Merge pull request #84 from Azure-Samples/avm_updates

Use AVM for Keyvault, Private DNS Zones, VNET and Private Endpoints

Author: tonybaloney

{{cookiecutter.__src_folder_name}}/infra/aca.bicep

@@ -23,27 +23,27 @@ param dbserverPassword string
 param postgresServiceId string
 {% endif %}
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
 resource webIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
   location: location
 }
 
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
-  name: keyVaultName
-}
-
-// Give the app access to KeyVault
-module webKeyVaultAccess './core/security/keyvault-access.bicep' = {
-  name: 'web-keyvault-access'
+module keyVaultRoleAssignment 'core/security/role.bicep' = {
+  name: 'webRoleAssignment'
   params: {
-    keyVaultName: keyVault.name
     principalId: webIdentity.properties.principalId
+    roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
   }
 }
 
 {% if cookiecutter.project_host == "aca" %}
 module app 'core/host/container-app-upsert.bicep' = {
   name: '${serviceName}-container-app-module'
+  dependsOn: [keyVaultRoleAssignment]
   params: {
     name: name
     location: location

{{cookiecutter.__src_folder_name}}/infra/appservice.bicep

@@ -11,6 +11,7 @@ param dbserverDomainName string
 param dbserverUser string
 param dbserverDatabaseName string
 {% endif %}
+param virtualNetworkSubnetId string = ''
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = {
   name: applicationInsightsName
@@ -60,15 +61,17 @@ module web 'core/host/appservice.bicep' = {
       AZURE_COSMOS_CONNECTION_STRING: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=AZURE-COSMOS-CONNECTION-STRING)'
       {% endif %}
     }
+    virtualNetworkSubnetId: virtualNetworkSubnetId
   }
 }
 
 // Give the app access to KeyVault
-module webKeyVaultAccess './core/security/keyvault-access.bicep' = {
+module webKeyVaultAccess './core/security/role.bicep' = {
   name: 'web-keyvault-access'
   params: {
-    keyVaultName: keyVaultName
     principalId: web.outputs.identityPrincipalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: '00482a5a-887f-4fb3-b363-3b7fe8e74483'
   }
 }
 

{{cookiecutter.__src_folder_name}}/infra/core/host/appservice.bicep

@@ -36,6 +36,7 @@ param scmDoBuildDuringDeployment bool = false
 param use32BitWorkerProcess bool = false
 param ftpsState string = 'FtpsOnly'
 param healthCheckPath string = ''
+param virtualNetworkSubnetId string = ''
 
 resource appService 'Microsoft.Web/sites@2022-03-01' = {
   name: name
@@ -65,6 +66,7 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
     }
     clientAffinityEnabled: clientAffinityEnabled
     httpsOnly: true
+    virtualNetworkSubnetId: virtualNetworkSubnetId
   }
 
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }

{{cookiecutter.__src_folder_name}}/infra/core/host/container-apps-environment.bicep

@@ -7,34 +7,49 @@ param containerAppsEnvironmentName string
 param containerRegistryName string
 param containerRegistryResourceGroupName string = ''
 param containerRegistryAdminUserEnabled bool = false
-param logAnalyticsWorkspaceName string
-param applicationInsightsName string = ''
+param logAnalyticsWorkspaceResourceId string
+param applicationInsightsName string = '' // Not used here, was used for DAPR
+param virtualNetworkSubnetId string = ''
 
-module containerAppsEnvironment 'container-apps-environment.bicep' = {
+@description('Optional user assigned identity IDs to assign to the resource')
+param userAssignedIdentityResourceIds array = []
+
+module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.5.2' = {
   name: '${name}-container-apps-environment'
   params: {
+    // Required parameters
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+
+    managedIdentities: empty(userAssignedIdentityResourceIds) ? {
+      systemAssigned: true
+    } : {
+      userAssignedResourceIds: userAssignedIdentityResourceIds
+    }
+
     name: containerAppsEnvironmentName
+    // Non-required parameters
+    infrastructureResourceGroupName: containerRegistryResourceGroupName
+    infrastructureSubnetId: virtualNetworkSubnetId
+    // internal: true
     location: location
     tags: tags
-    logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
-    applicationInsightsName: applicationInsightsName
   }
 }
 
-module containerRegistry 'container-registry.bicep' = {
+module containerRegistry 'br/public:avm/res/container-registry/registry:0.3.1' = {
   name: '${name}-container-registry'
   scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
   params: {
     name: containerRegistryName
     location: location
-    adminUserEnabled: containerRegistryAdminUserEnabled
+    acrAdminUserEnabled: containerRegistryAdminUserEnabled
     tags: tags
   }
 }
 
 output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain
 output environmentName string = containerAppsEnvironment.outputs.name
-output environmentId string = containerAppsEnvironment.outputs.id
+output environmentId string = containerAppsEnvironment.outputs.resourceId
 
 output registryLoginServer string = containerRegistry.outputs.loginServer
 output registryName string = containerRegistry.outputs.name