WAF - naming and infra cleanup. networking adjustments (WIP)

Author: Seth

infra/main.bicep

@@ -1,7 +1,11 @@
 @minLength(3)
-@maxLength(20)
-@description('A unique application/env name for all resources in this deployment. This should be 3-20 characters long')
-param environmentName string
+@maxLength(16)
+@description('A unique application/solution name for all resources in this deployment. This should be 3-16 characters long.')
+param solutionName string
+
+@maxLength(5)
+@description('A unique token for the solution. This is used to ensure resource names are unique for global resources. Defaults to a 5-character substring of the unique string generated from the subscription ID, resource group name, and solution name.')
+param solutionUniqueToken string = substring(uniqueString(subscription().id, resourceGroup().name, solutionName), 0, 5)
 
 @minLength(3)
 @description('Azure region for all services.')
@@ -57,14 +61,10 @@ param enablePrivateNetworking bool = false
 param tags object = {}
 
 var allTags = union({
-  'azd-env-name': environmentName
+  'azd-env-name': solutionName
 }, tags)
 
-var resourcesName = trim(replace(replace(replace(replace(replace(environmentName, '-', ''), '_', ''), '.', ''),'/', ''), ' ', ''))
-var resourcesToken = substring(uniqueString(subscription().id, location, resourcesName), 0, 5)
-var uniqueResourcesName = '${resourcesName}${resourcesToken}'
-
-var appStorageContainerName = 'appstorage'
+var resourcesName = trim(replace(replace(replace(replace(replace('${solutionName}${solutionUniqueToken}', '-', ''), '_', ''), '.', ''),'/', ''), ' ', ''))
 
 var modelDeployment =  {
   name: 'gpt-4o'
@@ -98,14 +98,6 @@ module aiFoundryIdentity 'br/public:avm/res/managed-identity/user-assigned-ident
   }
 }
 
-// used for foundry to create and approve managed virtual network and approve private endpoint connections
-// Ref: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/configure-managed-network?tabs=portal#approval-of-private-endpoints
-var foundryNetworkConnectionApproverRoleAssignment = {
-  principalId: aiFoundryIdentity.outputs.principalId
-  principalType: 'ServicePrincipal'
-  roleDefinitionIdOrName: 'b556d68e-0be0-4f35-a333-ad7ee1ce17ea' // Azure AI Enterprise Network Connection Approver
-}
-
 module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.2' = if (enableMonitoring || enablePrivateNetworking) {
   name: take('log-analytics-${resourcesName}-deployment', 64)
   params: {
@@ -139,45 +131,12 @@ module network 'modules/network.bicep' = if (enablePrivateNetworking) {
   }
 }
 
-module storageAccount 'modules/storageAccount.bicep' = {
-  name: take('storage-account-${resourcesName}-deployment', 64)
-  #disable-next-line no-unnecessary-dependson
-  dependsOn: [logAnalyticsWorkspace, network] // required due to optional flags that could change dependency
-  params: {
-    name: take('st${uniqueResourcesName}', 24)
-    location: location
-    tags: allTags
-    skuName: enableRedundancy ? 'Standard_GZRS' : 'Standard_LRS'
-    logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
-    privateNetworking: enablePrivateNetworking ? {
-      virtualNetworkResourceId: network.outputs.vnetResourceId
-      subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'data')).resourceId
-    } : null
-    containers: [
-        {
-          name: appStorageContainerName
-          properties: {
-            publicAccess: 'None'
-          }
-        }
-      ]
-    roleAssignments: [
-      {
-        principalId: appIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionIdOrName: 'Storage Blob Data Contributor'
-      }
-      foundryNetworkConnectionApproverRoleAssignment
-    ]
-  }
-}
-
-module azureAiServices 'modules/aiServices.bicep' = {
+module aiServices 'modules/aiServices.bicep' = {
   name: take('aiservices-${resourcesName}-deployment', 64)
   #disable-next-line no-unnecessary-dependson
   dependsOn: [logAnalyticsWorkspace, network] // required due to optional flags that could change dependency
   params: {
-    name: 'ais-${uniqueResourcesName}'
+    name: 'ais-${resourcesName}'
     location: azureAiServiceLocation
     sku: 'S0'
     kind: 'AIServices'
@@ -190,7 +149,7 @@ module azureAiServices 'modules/aiServices.bicep' = {
     // ---------------------
     // privateNetworking: enablePrivateNetworking ? {
     //   virtualNetworkResourceId: network.outputs.vnetResourceId
-    //   subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'ai')).resourceId
+    //   subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'peps')).resourceId
     // } : null
     // ---------------------
     roleAssignments: [
@@ -204,32 +163,64 @@ module azureAiServices 'modules/aiServices.bicep' = {
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Cognitive Services OpenAI Contributor'
       }
-      foundryNetworkConnectionApproverRoleAssignment
     ]
     tags: allTags
   }
 }
 
