azd 0.9.0

data/lib/generators/templates/infra/core/monitor/applicationinsights.bicep

@@ -0,0 +1,30 @@
+metadata description = 'Creates an Application Insights instance based on an existing Log Analytics workspace.'
+param name string
+param dashboardName string = ''
+param location string = resourceGroup().location
+param tags object = {}
+param logAnalyticsWorkspaceId string
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: name
+  location: location
+  tags: tags
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    WorkspaceResourceId: logAnalyticsWorkspaceId
+  }
+}
+
+module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if (!empty(dashboardName)) {
+  name: 'application-insights-dashboard'
+  params: {
+    name: dashboardName
+    location: location
+    applicationInsightsName: applicationInsights.name
+  }
+}
+
+output connectionString string = applicationInsights.properties.ConnectionString
+output instrumentationKey string = applicationInsights.properties.InstrumentationKey
+output name string = applicationInsights.name

data/lib/generators/templates/infra/core/monitor/loganalytics.bicep

@@ -0,0 +1,22 @@
+metadata description = 'Creates a Log Analytics workspace.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  properties: any({
+    retentionInDays: 30
+    features: {
+      searchVersion: 1
+    }
+    sku: {
+      name: 'PerGB2018'
+    }
+  })
+}
+
+output id string = logAnalytics.id
+output name string = logAnalytics.name

data/lib/generators/templates/infra/core/monitor/monitoring.bicep

@@ -0,0 +1,32 @@
+metadata description = 'Creates an Application Insights instance and a Log Analytics workspace.'
+param logAnalyticsName string
+param applicationInsightsName string
+param applicationInsightsDashboardName string = ''
+param location string = resourceGroup().location
+param tags object = {}
+
+module logAnalytics 'loganalytics.bicep' = {
+  name: 'loganalytics'
+  params: {
+    name: logAnalyticsName
+    location: location
+    tags: tags
+  }
+}
+
+module applicationInsights 'applicationinsights.bicep' = {
+  name: 'applicationinsights'
+  params: {
+    name: applicationInsightsName
+    location: location
+    tags: tags
+    dashboardName: applicationInsightsDashboardName
+    logAnalyticsWorkspaceId: logAnalytics.outputs.id
+  }
+}
+
+output applicationInsightsConnectionString string = applicationInsights.outputs.connectionString
+output applicationInsightsInstrumentationKey string = applicationInsights.outputs.instrumentationKey
+output applicationInsightsName string = applicationInsights.outputs.name
+output logAnalyticsWorkspaceId string = logAnalytics.outputs.id
+output logAnalyticsWorkspaceName string = logAnalytics.outputs.name

data/lib/generators/templates/infra/core/networking/cdn-endpoint.bicep

@@ -0,0 +1,52 @@
+metadata description = 'Adds an endpoint to an Azure CDN profile.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('The name of the CDN profile resource')
+@minLength(1)
+param cdnProfileName string
+
+@description('Delivery policy rules')
+param deliveryPolicyRules array = []
+
+@description('The origin URL for the endpoint')
+@minLength(1)
+param originUrl string
+
+resource endpoint 'Microsoft.Cdn/profiles/endpoints@2022-05-01-preview' = {
+  parent: cdnProfile
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    originHostHeader: originUrl
+    isHttpAllowed: false
+    isHttpsAllowed: true
+    queryStringCachingBehavior: 'UseQueryString'
+    optimizationType: 'GeneralWebDelivery'
+    origins: [
+      {
+        name: replace(originUrl, '.', '-')
+        properties: {
+          hostName: originUrl
+          originHostHeader: originUrl
+          priority: 1
+          weight: 1000
+          enabled: true
+        }
+      }
+    ]
+    deliveryPolicy: {
+      rules: deliveryPolicyRules
+    }
+  }
+}
+
+resource cdnProfile 'Microsoft.Cdn/profiles@2022-05-01-preview' existing = {
+  name: cdnProfileName
+}
+
+output id string = endpoint.id
+output name string = endpoint.name
+output uri string = 'https://${endpoint.properties.hostName}'

