), null())]", - "enableNfsV3RootSquash": "[if(equals(parameters('enableNfsV3RootSquash'), true()), parameters('enableNfsV3RootSquash'), null())]", - "immutableStorageWithVersioning": "[if(parameters('immutableStorageWithVersioningEnabled'), createObject('enabled', parameters('immutableStorageWithVersioningEnabled')), null())]", - "metadata": "[parameters('metadata')]", - "publicAccess": "[parameters('publicAccess')]" - } - }, - "container_roleAssignments": { - "copy": { - "name": "container_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), parameters('blobServiceName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), parameters('blobServiceName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "container" - ] - }, - "container_immutabilityPolicy": { - "condition": "[not(empty(coalesce(parameters('immutabilityPolicy'), createObject())))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('{0}-ImmutPol', deployment().name), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "containerName": { - "value": "[parameters('name')]" - }, - "immutabilityPeriodSinceCreationInDays": { - "value": "[tryGet(parameters('immutabilityPolicy'), 'immutabilityPeriodSinceCreationInDays')]" - }, - "allowProtectedAppendWrites": { - "value": "[tryGet(parameters('immutabilityPolicy'), 'allowProtectedAppendWrites')]" - }, - "allowProtectedAppendWritesAll": { - "value": "[tryGet(parameters('immutabilityPolicy'), 'allowProtectedAppendWritesAll')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "15304742179563677019" - }, - "name": "Storage Account Blob Container Immutability Policies", - "description": "This module deploys a Storage Account Blob Container Immutability Policy." - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent container to apply the policy to. Required if the template is used in a standalone deployment." - } - }, - "immutabilityPeriodSinceCreationInDays": { - "type": "int", - "defaultValue": 365, - "metadata": { - "description": "Optional. The immutability period for the blobs in the container since the policy creation, in days." - } - }, - "allowProtectedAppendWrites": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive. Defaults to false." - } - }, - "allowProtectedAppendWritesAll": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. This property can only be changed for unlocked time-based retention policies. When enabled, new blocks can be written to both \"Append and Block Blobs\" while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted. This property cannot be changed with ExtendImmutabilityPolicy API. The \"allowProtectedAppendWrites\" and \"allowProtectedAppendWritesAll\" properties are mutually exclusive. Defaults to false." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "resources": [ - { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-containerimmutpolicy.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]", - "properties": { - "immutabilityPeriodSinceCreationInDays": "[parameters('immutabilityPeriodSinceCreationInDays')]", - "allowProtectedAppendWrites": "[parameters('allowProtectedAppendWrites')]", - "allowProtectedAppendWritesAll": "[parameters('allowProtectedAppendWritesAll')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed immutability policy." - }, - "value": "default" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed immutability policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies', parameters('storageAccountName'), 'default', parameters('containerName'), 'default')]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed immutability policy." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "container" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed container." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed container." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), parameters('blobServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed container." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "blobServices" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed blob service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the deployed blob service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_fileServices": { - "condition": "[not(empty(parameters('fileServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-FileServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('fileServices'), 'diagnosticSettings')]" - }, - "protocolSettings": { - "value": "[tryGet(parameters('fileServices'), 'protocolSettings')]" - }, - "shareDeleteRetentionPolicy": { - "value": "[tryGet(parameters('fileServices'), 'shareDeleteRetentionPolicy')]" - }, - "shares": { - "value": "[tryGet(parameters('fileServices'), 'shares')]" - }, - "corsRules": { - "value": "[tryGet(parameters('fileServices'), 'corsRules')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "17583198711200998285" - }, - "name": "Storage Account File Share Services", - "description": "This module deploys a Storage Account File Share Service." - }, - "definitions": { - "corsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a cors rule." - } - }, - "fileShareType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share." - } - }, - "accessTier": { - "type": "string", - "allowedValues": [ - "Cool", - "Hot", - "Premium", - "TransactionOptimized" - ], - "nullable": true, - "metadata": { - "description": "Optional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized (default), Hot, and Cool." - } - }, - "enabledProtocols": { - "type": "string", - "allowedValues": [ - "NFS", - "SMB" - ], - "nullable": true, - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - } - }, - "rootSquash": { - "type": "string", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "shareQuota": { - "type": "int", - "nullable": true, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "provisionedBandwidthMibps": { - "type": "int", - "nullable": true, - "maxValue": 10340, - "metadata": { - "description": "Optional. The provisioned bandwidth of the share, in mebibytes per second. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 10340." - } - }, - "provisionedIops": { - "type": "int", - "nullable": true, - "maxValue": 102400, - "metadata": { - "description": "Optional. The provisioned IOPS of the share. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 102400." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a file share." - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the file service." - } - }, - "protocolSettings": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/fileServices@2024-01-01#properties/properties/properties/protocolSettings" - }, - "description": "Optional. Protocol settings for file service." - }, - "defaultValue": {} - }, - "shareDeleteRetentionPolicy": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/fileServices@2024-01-01#properties/properties/properties/shareDeleteRetentionPolicy" - }, - "description": "Optional. The service properties for soft delete." - }, - "defaultValue": { - "enabled": true, - "days": 7 - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/corsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - }, - "shares": { - "type": "array", - "items": { - "$ref": "#/definitions/fileShareType" - }, - "nullable": true, - "metadata": { - "description": "Optional. File shares to create." - } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "fileServices": { - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "cors": "[if(not(equals(parameters('corsRules'), null())), createObject('corsRules', parameters('corsRules')), null())]", - "protocolSettings": "[parameters('protocolSettings')]", - "shareDeleteRetentionPolicy": "[parameters('shareDeleteRetentionPolicy')]" - } - }, - "fileServices_diagnosticSettings": { - "copy": { - "name": "fileServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - }, - { - "name": "logs", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", - "input": { - "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", - "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "fileServices" - ] - }, - "fileServices_shares": { - "copy": { - "name": "fileServices_shares", - "count": "[length(coalesce(parameters('shares'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-FileShare-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "fileServicesName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('shares'), createArray())[copyIndex()].name]" - }, - "accessTier": { - "value": "[coalesce(tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'accessTier'), if(equals(reference('storageAccount', '2025-06-01', 'full').kind, 'FileStorage'), if(startsWith(reference('storageAccount', '2025-06-01', 'full').sku.name, 'PremiumV2_'), null(), 'Premium'), 'TransactionOptimized'))]" - }, - "enabledProtocols": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'enabledProtocols')]" - }, - "rootSquash": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'rootSquash')]" - }, - "shareQuota": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'shareQuota')]" - }, - "provisionedBandwidthMibps": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'provisionedBandwidthMibps')]" - }, - "provisionedIops": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'provisionedIops')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('shares'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "10353179772982843397" - }, - "name": "Storage Account File Shares", - "description": "This module deploys a Storage Account File Share." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "fileServicesName": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Conditional. The name of the parent file service. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the file share to create." - } - }, - "accessTier": { - "type": "string", - "nullable": true, - "allowedValues": [ - "Premium", - "Hot", - "Cool", - "TransactionOptimized" - ], - "metadata": { - "description": "Conditional. Access tier for specific share. Required if the Storage Account kind is set to FileStorage (should be set to \"Premium\"). GpV2 account can choose between TransactionOptimized, Hot, and Cool." - } - }, - "shareQuota": { - "type": "int", - "defaultValue": 5120, - "metadata": { - "description": "Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5120 (5TB). For Large File Shares, the maximum size is 102400 (100TB)." - } - }, - "enabledProtocols": { - "type": "string", - "defaultValue": "SMB", - "allowedValues": [ - "NFS", - "SMB" - ], - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - } - }, - "rootSquash": { - "type": "string", - "defaultValue": "NoRootSquash", - "allowedValues": [ - "AllSquash", - "NoRootSquash", - "RootSquash" - ], - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - } - }, - "provisionedBandwidthMibps": { - "type": "int", - "nullable": true, - "minValue": 0, - "maxValue": 10340, - "metadata": { - "description": "Optional. The provisioned bandwidth of the share, in mebibytes per second. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 10340." - } - }, - "provisionedIops": { - "type": "int", - "nullable": true, - "minValue": 0, - "maxValue": 102400, - "metadata": { - "description": "Optional. The provisioned IOPS of the share. Only applicable to FileStorage storage accounts (premium file shares). Must be between 0 and 102400." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage File Data SMB Share Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::fileService": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('fileServicesName'))]" - }, - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-fileshare.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "fileShare": { - "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]", - "properties": { - "accessTier": "[parameters('accessTier')]", - "shareQuota": "[parameters('shareQuota')]", - "rootSquash": "[if(equals(parameters('enabledProtocols'), 'NFS'), parameters('rootSquash'), null())]", - "enabledProtocols": "[parameters('enabledProtocols')]", - "provisionedBandwidthMibps": "[if(equals(reference('storageAccount', '2025-01-01', 'full').kind, 'FileStorage'), parameters('provisionedBandwidthMibps'), null())]", - "provisionedIops": "[if(equals(reference('storageAccount', '2025-01-01', 'full').kind, 'FileStorage'), parameters('provisionedIops'), null())]" - }, - "dependsOn": [ - "storageAccount" - ] - }, - "fileShare_roleAssignments": { - "copy": { - "name": "fileShare_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Share-Rbac-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "scope": { - "value": "[replace(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), '/shares/', '/fileshares/')]" - }, - "name": { - "value": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]" - }, - "roleDefinitionId": { - "value": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]" - }, - "principalId": { - "value": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]" - }, - "principalType": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]" - }, - "condition": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]" - }, - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), createObject('value', coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0')), createObject('value', null()))]", - "delegatedManagedIdentityResourceId": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "description": { - "value": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "scope": { - "type": "string", - "metadata": { - "description": "Required. The scope to deploy the role assignment to." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the role assignment." - } - }, - "roleDefinitionId": { - "type": "string", - "metadata": { - "description": "Required. The role definition Id to assign." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User", - "" - ], - "defaultValue": "", - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "defaultValue": "2.0", - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[parameters('scope')]", - "name": "[parameters('name')]", - "properties": { - "roleDefinitionId": "[parameters('roleDefinitionId')]", - "principalId": "[parameters('principalId')]", - "description": "[parameters('description')]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "fileShare" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices/shares', parameters('storageAccountName'), parameters('fileServicesName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "fileServices", - "storageAccount" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed file share service." