diff --git a/.env.sample b/.env.sample
index 7c0e45ba0..7a2667a8d 100644
--- a/.env.sample
+++ b/.env.sample
@@ -23,16 +23,16 @@ AZURE_AI_IMAGE_MODEL_DEPLOYMENT=gpt-image-1-mini
# Azure OpenAI Configuration
# =============================================================================
AI_FOUNDRY_RESOURCE_ID=/subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.CognitiveServices/accounts/your-aif-account
-AZURE_EXISTING_AI_PROJECT_RESOURCE_ID=/subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.CognitiveServices/accounts/your-aif-account/projects/your-project-name
+AZURE_EXISTING_AIPROJECT_RESOURCE_ID=/subscriptions/your-subscription-id/resourceGroups/your-resource-group/providers/Microsoft.CognitiveServices/accounts/your-aif-account/projects/your-project-name
# Your Azure OpenAI endpoint (e.g., https://your-resource.openai.azure.com/)
AZURE_OPENAI_ENDPOINT=https://your-openai.openai.azure.com/
# Model deployments
-AZURE_OPENAI_GPT_MODEL=gpt-5.1
+AZURE_ENV_GPT_MODEL_NAME=gpt-5.1
# Image Generation Model Configuration
# Supported models: gpt-image-1-mini or gpt-image-1.5
-AZURE_OPENAI_IMAGE_MODEL=gpt-image-1-mini
+AZURE_ENV_IMAGE_MODEL_NAME=gpt-image-1-mini
# For gpt-image-1-mini or gpt-image-1.5, the endpoint is the same as the main OpenAI endpoint, but you can specify a different one if needed
AZURE_OPENAI_GPT_IMAGE_ENDPOINT=https://your-openai.openai.azure.com
@@ -43,7 +43,7 @@ AZURE_OPENAI_IMAGE_SIZE=1024x1024
AZURE_OPENAI_IMAGE_QUALITY=medium
# API versions
-AZURE_OPENAI_API_VERSION=2024-06-01
+AZURE_ENV_OPENAI_API_VERSION=2024-06-01
AZURE_OPENAI_PREVIEW_API_VERSION=2024-02-01
# Generation parameters
diff --git a/.github/workflows/azd-template-validation.yml b/.github/workflows/azd-template-validation.yml
new file mode 100644
index 000000000..d4e0ec858
--- /dev/null
+++ b/.github/workflows/azd-template-validation.yml
@@ -0,0 +1,43 @@
+name: AZD Template Validation
+on:
+ schedule:
+ - cron: '30 1 * * 4' # Every Thursday at 7:00 AM IST (1:30 AM UTC)
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+jobs:
+ template_validation:
+ runs-on: ubuntu-latest
+ environment: production
+ name: azd template validation
+ env:
+ GH_TOKEN: ${{ github.token }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set timestamp
+ shell: bash
+ run: echo "HHMM=$(date -u +'%H%M')" >> "$GITHUB_ENV"
+
+ - name: Validate Azure Template
+ uses: microsoft/template-validation-action@v0.4.3
+ with:
+ validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
+ validateTests: ${{ vars.TEMPLATE_VALIDATE_TESTS }}
+ useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
+ id: validation
+ env:
+ AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}-${{ env.HHMM }}
+ AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ secrets.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_AI_MODEL_CAPACITY: 1
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: print result
+ run: cat ${{ steps.validation.outputs.resultFile }}
\ No newline at end of file
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
index d2a5231f4..a60e8c405 100644
--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
@@ -1,52 +1,80 @@
-name: Azure Template Validation
+name: Azure Dev Deploy
on:
workflow_dispatch:
push:
branches:
- main
+ paths:
+ - 'infra/**'
+ - 'azure*.yaml'
+ - '.github/workflows/azure-dev.yml'
+
permissions:
contents: read
id-token: write
- pull-requests: write
jobs:
- template_validation_job:
+ deploy:
runs-on: ubuntu-latest
+ name: azd deploy
environment: production
- name: Template validation
-
+ env:
+ AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}
+ AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ secrets.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ secrets.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ secrets.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
+ AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
+
steps:
- # Step 1: Checkout the code from your repository
- - name: Checkout code
+ - name: Checkout Code
uses: actions/checkout@v4
- # Step 2: Pre-authenticate Azure for azd validation
- - name: Login to Azure
+ - name: Set timestamp and env name
shell: bash
run: |
- az login --service-principal -u "${{ secrets.AZURE_CLIENT_ID }}" -p "${{ secrets.AZURE_CLIENT_SECRET }}" --tenant "${{ secrets.AZURE_TENANT_ID }}"
- az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-
- # Step 3: Validate the Azure template using microsoft/template-validation-action
- - name: Validate Azure Template
- uses: microsoft/template-validation-action@v0.4.3
+ HHMM=$(date -u +'%H%M')
+ echo "AZURE_ENV_NAME=${AZURE_ENV_NAME}-${HHMM}" >> "$GITHUB_ENV"
+
+ - name: Install azd
+ uses: Azure/setup-azd@v2
+
+ - name: Login to Azure
+ uses: azure/login@v2
with:
- workingDirectory: .
- validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
- useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
- validateTests: ${{ vars.TEMPLATE_VALIDATE_TESTS }}
- id: validation
- env:
- AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
- AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
- AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}
- AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ secrets.AZURE_ENV_OPENAI_LOCATION }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # Step 4: Print the result of the validation
- - name: Print result
- run: cat ${{ steps.validation.outputs.resultFile }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Login to AZD
+ shell: bash
+ run: |
+ azd auth login \
+ --client-id "$AZURE_CLIENT_ID" \
+ --federated-credential-provider "github" \
+ --tenant-id "$AZURE_TENANT_ID"
+
+ - name: Provision and Deploy
+ shell: bash
+ run: |
+ if ! azd env select "$AZURE_ENV_NAME"; then
+ azd env new "$AZURE_ENV_NAME" --subscription "$AZURE_SUBSCRIPTION_ID" --location "$AZURE_LOCATION" --no-prompt
+ fi
+
+ azd config set defaults.subscription "$AZURE_SUBSCRIPTION_ID"
+
+
+ if [[ -n "${AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:-}" ]]; then
+ azd env set AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID "$AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID"
+ fi
+
+ if [[ -n "${AZURE_EXISTING_AIPROJECT_RESOURCE_ID:-}" ]]; then
+ azd env set AZURE_EXISTING_AIPROJECT_RESOURCE_ID "$AZURE_EXISTING_AIPROJECT_RESOURCE_ID"
+ fi
+
+ azd up --no-prompt
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ac9b1b756..06d632978 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,6 +14,10 @@ on:
schedule:
- cron: '17 11 * * 0'
+concurrency:
+ group: codeql-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
analyze:
name: Analyze
diff --git a/.github/workflows/deploy-orchestrator.yml b/.github/workflows/deploy-orchestrator.yml
index 6eb99bc6f..d6e31a9ab 100644
--- a/.github/workflows/deploy-orchestrator.yml
+++ b/.github/workflows/deploy-orchestrator.yml
@@ -42,12 +42,12 @@ on:
required: false
default: 'GoldenPath-Testing'
type: string
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:
description: 'Log Analytics Workspace ID (Optional)'
required: false
default: ''
type: string
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID:
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID:
description: 'AI Project Resource ID (Optional)'
required: false
default: ''
@@ -61,7 +61,7 @@ on:
description: 'Trigger type (workflow_dispatch, pull_request, schedule)'
required: true
type: string
- image_model_choice:
+ AZURE_ENV_IMAGE_MODEL_NAME:
description: 'Image model to deploy (gpt-image-1-mini, gpt-image-1.5, none)'
required: false
default: 'gpt-image-1-mini'
@@ -91,12 +91,12 @@ jobs:
EXP: ${{ inputs.EXP }}
build_docker_image: ${{ inputs.build_docker_image }}
existing_webapp_url: ${{ inputs.existing_webapp_url }}
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
- docker_image_tag: ${{ needs.docker-build.outputs.IMAGE_TAG }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
+ docker_image_tag: ${{ needs.docker-build.outputs.AZURE_ENV_IMAGE_TAG }}
run_e2e_tests: ${{ inputs.run_e2e_tests }}
cleanup_resources: ${{ inputs.cleanup_resources }}
- image_model_choice: ${{ inputs.image_model_choice }}
+ AZURE_ENV_IMAGE_MODEL_NAME: ${{ inputs.AZURE_ENV_IMAGE_MODEL_NAME }}
secrets: inherit
e2e-test:
@@ -119,9 +119,9 @@ jobs:
existing_webapp_url: ${{ inputs.existing_webapp_url }}
RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
AZURE_LOCATION: ${{ needs.deploy.outputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ needs.deploy.outputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ needs.deploy.outputs.AZURE_ENV_AI_SERVICE_LOCATION }}
ENV_NAME: ${{ needs.deploy.outputs.ENV_NAME }}
- IMAGE_TAG: ${{ needs.deploy.outputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ needs.deploy.outputs.AZURE_ENV_IMAGE_TAG }}
secrets: inherit
send-notification:
diff --git a/.github/workflows/deploy-v2.yml b/.github/workflows/deploy-v2.yml
index c6933c4c1..38d0d0090 100644
--- a/.github/workflows/deploy-v2.yml
+++ b/.github/workflows/deploy-v2.yml
@@ -6,8 +6,10 @@ on:
paths:
- 'src/**'
- '!src/tests/**'
+ - '!src/pytest.ini'
- 'infra/**/*.bicep'
- 'infra/**/*.json'
+ - 'infra/scripts/**'
- '*.yaml'
- 'scripts/**'
- '.github/workflows/deploy-*.yml'
@@ -85,12 +87,12 @@ on:
- 'Smoke-Testing'
- 'None'
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:
description: 'Log Analytics Workspace ID (Optional)'
required: false
default: ''
type: string
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID:
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID:
description: 'AI Project Resource ID (Optional)'
required: false
default: ''
@@ -100,7 +102,7 @@ on:
required: false
default: ''
type: string
- image_model_choice:
+ AZURE_ENV_IMAGE_MODEL_NAME:
description: 'Image Model to Deploy'
required: false
default: 'gpt-image-1-mini'
@@ -130,10 +132,10 @@ jobs:
build_docker_image: ${{ steps.validate.outputs.build_docker_image }}
cleanup_resources: ${{ steps.validate.outputs.cleanup_resources }}
run_e2e_tests: ${{ steps.validate.outputs.run_e2e_tests }}
- azure_env_log_analytics_workspace_id: ${{ steps.validate.outputs.azure_env_log_analytics_workspace_id }}
- azure_existing_ai_project_resource_id: ${{ steps.validate.outputs.azure_existing_ai_project_resource_id }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ steps.validate.outputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ steps.validate.outputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
existing_webapp_url: ${{ steps.validate.outputs.existing_webapp_url }}
- image_model_choice: ${{ steps.validate.outputs.image_model_choice }}
+ AZURE_ENV_IMAGE_MODEL_NAME: ${{ steps.validate.outputs.AZURE_ENV_IMAGE_MODEL_NAME }}
steps:
- name: Validate Workflow Input Parameters
id: validate
@@ -147,10 +149,10 @@ jobs:
INPUT_BUILD_DOCKER_IMAGE: ${{ github.event.inputs.build_docker_image }}
INPUT_CLEANUP_RESOURCES: ${{ github.event.inputs.cleanup_resources }}
INPUT_RUN_E2E_TESTS: ${{ github.event.inputs.run_e2e_tests }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ github.event.inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ github.event.inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ github.event.inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ github.event.inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
INPUT_EXISTING_WEBAPP_URL: ${{ github.event.inputs.existing_webapp_url }}
- INPUT_IMAGE_MODEL_CHOICE: ${{ github.event.inputs.image_model_choice }}
+ INPUT_IMAGE_MODEL_CHOICE: ${{ github.event.inputs.AZURE_ENV_IMAGE_MODEL_NAME }}
run: |
echo "đ Validating workflow input parameters..."
VALIDATION_FAILED=false
@@ -242,32 +244,32 @@ jobs:
echo "â
run_e2e_tests: '$TEST_OPTION' is valid"
fi
- # Validate AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID (optional, Azure Resource ID format)
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
- echo "â ERROR: AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID (optional, Azure Resource ID format)
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]]; then
+ if [[ ! "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
- echo " Got: '$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID'"
+ echo " Got: '$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Valid Resource ID format"
+ echo "â
AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: Valid Resource ID format"
fi
else
- echo "â
AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Not provided (optional)"
+ echo "â
AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: Not provided (optional)"
fi
- # Validate AZURE_EXISTING_AI_PROJECT_RESOURCE_ID (optional, Azure Resource ID format)
- if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
- echo "â ERROR: AZURE_EXISTING_AI_PROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_EXISTING_AIPROJECT_RESOURCE_ID (optional, Azure Resource ID format)
+ if [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
+ if [[ ! "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
+ echo "â ERROR: AZURE_EXISTING_AIPROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CognitiveServices/accounts/{accountName}/projects/{projectName}"
- echo " Got: '$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID'"
+ echo " Got: '$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Valid Resource ID format"
+ echo "â
AZURE_EXISTING_AIPROJECT_RESOURCE_ID: Valid Resource ID format"
fi
else
- echo "â
AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Not provided (optional)"
+ echo "â
AZURE_EXISTING_AIPROJECT_RESOURCE_ID: Not provided (optional)"
fi
# Validate existing_webapp_url (optional, must start with https)
@@ -302,19 +304,19 @@ jobs:
echo "build_docker_image=$BUILD_DOCKER" >> $GITHUB_OUTPUT
echo "cleanup_resources=$CLEANUP_RESOURCES" >> $GITHUB_OUTPUT
echo "run_e2e_tests=$TEST_OPTION" >> $GITHUB_OUTPUT
- echo "azure_env_log_analytics_workspace_id=$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" >> $GITHUB_OUTPUT
- echo "azure_existing_ai_project_resource_id=$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" >> $GITHUB_OUTPUT
+ echo "AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID=$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" >> $GITHUB_OUTPUT
+ echo "AZURE_EXISTING_AIPROJECT_RESOURCE_ID=$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" >> $GITHUB_OUTPUT
echo "existing_webapp_url=$INPUT_EXISTING_WEBAPP_URL" >> $GITHUB_OUTPUT
- # Validate and output image_model_choice
+ # Validate and output AZURE_ENV_IMAGE_MODEL_NAME
IMAGE_MODEL="${INPUT_IMAGE_MODEL_CHOICE:-gpt-image-1-mini}"
ALLOWED_MODELS=("gpt-image-1-mini" "gpt-image-1.5" "none")
if [[ ! " ${ALLOWED_MODELS[@]} " =~ " ${IMAGE_MODEL} " ]]; then
- echo "â ERROR: image_model_choice '$IMAGE_MODEL' is invalid. Allowed: ${ALLOWED_MODELS[*]}"
+ echo "â ERROR: AZURE_ENV_IMAGE_MODEL_NAME '$IMAGE_MODEL' is invalid. Allowed: ${ALLOWED_MODELS[*]}"
exit 1
fi
- echo "â
image_model_choice: '$IMAGE_MODEL' is valid"
- echo "image_model_choice=$IMAGE_MODEL" >> $GITHUB_OUTPUT
+ echo "â
AZURE_ENV_IMAGE_MODEL_NAME: '$IMAGE_MODEL' is valid"
+ echo "AZURE_ENV_IMAGE_MODEL_NAME=$IMAGE_MODEL" >> $GITHUB_OUTPUT
Run:
needs: validate-inputs
@@ -329,9 +331,9 @@ jobs:
build_docker_image: ${{ needs.validate-inputs.outputs.build_docker_image == 'true' }}
cleanup_resources: ${{ needs.validate-inputs.outputs.cleanup_resources == 'true' }}
run_e2e_tests: ${{ needs.validate-inputs.outputs.run_e2e_tests || 'GoldenPath-Testing' }}
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ needs.validate-inputs.outputs.azure_env_log_analytics_workspace_id || '' }}
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ needs.validate-inputs.outputs.azure_existing_ai_project_resource_id || '' }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ needs.validate-inputs.outputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID || '' }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ needs.validate-inputs.outputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID || '' }}
existing_webapp_url: ${{ needs.validate-inputs.outputs.existing_webapp_url || '' }}
trigger_type: ${{ github.event_name }}
- image_model_choice: ${{ needs.validate-inputs.outputs.image_model_choice || 'gpt-image-1-mini' }}
+ AZURE_ENV_IMAGE_MODEL_NAME: ${{ needs.validate-inputs.outputs.AZURE_ENV_IMAGE_MODEL_NAME || 'gpt-image-1-mini' }}
secrets: inherit
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index ba82c1654..56c978126 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -32,6 +32,11 @@ permissions:
contents: read
actions: read
id-token: write # Required for OIDC-based Azure authentication
+
+concurrency:
+ group: docker-build-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
build-and-push:
runs-on: ubuntu-latest
diff --git a/.github/workflows/job-cleanup-deployment.yml b/.github/workflows/job-cleanup-deployment.yml
index c06039378..de81dae14 100644
--- a/.github/workflows/job-cleanup-deployment.yml
+++ b/.github/workflows/job-cleanup-deployment.yml
@@ -28,7 +28,7 @@ on:
description: 'Azure Location'
required: true
type: string
- AZURE_ENV_OPENAI_LOCATION:
+ AZURE_ENV_AI_SERVICE_LOCATION:
description: 'Azure OpenAI Location'
required: true
type: string
@@ -36,7 +36,7 @@ on:
description: 'Environment Name'
required: true
type: string
- IMAGE_TAG:
+ AZURE_ENV_IMAGE_TAG:
description: 'Docker Image Tag'
required: true
type: string
@@ -49,9 +49,9 @@ jobs:
env:
RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
ENV_NAME: ${{ inputs.ENV_NAME }}
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
steps:
- name: Login to Azure (OIDC)
uses: azure/login@v2
diff --git a/.github/workflows/job-deploy-linux.yml b/.github/workflows/job-deploy-linux.yml
index 6cfa7f910..fe8db94fe 100644
--- a/.github/workflows/job-deploy-linux.yml
+++ b/.github/workflows/job-deploy-linux.yml
@@ -6,7 +6,7 @@ on:
ENV_NAME:
required: true
type: string
- AZURE_ENV_OPENAI_LOCATION:
+ AZURE_ENV_AI_SERVICE_LOCATION:
required: true
type: string
AZURE_LOCATION:
@@ -15,7 +15,7 @@ on:
RESOURCE_GROUP_NAME:
required: true
type: string
- IMAGE_TAG:
+ AZURE_ENV_IMAGE_TAG:
required: true
type: string
BUILD_DOCKER_IMAGE:
@@ -28,10 +28,10 @@ on:
required: false
type: string
default: 'false'
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:
required: false
type: string
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID:
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID:
required: false
type: string
outputs:
@@ -52,15 +52,15 @@ jobs:
shell: bash
env:
INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
- INPUT_AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
+ INPUT_AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
INPUT_AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
- INPUT_IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ INPUT_AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
INPUT_BUILD_DOCKER_IMAGE: ${{ inputs.BUILD_DOCKER_IMAGE }}
INPUT_EXP: ${{ inputs.EXP }}
INPUT_WAF_ENABLED: ${{ inputs.WAF_ENABLED }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
run: |
echo "đ Validating workflow input parameters..."
VALIDATION_FAILED=false
@@ -76,15 +76,15 @@ jobs:
echo "â
ENV_NAME: '$INPUT_ENV_NAME' is valid"
fi
- # Validate AZURE_ENV_OPENAI_LOCATION (required, Azure region format)
- if [[ -z "$INPUT_AZURE_ENV_OPENAI_LOCATION" ]]; then
- echo "â ERROR: AZURE_ENV_OPENAI_LOCATION is required but not provided"
+ # Validate AZURE_ENV_AI_SERVICE_LOCATION (required, Azure region format)
+ if [[ -z "$INPUT_AZURE_ENV_AI_SERVICE_LOCATION" ]]; then
+ echo "â ERROR: AZURE_ENV_AI_SERVICE_LOCATION is required but not provided"
VALIDATION_FAILED=true
- elif [[ ! "$INPUT_AZURE_ENV_OPENAI_LOCATION" =~ ^[a-z0-9]+$ ]]; then
- echo "â ERROR: AZURE_ENV_OPENAI_LOCATION '$INPUT_AZURE_ENV_OPENAI_LOCATION' is invalid. Must contain only lowercase letters and numbers"
+ elif [[ ! "$INPUT_AZURE_ENV_AI_SERVICE_LOCATION" =~ ^[a-z0-9]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_AI_SERVICE_LOCATION '$INPUT_AZURE_ENV_AI_SERVICE_LOCATION' is invalid. Must contain only lowercase letters and numbers"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_OPENAI_LOCATION: '$INPUT_AZURE_ENV_OPENAI_LOCATION' is valid"
+ echo "â
AZURE_ENV_AI_SERVICE_LOCATION: '$INPUT_AZURE_ENV_AI_SERVICE_LOCATION' is valid"
fi
# Validate AZURE_LOCATION (required, Azure region format)
@@ -112,15 +112,15 @@ jobs:
echo "â
RESOURCE_GROUP_NAME: '$INPUT_RESOURCE_GROUP_NAME' is valid"
fi
- # Validate IMAGE_TAG (required, Docker tag pattern)
- if [[ -z "$INPUT_IMAGE_TAG" ]]; then
- echo "â ERROR: IMAGE_TAG is required but not provided"
+ # Validate AZURE_ENV_IMAGE_TAG (required, Docker tag pattern)
+ if [[ -z "$INPUT_AZURE_ENV_IMAGE_TAG" ]]; then
+ echo "â ERROR: AZURE_ENV_IMAGE_TAG is required but not provided"
VALIDATION_FAILED=true
- elif [[ ! "$INPUT_IMAGE_TAG" =~ ^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$ ]]; then
- echo "â ERROR: IMAGE_TAG '$INPUT_IMAGE_TAG' is invalid. Must start with alphanumeric or underscore, max 128 characters"
+ elif [[ ! "$INPUT_AZURE_ENV_IMAGE_TAG" =~ ^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$ ]]; then
+ echo "â ERROR: AZURE_ENV_IMAGE_TAG '$INPUT_AZURE_ENV_IMAGE_TAG' is invalid. Must start with alphanumeric or underscore, max 128 characters"
VALIDATION_FAILED=true
else
- echo "â
IMAGE_TAG: '$INPUT_IMAGE_TAG' is valid"
+ echo "â
AZURE_ENV_IMAGE_TAG: '$INPUT_AZURE_ENV_IMAGE_TAG' is valid"
fi
# Validate BUILD_DOCKER_IMAGE (required, must be 'true' or 'false')
@@ -147,27 +147,27 @@ jobs:
echo "â
WAF_ENABLED: '$INPUT_WAF_ENABLED' is valid"
fi
- # Validate AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID (optional, if provided must be valid Resource ID)
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
- echo "â ERROR: AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID (optional, if provided must be valid Resource ID)
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]]; then
+ if [[ ! "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
- echo " Got: '$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID'"
+ echo " Got: '$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Valid Resource ID format"
+ echo "â
AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: Valid Resource ID format"
fi
fi
- # Validate AZURE_EXISTING_AI_PROJECT_RESOURCE_ID (optional, if provided must be valid Resource ID)
- if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
- echo "â ERROR: AZURE_EXISTING_AI_PROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_EXISTING_AIPROJECT_RESOURCE_ID (optional, if provided must be valid Resource ID)
+ if [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
+ if [[ ! "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
+ echo "â ERROR: AZURE_EXISTING_AIPROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CognitiveServices/accounts/{accountName}/projects/{projectName}"
- echo " Got: '$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID'"
+ echo " Got: '$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Valid Resource ID format"
+ echo "â
AZURE_EXISTING_AIPROJECT_RESOURCE_ID: Valid Resource ID format"
fi
fi
@@ -215,14 +215,14 @@ jobs:
shell: bash
env:
ENV_NAME: ${{ inputs.ENV_NAME }}
- AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
BUILD_DOCKER_IMAGE: ${{ inputs.BUILD_DOCKER_IMAGE }}
EXP: ${{ inputs.EXP }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
run: |
set -e
@@ -235,17 +235,17 @@ jobs:
# Set additional parameters
azd env set AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
- azd env set AZURE_ENV_OPENAI_LOCATION="$AZURE_ENV_OPENAI_LOCATION"
+ azd env set AZURE_ENV_AI_SERVICE_LOCATION="$AZURE_ENV_AI_SERVICE_LOCATION"
azd env set AZURE_LOCATION="$AZURE_LOCATION"
azd env set AZURE_RESOURCE_GROUP="$RESOURCE_GROUP_NAME"
- azd env set IMAGE_TAG="$IMAGE_TAG"
+ azd env set AZURE_ENV_IMAGE_TAG="$AZURE_ENV_IMAGE_TAG"
# Set ACR name only when building Docker image
if [[ "$BUILD_DOCKER_IMAGE" == "true" ]]; then
# Extract ACR name from login server and set as environment variable
- ACR_NAME=$(echo "${{ secrets.ACR_TEST_LOGIN_SERVER }}" | cut -d'.' -f1)
- azd env set ACR_NAME="$ACR_NAME"
- echo "Set ACR name to: $ACR_NAME"
+ AZURE_ENV_CONTAINER_REGISTRY_NAME=$(echo "${{ secrets.ACR_TEST_LOGIN_SERVER }}" | cut -d'.' -f1)
+ azd env set AZURE_ENV_CONTAINER_REGISTRY_NAME="$AZURE_ENV_CONTAINER_REGISTRY_NAME"
+ echo "Set ACR name to: $AZURE_ENV_CONTAINER_REGISTRY_NAME"
else
echo "Skipping ACR name configuration (using existing image)"
fi
@@ -254,25 +254,25 @@ jobs:
echo "â
EXP ENABLED - Setting EXP parameters..."
# Set EXP variables dynamically
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then
- EXP_LOG_ANALYTICS_ID="$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID"
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]]; then
+ EXP_LOG_ANALYTICS_ID="$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID"
else
- EXP_LOG_ANALYTICS_ID="${{ secrets.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}"
+ EXP_LOG_ANALYTICS_ID="${{ secrets.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}"
fi
- if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
- EXP_AI_PROJECT_ID="$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID"
+ if [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
+ EXP_AI_PROJECT_ID="$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID"
else
- EXP_AI_PROJECT_ID="${{ secrets.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}"
+ EXP_AI_PROJECT_ID="${{ secrets.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}"
fi
- echo "AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: $EXP_LOG_ANALYTICS_ID"
- echo "AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: $EXP_AI_PROJECT_ID"
- azd env set AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID="$EXP_LOG_ANALYTICS_ID"
- azd env set AZURE_EXISTING_AI_PROJECT_RESOURCE_ID="$EXP_AI_PROJECT_ID"
+ echo "AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: $EXP_LOG_ANALYTICS_ID"
+ echo "AZURE_EXISTING_AIPROJECT_RESOURCE_ID: $EXP_AI_PROJECT_ID"
+ azd env set AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID="$EXP_LOG_ANALYTICS_ID"
+ azd env set AZURE_EXISTING_AIPROJECT_RESOURCE_ID="$EXP_AI_PROJECT_ID"
else
echo "â EXP DISABLED - Skipping EXP parameters"
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]] || [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]] || [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
echo "â ī¸ Warning: EXP parameter values provided but EXP is disabled. These values will be ignored."
fi
fi
@@ -292,8 +292,8 @@ jobs:
WAF_ENABLED: ${{ inputs.WAF_ENABLED }}
EXP: ${{ inputs.EXP }}
AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
JOB_STATUS: ${{ job.status }}
WEB_APP_URL: ${{ steps.get_output_linux.outputs.WEB_APP_URL }}
run: |
@@ -323,8 +323,8 @@ jobs:
echo "| **Configuration Type** | \`$CONFIG_TYPE\` |" >> $GITHUB_STEP_SUMMARY
echo "| **Azure Region (Infrastructure)** | \`$AZURE_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
- echo "| **Azure OpenAI Region** | \`$AZURE_ENV_OPENAI_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
- echo "| **Docker Image Tag** | \`$IMAGE_TAG\` |" >> $GITHUB_STEP_SUMMARY
+ echo "| **Azure OpenAI Region** | \`$AZURE_ENV_AI_SERVICE_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
+ echo "| **Docker Image Tag** | \`$AZURE_ENV_IMAGE_TAG\` |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [[ "$JOB_STATUS" == "success" ]]; then
diff --git a/.github/workflows/job-deploy-windows.yml b/.github/workflows/job-deploy-windows.yml
index ed8cf5a8a..0fcb88467 100644
--- a/.github/workflows/job-deploy-windows.yml
+++ b/.github/workflows/job-deploy-windows.yml
@@ -6,7 +6,7 @@ on:
ENV_NAME:
required: true
type: string
- AZURE_ENV_OPENAI_LOCATION:
+ AZURE_ENV_AI_SERVICE_LOCATION:
required: true
type: string
AZURE_LOCATION:
@@ -15,7 +15,7 @@ on:
RESOURCE_GROUP_NAME:
required: true
type: string
- IMAGE_TAG:
+ AZURE_ENV_IMAGE_TAG:
required: true
type: string
BUILD_DOCKER_IMAGE:
@@ -28,10 +28,10 @@ on:
required: false
type: string
default: 'false'
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:
required: false
type: string
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID:
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID:
required: false
type: string
outputs:
@@ -53,15 +53,15 @@ jobs:
shell: bash
env:
INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
- INPUT_AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
+ INPUT_AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
INPUT_AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
INPUT_RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
- INPUT_IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ INPUT_AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
INPUT_BUILD_DOCKER_IMAGE: ${{ inputs.BUILD_DOCKER_IMAGE }}
INPUT_EXP: ${{ inputs.EXP }}
INPUT_WAF_ENABLED: ${{ inputs.WAF_ENABLED }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
run: |
echo "đ Validating workflow input parameters..."
VALIDATION_FAILED=false
@@ -77,15 +77,15 @@ jobs:
echo "â
ENV_NAME: '$INPUT_ENV_NAME' is valid"
fi
- # Validate AZURE_ENV_OPENAI_LOCATION (required, Azure region format)
- if [[ -z "$INPUT_AZURE_ENV_OPENAI_LOCATION" ]]; then
- echo "â ERROR: AZURE_ENV_OPENAI_LOCATION is required but not provided"
+ # Validate AZURE_ENV_AI_SERVICE_LOCATION (required, Azure region format)
+ if [[ -z "$INPUT_AZURE_ENV_AI_SERVICE_LOCATION" ]]; then
+ echo "â ERROR: AZURE_ENV_AI_SERVICE_LOCATION is required but not provided"
VALIDATION_FAILED=true
- elif [[ ! "$INPUT_AZURE_ENV_OPENAI_LOCATION" =~ ^[a-z0-9]+$ ]]; then
- echo "â ERROR: AZURE_ENV_OPENAI_LOCATION '$INPUT_AZURE_ENV_OPENAI_LOCATION' is invalid. Must contain only lowercase letters and numbers"
+ elif [[ ! "$INPUT_AZURE_ENV_AI_SERVICE_LOCATION" =~ ^[a-z0-9]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_AI_SERVICE_LOCATION '$INPUT_AZURE_ENV_AI_SERVICE_LOCATION' is invalid. Must contain only lowercase letters and numbers"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_OPENAI_LOCATION: '$INPUT_AZURE_ENV_OPENAI_LOCATION' is valid"
+ echo "â
AZURE_ENV_AI_SERVICE_LOCATION: '$INPUT_AZURE_ENV_AI_SERVICE_LOCATION' is valid"
fi
# Validate AZURE_LOCATION (required, Azure region format)
@@ -113,15 +113,15 @@ jobs:
echo "â
RESOURCE_GROUP_NAME: '$INPUT_RESOURCE_GROUP_NAME' is valid"
fi
- # Validate IMAGE_TAG (required, Docker tag pattern)
- if [[ -z "$INPUT_IMAGE_TAG" ]]; then
- echo "â ERROR: IMAGE_TAG is required but not provided"
+ # Validate AZURE_ENV_IMAGE_TAG (required, Docker tag pattern)
+ if [[ -z "$INPUT_AZURE_ENV_IMAGE_TAG" ]]; then
+ echo "â ERROR: AZURE_ENV_IMAGE_TAG is required but not provided"
VALIDATION_FAILED=true
- elif [[ ! "$INPUT_IMAGE_TAG" =~ ^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$ ]]; then
- echo "â ERROR: IMAGE_TAG '$INPUT_IMAGE_TAG' is invalid. Must start with alphanumeric or underscore, max 128 characters"
+ elif [[ ! "$INPUT_AZURE_ENV_IMAGE_TAG" =~ ^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$ ]]; then
+ echo "â ERROR: AZURE_ENV_IMAGE_TAG '$INPUT_AZURE_ENV_IMAGE_TAG' is invalid. Must start with alphanumeric or underscore, max 128 characters"
VALIDATION_FAILED=true
else
- echo "â
IMAGE_TAG: '$INPUT_IMAGE_TAG' is valid"
+ echo "â
AZURE_ENV_IMAGE_TAG: '$INPUT_AZURE_ENV_IMAGE_TAG' is valid"
fi
# Validate BUILD_DOCKER_IMAGE (required, must be 'true' or 'false')
@@ -148,27 +148,27 @@ jobs:
echo "â
WAF_ENABLED: '$INPUT_WAF_ENABLED' is valid"
fi
- # Validate AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID (optional, if provided must be valid Resource ID)
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
- echo "â ERROR: AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID (optional, if provided must be valid Resource ID)
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]]; then
+ if [[ ! "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
- echo " Got: '$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID'"
+ echo " Got: '$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Valid Resource ID format"
+ echo "â
AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: Valid Resource ID format"
fi
fi
- # Validate AZURE_EXISTING_AI_PROJECT_RESOURCE_ID (optional, if provided must be valid Resource ID)
- if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
- echo "â ERROR: AZURE_EXISTING_AI_PROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_EXISTING_AIPROJECT_RESOURCE_ID (optional, if provided must be valid Resource ID)
+ if [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
+ if [[ ! "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
+ echo "â ERROR: AZURE_EXISTING_AIPROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CognitiveServices/accounts/{accountName}/projects/{projectName}"
- echo " Got: '$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID'"
+ echo " Got: '$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Valid Resource ID format"
+ echo "â
AZURE_EXISTING_AIPROJECT_RESOURCE_ID: Valid Resource ID format"
fi
fi
@@ -218,14 +218,14 @@ jobs:
shell: pwsh
env:
ENV_NAME: ${{ inputs.ENV_NAME }}
- AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
RESOURCE_GROUP_NAME: ${{ inputs.RESOURCE_GROUP_NAME }}
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
BUILD_DOCKER_IMAGE: ${{ inputs.BUILD_DOCKER_IMAGE }}
EXP: ${{ inputs.EXP }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
run: |
$ErrorActionPreference = "Stop"
@@ -238,17 +238,17 @@ jobs:
# Set additional parameters
azd env set AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
- azd env set AZURE_ENV_OPENAI_LOCATION="$env:AZURE_ENV_OPENAI_LOCATION"
+ azd env set AZURE_ENV_AI_SERVICE_LOCATION="$env:AZURE_ENV_AI_SERVICE_LOCATION"
azd env set AZURE_LOCATION="$env:AZURE_LOCATION"
azd env set AZURE_RESOURCE_GROUP="$env:RESOURCE_GROUP_NAME"
- azd env set IMAGE_TAG="$env:IMAGE_TAG"
+ azd env set AZURE_ENV_IMAGE_TAG="$env:AZURE_ENV_IMAGE_TAG"
# Set ACR name only when building Docker image
if ($env:BUILD_DOCKER_IMAGE -eq "true") {
# Extract ACR name from login server (e.g., myacr.azurecr.io -> myacr)
- $ACR_NAME = ("${{ secrets.ACR_TEST_LOGIN_SERVER }}").Split('.')[0]
- azd env set ACR_NAME="$ACR_NAME"
- Write-Host "Set ACR name to: $ACR_NAME"
+ $AZURE_ENV_CONTAINER_REGISTRY_NAME = ("${{ secrets.ACR_TEST_LOGIN_SERVER }}").Split('.')[0]
+ azd env set AZURE_ENV_CONTAINER_REGISTRY_NAME="$AZURE_ENV_CONTAINER_REGISTRY_NAME"
+ Write-Host "Set ACR name to: $AZURE_ENV_CONTAINER_REGISTRY_NAME"
} else {
Write-Host "Skipping ACR name configuration (using existing image)"
}
@@ -257,22 +257,22 @@ jobs:
Write-Host "â
EXP ENABLED - Setting EXP parameters..."
# Set EXP variables dynamically
- if ($env:INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID -ne "") {
- $EXP_LOG_ANALYTICS_ID = $env:INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID
+ if ($env:INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID -ne "") {
+ $EXP_LOG_ANALYTICS_ID = $env:INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID
} else {
- $EXP_LOG_ANALYTICS_ID = "${{ secrets.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}"
+ $EXP_LOG_ANALYTICS_ID = "${{ secrets.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}"
}
- if ($env:INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID -ne "") {
- $EXP_AI_PROJECT_ID = $env:INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID
+ if ($env:INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID -ne "") {
+ $EXP_AI_PROJECT_ID = $env:INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID
} else {
- $EXP_AI_PROJECT_ID = "${{ secrets.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}"
+ $EXP_AI_PROJECT_ID = "${{ secrets.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}"
}
- Write-Host "AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: $EXP_LOG_ANALYTICS_ID"
- Write-Host "AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: $EXP_AI_PROJECT_ID"
- azd env set AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID="$EXP_LOG_ANALYTICS_ID"
- azd env set AZURE_EXISTING_AI_PROJECT_RESOURCE_ID="$EXP_AI_PROJECT_ID"
+ Write-Host "AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: $EXP_LOG_ANALYTICS_ID"
+ Write-Host "AZURE_EXISTING_AIPROJECT_RESOURCE_ID: $EXP_AI_PROJECT_ID"
+ azd env set AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID="$EXP_LOG_ANALYTICS_ID"
+ azd env set AZURE_EXISTING_AIPROJECT_RESOURCE_ID="$EXP_AI_PROJECT_ID"
} else {
Write-Host "â EXP DISABLED - Skipping EXP parameters"
}
@@ -296,8 +296,8 @@ jobs:
WAF_ENABLED: ${{ inputs.WAF_ENABLED }}
EXP: ${{ inputs.EXP }}
AZURE_LOCATION: ${{ inputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ inputs.AZURE_ENV_OPENAI_LOCATION }}
- IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ inputs.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_ENV_IMAGE_TAG: ${{ inputs.AZURE_ENV_IMAGE_TAG }}
JOB_STATUS: ${{ job.status }}
WEB_APPURL: ${{ steps.get_output_windows.outputs.WEB_APPURL }}
run: |
@@ -325,8 +325,8 @@ jobs:
echo "| **Configuration Type** | \`$CONFIG_TYPE\` |" >> $GITHUB_STEP_SUMMARY
echo "| **Azure Region (Infrastructure)** | \`$AZURE_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
- echo "| **Azure OpenAI Region** | \`$AZURE_ENV_OPENAI_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
- echo "| **Docker Image Tag** | \`$IMAGE_TAG\` |" >> $GITHUB_STEP_SUMMARY
+ echo "| **Azure OpenAI Region** | \`$AZURE_ENV_AI_SERVICE_LOCATION\` |" >> $GITHUB_STEP_SUMMARY
+ echo "| **Docker Image Tag** | \`$AZURE_ENV_IMAGE_TAG\` |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [[ "$JOB_STATUS" == "success" ]]; then
echo "### â
Deployment Details" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/job-deploy.yml b/.github/workflows/job-deploy.yml
index 429aca483..4adbc36bc 100644
--- a/.github/workflows/job-deploy.yml
+++ b/.github/workflows/job-deploy.yml
@@ -51,12 +51,12 @@ on:
required: false
default: ''
type: string
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID:
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID:
description: 'Log Analytics Workspace ID (Optional)'
required: false
default: ''
type: string
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID:
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID:
description: 'AI Project Resource ID (Optional)'
required: false
default: ''
@@ -66,7 +66,7 @@ on:
required: false
default: ''
type: string
- image_model_choice:
+ AZURE_ENV_IMAGE_MODEL_NAME:
description: 'Image model to deploy (gpt-image-1-mini, gpt-image-1.5, none)'
required: false
default: 'gpt-image-1-mini'
@@ -84,12 +84,12 @@ on:
AZURE_LOCATION:
description: "Azure Location"
value: ${{ jobs.azure-setup.outputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION:
+ AZURE_ENV_AI_SERVICE_LOCATION:
description: "Azure OpenAI Location"
- value: ${{ jobs.azure-setup.outputs.AZURE_ENV_OPENAI_LOCATION }}
- IMAGE_TAG:
+ value: ${{ jobs.azure-setup.outputs.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_ENV_IMAGE_TAG:
description: "Docker Image Tag Used"
- value: ${{ jobs.azure-setup.outputs.IMAGE_TAG }}
+ value: ${{ jobs.azure-setup.outputs.AZURE_ENV_IMAGE_TAG }}
QUOTA_FAILED:
description: "Quota Check Failed Flag"
value: ${{ jobs.azure-setup.outputs.QUOTA_FAILED || 'false' }}
@@ -103,6 +103,7 @@ env:
CLEANUP_RESOURCES: ${{ inputs.trigger_type != 'workflow_dispatch' || inputs.cleanup_resources }}
RUN_E2E_TESTS: ${{ inputs.trigger_type == 'workflow_dispatch' && (inputs.run_e2e_tests || 'GoldenPath-Testing') || 'GoldenPath-Testing' }}
BUILD_DOCKER_IMAGE: ${{ inputs.trigger_type == 'workflow_dispatch' && (inputs.build_docker_image || false) || false }}
+ RG_TAGS: ${{ vars.RG_TAGS }}
jobs:
azure-setup:
@@ -114,8 +115,8 @@ jobs:
RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }}
ENV_NAME: ${{ steps.generate_env_name.outputs.ENV_NAME }}
AZURE_LOCATION: ${{ steps.set_region.outputs.AZURE_LOCATION }}
- AZURE_ENV_OPENAI_LOCATION: ${{ steps.set_region.outputs.AZURE_ENV_OPENAI_LOCATION }}
- IMAGE_TAG: ${{ steps.determine_image_tag.outputs.IMAGE_TAG }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ steps.set_region.outputs.AZURE_ENV_AI_SERVICE_LOCATION }}
+ AZURE_ENV_IMAGE_TAG: ${{ steps.determine_image_tag.outputs.AZURE_ENV_IMAGE_TAG }}
QUOTA_FAILED: ${{ steps.quota_failure_output.outputs.QUOTA_FAILED }}
EXP_ENABLED: ${{ steps.configure_exp.outputs.EXP_ENABLED }}
@@ -132,8 +133,8 @@ jobs:
INPUT_EXP: ${{ inputs.EXP }}
INPUT_CLEANUP_RESOURCES: ${{ inputs.cleanup_resources }}
INPUT_RUN_E2E_TESTS: ${{ inputs.run_e2e_tests }}
- INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
INPUT_EXISTING_WEBAPP_URL: ${{ inputs.existing_webapp_url }}
INPUT_DOCKER_IMAGE_TAG: ${{ inputs.docker_image_tag }}
run: |
@@ -229,27 +230,27 @@ jobs:
fi
fi
- # Validate AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID (Azure Resource ID format)
- if [[ -n "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
- echo "â ERROR: AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID (Azure Resource ID format)
+ if [[ -n "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" ]]; then
+ if [[ ! "$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/[Ww]orkspaces/[^/]+$ ]]; then
+ echo "â ERROR: AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
- echo " Got: '$INPUT_AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID'"
+ echo " Got: '$INPUT_AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: Valid Resource ID format"
+ echo "â
AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: Valid Resource ID format"
fi
fi
- # Validate AZURE_EXISTING_AI_PROJECT_RESOURCE_ID (Azure Resource ID format)
- if [[ -n "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" ]]; then
- if [[ ! "$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
- echo "â ERROR: AZURE_EXISTING_AI_PROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
+ # Validate AZURE_EXISTING_AIPROJECT_RESOURCE_ID (Azure Resource ID format)
+ if [[ -n "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" ]]; then
+ if [[ ! "$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID" =~ ^/subscriptions/[a-fA-F0-9-]+/[Rr]esource[Gg]roups/[^/]+/providers/([Mm]icrosoft\.[Mm]achine[Ll]earning[Ss]ervices/([Ww]orkspaces|[Pp]rojects)/[^/]+|[Mm]icrosoft\.[Cc]ognitive[Ss]ervices/[Aa]ccounts/[^/]+/[Pp]rojects/[^/]+)$ ]]; then
+ echo "â ERROR: AZURE_EXISTING_AIPROJECT_RESOURCE_ID is invalid. Must be a valid Azure Resource ID format:"
echo " /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.CognitiveServices/accounts/{accountName}/projects/{projectName}"
- echo " Got: '$INPUT_AZURE_EXISTING_AI_PROJECT_RESOURCE_ID'"
+ echo " Got: '$INPUT_AZURE_EXISTING_AIPROJECT_RESOURCE_ID'"
VALIDATION_FAILED=true
else
- echo "â
AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: Valid Resource ID format"
+ echo "â
AZURE_EXISTING_AIPROJECT_RESOURCE_ID: Valid Resource ID format"
fi
fi
@@ -293,8 +294,8 @@ jobs:
shell: bash
env:
INPUT_EXP: ${{ inputs.EXP }}
- INPUT_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- INPUT_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ INPUT_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ INPUT_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
run: |
echo "đ Validating EXP configuration..."
