Optimize bicep execution flow (#107)

Author: simonkurtz-MSFT

.github/bicep.instructions.md

@@ -10,6 +10,7 @@ applyTo: '**/*.bicep'
 - Prefer modern Bicep syntax and patterns.
 - Keep templates readable and easy to extend.
 - Keep deployments cross-platform (Windows, Linux, macOS).
+- Strive for execution efficiency by parallelizing and avoiding unnecessary dependencies
 
 ## Conventions
 

infrastructure/afd-apim-pe/main.bicep

@@ -42,15 +42,13 @@ param afdEndpointName string = 'afd-${resourceSuffix}'
 param acaName string = 'aca-${resourceSuffix}'
 param useACA bool = false
 
-
 // ------------------
 //    "CONSTANTS"
 // ------------------
 
 var IMG_HELLO_WORLD = 'simonkurtzmsft/helloworld:latest'
 var IMG_MOCK_WEB_API = 'simonkurtzmsft/mockwebapi:1.0.0-alpha.1'
 
-
 // ------------------
 //    RESOURCES
 // ------------------
@@ -131,9 +129,26 @@ module vnetModule '../../shared/bicep/modules/vnet/v1/vnet.bicep' = {
   }
 }
 
-// TODO: We have a timing issue here in that we may get a null if this happens too quickly after the vnet module executes.
-var apimSubnetResourceId = resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', vnetName, apimSubnetName)
-var acaSubnetResourceId  = resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', vnetName, acaSubnetName)
+// Create explicit dependencies so subnet IDs are always available after the VNet module completes.
+resource vnetExisting 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
+  name: vnetName
+  dependsOn: [
+    vnetModule
+  ]
+}
+
+resource apimSubnetResource 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
+  parent: vnetExisting
+  name: apimSubnetName
+}
+
+resource acaSubnetResource 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
+  parent: vnetExisting
+  name: acaSubnetName
+}
+
+var apimSubnetResourceId = apimSubnetResource.id
+var acaSubnetResourceId  = acaSubnetResource.id
 
 // 4. Azure Container App Environment (ACAE)
 module acaEnvModule '../../shared/bicep/modules/aca/v1/environment.bicep' = if (useACA) {
@@ -152,15 +167,15 @@ module acaModule1 '../../shared/bicep/modules/aca/v1/containerapp.bicep' = if (u
   params: {
     name: 'ca-${resourceSuffix}-mockwebapi-1'
     containerImage: IMG_MOCK_WEB_API
-    environmentId: acaEnvModule.outputs.environmentId
+    environmentId: acaEnvModule!.outputs.environmentId
   }
 }
 module acaModule2 '../../shared/bicep/modules/aca/v1/containerapp.bicep' = if (useACA) {
   name: 'acaModule-2'
   params: {
     name: 'ca-${resourceSuffix}-mockwebapi-2'
     containerImage: IMG_MOCK_WEB_API
-    environmentId: acaEnvModule.outputs.environmentId
+    environmentId: acaEnvModule!.outputs.environmentId
   }
 }
 
@@ -175,9 +190,6 @@ module apimModule '../../shared/bicep/modules/apim/v1/apim.bicep' = {
     publicAccess: apimPublicAccess
     globalPolicyXml: revealBackendApiInfo ? loadTextContent('../../shared/apim-policies/all-apis-reveal-backend.xml') : loadTextContent('../../shared/apim-policies/all-apis.xml')
   }
-  dependsOn: [
-    vnetModule
-  ]
 }
 