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed file share service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('storageAccountName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed file share service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_queueServices": { - "condition": "[not(empty(parameters('queueServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-QueueServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('queueServices'), 'diagnosticSettings')]" - }, - "queues": { - "value": "[tryGet(parameters('queueServices'), 'queues')]" - }, - "corsRules": { - "value": "[tryGet(parameters('queueServices'), 'corsRules')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "9644461291744477521" - }, - "name": "Storage Account Queue Services", - "description": "This module deploys a Storage Account Queue Service." - }, - "definitions": { - "corsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a cors rule." - } - }, - "queueType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the queue." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/queueServices/queues@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. Metadata to set on the queue." - }, - "nullable": true - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a queue." - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "queues": { - "type": "array", - "items": { - "$ref": "#/definitions/queueType" - }, - "defaultValue": [], - "metadata": { - "description": "Optional. Queues to create." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/corsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "queueServices": { - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": { - "cors": "[if(not(equals(parameters('corsRules'), null())), createObject('corsRules', parameters('corsRules')), null())]" - } - }, - "queueServices_diagnosticSettings": { - "copy": { - "name": "queueServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - }, - { - "name": "logs", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", - "input": { - "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", - "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "queueServices" - ] - }, - "queueServices_queues": { - "copy": { - "name": "queueServices_queues", - "count": "[length(coalesce(parameters('queues'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Queue-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "name": { - "value": "[coalesce(parameters('queues'), createArray())[copyIndex()].name]" - }, - "metadata": { - "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'metadata')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('queues'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "12812824360066955039" - }, - "name": "Storage Account Queues", - "description": "This module deploys a Storage Account Queue." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the storage queue to deploy." - } - }, - "metadata": { - "type": "object", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/queueServices/queues@2024-01-01#properties/properties/properties/metadata" - }, - "description": "Optional. A name-value pair that represents queue metadata." - }, - "defaultValue": {} - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Queue Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '19e7f393-937e-4f77-808e-94535e297925')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::queueServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/queueServices", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]" - }, - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-queue.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "queue": { - "type": "Microsoft.Storage/storageAccounts/queueServices/queues", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]", - "properties": { - "metadata": "[parameters('metadata')]" - } - }, - "queue_roleAssignments": { - "copy": { - "name": "queue_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "queue" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices/queues', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed queue service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed queue service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/queueServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed queue service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_tableServices": { - "condition": "[not(empty(parameters('tableServices')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-TableServices', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "diagnosticSettings": { - "value": "[tryGet(parameters('tableServices'), 'diagnosticSettings')]" - }, - "tables": { - "value": "[tryGet(parameters('tableServices'), 'tables')]" - }, - "corsRules": { - "value": "[tryGet(parameters('tableServices'), 'corsRules')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "10320403358700650147" - }, - "name": "Storage Account Table Services", - "description": "This module deploys a Storage Account Table Service." - }, - "definitions": { - "corsRuleType": { - "type": "object", - "properties": { - "allowedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of headers allowed to be part of the cross-origin request." - } - }, - "allowedMethods": { - "type": "array", - "allowedValues": [ - "CONNECT", - "DELETE", - "GET", - "HEAD", - "MERGE", - "OPTIONS", - "PATCH", - "POST", - "PUT", - "TRACE" - ], - "metadata": { - "description": "Required. A list of HTTP methods that are allowed to be executed by the origin." - } - }, - "allowedOrigins": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of origin domains that will be allowed via CORS, or \"*\" to allow all domains." - } - }, - "exposedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of response headers to expose to CORS clients." - } - }, - "maxAgeInSeconds": { - "type": "int", - "metadata": { - "description": "Required. The number of seconds that the client/browser should cache a preflight response." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a cors rule." - } - }, - "tableType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the table." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type for a table." - } - }, - "diagnosticSettingFullType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "tables": { - "type": "array", - "items": { - "$ref": "#/definitions/tableType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Tables to create." - } - }, - "corsRules": { - "type": "array", - "items": { - "$ref": "#/definitions/corsRuleType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The List of CORS rules. You can include up to five CorsRule elements in the request." - } - }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, - "nullable": true, - "metadata": { - "description": "Optional. The diagnostic settings of the service." - } - } - }, - "variables": { - "name": "default", - "enableReferencedModulesTelemetry": false - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "tableServices": { - "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), variables('name'))]", - "properties": { - "cors": "[if(not(equals(parameters('corsRules'), null())), createObject('corsRules', parameters('corsRules')), null())]" - } - }, - "tableServices_diagnosticSettings": { - "copy": { - "name": "tableServices_diagnosticSettings", - "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" - }, - "type": "Microsoft.Insights/diagnosticSettings", - "apiVersion": "2021-05-01-preview", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]", - "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', variables('name')))]", - "properties": { - "copy": [ - { - "name": "metrics", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", - "input": { - "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", - "timeGrain": null - } - }, - { - "name": "logs", - "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]", - "input": { - "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]", - "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]", - "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]" - } - } - ], - "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", - "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", - "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", - "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", - "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", - "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" - }, - "dependsOn": [ - "tableServices" - ] - }, - "tableServices_tables": { - "copy": { - "name": "tableServices_tables", - "count": "[length(coalesce(parameters('tables'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Table-{1}', deployment().name, copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('tables'), createArray())[copyIndex()].name]" - }, - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "roleAssignments": { - "value": "[tryGet(coalesce(parameters('tables'), createArray())[copyIndex()], 'roleAssignments')]" - }, - "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "11362260974696477885" - }, - "name": "Storage Account Table", - "description": "This module deploys a Storage Account Table." - }, - "definitions": { - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - } - }, - "parameters": { - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - } - }, - "roleAssignments": { - "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" - }, - "nullable": true, - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the table." - } - }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Storage Account Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Table Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]", - "Storage Table Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76199698-9eea-4c19-bc75-cec21354c6b6')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "storageAccount::tableServices": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts/tableServices", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), 'default')]" - }, - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.storage-table.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-06-01", - "name": "[parameters('storageAccountName')]" - }, - "table": { - "type": "Microsoft.Storage/storageAccounts/tableServices/tables", - "apiVersion": "2025-06-01", - "name": "[format('{0}/{1}/{2}', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "table_roleAssignments": { - "copy": { - "name": "table_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", - "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" - }, - "dependsOn": [ - "table" - ] - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed table." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed table." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices/tables', parameters('storageAccountName'), 'default', parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed table." - }, - "value": "[resourceGroup().name]" - } - } - } - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed table service." - }, - "value": "[variables('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed table service." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/tableServices', parameters('storageAccountName'), variables('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group of the deployed table service." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "secretsExport": { - "condition": "[not(equals(parameters('secretsExportConfiguration'), null()))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-secrets-kv', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "keyVaultName": { - "value": "[last(split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/'))]" - }, - "secretsToSet": { - "value": "[union(createArray(), if(contains(parameters('secretsExportConfiguration'), 'accessKey1Name'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'accessKey1Name'), 'value', listKeys('storageAccount', '2025-06-01').keys[0].value)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'connectionString1Name'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'connectionString1Name'), 'value', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('name'), listKeys('storageAccount', '2025-06-01').keys[0].value, environment().suffixes.storage))), createArray()), if(contains(parameters('secretsExportConfiguration'), 'accessKey2Name'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'accessKey2Name'), 'value', listKeys('storageAccount', '2025-06-01').keys[1].value)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'connectionString2Name'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'connectionString2Name'), 'value', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('name'), listKeys('storageAccount', '2025-06-01').keys[1].value, environment().suffixes.storage))), createArray()))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "13227497656004178962" - } - }, - "definitions": { - "secretSetOutputType": { - "type": "object", - "properties": { - "secretResourceId": { - "type": "string", - "metadata": { - "description": "The resourceId of the exported secret." - } - }, - "secretUri": { - "type": "string", - "metadata": { - "description": "The secret URI of the exported secret." - } - }, - "secretUriWithVersion": { - "type": "string", - "metadata": { - "description": "The secret URI with version of the exported secret." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for the output of the secret set via the secrets export feature.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" - } - } - }, - "secretToSetType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret to set." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the secret to set." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for the secret to set via the secrets export feature.