@@ -334,7 +335,7 @@ jobs:
env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
- IMAGE_MODEL_CHOICE: ${{ inputs.image_model_choice || 'gpt-image-1-mini' }}
+ AZURE_ENV_IMAGE_MODEL_NAME: ${{ inputs.AZURE_ENV_IMAGE_MODEL_NAME || 'gpt-image-1-mini' }}
IMAGE_MODEL_MIN_CAPACITY: ${{ env.IMAGE_MODEL_MIN_CAPACITY }}
AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
run: |
@@ -478,8 +479,8 @@ jobs:
run: |
echo "Selected Region from OpenAI Quota Check: $VALID_REGION"
echo "Selected Region from Search Quota Check: $SEARCH_VALID_REGION"
- echo "AZURE_ENV_OPENAI_LOCATION=$VALID_REGION" >> $GITHUB_ENV
- echo "AZURE_ENV_OPENAI_LOCATION=$VALID_REGION" >> $GITHUB_OUTPUT
+ echo "AZURE_ENV_AI_SERVICE_LOCATION=$VALID_REGION" >> $GITHUB_ENV
+ echo "AZURE_ENV_AI_SERVICE_LOCATION=$VALID_REGION" >> $GITHUB_OUTPUT
if [[ "${{ inputs.trigger_type }}" == "workflow_dispatch" && -n "$INPUT_AZURE_LOCATION" ]]; then
# Manual trigger: use user's region if it passed search quota, otherwise use search-validated region
@@ -532,7 +533,7 @@ jobs:
rg_exists=$(az group exists --name $RESOURCE_GROUP_NAME)
if [ "$rg_exists" = "false" ]; then
echo "đĻ Resource group does not exist. Creating new resource group '$RESOURCE_GROUP_NAME' in location '$AZURE_LOCATION'..."
- az group create --name $RESOURCE_GROUP_NAME --location $AZURE_LOCATION || { echo "â Error creating resource group"; exit 1; }
+ az group create --name $RESOURCE_GROUP_NAME --location $AZURE_LOCATION --tags ${{ env.RG_TAGS }} || { echo "â Error creating resource group"; exit 1; }
echo "â
Resource group '$RESOURCE_GROUP_NAME' created successfully."
else
echo "â
Resource group '$RESOURCE_GROUP_NAME' already exists. Deploying to existing resource group."
@@ -559,8 +560,8 @@ jobs:
run: |
if [[ "${{ env.BUILD_DOCKER_IMAGE }}" == "true" ]]; then
if [[ -n "$INPUT_DOCKER_IMAGE_TAG" ]]; then
- IMAGE_TAG="$INPUT_DOCKER_IMAGE_TAG"
- echo "đ Using Docker image tag from build job: $IMAGE_TAG"
+ AZURE_ENV_IMAGE_TAG="$INPUT_DOCKER_IMAGE_TAG"
+ echo "đ Using Docker image tag from build job: $AZURE_ENV_IMAGE_TAG"
else
echo "â Docker build job failed or was skipped, but BUILD_DOCKER_IMAGE is true"
exit 1
@@ -572,24 +573,24 @@ jobs:
# Determine image tag based on branch
if [[ "$BRANCH_NAME" == "main" ]]; then
- IMAGE_TAG="latest"
+ AZURE_ENV_IMAGE_TAG="latest"
echo "Using main branch - image tag: latest"
elif [[ "$BRANCH_NAME" == "dev" ]]; then
- IMAGE_TAG="dev"
+ AZURE_ENV_IMAGE_TAG="dev"
echo "Using dev branch - image tag: dev"
elif [[ "$BRANCH_NAME" == "demo" ]]; then
- IMAGE_TAG="demo"
+ AZURE_ENV_IMAGE_TAG="demo"
echo "Using demo branch - image tag: demo"
else
- IMAGE_TAG="latest"
+ AZURE_ENV_IMAGE_TAG="latest"
echo "Using default for branch '$BRANCH_NAME' - image tag: latest"
fi
- echo "Using existing Docker image tag: $IMAGE_TAG"
+ echo "Using existing Docker image tag: $AZURE_ENV_IMAGE_TAG"
fi
- echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
- echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_OUTPUT
+ echo "AZURE_ENV_IMAGE_TAG=$AZURE_ENV_IMAGE_TAG" >> $GITHUB_ENV
+ echo "AZURE_ENV_IMAGE_TAG=$AZURE_ENV_IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Generate Unique Environment Name
id: generate_env_name
@@ -645,15 +646,15 @@ jobs:
uses: ./.github/workflows/job-deploy-linux.yml
with:
ENV_NAME: ${{ needs.azure-setup.outputs.ENV_NAME }}
- AZURE_ENV_OPENAI_LOCATION: ${{ needs.azure-setup.outputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ needs.azure-setup.outputs.AZURE_ENV_AI_SERVICE_LOCATION }}
AZURE_LOCATION: ${{ needs.azure-setup.outputs.AZURE_LOCATION }}
RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
- IMAGE_TAG: ${{ needs.azure-setup.outputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ needs.azure-setup.outputs.AZURE_ENV_IMAGE_TAG }}
BUILD_DOCKER_IMAGE: ${{ inputs.build_docker_image || 'false' }}
EXP: ${{ needs.azure-setup.outputs.EXP_ENABLED }}
WAF_ENABLED: ${{ inputs.waf_enabled == true && 'true' || 'false' }}
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
secrets: inherit
deploy-windows:
@@ -663,13 +664,13 @@ jobs:
uses: ./.github/workflows/job-deploy-windows.yml
with:
ENV_NAME: ${{ needs.azure-setup.outputs.ENV_NAME }}
- AZURE_ENV_OPENAI_LOCATION: ${{ needs.azure-setup.outputs.AZURE_ENV_OPENAI_LOCATION }}
+ AZURE_ENV_AI_SERVICE_LOCATION: ${{ needs.azure-setup.outputs.AZURE_ENV_AI_SERVICE_LOCATION }}
AZURE_LOCATION: ${{ needs.azure-setup.outputs.AZURE_LOCATION }}
RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
- IMAGE_TAG: ${{ needs.azure-setup.outputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ needs.azure-setup.outputs.AZURE_ENV_IMAGE_TAG }}
BUILD_DOCKER_IMAGE: ${{ inputs.build_docker_image || 'false' }}
EXP: ${{ needs.azure-setup.outputs.EXP_ENABLED }}
WAF_ENABLED: ${{ inputs.waf_enabled == true && 'true' || 'false' }}
- AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID: ${{ inputs.AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID }}
- AZURE_EXISTING_AI_PROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AI_PROJECT_RESOURCE_ID }}
+ AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID: ${{ inputs.AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID }}
+ AZURE_EXISTING_AIPROJECT_RESOURCE_ID: ${{ inputs.AZURE_EXISTING_AIPROJECT_RESOURCE_ID }}
secrets: inherit
diff --git a/.github/workflows/job-docker-build.yml b/.github/workflows/job-docker-build.yml
index 3773ea285..48266fab7 100644
--- a/.github/workflows/job-docker-build.yml
+++ b/.github/workflows/job-docker-build.yml
@@ -13,9 +13,9 @@ on:
default: false
type: boolean
outputs:
- IMAGE_TAG:
+ AZURE_ENV_IMAGE_TAG:
description: "Generated Docker Image Tag"
- value: ${{ jobs.docker-build.outputs.IMAGE_TAG }}
+ value: ${{ jobs.docker-build.outputs.AZURE_ENV_IMAGE_TAG }}
env:
BRANCH_NAME: ${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
environment: production
outputs:
- IMAGE_TAG: ${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}
+ AZURE_ENV_IMAGE_TAG: ${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}
steps:
- name: Checkout Code
uses: actions/checkout@v6
@@ -41,8 +41,8 @@ jobs:
BRANCH_NAME="${{ github.head_ref || github.ref_name }}"
CLEAN_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/[^a-zA-Z0-9._-]/-/g' | sed 's/--*/-/g' | sed 's/^-\|-$//g')
UNIQUE_TAG="${CLEAN_BRANCH_NAME}-${TIMESTAMP}-${RUN_ID}"
- echo "IMAGE_TAG=$UNIQUE_TAG" >> $GITHUB_ENV
- echo "IMAGE_TAG=$UNIQUE_TAG" >> $GITHUB_OUTPUT
+ echo "AZURE_ENV_IMAGE_TAG=$UNIQUE_TAG" >> $GITHUB_ENV
+ echo "AZURE_ENV_IMAGE_TAG=$UNIQUE_TAG" >> $GITHUB_OUTPUT
echo "Generated unique Docker tag: $UNIQUE_TAG"
- name: Set up Docker Buildx
@@ -69,8 +69,8 @@ jobs:
file: ./src/app/WebApp.Dockerfile
push: true
tags: |
- ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-app:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}
- ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-app:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}_${{ github.run_number }}
+ ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-app:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}
+ ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-app:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}_${{ github.run_number }}
- name: Build and Push Docker Image for Backend Server
id: build_push_backend
@@ -82,26 +82,26 @@ jobs:
file: ./src/backend/ApiApp.Dockerfile
push: true
tags: |
- ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-api:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}
- ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-api:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}_${{ github.run_number }}
+ ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-api:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}
+ ${{ secrets.ACR_TEST_LOGIN_SERVER }}/content-gen-api:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}_${{ github.run_number }}
- name: Verify Docker Image Build
shell: bash
run: |
echo "â
Docker images successfully built and pushed"
- echo "Image tag: ${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}"
+ echo "Image tag: ${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}"
- name: Generate Docker Build Summary
if: always()
shell: bash
run: |
- ACR_NAME=$(echo "${{ secrets.ACR_TEST_LOGIN_SERVER }}")
+ AZURE_ENV_CONTAINER_REGISTRY_SERVER=$(echo "${{ secrets.ACR_TEST_LOGIN_SERVER }}")
echo "## đŗ Docker Build Job Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
echo "| **Job Status** | ${{ job.status == 'success' && 'â
Success' || 'â Failed' }} |" >> $GITHUB_STEP_SUMMARY
- echo "| **Image Tag** | \`${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}\` |" >> $GITHUB_STEP_SUMMARY
+ echo "| **Image Tag** | \`${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}\` |" >> $GITHUB_STEP_SUMMARY
echo "| **Branch** | ${{ env.BRANCH_NAME }} |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [[ "${{ job.status }}" == "success" ]]; then
@@ -109,8 +109,8 @@ jobs:
echo "Successfully built and pushed Docker images to ACR:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Built Images:**" >> $GITHUB_STEP_SUMMARY
- echo "- \`${ACR_NAME}/content-gen-app:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}\`" >> $GITHUB_STEP_SUMMARY
- echo "- \`${ACR_NAME}/content-gen-api:${{ steps.generate_docker_tag.outputs.IMAGE_TAG }}\`" >> $GITHUB_STEP_SUMMARY
+ echo "- \`${AZURE_ENV_CONTAINER_REGISTRY_SERVER}/content-gen-app:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}\`" >> $GITHUB_STEP_SUMMARY
+ echo "- \`${AZURE_ENV_CONTAINER_REGISTRY_SERVER}/content-gen-api:${{ steps.generate_docker_tag.outputs.AZURE_ENV_IMAGE_TAG }}\`" >> $GITHUB_STEP_SUMMARY
else
echo "### â Build Failed" >> $GITHUB_STEP_SUMMARY
echo "- Docker build process encountered an error" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
index 8e739ab4a..592930f82 100644
--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -2,6 +2,18 @@ name: PyLint
on:
push:
+ branches:
+ - main
+ - dev
+ paths:
+ - 'src/backend/**/*.py'
+ - 'src/backend/requirements*.txt'
+ - '.flake8'
+ - '.github/workflows/pylint.yml'
+ pull_request:
+ branches:
+ - main
+ - dev
paths:
- 'src/backend/**/*.py'
- 'src/backend/requirements*.txt'
@@ -12,6 +24,10 @@ permissions:
contents: read
actions: read
+concurrency:
+ group: pylint-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
build:
runs-on: ubuntu-latest
@@ -25,6 +41,8 @@ jobs:
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
+ cache: 'pip'
+ cache-dependency-path: src/backend/requirements*.txt
- name: Install dependencies
run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 47b1faa1c..82573ca99 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,8 +6,9 @@ on:
- main
- dev
paths:
- - '**/*.py'
+ - 'src/**/*.py'
- 'src/backend/requirements*.txt'
+ - 'src/pytest.ini'
- '.github/workflows/test.yml'
pull_request:
types:
@@ -19,14 +20,19 @@ on:
- main
- dev
paths:
- - '**/*.py'
+ - 'src/**/*.py'
- 'src/backend/requirements*.txt'
+ - 'src/pytest.ini'
- '.github/workflows/test.yml'
permissions:
contents: read
actions: read
+concurrency:
+ group: test-${{ github.ref }}
+ cancel-in-progress: true
+
jobs:
backend_tests:
runs-on: ubuntu-latest
@@ -39,6 +45,8 @@ jobs:
uses: actions/setup-python@v6
with:
python-version: "3.11"
+ cache: 'pip'
+ cache-dependency-path: src/backend/requirements*.txt
- name: Install Backend Dependencies
run: |
diff --git a/.github/workflows/validate-bicep-params.yml b/.github/workflows/validate-bicep-params.yml
new file mode 100644
index 000000000..bcb03f097
--- /dev/null
+++ b/.github/workflows/validate-bicep-params.yml
@@ -0,0 +1,108 @@
+name: Validate Bicep Parameters
+
+permissions:
+ contents: read
+
+on:
+ schedule:
+ - cron: '30 6 * * 3' # Wednesday 12:00 PM IST (6:30 AM UTC)
+ pull_request:
+ branches:
+ - main
+ - dev
+ paths:
+ - 'infra/**/*.bicep'
+ - 'infra/**/*.parameters.json'
+ - 'infra/scripts/validate_bicep_params.py'
+ workflow_dispatch:
+
+env:
+ accelerator_name: "Content Generation"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+
+ - name: Validate infra/ parameters
+ id: validate_infra
+ continue-on-error: true
+ run: |
+ set +e
+ python infra/scripts/validate_bicep_params.py --dir infra --strict --no-color --json-output infra_results.json 2>&1 | tee infra_output.txt
+ EXIT_CODE=${PIPESTATUS[0]}
+ set -e
+ echo "## Infra Param Validation" >> "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
+ cat infra_output.txt >> "$GITHUB_STEP_SUMMARY"
+ echo '```' >> "$GITHUB_STEP_SUMMARY"
+ exit $EXIT_CODE
+
+ - name: Set overall result
+ id: result
+ run: |
+ if [[ "${{ steps.validate_infra.outcome }}" == "failure" ]]; then
+ echo "status=failure" >> "$GITHUB_OUTPUT"
+ else
+ echo "status=success" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Upload validation results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: bicep-validation-results
+ path: |
+ infra_results.json
+ retention-days: 30
+
+ - name: Send schedule notification on failure
+ if: github.event_name == 'schedule' && steps.result.outputs.status == 'failure'
+ env:
+ LOGICAPP_URL: ${{ secrets.EMAILNOTIFICATION_LOGICAPP_URL_TA }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+ GITHUB_RUN_ID: ${{ github.run_id }}
+ ACCELERATOR_NAME: ${{ env.accelerator_name }}
+ run: |
+ RUN_URL="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+ INFRA_OUTPUT=$(sed 's/&/\&/g; s//\>/g' infra_output.txt)
+
+ jq -n \
+ --arg name "${ACCELERATOR_NAME}" \
+ --arg infra "$INFRA_OUTPUT" \
+ --arg url "$RUN_URL" \
+ '{subject: ("Bicep Parameter Validation Report - " + $name + " - Issues Detected"), body: ("Dear Team,
The scheduled Bicep Parameter Validation for " + $name + " has detected parameter mapping errors.
infra/ Results:
" + $infra + "
Run URL: " + $url + "
Please fix the parameter mapping issues at your earliest convenience.
Best regards,
Your Automation Team
")}' \
+ | curl -X POST "${LOGICAPP_URL}" \
+ -H "Content-Type: application/json" \
+ -d @- || echo "Failed to send notification"
+
+ - name: Send schedule notification on success
+ if: github.event_name == 'schedule' && steps.result.outputs.status == 'success'
+ env:
+ LOGICAPP_URL: ${{ secrets.EMAILNOTIFICATION_LOGICAPP_URL_TA }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+ GITHUB_RUN_ID: ${{ github.run_id }}
+ ACCELERATOR_NAME: ${{ env.accelerator_name }}
+ run: |
+ RUN_URL="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+ INFRA_OUTPUT=$(sed 's/&/\&/g; s//\>/g' infra_output.txt)
+
+ jq -n \
+ --arg name "${ACCELERATOR_NAME}" \
+ --arg infra "$INFRA_OUTPUT" \
+ --arg url "$RUN_URL" \
+ '{subject: ("Bicep Parameter Validation Report - " + $name + " - Passed"), body: ("Dear Team,
The scheduled Bicep Parameter Validation for " + $name + " has completed successfully. All parameter mappings are valid.
infra/ Results:
" + $infra + "
Run URL: " + $url + "
Best regards,
Your Automation Team
")}' \
+ | curl -X POST "${LOGICAPP_URL}" \
+ -H "Content-Type: application/json" \
+ -d @- || echo "Failed to send notification"
+
+ - name: Fail if errors found
+ if: steps.result.outputs.status == 'failure'
+ run: exit 1
diff --git a/README.md b/README.md
index 8ac7b64b4..1b6c55592 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,8 @@ Follow the quick deploy steps on the deployment guide to deploy this solution to
+> **Note**: Some tenants may have additional security restrictions that run periodically and could impact the application (e.g., blocking public network access). If you experience issues or the application stops working, check if these restrictions are the cause. In such cases, consider deploying the WAF-supported version to ensure compliance. To configure, [Click here](./docs/AZD_DEPLOYMENT.md#3-choose-deployment-configuration).
+
> â ī¸ **Important: Check Azure OpenAI Quota Availability**
To ensure sufficient quota is available in your subscription, please follow [quota check instructions guide](./docs/QuotaCheck.md) before you deploy the solution.
diff --git a/azure.yaml b/azure.yaml
index 521778a24..e0fda8a98 100644
--- a/azure.yaml
+++ b/azure.yaml
@@ -8,6 +8,7 @@ metadata:
requiredVersions:
azd: '>= 1.18.0 != 1.23.9'
+ bicep: '>= 0.33.0'
parameters:
solutionPrefix:
@@ -66,7 +67,7 @@ hooks:
Write-Host "AI Search Index: " -NoNewline
Write-Host "$env:AZURE_AI_SEARCH_PRODUCTS_INDEX" -ForegroundColor Cyan
Write-Host "AI Service Location: " -NoNewline
- Write-Host "$env:AZURE_ENV_OPENAI_LOCATION" -ForegroundColor Cyan
+ Write-Host "$env:AZURE_ENV_AI_SERVICE_LOCATION" -ForegroundColor Cyan
Write-Host "Container Instance: " -NoNewline
Write-Host "$env:CONTAINER_INSTANCE_NAME" -ForegroundColor Cyan
@@ -112,11 +113,11 @@ hooks:
echo "Storage Account: $AZURE_BLOB_ACCOUNT_NAME"
echo "AI Search Service: $AI_SEARCH_SERVICE_NAME"
echo "AI Search Index: $AZURE_AI_SEARCH_PRODUCTS_INDEX"
- echo "AI Service Location: $AZURE_ENV_OPENAI_LOCATION"
+ echo "AI Service Location: $AZURE_ENV_AI_SERVICE_LOCATION"
echo "Container Instance: $CONTAINER_INSTANCE_NAME"
echo ""
- echo "Container Registry: $ACR_NAME"
+ echo "Container Registry: $AZURE_ENV_CONTAINER_REGISTRY_NAME"
# Run post-deploy script to upload sample data and create search index
echo ""
diff --git a/azure_custom.yaml b/azure_custom.yaml
index 3b7bb0261..f2a7e530f 100644
--- a/azure_custom.yaml
+++ b/azure_custom.yaml
@@ -1,48 +1,236 @@
-environment:
- name: document-generation
- location: eastus
-
-name: document-generation
+name: content-generation
metadata:
- template: document-generation@1.0
+ template: content-generation@1.22
requiredVersions:
azd: '>= 1.18.0 != 1.23.9'
-parameters:
- solutionPrefix:
- type: string
- default: bs-azdtest
- otherLocation:
- type: string
- default: eastus2
- baseUrl:
- type: string
- default: 'https://github.com/microsoft/document-generation-solution-accelerator'
+infra:
+ path: ./infra
+ module: main
services:
- webapp:
- project: ./src
- language: py
+ frontend:
+ project: ./src/app/frontend-server
+ language: js
host: appservice
dist: ./dist
+ resourceName: ${APP_SERVICE_NAME}
hooks:
prepackage:
windows:
shell: pwsh
- run: ../infra/scripts/package_webapp.ps1
- interactive: true
+ run: ../../../infra/scripts/package_frontend.ps1
continueOnError: false
posix:
shell: sh
- run: bash ../infra/scripts/package_webapp.sh
- interactive: true
+ run: chmod +x ../../../infra/scripts/package_frontend.sh && ../../../infra/scripts/package_frontend.sh
continueOnError: false
-deployment:
- mode: Incremental
- template: ./infra/main.bicep # Path to the main.bicep file inside the 'deployment' folder
- parameters:
- solutionPrefix: ${parameters.solutionPrefix}
- otherLocation: ${parameters.otherLocation}
- baseUrl: ${parameters.baseUrl}
+hooks:
+ preprovision:
+ windows:
+ shell: pwsh
+ run: |
+ Write-Host "Preparing deployment..." -ForegroundColor Cyan
+
+ # Check if this is first run (ACR doesn't exist yet)
+ # Set AZURE_ENV_IMAGE_TAG='none' to skip ACI deployment until image is built
+ if (-not $env:AZURE_ENV_CONTAINER_REGISTRY_NAME) {
+ Write-Host "First deployment - ACI will be deployed after image build" -ForegroundColor Yellow
+ azd env set AZURE_ENV_IMAGE_TAG none
+ }
+ continueOnError: false
+ posix:
+ shell: sh
+ run: |
+ echo "Preparing deployment..."
+
+ # Check if this is first run (ACR doesn't exist yet)
+ if [ -z "$AZURE_ENV_CONTAINER_REGISTRY_NAME" ]; then
+ echo "First deployment - ACI will be deployed after image build"
+ azd env set AZURE_ENV_IMAGE_TAG none
+ fi
+ continueOnError: false
+
+ postprovision:
+ windows:
+ shell: pwsh
+ run: |
+ $acrName = $env:AZURE_ENV_CONTAINER_REGISTRY_NAME
+ $resourceGroup = $env:RESOURCE_GROUP_NAME
+ $backendImage = $env:BACKEND_IMAGE_NAME
+ $appServiceName = $env:APP_SERVICE_NAME
+
+ if (-not $acrName -or -not $resourceGroup -or -not $appServiceName) {
+ Write-Host "ERROR: Missing required environment variables" -ForegroundColor Red
+ exit 1
+ }
+
+ # Check if ACI already exists (reads from persisted azd env)
+ $aciName = azd env get-value CONTAINER_INSTANCE_NAME 2>$null
+ $global:LASTEXITCODE = 0
+
+ # ===== Build Backend Image (ACR Build) =====
+ Write-Host ""
+ Write-Host "===== Building Backend Image =====" -ForegroundColor Yellow
+ Write-Host "Registry: $acrName" -ForegroundColor Cyan
+ Write-Host "Image: ${backendImage}:latest" -ForegroundColor Cyan
+
+ az acr login --name $acrName 2>$null
+ az acr build --registry $acrName --image "${backendImage}:latest" --file ./src/backend/ApiApp.Dockerfile ./src/backend
+ if ($LASTEXITCODE -ne 0) {
+ Write-Host "Failed to build container image" -ForegroundColor Red
+ exit 1
+ }
+ Write-Host "Container image built and pushed successfully!" -ForegroundColor Green
+
+ # ===== Deploy ACI if not already deployed =====
+ if (-not $aciName) {
+ Write-Host ""
+ Write-Host "===== Deploying Container Instance =====" -ForegroundColor Yellow
+ azd env set AZURE_ENV_IMAGE_TAG latest
+
+ # Use az deployment instead of azd provision to avoid hook recursion
+ # Pass parameters inline (main.parameters.json uses AZD ${VAR} syntax not supported by az CLI)
+ Write-Host "Deploying ACI via Bicep..." -ForegroundColor Cyan
+
+ az deployment group create `
+ --resource-group $resourceGroup `
+ --template-file ./infra/main.bicep `
+ --parameters solutionName=$env:AZURE_ENV_NAME `
+ --parameters location=$env:AZURE_LOCATION `
+ --parameters azureAiServiceLocation=$env:AZURE_ENV_AI_SERVICE_LOCATION `
+ --parameters imageTag=latest `
+ --query "properties.outputs" -o json | Out-Null
+
+ if ($LASTEXITCODE -eq 0) {
+ # Refresh azd env with new outputs
+ azd env refresh --no-prompt 2>$null
+ Write-Host "Container Instance deployed successfully!" -ForegroundColor Green
+ } else {
+ Write-Host "Container Instance deployment failed" -ForegroundColor Red
+ }
+ } else {
+ Write-Host ""
+ Write-Host "Container Instance: $aciName" -ForegroundColor Cyan
+ }
+
+ Write-Host ""
+ Write-Host "===== Postprovision Complete - Frontend will deploy next =====" -ForegroundColor Green
+
+ # Ensure postprovision exits successfully so frontend deploys
+ exit 0
+ interactive: true
+ continueOnError: false
+
+ posix:
+ shell: sh
+ run: |
+ ACR_NAME="$AZURE_ENV_CONTAINER_REGISTRY_NAME"
+ RESOURCE_GROUP="$RESOURCE_GROUP_NAME"
+ BACKEND_IMAGE="$BACKEND_IMAGE_NAME"
+ APP_SERVICE="$APP_SERVICE_NAME"
+
+ if [ -z "$ACR_NAME" ] || [ -z "$RESOURCE_GROUP" ] || [ -z "$APP_SERVICE" ]; then
+ echo "ERROR: Missing required environment variables"
+ exit 1
+ fi
+
+ # Check if ACI already exists (reads from persisted azd env)
+ ACI_NAME=$(azd env get-value CONTAINER_INSTANCE_NAME 2>/dev/null || echo "")
+
+ # ===== Build Backend Image (ACR Build) =====
+ echo ""
+ echo "===== Building Backend Image ====="
+ echo "Registry: $ACR_NAME"
+ echo "Image: $BACKEND_IMAGE:latest"
+
+ if az acr build --registry "$ACR_NAME" --image "$BACKEND_IMAGE:latest" --file ./src/backend/ApiApp.Dockerfile ./src/backend; then
+ echo "Container image built and pushed successfully!"
+ else
+ echo "Failed to build container image"
+ exit 1
+ fi
+
+ # ===== Deploy ACI if not already deployed =====
+ if [ -z "$ACI_NAME" ]; then
+ echo ""
+ echo "===== Deploying Container Instance ====="
+ azd env set AZURE_ENV_IMAGE_TAG latest
+
+ # Use az deployment instead of azd provision to avoid hook recursion
+ # Pass parameters inline (main.parameters.json uses AZD ${VAR} syntax not supported by az CLI)
+ echo "Deploying ACI via Bicep..."
+ if az deployment group create \
+ --resource-group "$RESOURCE_GROUP" \
+ --template-file ./infra/main.bicep \
+ --parameters solutionName="$AZURE_ENV_NAME" \
+ --parameters location="$AZURE_LOCATION" \
+ --parameters azureAiServiceLocation="$AZURE_ENV_AI_SERVICE_LOCATION" \
+ --parameters imageTag=latest \
+ --query "properties.outputs" -o json > /dev/null; then
+ # Refresh azd env with new outputs
+ azd env refresh --no-prompt 2>/dev/null
+ echo "Container Instance deployed successfully!"
+ else
+ echo "Container Instance deployment failed"
+ fi
+ else
+ echo ""
+ echo "Container Instance: $ACI_NAME"
+ fi
+
+ echo ""
+ echo "===== Postprovision Complete - Frontend will deploy next ====="
+
+ # Ensure postprovision exits successfully so frontend deploys
+ exit 0
+ interactive: true
+ continueOnError: false
+
+ postdeploy:
+ windows:
+ shell: pwsh
+ run: |
+ Write-Host "===== Running Post-Deploy Script =====" -ForegroundColor Yellow
+ $python = "python"
+ if (Test-Path "./.venv/Scripts/python.exe") { $python = "./.venv/Scripts/python.exe" }
+ & $python -m pip install -r ./scripts/requirements-post-deploy.txt --quiet 2>$null
+
+ if (Test-Path "./scripts/post_deploy.py") {
+ & $python ./scripts/post_deploy.py --skip-tests
+ if ($LASTEXITCODE -eq 0) {
+ Write-Host "Post-deploy script completed successfully!" -ForegroundColor Green
+ } else {
+ Write-Host "Post-deploy script completed with warnings" -ForegroundColor Yellow
+ }
+ }
+
+ Write-Host ""
+ Write-Host "===== Deployment Complete =====" -ForegroundColor Green
+ Write-Host "Access the web application:" -ForegroundColor White
+ Write-Host " $env:WEB_APP_URL" -ForegroundColor Cyan
+ interactive: true
+ continueOnError: false
+
+ posix:
+ shell: sh
+ run: |
+ echo "===== Running Post-Deploy Script ====="
+ PYTHON="python3"
+ if [ -f "./.venv/bin/python" ]; then PYTHON="./.venv/bin/python"; fi
+ $PYTHON -m pip install -r ./scripts/requirements-post-deploy.txt --quiet 2>/dev/null
+
+ if [ -f "./scripts/post_deploy.py" ]; then
+ $PYTHON ./scripts/post_deploy.py --skip-tests \
+ && echo "Post-deploy script completed successfully!" \
+ || echo "Post-deploy script completed with warnings"
+ fi
+
+ echo ""
+ echo "===== Deployment Complete ====="
+ echo "Access the web application:"
+ echo " $WEB_APP_URL"
+ interactive: true
+ continueOnError: false
diff --git a/docs/AZD_DEPLOYMENT.md b/docs/AZD_DEPLOYMENT.md
index 942fba86f..019483934 100644
--- a/docs/AZD_DEPLOYMENT.md
+++ b/docs/AZD_DEPLOYMENT.md
@@ -124,14 +124,14 @@ This single command will:
```bash
# Set the resource ID of your existing AI Project
-azd env set AZURE_EXISTING_AI_PROJECT_RESOURCE_ID "/subscriptions//resourceGroups//providers/Microsoft.MachineLearningServices/workspaces/"
+azd env set AZURE_EXISTING_AIPROJECT_RESOURCE_ID "/subscriptions//resourceGroups//providers/Microsoft.MachineLearningServices/workspaces/"
```
### Reuse Existing Log Analytics Workspace
```bash
# Set the resource ID of your existing Log Analytics workspace
-azd env set AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID "/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces/"
+azd env set AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID "/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces/"
```
## Post-Deployment
@@ -227,7 +227,7 @@ Error: The model 'gpt-4o' is not available in region 'westeurope'
**Solution**: Set a different region for AI Services:
```bash
-azd env set AZURE_ENV_OPENAI_LOCATION eastus
+azd env set AZURE_ENV_AI_SERVICE_LOCATION eastus2
```
#### 3. Container Build Fails
@@ -309,8 +309,39 @@ When `enablePrivateNetworking` is enabled:
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
```
+## Deploy Local Changes
+
+If you've made local modifications to the code and want to deploy them to Azure, follow these steps to swap the configuration files:
+
+> **Note**: To set up and run the application locally for development, see the [Local Development Guide](LocalDevelopmentSetup.md).
+
+### Step 1: Rename Azure Configuration Files
+
+In the root directory:
+
+1. Rename `azure.yaml` to `azure_custom2.yaml`
+2. Rename `azure_custom.yaml` to `azure.yaml`
+
+### Step 2: Rename Infrastructure Files
+
+In the `infra` directory:
+
+1. Rename `main.bicep` to `main_custom2.bicep`
+2. Rename `main_custom.bicep` to `main.bicep`
+
+### Step 3: Deploy Changes
+
+Run the deployment command:
+
+```bash
+azd up
+```
+
+> **Note**: These custom files are configured to deploy your local code changes instead of pulling from the GitHub repository.
+
## Related Documentation
- [Deployment Guide](DEPLOYMENT.md)
+- [Local Development Guide](LocalDevelopmentSetup.md)
- [Image Generation Configuration](IMAGE_GENERATION.md)
- [Azure Developer CLI Documentation](https://learn.microsoft.com/azure/developer/azure-developer-cli/)
diff --git a/docs/CustomizingAzdParameters.md b/docs/CustomizingAzdParameters.md
index e3c6bb117..3542f8c45 100644
--- a/docs/CustomizingAzdParameters.md
+++ b/docs/CustomizingAzdParameters.md
@@ -10,19 +10,27 @@ By default this template will use the environment name as the prefix to prevent
| -------------------------------------- | ------- | ---------------------------- | ----------------------------------------------------------------------------- |
| `AZURE_LOCATION` | string | `` | Sets the Azure region for resource deployment. Allowed: `australiaeast`, `centralus`, `eastasia`, `eastus`, `eastus2`, `japaneast`, `northeurope`, `southeastasia`, `swedencentral`, `uksouth`, `westus`, `westus3`. |
| `AZURE_ENV_NAME` | string | `contentgen` | Sets the environment name prefix for all Azure resources (3-15 characters). |
-| `SECONDARY_LOCATION` | string | `uksouth` | Specifies a secondary Azure region for database creation. |
-| `AZURE_OPENAI_GPT_MODEL` | string | `gpt-5.1` | Specifies the GPT model name to deploy. |
-| `GPT_MODEL_VERSION` | string | `2025-11-13` | Sets the GPT model version. |
-| `GPT_MODEL_DEPLOYMENT_TYPE` | string | `GlobalStandard` | Defines the model deployment type (allowed: `Standard`, `GlobalStandard`). |
-| `GPT_MODEL_CAPACITY` | integer | `150` | Sets the GPT model token capacity (minimum: `10`). |
-| `AZURE_OPENAI_IMAGE_MODEL` | string | `gpt-image-1-mini` | Image model to deploy (allowed: `gpt-image-1-mini`, `gpt-image-1.5`, `none`). |
-| `IMAGE_MODEL_CAPACITY` | integer | `1` | Sets the image model deployment capacity in RPM (minimum: `1`). |
-| `AZURE_OPENAI_API_VERSION` | string | `2025-01-01-preview` | Specifies the API version for Azure OpenAI service. |
-| `AZURE_ENV_OPENAI_LOCATION` | string | `` | Sets the Azure region for OpenAI resource deployment. |
-| `AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID` | string | `""` | Reuses an existing Log Analytics Workspace instead of creating a new one. |
-| `AZURE_EXISTING_AI_PROJECT_RESOURCE_ID`| string | `""` | Reuses an existing AI Foundry Project instead of creating a new one. |
-| `ACR_NAME` | string | `contentgencontainerreg` | Sets the existing Azure Container Registry name (without `.azurecr.io`). |
-| `IMAGE_TAG` | string | `latest` | Sets the container image tag (e.g., `latest`, `dev`, `hotfix`). |
+| `AZURE_ENV_SECONDARY_LOCATION` | string | `uksouth` | Specifies a secondary Azure region for database creation. |
+| `AZURE_ENV_GPT_MODEL_NAME` | string | `gpt-5.1` | Specifies the GPT model name to deploy. |
+| `AZURE_ENV_GPT_MODEL_VERSION` | string | `2025-11-13` | Sets the GPT model version. |
+| `AZURE_ENV_MODEL_DEPLOYMENT_TYPE` | string | `GlobalStandard` | Defines the model deployment type (allowed: `Standard`, `GlobalStandard`). |
+| `AZURE_ENV_GPT_MODEL_CAPACITY` | integer | `150` | Sets the GPT model token capacity (minimum: `10`). |
+| `AZURE_ENV_IMAGE_MODEL_NAME` | string | `gpt-image-1-mini` | Image model to deploy (allowed: `gpt-image-1-mini`, `gpt-image-1.5`, `none`). |
+| `AZURE_ENV_IMAGE_MODEL_CAPACITY` | integer | `1` | Sets the image model deployment capacity in RPM (minimum: `1`). |
+| `AZURE_ENV_OPENAI_API_VERSION` | string | `2025-01-01-preview` | Specifies the API version for Azure OpenAI service. |
+| `AZURE_ENV_AI_SERVICE_LOCATION` | string | `` | Sets the Azure region for OpenAI resource deployment. Allowed: `australiaeast`, `canadaeast`, `eastus2`, `japaneast`, `koreacentral`, `polandcentral`, `swedencentral`, `switzerlandnorth`, `uaenorth`, `uksouth`, `westus3`. |
+| `AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID` | string | `""` | Reuses an existing Log Analytics Workspace instead of creating a new one. |
+| `AZURE_EXISTING_AIPROJECT_RESOURCE_ID` | string | `""` | Reuses an existing AI Foundry Project instead of creating a new one. |
+| `enableMonitoring` | boolean | `false` | Enable Log Analytics and Application Insights (WAF-aligned). |
+| `enableScalability` | boolean | `false` | Enable auto-scaling and higher SKUs (WAF-aligned). |
+| `enableRedundancy` | boolean | `false` | Enable zone redundancy and geo-replication (WAF-aligned). |
+| `enablePrivateNetworking` | boolean | `false` | Enable VNet integration and private endpoints (WAF-aligned). |
+| `deployBastionAndJumpbox` | boolean | `false` | Deploy Azure Bastion and jumpbox admin-path resources when private networking is enabled. |
+| `AZURE_ENV_VM_SIZE` | string | `""` | Overrides the jumpbox VM size (private networking only). Must support accelerated networking and Premium SSD. |
+| `AZURE_ENV_VM_ADMIN_USERNAME` | string | `""` | Sets the jumpbox VM admin username (private networking only). |
+| `AZURE_ENV_VM_ADMIN_PASSWORD` | string | `""` | Sets the jumpbox VM admin password. Bastion and jumpbox resources are deployed only when this is set and `deployBastionAndJumpbox=true`. |
+| `AZURE_ENV_CONTAINER_REGISTRY_NAME` | string | `contentgencontainerreg` | Sets the existing Azure Container Registry name (without `.azurecr.io`). |
+| `AZURE_ENV_IMAGE_TAG` | string | `latest` | Sets the container image tag (e.g., `latest`, `dev`, `hotfix`). |
## How to Set a Parameter
@@ -36,8 +44,8 @@ azd env set
```bash
azd env set AZURE_LOCATION westus2
-azd env set AZURE_OPENAI_GPT_MODEL gpt-5.1
-azd env set GPT_MODEL_DEPLOYMENT_TYPE Standard
-azd env set AZURE_OPENAI_IMAGE_MODEL gpt-image-1-mini
-azd env set ACR_NAME contentgencontainerreg
+azd env set AZURE_ENV_GPT_MODEL_NAME gpt-5.1
+azd env set AZURE_ENV_MODEL_DEPLOYMENT_TYPE Standard
+azd env set AZURE_ENV_IMAGE_MODEL_NAME gpt-image-1-mini
+azd env set AZURE_ENV_CONTAINER_REGISTRY_NAME contentgencontainerreg
```
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index 187640f92..dd3b3d390 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -16,6 +16,8 @@ Check the [Azure Products by Region](https://azure.microsoft.com/en-us/explore/g
Here are some example regions where the services are available: East US, East US2, Australia East, UK South, France Central.