+var appStorageContainerName = 'appstorage'
+
+module storageAccount 'modules/storageAccount.bicep' = {
+  name: take('storage-account-${resourcesName}-deployment', 64)
+  #disable-next-line no-unnecessary-dependson
+  dependsOn: [logAnalyticsWorkspace, network] // required due to optional flags that could change dependency
+  params: {
+    name: take('st${resourcesName}', 24)
+    location: location
+    tags: allTags
+    skuName: enableRedundancy ? 'Standard_GZRS' : 'Standard_LRS'
+    logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
+    privateNetworking: enablePrivateNetworking ? {
+      virtualNetworkResourceId: network.outputs.vnetResourceId
+      subnetResourceId: network.outputs.subnetPrivateEndpointsResourceId
+    } : null
+    containers: [
+        {
+          name: appStorageContainerName
+          properties: {
+            publicAccess: 'None'
+          }
+        }
+      ]
+    roleAssignments: [
+      {
+        principalId: appIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+      }
+    ]
+  }
+}
+
 module keyVault 'modules/keyVault.bicep' = {
   name: take('keyvault-${resourcesName}-deployment', 64)
   #disable-next-line no-unnecessary-dependson
   dependsOn: [logAnalyticsWorkspace, network] // required due to optional flags that could change dependency
   params: {
-    name: take('kv-${uniqueResourcesName}', 24)
+    name: take('kv-${resourcesName}', 24)
     location: location
     sku: 'standard'
     logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
     privateNetworking: enablePrivateNetworking ? {
       virtualNetworkResourceId: network.outputs.vnetResourceId
-      subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'data')).resourceId
+      subnetResourceId: network.outputs.subnetPrivateEndpointsResourceId
     } : null 
     roleAssignments: [
       {
         principalId: aiFoundryIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Key Vault Reader'
       }
-      foundryNetworkConnectionApproverRoleAssignment
     ]
     tags: allTags
   }
@@ -248,10 +239,10 @@ module azureAifoundry 'modules/aiFoundry.bicep' = {
     keyVaultResourceId: keyVault.outputs.resourceId
     userAssignedIdentityResourceId: aiFoundryIdentity.outputs.resourceId
     logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
-    aiServicesName: azureAiServices.outputs.name
+    aiServicesName: aiServices.outputs.name
     privateNetworking: enablePrivateNetworking ? {
       virtualNetworkResourceId: network.outputs.vnetResourceId
-      subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'ai')).resourceId
+      subnetResourceId: network.outputs.subnetPrivateEndpointsResourceId
     } : null
     roleAssignments: [
       {
@@ -269,19 +260,16 @@ module cosmosDb 'modules/cosmosDb.bicep' = {
   #disable-next-line no-unnecessary-dependson
   dependsOn: [logAnalyticsWorkspace, network] // required due to optional flags that could change dependency
   params: {
-    name: 'cosmos-${uniqueResourcesName}'
+    name: 'cosmos-${resourcesName}'
     location: location
     dataAccessIdentityPrincipalId: appIdentity.outputs.principalId
     logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
     zoneRedundant: enableRedundancy
     secondaryLocation: enableRedundancy && !empty(secondaryLocation) ? secondaryLocation : ''
     privateNetworking: enablePrivateNetworking ? {
       virtualNetworkResourceId: network.outputs.vnetResourceId
-      subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'data')).resourceId
+      subnetResourceId: network.outputs.subnetPrivateEndpointsResourceId
     } : null
-    roleAssignments: [
-      foundryNetworkConnectionApproverRoleAssignment
-    ]
     tags: allTags
   }
 }
@@ -298,7 +286,7 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
     location: location
     zoneRedundant: enableRedundancy && enablePrivateNetworking
     publicNetworkAccess: 'Enabled' // public access required for frontend
-    infrastructureSubnetResourceId: enablePrivateNetworking ? first(filter(network.outputs.subnets, s => s.name == 'web')).resourceId : null
+    infrastructureSubnetResourceId: enablePrivateNetworking ? network.outputs.subnetWebResourceId : null
     managedIdentities: {
       userAssignedResourceIds: [
         appIdentity.outputs.resourceId
@@ -325,7 +313,7 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
 module containerAppFrontend 'br/public:avm/res/app/container-app:0.17.0' = {
   name: take('container-app-frontend-${resourcesName}-deployment', 64)
   params: {
-    name: take('ca-${uniqueResourcesName}frontend', 32)
+    name: take('ca-${resourcesName}frontend', 32)
     location: location
     environmentResourceId: containerAppsEnvironment.outputs.resourceId
     managedIdentities: {
@@ -374,7 +362,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.17.0' = {
   #disable-next-line no-unnecessary-dependson
   dependsOn: [applicationInsights] // required due to optional flags that could change dependency
   params: {
-    name: take('ca-${uniqueResourcesName}backend', 32)
+    name: take('ca-${resourcesName}backend', 32)
     location: location
     environmentResourceId: containerAppsEnvironment.outputs.resourceId
     managedIdentities: {
@@ -417,7 +405,7 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.17.0' = {
           }
           {
             name: 'AZURE_OPENAI_ENDPOINT'
-            value: 'https://${azureAiServices.outputs.name}.openai.azure.com/'
+            value: 'https://${aiServices.outputs.name}.openai.azure.com/'
           }
           {
             name: 'MIGRATOR_AGENT_MODEL_DEPLOY'