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" - } - } - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Required. The name of the Key Vault to set the ecrets in." - } - }, - "secretsToSet": { - "type": "array", - "items": { - "$ref": "#/definitions/secretToSetType" - }, - "metadata": { - "description": "Required. The secrets to set in the Key Vault." - } - } - }, - "resources": { - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2024-11-01", - "name": "[parameters('keyVaultName')]" - }, - "secrets": { - "copy": { - "name": "secrets", - "count": "[length(parameters('secretsToSet'))]" - }, - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2024-11-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretsToSet')[copyIndex()].name)]", - "properties": { - "value": "[parameters('secretsToSet')[copyIndex()].value]" - } - } - }, - "outputs": { - "secretsSet": { - "type": "array", - "items": { - "$ref": "#/definitions/secretSetOutputType" - }, - "metadata": { - "description": "The references to the secrets exported to the provided Key Vault." - }, - "copy": { - "count": "[length(range(0, length(coalesce(parameters('secretsToSet'), createArray()))))]", - "input": { - "secretResourceId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretsToSet')[range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()]].name)]", - "secretUri": "[reference(format('secrets[{0}]', range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()])).secretUri]", - "secretUriWithVersion": "[reference(format('secrets[{0}]', range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()])).secretUriWithVersion]" - } - } - } - } - } - }, - "dependsOn": [ - "storageAccount" - ] - }, - "storageAccount_objectReplicationPolicies": { - "copy": { - "name": "storageAccount_objectReplicationPolicies", - "count": "[length(coalesce(parameters('objectReplicationPolicies'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-Storage-ObjRepPolicy-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "storageAccountName": { - "value": "[parameters('name')]" - }, - "destinationAccountResourceId": { - "value": "[coalesce(parameters('objectReplicationPolicies'), createArray())[copyIndex()].destinationStorageAccountResourceId]" - }, - "enableMetrics": { - "value": "[coalesce(tryGet(coalesce(parameters('objectReplicationPolicies'), createArray())[copyIndex()], 'enableMetrics'), false())]" - }, - "rules": { - "value": "[tryGet(coalesce(parameters('objectReplicationPolicies'), createArray())[copyIndex()], 'rules')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "1894366578172550759" - }, - "name": "Storage Account Object Replication Policy", - "description": "This module deploys a Storage Account Object Replication Policy for both the source account and destination account." - }, - "definitions": { - "objectReplicationPolicyRuleType": { - "type": "object", - "properties": { - "ruleId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The ID of the rule. Auto-generated on destination account. Required for source account." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Required. The name of the source container." - } - }, - "destinationContainerName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the destination container. If not provided, the same name as the source container will be used." - } - }, - "filters": { - "type": "object", - "properties": { - "prefixMatch": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The prefix to match for the replication policy rule." - } - }, - "minCreationTime": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The minimum creation time to match for the replication policy rule." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The filters for the object replication policy rule." - } - } - }, - "metadata": { - "description": "The type of an object replication policy rule.", - "__bicep_imported_from!": { - "sourceTemplate": "policy/main.bicep" - } - } - } - }, - "parameters": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the policy." - } - }, - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the parent Storage Account." - } - }, - "destinationAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the destination storage account for replication." - } - }, - "enableMetrics": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Whether metrics are enabled for the object replication policy." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/objectReplicationPolicyRuleType" - }, - "metadata": { - "description": "Required. Rules for the object replication policy." - } - } - }, - "variables": { - "destAccountResourceIdParts": "[split(parameters('destinationAccountResourceId'), '/')]", - "destAccountName": "[if(not(empty(variables('destAccountResourceIdParts'))), last(variables('destAccountResourceIdParts')), parameters('destinationAccountResourceId'))]", - "destAccountSubscription": "[if(greater(length(variables('destAccountResourceIdParts')), 2), variables('destAccountResourceIdParts')[2], subscription().subscriptionId)]", - "destAccountResourceGroupName": "[if(greater(length(variables('destAccountResourceIdParts')), 4), variables('destAccountResourceIdParts')[4], resourceGroup().name)]" - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "destinationPolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('{0}-ObjRep-Policy-dest-{1}', deployment().name, variables('destAccountName')), 64)]", - "subscriptionId": "[variables('destAccountSubscription')]", - "resourceGroup": "[variables('destAccountResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('name'), 'default')]" - }, - "storageAccountName": { - "value": "[variables('destAccountName')]" - }, - "sourceStorageAccountResourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" - }, - "destinationAccountResourceId": { - "value": "[parameters('destinationAccountResourceId')]" - }, - "enableMetrics": { - "value": "[parameters('enableMetrics')]" - }, - "rules": { - "value": "[parameters('rules')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "14995722372031126283" - }, - "name": "Storage Account Object Replication Policy", - "description": "This module deploys a Storage Account Object Replication Policy for a provided storage account." - }, - "definitions": { - "objectReplicationPolicyRuleType": { - "type": "object", - "properties": { - "ruleId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The ID of the rule. Auto-generated on destination account. Required for source account." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Required. The name of the source container." - } - }, - "destinationContainerName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the destination container. If not provided, the same name as the source container will be used." - } - }, - "filters": { - "type": "object", - "properties": { - "prefixMatch": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The prefix to match for the replication policy rule." - } - }, - "minCreationTime": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The minimum creation time to match for the replication policy rule." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The filters for the object replication policy rule." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of an object replication policy rule." - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the policy." - } - }, - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the Storage Account on which to create the policy." - } - }, - "sourceStorageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the source storage account for replication." - } - }, - "destinationAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the destination storage account for replication." - } - }, - "enableMetrics": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Whether metrics are enabled for the object replication policy." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/objectReplicationPolicyRuleType" - }, - "metadata": { - "description": "Required. Rules for the object replication policy." - } - } - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "objectReplicationPolicy": { - "type": "Microsoft.Storage/storageAccounts/objectReplicationPolicies", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "rules", - "count": "[length(parameters('rules'))]", - "input": { - "ruleId": "[tryGet(parameters('rules')[copyIndex('rules')], 'ruleId')]", - "sourceContainer": "[parameters('rules')[copyIndex('rules')].containerName]", - "destinationContainer": "[coalesce(tryGet(parameters('rules')[copyIndex('rules')], 'destinationContainerName'), parameters('rules')[copyIndex('rules')].containerName)]", - "filters": "[if(not(equals(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), null())), createObject('prefixMatch', tryGet(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), 'prefixMatch'), 'minCreationTime', tryGet(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), 'minCreationTime')), null())]" - } - } - ], - "destinationAccount": "[parameters('destinationAccountResourceId')]", - "metrics": { - "enabled": "[coalesce(parameters('enableMetrics'), false())]" - }, - "sourceAccount": "[parameters('sourceStorageAccountResourceId')]" - } - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "Resource group name of the provisioned resources." - }, - "value": "[resourceGroup().name]" - }, - "objectReplicationPolicyId": { - "type": "string", - "metadata": { - "description": "Resource ID of the created Object Replication Policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/objectReplicationPolicies', parameters('storageAccountName'), parameters('name'))]" - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Policy ID of the created Object Replication Policy." - }, - "value": "[reference('objectReplicationPolicy').policyId]" - }, - "rules": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/objectReplicationPolicies@2025-01-01#properties/properties/properties/rules", - "output": true - }, - "description": "Rules created Object Replication Policy." - }, - "value": "[reference('objectReplicationPolicy').rules]" - } - } - } - } - }, - "sourcePolicy": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('{0}-ObjRep-Policy-source-{1}', deployment().name, parameters('storageAccountName')), 64)]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[reference('destinationPolicy').outputs.policyId.value]" - }, - "storageAccountName": { - "value": "[parameters('storageAccountName')]" - }, - "sourceStorageAccountResourceId": { - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" - }, - "destinationAccountResourceId": { - "value": "[parameters('destinationAccountResourceId')]" - }, - "enableMetrics": { - "value": "[parameters('enableMetrics')]" - }, - "rules": { - "copy": [ - { - "name": "value", - "count": "[length(parameters('rules'))]", - "input": "[union(parameters('rules')[copyIndex('value')], createObject('ruleId', reference('destinationPolicy').outputs.rules.value[copyIndex('value')].ruleId))]" - } - ] - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.41.2.15936", - "templateHash": "14995722372031126283" - }, - "name": "Storage Account Object Replication Policy", - "description": "This module deploys a Storage Account Object Replication Policy for a provided storage account." - }, - "definitions": { - "objectReplicationPolicyRuleType": { - "type": "object", - "properties": { - "ruleId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The ID of the rule. Auto-generated on destination account. Required for source account." - } - }, - "containerName": { - "type": "string", - "metadata": { - "description": "Required. The name of the source container." - } - }, - "destinationContainerName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the destination container. If not provided, the same name as the source container will be used." - } - }, - "filters": { - "type": "object", - "properties": { - "prefixMatch": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The prefix to match for the replication policy rule." - } - }, - "minCreationTime": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The minimum creation time to match for the replication policy rule." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The filters for the object replication policy rule." - } - } - }, - "metadata": { - "__bicep_export!": true, - "description": "The type of an object replication policy rule." - } - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the policy." - } - }, - "storageAccountName": { - "type": "string", - "maxLength": 24, - "metadata": { - "description": "Required. The name of the Storage Account on which to create the policy." - } - }, - "sourceStorageAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the source storage account for replication." - } - }, - "destinationAccountResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the destination storage account for replication." - } - }, - "enableMetrics": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Whether metrics are enabled for the object replication policy." - } - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/objectReplicationPolicyRuleType" - }, - "metadata": { - "description": "Required. Rules for the object replication policy." - } - } - }, - "resources": { - "storageAccount": { - "existing": true, - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2025-01-01", - "name": "[parameters('storageAccountName')]" - }, - "objectReplicationPolicy": { - "type": "Microsoft.Storage/storageAccounts/objectReplicationPolicies", - "apiVersion": "2025-01-01", - "name": "[format('{0}/{1}', parameters('storageAccountName'), parameters('name'))]", - "properties": { - "copy": [ - { - "name": "rules", - "count": "[length(parameters('rules'))]", - "input": { - "ruleId": "[tryGet(parameters('rules')[copyIndex('rules')], 'ruleId')]", - "sourceContainer": "[parameters('rules')[copyIndex('rules')].containerName]", - "destinationContainer": "[coalesce(tryGet(parameters('rules')[copyIndex('rules')], 'destinationContainerName'), parameters('rules')[copyIndex('rules')].containerName)]", - "filters": "[if(not(equals(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), null())), createObject('prefixMatch', tryGet(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), 'prefixMatch'), 'minCreationTime', tryGet(tryGet(parameters('rules')[copyIndex('rules')], 'filters'), 'minCreationTime')), null())]" - } - } - ], - "destinationAccount": "[parameters('destinationAccountResourceId')]", - "metrics": { - "enabled": "[coalesce(parameters('enableMetrics'), false())]" - }, - "sourceAccount": "[parameters('sourceStorageAccountResourceId')]" - } - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "Resource group name of the provisioned resources." - }, - "value": "[resourceGroup().name]" - }, - "objectReplicationPolicyId": { - "type": "string", - "metadata": { - "description": "Resource ID of the created Object Replication Policy." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts/objectReplicationPolicies', parameters('storageAccountName'), parameters('name'))]" - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Policy ID of the created Object Replication Policy." - }, - "value": "[reference('objectReplicationPolicy').policyId]" - }, - "rules": { - "type": "array", - "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Storage/storageAccounts/objectReplicationPolicies@2025-01-01#properties/properties/properties/rules", - "output": true - }, - "description": "Rules created Object Replication Policy." - }, - "value": "[reference('objectReplicationPolicy').rules]" - } - } - } - }, - "dependsOn": [ - "destinationPolicy" - ] - } - }, - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "Resource group name of the provisioned resources." - }, - "value": "[resourceGroup().name]" - }, - "objectReplicationPolicyId": { - "type": "string", - "metadata": { - "description": "Resource ID of the created Object Replication Policy in the source account." - }, - "value": "[reference('sourcePolicy').outputs.objectReplicationPolicyId.value]" - }, - "policyId": { - "type": "string", - "metadata": { - "description": "Policy ID of the created Object Replication Policy in the source account." - }, - "value": "[reference('sourcePolicy').outputs.policyId.value]" - } + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." } } }, - "dependsOn": [ - "storageAccount", - "storageAccount_blobServices" - ] + "metadata": { + "description": "An AVM-aligned type for a diagnostic setting. To be used if only metrics are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + } + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "notes": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the notes of the lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0" + } + } } }, - "outputs": { - "resourceId": { + "parameters": { + "name": { "type": "string", + "minLength": 1, + "maxLength": 60, "metadata": { - "description": "The resource ID of the deployed storage account." - }, - "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" + "description": "Required. Name of the app service plan." + } }, - "name": { + "skuName": { "type": "string", + "defaultValue": "P1v3", "metadata": { - "description": "The name of the deployed storage account." - }, - "value": "[parameters('name')]" + "example": " 'F1'\n 'B1'\n 'P1v3'\n 'I1v2'\n 'FC1'\n ", + "description": "Optional. The name of the SKU will Determine the tier, size, family of the App Service Plan. This defaults to P1v3 to leverage availability zones." + } }, - "resourceGroupName": { + "skuCapacity": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "Optional. Number of workers associated with the App Service Plan. This defaults to 3, to leverage availability zones." + } + }, + "location": { "type": "string", + "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "The resource group of the deployed storage account." - }, - "value": "[resourceGroup().name]" + "description": "Optional. Location for all resources." + } }, - "primaryBlobEndpoint": { + "kind": { "type": "string", + "defaultValue": "app", + "allowedValues": [ + "app", + "elastic", + "functionapp", + "windows", + "linux" + ], "metadata": { - "description": "The primary blob endpoint reference if blob services are deployed." - }, - "value": "[if(and(not(empty(parameters('blobServices'))), contains(parameters('blobServices'), 'containers')), reference(format('Microsoft.Storage/storageAccounts/{0}', parameters('name')), '2019-04-01').primaryEndpoints.blob, '')]" + "description": "Optional. Kind of server OS." + } }, - "systemAssignedMIPrincipalId": { + "reserved": { + "type": "bool", + "defaultValue": "[equals(parameters('kind'), 'linux')]", + "metadata": { + "description": "Conditional. Defaults to false when creating Windows/app App Service Plan. Required if creating a Linux App Service Plan and must be set to true." + } + }, + "appServiceEnvironmentResourceId": { "type": "string", - "nullable": true, + "defaultValue": "", "metadata": { - "description": "The principal ID of the system assigned identity." - }, - "value": "[tryGet(tryGet(reference('storageAccount', '2025-06-01', 'full'), 'identity'), 'principalId')]" + "description": "Optional. The Resource ID of the App Service Environment to use for the App Service Plan." + } }, - "location": { + "workerTierName": { "type": "string", + "defaultValue": "", "metadata": { - "description": "The location the resource was deployed into." + "description": "Optional. Target worker tier assigned to the App Service plan." + } + }, + "perSiteScaling": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan." + } + }, + "elasticScaleEnabled": { + "type": "bool", + "defaultValue": "[greater(parameters('maximumElasticWorkerCount'), 1)]", + "metadata": { + "description": "Optional. Enable/Disable ElasticScaleEnabled App Service Plan." + } + }, + "maximumElasticWorkerCount": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "Optional. Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan." + } + }, + "targetWorkerCount": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Optional. Scaling worker count." + } + }, + "targetWorkerSize": { + "type": "int", + "defaultValue": 0, + "allowedValues": [ + 0, + 1, + 2 + ], + "metadata": { + "description": "Optional. The instance size of the hosting plan (small, medium, or large)." + } + }, + "zoneRedundant": { + "type": "bool", + "defaultValue": "[if(or(startsWith(parameters('skuName'), 'P'), startsWith(parameters('skuName'), 'EP')), true(), false())]", + "metadata": { + "description": "Optional. Zone Redundant server farms can only be used on Premium or ElasticPremium SKU tiers within ZRS Supported regions (https://learn.microsoft.com/en-us/azure/storage/common/redundancy-regions-zrs)." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" }, - "value": "[reference('storageAccount', '2025-06-01', 'full').location]" + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } }, - "serviceEndpoints": { + "tags": { "type": "object", "metadata": { - "description": "All service endpoints of the deployed storage account, Note Standard_LRS and Standard_ZRS accounts only have a blob service endpoint." + "__bicep_resource_derived_type!": { + "source": "Microsoft.Web/serverfarms@2024-11-01#properties/tags" + }, + "description": "Optional. Tags of the resource." }, - "value": "[reference('storageAccount').primaryEndpoints]" + "nullable": true }, - "privateEndpoints": { + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "diagnosticSettings": { "type": "array", "items": { - "$ref": "#/definitions/privateEndpointOutputType" + "$ref": "#/definitions/diagnosticSettingMetricsOnlyType" }, + "nullable": true, "metadata": { - "description": "The private endpoints of the Storage Account." - }, - "copy": { - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]", - "input": { - "name": "[reference(format('storageAccount_privateEndpoints[{0}]', copyIndex())).outputs.name.value]", - "resourceId": "[reference(format('storageAccount_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]", - "groupId": "[tryGet(tryGet(reference(format('storageAccount_privateEndpoints[{0}]', copyIndex())).outputs, 'groupId'), 'value')]", - "customDnsConfigs": "[reference(format('storageAccount_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfigs.value]", - "networkInterfaceResourceIds": "[reference(format('storageAccount_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceResourceIds.value]" + "description": "Optional. The diagnostic settings of the service." + } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Web Plan Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", + "Website Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'de139f84-1756-47ae-9be6-808fbbe84772')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.web-serverfarm.{0}.{1}', replace('0.5.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } } } }, - "exportedSecrets": { - "$ref": "#/definitions/secretsOutputType", - "metadata": { - "description": "A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret's name." + "appServicePlan": { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2024-11-01", + "name": "[parameters('name')]", + "kind": "[parameters('kind')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": "[if(equals(parameters('skuName'), 'FC1'), createObject('name', parameters('skuName'), 'tier', 'FlexConsumption'), createObject('name', parameters('skuName'), 'capacity', parameters('skuCapacity')))]", + "properties": { + "workerTierName": "[parameters('workerTierName')]", + "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", + "perSiteScaling": "[parameters('perSiteScaling')]", + "maximumElasticWorkerCount": "[parameters('maximumElasticWorkerCount')]", + "elasticScaleEnabled": "[parameters('elasticScaleEnabled')]", + "reserved": "[parameters('reserved')]", + "targetWorkerCount": "[parameters('targetWorkerCount')]", + "targetWorkerSizeId": "[parameters('targetWorkerSize')]", + "zoneRedundant": "[parameters('zoneRedundant')]" + } + }, + "appServicePlan_diagnosticSettings": { + "copy": { + "name": "appServicePlan_diagnosticSettings", + "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" }, - "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]" + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "copy": [ + { + "name": "metrics", + "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]", + "input": { + "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]", + "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]", + "timeGrain": null + } + } + ], + "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]", + "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]", + "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]", + "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]", + "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]", + "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" + }, + "dependsOn": [ + "appServicePlan" + ] }, - "primaryAccessKey": { - "type": "securestring", + "appServicePlan_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + }, + "dependsOn": [ + "appServicePlan" + ] + }, + "appServicePlan_roleAssignments": { + "copy": { + "name": "appServicePlan_roleAssignments", + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Web/serverfarms/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Web/serverfarms', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "appServicePlan" + ] + } + }, + "outputs": { + "resourceGroupName": { + "type": "string", "metadata": { - "description": "The primary access key of the storage account." + "description": "The resource group the app service plan was deployed into." }, - "value": "[listKeys('storageAccount', '2025-06-01').keys[0].value]" + "value": "[resourceGroup().name]" }, - "secondaryAccessKey": { - "type": "securestring", + "name": { + "type": "string", "metadata": { - "description": "The secondary access key of the storage account." + "description": "The name of the app service plan." }, - "value": "[listKeys('storageAccount', '2025-06-01').keys[1].value]" + "value": "[parameters('name')]" }, - "primaryConnectionString": { - "type": "securestring", + "resourceId": { + "type": "string", "metadata": { - "description": "The primary connection string of the storage account." + "description": "The resource ID of the app service plan." }, - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('name'), listKeys('storageAccount', '2025-06-01').keys[0].value, environment().suffixes.storage)]" + "value": "[resourceId('Microsoft.Web/serverfarms', parameters('name'))]" }, - "secondaryConnectionString": { - "type": "securestring", + "location": { + "type": "string", "metadata": { - "description": "The secondary connection string of the storage account." + "description": "The location the resource was deployed into." }, - "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('name'), listKeys('storageAccount', '2025-06-01').keys[1].value, environment().suffixes.storage)]" + "value": "[reference('appServicePlan', '2024-11-01', 'full').location]" } } } }, "dependsOn": [ - "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').blob)]", - "userAssignedIdentity", - "virtualNetwork" + "logAnalyticsWorkspace" ] }, - "searchServiceUpdate": { + "webSite": { "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", - "name": "[take(format('avm.res.search.update.{0}', variables('solutionSuffix')), 64)]", + "name": "[take(format('module.web-sites.