+> **Note**: Some tenants may have additional security restrictions that run periodically and could impact the application (e.g., blocking public network access). If you experience issues or the application stops working, check if these restrictions are the cause. In such cases, consider deploying the WAF-supported version to ensure compliance. To configure, [Click here](./AZD_DEPLOYMENT.md#3-choose-deployment-configuration).
+
### **Important Note for PowerShell Users**
If you encounter issues running PowerShell scripts due to the policy of not being digitally signed, you can temporarily adjust the `ExecutionPolicy` by running the following command in an elevated PowerShell session:
@@ -218,7 +220,7 @@ az webapp config set -g $RESOURCE_GROUP -n --http20-enabled false
**Solution**:
1. Verify GPT-Image-1-mini or GPT-Image-1.5 deployment exists in Azure OpenAI resource
-2. Check `AZURE_OPENAI_IMAGE_MODEL` and `AZURE_OPENAI_GPT_IMAGE_ENDPOINT` environment variables
+2. Check `AZURE_ENV_IMAGE_MODEL_NAME` and `AZURE_OPENAI_GPT_IMAGE_ENDPOINT` environment variables
diff --git a/docs/IMAGE_GENERATION.md b/docs/IMAGE_GENERATION.md
index ed3483741..1d0f54af1 100644
--- a/docs/IMAGE_GENERATION.md
+++ b/docs/IMAGE_GENERATION.md
@@ -7,7 +7,7 @@ The accelerator supports image generation through Azure OpenAI image models:
- `gpt-image-1-mini`
- `gpt-image-1.5`
-Both models are used through `images.generate()` in the backend image agent. The selected model is controlled by `AZURE_OPENAI_IMAGE_MODEL`.
+Both models are used through `images.generate()` in the backend image agent. The selected model is controlled by `AZURE_ENV_IMAGE_MODEL_NAME`.
## Current Model Behavior
@@ -139,10 +139,10 @@ async def generate_marketing_image(
### Required Environment Variables
- `AZURE_OPENAI_ENDPOINT`
-- `AZURE_OPENAI_GPT_MODEL`
-- `AZURE_OPENAI_IMAGE_MODEL` (`gpt-image-1-mini`, `gpt-image-1.5`, or `none`)
+- `AZURE_ENV_GPT_MODEL_NAME`
+- `AZURE_ENV_IMAGE_MODEL_NAME` (`gpt-image-1-mini`, `gpt-image-1.5`, or `none`)
- `AZURE_OPENAI_GPT_IMAGE_ENDPOINT` (optional if same as main endpoint)
-- `AZURE_OPENAI_API_VERSION`
+- `AZURE_ENV_OPENAI_API_VERSION`
- `AZURE_OPENAI_IMAGE_API_VERSION`
### Optional Image Controls
@@ -155,7 +155,7 @@ async def generate_marketing_image(
The backend image generator calls Azure OpenAI with:
- `images.generate()`
-- `model` set from `AZURE_OPENAI_IMAGE_MODEL`
+- `model` set from `AZURE_ENV_IMAGE_MODEL_NAME`
- prompt text assembled from brief + product + brand constraints
- `size` and `quality` from app settings (or request overrides)
@@ -184,7 +184,7 @@ The backend image generator calls Azure OpenAI with:
### Model Availability Notes
1. Deploy either `gpt-image-1-mini` or `gpt-image-1.5` based on quota and regional availability.
-2. Set `AZURE_OPENAI_IMAGE_MODEL` to the deployed model name.
+2. Set `AZURE_ENV_IMAGE_MODEL_NAME` to the deployed model name.
3. If using a separate image endpoint, set `AZURE_OPENAI_GPT_IMAGE_ENDPOINT`.
4. Keep `AZURE_OPENAI_IMAGE_API_VERSION` aligned with the image model API version required by your deployment.
diff --git a/docs/LOCAL_DEPLOYMENT.md b/docs/LocalDevelopmentSetup.md
similarity index 96%
rename from docs/LOCAL_DEPLOYMENT.md
rename to docs/LocalDevelopmentSetup.md
index c3abd177e..addd22410 100644
--- a/docs/LOCAL_DEPLOYMENT.md
+++ b/docs/LocalDevelopmentSetup.md
@@ -147,10 +147,10 @@ Changes to source files will automatically trigger a reload.
| Variable | Required | Description |
|----------|----------|-------------|
| `AZURE_OPENAI_ENDPOINT` | Yes | Azure OpenAI endpoint URL (e.g., `https://your-resource.openai.azure.com/`) |
-| `AZURE_OPENAI_GPT_MODEL` | Yes | GPT model deployment name (e.g., `gpt-4o`, `gpt-5.1`) |
-| `AZURE_OPENAI_IMAGE_MODEL` | Yes | Image generation model (`gpt-image-1-mini` or `gpt-image-1.5`) |
+| `AZURE_ENV_GPT_MODEL_NAME` | Yes | GPT model deployment name (e.g., `gpt-4o`, `gpt-5.1`) |
+| `AZURE_ENV_IMAGE_MODEL_NAME` | Yes | Image generation model (`gpt-image-1-mini` or `gpt-image-1.5`) |
| `AZURE_OPENAI_GPT_IMAGE_ENDPOINT` | No | Separate endpoint for gpt-image-1-mini (if different from main endpoint) |
-| `AZURE_OPENAI_API_VERSION` | Yes | API version (e.g., `2024-06-01`) |
+| `AZURE_ENV_OPENAI_API_VERSION` | Yes | API version (e.g., `2024-06-01`) |
| `AZURE_OPENAI_TEMPERATURE` | No | Generation temperature (default: `0.7`) |
| `AZURE_OPENAI_MAX_TOKENS` | No | Max tokens for generation (default: `2000`) |
@@ -228,12 +228,12 @@ Changes to source files will automatically trigger a reload.
```dotenv
# Azure OpenAI
AZURE_OPENAI_ENDPOINT=https://my-openai.openai.azure.com/
-AZURE_OPENAI_GPT_MODEL=gpt-4o
-AZURE_OPENAI_IMAGE_MODEL=gpt-image-1-mini
+AZURE_ENV_GPT_MODEL_NAME=gpt-4o
+AZURE_ENV_IMAGE_MODEL_NAME=gpt-image-1-mini
AZURE_OPENAI_GPT_IMAGE_ENDPOINT=https://my-openai.openai.azure.com
AZURE_OPENAI_IMAGE_SIZE=1024x1024
AZURE_OPENAI_IMAGE_QUALITY=medium
-AZURE_OPENAI_API_VERSION=2024-06-01
+AZURE_ENV_OPENAI_API_VERSION=2024-06-01
# Cosmos DB
AZURE_COSMOS_ENDPOINT=https://my-cosmos.documents.azure.com:443/
diff --git a/docs/TECHNICAL_GUIDE.md b/docs/TECHNICAL_GUIDE.md
index ce41f325e..69a28172b 100644
--- a/docs/TECHNICAL_GUIDE.md
+++ b/docs/TECHNICAL_GUIDE.md
@@ -156,9 +156,9 @@ See `src/backend/settings.py` for all configuration options. Key settings:
| Variable | Description |
|----------|-------------|
| `AZURE_OPENAI_ENDPOINT` | Azure OpenAI endpoint for GPT model |
-| `AZURE_OPENAI_GPT_MODEL` | GPT model deployment name |
+| `AZURE_ENV_GPT_MODEL_NAME` | GPT model deployment name |
| `AZURE_OPENAI_GPT_IMAGE_ENDPOINT` | Azure OpenAI endpoint for GPT image model (if separate) |
-| `AZURE_OPENAI_IMAGE_MODEL` | GPT image model deployment name (gpt-image-1-mini) |
+| `AZURE_ENV_IMAGE_MODEL_NAME` | GPT image model deployment name (gpt-image-1-mini) |
| `AZURE_COSMOS_ENDPOINT` | Azure Cosmos DB endpoint |
| `AZURE_COSMOS_DATABASE_NAME` | Cosmos DB database name |
| `AZURE_BLOB_ACCOUNT_NAME` | Storage account name |
@@ -179,7 +179,7 @@ BRAND_SECONDARY_COLOR=#107C10
## Documentation
-- [Local Development Guide](./LOCAL_DEPLOYMENT.md) - Run locally for development
+- [Local Development Guide](./LocalDevelopmentSetup.md) - Run locally for development
- [AZD Deployment Guide](./AZD_DEPLOYMENT.md) - Deploy with Azure Developer CLI
- [Manual Deployment Guide](./DEPLOYMENT.md) - Step-by-step manual deployment
- [Image Generation Configuration](./IMAGE_GENERATION.md) - GPT image model setup
diff --git a/infra/main.bicep b/infra/main.bicep
index bea0f6861..de5c3be3c 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -107,9 +107,19 @@ param existingLogAnalyticsWorkspaceId string = ''
@description('Optional. Resource ID of an existing Foundry project.')
param azureExistingAIProjectResourceId string = ''
-@description('Optional. Deploy Azure Bastion and Jumpbox VM for private network administration.')
+@description('Optional. Deploy Azure Bastion and Jumpbox resources for private network administration.')
param deployBastionAndJumpbox bool = false
+@description('Optional. Jumpbox VM size. Must support accelerated networking and Premium SSD.')
+param vmSize string = ''
+
+@description('Optional. Jumpbox VM admin username.')
+param vmAdminUsername string = ''
+
+@description('Optional. Jumpbox VM admin password.')
+@secure()
+param vmAdminPassword string = ''
+
@description('Optional. The tags to apply to all deployed Azure resources.')
param tags object = {}
@@ -367,17 +377,111 @@ module userAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-id
}
// ========== Virtual Network and Networking Components ========== //
+var deployAdminAccessResources = enablePrivateNetworking && deployBastionAndJumpbox && !empty(vmAdminPassword)
module virtualNetwork 'modules/virtualNetwork.bicep' = if (enablePrivateNetworking) {
name: take('module.virtualNetwork.${solutionSuffix}', 64)
params: {
vnetName: 'vnet-${solutionSuffix}'
- vnetLocation: solutionLocation
- vnetAddressPrefixes: ['10.0.0.0/20']
+ addressPrefixes: ['10.0.0.0/20'] // 4096 addresses (enough for 8 /23 subnets or 16 /24)
+ location: solutionLocation
+ deployBastionAndJumpbox: deployAdminAccessResources
tags: tags
logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
- enableTelemetry: enableTelemetry
resourceSuffix: solutionSuffix
- deployBastionAndJumpbox: deployBastionAndJumpbox
+ enableTelemetry: enableTelemetry
+ }
+}
+
+// Azure Bastion Host
+var bastionHostName = 'bas-${solutionSuffix}'
+var zoneSupportedJumpboxLocations = [
+ 'australiaeast'
+ 'centralus'
+ 'eastus'
+ 'eastus2'
+ 'japaneast'
+ 'northeurope'
+ 'southeastasia'
+ 'swedencentral'
+ 'uksouth'
+ 'westus3'
+]
+module bastionHost 'br/public:avm/res/network/bastion-host:0.8.2' = if (deployAdminAccessResources) {
+ name: take('avm.res.network.bastion-host.${bastionHostName}', 64)
+ params: {
+ name: bastionHostName
+ skuName: 'Standard'
+ location: solutionLocation
+ virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
+ diagnosticSettings: !empty(logAnalyticsWorkspaceResourceId)
+ ? [
+ {
+ name: 'bastionDiagnostics'
+ workspaceResourceId: logAnalyticsWorkspaceResourceId
+ logCategoriesAndGroups: [
+ {
+ categoryGroup: 'allLogs'
+ enabled: true
+ }
+ ]
+ }
+ ]
+ : []
+ tags: tags
+ enableTelemetry: enableTelemetry
+ publicIPAddressObject: {
+ name: 'pip-${bastionHostName}'
+ }
+ }
+}
+
+// Jumpbox Virtual Machine
+var jumpboxUniqueToken = take(uniqueString(resourceGroup().id, solutionSuffix), 10)
+var jumpboxVmName = take('vm-${jumpboxUniqueToken}', 15)
+module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deployAdminAccessResources) {
+ name: take('avm.res.compute.virtual-machine.${jumpboxVmName}', 64)
+ params: {
+ name: take(jumpboxVmName, 15)
+ enableTelemetry: enableTelemetry
+ computerName: take(jumpboxVmName, 15)
+ osType: 'Windows'
+ vmSize: empty(vmSize) ? 'Standard_D2s_v5' : vmSize
+ adminUsername: empty(vmAdminUsername) ? 'JumpboxAdminUser' : vmAdminUsername
+ adminPassword: vmAdminPassword
+ managedIdentities: {
+ userAssignedResourceIds: [
+ userAssignedIdentity.outputs.resourceId
+ ]
+ }
+ availabilityZone: contains(zoneSupportedJumpboxLocations, solutionLocation) ? 1 : -1
+ imageReference: {
+ publisher: 'microsoft-dsvm'
+ offer: 'dsvm-win-2022'
+ sku: 'winserver-2022'
+ version: 'latest'
+ }
+ nicConfigurations: [
+ {
+ name: 'nic-${jumpboxVmName}'
+ enableAcceleratedNetworking: true
+ ipConfigurations: [
+ {
+ name: 'ipconfig01'
+ subnetResourceId: virtualNetwork!.outputs.jumpboxSubnetResourceId
+ }
+ ]
+ }
+ ]
+ osDisk: {
+ caching: 'ReadWrite'
+ diskSizeGB: 128
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ encryptionAtHost: false // Some Azure subscriptions do not support encryption at host
+ location: solutionLocation
+ tags: tags
}
dependsOn: (enableMonitoring && !useExistingLogAnalytics) ? [logAnalyticsWorkspace] : []
}
@@ -884,10 +988,10 @@ module containerInstance 'modules/container-instance.bicep' = {
environmentVariables: [
// Azure OpenAI Settings
{ name: 'AZURE_OPENAI_ENDPOINT', value: 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' }
- { name: 'AZURE_OPENAI_GPT_MODEL', value: gptModelName }
- { name: 'AZURE_OPENAI_IMAGE_MODEL', value: imageModelConfig[imageModelChoice].name }
+ { name: 'AZURE_ENV_GPT_MODEL_NAME', value: gptModelName }
+ { name: 'AZURE_ENV_IMAGE_MODEL_NAME', value: imageModelConfig[imageModelChoice].name }
{ name: 'AZURE_OPENAI_GPT_IMAGE_ENDPOINT', value: imageModelChoice != 'none' ? 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' : '' }
- { name: 'AZURE_OPENAI_API_VERSION', value: azureOpenaiAPIVersion }
+ { name: 'AZURE_ENV_OPENAI_API_VERSION', value: azureOpenaiAPIVersion }
// Azure Cosmos DB Settings
{ name: 'AZURE_COSMOS_ENDPOINT', value: 'https://cosmos-${solutionSuffix}.documents.azure.com:443/' }
{ name: 'AZURE_COSMOS_DATABASE_NAME', value: cosmosDBDatabaseName }
@@ -965,7 +1069,7 @@ output AI_FOUNDRY_RG_NAME string = aiFoundryAiServicesResourceGroupName
output AI_FOUNDRY_RESOURCE_ID string = useExistingAiFoundryAiProject ? '' : aiFoundryAiServices!.outputs.resourceId
@description('Contains existing AI project resource ID.')
-output AZURE_EXISTING_AI_PROJECT_RESOURCE_ID string = azureExistingAIProjectResourceId
+output AZURE_EXISTING_AIPROJECT_RESOURCE_ID string = azureExistingAIProjectResourceId
@description('Contains AI Search Service Endpoint URL')
output AZURE_AI_SEARCH_ENDPOINT string = 'https://${aiSearch.outputs.name}.search.windows.net/'
@@ -983,16 +1087,16 @@ output AZURE_AI_SEARCH_IMAGE_INDEX string = 'product-images'
output AZURE_OPENAI_ENDPOINT string = 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
@description('Contains GPT Model')
-output AZURE_OPENAI_GPT_MODEL string = gptModelName
+output AZURE_ENV_GPT_MODEL_NAME string = gptModelName
@description('Contains Image Model (empty if none selected)')
-output AZURE_OPENAI_IMAGE_MODEL string = imageModelConfig[imageModelChoice].name
+output AZURE_ENV_IMAGE_MODEL_NAME string = imageModelConfig[imageModelChoice].name
@description('Contains Azure OpenAI GPT/Image endpoint URL (empty if no image model selected)')
output AZURE_OPENAI_GPT_IMAGE_ENDPOINT string = imageModelChoice != 'none' ? 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' : ''
@description('Contains Azure OpenAI API Version')
-output AZURE_OPENAI_API_VERSION string = azureOpenaiAPIVersion
+output AZURE_ENV_OPENAI_API_VERSION string = azureOpenaiAPIVersion
@description('Contains OpenAI Resource')
output AZURE_OPENAI_RESOURCE string = aiFoundryAiServicesResourceName
@@ -1007,7 +1111,7 @@ output AZURE_AI_AGENT_API_VERSION string = azureAiAgentApiVersion
output AZURE_APPLICATION_INSIGHTS_CONNECTION_STRING string = (enableMonitoring && !useExistingLogAnalytics) ? applicationInsights!.outputs.connectionString : ''
@description('Contains the location used for AI Services deployment')
-output AZURE_ENV_OPENAI_LOCATION string = azureAiServiceLocation
+output AZURE_ENV_AI_SERVICE_LOCATION string = azureAiServiceLocation
@description('Contains Container Instance Name')
output CONTAINER_INSTANCE_NAME string = containerInstance.outputs.name
@@ -1019,7 +1123,7 @@ output CONTAINER_INSTANCE_IP string = containerInstance.outputs.ipAddress
output CONTAINER_INSTANCE_FQDN string = enablePrivateNetworking ? '' : containerInstance.outputs.fqdn
@description('Contains ACR Name')
-output ACR_NAME string = acrResourceName
+output AZURE_ENV_CONTAINER_REGISTRY_NAME string = acrResourceName
@description('Contains flag for Azure AI Foundry usage')
output USE_FOUNDRY bool = useFoundryMode ? true : false
diff --git a/infra/main.json b/infra/main.json
index 84293fdce..b88c84b66 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "15389484880957971429"
+ "version": "0.42.1.51946",
+ "templateHash": "15695041727004400845"
},
"name": "Intelligent Content Generation Accelerator",
"description": "Solution Accelerator for multimodal marketing content generation using Microsoft Agent Framework.\n"
@@ -173,7 +173,28 @@
"type": "bool",
"defaultValue": false,
"metadata": {
- "description": "Optional. Deploy Azure Bastion and Jumpbox VM for private network administration."
+ "description": "Optional. Deploy Azure Bastion and Jumpbox resources for private network administration."
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Jumpbox VM size. Must support accelerated networking and Premium SSD."
+ }
+ },
+ "vmAdminUsername": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Jumpbox VM admin username."
+ }
+ },
+ "vmAdminPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Jumpbox VM admin password."
}
},
"tags": {
@@ -324,6 +345,22 @@
"logAnalyticsWorkspaceResourceName": "[format('log-{0}', variables('solutionSuffix'))]",
"applicationInsightsResourceName": "[format('appi-{0}', variables('solutionSuffix'))]",
"userAssignedIdentityResourceName": "[format('id-{0}', variables('solutionSuffix'))]",
+ "deployAdminAccessResources": "[and(and(parameters('enablePrivateNetworking'), parameters('deployBastionAndJumpbox')), not(empty(parameters('vmAdminPassword'))))]",
+ "bastionHostName": "[format('bas-{0}', variables('solutionSuffix'))]",
+ "zoneSupportedJumpboxLocations": [
+ "australiaeast",
+ "centralus",
+ "eastus",
+ "eastus2",
+ "japaneast",
+ "northeurope",
+ "southeastasia",
+ "swedencentral",
+ "uksouth",
+ "westus3"
+ ],
+ "jumpboxUniqueToken": "[take(uniqueString(resourceGroup().id, variables('solutionSuffix')), 10)]",
+ "jumpboxVmName": "[take(format('vm-{0}', variables('jumpboxUniqueToken')), 15)]",
"privateDnsZones": [
"privatelink.cognitiveservices.azure.com",
"privatelink.openai.azure.com",
@@ -4814,26 +4851,26 @@
"vnetName": {
"value": "[format('vnet-{0}', variables('solutionSuffix'))]"
},
- "vnetLocation": {
- "value": "[variables('solutionLocation')]"
- },
- "vnetAddressPrefixes": {
+ "addressPrefixes": {
"value": [
"10.0.0.0/20"
]
},
+ "location": {
+ "value": "[variables('solutionLocation')]"
+ },
+ "deployBastionAndJumpbox": {
+ "value": "[variables('deployAdminAccessResources')]"
+ },
"tags": {
"value": "[parameters('tags')]"
},
"logAnalyticsWorkspaceId": "[if(variables('useExistingLogAnalytics'), createObject('value', parameters('existingLogAnalyticsWorkspaceId')), if(parameters('enableMonitoring'), createObject('value', reference('logAnalyticsWorkspace').outputs.resourceId.value), createObject('value', '')))]",
- "enableTelemetry": {
- "value": "[parameters('enableTelemetry')]"
- },
"resourceSuffix": {
"value": "[variables('solutionSuffix')]"
},
- "deployBastionAndJumpbox": {
- "value": "[parameters('deployBastionAndJumpbox')]"
+ "enableTelemetry": {
+ "value": "[parameters('enableTelemetry')]"
}
},
"template": {
@@ -4842,8 +4879,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "13822613177861506290"
+ "version": "0.42.1.51946",
+ "templateHash": "3628160320006039137"
}
},
"parameters": {
@@ -4853,14 +4890,14 @@
"description": "Name of the virtual network."
}
},
- "vnetLocation": {
+ "location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Azure region to deploy resources."
}
},
- "vnetAddressPrefixes": {
+ "addressPrefixes": {
"type": "array",
"defaultValue": [
"10.0.0.0/20"
@@ -5032,7 +5069,7 @@
"value": "[format('{0}-{1}', tryGet(variables('vnetSubnets')[copyIndex()], 'networkSecurityGroup', 'name'), parameters('resourceSuffix'))]"
},
"location": {
- "value": "[parameters('vnetLocation')]"
+ "value": "[parameters('location')]"
},
"securityRules": {
"value": "[tryGet(variables('vnetSubnets')[copyIndex()], 'networkSecurityGroup', 'securityRules')]"
@@ -5694,10 +5731,10 @@
"value": "[parameters('vnetName')]"
},
"location": {
- "value": "[parameters('vnetLocation')]"
+ "value": "[parameters('location')]"
},
"addressPrefixes": {
- "value": "[parameters('vnetAddressPrefixes')]"
+ "value": "[parameters('addressPrefixes')]"
},
"subnets": {
"copy": [
@@ -7376,11 +7413,11 @@
},
"bastionSubnetResourceId": {
"type": "string",
- "value": "[if(and(parameters('deployBastionAndJumpbox'), contains(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'AzureBastionSubnet')), reference(resourceId('Microsoft.Resources/deployments', take(format('avm.res.network.virtual-network.{0}', parameters('vnetName')), 64)), '2025-04-01').outputs.subnetResourceIds.value[indexOf(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'AzureBastionSubnet')], '')]"
+ "value": "[if(contains(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'AzureBastionSubnet'), reference(resourceId('Microsoft.Resources/deployments', take(format('avm.res.network.virtual-network.{0}', parameters('vnetName')), 64)), '2025-04-01').outputs.subnetResourceIds.value[indexOf(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'AzureBastionSubnet')], '')]"
},
"jumpboxSubnetResourceId": {
"type": "string",
- "value": "[if(and(parameters('deployBastionAndJumpbox'), contains(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'jumpbox')), reference(resourceId('Microsoft.Resources/deployments', take(format('avm.res.network.virtual-network.{0}', parameters('vnetName')), 64)), '2025-04-01').outputs.subnetResourceIds.value[indexOf(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'jumpbox')], '')]"
+ "value": "[if(contains(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'jumpbox'), reference(resourceId('Microsoft.Resources/deployments', take(format('avm.res.network.virtual-network.{0}', parameters('vnetName')), 64)), '2025-04-01').outputs.subnetResourceIds.value[indexOf(map(variables('vnetSubnets'), lambda('subnet', lambdaVariables('subnet').name)), 'jumpbox')], '')]"
}
}
}
@@ -7389,17 +7426,11 @@
"logAnalyticsWorkspace"
]
},
- "avmPrivateDnsZones": {
- "copy": {
- "name": "avmPrivateDnsZones",
- "count": "[length(variables('privateDnsZones'))]",
- "mode": "serial",
- "batchSize": 5
- },
- "condition": "[parameters('enablePrivateNetworking')]",
+ "bastionHost": {
+ "condition": "[variables('deployAdminAccessResources')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2025-04-01",
- "name": "[take(format('avm.res.network.private-dns-zone.{0}', replace(variables('privateDnsZones')[copyIndex()], '.', '-')), 64)]",
+ "name": "[take(format('avm.res.network.bastion-host.{0}', variables('bastionHostName')), 64)]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
@@ -7407,21 +7438,28 @@
"mode": "Incremental",
"parameters": {
"name": {
- "value": "[variables('privateDnsZones')[copyIndex()]]"
+ "value": "[variables('bastionHostName')]"
+ },
+ "skuName": {
+ "value": "Standard"
+ },
+ "location": {
+ "value": "[variables('solutionLocation')]"
},
+ "virtualNetworkResourceId": {
+ "value": "[reference('virtualNetwork').outputs.resourceId.value]"
+ },
+ "diagnosticSettings": "[if(not(empty(if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), if(parameters('enableMonitoring'), reference('logAnalyticsWorkspace').outputs.resourceId.value, '')))), createObject('value', createArray(createObject('name', 'bastionDiagnostics', 'workspaceResourceId', if(variables('useExistingLogAnalytics'), parameters('existingLogAnalyticsWorkspaceId'), if(parameters('enableMonitoring'), reference('logAnalyticsWorkspace').outputs.resourceId.value, '')), 'logCategoriesAndGroups', createArray(createObject('categoryGroup', 'allLogs', 'enabled', true()))))), createObject('value', createArray()))]",
"tags": {
"value": "[parameters('tags')]"
},
"enableTelemetry": {
"value": "[parameters('enableTelemetry')]"
},
- "virtualNetworkLinks": {
- "value": [
- {
- "virtualNetworkResourceId": "[if(parameters('enablePrivateNetworking'), reference('virtualNetwork').outputs.resourceId.value, '')]",
- "registrationEnabled": false
- }
- ]
+ "publicIPAddressObject": {
+ "value": {
+ "name": "[format('pip-{0}', variables('bastionHostName'))]"
+ }
}
},
"template": {
@@ -7431,141 +7469,119 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.37.4.10188",
- "templateHash": "17921343070314002065"
+ "version": "0.39.26.7824",
+ "templateHash": "7741601918225805390"
},
- "name": "Private DNS Zones",
- "description": "This module deploys a Private DNS zone."
+ "name": "Bastion Hosts",
+ "description": "This module deploys a Bastion Host."
},
"definitions": {
- "aType": {
+ "publicIPAddressObjectType": {
"type": "object",
"properties": {
"name": {
"type": "string",
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Required. The name of the Public IP Address."
}
},
- "metadata": {
- "type": "object",
+ "publicIpPrefixResourceId": {
+ "type": "string",
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
- },
- "nullable": true
+ "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
},
- "ttl": {
- "type": "int",
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The public IP address allocation method."
}
},
- "roleAssignments": {
+ "availabilityZones": {
"type": "array",
"items": {
- "$ref": "#/definitions/roleAssignmentType"
+ "type": "int"
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from."
}
},
- "aRecords": {
- "type": "array",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/aRecords"
- },
- "description": "Optional. The list of A records in the record set."
- },
- "nullable": true
- }
- },
- "metadata": {
- "__bicep_export!": true,
- "description": "The type for the A record."
- }
- },
- "aaaaType": {
- "type": "object",
- "properties": {
- "name": {
+ "publicIPAddressVersion": {
"type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Optional. IP address version."
}
},
- "metadata": {
- "type": "object",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
- },
- "nullable": true
- },
- "ttl": {
- "type": "int",
+ "dnsSettings": {
+ "$ref": "#/definitions/dnsSettingsType",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The DNS settings of the public IP address."
}
},
- "roleAssignments": {
+ "ipTags": {
"type": "array",
"items": {
- "$ref": "#/definitions/roleAssignmentType"
+ "$ref": "#/definitions/ipTagType"
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. The list of tags associated with the public IP address."
}
},
- "aaaaRecords": {
- "type": "array",
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/aaaaRecords"
- },
- "description": "Optional. The list of AAAA records in the record set."
- },
- "nullable": true
- }
- },
- "metadata": {
- "__bicep_export!": true,
- "description": "The type for the AAAA record."
- }
- },
- "cnameType": {
- "type": "object",
- "properties": {
- "name": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "skuName": {
"type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard"
+ ],
+ "nullable": true,
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Optional. Name of a public IP address SKU."
}
},
- "metadata": {
- "type": "object",
+ "skuTier": {
+ "type": "string",
+ "allowedValues": [
+ "Global",
+ "Regional"
+ ],
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
- },
- "nullable": true
+ "description": "Optional. Tier of a public IP address SKU."
+ }
},
- "ttl": {
- "type": "int",
+ "ddosSettings": {
+ "$ref": "#/definitions/ddosSettingsType",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The DDoS protection plan configuration associated with the public IP address."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location for the Public IP resource."
}
},
"roleAssignments": {
@@ -7575,313 +7591,11187 @@
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. Array of role assignments to create for the Public IP resource."
}
},
- "cnameRecord": {
- "type": "object",
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/cnameRecord"
- },
- "description": "Optional. The CNAME record in the record set."
- },
- "nullable": true
- }
- },
- "metadata": {
- "__bicep_export!": true,
- "description": "The type for the CNAME record."
- }
- },
- "mxType": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string",
+ "description": "Optional. Enable or disable usage telemetry for the Public IP module."
+ }
+ },
+ "idleTimeoutInMinutes": {
+ "type": "int",
+ "nullable": true,
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Optional. Idle timeout in minutes for the Public IP resource."
}
},
- "metadata": {
+ "tags": {
"type": "object",
"metadata": {
"__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/metadata"
+ "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags"
},
- "description": "Optional. The metadata of the record."
+ "description": "Optional. Tags to apply to the Public IP resource."
},
"nullable": true
},
- "ttl": {
- "type": "int",
- "nullable": true,
- "metadata": {
- "description": "Optional. The TTL of the record."
- }
- },
- "roleAssignments": {
+ "diagnosticSettings": {
"type": "array",
"items": {
- "$ref": "#/definitions/roleAssignmentType"
+ "$ref": "#/definitions/diagnosticSettingFullType"
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. Diagnostic settings for the Public IP resource."
}
- },
- "mxRecords": {
- "type": "array",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/mxRecords"
- },
- "description": "Optional. The list of MX records in the record set."
- },
- "nullable": true
}
},
"metadata": {
"__bicep_export!": true,
- "description": "The type for the MX record."
+ "description": "The type for the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided."
}
},
- "ptrType": {
+ "ddosSettingsType": {
"type": "object",
"properties": {
- "name": {
- "type": "string",
- "metadata": {
- "description": "Required. The name of the record."
- }
- },
- "metadata": {
+ "ddosProtectionPlan": {
"type": "object",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
+ "properties": {
+ "id": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address."
+ }
+ }
},
- "nullable": true
- },
- "ttl": {
- "type": "int",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The DDoS protection plan associated with the public IP address."
}
},
- "roleAssignments": {
- "type": "array",
- "items": {
- "$ref": "#/definitions/roleAssignmentType"
- },
- "nullable": true,
+ "protectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Enabled"
+ ],
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Required. The DDoS protection policy customizations."
}
- },
- "ptrRecords": {
- "type": "array",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/ptrRecords"
- },
- "description": "Optional. The list of PTR records in the record set."
- },
- "nullable": true
}
},
"metadata": {
- "__bicep_export!": true,
- "description": "The type for the PTR record."
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0"
+ }
}
},
- "soaType": {
+ "diagnosticSettingFullType": {
"type": "object",
"properties": {
"name": {
"type": "string",
+ "nullable": true,
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Optional. The name of the diagnostic setting."
}
},
- "metadata": {
- "type": "object",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
},
- "nullable": true
- },
- "ttl": {
- "type": "int",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
}
},
- "roleAssignments": {
+ "metricCategories": {
"type": "array",
"items": {
- "$ref": "#/definitions/roleAssignmentType"
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
}
},
- "soaRecord": {
- "type": "object",
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/soaRecord"
- },
- "description": "Optional. The SOA record in the record set."
- },
- "nullable": true
- }
- },
- "metadata": {
- "__bicep_export!": true,
- "description": "The type for the SOA record."
- }
- },
- "srvType": {
- "type": "object",
- "properties": {
- "name": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
"type": "string",
+ "nullable": true,
"metadata": {
- "description": "Required. The name of the record."
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
}
},
- "metadata": {
- "type": "object",
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
- },
- "nullable": true
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
},
- "ttl": {
- "type": "int",
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
}
},
- "roleAssignments": {
- "type": "array",
- "items": {
- "$ref": "#/definitions/roleAssignmentType"
- },
+ "eventHubName": {
+ "type": "string",
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
}
},
- "srvRecords": {
- "type": "array",
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
"metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/srvRecords"
- },
- "description": "Optional. The list of SRV records in the record set."
- },
- "nullable": true
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
}
},
"metadata": {
- "__bicep_export!": true,
- "description": "The type for the SRV record."
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
}
},
- "txtType": {
+ "diagnosticSettingLogsOnlyType": {
"type": "object",
"properties": {
"name": {
"type": "string",
- "metadata": {
- "description": "Required. The name of the record."
- }
- },
- "metadata": {
- "type": "object",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/metadata"
- },
- "description": "Optional. The metadata of the record."
- },
- "nullable": true
- },
- "ttl": {
- "type": "int",
"nullable": true,
"metadata": {
- "description": "Optional. The TTL of the record."
+ "description": "Optional. The name of diagnostic setting."
}
},
- "roleAssignments": {
+ "logCategoriesAndGroups": {
"type": "array",
"items": {
- "$ref": "#/definitions/roleAssignmentType"
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
},
"nullable": true,
"metadata": {
- "description": "Optional. Array of role assignments to create."
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
}
},
- "txtRecords": {
- "type": "array",
- "metadata": {
- "__bicep_resource_derived_type!": {
- "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/txtRecords"
- },
- "description": "Optional. The list of TXT records in the record set."
- },
- "nullable": true
- }
- },
- "metadata": {
- "__bicep_export!": true,
- "description": "The type for the TXT record."
- }
- },
- "virtualNetworkLinkType": {
- "type": "object",
- "properties": {
- "name": {
+ "logAnalyticsDestinationType": {
"type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
"nullable": true,
- "minLength": 1,
- "maxLength": 80,
"metadata": {
- "description": "Optional. The resource name."
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
}
},
- "virtualNetworkResourceId": {
+ "workspaceResourceId": {
"type": "string",
+ "nullable": true,
"metadata": {
- "description": "Required. The resource ID of the virtual network to link."
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
}
},
- "location": {
+ "storageAccountResourceId": {
"type": "string",
"nullable": true,
"metadata": {
- "description": "Optional. The Azure Region where the resource lives."
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
}
},
- "registrationEnabled": {
- "type": "bool",
- "nullable": true,
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if only logs are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "dnsSettingsType": {
+ "type": "object",
+ "properties": {
+ "domainNameLabel": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+ }
+ },
+ "domainNameLabelScope": {
+ "type": "string",
+ "allowedValues": [
+ "NoReuse",
+ "ResourceGroupReuse",
+ "SubscriptionReuse",
+ "TenantReuse"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone."
+ }
+ },
+ "reverseFqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0"
+ }
+ }
+ },
+ "ipTagType": {
+ "type": "object",
+ "properties": {
+ "ipTagType": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag type."
+ }
+ },
+ "tag": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.10.0"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the Azure Bastion resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Shared services Virtual Network resource Id."
+ }
+ },
+ "bastionSubnetPublicIpResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true."
+ }
+ },
+ "publicIPAddressObject": {
+ "$ref": "#/definitions/publicIPAddressObjectType",
+ "defaultValue": {
+ "name": "[format('{0}-pip', parameters('name'))]"
+ },
+ "metadata": {
+ "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingLogsOnlyType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the service."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Basic",
+ "allowedValues": [
+ "Basic",
+ "Developer",
+ "Premium",
+ "Standard"
+ ],
+ "metadata": {
+ "description": "Optional. The SKU of this Bastion Host."
+ }
+ },
+ "disableCopyPaste": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable Copy Paste. For Basic and Developer SKU Copy/Paste is always enabled."
+ }
+ },
+ "enableFileCopy": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable File Copy. Not supported for Basic and Developer SKU."
+ }
+ },
+ "enableIpConnect": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable IP Connect. Not supported for Basic and Developer SKU."
+ }
+ },
+ "enableKerberos": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable Kerberos authentication. Not supported for Developer SKU."
+ }
+ },
+ "enableShareableLink": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable Shareable Link. Not supported for Basic and Developer SKU."
+ }
+ },
+ "enableSessionRecording": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled."
+ }
+ },
+ "enablePrivateOnlyBastion": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature."
+ }
+ },
+ "scaleUnits": {
+ "type": "int",
+ "defaultValue": 2,
+ "metadata": {
+ "description": "Optional. The scale units for the Bastion Host resource. The Basic and Developer SKU only support 2 scale units."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/bastionHosts@2024-07-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ },
+ "availabilityZones": {
+ "type": "array",
+ "items": {
+ "type": "int"
+ },
+ "defaultValue": [],
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "metadata": {
+ "description": "Optional. The list of Availability zones to use for the zone-redundant resources."