data/lib/generators/templates/infra/core/networking/cdn-profile.bicep

@@ -0,0 +1,34 @@
+metadata description = 'Creates an Azure CDN profile.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('The pricing tier of this CDN profile')
+@allowed([
+  'Custom_Verizon'
+  'Premium_AzureFrontDoor'
+  'Premium_Verizon'
+  'StandardPlus_955BandWidth_ChinaCdn'
+  'StandardPlus_AvgBandWidth_ChinaCdn'
+  'StandardPlus_ChinaCdn'
+  'Standard_955BandWidth_ChinaCdn'
+  'Standard_Akamai'
+  'Standard_AvgBandWidth_ChinaCdn'
+  'Standard_AzureFrontDoor'
+  'Standard_ChinaCdn'
+  'Standard_Microsoft'
+  'Standard_Verizon'
+])
+param sku string = 'Standard_Microsoft'
+
+resource profile 'Microsoft.Cdn/profiles@2022-05-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  sku: {
+    name: sku
+  }
+}
+
+output id string = profile.id
+output name string = profile.name

data/lib/generators/templates/infra/core/networking/cdn.bicep

@@ -0,0 +1,42 @@
+metadata description = 'Creates an Azure CDN profile with a single endpoint.'
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('Name of the CDN endpoint resource')
+param cdnEndpointName string
+
+@description('Name of the CDN profile resource')
+param cdnProfileName string
+
+@description('Delivery policy rules')
+param deliveryPolicyRules array = []
+
+@description('Origin URL for the CDN endpoint')
+param originUrl string
+
+module cdnProfile 'cdn-profile.bicep' = {
+  name: 'cdn-profile'
+  params: {
+    name: cdnProfileName
+    location: location
+    tags: tags
+  }
+}
+
+module cdnEndpoint 'cdn-endpoint.bicep' = {
+  name: 'cdn-endpoint'
+  params: {
+    name: cdnEndpointName
+    location: location
+    tags: tags
+    cdnProfileName: cdnProfile.outputs.name
+    originUrl: originUrl
+    deliveryPolicyRules: deliveryPolicyRules
+  }
+}
+
+output endpointName string = cdnEndpoint.outputs.name
+output endpointId string = cdnEndpoint.outputs.id
+output profileName string = cdnProfile.outputs.name
+output profileId string = cdnProfile.outputs.id
+output uri string = cdnEndpoint.outputs.uri

data/lib/generators/templates/infra/core/search/search-services.bicep

@@ -0,0 +1,68 @@
+metadata description = 'Creates an Azure AI Search instance.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param sku object = {
+  name: 'standard'
+}
+
+param authOptions object = {}
+param disableLocalAuth bool = false
+param disabledDataExfiltrationOptions array = []
+param encryptionWithCmk object = {
+  enforcement: 'Unspecified'
+}
+@allowed([
+  'default'
+  'highDensity'
+])
+param hostingMode string = 'default'
+param networkRuleSet object = {
+  bypass: 'None'
+  ipRules: []
+}
+param partitionCount int = 1
+@allowed([
+  'enabled'
+  'disabled'
+])
+param publicNetworkAccess string = 'enabled'
+param replicaCount int = 1
+@allowed([
+  'disabled'
+  'free'
+  'standard'
+])
+param semanticSearch string = 'disabled'
+
+var searchIdentityProvider = (sku.name == 'free') ? null : {
+  type: 'SystemAssigned'
+}
+
+resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  // The free tier does not support managed identity
+  identity: searchIdentityProvider
+  properties: {
+    authOptions: authOptions
+    disableLocalAuth: disableLocalAuth
+    disabledDataExfiltrationOptions: disabledDataExfiltrationOptions
+    encryptionWithCmk: encryptionWithCmk
+    hostingMode: hostingMode
+    networkRuleSet: networkRuleSet
+    partitionCount: partitionCount
+    publicNetworkAccess: publicNetworkAccess
+    replicaCount: replicaCount
+    semanticSearch: semanticSearch
+  }
+  sku: sku
+}
+
+output id string = search.id
+output endpoint string = 'https://${name}.search.windows.net/'
+output name string = search.name
+output principalId string = !empty(searchIdentityProvider) ? search.identity.principalId : ''
+

data/lib/generators/templates/infra/core/security/aks-managed-cluster-access.bicep