{0}', variables('webSiteResourceName')), 64)]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -52715,66 +33123,51 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[variables('searchServiceName')]" + "value": "[variables('webSiteResourceName')]" + }, + "tags": { + "value": "[parameters('tags')]" }, "location": { "value": "[parameters('location')]" }, - "disableLocalAuth": { - "value": true - }, - "hostingMode": { - "value": "Default" - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } + "kind": { + "value": "app,linux,container" }, - "publicNetworkAccess": { - "value": "Enabled" + "serverFarmResourceId": { + "value": "[tryGet(reference('webServerFarm'), 'outputs', 'resourceId', 'value')]" }, - "networkRuleSet": { + "siteConfig": { "value": { - "bypass": "AzureServices" + "linuxFxVersion": "[format('DOCKER|{0}/{1}:{2}', parameters('frontendContainerRegistryHostname'), parameters('frontendContainerImageName'), parameters('frontendContainerImageTag'))]", + "minTlsVersion": "1.2" } }, - "partitionCount": { - "value": 1 - }, - "replicaCount": { - "value": 1 - }, - "sku": "[if(parameters('enableScalability'), createObject('value', 'standard'), createObject('value', 'basic'))]", - "tags": { - "value": "[parameters('tags')]" - }, - "roleAssignments": { + "configs": { "value": [ { - "principalId": "[reference('userAssignedIdentity').outputs.principalId.value]", - "roleDefinitionIdOrName": "8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "principalType": "ServicePrincipal" - }, - { - "principalId": "[variables('deployingUserPrincipalId')]", - "roleDefinitionIdOrName": "8ebe5a00-799e-43f5-93ac-243d3dce84a7", - "principalType": "[variables('deployerPrincipalType')]" - }, - { - "principalId": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject', '2025-12-01', 'full').identity.principalId, reference('aiFoundryAiServicesProject').outputs.principalId.value)]", - "roleDefinitionIdOrName": "1407120a-92aa-4202-b7e9-c0e197c71c8f", - "principalType": "ServicePrincipal" - }, - { - "principalId": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject', '2025-12-01', 'full').identity.principalId, reference('aiFoundryAiServicesProject').outputs.principalId.value)]", - "roleDefinitionIdOrName": "7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "principalType": "ServicePrincipal" + "name": "appsettings", + "properties": { + "SCM_DO_BUILD_DURING_DEPLOYMENT": "true", + "DOCKER_REGISTRY_SERVER_URL": "[format('https://{0}', parameters('frontendContainerRegistryHostname'))]", + "WEBSITES_PORT": "3000", + "WEBSITES_CONTAINER_START_TIME_LIMIT": "1800", + "BACKEND_API_URL": "[format('https://{0}', reference('containerApp').outputs.fqdn.value)]", + "AUTH_ENABLED": "false" + }, + "applicationInsightResourceId": "[if(parameters('enableMonitoring'), reference('applicationInsights').outputs.resourceId.value, null())]" } ] }, - "privateEndpoints": { - "value": [] + "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), reference('logAnalyticsWorkspace').outputs.resourceId.value)))), createObject('value', null()))]", + "vnetRouteAllEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]", + "vnetImagePullEnabled": "[if(parameters('enablePrivateNetworking'), createObject('value', true()), createObject('value', false()))]", + "virtualNetworkSubnetId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference('virtualNetwork').outputs.webserverfarmSubnetResourceId.value), createObject('value', null()))]", + "publicNetworkAccess": { + "value": "Enabled" + }, + "e2eEncryptionEnabled": { + "value": true } }, "template": { @@ -52784,108 +33177,98 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "6207719545398489494" - }, - "name": "Search Services", - "description": "This module deploys a Search Service." + "version": "0.44.1.10279", + "templateHash": "10032876662222912690" + } }, "definitions": { - "privateEndpointOutputType": { + "appSettingsConfigType": { "type": "object", "properties": { "name": { "type": "string", + "allowedValues": [ + "appsettings" + ], "metadata": { - "description": "The name of the private endpoint." + "description": "Required. The type of config." } }, - "resourceId": { + "storageAccountUseIdentityAuthentication": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. If the provided storage account requires Identity based authentication ('allowSharedKeyAccess' is set to false). When set to true, the minimum role assignment required for the App Service Managed Identity to the storage account is 'Storage Blob Data Owner'." + } + }, + "storageAccountResourceId": { "type": "string", + "nullable": true, "metadata": { - "description": "The resource ID of the private endpoint." + "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." } }, - "groupId": { + "applicationInsightResourceId": { "type": "string", "nullable": true, "metadata": { - "description": "The group Id for the private endpoint Group." + "description": "Optional. Resource ID of the application insight to leverage for this resource." } }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "FQDN that resolves to private endpoint IP address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "A list of private IP addresses of the private endpoint." - } - } - } - }, + "retainCurrentAppSettings": { + "type": "bool", + "nullable": true, "metadata": { - "description": "The custom DNS configurations of the private endpoint." + "description": "Optional. The retain the current app settings. Defaults to true." } }, - "networkInterfaceResourceIds": { - "type": "array", - "items": { - "type": "string" + "properties": { + "type": "object", + "properties": {}, + "additionalProperties": { + "type": "string", + "metadata": { + "description": "Required. An app settings key-value pair." + } }, + "nullable": true, "metadata": { - "description": "The IDs of the network interfaces associated with the private endpoint." + "description": "Optional. The app settings key-value pairs except for AzureWebJobsStorage, AzureWebJobsDashboard, APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING." } } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type of an app settings configuration." } }, - "secretsExportConfigurationType": { + "_1.lockType": { "type": "object", "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The key vault name where to store the API Admin keys generated by the modules." - } - }, - "primaryAdminKeyName": { + "name": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The primaryAdminKey secret name to create." + "description": "Optional. Specify the name of lock." } }, - "secondaryAdminKeyName": { + "kind": { "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], "nullable": true, "metadata": { - "description": "Optional. The secondaryAdminKey secret name to create." + "description": "Optional. Specify the type of lock." } } - } - }, - "secretsOutputType": { - "type": "object", - "properties": {}, - "additionalProperties": { - "$ref": "#/definitions/secretSetType", - "metadata": { - "description": "An exported secret's references." + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -52911,7 +33294,7 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -52953,7 +33336,7 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -52994,7 +33377,82 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" + } + } + }, + "_1.roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -53116,44 +33574,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for a lock.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -53181,7 +33602,7 @@ "metadata": { "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -53289,7 +33710,7 @@ } }, "lock": { - "$ref": "#/definitions/lockType", + "$ref": "#/definitions/_1.lockType", "nullable": true, "metadata": { "description": "Optional. Specify the type of lock." @@ -53298,7 +33719,7 @@ "roleAssignments": { "type": "array", "items": { - "$ref": "#/definitions/roleAssignmentType" + "$ref": "#/definitions/_1.roleAssignmentType" }, "nullable": true, "metadata": { @@ -53309,9 +33730,6 @@ "type": "object", "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-07-01#properties/tags" - }, "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment." } }, @@ -53326,219 +33744,169 @@ "metadata": { "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the site." + } }, - "roleAssignmentType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "An AVM-aligned type for a role assignment.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" - } + "description": "Optional. Location for all Resources." } }, - "secretSetType": { - "type": "object", - "properties": { - "secretResourceId": { - "type": "string", - "metadata": { - "description": "The resourceId of the exported secret." - } - }, - "secretUri": { - "type": "string", - "metadata": { - "description": "The secret URI of the exported secret." - } - } - }, + "kind": { + "type": "string", + "allowedValues": [ + "functionapp", + "functionapp,linux", + "functionapp,workflowapp", + "functionapp,workflowapp,linux", + "functionapp,linux,container", + "functionapp,linux,container,azurecontainerapps", + "app,linux", + "app", + "linux,api", + "api", + "app,linux,container", + "app,container,windows" + ], "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "modules/keyVaultExport.bicep" - } + "description": "Required. Type of site to deploy." } - } - }, - "parameters": { - "name": { + }, + "serverFarmResourceId": { "type": "string", "metadata": { - "description": "Required. The name of the Azure Cognitive Search service to create or update. Search service names must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and must be between 2 and 60 characters in length. Search service names must be globally unique since they are part of the service URI (https://.search.windows.net). You cannot change the service name after the service is created." + "description": "Required. The resource ID of the app service plan to use for the site." } }, - "authOptions": { - "type": "object", + "managedEnvironmentId": { + "type": "string", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Search/searchServices@2025-05-01#properties/properties/properties/authOptions" - }, - "description": "Optional. Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true." - }, - "nullable": true + "description": "Optional. Azure Resource Manager ID of the customers selected Managed Environment on which to host this app." + } }, - "disableLocalAuth": { + "httpsOnly": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'authOptions' are defined." + "description": "Optional. Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests." } }, - "enableTelemetry": { + "clientAffinityEnabled": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "description": "Optional. If client affinity is enabled." } }, - "computeType": { + "appServiceEnvironmentResourceId": { "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Confidential", - "Default" - ], + "nullable": true, "metadata": { - "description": "Optional. The compute type of the search service." + "description": "Optional. The resource ID of the app service environment to use for this resource." } }, - "cmkEnforcement": { - "type": "string", - "defaultValue": "Unspecified", - "allowedValues": [ - "Disabled", - "Enabled", - "Unspecified" - ], + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, "metadata": { - "description": "Optional. Describes a policy that determines how resources within the search service are to be encrypted with Customer Managed Keys." + "description": "Optional. The managed identity definition for this resource." } }, - "dataExfiltrationProtections": { - "type": "array", - "items": { - "type": "string" - }, + "keyVaultAccessIdentityResourceId": { + "type": "string", "nullable": true, - "allowedValues": [ - "All" - ], "metadata": { - "description": "Optional. A list of data exfiltration scenarios that are explicitly disallowed for the search service. Currently, the only supported value is 'All' to disable all possible data export scenarios with more fine grained controls planned for the future." + "description": "Optional. The resource ID of the assigned identity to be used to access a key vault with." } }, - "hostingMode": { - "type": "string", - "defaultValue": "Default", - "allowedValues": [ - "Default", - "HighDensity" - ], + "storageAccountRequired": { + "type": "bool", + "defaultValue": false, "metadata": { - "description": "Optional. Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'." + "description": "Optional. Checks if Customer provided storage account is required." } }, - "location": { + "virtualNetworkSubnetId": { "type": "string", - "defaultValue": "[resourceGroup().location]", + "nullable": true, "metadata": { - "description": "Optional. Location for all Resources." + "description": "Optional. Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}." } }, - "lock": { - "$ref": "#/definitions/lockType", - "nullable": true, + "vnetContentShareEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. To enable accessing content over virtual network." + } + }, + "vnetImagePullEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. To enable pulling image over Virtual Network." + } + }, + "vnetRouteAllEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied." + } + }, + "scmSiteAlsoStopped": { + "type": "bool", + "defaultValue": false, "metadata": { - "description": "Optional. The lock settings for all Resources in the solution." + "description": "Optional. Stop SCM (KUDU) site when the app is stopped." } }, - "networkRuleSet": { + "siteConfig": { "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.Search/searchServices@2025-05-01#properties/properties/properties/networkRuleSet" + "source": "Microsoft.Web/sites@2024-04-01#properties/properties/properties/siteConfig" }, - "description": "Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached." + "description": "Optional. The site config object. The defaults are set to the following values: alwaysOn: true, minTlsVersion: '1.2', ftpsState: 'FtpsOnly'." }, - "nullable": true + "defaultValue": { + "alwaysOn": true, + "minTlsVersion": "1.2", + "ftpsState": "FtpsOnly" + } }, - "partitionCount": { - "type": "int", - "defaultValue": 1, - "minValue": 1, - "maxValue": 12, + "configs": { + "type": "array", + "items": { + "$ref": "#/definitions/appSettingsConfigType" + }, + "nullable": true, "metadata": { - "description": "Optional. The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3." + "description": "Optional. The web site config." } }, + "functionAppConfig": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.Web/sites@2024-04-01#properties/properties/properties/functionAppConfig" + }, + "description": "Optional. The Function App configuration object." + }, + "nullable": true + }, "privateEndpoints": { "type": "array", "items": { @@ -53549,183 +33917,205 @@ "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } }, - "sharedPrivateLinkResources": { + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "diagnosticSettings": { "type": "array", - "defaultValue": [], + "items": { + "$ref": "#/definitions/diagnosticSettingFullType" + }, + "nullable": true, "metadata": { - "description": "Optional. The sharedPrivateLinkResources to create as part of the search Service." + "description": "Optional. The diagnostic settings of the service." } }, - "publicNetworkAccess": { + "clientCertEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. To enable client certificate authentication (TLS mutual authentication)." + } + }, + "clientCertExclusionPaths": { "type": "string", - "defaultValue": "Enabled", + "nullable": true, + "metadata": { + "description": "Optional. Client certificate authentication comma-separated exclusion paths." + } + }, + "clientCertMode": { + "type": "string", + "defaultValue": "Optional", "allowedValues": [ - "Enabled", - "Disabled" + "Optional", + "OptionalInteractiveUser", + "Required" ], "metadata": { - "description": "Optional. This value can be set to 'Enabled' to avoid breaking changes on existing customer resources and templates. If set to 'Disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method." + "description": "Optional. This composes with ClientCertEnabled setting.\n- ClientCertEnabled=false means ClientCert is ignored.\n- ClientCertEnabled=true and ClientCertMode=Required means ClientCert is required.