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "formattedRoleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+ }
+ ],
+ "enableReferencedModulesTelemetry": false,
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+ }
+ },
+ "resources": {
+ "avmTelemetry": {
+ "condition": "[parameters('enableTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2024-03-01",
+ "name": "[format('46d3xbcp.res.network-bastionhost.{0}.{1}', replace('0.8.2', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [],
+ "outputs": {
+ "telemetry": {
+ "type": "String",
+ "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+ }
+ }
+ }
+ }
+ },
+ "azureBastion": {
+ "type": "Microsoft.Network/bastionHosts",
+ "apiVersion": "2025-01-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[coalesce(parameters('tags'), createObject())]",
+ "sku": {
+ "name": "[parameters('skuName')]"
+ },
+ "zones": "[if(equals(parameters('skuName'), 'Developer'), createArray(), map(parameters('availabilityZones'), lambda('zone', format('{0}', lambdaVariables('zone')))))]",
+ "properties": "[union(createObject('scaleUnits', if(or(equals(parameters('skuName'), 'Basic'), equals(parameters('skuName'), 'Developer')), 2, parameters('scaleUnits')), 'ipConfigurations', if(equals(parameters('skuName'), 'Developer'), createArray(), createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('virtualNetworkResourceId')))), if(not(parameters('enablePrivateOnlyBastion')), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value))), createObject())))))), if(equals(parameters('skuName'), 'Developer'), createObject('virtualNetwork', createObject('id', parameters('virtualNetworkResourceId'))), createObject()), if(or(or(equals(parameters('skuName'), 'Basic'), equals(parameters('skuName'), 'Standard')), equals(parameters('skuName'), 'Premium')), createObject('enableKerberos', parameters('enableKerberos')), createObject()), if(or(equals(parameters('skuName'), 'Standard'), equals(parameters('skuName'), 'Premium')), createObject('enableTunneling', if(equals(parameters('skuName'), 'Standard'), true(), if(parameters('enableSessionRecording'), false(), true())), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()), if(equals(parameters('skuName'), 'Premium'), createObject('enableSessionRecording', parameters('enableSessionRecording'), 'enablePrivateOnlyBastion', parameters('enablePrivateOnlyBastion')), createObject()))]",
+ "dependsOn": [
+ "publicIPAddress"
+ ]
+ },
+ "azureBastion_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+ "type": "Microsoft.Authorization/locks",
+ "apiVersion": "2020-05-01",
+ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+ "properties": {
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]"
+ },
+ "dependsOn": [
+ "azureBastion"
+ ]
+ },
+ "azureBastion_diagnosticSettings": {
+ "copy": {
+ "name": "azureBastion_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "properties": {
+ "copy": [
+ {
+ "name": "logs",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]",
+ "input": {
+ "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]",
+ "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]"
+ }
+ }
+ ],
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
+ },
+ "dependsOn": [
+ "azureBastion"
+ ]
+ },
+ "azureBastion_roleAssignments": {
+ "copy": {
+ "name": "azureBastion_roleAssignments",
+ "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/bastionHosts', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+ "properties": {
+ "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+ "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "azureBastion"
+ ]
+ },
+ "publicIPAddress": {
+ "condition": "[and(and(empty(parameters('bastionSubnetPublicIpResourceId')), not(equals(parameters('skuName'), 'Developer'))), not(parameters('enablePrivateOnlyBastion')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-Bastion-PIP', uniqueString(subscription().id, resourceGroup().id, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('publicIPAddressObject').name]"
+ },
+ "enableTelemetry": {
+ "value": "[variables('enableReferencedModulesTelemetry')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "lock": {
+ "value": "[parameters('lock')]"
+ },
+ "diagnosticSettings": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'diagnosticSettings')]"
+ },
+ "ddosSettings": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'ddosSettings')]"
+ },
+ "dnsSettings": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'dnsSettings')]"
+ },
+ "idleTimeoutInMinutes": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'idleTimeoutInMinutes')]"
+ },
+ "ipTags": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'ipTags')]"
+ },
+ "publicIPAddressVersion": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAddressVersion')]"
+ },
+ "publicIPAllocationMethod": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIPAllocationMethod')]"
+ },
+ "publicIpPrefixResourceId": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'publicIpPrefixResourceId')]"
+ },
+ "roleAssignments": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'roleAssignments')]"
+ },
+ "skuName": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'skuName')]"
+ },
+ "skuTier": {
+ "value": "[tryGet(parameters('publicIPAddressObject'), 'skuTier')]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]"
+ },
+ "availabilityZones": {
+ "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'availabilityZones'), if(not(empty(parameters('availabilityZones'))), parameters('availabilityZones'), null()))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "16564959277054027786"
+ },
+ "name": "Public IP Addresses",
+ "description": "This module deploys a Public IP Address."
+ },
+ "definitions": {
+ "dnsSettingsType": {
+ "type": "object",
+ "properties": {
+ "domainNameLabel": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+ }
+ },
+ "domainNameLabelScope": {
+ "type": "string",
+ "allowedValues": [
+ "NoReuse",
+ "ResourceGroupReuse",
+ "SubscriptionReuse",
+ "TenantReuse"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone."
+ }
+ },
+ "reverseFqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "ddosSettingsType": {
+ "type": "object",
+ "properties": {
+ "ddosProtectionPlan": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan associated with the public IP address."
+ }
+ },
+ "protectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Enabled"
+ ],
+ "metadata": {
+ "description": "Required. The DDoS protection policy customizations."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "ipTagType": {
+ "type": "object",
+ "properties": {
+ "ipTagType": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag type."
+ }
+ },
+ "tag": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Public IP Address."
+ }
+ },
+ "publicIpPrefixResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "metadata": {
+ "description": "Optional. The public IP address allocation method."
+ }
+ },
+ "availabilityZones": {
+ "type": "array",
+ "items": {
+ "type": "int"
+ },
+ "defaultValue": [
+ 1,
+ 2,
+ 3
+ ],
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "metadata": {
+ "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from."
+ }
+ },
+ "publicIPAddressVersion": {
+ "type": "string",
+ "defaultValue": "IPv4",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "metadata": {
+ "description": "Optional. IP address version."
+ }
+ },
+ "dnsSettings": {
+ "$ref": "#/definitions/dnsSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DNS settings of the public IP address."
+ }
+ },
+ "ipTags": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ipTagType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The list of tags associated with the public IP address."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Standard",
+ "allowedValues": [
+ "Basic",
+ "Standard"
+ ],
+ "metadata": {
+ "description": "Optional. Name of a public IP address SKU."
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "defaultValue": "Regional",
+ "allowedValues": [
+ "Global",
+ "Regional"
+ ],
+ "metadata": {
+ "description": "Optional. Tier of a public IP address SKU."
+ }
+ },
+ "ddosSettings": {
+ "$ref": "#/definitions/ddosSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan configuration associated with the public IP address."
+ }
+ },
+ "deleteOption": {
+ "type": "string",
+ "nullable": true,
+ "allowedValues": [
+ "Delete",
+ "Detach"
+ ],
+ "metadata": {
+ "description": "Optional. The delete option for the public IP address."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ },
+ "idleTimeoutInMinutes": {
+ "type": "int",
+ "defaultValue": 4,
+ "metadata": {
+ "description": "Optional. The idle timeout of the public IP address."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/publicIPAddresses@2025-01-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the service."
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "formattedRoleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+ }
+ ],
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
+ "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+ }
+ },
+ "resources": {
+ "avmTelemetry": {
+ "condition": "[parameters('enableTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2024-03-01",
+ "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.10.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [],
+ "outputs": {
+ "telemetry": {
+ "type": "String",
+ "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+ }
+ }
+ }
+ }
+ },
+ "publicIpAddress": {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2025-01-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "[parameters('skuTier')]"
+ },
+ "zones": "[map(parameters('availabilityZones'), lambda('zone', string(lambdaVariables('zone'))))]",
+ "properties": {
+ "ddosSettings": "[parameters('ddosSettings')]",
+ "dnsSettings": "[parameters('dnsSettings')]",
+ "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]",
+ "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
+ "publicIPPrefix": "[if(not(empty(parameters('publicIpPrefixResourceId'))), createObject('id', parameters('publicIpPrefixResourceId')), null())]",
+ "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]",
+ "ipTags": "[parameters('ipTags')]",
+ "deleteOption": "[parameters('deleteOption')]"
+ }
+ },
+ "publicIpAddress_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+ "type": "Microsoft.Authorization/locks",
+ "apiVersion": "2020-05-01",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+ "properties": {
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ },
+ "publicIpAddress_roleAssignments": {
+ "copy": {
+ "name": "publicIpAddress_roleAssignments",
+ "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+ "properties": {
+ "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+ "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ },
+ "publicIpAddress_diagnosticSettings": {
+ "copy": {
+ "name": "publicIpAddress_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "properties": {
+ "copy": [
+ {
+ "name": "metrics",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]",
+ "input": {
+ "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]",
+ "timeGrain": null
+ }
+ },
+ {
+ "name": "logs",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]",
+ "input": {
+ "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]",
+ "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]"
+ }
+ }
+ ],
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ }
+ },
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource group the public IP address was deployed into."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the public IP address."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the public IP address."
+ },
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ },
+ "ipAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The public IP address of the public IP address resource."
+ },
+ "value": "[coalesce(tryGet(reference('publicIpAddress'), 'ipAddress'), '')]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('publicIpAddress', '2025-01-01', 'full').location]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource group the Azure Bastion was deployed into."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name the Azure Bastion."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID the Azure Bastion."
+ },
+ "value": "[resourceId('Microsoft.Network/bastionHosts', parameters('name'))]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('azureBastion', '2025-01-01', 'full').location]"
+ },
+ "ipConfAzureBastionSubnet": {
+ "type": "object",
+ "metadata": {
+ "description": "The Public IPconfiguration object for the AzureBastionSubnet."
+ },
+ "value": "[if(equals(parameters('skuName'), 'Developer'), createObject(), reference('azureBastion').ipConfigurations[0])]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "logAnalyticsWorkspace",
+ "virtualNetwork"
+ ]
+ },
+ "jumpboxVM": {
+ "condition": "[variables('deployAdminAccessResources')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[take(format('avm.res.compute.virtual-machine.{0}', variables('jumpboxVmName')), 64)]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[take(variables('jumpboxVmName'), 15)]"
+ },
+ "enableTelemetry": {
+ "value": "[parameters('enableTelemetry')]"
+ },
+ "computerName": {
+ "value": "[take(variables('jumpboxVmName'), 15)]"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "vmSize": "[if(empty(parameters('vmSize')), createObject('value', 'Standard_D2s_v5'), createObject('value', parameters('vmSize')))]",
+ "adminUsername": "[if(empty(parameters('vmAdminUsername')), createObject('value', 'JumpboxAdminUser'), createObject('value', parameters('vmAdminUsername')))]",
+ "adminPassword": {
+ "value": "[parameters('vmAdminPassword')]"
+ },
+ "managedIdentities": {
+ "value": {
+ "userAssignedResourceIds": [
+ "[reference('userAssignedIdentity').outputs.resourceId.value]"
+ ]
+ }
+ },
+ "availabilityZone": "[if(contains(variables('zoneSupportedJumpboxLocations'), variables('solutionLocation')), createObject('value', 1), createObject('value', -1))]",
+ "imageReference": {
+ "value": {
+ "publisher": "microsoft-dsvm",
+ "offer": "dsvm-win-2022",
+ "sku": "winserver-2022",
+ "version": "latest"
+ }
+ },
+ "nicConfigurations": {
+ "value": [
+ {
+ "name": "[format('nic-{0}', variables('jumpboxVmName'))]",
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig01",
+ "subnetResourceId": "[reference('virtualNetwork').outputs.jumpboxSubnetResourceId.value]"
+ }
+ ]
+ }
+ ]
+ },
+ "osDisk": {
+ "value": {
+ "caching": "ReadWrite",
+ "diskSizeGB": 128,
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ },
+ "encryptionAtHost": {
+ "value": false
+ },
+ "location": {
+ "value": "[variables('solutionLocation')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "11442373542874951910"
+ },
+ "name": "Virtual Machines",
+ "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs."
+ },
+ "definitions": {
+ "osDiskType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The disk name."
+ }
+ },
+ "diskSizeGB": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the size of an empty data disk in gigabytes."
+ }
+ },
+ "createOption": {
+ "type": "string",
+ "allowedValues": [
+ "Attach",
+ "Empty",
+ "FromImage"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies how the virtual machine should be created."
+ }
+ },
+ "deleteOption": {
+ "type": "string",
+ "allowedValues": [
+ "Delete",
+ "Detach"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies whether data disk should be deleted or detached upon VM deletion."
+ }
+ },
+ "caching": {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "ReadOnly",
+ "ReadWrite"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the caching requirements."
+ }
+ },
+ "diffDiskSettings": {
+ "type": "object",
+ "properties": {
+ "placement": {
+ "type": "string",
+ "allowedValues": [
+ "CacheDisk",
+ "NvmeDisk",
+ "ResourceDisk"
+ ],
+ "metadata": {
+ "description": "Required. Specifies the ephemeral disk placement for the operating system disk."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the ephemeral Disk Settings for the operating system disk."
+ }
+ },
+ "managedDisk": {
+ "type": "object",
+ "properties": {
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "PremiumV2_LRS",
+ "Premium_LRS",
+ "Premium_ZRS",
+ "StandardSSD_LRS",
+ "StandardSSD_ZRS",
+ "Standard_LRS",
+ "UltraSSD_LRS"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the storage account type for the managed disk."
+ }
+ },
+ "diskEncryptionSetResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk."
+ }
+ },
+ "resourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. The managed disk parameters."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing an OS disk."
+ }
+ },
+ "dataDiskType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The disk name. When attaching a pre-existing disk, this name is ignored and the name of the existing disk is used."
+ }
+ },
+ "lun": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the logical unit number of the data disk."
+ }
+ },
+ "diskSizeGB": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the size of an empty data disk in gigabytes. This property is ignored when attaching a pre-existing disk."
+ }
+ },
+ "createOption": {
+ "type": "string",
+ "allowedValues": [
+ "Attach",
+ "Empty",
+ "FromImage"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies how the virtual machine should be created. This property is automatically set to 'Attach' when attaching a pre-existing disk."
+ }
+ },
+ "deleteOption": {
+ "type": "string",
+ "allowedValues": [
+ "Delete",
+ "Detach"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies whether data disk should be deleted or detached upon VM deletion. This property is automatically set to 'Detach' when attaching a pre-existing disk."
+ }
+ },
+ "caching": {
+ "type": "string",
+ "allowedValues": [
+ "None",
+ "ReadOnly",
+ "ReadWrite"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the caching requirements. This property is automatically set to 'None' when attaching a pre-existing disk."
+ }
+ },
+ "diskIOPSReadWrite": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes. Ignored when attaching a pre-existing disk."
+ }
+ },
+ "diskMBpsReadWrite": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10. Ignored when attaching a pre-existing disk."
+ }
+ },
+ "managedDisk": {
+ "type": "object",
+ "properties": {
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "PremiumV2_LRS",
+ "Premium_LRS",
+ "Premium_ZRS",
+ "StandardSSD_LRS",
+ "StandardSSD_ZRS",
+ "Standard_LRS",
+ "UltraSSD_LRS"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the storage account type for the managed disk. Ignored when attaching a pre-existing disk."
+ }
+ },
+ "diskEncryptionSetResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk."
+ }
+ },
+ "resourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty."
+ }
+ }
+ },
+ "metadata": {
+ "description": "Required. The managed disk parameters."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/disks@2025-01-02#properties/tags"
+ },
+ "description": "Optional. The tags of the public IP address. Valid only when creating a new managed disk."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing a data disk."
+ }
+ },
+ "publicKeyType": {
+ "type": "object",
+ "properties": {
+ "keyData": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the SSH public key data used to authenticate through ssh."
+ }
+ },
+ "path": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the full path on the created VM where ssh public key is stored. If the file already exists, the specified key is appended to the file."
+ }
+ }
+ }
+ },
+ "nicConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the NIC configuration."
+ }
+ },
+ "nicSuffix": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The suffix to append to the NIC name."
+ }
+ },
+ "enableIPForwarding": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Indicates whether IP forwarding is enabled on this network interface."
+ }
+ },
+ "enableAcceleratedNetworking": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. If the network interface is accelerated networking enabled."
+ }
+ },
+ "deleteOption": {
+ "type": "string",
+ "allowedValues": [
+ "Delete",
+ "Detach"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify what happens to the network interface when the VM is deleted."
+ }
+ },
+ "dnsServers": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection."
+ }
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The network security group (NSG) to attach to the network interface."
+ }
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ipConfigurationType"
+ },
+ "metadata": {
+ "description": "Required. The IP configurations of the network interface."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The tags of the public IP address."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for the module."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the IP configuration."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the NIC configuration."
+ }
+ },
+ "imageReferenceType": {
+ "type": "object",
+ "properties": {
+ "communityGalleryImageId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specified the community gallery image unique id for vm deployment. This can be fetched from community gallery image GET call."
+ }
+ },
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource Id of the image reference."
+ }
+ },
+ "offer": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the offer of the platform image or marketplace image used to create the virtual machine."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The image publisher."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The SKU of the image."
+ }
+ },
+ "version": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the version of the platform image or marketplace image used to create the virtual machine. The allowed formats are Major.Minor.Build or 'latest'. Even if you use 'latest', the VM image will not automatically update after deploy time even if a new version becomes available."
+ }
+ },
+ "sharedGalleryImageId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specified the shared gallery image unique id for vm deployment. This can be fetched from shared gallery image GET call."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing the image reference."
+ }
+ },
+ "planType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the plan."
+ }
+ },
+ "product": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the product of the image from the marketplace."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The publisher ID."
+ }
+ },
+ "promotionCode": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The promotion code."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "Specifies information about the marketplace image used to create the virtual machine."
+ }
+ },
+ "autoShutDownConfigType": {
+ "type": "object",
+ "properties": {
+ "status": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "Enabled"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The status of the auto shutdown configuration."
+ }
+ },
+ "timeZone": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The time zone ID (e.g. China Standard Time, Greenland Standard Time, Pacific Standard time, etc.)."
+ }
+ },
+ "dailyRecurrenceTime": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The time of day the schedule will occur."
+ }
+ },
+ "notificationSettings": {
+ "type": "object",
+ "properties": {
+ "status": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "Enabled"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The status of the notification settings."
+ }
+ },
+ "emailRecipient": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The email address to send notifications to (can be a list of semi-colon separated email addresses)."
+ }
+ },
+ "notificationLocale": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The locale to use when sending a notification (fallback for unsupported languages is EN)."
+ }
+ },
+ "webhookUrl": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The webhook URL to which the notification will be sent."
+ }
+ },
+ "timeInMinutes": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The time in minutes before shutdown to send notifications."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the schedule."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing the configuration profile."
+ }
+ },
+ "vaultSecretGroupType": {
+ "type": "object",
+ "properties": {
+ "sourceVault": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The relative URL of the Key Vault containing all of the certificates in VaultCertificates."
+ }
+ },
+ "vaultCertificates": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "certificateStore": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. For Windows VMs, specifies the certificate store on the Virtual Machine to which the certificate should be added. The specified certificate store is implicitly in the LocalMachine account. For Linux VMs, the certificate file is placed under the /var/lib/waagent directory, with the file name .crt for the X509 certificate file and .prv for private key. Both of these files are .pem formatted."
+ }
+ },
+ "certificateUrl": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. This is the URL of a certificate that has been uploaded to Key Vault as a secret."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The list of key vault references in SourceVault which contain certificates."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing the set of certificates that should be installed onto the virtual machine."
+ }
+ },
+ "vmGalleryApplicationType": {
+ "type": "object",
+ "properties": {
+ "packageReferenceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the GalleryApplicationVersion resource id on the form of /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/applications/{application}/versions/{version}."
+ }
+ },
+ "configurationReference": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the uri to an azure blob that will replace the default configuration for the package if provided."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. If set to true, when a new Gallery Application version is available in PIR/SIG, it will be automatically updated for the VM/VMSS."
+ }
+ },
+ "order": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the order in which the packages have to be installed."
+ }
+ },
+ "tags": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies a passthrough value for more generic context."
+ }
+ },
+ "treatFailureAsDeploymentFailure": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. If true, any failure for any operation in the VmApplication will fail the deployment."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing the gallery application that should be made available to the VM/VMSS."
+ }
+ },
+ "additionalUnattendContentType": {
+ "type": "object",
+ "properties": {
+ "settingName": {
+ "type": "string",
+ "allowedValues": [
+ "AutoLogon",
+ "FirstLogonCommands"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the name of the setting to which the content applies."
+ }
+ },
+ "content": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the XML formatted content that is added to the unattend.xml file for the specified path and component. The XML must be less than 4KB and must include the root element for the setting or feature that is being inserted."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup."
+ }
+ },
+ "winRMListenerType": {
+ "type": "object",
+ "properties": {
+ "certificateUrl": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The URL of a certificate that has been uploaded to Key Vault as a secret."
+ }
+ },
+ "protocol": {
+ "type": "string",
+ "allowedValues": [
+ "Http",
+ "Https"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the protocol of WinRM listener."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing a Windows Remote Management listener."
+ }
+ },
+ "nicConfigurationOutputType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the NIC configuration."
+ }
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/networkInterfaceIPConfigurationOutputType"
+ },
+ "metadata": {
+ "description": "Required. List of IP configurations of the NIC configuration."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type describing the network interface configuration output."
+ }
+ },
+ "extensionCustomScriptConfigType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the virtual machine extension. Defaults to `CustomScriptExtension`."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the version of the script handler. Defaults to `1.10` for Windows and `2.1` for Linux."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true. Defaults to `true`."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "properties": {
+ "commandToExecute": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Conditional. The entry point script to run. If the command contains any credentials, use the same property of the `protectedSettings` instead. Required if `protectedSettings.commandToExecute` is not provided."
+ }
+ },
+ "fileUris": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. URLs for files to be downloaded. If URLs are sensitive, for example, if they contain keys, this field should be specified in `protectedSettings`."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The configuration of the custom script extension. Note: You can provide any property either in the `settings` or `protectedSettings` but not both. If your property contains secrets, use `protectedSettings`."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "properties": {
+ "commandToExecute": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Conditional. The entry point script to run. Use this property if your command contains secrets such as passwords or if your file URIs are sensitive. Required if `settings.commandToExecute` is not provided."
+ }
+ },
+ "storageAccountName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of storage account. If you specify storage credentials, all fileUris values must be URLs for Azure blobs.."
+ }
+ },
+ "storageAccountKey": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The access key of the storage account."
+ }
+ },
+ "managedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The managed identity for downloading files. Must not be used in conjunction with the `storageAccountName` or `storageAccountKey` property. If you want to use the VM's system assigned identity, set the `value` to an empty string."
+ }
+ },
+ "fileUris": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. URLs for files to be downloaded."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The configuration of the custom script extension. Note: You can provide any property either in the `settings` or `protectedSettings` but not both. If your property contains secrets, use `protectedSettings`."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). Defaults to `false`."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available. Defaults to `false`."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type of a 'CustomScriptExtension' extension."
+ }
+ },
+ "_1.applicationGatewayBackendAddressPoolsType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the backend address pool that is unique within an Application Gateway."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddresses": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "ipAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. IP address of the backend address."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. FQDN of the backend address."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Backend addresses."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application gateway backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the application gateway backend address pool.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "_1.applicationSecurityGroupType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the application security group."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the application security group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application security group."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the application security group."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the application security group.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "_1.backendAddressPoolType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the backend address pool."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The properties of the backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for a backend address pool.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "_1.inboundNatRuleType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the inbound NAT rule."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the resource that is unique within the set of inbound NAT rules used by the load balancer. This name can be used to access the resource."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddressPool": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to backendAddressPool resource."
+ }
+ },
+ "backendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port used for the internal endpoint. Acceptable values range from 1 to 65535."
+ }
+ },
+ "enableFloatingIP": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint."
+ }
+ },
+ "enableTcpReset": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP."
+ }
+ },
+ "frontendIPConfiguration": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to frontend IP addresses."
+ }
+ },
+ "frontendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeStart": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeEnd": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "protocol": {
+ "type": "string",
+ "allowedValues": [
+ "All",
+ "Tcp",
+ "Udp"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to the transport protocol used by the load balancing rule."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the inbound NAT rule."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the inbound NAT rule.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "_1.virtualNetworkTapType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the virtual network tap."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the virtual network tap."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the virtual network tap."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the virtual network tap."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the virtual network tap.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "_2.ddosSettingsType": {
+ "type": "object",
+ "properties": {
+ "ddosProtectionPlan": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan associated with the public IP address."
+ }
+ },
+ "protectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Enabled"
+ ],
+ "metadata": {
+ "description": "Required. The DDoS protection policy customizations."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "_2.dnsSettingsType": {
+ "type": "object",
+ "properties": {
+ "domainNameLabel": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+ }
+ },
+ "domainNameLabelScope": {
+ "type": "string",
+ "allowedValues": [
+ "NoReuse",
+ "ResourceGroupReuse",
+ "SubscriptionReuse",
+ "TenantReuse"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone."
+ }
+ },
+ "reverseFqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "_2.ipTagType": {
+ "type": "object",
+ "properties": {
+ "ipTagType": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag type."
+ }
+ },
+ "tag": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "_3.diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "_3.lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "_3.roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "_4.publicIPConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the Public IP Address."
+ }
+ },
+ "publicIPAddressResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the public IP address."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_3.diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Diagnostic settings for the public IP address."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The idle timeout in minutes."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/_3.lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the public IP address."
+ }
+ },
+ "idleTimeoutInMinutes": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The idle timeout of the public IP address."
+ }
+ },
+ "ddosSettings": {
+ "$ref": "#/definitions/_2.ddosSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan configuration associated with the public IP address."
+ }
+ },
+ "dnsSettings": {
+ "$ref": "#/definitions/_2.dnsSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DNS settings of the public IP address."
+ }
+ },
+ "publicIPAddressVersion": {
+ "type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address version."
+ }
+ },
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address allocation method."
+ }
+ },
+ "publicIpPrefixResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "publicIpNameSuffix": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name suffix of the public IP address resource."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_3.roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The SKU name of the public IP address."
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "allowedValues": [
+ "Global",
+ "Regional"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The SKU tier of the public IP address."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags"
+ },
+ "description": "Optional. The tags of the public IP address."
+ },
+ "nullable": true
+ },
+ "availabilityZones": {
+ "type": "array",
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The zones of the public IP address."
+ }
+ },
+ "ipTags": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_2.ipTagType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The list of tags associated with the public IP address."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for the module."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the public IP address configuration.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "modules/nic-configuration.bicep"
+ }
+ }
+ },
+ "diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
+ }
+ }
+ },
+ "ipConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the IP configuration."
+ }
+ },
+ "privateIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address allocation method."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address."
+ }
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the subnet."
+ }
+ },
+ "loadBalancerBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_1.backendAddressPoolType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The load balancer backend address pools."
+ }
+ },
+ "applicationSecurityGroups": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_1.applicationSecurityGroupType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The application security groups."
+ }
+ },
+ "applicationGatewayBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_1.applicationGatewayBackendAddressPoolsType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The application gateway backend address pools."
+ }
+ },
+ "gatewayLoadBalancer": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The gateway load balancer settings."
+ }
+ },
+ "loadBalancerInboundNatRules": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_1.inboundNatRuleType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The load balancer inbound NAT rules."
+ }
+ },
+ "privateIPAddressVersion": {
+ "type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address version."
+ }
+ },
+ "virtualNetworkTaps": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_1.virtualNetworkTapType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The virtual network taps."
+ }
+ },
+ "pipConfiguration": {
+ "$ref": "#/definitions/_4.publicIPConfigurationType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address configuration."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/_3.diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the IP configuration."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags"
+ },
+ "description": "Optional. The tags of the public IP address."
+ },
+ "nullable": true
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for the module."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the IP configuration.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "modules/nic-configuration.bicep"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0"
+ }
+ }
+ },
+ "managedIdentityAllType": {
+ "type": "object",
+ "properties": {
+ "systemAssigned": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enables system assigned managed identity on the resource."
+ }
+ },
+ "userAssignedResourceIds": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
+ }
+ }
+ },
+ "networkInterfaceIPConfigurationOutputType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the IP configuration."
+ }
+ },
+ "privateIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The private IP address."
+ }
+ },
+ "publicIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The public IP address."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
+ }
+ }
+ },
+ "subResourceType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the sub resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the sub resource.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory."
+ }
+ },
+ "computerName": {
+ "type": "string",
+ "defaultValue": "[parameters('name')]",
+ "metadata": {
+ "description": "Optional. Can be used if the computer name needs to be different from the Azure VM resource name. If not used, the resource name will be used as computer name."
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the size for the VMs."
+ }
+ },
+ "encryptionAtHost": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs."
+ }
+ },
+ "securityType": {
+ "type": "string",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines@2025-04-01#properties/properties/properties/securityProfile/properties/securityType"
+ },
+ "description": "Optional. Specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set."
+ },
+ "nullable": true
+ },
+ "secureBootEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings."
+ }
+ },
+ "vTpmEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings."
+ }
+ },
+ "imageReference": {
+ "$ref": "#/definitions/imageReferenceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Conditional. OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. Required if not creating the VM from an existing os-disk via the `osDisk.managedDisk.resourceId` parameter."
+ }
+ },
+ "plan": {
+ "$ref": "#/definitions/planType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use."
+ }
+ },
+ "osDisk": {
+ "$ref": "#/definitions/osDiskType",
+ "metadata": {
+ "description": "Required. Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs."
+ }
+ },
+ "dataDisks": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/dataDiskType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs."
+ }
+ },
+ "ultraSSDEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled."
+ }
+ },
+ "hibernationEnabled": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. The flag that enables or disables hibernation capability on the VM."
+ }
+ },
+ "adminUsername": {
+ "type": "securestring",
+ "nullable": true,
+ "metadata": {
+ "description": "Conditional. Administrator username. Required if no pre-existing OS-Disk is provided (osDisk.managedDisk.resourceId is not empty)."
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. When specifying a Windows Virtual Machine, and no pre-existing OS-Disk is provided (osDisk.managedDisk.resourceId is not empty), this value should be passed."
+ }
+ },
+ "userData": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. UserData for the VM, which must be base-64 encoded. Customer should not pass any secrets in here."
+ }
+ },
+ "customData": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format."
+ }
+ },
+ "certificatesToBeInstalled": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/vaultSecretGroupType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies set of certificates that should be installed onto the virtual machine."
+ }
+ },
+ "priority": {
+ "type": "string",
+ "nullable": true,
+ "allowedValues": [
+ "Regular",
+ "Low",
+ "Spot"
+ ],
+ "metadata": {
+ "description": "Optional. Specifies the priority for the virtual machine."
+ }
+ },
+ "evictionPolicy": {
+ "type": "string",
+ "defaultValue": "Deallocate",
+ "allowedValues": [
+ "Deallocate",
+ "Delete"
+ ],
+ "metadata": {
+ "description": "Optional. Specifies the eviction policy for the low priority virtual machine."
+ }
+ },
+ "maxPriceForLowPriorityVm": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars."
+ }
+ },
+ "dedicatedHostResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies resource ID about the dedicated host that the virtual machine resides in."
+ }
+ },
+ "licenseType": {
+ "type": "string",
+ "nullable": true,
+ "allowedValues": [
+ "RHEL_BYOS",
+ "SLES_BYOS",
+ "Windows_Client",
+ "Windows_Server"
+ ],
+ "metadata": {
+ "description": "Optional. Specifies that the image or disk that is being used was licensed on-premises."
+ }
+ },
+ "publicKeys": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/publicKeyType"
+ },
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. The list of SSH public keys used to authenticate with linux based VMs."
+ }
+ },
+ "managedIdentities": {
+ "$ref": "#/definitions/managedIdentityAllType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The managed identity definition for this resource. The system-assigned managed identity will automatically be enabled if extensionAadJoinConfig.enabled = \"True\"."
+ }
+ },
+ "bootDiagnostics": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled."
+ }
+ },
+ "bootDiagnosticStorageAccountName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided."
+ }
+ },
+ "bootDiagnosticStorageAccountUri": {
+ "type": "string",
+ "defaultValue": "[format('.blob.{0}/', environment().suffixes.storage)]",
+ "metadata": {
+ "description": "Optional. Storage account boot diagnostic base URI."
+ }
+ },
+ "proximityPlacementGroupResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of a proximity placement group."
+ }
+ },
+ "virtualMachineScaleSetResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of a virtual machine scale set, where the VM should be added."
+ }
+ },
+ "availabilitySetResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set."
+ }
+ },
+ "galleryApplications": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/vmGalleryApplicationType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the gallery applications that should be made available to the VM/VMSS."
+ }
+ },
+ "availabilityZone": {
+ "type": "int",
+ "allowedValues": [
+ -1,
+ 1,
+ 2,
+ 3
+ ],
+ "metadata": {
+ "description": "Required. If set to 1, 2 or 3, the availability zone is hardcoded to that value. If set to -1, no zone is defined. Note that the availability zone numbers here are the logical availability zone in your Azure subscription. Different subscriptions might have a different mapping of the physical zone and logical zone. To understand more, please refer to [Physical and logical availability zones](https://learn.microsoft.com/en-us/azure/reliability/availability-zones-overview?tabs=azure-cli#physical-and-logical-availability-zones)."
+ }
+ },
+ "nicConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/nicConfigurationType"
+ },
+ "metadata": {
+ "description": "Required. Configures NICs and PIPs."
+ }
+ },
+ "backupVaultName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Recovery service vault name to add VMs to backup."
+ }
+ },
+ "backupVaultResourceGroup": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Optional. Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default."
+ }
+ },
+ "backupPolicyName": {
+ "type": "string",
+ "defaultValue": "DefaultPolicy",
+ "metadata": {
+ "description": "Optional. Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault."
+ }
+ },
+ "autoShutdownConfig": {
+ "$ref": "#/definitions/autoShutDownConfigType",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. The configuration for auto-shutdown."
+ }
+ },
+ "maintenanceConfigurationResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The resource Id of a maintenance configuration for this VM."
+ }
+ },
+ "allowExtensionOperations": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine."
+ }
+ },
+ "extensionDomainJoinPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Required if name is specified. Password of the user specified in user parameter."
+ }
+ },
+ "extensionDomainJoinConfig": {
+ "type": "secureObject",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. The configuration for the [Domain Join] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionAadJoinConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed. To enroll in Intune, add the setting mdmId: \"0000000a-0000-0000-c000-000000000000\"."
+ }
+ },
+ "extensionAntiMalwareConfig": {
+ "type": "object",
+ "defaultValue": "[if(equals(parameters('osType'), 'Windows'), createObject('enabled', true()), createObject('enabled', false()))]",
+ "metadata": {
+ "description": "Optional. The configuration for the [Anti Malware] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionMonitoringAgentConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false,
+ "dataCollectionRuleAssociations": []
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionDependencyAgentConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Dependency Agent] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionNetworkWatcherAgentConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Network Watcher Agent] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionAzureDiskEncryptionConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Azure Disk Encryption] extension. Must at least contain the [\"enabled\": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys."
+ }
+ },
+ "extensionDSCConfig": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Desired State Configuration] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionCustomScriptConfig": {
+ "$ref": "#/definitions/extensionCustomScriptConfigType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The configuration for the [Custom Script] extension."
+ }
+ },
+ "extensionNvidiaGpuDriverWindows": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Nvidia Gpu Driver Windows] extension. Must at least contain the [\"enabled\": true] property to be executed."
+ }
+ },
+ "extensionHostPoolRegistration": {
+ "type": "secureObject",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Host Pool Registration] extension. Must at least contain the [\"enabled\": true] property to be executed. Needs a managed identity."
+ }
+ },
+ "extensionGuestConfigurationExtension": {
+ "type": "object",
+ "defaultValue": {
+ "enabled": false
+ },
+ "metadata": {
+ "description": "Optional. The configuration for the [Guest Configuration] extension. Must at least contain the [\"enabled\": true] property to be executed. Needs a managed identity."
+ }
+ },
+ "guestConfiguration": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. The guest configuration for the virtual machine. Needs the Guest Configuration extension to be enabled."
+ }
+ },
+ "extensionGuestConfigurationExtensionProtectedSettings": {
+ "type": "secureObject",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Optional. An object that contains the extension specific protected settings."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ },
+ "osType": {
+ "type": "string",
+ "allowedValues": [
+ "Windows",
+ "Linux"
+ ],
+ "metadata": {
+ "description": "Required. The chosen OS type."
+ }
+ },
+ "disablePasswordAuthentication": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Specifies whether password authentication should be disabled."
+ }
+ },
+ "provisionVMAgent": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later."
+ }
+ },
+ "enableAutomaticUpdates": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning."
+ }
+ },
+ "patchMode": {
+ "type": "string",
+ "defaultValue": "",
+ "allowedValues": [
+ "AutomaticByPlatform",
+ "AutomaticByOS",
+ "Manual",
+ "ImageDefault",
+ ""
+ ],
+ "metadata": {
+ "description": "Optional. VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'."
+ }
+ },
+ "bypassPlatformSafetyChecksOnUserSchedule": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enables customer to schedule patching without accidental upgrades."
+ }
+ },
+ "rebootSetting": {
+ "type": "string",
+ "defaultValue": "IfRequired",
+ "allowedValues": [
+ "Always",
+ "IfRequired",
+ "Never",
+ "Unknown"
+ ],
+ "metadata": {
+ "description": "Optional. Specifies the reboot setting for all AutomaticByPlatform patch installation operations."
+ }
+ },
+ "patchAssessmentMode": {
+ "type": "string",
+ "defaultValue": "ImageDefault",
+ "allowedValues": [
+ "AutomaticByPlatform",
+ "ImageDefault"
+ ],
+ "metadata": {
+ "description": "Optional. VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours."
+ }
+ },
+ "enableHotpatching": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Enables customers to patch their Azure VMs without requiring a reboot. For enableHotpatching, the 'provisionVMAgent' must be set to true and 'patchMode' must be set to 'AutomaticByPlatform'."
+ }
+ },
+ "timeZone": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`."
+ }
+ },
+ "additionalUnattendContent": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/additionalUnattendContentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies additional XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. Contents are defined by setting name, component name, and the pass in which the content is applied."
+ }
+ },
+ "winRMListeners": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/winRMListenerType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell."
+ }
+ },
+ "configurationProfile": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The configuration profile of automanage. Either '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction', 'providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' or the resource Id of custom profile."
+ }
+ },
+ "capacityReservationGroupResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Capacity reservation group resource id that should be used for allocating the virtual machine vm instances provided enough capacity has been reserved."
+ }
+ },
+ "networkAccessPolicy": {
+ "type": "string",
+ "defaultValue": "DenyAll",
+ "allowedValues": [
+ "AllowAll",
+ "AllowPrivate",
+ "DenyAll"
+ ],
+ "metadata": {
+ "description": "Optional. Policy for accessing the disk via network."
+ }
+ },
+ "publicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Disabled",
+ "Enabled"
+ ],
+ "metadata": {
+ "description": "Optional. Policy for controlling export on the disk."