 // 7. APIM Policy Fragments
@@ -200,7 +212,7 @@ module backendModule1 '../../shared/bicep/modules/apim/v1/backend.bicep' = if (u
   params: {
     apimName: apimName
     backendName: 'aca-backend-1'
-    url: 'https://${acaModule1.outputs.containerAppFqdn}'
+    url: 'https://${acaModule1!.outputs.containerAppFqdn}'
   }
   dependsOn: [
     apimModule
@@ -212,7 +224,7 @@ module backendModule2 '../../shared/bicep/modules/apim/v1/backend.bicep' = if (u
   params: {
     apimName: apimName
     backendName: 'aca-backend-2'
-    url: 'https://${acaModule2.outputs.containerAppFqdn}'
+    url: 'https://${acaModule2!.outputs.containerAppFqdn}'
   }
   dependsOn: [
     apimModule
@@ -227,12 +239,12 @@ module backendPoolModule '../../shared/bicep/modules/apim/v1/backend-pool.bicep'
     backendPoolDescription: 'Backend pool for ACA Hello World backends'
     backends: [
       {
-        name: backendModule1.outputs.backendName
+        name: backendModule1!.outputs.backendName
         priority: 1
         weight: 75
       }
       {
-        name: backendModule2.outputs.backendName
+        name: backendModule2!.outputs.backendName
         priority: 1
         weight: 25
       }
@@ -252,11 +264,13 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
     appInsightsId: appInsightsId
     api: api
   }
-  dependsOn: [
+  dependsOn: useACA ? [
     apimModule
     backendModule1
     backendModule2
     backendPoolModule
+  ] : [
+    apimModule
   ]
 }]
 
@@ -277,8 +291,8 @@ module apimDnsPrivateLinkModule '../../shared/bicep/modules/dns/v1/dns-private-l
 module acaDnsPrivateZoneModule '../../shared/bicep/modules/dns/v1/aca-dns-private-zone.bicep' = if (useACA && !empty(acaSubnetResourceId)) {
   name: 'acaDnsPrivateZoneModule'
   params: {
-    acaEnvironmentRandomSubdomain: acaEnvModule.outputs.environmentRandomSubdomain
-    acaEnvironmentStaticIp: acaEnvModule.outputs.environmentStaticIp
+    acaEnvironmentRandomSubdomain: acaEnvModule!.outputs.environmentRandomSubdomain
+    acaEnvironmentStaticIp: acaEnvModule!.outputs.environmentStaticIp
     vnetId: vnetModule.outputs.vnetId
   }
 }
@@ -323,5 +337,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

infrastructure/apim-aca/main.bicep

@@ -16,15 +16,13 @@ param policyFragments array = []
 @description('Reveals the backend API information. Defaults to true. *** WARNING: This will expose backend API information to the caller - For learning & testing only! ***')
 param revealBackendApiInfo bool = true
 
-
 // ------------------
 //    "CONSTANTS"
 // ------------------
 
 var IMG_HELLO_WORLD = 'simonkurtzmsft/helloworld:latest'
 var IMG_MOCK_WEB_API = 'simonkurtzmsft/mockwebapi:1.0.0-alpha.1'
 
-
 // ------------------
 //    RESOURCES
 // ------------------
@@ -193,5 +191,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

infrastructure/appgw-apim-pe/main.bicep

@@ -284,7 +284,7 @@ module appgwPipModule 'br/public:avm/res/network/public-ip-address:0.9.1' = {
 
 // 7. WAF Policy for Application Gateway
 // https://learn.microsoft.com/azure/templates/microsoft.network/applicationgatewaywebapplicationfirewallpolicies
-resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-05-01' = {
+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2025-01-01' = {
   name: 'waf-${resourceSuffix}'
   location: location
   properties: {
@@ -299,8 +299,9 @@ resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPo
     managedRules: {
       managedRuleSets: [
         {
-          ruleSetType: 'OWASP'
-          ruleSetVersion: '3.2'
+          // Ruleset is defined here: https://github.com/Azure/azure-cli/pull/31289/files
+          ruleSetType: 'Microsoft_DefaultRuleSet'
+          ruleSetVersion: '2.1'
         }
       ]
     }
@@ -505,7 +506,11 @@ module appgwModule 'br/public:avm/res/network/application-gateway:0.7.2' = {
     sku: 'WAF_v2'
     firewallPolicyResourceId: wafPolicy.id
     enableHttp2: true
-    // Use minimal AZs for cost savings. Adjust accordingly for production workloads.
+    // Create only one instance (default is 2) for cost savings. Adjust accordingly for production workloads (use scaling, minimum instances, no maximum instances, etc.).
+    capacity: 1
+    // Use minimal AZs (1) for cost savings. Adjust accordingly for production workloads.
+    // Setting to 1 availability zone yields the following Azure Advisor message:
+    // High Impact - Deploy your Application Gateway across Availability Zones
     availabilityZones: [
       1
     ]

