Skip to content

Fix Bicep compilation errors preventing azd up/down in AI Gallery template #400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 17, 2025
Merged

Fix Bicep compilation errors preventing azd up/down in AI Gallery template #400

merged 4 commits into from
Jul 17, 2025

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Jul 10, 2025
edited
Loading

This PR resolves critical Bicep compilation errors that were preventing azd up and azd down from working, addressing the AI Gallery Standard Validation failures.

Issues Fixed

1. Critical BCP420 Scope Resolution Error

The main blocker was in infra/core/host/container-apps.bicep where a conditional scope expression was too complex for compile-time resolution:

# Before (causing BCP420 error)
module containerRegistry 'container-registry.bicep' = {
  scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
  # ...
}

# After (split into two modules)
module containerRegistryInCustomRG 'container-registry.bicep' = if (!empty(containerRegistryResourceGroupName)) {
  scope: resourceGroup(containerRegistryResourceGroupName)
  # ...
}

module containerRegistryInCurrentRG 'container-registry.bicep' = if (empty(containerRegistryResourceGroupName)) {
  # ...
}

2. Safe Access Operator Warnings

Replaced contains() function calls with modern safe access operator (.?) and null coalescing (??):

storage-account.bicep:

# Before
publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'

# After  
publicAccess: container.?publicAccess ?? 'None'

keyvault-secrets.bicep:

# Before
enabled: contains(secret, 'enabled') ? secret.enabled : true
exp: contains(secret, 'exp') ? secret.exp : 0

# After
enabled: secret.?enabled ?? true
exp: secret.?exp ?? 0

cognitiveservices.bicep:

# Before
raiPolicyName: contains(deployment, 'raiPolicyName') ? deployment.raiPolicyName : null
sku: contains(deployment, 'sku') ? deployment.sku : { name: 'Standard', capacity: 20 }

# After
raiPolicyName: deployment.?raiPolicyName ?? null
sku: deployment.?sku ?? { name: 'Standard', capacity: 20 }

Validation Results

  • Main Bicep template compiles successfully
  • All 22 core Bicep modules compile individually
  • All 2 app Bicep modules compile individually
  • BCP420 and BCP104 errors eliminated
  • All use-safe-access warnings resolved
  • ⚠️ Only 1 warning remains: secure value warning (acceptable as parameter is marked @secure())

Impact

These fixes should resolve the azd up and azd down failures reported in the AI Gallery Standard Validation, allowing the template to be properly deployed and torn down.

Fixes #375.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: bicep build infra/main.bicep --stdout (dns block)
    • Triggering command: curl -fsSL REDACTED (dns block)
    • Triggering command: bicep build --stdout infra/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

@Copilot Copilot AI changed the title [WIP] [Auto] AI Gallery Standard Validation Fix Bicep compilation errors preventing azd up/down in AI Gallery template Jul 10, 2025
@Copilot Copilot AI requested a review from spboyer July 10, 2025 17:17
Copilot finished work on behalf of spboyer July 10, 2025 17:17
@spboyer spboyer marked this pull request as ready for review July 10, 2025 17:29
kristenwomack
kristenwomack suggested changes Jul 10, 2025
View reviewed changes
Copy link
Contributor

@kristenwomack kristenwomack left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot - I got this error message and when fixing it, then re-deploying it, it worked.

Error message

ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
RequestDisallowedByPolicy: Resource 'sts6kfcrkejlziy' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Anonymous blob access is not allowed. For more information, refer to https://aka.ms/denyblobaccess.','This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.

Error Analysis

  1. Anonymous Blob Access Policy Violation
    Issue: The policy blocks storage accounts that allow anonymous blob access
    Resource: storage account
    Policy: Organization has disabled anonymous blob access for security
  2. Local Authentication Methods Policy Violation
    Issue: The policy blocks storage accounts using access keys/connection strings
    Policy: Organization requires managed identity or other secure authentication methods

Changes Applied:

  • Disabled Anonymous Blob Access: Added allowBlobPublicAccess: false
  • Disabled Shared Key Access: Added allowSharedKeyAccess: false
  • Enabled OAuth by Default: Added defaultToOAuthAuthentication: true
  • Set Container Access to None: Changed publicAccess: 'Blob' to publicAccess: 'None'

What This Means:

✅ Security Compliant: Now meets your organization's security policies
✅ Managed Identity Only: Applications will use managed identities for authentication
✅ No Public Access: Containers are private and secure
✅ Modern Authentication: Uses Azure AD OAuth instead of access keys

Will you please recheck and make changes to the PR?