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "publicKeysFormatted",
+ "count": "[length(parameters('publicKeys'))]",
+ "input": {
+ "path": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].path]",
+ "keyData": "[parameters('publicKeys')[copyIndex('publicKeysFormatted')].keyData]"
+ }
+ },
+ {
+ "name": "additionalUnattendContentFormatted",
+ "count": "[length(coalesce(parameters('additionalUnattendContent'), createArray()))]",
+ "input": {
+ "settingName": "[coalesce(parameters('additionalUnattendContent'), createArray())[copyIndex('additionalUnattendContentFormatted')].settingName]",
+ "content": "[coalesce(parameters('additionalUnattendContent'), createArray())[copyIndex('additionalUnattendContentFormatted')].content]",
+ "componentName": "Microsoft-Windows-Shell-Setup",
+ "passName": "OobeSystem"
+ }
+ },
+ {
+ "name": "formattedRoleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+ }
+ ],
+ "enableReferencedModulesTelemetry": false,
+ "linuxConfiguration": {
+ "disablePasswordAuthentication": "[parameters('disablePasswordAuthentication')]",
+ "ssh": {
+ "publicKeys": "[variables('publicKeysFormatted')]"
+ },
+ "provisionVMAgent": "[parameters('provisionVMAgent')]",
+ "patchSettings": "[if(and(parameters('provisionVMAgent'), or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('ImageDefault')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode'), 'automaticByPlatformSettings', if(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), createObject('bypassPlatformSafetyChecksOnUserSchedule', parameters('bypassPlatformSafetyChecksOnUserSchedule'), 'rebootSetting', parameters('rebootSetting')), null())), null())]"
+ },
+ "windowsConfiguration": {
+ "provisionVMAgent": "[parameters('provisionVMAgent')]",
+ "enableAutomaticUpdates": "[parameters('enableAutomaticUpdates')]",
+ "patchSettings": "[if(and(parameters('provisionVMAgent'), or(or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('AutomaticByOS'))), equals(toLower(parameters('patchMode')), toLower('Manual')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode'), 'enableHotpatching', if(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), parameters('enableHotpatching'), false()), 'automaticByPlatformSettings', if(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), createObject('bypassPlatformSafetyChecksOnUserSchedule', parameters('bypassPlatformSafetyChecksOnUserSchedule'), 'rebootSetting', parameters('rebootSetting')), null())), null())]",
+ "timeZone": "[if(empty(parameters('timeZone')), null(), parameters('timeZone'))]",
+ "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), variables('additionalUnattendContentFormatted'))]",
+ "winRM": "[if(not(empty(parameters('winRMListeners'))), createObject('listeners', parameters('winRMListeners')), null())]"
+ },
+ "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+ "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(if(parameters('extensionAadJoinConfig').enabled, true(), coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false())), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "Data Operator for Managed Disks": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '959f8984-c045-4866-89c7-12bf9737be2e')]",
+ "Desktop Virtualization Power On Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '489581de-a3bd-480d-9518-53dea7416b33')]",
+ "Desktop Virtualization Power On Off Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '40c5ff49-9181-41f8-ae61-143b0e78555e')]",
+ "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]",
+ "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
+ "Disk Backup Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')]",
+ "Disk Pool Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60fc6e62-5479-42d4-8bf4-67625fcc2840')]",
+ "Disk Restore Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b50d9833-a0cb-478e-945f-707fcc997c13')]",
+ "Disk Snapshot Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7efff54f-a5b4-42b5-a1c5-5411624893ce')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+ "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
+ "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
+ "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
+ "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
+ "VM Scanner Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd24ecba3-c1f4-40fa-a7bb-4588a071e8fd')]"
+ }
+ },
+ "resources": {
+ "avmTelemetry": {
+ "condition": "[parameters('enableTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2024-03-01",
+ "name": "[format('46d3xbcp.res.compute-virtualmachine.{0}.{1}', replace('0.21.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [],
+ "outputs": {
+ "telemetry": {
+ "type": "String",
+ "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+ }
+ }
+ }
+ }
+ },
+ "managedDataDisks": {
+ "copy": {
+ "name": "managedDataDisks",
+ "count": "[length(coalesce(parameters('dataDisks'), createArray()))]"
+ },
+ "condition": "[empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'resourceId'))]",
+ "type": "Microsoft.Compute/disks",
+ "apiVersion": "2024-03-02",
+ "name": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex(), 1), 2, '0')))]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType')]"
+ },
+ "properties": {
+ "diskSizeGB": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskSizeGB')]",
+ "creationData": {
+ "createOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'createoption'), 'Empty')]"
+ },
+ "diskIOPSReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskIOPSReadWrite')]",
+ "diskMBpsReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskMBpsReadWrite')]",
+ "publicNetworkAccess": "[parameters('publicNetworkAccess')]",
+ "networkAccessPolicy": "[parameters('networkAccessPolicy')]"
+ },
+ "zones": "[if(and(not(equals(parameters('availabilityZone'), -1)), not(contains(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType'), 'ZRS'))), array(string(parameters('availabilityZone'))), null())]",
+ "tags": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'tags'), parameters('tags'))]"
+ },
+ "vm": {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-07-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": "[variables('identity')]",
+ "tags": "[parameters('tags')]",
+ "zones": "[if(not(equals(parameters('availabilityZone'), -1)), array(string(parameters('availabilityZone'))), null())]",
+ "plan": "[parameters('plan')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "securityProfile": "[shallowMerge(createArray(if(parameters('encryptionAtHost'), createObject('encryptionAtHost', parameters('encryptionAtHost')), createObject()), createObject('securityType', parameters('securityType'), 'uefiSettings', if(equals(parameters('securityType'), 'TrustedLaunch'), createObject('secureBootEnabled', parameters('secureBootEnabled'), 'vTpmEnabled', parameters('vTpmEnabled')), null()))))]",
+ "storageProfile": {
+ "copy": [
+ {
+ "name": "dataDisks",
+ "count": "[length(coalesce(parameters('dataDisks'), createArray()))]",
+ "input": {
+ "lun": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'lun'), copyIndex('dataDisks'))]",
+ "name": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), last(split(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.resourceId, '/')), coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0'))))]",
+ "createOption": "[if(or(not(equals(if(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null()), null())), not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')))), 'Attach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createoption'), 'Empty'))]",
+ "deleteOption": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), 'Detach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'deleteOption'), 'Delete'))]",
+ "caching": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'))), 'None', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'caching'), 'ReadOnly'))]",
+ "managedDisk": {
+ "id": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId'), if(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'resourceId')), resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null()))]",
+ "diskEncryptionSet": "[if(not(empty(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSetResourceId'))), createObject('id', coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.diskEncryptionSetResourceId), null())]"
+ }
+ }
+ }
+ ],
+ "imageReference": "[parameters('imageReference')]",
+ "osDisk": {
+ "name": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), last(split(parameters('osDisk').managedDisk.resourceId, '/')), coalesce(tryGet(parameters('osDisk'), 'name'), format('{0}-disk-os-01', parameters('name'))))]",
+ "createOption": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'Attach', coalesce(tryGet(parameters('osDisk'), 'createOption'), 'FromImage'))]",
+ "osType": "[parameters('osType')]",
+ "deleteOption": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'Detach', coalesce(tryGet(parameters('osDisk'), 'deleteOption'), 'Delete'))]",
+ "diffDiskSettings": "[if(empty(coalesce(tryGet(parameters('osDisk'), 'diffDiskSettings'), createObject())), null(), createObject('option', 'Local', 'placement', parameters('osDisk').diffDiskSettings.placement))]",
+ "diskSizeGB": "[tryGet(parameters('osDisk'), 'diskSizeGB')]",
+ "caching": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId'))), 'None', coalesce(tryGet(parameters('osDisk'), 'caching'), 'ReadOnly'))]",
+ "managedDisk": {
+ "storageAccountType": "[tryGet(parameters('osDisk').managedDisk, 'storageAccountType')]",
+ "diskEncryptionSet": "[if(not(empty(tryGet(parameters('osDisk').managedDisk, 'diskEncryptionSetResourceId'))), createObject('id', tryGet(parameters('osDisk').managedDisk, 'diskEncryptionSetResourceId')), null())]",
+ "id": "[tryGet(parameters('osDisk').managedDisk, 'resourceId')]"
+ }
+ }
+ },
+ "additionalCapabilities": {
+ "ultraSSDEnabled": "[parameters('ultraSSDEnabled')]",
+ "hibernationEnabled": "[parameters('hibernationEnabled')]"
+ },
+ "osProfile": "[if(empty(tryGet(parameters('osDisk').managedDisk, 'resourceId')), createObject('computerName', parameters('computerName'), 'adminUsername', parameters('adminUsername'), 'adminPassword', parameters('adminPassword'), 'customData', if(not(empty(parameters('customData'))), base64(parameters('customData')), null()), 'windowsConfiguration', if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null()), 'linuxConfiguration', if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null()), 'secrets', parameters('certificatesToBeInstalled'), 'allowExtensionOperations', parameters('allowExtensionOperations')), null())]",
+ "networkProfile": {
+ "copy": [
+ {
+ "name": "networkInterfaces",
+ "count": "[length(parameters('nicConfigurations'))]",
+ "input": {
+ "properties": {
+ "deleteOption": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex('networkInterfaces')], 'deleteOption'), 'Delete')]",
+ "primary": "[if(equals(copyIndex('networkInterfaces'), 0), true(), false())]"
+ },
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', coalesce(tryGet(parameters('nicConfigurations')[copyIndex('networkInterfaces')], 'name'), format('{0}{1}', parameters('name'), tryGet(parameters('nicConfigurations')[copyIndex('networkInterfaces')], 'nicSuffix'))))]"
+ }
+ }
+ ]
+ },
+ "capacityReservation": "[if(not(empty(parameters('capacityReservationGroupResourceId'))), createObject('capacityReservationGroup', createObject('id', parameters('capacityReservationGroupResourceId'))), null())]",
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), true(), parameters('bootDiagnostics'))]",
+ "storageUri": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), format('https://{0}{1}', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')), null())]"
+ }
+ },
+ "applicationProfile": "[if(not(empty(parameters('galleryApplications'))), createObject('galleryApplications', parameters('galleryApplications')), null())]",
+ "availabilitySet": "[if(not(empty(parameters('availabilitySetResourceId'))), createObject('id', parameters('availabilitySetResourceId')), null())]",
+ "proximityPlacementGroup": "[if(not(empty(parameters('proximityPlacementGroupResourceId'))), createObject('id', parameters('proximityPlacementGroupResourceId')), null())]",
+ "virtualMachineScaleSet": "[if(not(empty(parameters('virtualMachineScaleSetResourceId'))), createObject('id', parameters('virtualMachineScaleSetResourceId')), null())]",
+ "priority": "[parameters('priority')]",
+ "evictionPolicy": "[if(and(not(empty(parameters('priority'))), not(equals(parameters('priority'), 'Regular'))), parameters('evictionPolicy'), null())]",
+ "billingProfile": "[if(and(not(empty(parameters('priority'))), not(empty(parameters('maxPriceForLowPriorityVm')))), createObject('maxPrice', json(parameters('maxPriceForLowPriorityVm'))), null())]",
+ "host": "[if(not(empty(parameters('dedicatedHostResourceId'))), createObject('id', parameters('dedicatedHostResourceId')), null())]",
+ "licenseType": "[parameters('licenseType')]",
+ "userData": "[if(not(empty(parameters('userData'))), base64(parameters('userData')), null())]"
+ },
+ "dependsOn": [
+ "managedDataDisks",
+ "vm_nic"
+ ]
+ },
+ "vm_configurationAssignment": {
+ "condition": "[not(empty(parameters('maintenanceConfigurationResourceId')))]",
+ "type": "Microsoft.Maintenance/configurationAssignments",
+ "apiVersion": "2023-04-01",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "[format('{0}assignment', parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "maintenanceConfigurationId": "[parameters('maintenanceConfigurationResourceId')]",
+ "resourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]"
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_configurationProfileAssignment": {
+ "condition": "[not(empty(parameters('configurationProfile')))]",
+ "type": "Microsoft.Automanage/configurationProfileAssignments",
+ "apiVersion": "2022-05-04",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "default",
+ "properties": {
+ "configurationProfile": "[parameters('configurationProfile')]"
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_autoShutdownConfiguration": {
+ "condition": "[not(empty(parameters('autoShutdownConfig')))]",
+ "type": "Microsoft.DevTestLab/schedules",
+ "apiVersion": "2018-09-15",
+ "name": "[format('shutdown-computevm-{0}', parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "status": "[coalesce(tryGet(parameters('autoShutdownConfig'), 'status'), 'Disabled')]",
+ "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]",
+ "taskType": "ComputeVmShutdownTask",
+ "dailyRecurrence": {
+ "time": "[coalesce(tryGet(parameters('autoShutdownConfig'), 'dailyRecurrenceTime'), '19:00')]"
+ },
+ "timeZoneId": "[coalesce(tryGet(parameters('autoShutdownConfig'), 'timeZone'), 'UTC')]",
+ "notificationSettings": "[if(contains(parameters('autoShutdownConfig'), 'notificationSettings'), createObject('status', coalesce(tryGet(parameters('autoShutdownConfig'), 'status'), 'Disabled'), 'emailRecipient', coalesce(tryGet(tryGet(parameters('autoShutdownConfig'), 'notificationSettings'), 'emailRecipient'), ''), 'notificationLocale', coalesce(tryGet(tryGet(parameters('autoShutdownConfig'), 'notificationSettings'), 'notificationLocale'), 'en'), 'webhookUrl', coalesce(tryGet(tryGet(parameters('autoShutdownConfig'), 'notificationSettings'), 'webhookUrl'), ''), 'timeInMinutes', coalesce(tryGet(tryGet(parameters('autoShutdownConfig'), 'notificationSettings'), 'timeInMinutes'), 30)), null())]"
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_dataCollectionRuleAssociations": {
+ "copy": {
+ "name": "vm_dataCollectionRuleAssociations",
+ "count": "[length(parameters('extensionMonitoringAgentConfig').dataCollectionRuleAssociations)]"
+ },
+ "condition": "[parameters('extensionMonitoringAgentConfig').enabled]",
+ "type": "Microsoft.Insights/dataCollectionRuleAssociations",
+ "apiVersion": "2024-03-11",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "[parameters('extensionMonitoringAgentConfig').dataCollectionRuleAssociations[copyIndex()].name]",
+ "properties": {
+ "dataCollectionRuleId": "[parameters('extensionMonitoringAgentConfig').dataCollectionRuleAssociations[copyIndex()].dataCollectionRuleResourceId]"
+ },
+ "dependsOn": [
+ "vm",
+ "vm_azureMonitorAgentExtension"
+ ]
+ },
+ "cseIdentity": {
+ "condition": "[not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'managedIdentityResourceId')))]",
+ "existing": true,
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2024-11-30",
+ "subscriptionId": "[split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/')[2]]",
+ "resourceGroup": "[split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/')[4]]",
+ "name": "[last(split(parameters('extensionCustomScriptConfig').protectedSettings.managedIdentityResourceId, '/'))]"
+ },
+ "AzureWindowsBaseline": {
+ "condition": "[not(empty(parameters('guestConfiguration')))]",
+ "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
+ "apiVersion": "2024-04-05",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('guestConfiguration'), 'name'), 'AzureWindowsBaseline')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "guestConfiguration": "[parameters('guestConfiguration')]"
+ },
+ "dependsOn": [
+ "vm",
+ "vm_azureGuestConfigurationExtension"
+ ]
+ },
+ "vm_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+ "type": "Microsoft.Authorization/locks",
+ "apiVersion": "2020-05-01",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+ "properties": {
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]"
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_roleAssignments": {
+ "copy": {
+ "name": "vm_roleAssignments",
+ "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Compute/virtualMachines', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+ "properties": {
+ "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+ "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_nic": {
+ "copy": {
+ "name": "vm_nic",
+ "count": "[length(parameters('nicConfigurations'))]"
+ },
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-Nic-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "networkInterfaceName": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'name'), format('{0}{1}', parameters('name'), tryGet(parameters('nicConfigurations')[copyIndex()], 'nicSuffix')))]"
+ },
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "enableIPForwarding": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'enableIPForwarding'), false())]"
+ },
+ "enableAcceleratedNetworking": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'enableAcceleratedNetworking'), true())]"
+ },
+ "dnsServers": "[if(contains(parameters('nicConfigurations')[copyIndex()], 'dnsServers'), if(not(empty(tryGet(parameters('nicConfigurations')[copyIndex()], 'dnsServers'))), createObject('value', tryGet(parameters('nicConfigurations')[copyIndex()], 'dnsServers')), createObject('value', createArray())), createObject('value', createArray()))]",
+ "networkSecurityGroupResourceId": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'networkSecurityGroupResourceId'), '')]"
+ },
+ "ipConfigurations": {
+ "value": "[parameters('nicConfigurations')[copyIndex()].ipConfigurations]"
+ },
+ "lock": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'lock'), parameters('lock'))]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
+ "diagnosticSettings": {
+ "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'diagnosticSettings')]"
+ },
+ "roleAssignments": {
+ "value": "[tryGet(parameters('nicConfigurations')[copyIndex()], 'roleAssignments')]"
+ },
+ "enableTelemetry": {
+ "value": "[variables('enableReferencedModulesTelemetry')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "716745708639313461"
+ }
+ },
+ "definitions": {
+ "publicIPConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the Public IP Address."
+ }
+ },
+ "publicIPAddressResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the public IP address."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Diagnostic settings for the public IP address."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The idle timeout in minutes."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the public IP address."
+ }
+ },
+ "idleTimeoutInMinutes": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The idle timeout of the public IP address."
+ }
+ },
+ "ddosSettings": {
+ "$ref": "#/definitions/ddosSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan configuration associated with the public IP address."
+ }
+ },
+ "dnsSettings": {
+ "$ref": "#/definitions/dnsSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DNS settings of the public IP address."
+ }
+ },
+ "publicIPAddressVersion": {
+ "type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address version."
+ }
+ },
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address allocation method."
+ }
+ },
+ "publicIpPrefixResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "publicIpNameSuffix": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name suffix of the public IP address resource."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "allowedValues": [
+ "Basic",
+ "Standard"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The SKU name of the public IP address."
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "allowedValues": [
+ "Global",
+ "Regional"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The SKU tier of the public IP address."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/publicIPAddresses@2024-07-01#properties/tags"
+ },
+ "description": "Optional. The tags of the public IP address."
+ },
+ "nullable": true
+ },
+ "availabilityZones": {
+ "type": "array",
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The zones of the public IP address."
+ }
+ },
+ "ipTags": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ipTagType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The list of tags associated with the public IP address."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for the module."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the public IP address configuration."
+ }
+ },
+ "ipConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the IP configuration."
+ }
+ },
+ "privateIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address allocation method."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address."
+ }
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the subnet."
+ }
+ },
+ "loadBalancerBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/backendAddressPoolType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The load balancer backend address pools."
+ }
+ },
+ "applicationSecurityGroups": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/applicationSecurityGroupType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The application security groups."
+ }
+ },
+ "applicationGatewayBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/applicationGatewayBackendAddressPoolsType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The application gateway backend address pools."
+ }
+ },
+ "gatewayLoadBalancer": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The gateway load balancer settings."
+ }
+ },
+ "loadBalancerInboundNatRules": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/inboundNatRuleType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The load balancer inbound NAT rules."
+ }
+ },
+ "privateIPAddressVersion": {
+ "type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address version."
+ }
+ },
+ "virtualNetworkTaps": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/virtualNetworkTapType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The virtual network taps."
+ }
+ },
+ "pipConfiguration": {
+ "$ref": "#/definitions/publicIPConfigurationType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The public IP address configuration."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the IP configuration."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags"
+ },
+ "description": "Optional. The tags of the public IP address."
+ },
+ "nullable": true
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for the module."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the IP configuration."
+ }
+ },
+ "applicationGatewayBackendAddressPoolsType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the backend address pool that is unique within an Application Gateway."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddresses": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "ipAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. IP address of the backend address."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. FQDN of the backend address."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Backend addresses."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application gateway backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the application gateway backend address pool.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "applicationSecurityGroupType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the application security group."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the application security group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application security group."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the application security group."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the application security group.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "backendAddressPoolType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the backend address pool."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The properties of the backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for a backend address pool.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "ddosSettingsType": {
+ "type": "object",
+ "properties": {
+ "ddosProtectionPlan": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan associated with the public IP address."
+ }
+ },
+ "protectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Enabled"
+ ],
+ "metadata": {
+ "description": "Required. The DDoS protection policy customizations."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "dnsSettingsType": {
+ "type": "object",
+ "properties": {
+ "domainNameLabel": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+ }
+ },
+ "domainNameLabelScope": {
+ "type": "string",
+ "allowedValues": [
+ "NoReuse",
+ "ResourceGroupReuse",
+ "SubscriptionReuse",
+ "TenantReuse"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone."
+ }
+ },
+ "reverseFqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "inboundNatRuleType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the inbound NAT rule."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the resource that is unique within the set of inbound NAT rules used by the load balancer. This name can be used to access the resource."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddressPool": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to backendAddressPool resource."
+ }
+ },
+ "backendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port used for the internal endpoint. Acceptable values range from 1 to 65535."
+ }
+ },
+ "enableFloatingIP": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint."
+ }
+ },
+ "enableTcpReset": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP."
+ }
+ },
+ "frontendIPConfiguration": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to frontend IP addresses."
+ }
+ },
+ "frontendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeStart": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeEnd": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "protocol": {
+ "type": "string",
+ "allowedValues": [
+ "All",
+ "Tcp",
+ "Udp"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to the transport protocol used by the load balancing rule."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the inbound NAT rule."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the inbound NAT rule.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "ipTagType": {
+ "type": "object",
+ "properties": {
+ "ipTagType": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag type."
+ }
+ },
+ "tag": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/public-ip-address:0.8.0"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "networkInterfaceIPConfigurationOutputType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the IP configuration."
+ }
+ },
+ "privateIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The private IP address."
+ }
+ },
+ "publicIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The public IP address."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.1"
+ }
+ }
+ },
+ "subResourceType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the sub resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the sub resource.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ },
+ "virtualNetworkTapType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the virtual network tap."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the virtual network tap."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the virtual network tap."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the virtual network tap."
+ }
+ }
+ },
+ "metadata": {
+ "description": "The type for the virtual network tap.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/res/network/network-interface:0.5.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "networkInterfaceName": {
+ "type": "string"
+ },
+ "virtualMachineName": {
+ "type": "string"
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ipConfigurationType"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the resource."
+ }
+ },
+ "enableIPForwarding": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "enableAcceleratedNetworking": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "dnsServers": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "defaultValue": []
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Enable telemetry via a Globally Unique Identifier (GUID)."
+ }
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The network security group (NSG) to attach to the network interface."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the service."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ }
+ },
+ "resources": {
+ "networkInterface_publicIPAddresses": {
+ "copy": {
+ "name": "networkInterface_publicIPAddresses",
+ "count": "[length(parameters('ipConfigurations'))]"
+ },
+ "condition": "[and(not(empty(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'))), empty(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIPAddressResourceId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-publicIP-{1}', deployment().name, copyIndex())]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[coalesce(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'name'), format('{0}{1}', parameters('virtualMachineName'), tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIpNameSuffix')))]"
+ },
+ "diagnosticSettings": {
+ "value": "[coalesce(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'diagnosticSettings'), tryGet(parameters('ipConfigurations')[copyIndex()], 'diagnosticSettings'))]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "lock": {
+ "value": "[parameters('lock')]"
+ },
+ "idleTimeoutInMinutes": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'idleTimeoutInMinutes')]"
+ },
+ "ddosSettings": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'ddosSettings')]"
+ },
+ "dnsSettings": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'dnsSettings')]"
+ },
+ "publicIPAddressVersion": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIPAddressVersion')]"
+ },
+ "publicIPAllocationMethod": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIPAllocationMethod')]"
+ },
+ "publicIpPrefixResourceId": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'publicIpPrefixResourceId')]"
+ },
+ "roleAssignments": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'roleAssignments')]"
+ },
+ "skuName": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'skuName')]"
+ },
+ "skuTier": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'skuTier')]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'tags'), parameters('tags'))]"
+ },
+ "availabilityZones": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'availabilityZones')]"
+ },
+ "enableTelemetry": {
+ "value": "[coalesce(coalesce(tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'enableTelemetry'), tryGet(parameters('ipConfigurations')[copyIndex()], 'enableTelemetry')), parameters('enableTelemetry'))]"
+ },
+ "ipTags": {
+ "value": "[tryGet(tryGet(parameters('ipConfigurations')[copyIndex()], 'pipConfiguration'), 'ipTags')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.38.5.1644",
+ "templateHash": "7550528442771433353"
+ },
+ "name": "Public IP Addresses",
+ "description": "This module deploys a Public IP Address."
+ },
+ "definitions": {
+ "dnsSettingsType": {
+ "type": "object",
+ "properties": {
+ "domainNameLabel": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system."
+ }
+ },
+ "domainNameLabelScope": {
+ "type": "string",
+ "allowedValues": [
+ "NoReuse",
+ "ResourceGroupReuse",
+ "SubscriptionReuse",
+ "TenantReuse"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The domain name label scope. If a domain name label and a domain name label scope are specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system with a hashed value includes in FQDN."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. This is the concatenation of the domainNameLabel and the regionalized DNS zone."
+ }
+ },
+ "reverseFqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "ddosSettingsType": {
+ "type": "object",
+ "properties": {
+ "ddosProtectionPlan": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the DDOS protection plan associated with the public IP address."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan associated with the public IP address."
+ }
+ },
+ "protectionMode": {
+ "type": "string",
+ "allowedValues": [
+ "Enabled"
+ ],
+ "metadata": {
+ "description": "Required. The DDoS protection policy customizations."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "ipTagType": {
+ "type": "object",
+ "properties": {
+ "ipTagType": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag type."
+ }
+ },
+ "tag": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The IP tag."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true
+ }
+ },
+ "diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the Public IP Address."
+ }
+ },
+ "publicIpPrefixResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix."
+ }
+ },
+ "publicIPAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "metadata": {
+ "description": "Optional. The public IP address allocation method."
+ }
+ },
+ "availabilityZones": {
+ "type": "array",
+ "items": {
+ "type": "int"
+ },
+ "defaultValue": [
+ 1,
+ 2,
+ 3
+ ],
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "metadata": {
+ "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from."
+ }
+ },
+ "publicIPAddressVersion": {
+ "type": "string",
+ "defaultValue": "IPv4",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "metadata": {
+ "description": "Optional. IP address version."
+ }
+ },
+ "dnsSettings": {
+ "$ref": "#/definitions/dnsSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DNS settings of the public IP address."
+ }
+ },
+ "ipTags": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ipTagType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The list of tags associated with the public IP address."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Standard",
+ "allowedValues": [
+ "Basic",
+ "Standard"
+ ],
+ "metadata": {
+ "description": "Optional. Name of a public IP address SKU."
+ }
+ },
+ "skuTier": {
+ "type": "string",
+ "defaultValue": "Regional",
+ "allowedValues": [
+ "Global",
+ "Regional"
+ ],
+ "metadata": {
+ "description": "Optional. Tier of a public IP address SKU."
+ }
+ },
+ "ddosSettings": {
+ "$ref": "#/definitions/ddosSettingsType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The DDoS protection plan configuration associated with the public IP address."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ },
+ "idleTimeoutInMinutes": {
+ "type": "int",
+ "defaultValue": 4,
+ "metadata": {
+ "description": "Optional. The idle timeout of the public IP address."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/publicIPAddresses@2024-10-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the service."
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "formattedRoleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+ }
+ ],
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]",
+ "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+ }
+ },
+ "resources": {
+ "avmTelemetry": {
+ "condition": "[parameters('enableTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2024-03-01",
+ "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.9.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [],
+ "outputs": {
+ "telemetry": {
+ "type": "String",
+ "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+ }
+ }
+ }
+ }
+ },
+ "publicIpAddress": {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "[parameters('skuTier')]"
+ },
+ "zones": "[map(parameters('availabilityZones'), lambda('zone', string(lambdaVariables('zone'))))]",
+ "properties": {
+ "ddosSettings": "[parameters('ddosSettings')]",
+ "dnsSettings": "[parameters('dnsSettings')]",
+ "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]",
+ "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
+ "publicIPPrefix": "[if(not(empty(parameters('publicIpPrefixResourceId'))), createObject('id', parameters('publicIpPrefixResourceId')), null())]",
+ "idleTimeoutInMinutes": "[parameters('idleTimeoutInMinutes')]",
+ "ipTags": "[parameters('ipTags')]"
+ }
+ },
+ "publicIpAddress_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+ "type": "Microsoft.Authorization/locks",
+ "apiVersion": "2020-05-01",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+ "properties": {
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ },
+ "publicIpAddress_roleAssignments": {
+ "copy": {
+ "name": "publicIpAddress_roleAssignments",
+ "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+ "properties": {
+ "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+ "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ },
+ "publicIpAddress_diagnosticSettings": {
+ "copy": {
+ "name": "publicIpAddress_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "properties": {
+ "copy": [
+ {
+ "name": "metrics",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]",
+ "input": {
+ "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]",
+ "timeGrain": null
+ }
+ },
+ {
+ "name": "logs",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs'))))]",
+ "input": {
+ "categoryGroup": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'categoryGroup')]",
+ "category": "[tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'category')]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logCategoriesAndGroups'), createArray(createObject('categoryGroup', 'allLogs')))[copyIndex('logs')], 'enabled'), true())]"
+ }
+ }
+ ],
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
+ },
+ "dependsOn": [
+ "publicIpAddress"
+ ]
+ }
+ },
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource group the public IP address was deployed into."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the public IP address."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the public IP address."
+ },
+ "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]"
+ },
+ "ipAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The public IP address of the public IP address resource."
+ },
+ "value": "[coalesce(tryGet(reference('publicIpAddress'), 'ipAddress'), '')]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('publicIpAddress', '2024-05-01', 'full').location]"
+ }
+ }
+ }
+ }
+ },
+ "networkInterface": {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-NetworkInterface', deployment().name)]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[parameters('networkInterfaceName')]"
+ },
+ "ipConfigurations": {
+ "copy": [
+ {
+ "name": "value",
+ "count": "[length(parameters('ipConfigurations'))]",
+ "input": "[createObject('name', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'name'), 'privateIPAllocationMethod', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAllocationMethod'), 'privateIPAddress', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAddress'), 'publicIPAddressResourceId', if(not(empty(tryGet(parameters('ipConfigurations')[copyIndex('value')], 'pipConfiguration'))), if(not(contains(coalesce(tryGet(parameters('ipConfigurations')[copyIndex('value')], 'pipConfiguration'), createObject()), 'publicIPAddressResourceId')), resourceId('Microsoft.Network/publicIPAddresses', coalesce(tryGet(tryGet(parameters('ipConfigurations')[copyIndex('value')], 'pipConfiguration'), 'name'), format('{0}{1}', parameters('virtualMachineName'), tryGet(tryGet(parameters('ipConfigurations')[copyIndex('value')], 'pipConfiguration'), 'publicIpNameSuffix')))), tryGet(parameters('ipConfigurations')[copyIndex('value')], 'pipConfiguration', 'publicIPAddressResourceId')), null()), 'subnetResourceId', parameters('ipConfigurations')[copyIndex('value')].subnetResourceId, 'loadBalancerBackendAddressPools', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'loadBalancerBackendAddressPools'), 'applicationSecurityGroups', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'applicationSecurityGroups'), 'applicationGatewayBackendAddressPools', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'applicationGatewayBackendAddressPools'), 'gatewayLoadBalancer', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'gatewayLoadBalancer'), 'loadBalancerInboundNatRules', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'loadBalancerInboundNatRules'), 'privateIPAddressVersion', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'privateIPAddressVersion'), 'virtualNetworkTaps', tryGet(parameters('ipConfigurations')[copyIndex('value')], 'virtualNetworkTaps'))]"
+ }
+ ]
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "diagnosticSettings": {
+ "value": "[parameters('diagnosticSettings')]"
+ },
+ "dnsServers": {
+ "value": "[parameters('dnsServers')]"
+ },
+ "enableAcceleratedNetworking": {
+ "value": "[parameters('enableAcceleratedNetworking')]"
+ },
+ "enableTelemetry": {
+ "value": "[parameters('enableTelemetry')]"
+ },
+ "enableIPForwarding": {
+ "value": "[parameters('enableIPForwarding')]"
+ },
+ "lock": {
+ "value": "[parameters('lock')]"
+ },
+ "networkSecurityGroupResourceId": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('value', parameters('networkSecurityGroupResourceId')), createObject('value', ''))]",
+ "roleAssignments": {
+ "value": "[parameters('roleAssignments')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.38.5.1644",
+ "templateHash": "272838238520810437"
+ },
+ "name": "Network Interface",
+ "description": "This module deploys a Network Interface."
+ },
+ "definitions": {
+ "networkInterfaceIPConfigurationType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the IP configuration."
+ }
+ },
+ "privateIPAllocationMethod": {
+ "type": "string",
+ "allowedValues": [
+ "Dynamic",
+ "Static"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address allocation method."
+ }
+ },
+ "privateIPAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The private IP address."
+ }
+ },
+ "publicIPAddressResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the public IP address."
+ }
+ },
+ "subnetResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the subnet."
+ }
+ },
+ "loadBalancerBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/backendAddressPoolType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of load balancer backend address pools."
+ }
+ },
+ "loadBalancerInboundNatRules": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/inboundNatRuleType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A list of references of LoadBalancerInboundNatRules."
+ }
+ },
+ "applicationSecurityGroups": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/applicationSecurityGroupType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Application security groups in which the IP configuration is included."
+ }
+ },
+ "applicationGatewayBackendAddressPools": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/applicationGatewayBackendAddressPoolsType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to Application Gateway Backend Address Pools."
+ }
+ },
+ "gatewayLoadBalancer": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to gateway load balancer frontend IP."
+ }
+ },
+ "privateIPAddressVersion": {
+ "type": "string",
+ "allowedValues": [
+ "IPv4",
+ "IPv6"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Whether the specific IP configuration is IPv4 or IPv6."
+ }
+ },
+ "virtualNetworkTaps": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/virtualNetworkTapType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to Virtual Network Taps."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The resource ID of the deployed resource."
+ }
+ },
+ "backendAddressPoolType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the backend address pool."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The properties of the backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for a backend address pool."
+ }
+ },
+ "applicationSecurityGroupType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the application security group."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the application security group."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application security group."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the application security group."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the application security group."
+ }
+ },
+ "applicationGatewayBackendAddressPoolsType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the backend address pool."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the backend address pool that is unique within an Application Gateway."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddresses": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "ipAddress": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. IP address of the backend address."
+ }
+ },
+ "fqdn": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. FQDN of the backend address."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Backend addresses."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the application gateway backend address pool."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the application gateway backend address pool."
+ }
+ },
+ "subResourceType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the sub resource."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the sub resource."
+ }
+ },
+ "inboundNatRuleType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the inbound NAT rule."
+ }
+ },
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the resource that is unique within the set of inbound NAT rules used by the load balancer. This name can be used to access the resource."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "properties": {
+ "backendAddressPool": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to backendAddressPool resource."
+ }
+ },
+ "backendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port used for the internal endpoint. Acceptable values range from 1 to 65535."
+ }
+ },
+ "enableFloatingIP": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint."
+ }
+ },
+ "enableTcpReset": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP."
+ }
+ },
+ "frontendIPConfiguration": {
+ "$ref": "#/definitions/subResourceType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A reference to frontend IP addresses."
+ }
+ },
+ "frontendPort": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeStart": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "frontendPortRangeEnd": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534."
+ }
+ },
+ "protocol": {
+ "type": "string",
+ "allowedValues": [
+ "All",
+ "Tcp",
+ "Udp"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The reference to the transport protocol used by the load balancing rule."
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the inbound NAT rule."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the inbound NAT rule."
+ }
+ },
+ "virtualNetworkTapType": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the virtual network tap."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Location of the virtual network tap."
+ }
+ },
+ "properties": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Properties of the virtual network tap."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Tags of the virtual network tap."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the virtual network tap."
+ }
+ },
+ "networkInterfaceIPConfigurationOutputType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the IP configuration."
+ }
+ },
+ "privateIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The private IP address."
+ }
+ },
+ "publicIP": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The public IP address."
+ }
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the network interface IP configuration output."
+ }
+ },
+ "diagnosticSettingFullType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of the diagnostic setting."
+ }
+ },
+ "logCategoriesAndGroups": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
+ }
+ },
+ "categoryGroup": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+ }
+ },
+ "metricCategories": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+ }
+ },
+ "enabled": {
+ "type": "bool",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+ }
+ }
+ }
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+ }
+ },
+ "logAnalyticsDestinationType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "eventHubAuthorizationRuleResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+ }
+ },
+ "marketplacePartnerResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
+ }
+ }
+ },
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ },
+ "notes": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the notes of the lock."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a lock.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.6.0"
+ }
+ }
+ },
+ "roleAssignmentType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+ }
+ },
+ "roleDefinitionIdOrName": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+ }
+ },
+ "principalId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+ }
+ },
+ "principalType": {
+ "type": "string",
+ "allowedValues": [
+ "Device",
+ "ForeignGroup",
+ "Group",
+ "ServicePrincipal",
+ "User"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The principal type of the assigned principal ID."
+ }
+ },
+ "description": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The description of the role assignment."
+ }
+ },
+ "condition": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+ }
+ },
+ "conditionVersion": {
+ "type": "string",
+ "allowedValues": [
+ "2.0"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Version of the condition."
+ }
+ },
+ "delegatedManagedIdentityResourceId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Resource Id of the delegated managed identity resource."
+ }
+ }
+ },
+ "metadata": {
+ "description": "An AVM-aligned type for a role assignment.",
+ "__bicep_imported_from!": {
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the network interface."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/networkInterfaces@2024-07-01#properties/tags"
+ },
+ "description": "Optional. Resource tags."
+ },
+ "nullable": true
+ },
+ "enableTelemetry": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Optional. Enable/Disable usage telemetry for module."
+ }
+ },
+ "enableIPForwarding": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether IP forwarding is enabled on this network interface."
+ }
+ },
+ "enableAcceleratedNetworking": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. If the network interface is accelerated networking enabled."
+ }
+ },
+ "dnsServers": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "defaultValue": [],
+ "metadata": {
+ "description": "Optional. List of DNS servers IP addresses. Use 'AzureProvidedDNS' to switch to azure provided DNS resolution. 'AzureProvidedDNS' value cannot be combined with other IPs, it must be the only value in dnsServers collection."
+ }
+ },
+ "networkSecurityGroupResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. The network security group (NSG) to attach to the network interface."
+ }
+ },
+ "auxiliaryMode": {
+ "type": "string",
+ "defaultValue": "None",
+ "allowedValues": [
+ "Floating",
+ "MaxConnections",
+ "None"
+ ],
+ "metadata": {
+ "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic."
+ }
+ },
+ "auxiliarySku": {
+ "type": "string",
+ "defaultValue": "None",
+ "allowedValues": [
+ "A1",
+ "A2",
+ "A4",
+ "A8",
+ "None"
+ ],
+ "metadata": {
+ "description": "Optional. Auxiliary sku of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic."
+ }
+ },
+ "disableTcpStateTracking": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether to disable tcp state tracking. Subscription must be registered for the Microsoft.Network/AllowDisableTcpStateTracking feature before this property can be set to true."
+ }
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/networkInterfaceIPConfigurationType"
+ },
+ "metadata": {
+ "description": "Required. A list of IPConfigurations of the network interface."
+ }
+ },
+ "lock": {
+ "$ref": "#/definitions/lockType",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The lock settings of the service."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "diagnosticSettings": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/diagnosticSettingFullType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The diagnostic settings of the service."
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "formattedRoleAssignments",
+ "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+ "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+ }
+ ],
+ "builtInRoleNames": {
+ "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+ "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]",
+ "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
+ "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
+ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+ "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
+ "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+ }
+ },
+ "resources": {
+ "publicIp": {
+ "copy": {
+ "name": "publicIp",
+ "count": "[length(parameters('ipConfigurations'))]"
+ },
+ "condition": "[and(contains(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), not(equals(tryGet(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), null())))]",
+ "existing": true,
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2024-05-01",
+ "resourceGroup": "[split(coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), ''), '/')[4]]",
+ "name": "[last(split(coalesce(tryGet(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), ''), '/'))]"
+ },
+ "avmTelemetry": {
+ "condition": "[parameters('enableTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2024-03-01",
+ "name": "[format('46d3xbcp.res.network-networkinterface.{0}.{1}', replace('0.5.3', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [],
+ "outputs": {
+ "telemetry": {
+ "type": "String",
+ "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+ }
+ }
+ }
+ }
+ },
+ "networkInterface": {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2024-05-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "copy": [
+ {
+ "name": "ipConfigurations",
+ "count": "[length(parameters('ipConfigurations'))]",
+ "input": {
+ "name": "[coalesce(tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'name'), format('ipconfig{0}', padLeft(add(copyIndex('ipConfigurations'), 1), 2, '0')))]",
+ "properties": {
+ "primary": "[if(equals(copyIndex('ipConfigurations'), 0), true(), false())]",
+ "privateIPAllocationMethod": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAllocationMethod')]",
+ "privateIPAddress": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddress')]",
+ "publicIPAddress": "[if(contains(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'publicIPAddressResourceId'), if(not(equals(tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'publicIPAddressResourceId'), null())), createObject('id', tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'publicIPAddressResourceId')), null()), null())]",
+ "subnet": {
+ "id": "[parameters('ipConfigurations')[copyIndex('ipConfigurations')].subnetResourceId]"
+ },
+ "loadBalancerBackendAddressPools": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerBackendAddressPools')]",
+ "applicationSecurityGroups": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'applicationSecurityGroups')]",
+ "applicationGatewayBackendAddressPools": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'applicationGatewayBackendAddressPools')]",
+ "gatewayLoadBalancer": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'gatewayLoadBalancer')]",
+ "loadBalancerInboundNatRules": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'loadBalancerInboundNatRules')]",
+ "privateIPAddressVersion": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'privateIPAddressVersion')]",
+ "virtualNetworkTaps": "[tryGet(parameters('ipConfigurations')[copyIndex('ipConfigurations')], 'virtualNetworkTaps')]"
+ }
+ }
+ }
+ ],
+ "auxiliaryMode": "[parameters('auxiliaryMode')]",
+ "auxiliarySku": "[parameters('auxiliarySku')]",
+ "disableTcpStateTracking": "[parameters('disableTcpStateTracking')]",
+ "dnsSettings": "[if(not(empty(parameters('dnsServers'))), createObject('dnsServers', parameters('dnsServers')), null())]",
+ "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]",
+ "enableIPForwarding": "[parameters('enableIPForwarding')]",
+ "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupResourceId'))), createObject('id', parameters('networkSecurityGroupResourceId')), null())]"
+ }
+ },
+ "networkInterface_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+ "type": "Microsoft.Authorization/locks",
+ "apiVersion": "2020-05-01",
+ "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+ "properties": {
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[coalesce(tryGet(parameters('lock'), 'notes'), if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.'))]"
+ },
+ "dependsOn": [
+ "networkInterface"
+ ]
+ },
+ "networkInterface_diagnosticSettings": {
+ "copy": {
+ "name": "networkInterface_diagnosticSettings",
+ "count": "[length(coalesce(parameters('diagnosticSettings'), createArray()))]"
+ },
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'name'), format('{0}-diagnosticSettings', parameters('name')))]",
+ "properties": {
+ "copy": [
+ {
+ "name": "metrics",
+ "count": "[length(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics'))))]",
+ "input": {
+ "category": "[coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')].category]",
+ "enabled": "[coalesce(tryGet(coalesce(tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'metricCategories'), createArray(createObject('category', 'AllMetrics')))[copyIndex('metrics')], 'enabled'), true())]",
+ "timeGrain": null
+ }
+ }
+ ],
+ "storageAccountId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'storageAccountResourceId')]",
+ "workspaceId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'workspaceResourceId')]",
+ "eventHubAuthorizationRuleId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubAuthorizationRuleResourceId')]",
+ "eventHubName": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'eventHubName')]",
+ "marketplacePartnerId": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'marketplacePartnerResourceId')]",
+ "logAnalyticsDestinationType": "[tryGet(coalesce(parameters('diagnosticSettings'), createArray())[copyIndex()], 'logAnalyticsDestinationType')]"
+ },
+ "dependsOn": [
+ "networkInterface"
+ ]
+ },
+ "networkInterface_roleAssignments": {
+ "copy": {
+ "name": "networkInterface_roleAssignments",
+ "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[format('Microsoft.Network/networkInterfaces/{0}', parameters('name'))]",
+ "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/networkInterfaces', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+ "properties": {
+ "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+ "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+ "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+ "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+ "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+ "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+ "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+ },
+ "dependsOn": [
+ "networkInterface"
+ ]
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the deployed resource."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the deployed resource."
