From 2b4e2359508dbe92241ecd89bafc6e6a2424f40c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 10 Jul 2025 17:02:14 +0000 Subject: [PATCH 1/3] Initial plan From 1176198aa76200449e5d133353e1a9d1e94732ef Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 10 Jul 2025 17:11:47 +0000 Subject: [PATCH 2/3] Fix critical BCP420 scope resolution error and safe access warnings Co-authored-by: spboyer <7681382+spboyer@users.noreply.github.com> --- infra/core/ai/cognitiveservices.bicep | 4 ++-- infra/core/host/container-apps.bicep | 18 ++++++++++++++---- infra/core/security/keyvault-secrets.bicep | 8 ++++---- infra/core/storage/storage-account.bicep | 2 +- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 3588072c..86e5033f 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep @@ -44,9 +44,9 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01 name: deployment.name properties: { model: deployment.model - raiPolicyName: contains(deployment, 'raiPolicyName') ? deployment.raiPolicyName : null + raiPolicyName: deployment.?raiPolicyName ?? null } - sku: contains(deployment, 'sku') ? deployment.sku : { + sku: deployment.?sku ?? { name: 'Standard' capacity: 20 } diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep index 1c656e28..a3aa44c9 100644 --- a/infra/core/host/container-apps.bicep +++ b/infra/core/host/container-apps.bicep 
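Review bot: The `?? null` on the new `raiPolicyName` line in `cognitiveservices.bicep` is a no-op, because `deployment.?raiPolicyName` already evaluates to null when the key is absent; `raiPolicyName: deployment.?raiPolicyName` is equivalent. A short comment above it would also help, since a null value presumably leaves the content-filter policy to the service default rather than turning filtering off (worth confirming for the API version used): `// null => service-default RAI (content filter) policy is applied`. The `deployment` resource starts and ends outside this hunk.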
@@ -21,9 +21,19 @@ module containerAppsEnvironment 'container-apps-environment.bicep' = { } } -module containerRegistry 'container-registry.bicep' = { +module containerRegistryInCustomRG 'container-registry.bicep' = if (!empty(containerRegistryResourceGroupName)) { + name: '${name}-container-registry' + scope: resourceGroup(containerRegistryResourceGroupName) + params: { + name: containerRegistryName + location: location + adminUserEnabled: containerRegistryAdminUserEnabled + tags: tags + } +} + +module containerRegistryInCurrentRG 'container-registry.bicep' = if (empty(containerRegistryResourceGroupName)) { name: '${name}-container-registry' - scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup() params: { name: containerRegistryName location: location @@ -36,5 +46,5 @@ output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain output environmentName string = containerAppsEnvironment.outputs.name output environmentId string = containerAppsEnvironment.outputs.id -output registryLoginServer string = containerRegistry.outputs.loginServer -output registryName string = containerRegistry.outputs.name +output registryLoginServer string = !empty(containerRegistryResourceGroupName) ? containerRegistryInCustomRG.outputs.loginServer : containerRegistryInCurrentRG.outputs.loginServer +output registryName string = !empty(containerRegistryResourceGroupName) ? containerRegistryInCustomRG.outputs.name : containerRegistryInCurrentRG.outputs.name diff --git a/infra/core/security/keyvault-secrets.bicep b/infra/core/security/keyvault-secrets.bicep index 7116bf8b..79692267 100644 --- a/infra/core/security/keyvault-secrets.bicep +++ b/infra/core/security/keyvault-secrets.bicep 
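Review bot: The two conditional registry modules added here carry duplicate `params` blocks, so a registry setting changed in one can silently miss the other, and only the value of `containerRegistryResourceGroupName` decides which copy deploys. That matters most for `adminUserEnabled`, which turns on a shared username/password for the registry; its default is outside the hunk and should be confirmed as `false`, with pulls going through a managed identity. A comment above the pair would record the invariant: `// Exactly one of these two modules deploys; keep their params identical.` The body of `containerRegistryInCurrentRG` continues past the end of the hunk, so its remaining params cannot be compared here.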
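Review bot: Both new output expressions read `.outputs` from a module declared with `if (...)`, and nothing ties the ternary condition to the module conditions beyond the same expression being retyped four times in the file. If one of them is edited later, an output would read from a deployment that was skipped. Hoisting the test into a single variable keeps them in step, e.g. `var useCustomRegistryRG = !empty(containerRegistryResourceGroupName)`, used in both `if (...)` clauses and both outputs. It is also worth checking whether the Bicep version in the build wants an explicit non-null assertion when accessing a conditional module.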
@@ -13,11 +13,11 @@ resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = [for se tags: tags properties: { attributes: { - enabled: contains(secret, 'enabled') ? secret.enabled : true - exp: contains(secret, 'exp') ? secret.exp : 0 - nbf: contains(secret, 'nbf') ? secret.nbf : 0 + enabled: secret.?enabled ?? true + exp: secret.?exp ?? 0 + nbf: secret.?nbf ?? 0 } - contentType: contains(secret, 'contentType') ? secret.contentType : 'string' + contentType: secret.?contentType ?? 'string' value: secret.value } }] diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep index 6149fb2f..c27ba1c1 100644 --- a/infra/core/storage/storage-account.bicep +++ b/infra/core/storage/storage-account.bicep @@ -62,7 +62,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = { resource container 'containers' = [for container in containers: { name: container.name properties: { - publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None' + publicAccess: container.?publicAccess ?? 'None' } }] } From 83099744ec63104e529c2478b9139535e097ab93 Mon Sep 17 00:00:00 2001 From: Kristen Womack <5034778+kristenwomack@users.noreply.github.com> Date: Thu, 10 Jul 2025 18:37:06 +0000 Subject: [PATCH 3/3] updates to bicep blob storage --- infra/main.bicep | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra/main.bicep b/infra/main.bicep index 79010b0d..99d29db8 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -511,6 +511,9 @@ module storage 'core/storage/storage-account.bicep' = { location: storageResourceGroupLocation tags: updatedTags publicNetworkAccess: 'Enabled' + allowBlobPublicAccess: false + allowSharedKeyAccess: false + defaultToOAuthAuthentication: true sku: { name: 'Standard_LRS' } @@ -521,7 +524,7 @@ module storage 'core/storage/storage-account.bicep' = { containers: [ { name: storageContainerName - publicAccess: 'Blob' + publicAccess: 'None' } ] }
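Review bot: The `0` fallbacks for `exp` and `nbf` in `keyvault-secrets.bicep` are Unix-epoch timestamps rather than "unset", so a secret passed without those keys is written with an expiry and not-before of 1970-01-01 instead of having no attribute. The old `contains(...)` form did the same, but the safe-access rewrite makes `exp: secret.?exp` and `nbf: secret.?nbf` available, which pass null when the key is missing (presumably leaving the attribute unset; confirm against the Key Vault API version). Either way secrets get no meaningful expiry by default, which expiry-based policy checks will flag. The resource loop starts outside the hunk, so it is worth confirming that the `secrets` parameter is declared `@secure()`, since `value: secret.value` passes straight through.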
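Review bot: `allowSharedKeyAccess: false` in the `storage` module params of `main.bicep` disables account-key and key-signed SAS authorization, but no data-plane role assignment for the application's identity is visible in this hunk. Any component still using a connection string or account key will get authorization failures, so confirm that a `Storage Blob Data Reader` or `Storage Blob Data Contributor` assignment exists elsewhere in the file and that clients authenticate with Entra ID. The context line `publicNetworkAccess: 'Enabled'` is unchanged, so the account's public endpoint stays reachable; if that is intended, a comment such as `// public endpoint kept; access is gated by Entra ID RBAC only` would record it. The following hunk's change of `publicAccess` from `'Blob'` to `'None'` removes anonymous blob reads, so any blob URL previously handed to browsers will need a user-delegation SAS or a proxying endpoint. The `storage` module starts and ends outside both hunks.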