\n- ClientCertEnabled=true and ClientCertMode=Optional means ClientCert is optional or accepted.\n" } }, - "secretsExportConfiguration": { - "$ref": "#/definitions/secretsExportConfigurationType", + "cloningInfo": { + "type": "object", + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.Web/sites@2024-04-01#properties/properties/properties/cloningInfo" + }, + "description": "Optional. If specified during app creation, the app is cloned from a source app." + }, + "nullable": true + }, + "containerSize": { + "type": "int", "nullable": true, "metadata": { - "description": "Optional. Key vault reference and secret settings for the module's secrets export." + "description": "Optional. Size of the function container." } }, - "replicaCount": { + "dailyMemoryTimeQuota": { "type": "int", - "defaultValue": 3, - "minValue": 1, - "maxValue": 12, + "nullable": true, "metadata": { - "description": "Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU." + "description": "Optional. Maximum allowed daily memory-time quota (applicable on dynamic apps only)." } }, - "roleAssignments": { + "enabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Setting this value to false disables the app (takes the app offline)." + } + }, + "hostNameSslStates": { "type": "array", - "items": { - "$ref": "#/definitions/roleAssignmentType" + "metadata": { + "__bicep_resource_derived_type!": { + "source": "Microsoft.Web/sites@2024-04-01#properties/properties/properties/hostNameSslStates" + }, + "description": "Optional. Hostname SSL states are used to manage the SSL bindings for app's hostnames." }, - "nullable": true, + "nullable": true + }, + "hyperV": { + "type": "bool", + "defaultValue": false, "metadata": { - "description": "Optional. Array of role assignments to create." + "description": "Optional. Hyper-V sandbox." } }, - "semanticSearch": { + "redundancyMode": { "type": "string", - "nullable": true, + "defaultValue": "None", "allowedValues": [ - "disabled", - "free", - "standard" + "ActiveActive", + "Failover", + "GeoRedundant", + "Manual", + "None" ], "metadata": { - "description": "Optional. Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations." + "description": "Optional. Site redundancy mode." } }, - "sku": { + "publicNetworkAccess": { "type": "string", - "defaultValue": "standard", + "nullable": true, "allowedValues": [ - "basic", - "free", - "standard", - "standard2", - "standard3", - "storage_optimized_l1", - "storage_optimized_l2" + "Enabled", + "Disabled" ], "metadata": { - "description": "Optional. Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentityAllType", - "nullable": true, - "metadata": { - "description": "Optional. The managed identity definition for this resource." + "description": "Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set." } }, - "diagnosticSettings": { - "type": "array", - "items": { - "$ref": "#/definitions/diagnosticSettingFullType" - }, + "e2eEncryptionEnabled": { + "type": "bool", "nullable": true, "metadata": { - "description": "Optional. The diagnostic settings of the service." + "description": "Optional. End to End Encryption Setting." } }, - "tags": { + "dnsConfiguration": { "type": "object", "metadata": { "__bicep_resource_derived_type!": { - "source": "Microsoft.Search/searchServices@2025-05-01#properties/tags" + "source": "Microsoft.Web/sites@2024-04-01#properties/properties/properties/dnsConfiguration" }, - "description": "Optional. Tags to help categorize the resource in the Azure portal." + "description": "Optional. Property to configure various DNS related settings for a site." }, "nullable": true + }, + "autoGeneratedDomainNameLabelScope": { + "type": "string", + "nullable": true, + "allowedValues": [ + "NoReuse", + "ResourceGroupReuse", + "SubscriptionReuse", + "TenantReuse" + ], + "metadata": { + "description": "Optional. Specifies the scope of uniqueness for the default hostname during resource creation." + } } }, "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" - } - ], - "enableReferencedModulesTelemetry": false, "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', '')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Search Index Data Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')]", - "Search Index Data Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1407120a-92aa-4202-b7e9-c0e197c71c8f')]", - "Search Service Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]" }, "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.search-searchservice.{0}.{1}', replace('0.12.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" - } - } - } - } - }, - "searchService": { - "type": "Microsoft.Search/searchServices", - "apiVersion": "2025-05-01", + "app": { + "type": "Microsoft.Web/sites", + "apiVersion": "2024-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", - "sku": { - "name": "[parameters('sku')]" - }, + "kind": "[parameters('kind')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "properties": { - "authOptions": "[parameters('authOptions')]", - "disableLocalAuth": "[parameters('disableLocalAuth')]", - "encryptionWithCmk": { - "enforcement": "[parameters('cmkEnforcement')]" - }, - "hostingMode": "[parameters('hostingMode')]", - "networkRuleSet": "[parameters('networkRuleSet')]", - "partitionCount": "[parameters('partitionCount')]", - "replicaCount": "[parameters('replicaCount')]", - "publicNetworkAccess": "[toLower(parameters('publicNetworkAccess'))]", - "semanticSearch": "[parameters('semanticSearch')]", - "computeType": "[parameters('computeType')]", - "dataExfiltrationProtections": "[parameters('dataExfiltrationProtections')]" + "managedEnvironmentId": "[if(not(empty(parameters('managedEnvironmentId'))), parameters('managedEnvironmentId'), null())]", + "serverFarmId": "[parameters('serverFarmResourceId')]", + "clientAffinityEnabled": "[parameters('clientAffinityEnabled')]", + "httpsOnly": "[parameters('httpsOnly')]", + "hostingEnvironmentProfile": "[if(not(empty(parameters('appServiceEnvironmentResourceId'))), createObject('id', parameters('appServiceEnvironmentResourceId')), null())]", + "storageAccountRequired": "[parameters('storageAccountRequired')]", + "keyVaultReferenceIdentity": "[parameters('keyVaultAccessIdentityResourceId')]", + "virtualNetworkSubnetId": "[parameters('virtualNetworkSubnetId')]", + "siteConfig": "[parameters('siteConfig')]", + "functionAppConfig": "[parameters('functionAppConfig')]", + "clientCertEnabled": "[parameters('clientCertEnabled')]", + "clientCertExclusionPaths": "[parameters('clientCertExclusionPaths')]", + "clientCertMode": "[parameters('clientCertMode')]", + "cloningInfo": "[parameters('cloningInfo')]", + "containerSize": "[parameters('containerSize')]", + "dailyMemoryTimeQuota": "[parameters('dailyMemoryTimeQuota')]", + "enabled": "[parameters('enabled')]", + "hostNameSslStates": "[parameters('hostNameSslStates')]", + "hyperV": "[parameters('hyperV')]", + "redundancyMode": "[parameters('redundancyMode')]", + "publicNetworkAccess": "[if(not(empty(parameters('publicNetworkAccess'))), parameters('publicNetworkAccess'), if(not(empty(parameters('privateEndpoints'))), 'Disabled', 'Enabled'))]", + "vnetContentShareEnabled": "[parameters('vnetContentShareEnabled')]", + "vnetImagePullEnabled": "[parameters('vnetImagePullEnabled')]", + "vnetRouteAllEnabled": "[parameters('vnetRouteAllEnabled')]", + "scmSiteAlsoStopped": "[parameters('scmSiteAlsoStopped')]", + "endToEndEncryptionEnabled": "[parameters('e2eEncryptionEnabled')]", + "dnsConfiguration": "[parameters('dnsConfiguration')]", + "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]" } }, - "searchService_diagnosticSettings": { + "app_diagnosticSettings": { "copy": { - "name": "searchService_diagnosticSettings", + "name": "app_diagnosticSettings", "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]" }, "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", - "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", + "scope": "[resourceId('Microsoft.Web/sites', parameters('name'))]", "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]", "properties": { "copy": [ @@ -53756,53 +34146,198 @@ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]" }, "dependsOn": [ - "searchService" - ] - }, - "searchService_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", - "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" - }, - "dependsOn": [ - "searchService" + "app" ] }, - "searchService_roleAssignments": { + "app_config": { "copy": { - "name": "searchService_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + "name": "app_config", + "count": "[length(coalesce(parameters('configs'), createArray()))]" }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Search/searchServices', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2025-04-01", + "name": "[format('{0}-Site-Config-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "appName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('configs'), createArray())[copyIndex()].name]" + }, + "applicationInsightResourceId": { + "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'applicationInsightResourceId')]" + }, + "storageAccountResourceId": { + "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'storageAccountResourceId')]" + }, + "storageAccountUseIdentityAuthentication": { + "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'storageAccountUseIdentityAuthentication')]" + }, + "properties": { + "value": "[tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'properties')]" + }, + "currentAppSettings": "[if(coalesce(tryGet(coalesce(parameters('configs'), createArray())[copyIndex()], 'retainCurrentAppSettings'), and(true(), equals(coalesce(parameters('configs'), createArray())[copyIndex()].name, 'appsettings'))), createObject('value', list(format('{0}/config/appsettings', resourceId('Microsoft.Web/sites', parameters('name'))), '2023-12-01').properties), createObject('value', createObject()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.44.1.10279", + "templateHash": "13783254618840971873" + }, + "name": "Site App Settings", + "description": "This module deploys a Site App Setting." + }, + "parameters": { + "appName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent site resource. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "allowedValues": [ + "appsettings", + "authsettings", + "authsettingsV2", + "azurestorageaccounts", + "backup", + "connectionstrings", + "logs", + "metadata", + "pushsettings", + "slotConfigNames", + "web" + ], + "metadata": { + "description": "Required. The name of the config." + } + }, + "properties": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The properties of the config. Note: This parameter is highly dependent on the config type, defined by its name." + } + }, + "storageAccountUseIdentityAuthentication": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. If the provided storage account requires Identity based authentication ('allowSharedKeyAccess' is set to false). When set to true, the minimum role assignment required for the App Service Managed Identity to the storage account is 'Storage Blob Data Owner'." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Required if app of kind functionapp. Resource ID of the storage account to manage triggers and logging function executions." + } + }, + "applicationInsightResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the application insight to leverage for this resource." + } + }, + "currentAppSettings": { + "type": "object", + "properties": {}, + "additionalProperties": { + "type": "string", + "metadata": { + "description": "Required. The key-values pairs of the current app settings." + } + }, + "defaultValue": {}, + "metadata": { + "description": "Optional. The current app settings." + } + } + }, + "resources": { + "applicationInsights": { + "condition": "[not(empty(parameters('applicationInsightResourceId')))]", + "existing": true, + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "subscriptionId": "[split(parameters('applicationInsightResourceId'), '/')[2]]", + "resourceGroup": "[split(parameters('applicationInsightResourceId'), '/')[4]]", + "name": "[last(split(parameters('applicationInsightResourceId'), '/'))]" + }, + "storageAccount": { + "condition": "[not(empty(parameters('storageAccountResourceId')))]", + "existing": true, + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(parameters('storageAccountResourceId'), '/')[2]]", + "resourceGroup": "[split(parameters('storageAccountResourceId'), '/')[4]]", + "name": "[last(split(parameters('storageAccountResourceId'), '/'))]" + }, + "app": { + "existing": true, + "type": "Microsoft.Web/sites", + "apiVersion": "2023-12-01", + "name": "[parameters('appName')]" + }, + "config": { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2024-04-01", + "name": "[format('{0}/{1}', parameters('appName'), parameters('name'))]", + "properties": "[union(parameters('currentAppSettings'), parameters('properties'), if(and(not(empty(parameters('storageAccountResourceId'))), not(parameters('storageAccountUseIdentityAuthentication'))), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', last(split(parameters('storageAccountResourceId'), '/')), listKeys('storageAccount', '2024-01-01').keys[0].value, environment().suffixes.storage)), if(and(not(empty(parameters('storageAccountResourceId'))), parameters('storageAccountUseIdentityAuthentication')), createObject('AzureWebJobsStorage__accountName', last(split(parameters('storageAccountResourceId'), '/')), 'AzureWebJobsStorage__blobServiceUri', reference('storageAccount').primaryEndpoints.blob, 'AzureWebJobsStorage__queueServiceUri', reference('storageAccount').primaryEndpoints.queue, 'AzureWebJobsStorage__tableServiceUri', reference('storageAccount').primaryEndpoints.table), createObject())), if(not(empty(parameters('applicationInsightResourceId'))), createObject('APPLICATIONINSIGHTS_CONNECTION_STRING', reference('applicationInsights').ConnectionString), createObject()))]", + "dependsOn": [ + "applicationInsights", + "storageAccount" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the site config." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the site config." + }, + "value": "[resourceId('Microsoft.Web/sites/config', parameters('appName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the site config was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } }, "dependsOn": [ - "searchService" + "app" ] }, - "searchService_privateEndpoints": { + "app_privateEndpoints": { "copy": { - "name": "searchService_privateEndpoints", + "name": "app_privateEndpoints", "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2025-04-01", - "name": "[format('{0}-searchService-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-app-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "subscriptionId": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[2]]", "resourceGroup": "[split(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupResourceId'), resourceGroup().id), '/')[4]]", "properties": { @@ -53812,21 +34347,21 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService'), copyIndex()))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'name'), format('pep-{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex()))]" }, - "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Search/searchServices', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService')))))), createObject('value', null()))]", - "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Search/searchServices', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'searchService')), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", + "privateLinkServiceConnections": "[if(not(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true())), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Web/sites', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')))))), createObject('value', null()))]", + "manualPrivateLinkServiceConnections": "[if(equals(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'isManualConnection'), true()), createObject('value', createArray(createObject('name', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateLinkServiceConnectionName'), format('{0}-{1}-{2}', last(split(resourceId('Microsoft.Web/sites', parameters('name')), '/')), coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites'), copyIndex())), 'properties', createObject('privateLinkServiceId', resourceId('Microsoft.Web/sites', parameters('name')), 'groupIds', createArray(coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'service'), 'sites')), 'requestMessage', coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'manualConnectionRequestMessage'), 'Manual approval required.'))))), createObject('value', null()))]", "subnetResourceId": { "value": "[coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId]" }, "enableTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" + "value": false }, "location": { "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'location'), reference(split(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()].subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)]" }, "lock": { - "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" + "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), null())]" }, "privateDnsZoneGroup": { "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" @@ -53857,36 +34392,143 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "16604612898799598358" + "version": "0.34.44.8038", + "templateHash": "12389807800450456797" + }, + "name": "Private Endpoints", + "description": "This module deploys a Private Endpoint." + }, + "definitions": { + "privateDnsZoneGroupType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private DNS Zone Group." + } + }, + "privateDnsZoneGroupConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/privateDnsZoneGroupConfigType" + }, + "metadata": { + "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "ipConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "privateLinkServiceConnectionType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string array `[]`." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } + } + }, + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + }, + "metadata": { + "__bicep_export!": true + } }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint." - }, - "definitions": { - "privateDnsZoneGroupType": { + "customDnsConfigType": { "type": "object", "properties": { - "name": { + "fqdn": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." + "description": "Optional. FQDN that resolves to private endpoint IP address." } }, - "privateDnsZoneGroupConfigs": { + "ipAddresses": { "type": "array", "items": { - "$ref": "#/definitions/privateDnsZoneGroupConfigType" + "type": "string" }, "metadata": { - "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + "description": "Required. A list of private IP addresses of the private endpoint." } } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a private dns zone group." + "__bicep_export!": true } }, "lockType": { @@ -53910,19 +34552,12 @@ "metadata": { "description": "Optional. Specify the type of lock." } - }, - "notes": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the notes of the lock." - } } }, "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -53944,7 +34579,6 @@ } }, "metadata": { - "description": "The type of a private DNS zone group configuration.", "__bicep_imported_from!": { "sourceTemplate": "private-dns-zone-group/main.bicep" } @@ -54021,7 +34655,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -54058,13 +34692,13 @@ }, "ipConfigurations": { "type": "array", + "items": { + "$ref": "#/definitions/ipConfigurationType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/ipConfigurations" - }, "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - }, - "nullable": true + } }, "privateDnsZoneGroup": { "$ref": "#/definitions/privateDnsZoneGroupType", @@ -54099,43 +34733,40 @@ }, "tags": { "type": "object", + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/tags" - }, "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - }, - "nullable": true + } }, "customDnsConfigs": { "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs" - }, "description": "Optional. Custom DNS configurations." - }, - "nullable": true + } }, "manualPrivateLinkServiceConnections": { "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/manualPrivateLinkServiceConnections" - }, "description": "Conditional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource. Required if `privateLinkServiceConnections` is empty." - }, - "nullable": true + } }, "privateLinkServiceConnections": { "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/privateLinkServiceConnections" - }, "description": "Conditional. A grouping of information about the connection to the remote resource. Required if `manualPrivateLinkServiceConnections` is empty." - }, - "nullable": true + } }, "enableTelemetry": { "type": "bool", @@ -54170,8 +34801,8 @@ "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.11.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.11.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -54189,7 +34820,7 @@ }, "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", + "apiVersion": "2024-05-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -54221,7 +34852,7 @@ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", "properties": { "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]" + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" }, "dependsOn": [ "privateEndpoint" @@ -54252,7 +34883,7 @@ "privateEndpoint_privateDnsZoneGroup": { "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", + "apiVersion": "2022-09-01", "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { @@ -54277,8 +34908,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.38.5.1644", - "templateHash": "24141742673128945" + "version": "0.34.44.8038", + "templateHash": "13997305779829540948" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group." @@ -54302,8 +34933,7 @@ } }, "metadata": { - "__bicep_export!": true, - "description": "The type of a private DNS zone group configuration." + "__bicep_export!": true } } }, @@ -54333,30 +34963,33 @@ } } }, + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigsVar", + "count": "[length(parameters('privateDnsZoneConfigs'))]", + "input": { + "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId, '/')))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId]" + } + } + } + ] + }, "resources": { "privateEndpoint": { "existing": true, "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2024-10-01", + "apiVersion": "2024-05-01", "name": "[parameters('privateEndpointName')]" }, "privateDnsZoneGroup": { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2024-10-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", "properties": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDnsZoneConfigs'))]", - "input": { - "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId, '/')))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigs')].privateDnsZoneResourceId]" - } - } - } - ] + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigsVar')]" } } }, @@ -54417,15 +35050,14 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('privateEndpoint', '2024-10-01', 'full').location]" + "value": "[reference('privateEndpoint', '2024-05-01', 'full').location]" }, "customDnsConfigs": { "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, "metadata": { - "__bicep_resource_derived_type!": { - "source": "Microsoft.Network/privateEndpoints@2024-01-01#properties/properties/properties/customDnsConfigs", - "output": true - }, "description": "The custom DNS configurations of the private endpoint." }, "value": "[reference('privateEndpoint').customDnsConfigs]" @@ -54452,273 +35084,7 @@ } }, "dependsOn": [ - "searchService" - ] - }, - "searchService_sharedPrivateLinkResources": { - "copy": { - "name": "searchService_sharedPrivateLinkResources", - "count": "[length(parameters('sharedPrivateLinkResources'))]", - "mode": "serial", - "batchSize": 1 - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-searchService-SharedPrvLink-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(tryGet(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex()))]" - }, - "searchServiceName": { - "value": "[parameters('name')]" - }, - "privateLinkResourceId": { - "value": "[parameters('sharedPrivateLinkResources')[copyIndex()].privateLinkResourceId]" - }, - "groupId": { - "value": "[parameters('sharedPrivateLinkResources')[copyIndex()].groupId]" - }, - "requestMessage": { - "value": "[parameters('sharedPrivateLinkResources')[copyIndex()].requestMessage]" - }, - "resourceRegion": { - "value": "[tryGet(parameters('sharedPrivateLinkResources')[copyIndex()], 'resourceRegion')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "2115224445601868607" - }, - "name": "Search Services Private Link Resources", - "description": "This module deploys a Search Service Private Link Resource." - }, - "parameters": { - "searchServiceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent searchServices. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the shared private link resource managed by the Azure Cognitive Search service within the specified resource group." - } - }, - "privateLinkResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource the shared private link resource is for." - } - }, - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The group ID from the provider of resource the shared private link resource is for." - } - }, - "requestMessage": { - "type": "string", - "metadata": { - "description": "Required. The request message for requesting approval of the shared private link resource." - } - }, - "resourceRegion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Can be used to specify the Azure Resource Manager location of the resource to which a shared private link is to be created. This is only required for those resources whose DNS configuration are regional (such as Azure Kubernetes Service)." - } - } - }, - "resources": { - "searchService": { - "existing": true, - "type": "Microsoft.Search/searchServices", - "apiVersion": "2025-05-01", - "name": "[parameters('searchServiceName')]" - }, - "sharedPrivateLinkResource": { - "type": "Microsoft.Search/searchServices/sharedPrivateLinkResources", - "apiVersion": "2025-05-01", - "name": "[format('{0}/{1}', parameters('searchServiceName'), parameters('name'))]", - "properties": { - "privateLinkResourceId": "[parameters('privateLinkResourceId')]", - "groupId": "[parameters('groupId')]", - "requestMessage": "[parameters('requestMessage')]", - "resourceRegion": "[parameters('resourceRegion')]" - } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the shared private link resource." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the shared private link resource." - }, - "value": "[resourceId('Microsoft.Search/searchServices/sharedPrivateLinkResources', parameters('searchServiceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the shared private link resource was created in." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "searchService" - ] - }, - "secretsExport": { - "condition": "[not(equals(parameters('secretsExportConfiguration'), null()))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[format('{0}-secrets-kv', uniqueString(deployment().name, parameters('location')))]", - "subscriptionId": "[split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/')[2]]", - "resourceGroup": "[split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/')[4]]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "keyVaultName": { - "value": "[last(split(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '/'))]" - }, - "secretsToSet": { - "value": "[union(createArray(), if(contains(parameters('secretsExportConfiguration'), 'primaryAdminKeyName'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'primaryAdminKeyName'), 'value', listAdminKeys('searchService', '2025-05-01').primaryKey)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'secondaryAdminKeyName'), createArray(createObject('name', tryGet(parameters('secretsExportConfiguration'), 'secondaryAdminKeyName'), 'value', listAdminKeys('searchService', '2025-05-01').secondaryKey)), createArray()))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.39.26.7824", - "templateHash": "696453183181258843" - } - }, - "definitions": { - "secretSetType": { - "type": "object", - "properties": { - "secretResourceId": { - "type": "string", - "metadata": { - "description": "The resourceId of the exported secret." - } - }, - "secretUri": { - "type": "string", - "metadata": { - "description": "The secret URI of the exported secret." - } - } - }, - "metadata": { - "__bicep_export!": true - } - }, - "secretToSetType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the secret to set." - } - }, - "value": { - "type": "securestring", - "metadata": { - "description": "Required. The value of the secret to set." - } - } - } - } - }, - "parameters": { - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Required. The name of the Key Vault to set the ecrets in." - } - }, - "secretsToSet": { - "type": "array", - "items": { - "$ref": "#/definitions/secretToSetType" - }, - "metadata": { - "description": "Required. The secrets to set in the Key Vault." - } - } - }, - "resources": { - "keyVault": { - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2024-11-01", - "name": "[parameters('keyVaultName')]" - }, - "secrets": { - "copy": { - "name": "secrets", - "count": "[length(parameters('secretsToSet'))]" - }, - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2024-11-01", - "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretsToSet')[copyIndex()].name)]", - "properties": { - "value": "[parameters('secretsToSet')[copyIndex()].value]" - } - } - }, - "outputs": { - "secretsSet": { - "type": "array", - "items": { - "$ref": "#/definitions/secretSetType" - }, - "metadata": { - "description": "The references to the secrets exported to the provided Key Vault." - }, - "copy": { - "count": "[length(range(0, length(coalesce(parameters('secretsToSet'), createArray()))))]", - "input": { - "secretResourceId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretsToSet')[range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()]].name)]", - "secretUri": "[reference(format('secrets[{0}]', range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()])).secretUri]" - } - } - } - } - } - }, - "dependsOn": [ - "searchService" + "app" ] } }, @@ -54726,21 +35092,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the search service." + "description": "The name of the site." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the search service." + "description": "The resource ID of the site." }, - "value": "[resourceId('Microsoft.Search/searchServices', parameters('name'))]" + "value": "[resourceId('Microsoft.Web/sites', parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The name of the resource group the search service was created in." + "description": "The resource group the site was deployed into." }, "value": "[resourceGroup().name]" }, @@ -54750,173 +35116,45 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[tryGet(tryGet(reference('searchService', '2025-05-01', 'full'), 'identity'), 'principalId')]" + "value": "[tryGet(tryGet(reference('app', '2024-04-01', 'full'), 'identity'), 'principalId')]" }, "location": { "type": "string", "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('searchService', '2025-05-01', 'full').location]" + "value": "[reference('app', '2024-04-01', 'full').location]" }, - "endpoint": { + "defaultHostname": { "type": "string", "metadata": { - "description": "The endpoint of the search service." - }, - "value": "[reference('searchService').endpoint]" - }, - "privateEndpoints": { - "type": "array", - "items": { - "$ref": "#/definitions/privateEndpointOutputType" - }, - "metadata": { - "description": "The private endpoints of the search service." - }, - "copy": { - "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]", - "input": { - "name": "[reference(format('searchService_privateEndpoints[{0}]', copyIndex())).outputs.name.value]", - "resourceId": "[reference(format('searchService_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]", - "groupId": "[tryGet(tryGet(reference(format('searchService_privateEndpoints[{0}]', copyIndex())).outputs, 'groupId'), 'value')]", - "customDnsConfigs": "[reference(format('searchService_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfigs.value]", - "networkInterfaceResourceIds": "[reference(format('searchService_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceResourceIds.value]" - } - } - }, - "exportedSecrets": { - "$ref": "#/definitions/secretsOutputType", - "metadata": { - "description": "A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret's name." + "description": "Default hostname of the app." }, - "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]" + "value": "[reference('app').defaultHostName]" }, - "primaryKey": { - "type": "securestring", + "customDomainVerificationId": { + "type": "string", "metadata": { - "description": "The primary admin API key of the search service." + "description": "Unique identifier that verifies the custom domains assigned to the app. Customer will add this ID to a txt record for verification." }, - "value": "[listAdminKeys('searchService', '2025-05-01').primaryKey]" + "value": "[reference('app').customDomainVerificationId]" }, - "secondaryKey": { - "type": "securestring", + "outboundIpAddresses": { + "type": "string", "metadata": { - "description": "The secondaryKey admin API key of the search service." + "description": "The outbound IP addresses of the app." }, - "value": "[listAdminKeys('searchService', '2025-05-01').secondaryKey]" + "value": "[reference('app').outboundIpAddresses]" } } } }, "dependsOn": [ - "aiFoundryAiServicesProject", - "existingAiFoundryAiServicesProject", - "searchService", - "userAssignedIdentity" - ] - }, - "aiSearchFoundryConnection": { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2025-04-01", - "name": "[take(format('aifp-srch-connection.{0}', variables('solutionSuffix')), 64)]", - "subscriptionId": "[variables('aiFoundryAiServicesSubscriptionId')]", - "resourceGroup": "[variables('aiFoundryAiServicesResourceGroupName')]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "aiFoundryProjectName": "[if(variables('useExistingAiFoundryAiProject'), createObject('value', variables('aiFoundryAiProjectResourceName')), createObject('value', reference('aiFoundryAiServicesProject').outputs.name.value))]", - "aiFoundryName": { - "value": "[variables('aiFoundryAiServicesResourceName')]" - }, - "aifSearchConnectionName": { - "value": "[variables('aiSearchConnectionName')]" - }, - "searchServiceResourceId": { - "value": "[resourceId('Microsoft.Search/searchServices', variables('searchServiceName'))]" - }, - "searchServiceLocation": { - "value": "[reference('searchService', '2025-05-01', 'full').location]" - }, - "searchServiceName": { - "value": "[variables('searchServiceName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.44.1.10279", - "templateHash": "1221855634359106261" - } - }, - "parameters": { - "aifSearchConnectionName": { - "type": "string", - "metadata": { - "description": "Name of the AI Foundry search connection" - } - }, - "searchServiceName": { - "type": "string", - "metadata": { - "description": "Name of the Azure AI Search service" - } - }, - "searchServiceResourceId": { - "type": "string", - "metadata": { - "description": "Resource ID of the Azure AI Search service" - } - }, - "searchServiceLocation": { - "type": "string", - "metadata": { - "description": "Location/region of the Azure AI Search service" - } - }, - "aiFoundryName": { - "type": "string", - "metadata": { - "description": "Name of the AI Foundry account" - } - }, - "aiFoundryProjectName": { - "type": "string", - "metadata": { - "description": "Name of the AI Foundry project" - } - } - }, - "resources": [ - { - "type": "Microsoft.CognitiveServices/accounts/projects/connections", - "apiVersion": "2025-12-01", - "name": "[format('{0}/{1}/{2}', parameters('aiFoundryName'), parameters('aiFoundryProjectName'), parameters('aifSearchConnectionName'))]", - "properties": { - "category": "CognitiveSearch", - "target": "[format('https://{0}.search.windows.net', parameters('searchServiceName'))]", - "authType": "AAD", - "isSharedToAll": true, - "metadata": { - "ApiType": "Azure", - "ResourceId": "[parameters('searchServiceResourceId')]", - "location": "[parameters('searchServiceLocation')]" - } - } - } - ] - } - }, - "dependsOn": [ - "aiFoundryAiServices", - "aiFoundryAiServicesProject", - "searchService" + "applicationInsights", + "containerApp", + "logAnalyticsWorkspace", + "virtualNetwork", + "webServerFarm" ] } }, @@ -54935,22 +35173,6 @@ }, "value": "[reference('webSite').outputs.defaultHostname.value]" }, - "AZURE_STORAGE_BLOB_URL": { - "type": "string", - "value": "[reference('avmStorageAccount').outputs.serviceEndpoints.value.blob]" - }, - "AZURE_STORAGE_ACCOUNT_NAME": { - "type": "string", - "value": "[variables('storageAccountName')]" - }, - "AZURE_AI_SEARCH_ENDPOINT": { - "type": "string", - "value": "[reference('searchServiceUpdate').outputs.endpoint.value]" - }, - "AZURE_AI_SEARCH_NAME": { - "type": "string", - "value": "[variables('searchServiceName')]" - }, "COSMOSDB_ENDPOINT": { "type": "string", "value": "[format('https://{0}.documents.azure.com:443/', variables('cosmosDbResourceName'))]" @@ -54975,13 +35197,9 @@ "type": "string", "value": "[variables('aiFoundryAiServicesModelDeployment').name]" }, - "AZURE_OPENAI_RAI_DEPLOYMENT_NAME": { - "type": "string", - "value": "[variables('aiFoundryAiServices4_1ModelDeployment').name]" - }, "AZURE_OPENAI_API_VERSION": { "type": "string", - "value": "[parameters('azureOpenaiAPIVersion')]" + "value": "[parameters('azureopenaiVersion')]" }, "AZURE_AI_SUBSCRIPTION_ID": { "type": "string", @@ -54995,141 +35213,21 @@ "type": "string", "value": "[if(variables('useExistingAiFoundryAiProject'), variables('aiFoundryAiProjectResourceName'), reference('aiFoundryAiServicesProject').outputs.name.value)]" }, - "AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME": { + "AZURE_AI_MODEL_DEPLOYMENT_NAME": { "type": "string", "value": "[variables('aiFoundryAiServicesModelDeployment').name]" }, - "APP_ENV": { - "type": "string", - "value": "Prod" - }, - "AI_FOUNDRY_RESOURCE_ID": { - "type": "string", - "value": "[if(not(variables('useExistingAiFoundryAiProject')), reference('aiFoundryAiServices').outputs.resourceId.value, parameters('existingFoundryProjectResourceId'))]" - }, - "COSMOSDB_ACCOUNT_NAME": { - "type": "string", - "value": "[variables('cosmosDbResourceName')]" - }, - "AZURE_SEARCH_ENDPOINT": { - "type": "string", - "value": "[reference('searchServiceUpdate').outputs.endpoint.value]" - }, - "AZURE_CLIENT_ID": { - "type": "string", - "value": "[reference('userAssignedIdentity').outputs.clientId.value]" - }, - "AZURE_TENANT_ID": { - "type": "string", - "value": "[tenant().tenantId]" - }, - "AZURE_AI_SEARCH_CONNECTION_NAME": { - "type": "string", - "value": "[variables('aiSearchConnectionName')]" - }, - "AZURE_COGNITIVE_SERVICES": { - "type": "string", - "value": "https://cognitiveservices.azure.com/.default" - }, - "REASONING_MODEL_NAME": { - "type": "string", - "value": "[variables('aiFoundryAiServicesReasoningModelDeployment').name]" - }, - "MCP_SERVER_NAME": { - "type": "string", - "value": "MacaeMcpServer" - }, - "MCP_SERVER_DESCRIPTION": { - "type": "string", - "value": "MCP server with greeting, HR, and planning tools" - }, - "SUPPORTED_MODELS": { - "type": "string", - "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]" - }, - "BACKEND_URL": { - "type": "string", - "value": "[format('https://{0}', reference('containerApp').outputs.fqdn.value)]" - }, - "AZURE_AI_PROJECT_ENDPOINT": { + "AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME": { "type": "string", - "value": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject').endpoints['AI Foundry API'], reference('aiFoundryAiServicesProject').outputs.apiEndpoint.value)]" + "value": "[variables('aiFoundryAiServicesModelDeployment').name]" }, "AZURE_AI_AGENT_ENDPOINT": { "type": "string", "value": "[if(variables('useExistingAiFoundryAiProject'), reference('existingAiFoundryAiServicesProject').endpoints['AI Foundry API'], reference('aiFoundryAiServicesProject').outputs.apiEndpoint.value)]" }, - "AZURE_AI_AGENT_API_VERSION": { - "type": "string", - "value": "[parameters('azureAiAgentAPIVersion')]" - }, - "AZURE_AI_AGENT_PROJECT_CONNECTION_STRING": { - "type": "string", - "value": "[format('{0}.services.ai.azure.com;{1};{2};{3}', variables('aiFoundryAiServicesResourceName'), variables('aiFoundryAiServicesSubscriptionId'), variables('aiFoundryAiServicesResourceGroupName'), variables('aiFoundryAiProjectResourceName'))]" - }, - "AZURE_STORAGE_CONTAINER_NAME_RETAIL_CUSTOMER": { - "type": "string", - "value": "[parameters('storageContainerNameRetailCustomer')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_RETAIL_ORDER": { - "type": "string", - "value": "[parameters('storageContainerNameRetailOrder')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_RFP_SUMMARY": { - "type": "string", - "value": "[parameters('storageContainerNameRFPSummary')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_RFP_RISK": { - "type": "string", - "value": "[parameters('storageContainerNameRFPRisk')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_RFP_COMPLIANCE": { - "type": "string", - "value": "[parameters('storageContainerNameRFPCompliance')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_CONTRACT_SUMMARY": { - "type": "string", - "value": "[parameters('storageContainerNameContractSummary')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_CONTRACT_RISK": { - "type": "string", - "value": "[parameters('storageContainerNameContractRisk')]" - }, - "AZURE_STORAGE_CONTAINER_NAME_CONTRACT_COMPLIANCE": { - "type": "string", - "value": "[parameters('storageContainerNameContractCompliance')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_RETAIL_CUSTOMER": { - "type": "string", - "value": "[variables('aiSearchIndexNameForRetailCustomer')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_RETAIL_ORDER": { - "type": "string", - "value": "[variables('aiSearchIndexNameForRetailOrder')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_RFP_SUMMARY": { - "type": "string", - "value": "[variables('aiSearchIndexNameForRFPSummary')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_RFP_RISK": { - "type": "string", - "value": "[variables('aiSearchIndexNameForRFPRisk')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_RFP_COMPLIANCE": { - "type": "string", - "value": "[variables('aiSearchIndexNameForRFPCompliance')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_SUMMARY": { - "type": "string", - "value": "[variables('aiSearchIndexNameForContractSummary')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_RISK": { - "type": "string", - "value": "[variables('aiSearchIndexNameForContractRisk')]" - }, - "AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_COMPLIANCE": { + "APP_ENV": { "type": "string", - "value": "[variables('aiSearchIndexNameForContractCompliance')]" + "value": "Prod" } } } \ No newline at end of file