+ },
+ "value": "[resourceId('Microsoft.Network/networkInterfaces', parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource group of the deployed resource."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('networkInterface', '2024-05-01', 'full').location]"
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/networkInterfaceIPConfigurationOutputType"
+ },
+ "metadata": {
+ "description": "The list of IP configurations of the network interface."
+ },
+ "copy": {
+ "count": "[length(parameters('ipConfigurations'))]",
+ "input": {
+ "name": "[reference('networkInterface').ipConfigurations[copyIndex()].name]",
+ "privateIP": "[coalesce(tryGet(reference('networkInterface').ipConfigurations[copyIndex()].properties, 'privateIPAddress'), '')]",
+ "publicIP": "[if(and(contains(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), not(equals(tryGet(parameters('ipConfigurations')[copyIndex()], 'publicIPAddressResourceId'), null()))), coalesce(reference(format('publicIp[{0}]', copyIndex())).ipAddress, ''), '')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "networkInterface_publicIPAddresses"
+ ]
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the network interface."
+ },
+ "value": "[reference('networkInterface').outputs.name.value]"
+ },
+ "ipConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/networkInterfaceIPConfigurationOutputType"
+ },
+ "metadata": {
+ "description": "The list of IP configurations of the network interface."
+ },
+ "value": "[reference('networkInterface').outputs.ipConfigurations.value]"
+ }
+ }
+ }
+ }
+ },
+ "vm_domainJoinExtension": {
+ "condition": "[and(contains(parameters('extensionDomainJoinConfig'), 'enabled'), parameters('extensionDomainJoinConfig').enabled)]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-DomainJoin', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'name'), 'DomainJoin')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Compute"
+ },
+ "type": {
+ "value": "JsonADDomainExtension"
+ },
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), '1.3')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "settings": {
+ "value": "[parameters('extensionDomainJoinConfig').settings]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'tags'), parameters('tags'))]"
+ },
+ "protectedSettings": {
+ "value": {
+ "Password": "[parameters('extensionDomainJoinPassword')]"
+ }
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm"
+ ]
+ },
+ "vm_aadJoinExtension": {
+ "condition": "[parameters('extensionAadJoinConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-AADLogin', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'name'), 'AADLogin')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.ActiveDirectory"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AADLoginForWindows'), createObject('value', 'AADSSHLoginforLinux'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '2.0', '1.0'))]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "settings": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'settings'), createObject())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionAadJoinConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_domainJoinExtension"
+ ]
+ },
+ "vm_microsoftAntiMalwareExtension": {
+ "condition": "[parameters('extensionAntiMalwareConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-MicrosoftAntiMalware', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'name'), 'MicrosoftAntiMalware')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.Security"
+ },
+ "type": {
+ "value": "IaaSAntimalware"
+ },
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), '1.3')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "settings": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'settings'), createObject('AntimalwareEnabled', 'true', 'Exclusions', createObject(), 'RealtimeProtectionEnabled', 'true', 'ScheduledScanSettings', createObject('day', '7', 'isEnabled', 'true', 'scanType', 'Quick', 'time', '120')))]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_aadJoinExtension"
+ ]
+ },
+ "vm_azureMonitorAgentExtension": {
+ "condition": "[parameters('extensionMonitoringAgentConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-AzureMonitorAgent', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'name'), 'AzureMonitorAgent')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.Monitor"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureMonitorWindowsAgent'), createObject('value', 'AzureMonitorLinuxAgent'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '1.22', '1.29'))]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_microsoftAntiMalwareExtension"
+ ]
+ },
+ "vm_dependencyAgentExtension": {
+ "condition": "[parameters('extensionDependencyAgentConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-DependencyAgent', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'name'), 'DependencyAgent')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.Monitoring.DependencyAgent"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'DependencyAgentWindows'), createObject('value', 'DependencyAgentLinux'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), '9.10')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), true())]"
+ },
+ "settings": {
+ "value": {
+ "enableAMA": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'enableAMA'), true())]"
+ }
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_azureMonitorAgentExtension"
+ ]
+ },
+ "vm_networkWatcherAgentExtension": {
+ "condition": "[parameters('extensionNetworkWatcherAgentConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-NetworkWatcherAgent', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'name'), 'NetworkWatcherAgent')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.NetworkWatcher"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'NetworkWatcherAgentWindows'), createObject('value', 'NetworkWatcherAgentLinux'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), '1.4')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_dependencyAgentExtension"
+ ]
+ },
+ "vm_desiredStateConfigurationExtension": {
+ "condition": "[parameters('extensionDSCConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-DesiredStateConfiguration', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'name'), 'DesiredStateConfiguration')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Powershell"
+ },
+ "type": {
+ "value": "DSC"
+ },
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'typeHandlerVersion'), '2.77')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "settings": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'settings'), createObject())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'tags'), parameters('tags'))]"
+ },
+ "protectedSettings": {
+ "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'protectedSettings'), createObject())]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_networkWatcherAgentExtension"
+ ]
+ },
+ "vm_customScriptExtension": {
+ "condition": "[not(empty(parameters('extensionCustomScriptConfig')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-CustomScriptExtension', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'name'), 'CustomScriptExtension')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'Microsoft.Compute'), createObject('value', 'Microsoft.Azure.Extensions'))]",
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'CustomScriptExtension'), createObject('value', 'CustomScript'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '1.10', '2.1'))]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "forceUpdateTag": {
+ "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'forceUpdateTag')]"
+ },
+ "provisionAfterExtensions": {
+ "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'provisionAfterExtensions')]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'tags'), parameters('tags'))]"
+ },
+ "protectedSettingsFromKeyVault": {
+ "value": "[tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettingsFromKeyVault')]"
+ },
+ "settings": {
+ "value": "[shallowMerge(createArray(if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'commandToExecute'))), createObject('commandToExecute', tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'commandToExecute')), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'settings'), 'fileUris'))), createObject('fileUris', tryGet(parameters('extensionCustomScriptConfig'), 'settings', 'fileUris')), createObject())))]"
+ },
+ "protectedSettings": {
+ "value": "[shallowMerge(createArray(if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'commandToExecute'))), createObject('commandToExecute', tryGet(parameters('extensionCustomScriptConfig').protectedSettings, 'commandToExecute')), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'storageAccountName'))), createObject('storageAccountName', parameters('extensionCustomScriptConfig').protectedSettings.storageAccountName), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'storageAccountKey'))), createObject('storageAccountKey', parameters('extensionCustomScriptConfig').protectedSettings.storageAccountKey), createObject()), if(not(empty(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'fileUris'))), createObject('fileUris', parameters('extensionCustomScriptConfig').protectedSettings.fileUris), createObject()), if(not(equals(tryGet(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), 'managedIdentityResourceId'), null())), createObject('managedIdentity', if(not(empty(tryGet(parameters('extensionCustomScriptConfig').protectedSettings, 'managedIdentityResourceId'))), createObject('clientId', reference('cseIdentity').clientId), createObject())), createObject())))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "cseIdentity",
+ "vm",
+ "vm_desiredStateConfigurationExtension"
+ ]
+ },
+ "vm_azureDiskEncryptionExtension": {
+ "condition": "[parameters('extensionAzureDiskEncryptionConfig').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-AzureDiskEncryption', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'name'), 'AzureDiskEncryption')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.Azure.Security"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureDiskEncryption'), createObject('value', 'AzureDiskEncryptionForLinux'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '2.2', '1.1'))]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "forceUpdateTag": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), '1.0')]"
+ },
+ "settings": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'settings'), createObject())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_customScriptExtension"
+ ]
+ },
+ "vm_nvidiaGpuDriverWindowsExtension": {
+ "condition": "[parameters('extensionNvidiaGpuDriverWindows').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-NvidiaGpuDriverWindows', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'name'), 'NvidiaGpuDriverWindows')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.HpcCompute"
+ },
+ "type": {
+ "value": "NvidiaGpuDriverWindows"
+ },
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'typeHandlerVersion'), '1.4')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'supressFailures'), false())]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionNvidiaGpuDriverWindows'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_azureDiskEncryptionExtension"
+ ]
+ },
+ "vm_hostPoolRegistrationExtension": {
+ "condition": "[parameters('extensionHostPoolRegistration').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-HostPoolRegistration', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": {
+ "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'name'), 'HostPoolRegistration')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.PowerShell"
+ },
+ "type": {
+ "value": "DSC"
+ },
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'typeHandlerVersion'), '2.77')]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'enableAutomaticUpgrade'), false())]"
+ },
+ "settings": {
+ "value": {
+ "modulesUrl": "[parameters('extensionHostPoolRegistration').modulesUrl]",
+ "configurationFunction": "[parameters('extensionHostPoolRegistration').configurationFunction]",
+ "properties": {
+ "hostPoolName": "[parameters('extensionHostPoolRegistration').hostPoolName]",
+ "registrationInfoToken": "[parameters('extensionHostPoolRegistration').registrationInfoToken]",
+ "aadJoin": true
+ },
+ "supressFailures": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'supressFailures'), false())]"
+ }
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionHostPoolRegistration'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_nvidiaGpuDriverWindowsExtension"
+ ]
+ },
+ "vm_azureGuestConfigurationExtension": {
+ "condition": "[parameters('extensionGuestConfigurationExtension').enabled]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-GuestConfiguration', uniqueString(deployment().name, parameters('location')))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "virtualMachineName": {
+ "value": "[parameters('name')]"
+ },
+ "name": "[if(coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'name'), equals(parameters('osType'), 'Windows')), createObject('value', 'AzurePolicyforWindows'), createObject('value', 'AzurePolicyforLinux'))]",
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "publisher": {
+ "value": "Microsoft.GuestConfiguration"
+ },
+ "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'ConfigurationforWindows'), createObject('value', 'ConfigurationForLinux'))]",
+ "typeHandlerVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '1.0', '1.0'))]"
+ },
+ "autoUpgradeMinorVersion": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'autoUpgradeMinorVersion'), true())]"
+ },
+ "enableAutomaticUpgrade": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'enableAutomaticUpgrade'), true())]"
+ },
+ "forceUpdateTag": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'forceUpdateTag'), '1.0')]"
+ },
+ "settings": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'settings'), createObject())]"
+ },
+ "supressFailures": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'supressFailures'), false())]"
+ },
+ "protectedSettings": {
+ "value": "[parameters('extensionGuestConfigurationExtensionProtectedSettings')]"
+ },
+ "tags": {
+ "value": "[coalesce(tryGet(parameters('extensionGuestConfigurationExtension'), 'tags'), parameters('tags'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "8391598897118491777"
+ },
+ "name": "Virtual Machine Extensions",
+ "description": "This module deploys a Virtual Machine Extension."
+ },
+ "parameters": {
+ "virtualMachineName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent virtual machine that extension is provisioned for. Required if the template is used in a standalone deployment."
+ }
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the virtual machine extension."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. The location the extension is deployed to."
+ }
+ },
+ "publisher": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the extension handler publisher."
+ }
+ },
+ "type": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the type of the extension; an example is \"CustomScriptExtension\"."
+ }
+ },
+ "typeHandlerVersion": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Specifies the version of the script handler."
+ }
+ },
+ "autoUpgradeMinorVersion": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should use a newer minor version if one is available at deployment time. Once deployed, however, the extension will not upgrade minor versions unless redeployed, even with this property set to true."
+ }
+ },
+ "forceUpdateTag": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. How the extension handler should be forced to update even if the extension configuration has not changed."
+ }
+ },
+ "settings": {
+ "type": "object",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific settings."
+ }
+ },
+ "protectedSettings": {
+ "type": "secureObject",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Any object that contains the extension specific protected settings."
+ }
+ },
+ "supressFailures": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Optional. Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+ }
+ },
+ "enableAutomaticUpgrade": {
+ "type": "bool",
+ "metadata": {
+ "description": "Required. Indicates whether the extension should be automatically upgraded by the platform if there is a newer version of the extension available."
+ }
+ },
+ "tags": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/tags"
+ },
+ "description": "Optional. Tags of the resource."
+ },
+ "nullable": true
+ },
+ "protectedSettingsFromKeyVault": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/protectedSettingsFromKeyVault"
+ },
+ "description": "Optional. The extensions protected settings that are passed by reference, and consumed from key vault."
+ },
+ "nullable": true
+ },
+ "provisionAfterExtensions": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Compute/virtualMachines/extensions@2024-11-01#properties/properties/properties/provisionAfterExtensions"
+ },
+ "description": "Optional. Collection of extension names after which this extension needs to be provisioned."
+ },
+ "nullable": true
+ }
+ },
+ "resources": {
+ "virtualMachine": {
+ "existing": true,
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-11-01",
+ "name": "[parameters('virtualMachineName')]"
+ },
+ "extension": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "apiVersion": "2024-11-01",
+ "name": "[format('{0}/{1}', parameters('virtualMachineName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "tags": "[parameters('tags')]",
+ "properties": {
+ "publisher": "[parameters('publisher')]",
+ "type": "[parameters('type')]",
+ "typeHandlerVersion": "[parameters('typeHandlerVersion')]",
+ "autoUpgradeMinorVersion": "[parameters('autoUpgradeMinorVersion')]",
+ "enableAutomaticUpgrade": "[parameters('enableAutomaticUpgrade')]",
+ "forceUpdateTag": "[parameters('forceUpdateTag')]",
+ "settings": "[parameters('settings')]",
+ "protectedSettings": "[parameters('protectedSettings')]",
+ "suppressFailures": "[parameters('supressFailures')]",
+ "protectedSettingsFromKeyVault": "[parameters('protectedSettingsFromKeyVault')]",
+ "provisionAfterExtensions": "[parameters('provisionAfterExtensions')]"
+ }
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the extension."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the extension."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('virtualMachineName'), parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the extension was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('extension', '2024-11-01', 'full').location]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_hostPoolRegistrationExtension"
+ ]
+ },
+ "vm_backup": {
+ "condition": "[not(empty(parameters('backupVaultName')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[format('{0}-VM-Backup', uniqueString(deployment().name, parameters('location')))]",
+ "resourceGroup": "[parameters('backupVaultResourceGroup')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[format('vm;iaasvmcontainerv2;{0};{1}', resourceGroup().name, parameters('name'))]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "policyId": {
+ "value": "[resourceId(parameters('backupVaultResourceGroup'), 'Microsoft.RecoveryServices/vaults/backupPolicies', parameters('backupVaultName'), parameters('backupPolicyName'))]"
+ },
+ "protectedItemType": {
+ "value": "Microsoft.Compute/virtualMachines"
+ },
+ "protectionContainerName": {
+ "value": "[format('iaasvmcontainer;iaasvmcontainerv2;{0};{1}', resourceGroup().name, parameters('name'))]"
+ },
+ "recoveryVaultName": {
+ "value": "[parameters('backupVaultName')]"
+ },
+ "sourceResourceId": {
+ "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.39.26.7824",
+ "templateHash": "3866626825190424174"
+ },
+ "name": "Recovery Service Vaults Protection Container Protected Item",
+ "description": "This module deploys a Recovery Services Vault Protection Container Protected Item."
+ },
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Name of the resource."
+ }
+ },
+ "protectionContainerName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment."
+ }
+ },
+ "recoveryVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "protectedItemType": {
+ "type": "string",
+ "allowedValues": [
+ "AzureFileShareProtectedItem",
+ "AzureVmWorkloadSAPAseDatabase",
+ "AzureVmWorkloadSAPHanaDatabase",
+ "AzureVmWorkloadSQLDatabase",
+ "DPMProtectedItem",
+ "GenericProtectedItem",
+ "MabFileFolderProtectedItem",
+ "Microsoft.ClassicCompute/virtualMachines",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Sql/servers/databases"
+ ],
+ "metadata": {
+ "description": "Required. The backup item type."
+ }
+ },
+ "policyId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. ID of the backup policy with which this item is backed up."
+ }
+ },
+ "sourceResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. Resource ID of the resource to back up."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
+ "apiVersion": "2025-02-01",
+ "name": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "protectedItemType": "[parameters('protectedItemType')]",
+ "policyId": "[parameters('policyId')]",
+ "sourceResourceId": "[parameters('sourceResourceId')]"
+ }
+ }
+ ],
+ "outputs": {
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Resource Group the protected item was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the protected item."
+ },
+ "value": "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems', split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[0], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[1], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[2], split(format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name')), '/')[3])]"
+ },
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The Name of the protected item."
+ },
+ "value": "[format('{0}/Azure/{1}/{2}', parameters('recoveryVaultName'), parameters('protectionContainerName'), parameters('name'))]"
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "vm",
+ "vm_azureGuestConfigurationExtension"
+ ]
+ }
+ },
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the VM."
+ },
+ "value": "[parameters('name')]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the VM."
+ },
+ "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('name'))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource group the VM was created in."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "systemAssignedMIPrincipalId": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "The principal ID of the system assigned identity."
+ },
+ "value": "[tryGet(tryGet(reference('vm', '2024-07-01', 'full'), 'identity'), 'principalId')]"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The location the resource was deployed into."
+ },
+ "value": "[reference('vm', '2024-07-01', 'full').location]"
+ },
+ "nicConfigurations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/nicConfigurationOutputType"
+ },
+ "metadata": {
+ "description": "The list of NIC configurations of the virtual machine."
+ },
+ "copy": {
+ "count": "[length(parameters('nicConfigurations'))]",
+ "input": {
+ "name": "[reference(format('vm_nic[{0}]', copyIndex())).outputs.name.value]",
+ "ipConfigurations": "[reference(format('vm_nic[{0}]', copyIndex())).outputs.ipConfigurations.value]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "dependsOn": [
+ "logAnalyticsWorkspace",
+ "userAssignedIdentity",
+ "virtualNetwork"
+ ]
+ },
+ "avmPrivateDnsZones": {
+ "copy": {
+ "name": "avmPrivateDnsZones",
+ "count": "[length(variables('privateDnsZones'))]",
+ "mode": "serial",
+ "batchSize": 5
+ },
+ "condition": "[parameters('enablePrivateNetworking')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2025-04-01",
+ "name": "[take(format('avm.res.network.private-dns-zone.{0}', replace(variables('privateDnsZones')[copyIndex()], '.', '-')), 64)]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "name": {
+ "value": "[variables('privateDnsZones')[copyIndex()]]"
+ },
+ "tags": {
+ "value": "[parameters('tags')]"
+ },
+ "enableTelemetry": {
+ "value": "[parameters('enableTelemetry')]"
+ },
+ "virtualNetworkLinks": {
+ "value": [
+ {
+ "virtualNetworkResourceId": "[if(parameters('enablePrivateNetworking'), reference('virtualNetwork').outputs.resourceId.value, '')]",
+ "registrationEnabled": false
+ }
+ ]
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.37.4.10188",
+ "templateHash": "17921343070314002065"
+ },
+ "name": "Private DNS Zones",
+ "description": "This module deploys a Private DNS zone."
+ },
+ "definitions": {
+ "aType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "aRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/A@2024-06-01#properties/properties/properties/aRecords"
+ },
+ "description": "Optional. The list of A records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the A record."
+ }
+ },
+ "aaaaType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "aaaaRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/AAAA@2024-06-01#properties/properties/properties/aaaaRecords"
+ },
+ "description": "Optional. The list of AAAA records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the AAAA record."
+ }
+ },
+ "cnameType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "cnameRecord": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/CNAME@2024-06-01#properties/properties/properties/cnameRecord"
+ },
+ "description": "Optional. The CNAME record in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the CNAME record."
+ }
+ },
+ "mxType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "mxRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/MX@2024-06-01#properties/properties/properties/mxRecords"
+ },
+ "description": "Optional. The list of MX records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the MX record."
+ }
+ },
+ "ptrType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "ptrRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/PTR@2024-06-01#properties/properties/properties/ptrRecords"
+ },
+ "description": "Optional. The list of PTR records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the PTR record."
+ }
+ },
+ "soaType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "soaRecord": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/SOA@2024-06-01#properties/properties/properties/soaRecord"
+ },
+ "description": "Optional. The SOA record in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the SOA record."
+ }
+ },
+ "srvType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "srvRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/SRV@2024-06-01#properties/properties/properties/srvRecords"
+ },
+ "description": "Optional. The list of SRV records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the SRV record."
+ }
+ },
+ "txtType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The name of the record."
+ }
+ },
+ "metadata": {
+ "type": "object",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/metadata"
+ },
+ "description": "Optional. The metadata of the record."
+ },
+ "nullable": true
+ },
+ "ttl": {
+ "type": "int",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The TTL of the record."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/roleAssignmentType"
+ },
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Array of role assignments to create."
+ }
+ },
+ "txtRecords": {
+ "type": "array",
+ "metadata": {
+ "__bicep_resource_derived_type!": {
+ "source": "Microsoft.Network/privateDnsZones/TXT@2024-06-01#properties/properties/properties/txtRecords"
+ },
+ "description": "Optional. The list of TXT records in the record set."
+ },
+ "nullable": true
+ }
+ },
+ "metadata": {
+ "__bicep_export!": true,
+ "description": "The type for the TXT record."
+ }
+ },
+ "virtualNetworkLinkType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "minLength": 1,
+ "maxLength": 80,
+ "metadata": {
+ "description": "Optional. The resource name."
+ }
+ },
+ "virtualNetworkResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Required. The resource ID of the virtual network to link."
+ }
+ },
+ "location": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. The Azure Region where the resource lives."
+ }
+ },
+ "registrationEnabled": {
+ "type": "bool",
+ "nullable": true,
"metadata": {
"description": "Optional. Is auto-registration of virtual machine records in the virtual network in the Private DNS zone enabled?."
}
@@ -13971,8 +24861,8 @@
},
"dependsOn": [
"aiFoundryAiServices",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
"[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
"virtualNetwork"
]
},
@@ -14012,8 +24902,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "5579055444657114163"
+ "version": "0.42.1.51946",
+ "templateHash": "831092851343254936"
}
},
"parameters": {
@@ -14150,8 +25040,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "4896504561894393634"
+ "version": "0.42.1.51946",
+ "templateHash": "1725382017005764747"
}
},
"parameters": {
@@ -14274,8 +25164,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "12449348145632794739"
+ "version": "0.42.1.51946",
+ "templateHash": "8900687660670713557"
}
},
"parameters": {
@@ -31212,8 +42102,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "8373975196748337393"
+ "version": "0.42.1.51946",
+ "templateHash": "1960900918045956971"
}
},
"definitions": {
@@ -32241,8 +43131,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "5518029515589119726"
+ "version": "0.42.1.51946",
+ "templateHash": "12846584330925464650"
},
"name": "Site App Settings",
"description": "This module deploys a Site App Setting."
@@ -33166,11 +44056,11 @@
"value": "[format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName'))]"
},
{
- "name": "AZURE_OPENAI_GPT_MODEL",
+ "name": "AZURE_ENV_GPT_MODEL_NAME",
"value": "[parameters('gptModelName')]"
},
{
- "name": "AZURE_OPENAI_IMAGE_MODEL",
+ "name": "AZURE_ENV_IMAGE_MODEL_NAME",
"value": "[variables('imageModelConfig')[parameters('imageModelChoice')].name]"
},
{
@@ -33178,7 +44068,7 @@
"value": "[if(not(equals(parameters('imageModelChoice'), 'none')), format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName')), '')]"
},
{
- "name": "AZURE_OPENAI_API_VERSION",
+ "name": "AZURE_ENV_OPENAI_API_VERSION",
"value": "[parameters('azureOpenaiAPIVersion')]"
},
{
@@ -33278,8 +44168,8 @@
"metadata": {
"_generator": {
"name": "bicep",
- "version": "0.41.2.15936",
- "templateHash": "11066122245438821615"
+ "version": "0.42.1.51946",
+ "templateHash": "10568375158361462358"
}
},
"parameters": {
@@ -33563,7 +44453,7 @@
},
"value": "[if(variables('useExistingAiFoundryAiProject'), '', reference('aiFoundryAiServices').outputs.resourceId.value)]"
},
- "AZURE_EXISTING_AI_PROJECT_RESOURCE_ID": {
+ "AZURE_EXISTING_AIPROJECT_RESOURCE_ID": {
"type": "string",
"metadata": {
"description": "Contains existing AI project resource ID."
@@ -33605,14 +44495,14 @@
},
"value": "[format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName'))]"
},
- "AZURE_OPENAI_GPT_MODEL": {
+ "AZURE_ENV_GPT_MODEL_NAME": {
"type": "string",
"metadata": {
"description": "Contains GPT Model"
},
"value": "[parameters('gptModelName')]"
},
- "AZURE_OPENAI_IMAGE_MODEL": {
+ "AZURE_ENV_IMAGE_MODEL_NAME": {
"type": "string",
"metadata": {
"description": "Contains Image Model (empty if none selected)"
@@ -33626,7 +44516,7 @@
},
"value": "[if(not(equals(parameters('imageModelChoice'), 'none')), format('https://{0}.openai.azure.com/', variables('aiFoundryAiServicesResourceName')), '')]"
},
- "AZURE_OPENAI_API_VERSION": {
+ "AZURE_ENV_OPENAI_API_VERSION": {
"type": "string",
"metadata": {
"description": "Contains Azure OpenAI API Version"
@@ -33661,7 +44551,7 @@
},
"value": "[if(and(parameters('enableMonitoring'), not(variables('useExistingLogAnalytics'))), reference('applicationInsights').outputs.connectionString.value, '')]"
},
- "AZURE_ENV_OPENAI_LOCATION": {
+ "AZURE_ENV_AI_SERVICE_LOCATION": {
"type": "string",
"metadata": {
"description": "Contains the location used for AI Services deployment"
@@ -33689,7 +44579,7 @@
},
"value": "[if(parameters('enablePrivateNetworking'), '', reference('containerInstance').outputs.fqdn.value)]"
},
- "ACR_NAME": {
+ "AZURE_ENV_CONTAINER_REGISTRY_NAME": {
"type": "string",
"metadata": {
"description": "Contains ACR Name"
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
index 00c481f2e..b830e8365 100644
--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -9,43 +9,43 @@
"value": "${AZURE_LOCATION}"
},
"secondaryLocation": {
- "value": "${SECONDARY_LOCATION}"
+ "value": "${AZURE_ENV_SECONDARY_LOCATION}"
},
"gptModelName": {
- "value": "${AZURE_OPENAI_GPT_MODEL}"
+ "value": "${AZURE_ENV_GPT_MODEL_NAME}"
},
"gptModelVersion": {
- "value": "${GPT_MODEL_VERSION}"
+ "value": "${AZURE_ENV_GPT_MODEL_VERSION}"
},
"gptModelDeploymentType": {
- "value": "${GPT_MODEL_DEPLOYMENT_TYPE}"
+ "value": "${AZURE_ENV_MODEL_DEPLOYMENT_TYPE}"
},
"gptModelCapacity": {
- "value": "${GPT_MODEL_CAPACITY}"
+ "value": "${AZURE_ENV_GPT_MODEL_CAPACITY}"
},
"imageModelChoice": {
- "value": "${AZURE_OPENAI_IMAGE_MODEL}"
+ "value": "${AZURE_ENV_IMAGE_MODEL_NAME}"
},
"imageModelCapacity": {
- "value": "${IMAGE_MODEL_CAPACITY}"
+ "value": "${AZURE_ENV_IMAGE_MODEL_CAPACITY}"
},
"azureOpenaiAPIVersion": {
- "value": "${AZURE_OPENAI_API_VERSION}"
+ "value": "${AZURE_ENV_OPENAI_API_VERSION}"
},
"azureAiServiceLocation": {
- "value": "${AZURE_ENV_OPENAI_LOCATION}"
+ "value": "${AZURE_ENV_AI_SERVICE_LOCATION}"
},
"existingLogAnalyticsWorkspaceId": {
- "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"
+ "value": "${AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID}"
},
"azureExistingAIProjectResourceId": {
- "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
+ "value": "${AZURE_EXISTING_AIPROJECT_RESOURCE_ID}"
},
"acrName": {
- "value": "${ACR_NAME}"
+ "value": "${AZURE_ENV_CONTAINER_REGISTRY_NAME}"
},
"imageTag": {
- "value": "${IMAGE_TAG=latest}"
+ "value": "${AZURE_ENV_IMAGE_TAG=latest}"
}
}
}
diff --git a/infra/main.waf.parameters.json b/infra/main.waf.parameters.json
index 0cc363c9d..e4ec5e0c5 100644
--- a/infra/main.waf.parameters.json
+++ b/infra/main.waf.parameters.json
@@ -9,43 +9,43 @@
"value": "${AZURE_LOCATION}"
},
"secondaryLocation": {
- "value": "${SECONDARY_LOCATION}"
+ "value": "${AZURE_ENV_SECONDARY_LOCATION}"
},
"gptModelName": {
- "value": "${AZURE_OPENAI_GPT_MODEL}"
+ "value": "${AZURE_ENV_GPT_MODEL_NAME}"
},
"gptModelVersion": {
- "value": "${GPT_MODEL_VERSION}"
+ "value": "${AZURE_ENV_GPT_MODEL_VERSION}"
},
"gptModelDeploymentType": {
- "value": "${GPT_MODEL_DEPLOYMENT_TYPE}"
+ "value": "${AZURE_ENV_MODEL_DEPLOYMENT_TYPE}"
},
"gptModelCapacity": {
- "value": "${GPT_MODEL_CAPACITY}"
+ "value": "${AZURE_ENV_GPT_MODEL_CAPACITY}"
},
"imageModelChoice": {
- "value": "${AZURE_OPENAI_IMAGE_MODEL}"
+ "value": "${AZURE_ENV_IMAGE_MODEL_NAME}"
},
"imageModelCapacity": {
- "value": "${IMAGE_MODEL_CAPACITY}"
+ "value": "${AZURE_ENV_IMAGE_MODEL_CAPACITY}"
},
"azureOpenaiAPIVersion": {
- "value": "${AZURE_OPENAI_API_VERSION}"
+ "value": "${AZURE_ENV_OPENAI_API_VERSION}"
},
"azureAiServiceLocation": {
- "value": "${AZURE_ENV_OPENAI_LOCATION}"
+ "value": "${AZURE_ENV_AI_SERVICE_LOCATION}"
},
"existingLogAnalyticsWorkspaceId": {
- "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"
+ "value": "${AZURE_ENV_EXISTING_LOG_ANALYTICS_WORKSPACE_RID}"
},
"azureExistingAIProjectResourceId": {
- "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
+ "value": "${AZURE_EXISTING_AIPROJECT_RESOURCE_ID}"
},
"acrName": {
- "value": "${ACR_NAME}"
+ "value": "${AZURE_ENV_CONTAINER_REGISTRY_NAME}"
},
"imageTag": {
- "value": "${IMAGE_TAG=latest}"
+ "value": "${AZURE_ENV_IMAGE_TAG=latest}"
},
"enablePrivateNetworking": {
"value": true
@@ -55,6 +55,18 @@
},
"enableScalability": {
"value": true
+ },
+ "deployBastionAndJumpbox": {
+ "value": true
+ },
+ "vmAdminUsername": {
+ "value": "${AZURE_ENV_VM_ADMIN_USERNAME}"
+ },
+ "vmAdminPassword": {
+ "value": "${AZURE_ENV_VM_ADMIN_PASSWORD}"
+ },
+ "vmSize": {
+ "value": "${AZURE_ENV_VM_SIZE}"
}
}
}
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
new file mode 100644
index 000000000..411f4b0a3
--- /dev/null
+++ b/infra/main_custom.bicep
@@ -0,0 +1,1248 @@
+// ========== main.bicep ========== //
+targetScope = 'resourceGroup'
+
+metadata name = 'Intelligent Content Generation Accelerator'
+metadata description = '''Solution Accelerator for multimodal marketing content generation using Microsoft Agent Framework.
+'''
+
+@minLength(3)
+@maxLength(15)
+@description('Optional. A unique application/solution name for all resources in this deployment.')
+param solutionName string = 'contentgen'
+
+@minLength(3)
+@maxLength(5)
+@description('Optional. A unique text value for the solution.')
+param solutionUniqueText string = substring(uniqueString(subscription().id, resourceGroup().name, solutionName), 0, 5)
+
+@allowed([
+ 'australiaeast'
+ 'centralus'
+ 'eastasia'
+ 'eastus'
+ 'eastus2'
+ 'japaneast'
+ 'northeurope'
+ 'southeastasia'
+ 'swedencentral'
+ 'uksouth'
+ 'westus'
+ 'westus3'
+])
+@metadata({ azd: { type: 'location' } })
+@description('Required. Azure region for all services.')
+param location string
+
+@minLength(3)
+@description('Optional. Secondary location for databases creation.')
+param secondaryLocation string = 'uksouth'
+
+// NOTE: Metadata must be compile-time constants. Update usageName manually if you change model parameters.
+// Format: 'OpenAI..,'
+// Allowed regions: Union of GPT-5.1, gpt-image-1-mini, and gpt-image-1.5 GlobalStandard availability
+@allowed([
+ 'australiaeast'
+ 'canadaeast'
+ 'eastus2'
+ 'japaneast'
+ 'koreacentral'
+ 'polandcentral'
+ 'swedencentral'
+ 'switzerlandnorth'
+ 'uaenorth'
+ 'uksouth'
+ 'westus3'
+])
+@metadata({
+ azd: {
+ type: 'location'
+ usageName: [
+ 'OpenAI.GlobalStandard.gpt-5.1,150'
+ 'OpenAI.GlobalStandard.gpt-image-1-mini,1'
+ ]
+ }
+})
+@description('Required. Location for AI deployments.')
+param azureAiServiceLocation string
+
+@minLength(1)
+@allowed([
+ 'Standard'
+ 'GlobalStandard'
+])
+@description('Optional. GPT model deployment type.')
+param gptModelDeploymentType string = 'GlobalStandard'
+
+@minLength(1)
+@description('Optional. Name of the GPT model to deploy.')
+param gptModelName string = 'gpt-5.1'
+
+@description('Optional. Version of the GPT model to deploy.')
+param gptModelVersion string = '2025-11-13'
+
+@description('Optional. Image model to deploy: gpt-image-1-mini, gpt-image-1.5, or none to skip.')
+@allowed([
+ 'gpt-image-1-mini'
+ 'gpt-image-1.5'
+ 'none'
+])
+param imageModelChoice string = 'gpt-image-1-mini'
+
+@description('Optional. API version for Azure OpenAI service.')
+param azureOpenaiAPIVersion string = '2025-01-01-preview'
+
+@description('Optional. API version for Azure AI Agent service.')
+param azureAiAgentApiVersion string = '2025-05-01'
+
+@minValue(10)
+@description('Optional. AI model deployment token capacity.')
+param gptModelCapacity int = 150
+
+@minValue(1)
+@description('Optional. Image model deployment capacity (RPM).')
+param imageModelCapacity int = 1
+
+@description('Optional. Existing Log Analytics Workspace Resource ID.')
+param existingLogAnalyticsWorkspaceId string = ''
+
+@description('Optional. Resource ID of an existing Foundry project.')
+param azureExistingAIProjectResourceId string = ''
+
+@description('Optional. Deploy Azure Bastion and Jumpbox resources for private network administration.')
+param deployBastionAndJumpbox bool = false
+
+@description('Optional. Jumpbox VM size. Must support accelerated networking and Premium SSD.')
+param vmSize string = ''
+
+@description('Optional. Jumpbox VM admin username.')
+param vmAdminUsername string = ''
+
+@description('Optional. Jumpbox VM admin password.')
+@secure()
+param vmAdminPassword string = ''
+
+@description('Optional. The tags to apply to all deployed Azure resources.')
+param tags object = {}
+
+@description('Optional. Enable monitoring for applicable resources (WAF-aligned).')
+param enableMonitoring bool = false
+
+@description('Optional. Enable Azure AI Foundry mode for multi-agent orchestration.')
+param useFoundryMode bool = true
+
+@description('Optional. Enable scalability for applicable resources (WAF-aligned).')
+param enableScalability bool = false
+
+@description('Optional. Enable redundancy for applicable resources (WAF-aligned).')
+param enableRedundancy bool = false
+
+@description('Optional. Enable private networking for applicable resources (WAF-aligned).')
+param enablePrivateNetworking bool = false
+
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+@description('Optional. Frontend image name (without tag).')
+param frontendImageName string = 'content-gen-app'
+
+@description('Optional. Backend image name (without tag).')
+param backendImageName string = 'content-gen-api'
+
+@description('Optional. Image tag for container deployment. Leave empty to skip ACI deployment.')
+param imageTag string
+
+@description('Optional. Azure Container Registry name (unused - ACR name is auto-generated). Declared for parameter file compatibility.')
+#disable-next-line no-unused-params
+param acrName string = ''
+
+@description('Optional. Created by user name.')