@@ -0,0 +1,19 @@
+metadata description = 'Assigns RBAC role to the specified AKS cluster and principal.'
+param clusterName string
+param principalId string
+
+var aksClusterAdminRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
+
+resource aksRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: aksCluster // Use when specifying a scope that is different than the deployment scope
+  name: guid(subscription().id, resourceGroup().id, principalId, aksClusterAdminRole)
+  properties: {
+    roleDefinitionId: aksClusterAdminRole
+    principalType: 'User'
+    principalId: principalId
+  }
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-10-02-preview' existing = {
+  name: clusterName
+}

data/lib/generators/templates/infra/core/security/configstore-access.bicep

@@ -0,0 +1,21 @@
+@description('Name of Azure App Configuration store')
+param configStoreName string
+
+@description('The principal ID of the service principal to assign the role to')
+param principalId string
+
+resource configStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: configStoreName
+}
+
+var configStoreDataReaderRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
+
+resource configStoreDataReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, principalId, configStoreDataReaderRole)
+  scope: configStore
+  properties: {
+    roleDefinitionId: configStoreDataReaderRole
+    principalId: principalId
+    principalType: 'ServicePrincipal' 
+  }
+}

data/lib/generators/templates/infra/core/security/keyvault-access.bicep

@@ -0,0 +1,22 @@
+metadata description = 'Assigns an Azure Key Vault access policy.'
+param name string = 'add'
+
+param keyVaultName string
+param permissions object = { secrets: [ 'get', 'list' ] }
+param principalId string
+
+resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+  parent: keyVault
+  name: name
+  properties: {
+    accessPolicies: [ {
+        objectId: principalId
+        tenantId: subscription().tenantId
+        permissions: permissions
+      } ]
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}

data/lib/generators/templates/infra/core/security/keyvault-secret.bicep

@@ -0,0 +1,31 @@
+metadata description = 'Creates or updates a secret in an Azure Key Vault.'
+param name string
+param tags object = {}
+param keyVaultName string
+param contentType string = 'string'
+@description('The value of the secret. Provide only derived values like blob storage access, but do not hard code any secrets in your templates')
+@secure()
+param secretValue string
+
+param enabled bool = true
+param exp int = 0
+param nbf int = 0
+
+resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  name: name
+  tags: tags
+  parent: keyVault
+  properties: {
+    attributes: {
+      enabled: enabled
+      exp: exp
+      nbf: nbf
+    }
+    contentType: contentType
+    value: secretValue
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}

data/lib/generators/templates/infra/core/security/keyvault.bicep

@@ -0,0 +1,31 @@
+metadata description = 'Creates an Azure Key Vault.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param identityName string = ''
+
+resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(identityName)) {
+  name: identityName
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    tenantId: subscription().tenantId
+    sku: { family: 'A', name: 'standard' }
+    accessPolicies: !empty(userIdentity.properties.principalId) ? [
+      {
+        objectId: userIdentity.properties.principalId
+        permissions: { secrets: [ 'get', 'list' ] }
+        tenantId: subscription().tenantId
+      }
+    ] : []
+  }
+}
+
+output endpoint string = keyVault.properties.vaultUri
+output name string = keyVault.name
+output principalId string = userIdentity.properties.principalId

