update bicep to adhere to latest waf standards

Author: Harsh-Microsoft

infra/main.bicep

@@ -260,7 +260,7 @@ var formattedRoleAssignments = [
   })
 ]
 
-resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-07-01-preview' = {
   name: name
   kind: kind
   identity: identity
@@ -355,7 +355,7 @@ resource cognitiveService_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
   }
 ]
 
-module cognitiveService_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.11.0' = [
+module cognitiveService_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.11.1' = [
   for (privateEndpoint, index) in (privateEndpoints ?? []): {
     name: take('${uniqueString(deployment().name, location)}-cognitiveService-PrivateEndpoint-${index}', 64)
     scope: resourceGroup(

infra/main.json

@@ -156,7 +156,7 @@ var identity = !empty(managedIdentities)
       userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
     }
   : null
-  
+
 #disable-next-line no-deployments-resources
 resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
   name: '46d3xbcp.res.cognitiveservices-account.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
@@ -176,14 +176,14 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
   }
 }
 
-resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
+resource cMKKeyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
   name: last(split(customerManagedKey.?keyVaultResourceId!, '/'))
   scope: resourceGroup(
     split(customerManagedKey.?keyVaultResourceId!, '/')[2],
     split(customerManagedKey.?keyVaultResourceId!, '/')[4]
   )
 
-  resource cMKKey 'keys@2023-07-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
+  resource cMKKey 'keys@2025-05-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
     name: customerManagedKey.?keyName!
   }
 }
@@ -208,7 +208,7 @@ var aiServicesPrivateDnsZoneResourceId = privateNetworking != null
   ? privateNetworking.?aiServicesPrivateDnsZoneResourceId ?? ''
   : ''
 
-resource cognitiveServiceNew 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if(!useExistingService) {
+resource cognitiveServiceNew 'Microsoft.CognitiveServices/accounts@2025-07-01-preview' = if(!useExistingService) {
   name: name
   kind: kind
   identity: identity

infra/modules/ai-foundry/ai-services.bicep

@@ -187,7 +187,7 @@ var formattedRoleAssignments = [
 
 var enableReferencedModulesTelemetry = false
 
-resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-07-01-preview' existing = {
   name: name
 }
 
@@ -251,7 +251,7 @@ resource cognitiveService_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
   }
 ]
 
-module cognitiveService_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.11.0' = [
+module cognitiveService_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.11.1' = [
   for (privateEndpoint, index) in (privateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-cognitiveService-PrivateEndpoint-${index}'
     scope: resourceGroup(

infra/modules/ai-foundry/aifoundry.bicep

@@ -13,11 +13,11 @@ param secretsToSet secretToSetType[]
 //   Resources   //
 // ============= //
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+resource keyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = {
   name: keyVaultName
 }
 
-resource secrets 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = [
+resource secrets 'Microsoft.KeyVault/vaults/secrets@2025-05-01' = [
   for secret in secretsToSet: {
     name: secret.name
     parent: keyVault

infra/modules/ai-foundry/dependencies.bicep

@@ -27,7 +27,7 @@ resource cogServiceReference 'Microsoft.CognitiveServices/accounts@2024-10-01' e
 }
 
 // Create new AI project only if not reusing existing one
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if(!useExistingProject) {
+resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-07-01-preview' = if(!useExistingProject) {
   parent: cogServiceReference
   name: name
   tags: tags

infra/modules/ai-foundry/keyVaultExport.bicep

@@ -43,7 +43,7 @@ var batchContainerName = 'cmsabatch'
 var fileContainerName = 'cmsafile'
 var logContainerName = 'cmsalog'
 
-module cosmosAccount 'br/public:avm/res/document-db/database-account:0.15.0' = {
+module cosmosAccount 'br/public:avm/res/document-db/database-account:0.18.0' = {
   name: take('avm.res.document-db.database-account.${name}', 64)
   params: {
     name: name
@@ -58,7 +58,6 @@ module cosmosAccount 'br/public:avm/res/document-db/database-account:0.15.0' = {
       virtualNetworkRules: []
     }
     zoneRedundant: zoneRedundant
-    automaticFailover: !empty(secondaryLocation)
     failoverLocations: !empty(secondaryLocation)
       ? [
           {
@@ -132,7 +131,7 @@ module cosmosAccount 'br/public:avm/res/document-db/database-account:0.15.0' = {
         name: databaseName
       }
     ]
-    dataPlaneRoleAssignments: [
+    sqlRoleAssignments: [
       {
         principalId: dataAccessIdentityPrincipalId
         roleDefinitionId: sqlContributorRoleDefinition.id

infra/modules/ai-foundry/project.bicep

@@ -25,7 +25,7 @@ import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
-import { secretType } from 'br/public:avm/res/key-vault/vault:0.12.1'
+import { secretType } from 'br/public:avm/res/key-vault/vault:0.13.3'
 @description('Optional. Array of secrets to create in the Key Vault.')
 param secrets secretType[]?
 
@@ -36,7 +36,7 @@ var privateDnsZoneResourceId = privateNetworking != null
   ? privateNetworking.?privateDnsZoneResourceId ?? ''
   : ''
 
-module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+module keyvault 'br/public:avm/res/key-vault/vault:0.13.3' = {
   name: take('avm.res.key-vault.vault.${name}', 64)
   params: {
     name: name

infra/modules/cosmosDb.bicep

@@ -43,7 +43,7 @@ var filePrivateDnsZoneResourceId = privateNetworking != null
   ? privateNetworking.?filePrivateDnsZoneResourceId ?? ''
   : ''
 
-module storageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
+module storageAccount 'br/public:avm/res/storage/storage-account:0.28.0' = {
   name: take('avm.res.storage.storage-account.${name}', 64)
   #disable-next-line no-unnecessary-dependson
   params: {
@@ -108,6 +108,10 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
     roleAssignments: roleAssignments
     blobServices: {
       containers: containers ?? []
+      deleteRetentionPolicyEnabled: true
+      deleteRetentionPolicyDays: 7
+      containerDeleteRetentionPolicyEnabled: true
+      containerDeleteRetentionPolicyDays: 7
     }
     enableTelemetry: enableTelemetry
   }