+param createdBy string = contains(deployer(), 'userPrincipalName')? split(deployer().userPrincipalName, '@')[0]: deployer().objectId
+
+// ============== //
+// Variables //
+// ============== //
+
+var solutionLocation = empty(location) ? resourceGroup().location : location
+
+var solutionSuffix = toLower(trim(replace(
+ replace(
+ replace(replace(replace(replace('${solutionName}${solutionUniqueText}', '-', ''), '_', ''), '.', ''), '/', ''),
+ ' ',
+ ''
+ ),
+ '*',
+ ''
+)))
+
+// ACR name is always auto-generated in custom deployment
+var acrResourceName = 'cr${solutionSuffix}'
+
+var cosmosDbZoneRedundantHaRegionPairs = {
+ australiaeast: 'uksouth'
+ centralus: 'eastus2'
+ eastasia: 'southeastasia'
+ eastus: 'centralus'
+ eastus2: 'centralus'
+ japaneast: 'australiaeast'
+ northeurope: 'westeurope'
+ southeastasia: 'eastasia'
+ uksouth: 'westeurope'
+ westus: 'westus3'
+ westus3: 'westus'
+}
+var cosmosDbHaLocation = cosmosDbZoneRedundantHaRegionPairs[?resourceGroup().location] ?? secondaryLocation
+
+var replicaRegionPairs = {
+ australiaeast: 'australiasoutheast'
+ centralus: 'westus'
+ eastasia: 'japaneast'
+ eastus: 'centralus'
+ eastus2: 'centralus'
+ japaneast: 'eastasia'
+ northeurope: 'westeurope'
+ southeastasia: 'eastasia'
+ uksouth: 'westeurope'
+ westus: 'westus3'
+ westus3: 'westus'
+}
+var replicaLocation = replicaRegionPairs[?resourceGroup().location] ?? secondaryLocation
+
+var azureSearchIndex = 'products'
+var aiSearchName = 'srch-${solutionSuffix}'
+var aiSearchConnectionName = 'foundry-search-connection-${solutionSuffix}'
+
+// Extracts subscription, resource group, and workspace name from the resource ID
+var useExistingLogAnalytics = !empty(existingLogAnalyticsWorkspaceId)
+var useExistingAiFoundryAiProject = !empty(azureExistingAIProjectResourceId)
+var aiFoundryAiServicesResourceGroupName = useExistingAiFoundryAiProject
+ ? split(azureExistingAIProjectResourceId, '/')[4]
+ : 'rg-${solutionSuffix}'
+var aiFoundryAiServicesSubscriptionId = useExistingAiFoundryAiProject
+ ? split(azureExistingAIProjectResourceId, '/')[2]
+ : subscription().subscriptionId
+var aiFoundryAiServicesResourceName = useExistingAiFoundryAiProject
+ ? split(azureExistingAIProjectResourceId, '/')[8]
+ : 'aif-${solutionSuffix}'
+var aiFoundryAiProjectResourceName = useExistingAiFoundryAiProject
+ ? split(azureExistingAIProjectResourceId, '/')[10]
+ : 'proj-${solutionSuffix}'
+
+// Base model deployments (GPT only - no embeddings needed for content generation)
+var baseModelDeployments = [
+ {
+ format: 'OpenAI'
+ name: gptModelName
+ model: gptModelName
+ sku: {
+ name: gptModelDeploymentType
+ capacity: gptModelCapacity
+ }
+ version: gptModelVersion
+ raiPolicyName: 'Microsoft.Default'
+ }
+]
+
+// Image model configuration based on choice
+var imageModelConfig = {
+ 'gpt-image-1-mini': {
+ name: 'gpt-image-1-mini'
+ version: '2025-10-06'
+ sku: 'GlobalStandard'
+ }
+ 'gpt-image-1.5': {
+ name: 'gpt-image-1.5'
+ version: '2025-12-16'
+ sku: 'GlobalStandard'
+ }
+ none: {
+ name: ''
+ version: ''
+ sku: ''
+ }
+}
+
+// Image model deployment (optional)
+var imageModelDeployment = imageModelChoice != 'none' ? [
+ {
+ format: 'OpenAI'
+ name: imageModelConfig[imageModelChoice].name
+ model: imageModelConfig[imageModelChoice].name
+ sku: {
+ name: imageModelConfig[imageModelChoice].sku
+ capacity: imageModelCapacity
+ }
+ version: imageModelConfig[imageModelChoice].version
+ raiPolicyName: 'Microsoft.Default'
+ }
+] : []
+
+// Combine deployments based on imageModelChoice
+var aiFoundryAiServicesModelDeployment = concat(baseModelDeployments, imageModelDeployment)
+
+var aiFoundryAiProjectDescription = 'Content Generation AI Foundry Project'
+
+// Reference existing resource group to access current tags
+resource existingResourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' existing = {
+ scope: subscription()
+ name: resourceGroup().name
+}
+
+var existingTags = existingResourceGroup.tags ?? {}
+
+// ============== //
+// Resources //
+// ============== //
+
+#disable-next-line no-deployments-resources
+resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
+ name: '46d3xbcp.ptn.sa-contentgeneration.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, solutionLocation), 0, 4)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ outputs: {
+ telemetry: {
+ type: 'String'
+ value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+ }
+ }
+ }
+ }
+}
+
+// ========== Resource Group Tag ========== //
+resource resourceGroupTags 'Microsoft.Resources/tags@2025-04-01' = {
+ name: 'default'
+ properties: {
+ tags: union(
+ existingTags,
+ tags,
+ {
+ TemplateName: 'ContentGen'
+ Type: enablePrivateNetworking ? 'WAF' : 'Non-WAF'
+ CreatedBy: createdBy
+ }
+ )
+ }
+}
+
+// ========== Log Analytics Workspace ========== //
+var logAnalyticsWorkspaceResourceName = 'log-${solutionSuffix}'
+module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.15.0' = if (enableMonitoring && !useExistingLogAnalytics) {
+ name: take('avm.res.operational-insights.workspace.${logAnalyticsWorkspaceResourceName}', 64)
+ params: {
+ name: logAnalyticsWorkspaceResourceName
+ tags: tags
+ location: solutionLocation
+ enableTelemetry: enableTelemetry
+ skuName: 'PerGB2018'
+ dataRetention: 365
+ features: { enableLogAccessUsingOnlyResourcePermissions: true }
+ diagnosticSettings: [{ useThisWorkspace: true }]
+ dailyQuotaGb: enableRedundancy ? '10' : null
+ replication: enableRedundancy
+ ? {
+ enabled: true
+ location: replicaLocation
+ }
+ : null
+ publicNetworkAccessForIngestion: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+ publicNetworkAccessForQuery: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+ }
+}
+var logAnalyticsWorkspaceResourceId = useExistingLogAnalytics
+ ? existingLogAnalyticsWorkspaceId
+ : (enableMonitoring ? logAnalyticsWorkspace!.outputs.resourceId : '')
+
+// ========== Application Insights ========== //
+var applicationInsightsResourceName = 'appi-${solutionSuffix}'
+module applicationInsights 'br/public:avm/res/insights/component:0.7.1' = if (enableMonitoring) {
+ name: take('avm.res.insights.component.${applicationInsightsResourceName}', 64)
+ params: {
+ name: applicationInsightsResourceName
+ tags: tags
+ location: solutionLocation
+ enableTelemetry: enableTelemetry
+ retentionInDays: 365
+ kind: 'web'
+ disableIpMasking: false
+ flowType: 'Bluefield'
+ workspaceResourceId: logAnalyticsWorkspaceResourceId
+ }
+}
+
+// ========== User Assigned Identity ========== //
+var userAssignedIdentityResourceName = 'id-${solutionSuffix}'
+module userAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.5.0' = {
+ name: take('avm.res.managed-identity.user-assigned-identity.${userAssignedIdentityResourceName}', 64)
+ params: {
+ name: userAssignedIdentityResourceName
+ location: solutionLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ }
+}
+
+// ========== Azure Container Registry ========== //
+// CUSTOM DEPLOYMENT: ACR for remote Docker builds (AZD pushes images here)
+module containerRegistry 'br/public:avm/res/container-registry/registry:0.9.0' = {
+ name: take('avm.res.container-registry.registry.${acrResourceName}', 64)
+ params: {
+ name: acrResourceName
+ location: solutionLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ acrSku: 'Standard'
+ acrAdminUserEnabled: false
+ anonymousPullEnabled: false
+ publicNetworkAccess: 'Enabled'
+ networkRuleBypassOptions: 'AzureServices'
+ roleAssignments: [
+ {
+ principalId: userAssignedIdentity.outputs.principalId
+ roleDefinitionIdOrName: '7f951dda-4ed3-4680-a7ca-43fe172d538d' // AcrPull
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+}
+
+// ========== Virtual Network and Networking Components ========== //
+var deployAdminAccessResources = enablePrivateNetworking && deployBastionAndJumpbox && !empty(vmAdminPassword)
+module virtualNetwork 'modules/virtualNetwork.bicep' = if (enablePrivateNetworking) {
+ name: take('module.virtualNetwork.${solutionSuffix}', 64)
+ params: {
+ vnetName: 'vnet-${solutionSuffix}'
+ addressPrefixes: ['10.0.0.0/20'] // 4096 addresses (enough for 8 /23 subnets or 16 /24)
+ location: solutionLocation
+ deployBastionAndJumpbox: deployAdminAccessResources
+ tags: tags
+ logAnalyticsWorkspaceId: logAnalyticsWorkspaceResourceId
+ resourceSuffix: solutionSuffix
+ enableTelemetry: enableTelemetry
+ }
+}
+
+// Azure Bastion Host
+var bastionHostName = 'bas-${solutionSuffix}'
+var zoneSupportedJumpboxLocations = [
+ 'australiaeast'
+ 'centralus'
+ 'eastus'
+ 'eastus2'
+ 'japaneast'
+ 'northeurope'
+ 'southeastasia'
+ 'swedencentral'
+ 'uksouth'
+ 'westus3'
+]
+module bastionHost 'br/public:avm/res/network/bastion-host:0.8.2' = if (deployAdminAccessResources) {
+ name: take('avm.res.network.bastion-host.${bastionHostName}', 64)
+ params: {
+ name: bastionHostName
+ skuName: 'Standard'
+ location: solutionLocation
+ virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
+ diagnosticSettings: !empty(logAnalyticsWorkspaceResourceId)
+ ? [
+ {
+ name: 'bastionDiagnostics'
+ workspaceResourceId: logAnalyticsWorkspaceResourceId
+ logCategoriesAndGroups: [
+ {
+ categoryGroup: 'allLogs'
+ enabled: true
+ }
+ ]
+ }
+ ]
+ : []
+ tags: tags
+ enableTelemetry: enableTelemetry
+ publicIPAddressObject: {
+ name: 'pip-${bastionHostName}'
+ }
+ }
+}
+
+// Jumpbox Virtual Machine
+var jumpboxUniqueToken = take(uniqueString(resourceGroup().id, solutionSuffix), 10)
+var jumpboxVmName = take('vm-${jumpboxUniqueToken}', 15)
+module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.21.0' = if (deployAdminAccessResources) {
+ name: take('avm.res.compute.virtual-machine.${jumpboxVmName}', 64)
+ params: {
+ name: take(jumpboxVmName, 15)
+ enableTelemetry: enableTelemetry
+ computerName: take(jumpboxVmName, 15)
+ osType: 'Windows'
+ vmSize: empty(vmSize) ? 'Standard_D2s_v5' : vmSize
+ adminUsername: empty(vmAdminUsername) ? 'JumpboxAdminUser' : vmAdminUsername
+ adminPassword: vmAdminPassword
+ managedIdentities: {
+ userAssignedResourceIds: [
+ userAssignedIdentity.outputs.resourceId
+ ]
+ }
+ availabilityZone: contains(zoneSupportedJumpboxLocations, solutionLocation) ? 1 : -1
+ imageReference: {
+ publisher: 'microsoft-dsvm'
+ offer: 'dsvm-win-2022'
+ sku: 'winserver-2022'
+ version: 'latest'
+ }
+ nicConfigurations: [
+ {
+ name: 'nic-${jumpboxVmName}'
+ enableAcceleratedNetworking: true
+ ipConfigurations: [
+ {
+ name: 'ipconfig01'
+ subnetResourceId: virtualNetwork!.outputs.jumpboxSubnetResourceId
+ }
+ ]
+ }
+ ]
+ osDisk: {
+ caching: 'ReadWrite'
+ diskSizeGB: 128
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ encryptionAtHost: false // Some Azure subscriptions do not support encryption at host
+ location: solutionLocation
+ tags: tags
+ }
+ dependsOn: (enableMonitoring && !useExistingLogAnalytics) ? [logAnalyticsWorkspace] : []
+}
+
+// ========== Private DNS Zones ========== //
+// Only create DNS zones for resources that need private endpoints:
+// - Cognitive Services (for AI Services)
+// - OpenAI (for Azure OpenAI endpoints)
+// - Blob Storage
+// - Cosmos DB (Documents)
+var privateDnsZones = [
+ 'privatelink.cognitiveservices.azure.com'
+ 'privatelink.openai.azure.com'
+ 'privatelink.blob.${environment().suffixes.storage}'
+ 'privatelink.documents.azure.com'
+]
+
+var dnsZoneIndex = {
+ cognitiveServices: 0
+ openAI: 1
+ storageBlob: 2
+ cosmosDB: 3
+}
+
+@batchSize(5)
+module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.8.0' = [
+ for (zone, i) in privateDnsZones: if (enablePrivateNetworking) {
+ name: take('avm.res.network.private-dns-zone.${replace(zone, '.', '-')}', 64)
+ params: {
+ name: zone
+ tags: tags
+ enableTelemetry: enableTelemetry
+ virtualNetworkLinks: [
+ {
+ virtualNetworkResourceId: enablePrivateNetworking ? virtualNetwork!.outputs.resourceId : ''
+ registrationEnabled: false
+ }
+ ]
+ }
+ }
+]
+
+// ========== AI Foundry: AI Services ========== //
+module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.1' = if (!useExistingAiFoundryAiProject) {
+ name: take('avm.res.cognitive-services.account.${aiFoundryAiServicesResourceName}', 64)
+ params: {
+ name: aiFoundryAiServicesResourceName
+ location: azureAiServiceLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ sku: 'S0'
+ kind: 'AIServices'
+ disableLocalAuth: true
+ allowProjectManagement: true
+ customSubDomainName: aiFoundryAiServicesResourceName
+ restrictOutboundNetworkAccess: false
+ deployments: [
+ for deployment in aiFoundryAiServicesModelDeployment: {
+ name: deployment.name
+ model: {
+ format: deployment.format
+ name: deployment.name
+ version: deployment.version
+ }
+ raiPolicyName: deployment.raiPolicyName
+ sku: {
+ name: deployment.sku.name
+ capacity: deployment.sku.capacity
+ }
+ }
+ ]
+ networkAcls: {
+ defaultAction: 'Allow'
+ virtualNetworkRules: []
+ ipRules: []
+ }
+ managedIdentities: {
+ userAssignedResourceIds: [userAssignedIdentity!.outputs.resourceId]
+ }
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User
+ principalId: userAssignedIdentity.outputs.principalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: '64702f94-c441-49e6-a78b-ef80e0188fee' // Azure AI Developer
+ principalId: userAssignedIdentity.outputs.principalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Cognitive Services OpenAI User
+ principalId: userAssignedIdentity.outputs.principalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User for deployer
+ principalId: deployer().objectId
+ }
+ ]
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+ // Note: Private endpoint is created separately to avoid timing issues with model deployments
+ }
+}
+
+// Create private endpoint for AI Services AFTER the account is fully provisioned
+module aiServicesPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.1' = if (!useExistingAiFoundryAiProject && enablePrivateNetworking) {
+ name: take('pep-ai-services-${aiFoundryAiServicesResourceName}', 64)
+ params: {
+ name: 'pep-${aiFoundryAiServicesResourceName}'
+ location: solutionLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
+ privateLinkServiceConnections: [
+ {
+ name: 'pep-${aiFoundryAiServicesResourceName}'
+ properties: {
+ privateLinkServiceId: aiFoundryAiServices!.outputs.resourceId
+ groupIds: ['account']
+ }
+ }
+ ]
+ privateDnsZoneGroup: {
+ privateDnsZoneGroupConfigs: [
+ {
+ name: 'cognitiveservices'
+ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.cognitiveServices]!.outputs.resourceId
+ }
+ {
+ name: 'openai'
+ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.openAI]!.outputs.resourceId
+ }
+ ]
+ }
+ }
+}
+
+module aiFoundryAiServicesProject 'modules/ai-project.bicep' = if (!useExistingAiFoundryAiProject) {
+ name: take('module.ai-project.${aiFoundryAiProjectResourceName}', 64)
+ params: {
+ name: aiFoundryAiProjectResourceName
+ location: azureAiServiceLocation
+ tags: tags
+ desc: aiFoundryAiProjectDescription
+ aiServicesName: aiFoundryAiServicesResourceName
+ azureExistingAIProjectResourceId: azureExistingAIProjectResourceId
+ }
+ dependsOn: [
+ aiFoundryAiServices
+ ]
+}
+
+var aiFoundryAiProjectEndpoint = useExistingAiFoundryAiProject
+ ? 'https://${aiFoundryAiServicesResourceName}.services.ai.azure.com/api/projects/${aiFoundryAiProjectResourceName}'
+ : aiFoundryAiServicesProject!.outputs.apiEndpoint
+
+// ========== Role Assignments for Existing AI Services ========== //
+module existingAiServicesRoleAssignments 'modules/deploy_foundry_role_assignment.bicep' = if (useExistingAiFoundryAiProject) {
+ name: take('module.foundry-role-assignment.${aiFoundryAiServicesResourceName}', 64)
+ scope: resourceGroup(aiFoundryAiServicesSubscriptionId, aiFoundryAiServicesResourceGroupName)
+ params: {
+ aiServicesName: aiFoundryAiServicesResourceName
+ principalId: userAssignedIdentity.outputs.principalId
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// ========== Model Deployments for Existing AI Services ========== //
+module existingAiServicesModelDeployments 'modules/deploy_ai_model.bicep' = if (useExistingAiFoundryAiProject) {
+ name: take('module.model-deployments-existing.${aiFoundryAiServicesResourceName}', 64)
+ scope: resourceGroup(aiFoundryAiServicesSubscriptionId, aiFoundryAiServicesResourceGroupName)
+ params: {
+ aiServicesName: aiFoundryAiServicesResourceName
+ deployments: [
+ for deployment in aiFoundryAiServicesModelDeployment: {
+ name: deployment.name
+ format: deployment.format
+ model: deployment.model
+ sku: {
+ name: deployment.sku.name
+ capacity: deployment.sku.capacity
+ }
+ version: deployment.version
+ raiPolicyName: deployment.raiPolicyName
+ }
+ ]
+ }
+ dependsOn: [
+ existingAiServicesRoleAssignments
+ ]
+}
+
+// ========== AI Search ========== //
+module aiSearch 'br/public:avm/res/search/search-service:0.12.0' = {
+ name: take('avm.res.search.search-service.${aiSearchName}', 64)
+ params: {
+ name: aiSearchName
+ location: solutionLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ sku: enableScalability ? 'standard' : 'basic'
+ replicaCount: enableRedundancy ? 3 : 1
+ partitionCount: 1
+ hostingMode: 'Default'
+ semanticSearch: 'free'
+ authOptions: {
+ aadOrApiKey: {
+ aadAuthFailureMode: 'http401WithBearerChallenge'
+ }
+ }
+ disableLocalAuth: false
+ roleAssignments: [
+ {
+ principalId: userAssignedIdentity.outputs.principalId
+ roleDefinitionIdOrName: 'Search Index Data Contributor'
+ principalType: 'ServicePrincipal'
+ }
+ {
+ principalId: userAssignedIdentity.outputs.principalId
+ roleDefinitionIdOrName: 'Search Service Contributor'
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ // AI Search remains publicly accessible - accessed from ACI via managed identity
+ publicNetworkAccess: 'Enabled'
+ }
+}
+
+// ========== AI Search Connection to AI Services ========== //
+resource aiSearchFoundryConnection 'Microsoft.CognitiveServices/accounts/projects/connections@2025-09-01' = if (!useExistingAiFoundryAiProject) {
+ name: '${aiFoundryAiServicesResourceName}/${aiFoundryAiProjectResourceName}/${aiSearchConnectionName}'
+ properties: {
+ category: 'CognitiveSearch'
+ target: 'https://${aiSearchName}.search.windows.net'
+ authType: 'AAD'
+ isSharedToAll: true
+ metadata: {
+ ApiVersion: '2024-05-01-preview'
+ ResourceId: aiSearch.outputs.resourceId
+ }
+ }
+ dependsOn: [aiFoundryAiServicesProject]
+}
+
+// ========== Storage Account ========== //
+var storageAccountName = 'st${solutionSuffix}'
+var productImagesContainer = 'product-images'
+var generatedImagesContainer = 'generated-images'
+var dataContainer = 'data'
+
+module storageAccount 'br/public:avm/res/storage/storage-account:0.31.1' = {
+ name: take('avm.res.storage.storage-account.${storageAccountName}', 64)
+ params: {
+ name: storageAccountName
+ location: solutionLocation
+ skuName: enableRedundancy ? 'Standard_ZRS' : 'Standard_LRS'
+ managedIdentities: { systemAssigned: true }
+ minimumTlsVersion: 'TLS1_2'
+ enableTelemetry: enableTelemetry
+ tags: tags
+ accessTier: 'Hot'
+ supportsHttpsTrafficOnly: true
+ blobServices: {
+ containerDeleteRetentionPolicyEnabled: true
+ containerDeleteRetentionPolicyDays: 7
+ deleteRetentionPolicyEnabled: true
+ deleteRetentionPolicyDays: 7
+ containers: [
+ {
+ name: productImagesContainer
+ publicAccess: 'None'
+ }
+ {
+ name: generatedImagesContainer
+ publicAccess: 'None'
+ }
+ {
+ name: dataContainer
+ publicAccess: 'None'
+ }
+ ]
+ }
+ roleAssignments: [
+ {
+ principalId: userAssignedIdentity.outputs.principalId
+ roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ networkAcls: {
+ bypass: 'AzureServices'
+ defaultAction: enablePrivateNetworking ? 'Deny' : 'Allow'
+ }
+ allowBlobPublicAccess: false
+ publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+ privateEndpoints: enablePrivateNetworking
+ ? [
+ {
+ service: 'blob'
+ subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
+ privateDnsZoneGroup: {
+ privateDnsZoneGroupConfigs: [
+ { privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.storageBlob]!.outputs.resourceId }
+ ]
+ }
+ }
+ ]
+ : null
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ }
+}
+
+// ========== Cosmos DB ========== //
+var cosmosDBResourceName = 'cosmos-${solutionSuffix}'
+var cosmosDBDatabaseName = 'content_generation_db'
+var cosmosDBConversationsContainer = 'conversations'
+var cosmosDBProductsContainer = 'products'
+
+module cosmosDB 'br/public:avm/res/document-db/database-account:0.18.0' = {
+ name: take('avm.res.document-db.database-account.${cosmosDBResourceName}', 64)
+ params: {
+ name: 'cosmos-${solutionSuffix}'
+ location: secondaryLocation
+ tags: tags
+ enableTelemetry: enableTelemetry
+ sqlDatabases: [
+ {
+ name: cosmosDBDatabaseName
+ containers: [
+ {
+ name: cosmosDBConversationsContainer
+ paths: [
+ '/userId'
+ ]
+ }
+ {
+ name: cosmosDBProductsContainer
+ paths: [
+ '/category'
+ ]
+ }
+ ]
+ }
+ ]
+ sqlRoleDefinitions: [
+ {
+ roleName: 'contentgen-data-contributor'
+ dataActions: [
+ 'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+ 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+ 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+ ]
+ }
+ ]
+ sqlRoleAssignments: [
+ {
+ principalId: userAssignedIdentity.outputs.principalId
+ roleDefinitionId: '00000000-0000-0000-0000-000000000002' // Built-in Cosmos DB Data Contributor
+ }
+ {
+ principalId: deployer().objectId
+ roleDefinitionId: '00000000-0000-0000-0000-000000000002' // Built-in Cosmos DB Data Contributor to the deployer
+ }
+ ]
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ networkRestrictions: {
+ networkAclBypass: 'AzureServices'
+ publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+ }
+ zoneRedundant: enableRedundancy
+ capabilitiesToAdd: enableRedundancy ? null : ['EnableServerless']
+ enableAutomaticFailover: enableRedundancy
+ failoverLocations: enableRedundancy
+ ? [
+ {
+ failoverPriority: 0
+ isZoneRedundant: true
+ locationName: secondaryLocation
+ }
+ {
+ failoverPriority: 1
+ isZoneRedundant: true
+ locationName: cosmosDbHaLocation
+ }
+ ]
+ : [
+ {
+ locationName: secondaryLocation
+ failoverPriority: 0
+ isZoneRedundant: false
+ }
+ ]
+ privateEndpoints: enablePrivateNetworking
+ ? [
+ {
+ service: 'Sql'
+ subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
+ privateDnsZoneGroup: {
+ privateDnsZoneGroupConfigs: [
+ { privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.cosmosDB]!.outputs.resourceId }
+ ]
+ }
+ }
+ ]
+ : null
+ }
+}
+
+// ========== App Service Plan ========== //
+var webServerFarmResourceName = 'asp-${solutionSuffix}'
+module webServerFarm 'br/public:avm/res/web/serverfarm:0.7.0' = {
+ name: take('avm.res.web.serverfarm.${webServerFarmResourceName}', 64)
+ params: {
+ name: webServerFarmResourceName
+ tags: tags
+ enableTelemetry: enableTelemetry
+ location: solutionLocation
+ reserved: true
+ kind: 'linux'
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ skuName: enableScalability || enableRedundancy ? 'P1v3' : 'B1'
+ skuCapacity: enableRedundancy ? 2 : 1
+ zoneRedundant: enableRedundancy ? true : false
+ }
+ scope: resourceGroup(resourceGroup().name)
+}
+
+// ========== Web App ========== //
+var webSiteResourceName = 'app-${solutionSuffix}'
+// Backend URL: Use ACI IP (private or public) or FQDN depending on networking mode
+var aciPrivateIpFallback = '10.0.4.4'
+var aciPublicFqdnFallback = '${containerInstanceName}.${solutionLocation}.azurecontainer.io'
+// For private networking use IP, for public use FQDN
+var aciBackendUrl = enablePrivateNetworking
+ ? 'http://${aciPrivateIpFallback}:8000'
+ : 'http://${aciPublicFqdnFallback}:8000'
+module webSite 'modules/web-sites.bicep' = {
+ name: take('module.web-sites.${webSiteResourceName}', 64)
+ params: {
+ name: webSiteResourceName
+ tags: union(tags, { 'azd-service-name': 'frontend' })
+ location: solutionLocation
+ kind: 'app,linux'
+ serverFarmResourceId: webServerFarm.outputs.resourceId
+ managedIdentities: { userAssignedResourceIds: [userAssignedIdentity!.outputs.resourceId] }
+ siteConfig: {
+ // Node.js runtime for frontend server (code deployment via AZD)
+ linuxFxVersion: 'NODE|22-lts'
+ minTlsVersion: '1.2'
+ alwaysOn: true
+ ftpsState: 'FtpsOnly'
+ appCommandLine: 'node server.js'
+ }
+ virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.webSubnetResourceId : null
+ configs: concat(
+ [
+ {
+ // Frontend server proxies to ACI backend
+ name: 'appsettings'
+ properties: {
+ WEBSITES_PORT: '8080'
+ BACKEND_URL: aciBackendUrl
+ AZURE_CLIENT_ID: userAssignedIdentity.outputs.clientId
+ SCM_DO_BUILD_DURING_DEPLOYMENT: 'true' // Run npm install during deployment
+ }
+ applicationInsightResourceId: enableMonitoring ? applicationInsights!.outputs.resourceId : null
+ }
+ ],
+ enableMonitoring
+ ? [
+ {
+ name: 'logs'
+ properties: {}
+ }
+ ]
+ : []
+ )
+ enableMonitoring: enableMonitoring
+ enableTelemetry: enableTelemetry
+ diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
+ vnetRouteAllEnabled: enablePrivateNetworking
+ vnetImagePullEnabled: enablePrivateNetworking
+ publicNetworkAccess: 'Enabled'
+ }
+}
+
+// ========== Container Instance (Backend API) ========== //
+// CUSTOM DEPLOYMENT: Inline ACI definition with managed identity auth for ACR
+var containerInstanceName = 'aci-${solutionSuffix}'
+var backendImageUrl = '${containerRegistry.outputs.loginServer}/${backendImageName}:${imageTag}'
+var aciPort = 8000
+var isPrivateNetworking = enablePrivateNetworking
+// Construct identity resource ID from known values (required for deployment-time calculation)
+var userAssignedIdentityResourceIdForACI = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${userAssignedIdentityResourceName}'
+// Deploy ACI only when imageTag is set to a real tag (not 'none')
+var shouldDeployACI = !empty(imageTag) && imageTag != 'none'
+
+#disable-next-line no-deployments-resources
+resource aciTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry && shouldDeployACI) {
+ name: '46d3xbcp.res.containerinstance.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, solutionLocation), 0, 4)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource containerInstance 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = if (shouldDeployACI) {
+ name: containerInstanceName
+ location: solutionLocation
+ tags: tags
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${userAssignedIdentityResourceIdForACI}': {}
+ }
+ }
+ properties: {
+ containers: [
+ {
+ name: containerInstanceName
+ properties: {
+ image: backendImageUrl
+ resources: {
+ requests: {
+ cpu: 2
+ memoryInGB: 4
+ }
+ }
+ ports: [
+ {
+ port: aciPort
+ protocol: 'TCP'
+ }
+ ]
+ environmentVariables: [
+ // Azure OpenAI Settings
+ { name: 'AZURE_OPENAI_ENDPOINT', value: 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' }
+ { name: 'AZURE_ENV_GPT_MODEL_NAME', value: gptModelName }
+ { name: 'AZURE_ENV_IMAGE_MODEL_NAME', value: imageModelConfig[imageModelChoice].name }
+ { name: 'AZURE_OPENAI_GPT_IMAGE_ENDPOINT', value: imageModelChoice != 'none' ? 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' : '' }
+ { name: 'AZURE_ENV_OPENAI_API_VERSION', value: azureOpenaiAPIVersion }
+ // Azure Cosmos DB Settings
+ { name: 'AZURE_COSMOS_ENDPOINT', value: 'https://cosmos-${solutionSuffix}.documents.azure.com:443/' }
+ { name: 'AZURE_COSMOS_DATABASE_NAME', value: cosmosDBDatabaseName }
+ { name: 'AZURE_COSMOS_PRODUCTS_CONTAINER', value: cosmosDBProductsContainer }
+ { name: 'AZURE_COSMOS_CONVERSATIONS_CONTAINER', value: cosmosDBConversationsContainer }
+ // Azure Blob Storage Settings
+ { name: 'AZURE_BLOB_ACCOUNT_NAME', value: storageAccountName }
+ { name: 'AZURE_BLOB_PRODUCT_IMAGES_CONTAINER', value: productImagesContainer }
+ { name: 'AZURE_BLOB_GENERATED_IMAGES_CONTAINER', value: generatedImagesContainer }
+ // Azure AI Search Settings
+ { name: 'AZURE_AI_SEARCH_ENDPOINT', value: 'https://${aiSearchName}.search.windows.net' }
+ { name: 'AZURE_AI_SEARCH_PRODUCTS_INDEX', value: azureSearchIndex }
+ { name: 'AZURE_AI_SEARCH_IMAGE_INDEX', value: 'product-images' }
+ // App Settings
+ { name: 'AZURE_CLIENT_ID', value: userAssignedIdentity.outputs.clientId }
+ { name: 'PORT', value: '8000' }
+ { name: 'WORKERS', value: '4' }
+ { name: 'RUNNING_IN_PRODUCTION', value: 'true' }
+ // Azure AI Foundry Settings
+ { name: 'USE_FOUNDRY', value: useFoundryMode ? 'true' : 'false' }
+ { name: 'AZURE_AI_PROJECT_ENDPOINT', value: aiFoundryAiProjectEndpoint }
+ { name: 'AZURE_AI_MODEL_DEPLOYMENT_NAME', value: gptModelName }
+ { name: 'AZURE_AI_IMAGE_MODEL_DEPLOYMENT', value: imageModelConfig[imageModelChoice].name }
+ // Logging Settings
+ { name: 'AZURE_BASIC_LOGGING_LEVEL', value: 'INFO' }
+ { name: 'AZURE_PACKAGE_LOGGING_LEVEL', value: 'WARNING' }
+ { name: 'AZURE_LOGGING_PACKAGES', value: '' }
+ // Application Insights
+ { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: enableMonitoring ? applicationInsights!.outputs.connectionString : '' }
+ ]
+ }
+ }
+ ]
+ osType: 'Linux'
+ restartPolicy: 'Always'
+ subnetIds: isPrivateNetworking ? [
+ {
+ id: virtualNetwork!.outputs.aciSubnetResourceId
+ }
+ ] : null
+ ipAddress: {
+ type: isPrivateNetworking ? 'Private' : 'Public'
+ ports: [
+ {
+ port: aciPort
+ protocol: 'TCP'
+ }
+ ]
+ dnsNameLabel: isPrivateNetworking ? null : containerInstanceName
+ }
+ // Managed identity auth for ACR (instead of anonymous pull)
+ imageRegistryCredentials: [
+ {
+ server: containerRegistry.outputs.loginServer
+ identity: userAssignedIdentityResourceIdForACI
+ }
+ ]
+ }
+}
+
+// ========== Outputs ========== //
+@description('Contains App Service Name')
+output APP_SERVICE_NAME string = webSite.outputs.name
+
+@description('Contains WebApp URL')
+output WEB_APP_URL string = 'https://${webSite.outputs.name}.azurewebsites.net'
+
+@description('Contains Storage Account Name')
+output AZURE_BLOB_ACCOUNT_NAME string = storageAccount.outputs.name
+
+@description('Contains Product Images Container')
+output AZURE_BLOB_PRODUCT_IMAGES_CONTAINER string = productImagesContainer
+
+@description('Contains Generated Images Container')
+output AZURE_BLOB_GENERATED_IMAGES_CONTAINER string = generatedImagesContainer
+
+@description('Contains CosmosDB Account Name')
+output COSMOSDB_ACCOUNT_NAME string = cosmosDB.outputs.name
+
+@description('Contains CosmosDB Endpoint URL')
+output AZURE_COSMOS_ENDPOINT string = 'https://cosmos-${solutionSuffix}.documents.azure.com:443/'
+
+@description('Contains CosmosDB Database Name')
+output AZURE_COSMOS_DATABASE_NAME string = cosmosDBDatabaseName
+
+@description('Contains CosmosDB Products Container')
+output AZURE_COSMOS_PRODUCTS_CONTAINER string = cosmosDBProductsContainer
+
+@description('Contains CosmosDB Conversations Container')
+output AZURE_COSMOS_CONVERSATIONS_CONTAINER string = cosmosDBConversationsContainer
+
+@description('Contains Resource Group Name')
+output RESOURCE_GROUP_NAME string = resourceGroup().name
+
+@description('Contains AI Foundry Name')
+output AI_FOUNDRY_NAME string = aiFoundryAiProjectResourceName
+
+@description('Contains AI Foundry RG Name')
+output AI_FOUNDRY_RG_NAME string = aiFoundryAiServicesResourceGroupName
+
+@description('Contains AI Foundry Resource ID')
+output AI_FOUNDRY_RESOURCE_ID string = useExistingAiFoundryAiProject ? '' : aiFoundryAiServices!.outputs.resourceId
+
+@description('Contains existing AI project resource ID.')
+output AZURE_EXISTING_AIPROJECT_RESOURCE_ID string = azureExistingAIProjectResourceId
+
+@description('Contains AI Search Service Endpoint URL')
+output AZURE_AI_SEARCH_ENDPOINT string = 'https://${aiSearch.outputs.name}.search.windows.net/'
+
+@description('Contains AI Search Service Name')
+output AI_SEARCH_SERVICE_NAME string = aiSearch.outputs.name
+
+@description('Contains AI Search Product Index')
+output AZURE_AI_SEARCH_PRODUCTS_INDEX string = azureSearchIndex
+
+@description('Contains AI Search Image Index')
+output AZURE_AI_SEARCH_IMAGE_INDEX string = 'product-images'
+
+@description('Contains Azure OpenAI endpoint URL')
+output AZURE_OPENAI_ENDPOINT string = 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
+
+@description('Contains GPT Model')
+output AZURE_ENV_GPT_MODEL_NAME string = gptModelName
+
+@description('Contains Image Model (empty if none selected)')
+output AZURE_ENV_IMAGE_MODEL_NAME string = imageModelConfig[imageModelChoice].name
+
+@description('Contains Azure OpenAI GPT/Image endpoint URL (empty if no image model selected)')
+output AZURE_OPENAI_GPT_IMAGE_ENDPOINT string = imageModelChoice != 'none' ? 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/' : ''
+
+@description('Contains Azure OpenAI API Version')
+output AZURE_ENV_OPENAI_API_VERSION string = azureOpenaiAPIVersion
+
+@description('Contains OpenAI Resource')
+output AZURE_OPENAI_RESOURCE string = aiFoundryAiServicesResourceName
+
+@description('Contains AI Agent Endpoint')
+output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
+
+@description('Contains AI Agent API Version')
+output AZURE_AI_AGENT_API_VERSION string = azureAiAgentApiVersion
+
+@description('Contains Application Insights Connection String')
+output AZURE_APPLICATION_INSIGHTS_CONNECTION_STRING string = (enableMonitoring && !useExistingLogAnalytics) ? applicationInsights!.outputs.connectionString : ''
+
+@description('Contains the location used for AI Services deployment')
+output AZURE_ENV_AI_SERVICE_LOCATION string = azureAiServiceLocation
+
+@description('Contains Container Instance Name')
+output CONTAINER_INSTANCE_NAME string = shouldDeployACI ? containerInstance!.name : ''
+
+@description('Contains Container Instance IP Address')
+output CONTAINER_INSTANCE_IP string = shouldDeployACI ? containerInstance!.properties.ipAddress.ip : ''
+
+@description('Contains Container Instance FQDN (only for non-private networking)')
+output CONTAINER_INSTANCE_FQDN string = (shouldDeployACI && !isPrivateNetworking) ? containerInstance!.properties.ipAddress.fqdn : ''
+
+@description('Contains ACR Name')
+output AZURE_ENV_CONTAINER_REGISTRY_NAME string = containerRegistry.outputs.name
+
+@description('Contains flag for Azure AI Foundry usage')
+output USE_FOUNDRY bool = useFoundryMode ? true : false
+
+@description('Contains Azure AI Project Endpoint')
+output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
+
+@description('Contains Azure AI Model Deployment Name')
+output AZURE_AI_MODEL_DEPLOYMENT_NAME string = gptModelName
+
+@description('Contains Azure AI Image Model Deployment Name (empty if none selected)')
+output AZURE_AI_IMAGE_MODEL_DEPLOYMENT string = imageModelConfig[imageModelChoice].name
+
+@description('Contains Managed Identity Client ID')
+output AZURE_CLIENT_ID string = userAssignedIdentity.outputs.clientId
+
+@description('Frontend image name')
+output FRONTEND_IMAGE_NAME string = frontendImageName
+
+@description('Backend image name')
+output BACKEND_IMAGE_NAME string = backendImageName
+
+@description('Image tag')
+output AZURE_ENV_IMAGE_TAG string = imageTag
diff --git a/infra/modules/virtualNetwork.bicep b/infra/modules/virtualNetwork.bicep
index d4ec64795..2d79b1288 100644
--- a/infra/modules/virtualNetwork.bicep
+++ b/infra/modules/virtualNetwork.bicep
@@ -2,13 +2,13 @@
// Networking - NSGs, VNET and Subnets for Content Generation Solution
/****************************************************************************************************************************/
@description('Name of the virtual network.')
-param vnetName string
+param vnetName string
@description('Azure region to deploy resources.')
-param vnetLocation string = resourceGroup().location
+param location string = resourceGroup().location
@description('Required. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
-param vnetAddressPrefixes array = ['10.0.0.0/20']
+param addressPrefixes array = ['10.0.0.0/20']
@description('Optional. Deploy Azure Bastion and Jumpbox subnets for VM-based administration.')
param deployBastionAndJumpbox bool = false
@@ -101,7 +101,15 @@ var coreSubnets = [
}
]
-// Optional Bastion and Jumpbox subnets (only deployed when needed for VM administration)
+// Bastion and Jumpbox subnets (only deployed when deployBastionAndJumpbox is true)
+// VM Size Notes:
+// 1 B-series VMs (like Standard_B2ms) do not support accelerated networking.
+// 2 Pick a VM size that supports accelerated networking + Premium SSD (the usual jump-box candidates):
+// Standard_D2s_v5 (2 vCPU, 8 GiB RAM, Premium SSD/v2/Ultra) // DEFAULT - current-gen Intel, broad regional availability.
+// Standard_D2as_v5 (2 vCPU, 8 GiB RAM, Premium SSD/Ultra) // AMD alternative, typically ~15% cheaper.
+// Standard_D2s_v4 (2 vCPU, 8 GiB RAM, Premium SSD) // Previous gen, also broadly available.
+// Standard_DS2_v2 (2 vCPU, 7 GiB RAM, Premium SSD) // Legacy SKU, being retired from some regions - avoid for new deployments.
+// 3 A-series (Av2) is NOT suitable: no Premium SSD support, no accelerated networking.
var bastionSubnets = deployBastionAndJumpbox ? [
{
name: 'AzureBastionSubnet'
@@ -209,7 +217,7 @@ module nsgs 'br/public:avm/res/network/network-security-group:0.5.2' = [
name: take('avm.res.network.network-security-group.${subnet.?networkSecurityGroup.name}.${resourceSuffix}', 64)
params: {
name: '${subnet.?networkSecurityGroup.name}-${resourceSuffix}'
- location: vnetLocation
+ location: location
securityRules: subnet.?networkSecurityGroup.securityRules
tags: tags
enableTelemetry: enableTelemetry
@@ -222,8 +230,8 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.7.2' = {
name: take('avm.res.network.virtual-network.${vnetName}', 64)
params: {
name: vnetName
- location: vnetLocation
- addressPrefixes: vnetAddressPrefixes
+ location: location
+ addressPrefixes: addressPrefixes
subnets: [
for (subnet, i) in vnetSubnets: {
name: subnet.name
@@ -265,6 +273,6 @@ output webSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.n
output pepsSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'peps') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'peps')] : ''
output aciSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'aci') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'aci')] : ''
-// Optional bastion/jumpbox subnet outputs (only present when deployBastionAndJumpbox is true)
-output bastionSubnetResourceId string = deployBastionAndJumpbox && contains(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet')] : ''
-output jumpboxSubnetResourceId string = deployBastionAndJumpbox && contains(map(vnetSubnets, subnet => subnet.name), 'jumpbox') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'jumpbox')] : ''
+// Bastion/jumpbox subnet outputs (always declared; will be empty when those subnets are not deployed)
+output bastionSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'AzureBastionSubnet')] : ''
+output jumpboxSubnetResourceId string = contains(map(vnetSubnets, subnet => subnet.name), 'jumpbox') ? virtualNetwork.outputs.subnetResourceIds[indexOf(map(vnetSubnets, subnet => subnet.name), 'jumpbox')] : ''
diff --git a/infra/scripts/package_frontend.ps1 b/infra/scripts/package_frontend.ps1
new file mode 100644
index 000000000..f711497f6
--- /dev/null
+++ b/infra/scripts/package_frontend.ps1
@@ -0,0 +1,29 @@
+# Package frontend for App Service deployment
+# This script is called by AZD during prepackage hook
+# Working directory is ./src/app/frontend-server (project directory)
+
+$ErrorActionPreference = 'Stop'
+
+Write-Host "Building React frontend..." -ForegroundColor Cyan
+
+# Build React frontend (one level up)
+Push-Location ../frontend
+npm ci --loglevel=error
+if ($LASTEXITCODE -ne 0) { throw "npm ci failed with exit code $LASTEXITCODE" }
+npm run build -- --outDir ../frontend-server/static
+if ($LASTEXITCODE -ne 0) { throw "npm run build failed with exit code $LASTEXITCODE" }
+Pop-Location
+
+Write-Host "Packaging frontend server..." -ForegroundColor Cyan
+
+# Create dist folder
+mkdir dist -Force | Out-Null
+rm dist/* -r -Force -ErrorAction SilentlyContinue
+
+# Copy required files to dist (node_modules excluded - App Service will npm install)
+cp -r static dist -Force
+cp server.js dist -Force
+cp package.json dist -Force
+cp package-lock.json dist -Force
+
+Write-Host "Frontend packaged successfully!" -ForegroundColor Green
diff --git a/infra/scripts/package_frontend.sh b/infra/scripts/package_frontend.sh
new file mode 100644
index 000000000..5906d1495
--- /dev/null
+++ b/infra/scripts/package_frontend.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+
+# Package frontend for App Service deployment
+# This script is called by AZD during prepackage hook
+# Working directory is ./src/app/frontend-server (project directory)
+
+echo "Building React frontend..."
+
+# Build React frontend (one level up)
+cd ../frontend
+npm ci --loglevel=error
+npm run build -- --outDir ../frontend-server/static
+cd ../frontend-server
+
+echo "Packaging frontend server..."