infrastructure/simple-apim/main.bicep

@@ -76,7 +76,6 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   ]
 }]
 
-
 // ------------------
 //    MARK: OUTPUTS
 // ------------------
@@ -99,5 +98,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

samples/authX-pro/main.bicep

@@ -79,7 +79,7 @@ module productModule '../../shared/bicep/modules/apim/v1/product.bicep' = [for p
 }]
 
 // APIM APIs (deployed after products are ready to avoid race conditions)
-@batchSize(1)  // Deploy APIs sequentially to avoid race conditions
+@batchSize(4)
 module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in apis: {
   name: 'api-${api.name}'
   params:{
@@ -92,12 +92,10 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   dependsOn: [
     namedValueModule              // ensure all named values are created before APIs
     policyFragmentModule          // ensure all policy fragments are created before APIs
-    productModule              // ensure all products are fully created before APIs
+    productModule                 // ensure all products are fully created before APIs
   ]
 }]
 
-// [ADD RELEVANT BICEP MODULES HERE]
-
 // ------------------
 //    MARK: OUTPUTS
 // ------------------

samples/authX/main.bicep

@@ -13,8 +13,6 @@ param apimName string = 'apim-${resourceSuffix}'
 param appInsightsName string = 'appi-${resourceSuffix}'
 param apis array = []
 
-// [ADD RELEVANT PARAMETERS HERE]
-
 // ------------------
 //    RESOURCES
 // ------------------
@@ -57,8 +55,6 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   ]
 }]
 
-// [ADD RELEVANT BICEP MODULES HERE]
-
 // ------------------
 //    MARK: OUTPUTS
 // ------------------
@@ -78,5 +74,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

samples/azure-maps/main.bicep

@@ -215,5 +215,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

samples/general/main.bicep

@@ -12,7 +12,6 @@ param apimName string = 'apim-${resourceSuffix}'
 param appInsightsName string = 'appi-${resourceSuffix}'
 param apis array = []
 
-
 // ------------------
 //    RESOURCES
 // ------------------
@@ -60,5 +59,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]

samples/load-balancing/main.bicep

@@ -12,16 +12,12 @@ param apimName string = 'apim-${resourceSuffix}'
 param appInsightsName string = 'appi-${resourceSuffix}'
 param apis array = []
 
-// [ADD RELEVANT PARAMETERS HERE]
-
-
 // ------------------
 //    "CONSTANTS"
 // ------------------
 
 var IMG_WEB_API_429 = 'simonkurtzmsft/webapi429:1.0.0'
 
-
 // ------------------
 //    RESOURCES
 // ------------------
@@ -186,7 +182,7 @@ module backendPoolModule4 '../../shared/bicep/modules/apim/v1/backend-pool.bicep
         name: backendModule3.outputs.backendName
         priority: 2
         weight: 50
-      }      
+      }
     ]
   }
   dependsOn: [
@@ -212,7 +208,6 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [
   }
 ]
 
-
 // ------------------
 //    MARK: OUTPUTS
 // ------------------
@@ -233,5 +228,3 @@ output apiOutputs array = [for i in range(0, length(apis)): {
   subscriptionPrimaryKey: apisModule[i].?outputs.?subscriptionPrimaryKey ?? ''
   subscriptionSecondaryKey: apisModule[i].?outputs.?subscriptionSecondaryKey ?? ''
 }]
-
-// [ADD RELEVANT OUTPUTS HERE]