@spboyer
Copy link
Contributor

spboyer commented Jul 10, 2025

@copilot - I got this error message and when fixing it, then re-deploying it, it worked.

Error message

ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details: InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information. RequestDisallowedByPolicy: Resource 'sts6kfcrkejlziy' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Anonymous blob access is not allowed. For more information, refer to https://aka.ms/denyblobaccess.','This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.

Error Analysis

  1. Anonymous Blob Access Policy Violation
    Issue: The policy blocks storage accounts that allow anonymous blob access
    Resource: storage account
    Policy: Organization has disabled anonymous blob access for security
  2. Local Authentication Methods Policy Violation
    Issue: The policy blocks storage accounts using access keys/connection strings
    Policy: Organization requires managed identity or other secure authentication methods

Changes Applied:

  • Disabled Anonymous Blob Access: Added allowBlobPublicAccess: false
  • Disabled Shared Key Access: Added allowSharedKeyAccess: false
  • Enabled OAuth by Default: Added defaultToOAuthAuthentication: true
  • Set Container Access to None: Changed publicAccess: 'Blob' to publicAccess: 'None'

What This Means:

✅ Security Compliant: Now meets your organization's security policies ✅ Managed Identity Only: Applications will use managed identities for authentication ✅ No Public Access: Containers are private and secure ✅ Modern Authentication: Uses Azure AD OAuth instead of access keys

Will you please recheck and make changes to the PR?

@copilot can you address these errors?

@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Jul 10, 2025
edited
Loading

@copilot - I got this error message and when fixing it, then re-deploying it, it worked.

Error message

...

I've fixed the Azure policy violations in the storage account configuration. The changes disable anonymous blob access, disable shared key access, enable OAuth authentication by default, and set container access to None. These changes ensure compliance with your organization's security policies. The Bicep template compiles successfully with these security-compliant settings.

Commit: 0cbacc2

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: bicep build infra/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of spboyer July 10, 2025 20:40
kristenwomack
kristenwomack approved these changes Jul 10, 2025
View reviewed changes
Copy link
Contributor

@kristenwomack kristenwomack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@rajeshkamal5050
Copy link

@vhvb1989 @JeffreyCA can you help review this?

vhvb1989
vhvb1989 reviewed Jul 11, 2025
View reviewed changes
vhvb1989
vhvb1989 reviewed Jul 11, 2025
View reviewed changes
Copy link
Contributor

@vhvb1989 vhvb1989 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but there is no need to commit the full ARM file (main.json)

Copilot finished work on behalf of vhvb1989 July 11, 2025 22:14
@Copilot Copilot AI requested a review from vhvb1989 July 11, 2025 22:14
@Copilot Copilot SWE Agent
Copy link
Contributor Author

Copilot AI commented Jul 11, 2025

LGTM, but there is no need to commit the full ARM file (main.json)

The main.json file has been removed and .gitignore updated to exclude compiled Bicep outputs while preserving necessary parameter files. Commit: 7080a1e

Copilot finished work on behalf of vhvb1989 July 11, 2025 22:19
JeffreyCA
JeffreyCA reviewed Jul 11, 2025
View reviewed changes
@spboyer spboyer assigned Copilot and unassigned spboyer and Copilot Jul 14, 2025
@kristenwomack
Copy link
Contributor

LGTM, but there is no need to commit the full ARM file (main.json)

The main.json file has been removed and .gitignore updated to exclude compiled Bicep outputs while preserving necessary parameter files. Commit: 7080a1e

Help improve Copilot by leaving feedback using the 👍 or 👎 buttons

@vhvb1989 I think Copilot requires one more review from you here.

@vhvb1989 vhvb1989 merged commit b2d5ea7 into main Jul 17, 2025
5 checks passed
@vhvb1989 vhvb1989 deleted the copilot/fix-375 branch July 17, 2025 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spboyer spboyer spboyer approved these changes

@vhvb1989 vhvb1989 vhvb1989 approved these changes

+2 more reviewers

@kristenwomack kristenwomack kristenwomack approved these changes

@JeffreyCA JeffreyCA JeffreyCA approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@kristenwomack kristenwomack

Copilot code review Copilot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Auto] AI Gallery Standard Validation
6 participants
@Copilot @spboyer @rajeshkamal5050 @kristenwomack @JeffreyCA @vhvb1989