+
+# Create dist folder and copy files
+rm -rf ./dist
+mkdir -p ./dist
+
+# Copy required files to dist (node_modules excluded - App Service will npm install)
+cp -r static ./dist/
+cp server.js ./dist/
+cp package.json ./dist/
+cp package-lock.json ./dist/
+
+echo "Frontend packaged successfully!"
diff --git a/infra/scripts/validate_bicep_params.py b/infra/scripts/validate_bicep_params.py
new file mode 100644
index 000000000..85df7d149
--- /dev/null
+++ b/infra/scripts/validate_bicep_params.py
@@ -0,0 +1,422 @@
+"""
+Bicep Parameter Mapping Validator
+=================================
+Validates that parameter names in *.parameters.json files exactly match
+the param declarations in their corresponding Bicep templates.
+
+Checks performed:
+ 1. Whitespace â parameter names must have no leading/trailing spaces.
+ 2. Existence â every JSON parameter must map to a `param` in the Bicep file.
+ 3. Casing â names must match exactly (case-sensitive).
+ 4. Orphaned â required Bicep params (no default) missing from the JSON file.
+ 5. Env vars â parameter values bound to environment variables must use the
+ AZURE_ENV_* naming convention, except for explicitly allowed
+ names (for example, AZURE_LOCATION, AZURE_EXISTING_AIPROJECT_RESOURCE_ID).
+
+Usage:
+ # Validate a specific pair
+ python validate_bicep_params.py --bicep main.bicep --params main.parameters.json
+
+ # Auto-discover all *.parameters.json files under infra/
+ python validate_bicep_params.py --dir infra
+
+ # CI mode â exit code 1 on any error
+ python validate_bicep_params.py --dir infra --strict
+
+Returns exit-code 0 when no errors are found, 1 when errors are found (in --strict mode).
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import re
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+
+# Environment variables exempt from the AZURE_ENV_ naming convention.
+_ENV_VAR_EXCEPTIONS = {"AZURE_LOCATION", "AZURE_EXISTING_AIPROJECT_RESOURCE_ID"}
+
+# ---------------------------------------------------------------------------
+# Bicep param parser
+# ---------------------------------------------------------------------------
+
+# Matches lines like: param environmentName string
+# param tags resourceInput<...>
+# param gptDeploymentCapacity int = 150
+# Ignores commented-out lines (// param ...).
+# Captures the type token and the rest of the line so we can detect defaults.
+_PARAM_RE = re.compile(
+ r"^(?!//)[ \t]*param\s+(?P[A-Za-z_]\w*)\s+(?P\S+)(?P.*)",
+ re.MULTILINE,
+)
+
+
+@dataclass
+class BicepParam:
+ name: str
+ has_default: bool
+
+
+def parse_bicep_params(bicep_path: Path) -> list[BicepParam]:
+ """Extract all `param` declarations from a Bicep file."""
+ text = bicep_path.read_text(encoding="utf-8-sig")
+ params: list[BicepParam] = []
+ for match in _PARAM_RE.finditer(text):
+ name = match.group("name")
+ param_type = match.group("type")
+ rest = match.group("rest")
+ # A param is optional if it has a default value (= ...) or is nullable (type ends with ?)
+ has_default = "=" in rest or param_type.endswith("?")
+ params.append(BicepParam(name=name, has_default=has_default))
+ return params
+
+
+# ---------------------------------------------------------------------------
+# Parameters JSON parser
+# ---------------------------------------------------------------------------
+
+
+def parse_parameters_json(json_path: Path) -> list[str]:
+ """Return the raw parameter key names (preserving whitespace) from a
+ parameters JSON file."""
+ text = json_path.read_text(encoding="utf-8-sig")
+ # azd parameter files may include ${VAR} or ${VAR=default} placeholders inside
+ # string values. These are valid JSON strings, but we sanitize them so that
+ # json.loads remains resilient to azd-specific placeholders and any unusual
+ # default formats.
+ sanitized = re.sub(r'"\$\{[^}]+\}"', '"__placeholder__"', text)
+ try:
+ data = json.loads(sanitized)
+ except json.JSONDecodeError:
+ # Fallback: extract keys with regex for resilience.
+ return _extract_keys_regex(text)
+ return list(data.get("parameters", {}).keys())
+
+
+def parse_parameters_env_vars(json_path: Path) -> dict[str, list[str]]:
+ """Return a mapping of parameter name â list of azd env var names
+ referenced in its value (e.g. ``${AZURE_ENV_NAME}``)."""
+ text = json_path.read_text(encoding="utf-8-sig")
+ result: dict[str, list[str]] = {}
+ params = {}
+
+ # Parse the JSON to get the proper parameter structure.
+ sanitized = re.sub(r'"\$\{([^}]+)\}"', r'"__azd_\1__"', text)
+ try:
+ data = json.loads(sanitized)
+ params = data.get("parameters", {})
+ except json.JSONDecodeError:
+ # Best-effort behavior: if JSON cannot be parsed, treat as no env-var
+ return result
+
+ # Walk each top-level parameter and scan its entire serialized value
+ # for ${VAR} references from the original text.
+ for param_name, param_obj in params.items():
+ # Find the raw text block for this parameter in the original file
+ # by scanning for all ${VAR} patterns in the original value section.
+ raw_value = json.dumps(param_obj)
+ # Restore original var references from the sanitized placeholders
+ for m in re.finditer(r'__azd_([^_].*?)__', raw_value):
+ var_ref = m.group(1)
+ # var_ref may contain "=default", extract just the var name
+ var_name = var_ref.split("=")[0].strip()
+ if re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', var_name):
+ result.setdefault(param_name, []).append(var_name)
+
+ return result
+
+
+def _extract_keys_regex(text: str) -> list[str]:
+ """Fallback key extraction via regex when JSON is non-standard."""
+ # Matches the key inside "parameters": { "key": ... }
+ keys: list[str] = []
+ in_params = False
+ for line in text.splitlines():
+ if '"parameters"' in line:
+ in_params = True
+ continue
+ if in_params:
+ m = re.match(r'\s*"([^"]+)"\s*:', line)
+ if m:
+ keys.append(m.group(1))
+ return keys
+
+
+# ---------------------------------------------------------------------------
+# Validation logic
+# ---------------------------------------------------------------------------
+
+@dataclass
+class ValidationIssue:
+ severity: str # "ERROR" or "WARNING"
+ param_file: str
+ bicep_file: str
+ param_name: str
+ message: str
+
+
+@dataclass
+class ValidationResult:
+ pair: str
+ issues: list[ValidationIssue] = field(default_factory=list)
+
+ @property
+ def has_errors(self) -> bool:
+ return any(i.severity == "ERROR" for i in self.issues)
+
+
+def validate_pair(
+ bicep_path: Path,
+ params_path: Path,
+) -> ValidationResult:
+ """Validate a single (bicep, parameters.json) pair."""
+ result = ValidationResult(
+ pair=f"{params_path.name} -> {bicep_path.name}"
+ )
+
+ bicep_params = parse_bicep_params(bicep_path)
+ bicep_names = {p.name for p in bicep_params}
+ bicep_names_lower = {p.name.lower(): p.name for p in bicep_params}
+ required_bicep = {p.name for p in bicep_params if not p.has_default}
+
+ json_keys = parse_parameters_json(params_path)
+
+ seen_json_keys: set[str] = set()
+
+ for raw_key in json_keys:
+ stripped = raw_key.strip()
+
+ # 1. Whitespace check
+ if raw_key != stripped:
+ result.issues.append(ValidationIssue(
+ severity="ERROR",
+ param_file=str(params_path),
+ bicep_file=str(bicep_path),
+ param_name=repr(raw_key),
+ message=(
+ f"Parameter name has leading/trailing whitespace. "
+ f"Raw key: {repr(raw_key)}, expected: {repr(stripped)}"
+ ),
+ ))
+
+ # 2. Exact match check
+ if stripped not in bicep_names:
+ # 3. Case-insensitive near-match
+ suggestion = bicep_names_lower.get(stripped.lower())
+ if suggestion:
+ result.issues.append(ValidationIssue(
+ severity="ERROR",
+ param_file=str(params_path),
+ bicep_file=str(bicep_path),
+ param_name=stripped,
+ message=(
+ f"Case mismatch: JSON has '{stripped}', "
+ f"Bicep declares '{suggestion}'."
+ ),
+ ))
+ else:
+ result.issues.append(ValidationIssue(
+ severity="ERROR",
+ param_file=str(params_path),
+ bicep_file=str(bicep_path),
+ param_name=stripped,
+ message=(
+ f"Parameter '{stripped}' exists in JSON but has no "
+ f"matching param in the Bicep template."
+ ),
+ ))
+ seen_json_keys.add(stripped)
+
+ # 4. Required Bicep params missing from JSON
+ for req in sorted(required_bicep - seen_json_keys):
+ result.issues.append(ValidationIssue(
+ severity="WARNING",
+ param_file=str(params_path),
+ bicep_file=str(bicep_path),
+ param_name=req,
+ message=(
+ f"Required Bicep param '{req}' (no default value) is not "
+ f"supplied in the parameters file."
+ ),
+ ))
+
+ # 5. Env var naming convention â all azd vars should start with AZURE_ENV_
+ env_vars = parse_parameters_env_vars(params_path)
+ for param_name, var_names in sorted(env_vars.items()):
+ for var in var_names:
+ if not var.startswith("AZURE_ENV_") and var not in _ENV_VAR_EXCEPTIONS:
+ result.issues.append(ValidationIssue(
+ severity="WARNING",
+ param_file=str(params_path),
+ bicep_file=str(bicep_path),
+ param_name=param_name,
+ message=(
+ f"Env var '${{{var}}}' does not follow the "
+ f"AZURE_ENV_ naming convention."
+ ),
+ ))
+
+ return result
+
+
+# ---------------------------------------------------------------------------
+# Discovery â find (bicep, params) pairs automatically
+# ---------------------------------------------------------------------------
+
+def discover_pairs(infra_dir: Path) -> list[tuple[Path, Path]]:
+ """For each *.parameters.json, find the matching Bicep file.
+
+ Naming convention: a file like ``main.waf.parameters.json`` is a
+ variant of ``main.parameters.json`` â the user copies its contents
+ into ``main.parameters.json`` before running ``azd up``. Both
+ files should therefore be validated against ``main.bicep``.
+
+ Resolution order:
+ 1. Exact stem match (e.g. ``foo.parameters.json`` â ``foo.bicep``).
+ 2. Base-stem match (e.g. ``main.waf.parameters.json`` â ``main.bicep``).
+ """
+ pairs: list[tuple[Path, Path]] = []
+ for pf in sorted(infra_dir.rglob("*.parameters.json")):
+ stem = pf.name.replace(".parameters.json", "")
+ bicep_candidate = pf.parent / f"{stem}.bicep"
+ if bicep_candidate.exists():
+ pairs.append((bicep_candidate, pf))
+ else:
+ # Try the base stem (first segment before the first dot).
+ base_stem = stem.split(".")[0]
+ base_candidate = pf.parent / f"{base_stem}.bicep"
+ if base_candidate.exists():
+ pairs.append((base_candidate, pf))
+ else:
+ print(f" [SKIP] No matching Bicep file for {pf.name}")
+ return pairs
+
+
+# ---------------------------------------------------------------------------
+# Reporting
+# ---------------------------------------------------------------------------
+
+_COLORS = {
+ "ERROR": "\033[91m", # red
+ "WARNING": "\033[93m", # yellow
+ "OK": "\033[92m", # green
+ "RESET": "\033[0m",
+}
+
+
+def print_report(results: list[ValidationResult], *, use_color: bool = True) -> None:
+ c = _COLORS if use_color else {k: "" for k in _COLORS}
+ total_errors = 0
+ total_warnings = 0
+
+ for r in results:
+ errors = [i for i in r.issues if i.severity == "ERROR"]
+ warnings = [i for i in r.issues if i.severity == "WARNING"]
+ total_errors += len(errors)
+ total_warnings += len(warnings)
+
+ if not r.issues:
+ print(f"\n{c['OK']}[PASS]{c['RESET']} {r.pair}")
+ elif errors:
+ print(f"\n{c['ERROR']}[FAIL]{c['RESET']} {r.pair}")
+ else:
+ print(f"\n{c['WARNING']}[WARN]{c['RESET']} {r.pair}")
+
+ for issue in r.issues:
+ tag = (
+ f"{c['ERROR']}ERROR{c['RESET']}"
+ if issue.severity == "ERROR"
+ else f"{c['WARNING']}WARN {c['RESET']}"
+ )
+ print(f" {tag} {issue.param_name}: {issue.message}")
+
+ print(f"\n{'='*60}")
+ print(f"Total: {total_errors} error(s), {total_warnings} warning(s)")
+ if total_errors == 0:
+ print(f"{c['OK']}All parameter mappings are valid.{c['RESET']}")
+ else:
+ print(f"{c['ERROR']}Parameter mapping issues detected!{c['RESET']}")
+
+
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+
+def main() -> int:
+ parser = argparse.ArgumentParser(
+ description="Validate Bicep â parameters.json parameter mappings.",
+ )
+ parser.add_argument(
+ "--bicep",
+ type=Path,
+ help="Path to a specific Bicep template.",
+ )
+ parser.add_argument(
+ "--params",
+ type=Path,
+ help="Path to a specific parameters JSON file.",
+ )
+ parser.add_argument(
+ "--dir",
+ type=Path,
+ help="Directory to scan for *.parameters.json files (auto-discovers pairs).",
+ )
+ parser.add_argument(
+ "--strict",
+ action="store_true",
+ help="Exit with code 1 if any errors are found.",
+ )
+ parser.add_argument(
+ "--no-color",
+ action="store_true",
+ help="Disable colored output (useful for CI logs).",
+ )
+ parser.add_argument(
+ "--json-output",
+ type=Path,
+ help="Write results as JSON to the given file path.",
+ )
+ args = parser.parse_args()
+
+ results: list[ValidationResult] = []
+
+ if args.bicep and args.params:
+ results.append(validate_pair(args.bicep, args.params))
+ elif args.dir:
+ pairs = discover_pairs(args.dir)
+ if not pairs:
+ print(f"No (bicep, parameters.json) pairs found under {args.dir}")
+ return 0
+ for bicep_path, params_path in pairs:
+ results.append(validate_pair(bicep_path, params_path))
+ else:
+ parser.error("Provide either --bicep/--params or --dir.")
+
+ print_report(results, use_color=not args.no_color)
+
+ # Optional JSON output for CI artifact consumption
+ if args.json_output:
+ json_data = []
+ for r in results:
+ for issue in r.issues:
+ json_data.append({
+ "severity": issue.severity,
+ "paramFile": issue.param_file,
+ "bicepFile": issue.bicep_file,
+ "paramName": issue.param_name,
+ "message": issue.message,
+ })
+ args.json_output.parent.mkdir(parents=True, exist_ok=True)
+ args.json_output.write_text(
+ json.dumps(json_data, indent=2), encoding="utf-8"
+ )
+ print(f"\nJSON report written to {args.json_output}")
+
+ has_errors = any(r.has_errors for r in results)
+ return 1 if args.strict and has_errors else 0
+
+
+if __name__ == "__main__":
+ sys.exit(main())
diff --git a/scripts/checkquota.sh b/scripts/checkquota.sh
index 7b87424bd..c12df68c3 100644
--- a/scripts/checkquota.sh
+++ b/scripts/checkquota.sh
@@ -9,12 +9,12 @@
# Auto-detects mode based on environment variables.
#
# Usage (local):
-# bash checkquota.sh [image_model_choice]
+# bash checkquota.sh [model] # e.g. gpt-image-1-mini | gpt-image-1.5 | none
# bash checkquota.sh gpt-image-1-mini
# bash checkquota.sh none
#
# Usage (CI - via env vars):
-# Set AZURE_SUBSCRIPTION_ID, GPT_MIN_CAPACITY, AZURE_REGIONS, IMAGE_MODEL_CHOICE
+# Set AZURE_SUBSCRIPTION_ID, GPT_MIN_CAPACITY, AZURE_REGIONS, AZURE_ENV_IMAGE_MODEL_NAME
# Authentication is handled externally via OIDC (az login already done before this script runs)
# =============================================================================
@@ -28,9 +28,9 @@ fi
# ---- Configuration ----
# In local mode, image model can be passed as first argument
if [[ "$RUN_MODE" == "local" ]]; then
- IMAGE_MODEL_CHOICE="${1:-${IMAGE_MODEL_CHOICE:-gpt-image-1-mini}}"
+ AZURE_ENV_IMAGE_MODEL_NAME="${1:-${AZURE_ENV_IMAGE_MODEL_NAME:-gpt-image-1-mini}}"
else
- IMAGE_MODEL_CHOICE="${IMAGE_MODEL_CHOICE:-gpt-image-1-mini}"
+ AZURE_ENV_IMAGE_MODEL_NAME="${AZURE_ENV_IMAGE_MODEL_NAME:-gpt-image-1-mini}"
fi
GPT_MIN_CAPACITY="${GPT_MIN_CAPACITY:-150}"
@@ -40,7 +40,7 @@ IMAGE_MODEL_MIN_CAPACITY="${IMAGE_MODEL_MIN_CAPACITY:-1}"
if [[ -n "$AZURE_REGIONS" ]]; then
IFS=', ' read -ra REGIONS <<< "$AZURE_REGIONS"
else
- REGIONS=("westus3" "eastus2" "uaenorth" "swedencentral" "australiaeast" "eastus" "uksouth" "japaneast")
+ REGIONS=("westus3" "eastus2" "uaenorth" "swedencentral" "australiaeast" "uksouth" "japaneast" "canadaeast" "koreacentral" "polandcentral" "switzerlandnorth")
fi
# Map image model choice to Azure quota model name
@@ -53,8 +53,8 @@ IMAGE_MODEL_QUOTA_NAME=(
# ---- Validate image model choice ----
ALLOWED_MODELS=("gpt-image-1-mini" "gpt-image-1.5" "none")
-if [[ ! " ${ALLOWED_MODELS[@]} " =~ " ${IMAGE_MODEL_CHOICE} " ]]; then
- echo "â ERROR: Invalid image model choice: '$IMAGE_MODEL_CHOICE'"
+if [[ ! " ${ALLOWED_MODELS[@]} " =~ " ${AZURE_ENV_IMAGE_MODEL_NAME} " ]]; then
+ echo "â ERROR: Invalid image model choice: '$AZURE_ENV_IMAGE_MODEL_NAME'"
echo " Allowed values: ${ALLOWED_MODELS[*]}"
exit 1
fi
@@ -91,7 +91,7 @@ fi
echo ""
echo "đ Configuration:"
echo " Mode: $RUN_MODE"
-echo " Image Model Choice: $IMAGE_MODEL_CHOICE"
+echo " Image Model Choice: $AZURE_ENV_IMAGE_MODEL_NAME"
echo " GPT Min Capacity: $GPT_MIN_CAPACITY"
echo " Image Model Min Capacity: $IMAGE_MODEL_MIN_CAPACITY"
echo " Regions to check: ${REGIONS[*]}"
@@ -104,10 +104,10 @@ MIN_CAPACITY=(
)
# Add image model to quota check if not 'none'
-IMAGE_QUOTA_NAME="${IMAGE_MODEL_QUOTA_NAME[$IMAGE_MODEL_CHOICE]}"
+IMAGE_QUOTA_NAME="${IMAGE_MODEL_QUOTA_NAME[$AZURE_ENV_IMAGE_MODEL_NAME]}"
if [[ -n "$IMAGE_QUOTA_NAME" ]]; then
MIN_CAPACITY["$IMAGE_QUOTA_NAME"]=$IMAGE_MODEL_MIN_CAPACITY
- echo "đŧī¸ Image model '$IMAGE_MODEL_CHOICE' added to quota check (key: $IMAGE_QUOTA_NAME, min capacity: $IMAGE_MODEL_MIN_CAPACITY)"
+ echo "đŧī¸ Image model '$AZURE_ENV_IMAGE_MODEL_NAME' added to quota check (key: $IMAGE_QUOTA_NAME, min capacity: $IMAGE_MODEL_MIN_CAPACITY)"
else
echo "âšī¸ Image model set to 'none' â skipping image model quota check."
fi
@@ -170,7 +170,7 @@ echo ""
echo "========================================"
if [ -z "$VALID_REGION" ]; then
echo "â No region with sufficient quota found!"
- echo " Image Model: $IMAGE_MODEL_CHOICE"
+ echo " Image Model: $AZURE_ENV_IMAGE_MODEL_NAME"
echo " Checked regions: ${REGIONS[*]}"
# In CI mode, set GITHUB_ENV variable instead of exiting with error
diff --git a/scripts/deploy.ps1 b/scripts/deploy.ps1
index bed9b90a9..cc411a2f3 100644
--- a/scripts/deploy.ps1
+++ b/scripts/deploy.ps1
@@ -40,12 +40,12 @@ $ProjectDir = Split-Path -Parent $ScriptDir
Set-Location $ProjectDir
# Configuration from environment or prompt
-$ResourceGroup = if ($env:RESOURCE_GROUP) { $env:RESOURCE_GROUP } else { $null }
-$Location = if ($env:LOCATION) { $env:LOCATION } else { "eastus" }
-$AcrName = if ($env:ACR_NAME) { $env:ACR_NAME } else { $null }
-$ContainerName = if ($env:CONTAINER_NAME) { $env:CONTAINER_NAME } else { "aci-contentgen-backend" }
+$ResourceGroup = if ($env:AZURE_RESOURCE_GROUP) { $env:AZURE_RESOURCE_GROUP } else { $null }
+$Location = if ($env:AZURE_LOCATION) { $env:AZURE_LOCATION } else { "eastus" }
+$AcrName = if ($env:AZURE_ENV_CONTAINER_REGISTRY_NAME) { $env:AZURE_ENV_CONTAINER_REGISTRY_NAME } else { $null }
+$ContainerName = if ($env:CONTAINER_INSTANCE_NAME) { $env:CONTAINER_INSTANCE_NAME } else { "aci-contentgen-backend" }
$AppServiceName = if ($env:APP_SERVICE_NAME) { $env:APP_SERVICE_NAME } else { $null }
-$ImageTag = if ($env:IMAGE_TAG) { $env:IMAGE_TAG } else { "latest" }
+$ImageTag = if ($env:AZURE_ENV_IMAGE_TAG) { $env:AZURE_ENV_IMAGE_TAG } else { "latest" }
Write-Host ""
Write-Host "Current configuration:"
@@ -96,7 +96,7 @@ if ($continue -eq "y" -or $continue -eq "Y") {
Write-Host "Step 1: Building and pushing backend container..." -ForegroundColor Green
Write-Host "==========================================" -ForegroundColor Green
- Set-Location "$ProjectDir\src"
+ Set-Location "$ProjectDir\src\backend"
# Login to ACR
az acr login --name $AcrName
@@ -105,7 +105,7 @@ if ($continue -eq "y" -or $continue -eq "Y") {
az acr build `
--registry $AcrName `
--image "contentgen-backend:$ImageTag" `
- --file WebApp.Dockerfile `
+ --file ApiApp.Dockerfile `
.
Write-Host "â Container built and pushed to $AcrName.azurecr.io/contentgen-backend:$ImageTag" -ForegroundColor Green
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 10bbbbfa4..efd2b51b9 100644
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -39,19 +39,19 @@ cd "$PROJECT_DIR"
# Default configuration
RESOURCE_GROUP="${RESOURCE_GROUP:-}"
LOCATION="${LOCATION:-eastus}"
-ACR_NAME="${ACR_NAME:-}"
+AZURE_ENV_CONTAINER_REGISTRY_NAME="${AZURE_ENV_CONTAINER_REGISTRY_NAME:-}"
CONTAINER_NAME="${CONTAINER_NAME:-aci-contentgen-backend}"
APP_SERVICE_NAME="${APP_SERVICE_NAME:-}"
-IMAGE_TAG="${IMAGE_TAG:-latest}"
+AZURE_ENV_IMAGE_TAG="${AZURE_ENV_IMAGE_TAG:-latest}"
echo ""
echo "Current configuration:"
echo " Resource Group: ${RESOURCE_GROUP:-}"
echo " Location: $LOCATION"
-echo " ACR Name: ${ACR_NAME:-}"
+echo " ACR Name: ${AZURE_ENV_CONTAINER_REGISTRY_NAME:-}"
echo " Container Name: $CONTAINER_NAME"
echo " App Service: ${APP_SERVICE_NAME:-}"
-echo " Image Tag: $IMAGE_TAG"
+echo " Image Tag: $AZURE_ENV_IMAGE_TAG"
echo ""
# Prompt for missing values
@@ -59,8 +59,8 @@ if [ -z "$RESOURCE_GROUP" ]; then
read -p "Enter Resource Group name: " RESOURCE_GROUP
fi
-if [ -z "$ACR_NAME" ]; then
- read -p "Enter Azure Container Registry name: " ACR_NAME
+if [ -z "$AZURE_ENV_CONTAINER_REGISTRY_NAME" ]; then
+ read -p "Enter Azure Container Registry name: " AZURE_ENV_CONTAINER_REGISTRY_NAME
fi
if [ -z "$APP_SERVICE_NAME" ]; then
@@ -97,16 +97,16 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
cd "$PROJECT_DIR/src"
# Login to ACR
- az acr login --name "$ACR_NAME"
+ az acr login --name "$AZURE_ENV_CONTAINER_REGISTRY_NAME"
# Build and push using ACR tasks
az acr build \
- --registry "$ACR_NAME" \
- --image "contentgen-backend:$IMAGE_TAG" \
- --file WebApp.Dockerfile \
- .
+ --registry "$AZURE_ENV_CONTAINER_REGISTRY_NAME" \
+ --image "contentgen-backend:$AZURE_ENV_IMAGE_TAG" \
+ --file backend/ApiApp.Dockerfile \
+ backend
- echo "â Container built and pushed to $ACR_NAME.azurecr.io/contentgen-backend:$IMAGE_TAG"
+ echo "â Container built and pushed to $AZURE_ENV_CONTAINER_REGISTRY_NAME.azurecr.io/contentgen-backend:$AZURE_ENV_IMAGE_TAG"
# Step 2: Get the current container's managed identity
echo ""
diff --git a/scripts/local_dev.ps1 b/scripts/local_dev.ps1
index 6978846ba..7319aca56 100644
--- a/scripts/local_dev.ps1
+++ b/scripts/local_dev.ps1
@@ -109,7 +109,7 @@ function Ensure-AzureAIUserRole {
$foundryResourceId = $null
if (Test-Path ".env") {
Get-Content ".env" | ForEach-Object {
- if ($_ -match "^AZURE_EXISTING_AI_PROJECT_RESOURCE_ID=(.*)$") { $existingProjectId = $matches[1].Trim('"').Trim("'") }
+ if ($_ -match "^AZURE_EXISTING_AIPROJECT_RESOURCE_ID=(.*)$") { $existingProjectId = $matches[1].Trim('"').Trim("'") }
if ($_ -match "^AI_FOUNDRY_RESOURCE_ID=(.*)$") { $foundryResourceId = $matches[1].Trim('"').Trim("'") }
}
}
@@ -121,7 +121,7 @@ function Ensure-AzureAIUserRole {
} elseif ($foundryResourceId) {
$scope = $foundryResourceId
} else {
- Write-Error "Neither AZURE_EXISTING_AI_PROJECT_RESOURCE_ID nor AI_FOUNDRY_RESOURCE_ID found in .env"
+ Write-Error "Neither AZURE_EXISTING_AIPROJECT_RESOURCE_ID nor AI_FOUNDRY_RESOURCE_ID found in .env"
exit 1
}
diff --git a/scripts/local_dev.sh b/scripts/local_dev.sh
index 8bf811d92..4f1c084ac 100644
--- a/scripts/local_dev.sh
+++ b/scripts/local_dev.sh
@@ -105,7 +105,7 @@ ensure_azure_ai_user_role() {
local existing_project_id=""
local foundry_resource_id=""
if [ -f ".env" ]; then
- existing_project_id=$(grep "^AZURE_EXISTING_AI_PROJECT_RESOURCE_ID=" .env | cut -d'=' -f2- | tr -d '"' | tr -d "'" || echo "")
+ existing_project_id=$(grep "^AZURE_EXISTING_AIPROJECT_RESOURCE_ID=" .env | cut -d'=' -f2- | tr -d '"' | tr -d "'" || echo "")
foundry_resource_id=$(grep "^AI_FOUNDRY_RESOURCE_ID=" .env | cut -d'=' -f2- | tr -d '"' | tr -d "'" || echo "")
fi
@@ -115,7 +115,7 @@ ensure_azure_ai_user_role() {
elif [ -n "$foundry_resource_id" ]; then
scope="$foundry_resource_id"
else
- print_error "Neither AZURE_EXISTING_AI_PROJECT_RESOURCE_ID nor AI_FOUNDRY_RESOURCE_ID found in .env"
+ print_error "Neither AZURE_EXISTING_AIPROJECT_RESOURCE_ID nor AI_FOUNDRY_RESOURCE_ID found in .env"
exit 1
fi
diff --git a/scripts/post_deploy.py b/scripts/post_deploy.py
index d1eebb3f3..202d7ebeb 100644
--- a/scripts/post_deploy.py
+++ b/scripts/post_deploy.py
@@ -244,25 +244,31 @@ def get_api_headers(config: ResourceConfig) -> Dict[str, str]:
return headers
-async def check_admin_api_health(config: ResourceConfig) -> bool:
- """Check if the admin API is available."""
+async def check_admin_api_health(config: ResourceConfig, max_retries: int = 5, retry_delay: int = 10) -> bool:
+ """Check if the admin API is available with retry logic for cold starts."""
print_step("Checking admin API health...")
async with httpx.AsyncClient(timeout=30.0) as client:
- try:
- response = await client.get(
- f"{config.app_url}/api/admin/health",
- headers=get_api_headers(config)
- )
- if response.status_code == 200:
- print_success("Admin API is healthy")
- return True
- else:
- print_error(f"Admin API returned {response.status_code}")
- return False
- except Exception as e:
- print_error(f"Failed to reach admin API: {e}")
- return False
+ for attempt in range(1, max_retries + 1):
+ try:
+ response = await client.get(
+ f"{config.app_url}/api/admin/health",
+ headers=get_api_headers(config)
+ )
+ if response.status_code == 200:
+ print_success("Admin API is healthy")
+ return True
+ else:
+ print_warning(f"Attempt {attempt}/{max_retries}: Admin API returned {response.status_code}")
+ except Exception as e:
+ print_warning(f"Attempt {attempt}/{max_retries}: Failed to reach admin API: {e}")
+
+ if attempt < max_retries:
+ print(f" Retrying in {retry_delay} seconds...")
+ await asyncio.sleep(retry_delay)
+
+ print_error(f"Admin API not available after {max_retries} attempts")
+ return False
async def upload_images(config: ResourceConfig, dry_run: bool = False) -> int:
diff --git a/scripts/sample_content_generation.py b/scripts/sample_content_generation.py
index 1a75d5def..cf9b55c99 100644
--- a/scripts/sample_content_generation.py
+++ b/scripts/sample_content_generation.py
@@ -8,9 +8,9 @@
Prerequisites:
1. Set up environment variables (or use a .env file):
- AZURE_OPENAI_ENDPOINT: Your Azure OpenAI endpoint
- - AZURE_OPENAI_GPT_MODEL: GPT model deployment name
+ - AZURE_ENV_GPT_MODEL_NAME: GPT model deployment name
- AZURE_OPENAI_GPT_IMAGE_ENDPOINT: (Optional) Endpoint for images
- - AZURE_OPENAI_IMAGE_MODEL: Image model name (e.g., gpt-image-1-mini)
+ - AZURE_ENV_IMAGE_MODEL_NAME: Image model name (e.g., gpt-image-1-mini)
- AZURE_COSMOS_ENDPOINT: Your CosmosDB endpoint
- AZURE_COSMOS_DATABASE_NAME: content-generation
- AZURE_COSMOS_CONVERSATIONS_CONTAINER: conversations
diff --git a/scripts/sample_image_generation.py b/scripts/sample_image_generation.py
index 19c858041..d6710d185 100644
--- a/scripts/sample_image_generation.py
+++ b/scripts/sample_image_generation.py
@@ -9,7 +9,7 @@
1. Set up environment variables (or use a .env file):
- AZURE_OPENAI_ENDPOINT: Your Azure OpenAI endpoint
- AZURE_OPENAI_GPT_IMAGE_ENDPOINT: (Optional) Dedicated GPT image endpoint
- - AZURE_OPENAI_IMAGE_MODEL: Use "gpt-image-1-mini" or "gpt-image-1.5"
+ - AZURE_ENV_IMAGE_MODEL_NAME: Use "gpt-image-1-mini" or "gpt-image-1.5"
2. Ensure you have RBAC access:
- "Cognitive Services OpenAI User" role on the Azure OpenAI resource
diff --git a/src/backend/agents/image_content_agent.py b/src/backend/agents/image_content_agent.py
index 0d2d75c02..c5cce59d5 100644
--- a/src/backend/agents/image_content_agent.py
+++ b/src/backend/agents/image_content_agent.py
@@ -74,7 +74,7 @@ async def generate_image(
"""
Generate a marketing image using DALL-E 3, gpt-image-1-mini, or gpt-image-1.5.
- The model used is determined by AZURE_OPENAI_IMAGE_MODEL setting.
+ The model used is determined by AZURE_ENV_IMAGE_MODEL_NAME setting.
Args:
prompt: The main image generation prompt
diff --git a/src/backend/settings.py b/src/backend/settings.py
index e5e4a81ae..508af29b8 100644
--- a/src/backend/settings.py
+++ b/src/backend/settings.py
@@ -10,7 +10,7 @@
import os
from typing import List, Literal, Optional
-from pydantic import BaseModel, Field, field_validator, model_validator
+from pydantic import AliasChoices, BaseModel, Field, field_validator, model_validator
from pydantic_settings import BaseSettings, SettingsConfigDict
from typing_extensions import Self
@@ -87,12 +87,18 @@ class _AzureOpenAISettings(BaseSettings):
env_ignore_empty=True,
)
- gpt_model: str = Field(default="gpt-5", alias="AZURE_OPENAI_GPT_MODEL")
+ gpt_model: str = Field(
+ default="gpt-5",
+ validation_alias=AliasChoices("AZURE_ENV_GPT_MODEL_NAME", "AZURE_OPENAI_GPT_MODEL")
+ )
model: str = "gpt-5"
# Image generation model settings
# Supported models: "gpt-image-1-mini" or "gpt-image-1.5"
- image_model: str = Field(default="gpt-image-1-mini", alias="AZURE_OPENAI_IMAGE_MODEL")
+ image_model: str = Field(
+ default="gpt-image-1-mini",
+ validation_alias=AliasChoices("AZURE_ENV_IMAGE_MODEL_NAME", "AZURE_OPENAI_IMAGE_MODEL")
+ )
# gpt-image-1-mini or gpt-image-1.5 specific endpoint
gpt_image_endpoint: Optional[str] = Field(default=None, alias="AZURE_OPENAI_GPT_IMAGE_ENDPOINT")
@@ -103,7 +109,10 @@ class _AzureOpenAISettings(BaseSettings):
top_p: float = 0.95
max_tokens: int = 2000
stream: bool = True
- api_version: str = "2024-06-01"
+ api_version: str = Field(
+ default="2024-06-01",
+ validation_alias=AliasChoices("AZURE_ENV_OPENAI_API_VERSION", "AZURE_OPENAI_API_VERSION")
+ )
preview_api_version: str = "2024-02-01"
image_api_version: str = Field(default="2025-04-01-preview", alias="AZURE_OPENAI_IMAGE_API_VERSION")
diff --git a/src/tests/conftest.py b/src/tests/conftest.py
index bd8f06f34..8cff0bac9 100644
--- a/src/tests/conftest.py
+++ b/src/tests/conftest.py
@@ -74,7 +74,8 @@ def mock_environment(monkeypatch):
env_vars = {
# Azure OpenAI (required - _AzureOpenAISettings)
"AZURE_OPENAI_ENDPOINT": "https://test-openai.openai.azure.com/",
- "AZURE_OPENAI_API_VERSION": "2024-08-01-preview",
+ "AZURE_ENV_OPENAI_API_VERSION": "2024-08-01-preview",
+ "AZURE_OPENAI_API_VERSION": "2024-08-01-preview", # Legacy for backward compatibility test
# Azure Cosmos DB (_CosmosSettings uses AZURE_COSMOS_ prefix)
"AZURE_COSMOS_ENDPOINT": "https://test-cosmos.documents.azure.com:443/",
diff --git a/src/tests/services/test_orchestrator.py b/src/tests/services/test_orchestrator.py
index 1c79b00f2..6063dbd2c 100644
--- a/src/tests/services/test_orchestrator.py
+++ b/src/tests/services/test_orchestrator.py
@@ -1,10 +1,10 @@
import base64
import json
+import sys
from unittest.mock import AsyncMock, MagicMock, patch
import pytest
-import orchestrator
from orchestrator import (_HARMFUL_PATTERNS_COMPILED,
_SYSTEM_PROMPT_PATTERNS_COMPILED,
PLANNING_INSTRUCTIONS, RAI_HARMFUL_CONTENT_RESPONSE,
@@ -841,7 +841,7 @@ def test_get_orchestrator_singleton():
mock_builder.return_value = mock_builder_instance
# Reset the singleton
- orchestrator._orchestrator = None
+ sys.modules["orchestrator"]._orchestrator = None
instance1 = get_orchestrator()
instance2 = get_orchestrator()
@@ -1518,7 +1518,7 @@ async def test_get_chat_client_foundry_mode():
def test_foundry_not_available():
"""Test when Foundry SDK is not available."""
# Check that FOUNDRY_AVAILABLE is defined
- assert hasattr(orchestrator, 'FOUNDRY_AVAILABLE')
+ assert hasattr(sys.modules["orchestrator"], 'FOUNDRY_AVAILABLE')
# Tests for workflow event handling (lines 736-799, 841-895)
# Note: These are integration-level tests that verify the workflow event
diff --git a/src/tests/test_settings.py b/src/tests/test_settings.py
index 13968cfde..6b5dd2a9e 100644
--- a/src/tests/test_settings.py
+++ b/src/tests/test_settings.py
@@ -76,13 +76,48 @@ def test_effective_image_model_returns_image_model(self):
"""Test effective_image_model returns image_model directly."""
from settings import _AzureOpenAISettings
+ with patch.dict(os.environ, {
+ "AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
+ "AZURE_ENV_IMAGE_MODEL_NAME": "gpt-image-1.5"
+ }, clear=False):
+ settings = _AzureOpenAISettings()
+ assert settings.effective_image_model == "gpt-image-1.5"
+
+ def test_image_model_with_legacy_env_var(self):
+ """Test image_model loads from legacy AZURE_OPENAI_IMAGE_MODEL variable."""
+ from settings import _AzureOpenAISettings
+
with patch.dict(os.environ, {
"AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
"AZURE_OPENAI_IMAGE_MODEL": "gpt-image-1.5"
}, clear=False):
settings = _AzureOpenAISettings()
+ assert settings.image_model == "gpt-image-1.5"
assert settings.effective_image_model == "gpt-image-1.5"
+ def test_gpt_model_with_legacy_env_var(self):
+ """Test gpt_model loads from legacy AZURE_OPENAI_GPT_MODEL variable."""
+ from settings import _AzureOpenAISettings
+
+ with patch.dict(os.environ, {
+ "AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
+ "AZURE_OPENAI_GPT_MODEL": "gpt-4o"
+ }, clear=False):
+ settings = _AzureOpenAISettings()
+ assert settings.gpt_model == "gpt-4o"
+
+ def test_api_version_with_legacy_env_var(self):
+ """Test api_version loads from legacy AZURE_OPENAI_API_VERSION variable."""
+ from settings import _AzureOpenAISettings
+
+ with patch.dict(os.environ, {
+ "AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
+ "AZURE_OPENAI_API_VERSION": "2023-12-01-preview",
+ "AZURE_ENV_OPENAI_API_VERSION": "" # Clear new env var to test legacy
+ }, clear=False):
+ settings = _AzureOpenAISettings()
+ assert settings.api_version == "2023-12-01-preview"
+
class TestImageGenerationEnabled:
"""Tests for image_generation_enabled property logic."""
@@ -93,7 +128,7 @@ def test_disabled_with_none_model(self):
with patch.dict(os.environ, {
"AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
- "AZURE_OPENAI_IMAGE_MODEL": "none"
+ "AZURE_ENV_IMAGE_MODEL_NAME": "none"
}, clear=False):
settings = _AzureOpenAISettings()
assert settings.image_generation_enabled is False
@@ -104,7 +139,7 @@ def test_disabled_with_disabled_model(self):
with patch.dict(os.environ, {
"AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
- "AZURE_OPENAI_IMAGE_MODEL": "disabled"
+ "AZURE_ENV_IMAGE_MODEL_NAME": "disabled"
}, clear=False):
settings = _AzureOpenAISettings()
assert settings.image_generation_enabled is False
@@ -115,7 +150,7 @@ def test_enabled_with_valid_model_and_endpoint(self):
with patch.dict(os.environ, {
"AZURE_OPENAI_ENDPOINT": "https://test.openai.azure.com",
- "AZURE_OPENAI_IMAGE_MODEL": "gpt-image-1-mini"
+ "AZURE_ENV_IMAGE_MODEL_NAME": "gpt-image-1-mini"
}, clear=False):
settings = _AzureOpenAISettings()
assert settings.image_generation_enabled is True