data/lib/generators/templates/infra/core/security/registry-access.bicep

@@ -0,0 +1,19 @@
+metadata description = 'Assigns ACR Pull permissions to access an Azure Container Registry.'
+param containerRegistryName string
+param principalId string
+
+var acrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+
+resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry // Use when specifying a scope that is different than the deployment scope
+  name: guid(subscription().id, resourceGroup().id, principalId, acrPullRole)
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: principalId
+  }
+}
+
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: containerRegistryName
+}

data/lib/generators/templates/infra/core/security/role.bicep

@@ -0,0 +1,21 @@
+metadata description = 'Creates a role assignment for a service principal.'
+param principalId string
+
+@allowed([
+  'Device'
+  'ForeignGroup'
+  'Group'
+  'ServicePrincipal'
+  'User'
+])
+param principalType string = 'ServicePrincipal'
+param roleDefinitionId string
+
+resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, principalId, roleDefinitionId)
+  properties: {
+    principalId: principalId
+    principalType: principalType
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+  }
+}

data/lib/generators/templates/infra/core/storage/storage-account.bicep

@@ -0,0 +1,64 @@
+metadata description = 'Creates an Azure storage account.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@allowed([
+  'Cool'
+  'Hot'
+  'Premium' ])
+param accessTier string = 'Hot'
+param allowBlobPublicAccess bool = true
+param allowCrossTenantReplication bool = true
+param allowSharedKeyAccess bool = true
+param containers array = []
+param defaultToOAuthAuthentication bool = false
+param deleteRetentionPolicy object = {}
+@allowed([ 'AzureDnsZone', 'Standard' ])
+param dnsEndpointType string = 'Standard'
+param kind string = 'StorageV2'
+param minimumTlsVersion string = 'TLS1_2'
+param supportsHttpsTrafficOnly bool = true
+param networkAcls object = {
+  bypass: 'AzureServices'
+  defaultAction: 'Allow'
+}
+@allowed([ 'Enabled', 'Disabled' ])
+param publicNetworkAccess string = 'Enabled'
+param sku object = { name: 'Standard_LRS' }
+
+resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+  name: name
+  location: location
+  tags: tags
+  kind: kind
+  sku: sku
+  properties: {
+    accessTier: accessTier
+    allowBlobPublicAccess: allowBlobPublicAccess
+    allowCrossTenantReplication: allowCrossTenantReplication
+    allowSharedKeyAccess: allowSharedKeyAccess
+    defaultToOAuthAuthentication: defaultToOAuthAuthentication
+    dnsEndpointType: dnsEndpointType
+    minimumTlsVersion: minimumTlsVersion
+    networkAcls: networkAcls
+    publicNetworkAccess: publicNetworkAccess
+    supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
+  }
+
+  resource blobServices 'blobServices' = if (!empty(containers)) {
+    name: 'default'
+    properties: {
+      deleteRetentionPolicy: deleteRetentionPolicy
+    }
+    resource container 'containers' = [for container in containers: {
+      name: container.name
+      properties: {
+        publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
+      }
+    }]
+  }
+}
+
+output name string = storage.name
+output primaryEndpoints object = storage.properties.primaryEndpoints

data/lib/generators/templates/infra/core/testing/loadtesting.bicep

@@ -0,0 +1,15 @@
+param name string
+param location string = resourceGroup().location
+param managedIdentity bool = false
+param tags object = {}
+
+resource loadTest 'Microsoft.LoadTestService/loadTests@2022-12-01' = {
+  name: name
+  location: location
+  tags: tags
+  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
+  properties: {
+  }
+}
+
+output loadTestingName string = loadTest.name

data/lib/generators/templates/infra/identity.bicep

@@ -0,0 +1,20 @@
+//
+// Module that creates a user assigned managed identity
+//
+
+@description('Name of the user assigned managed identity to creates')
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+resource webIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: name
+  location: location
+  tags: tags
+}
+
+@description('Name of the created user managed identity')
+output name string = webIdentity.name
+
+@description('Principal ID of the created user managed identity')
+output principalId string = webIdentity.properties.principalId