infra/modules/aiFoundry.bicep

@@ -31,6 +31,7 @@ param aiServicesName string
 @description('Optional. Values to establish private networking for the AI Foundry resources.')
 param privateNetworking machineLearningPrivateNetworkingType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
@@ -86,7 +87,7 @@ module hub 'br/public:avm/res/machine-learning-services/workspace:0.12.1' = {
     publicNetworkAccess: privateNetworking != null ? 'Disabled' : 'Enabled'
     managedNetworkSettings: {
       isolationMode: privateNetworking != null ? 'AllowInternetOutbound' : 'Disabled'
-      outboundRules: {
+      outboundRules: privateNetworking != null ? {
         cog_services_pep: {
           category: 'UserDefined'
           destination: {
@@ -96,8 +97,8 @@ module hub 'br/public:avm/res/machine-learning-services/workspace:0.12.1' = {
           }
           type: 'PrivateEndpoint'
         }
-      }
-    }
+      } : null
+    } 
     managedIdentities: {
       systemAssigned: true
     }
@@ -168,8 +169,6 @@ resource projectReference 'Microsoft.MachineLearningServices/workspaces@2024-10-
   dependsOn: [project]
 }
 
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
-
 output projectName string = project.outputs.name
 output hubName string = hub.outputs.name
 output projectConnectionString string = '${split(projectReference.properties.discoveryUrl, '/')[2]};${subscription().subscriptionId};${resourceGroup().name};${projectReference.name}'

infra/modules/aiServices.bicep

@@ -51,9 +51,11 @@ param sku string = 'S0'
 @description('Optional. The resource ID of the Log Analytics workspace to use for diagnostic settings.')
 param logAnalyticsWorkspaceResourceId string?
 
+import { deploymentType } from 'br/public:avm/res/cognitive-services/account:0.10.2'
 @description('Optional. Specifies the OpenAI deployments to create.')
 param deployments deploymentType[] = []
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
@@ -107,7 +109,7 @@ module cognitiveService 'br/public:avm/res/cognitive-services/account:0.10.2' =
     }
     deployments: deployments
     customSubDomainName: name
-    disableLocalAuth: false // TODO - verify if this should remain false or be set dynamically via privateNetworking
+    disableLocalAuth: false
     publicNetworkAccess: privateNetworking != null ? 'Disabled' : 'Enabled'
     diagnosticSettings: !empty(logAnalyticsWorkspaceResourceId) ? [
       {
@@ -133,9 +135,6 @@ module cognitiveService 'br/public:avm/res/cognitive-services/account:0.10.2' =
   }
 }
 
-import { deploymentType } from 'br/public:avm/res/cognitive-services/account:0.10.2'
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
-
 output resourceId string = cognitiveService.outputs.resourceId
 output name string = cognitiveService.outputs.name
 output systemAssignedMIPrincipalId string? = cognitiveService.outputs.?systemAssignedMIPrincipalId

infra/modules/cosmosDb.bicep

@@ -19,9 +19,11 @@ param zoneRedundant bool
 @description('Optional. The secondary location for the Cosmos DB Account for failover and multiple writes.')
 param secondaryLocation string?
 
+import { resourcePrivateNetworkingType } from 'customTypes.bicep'
 @description('Optional. Values to establish private networking for the Cosmos DB resource.')
 param privateNetworking resourcePrivateNetworkingType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
@@ -143,9 +145,6 @@ module cosmosAccount 'br/public:avm/res/document-db/database-account:0.15.0' = {
   }
 }
 
-import { resourcePrivateNetworkingType } from 'customTypes.bicep'
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
-
 output resourceId string = cosmosAccount.outputs.resourceId
 output name string = cosmosAccount.outputs.name
 output endpoint string = cosmosAccount.outputs.endpoint

infra/modules/keyVault.bicep

@@ -17,12 +17,15 @@ param sku string = 'premium'
 @description('Optional. Resource ID of the Log Analytics workspace to use for diagnostic settings.')
 param logAnalyticsWorkspaceResourceId string?
 
+import { resourcePrivateNetworkingType } from 'customTypes.bicep'
 @description('Optional. Values to establish private networking for the Key Vault resource.')
 param privateNetworking resourcePrivateNetworkingType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
+import { secretType } from 'br/public:avm/res/key-vault/vault:0.12.1'
 @description('Optional. Array of secrets to create in the Key Vault.')
 param secrets secretType[]?
 
@@ -85,9 +88,5 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
   }
 }
 
-import { resourcePrivateNetworkingType } from 'customTypes.bicep'
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
-import { secretType } from 'br/public:avm/res/key-vault/vault:0.12.1'
-
 output resourceId string = keyvault.outputs.resourceId
 output name string = keyvault.outputs.name