Bring back unneeded changes

pamelafox · pamelafox · commit 4b3cd8c46ca3 · 2025-07-29T23:16:32.000-07:00
diff --git a/infra/core/host/container-app-upsert.bicep b/infra/core/host/container-app-upsert.bicep
@@ -51,6 +51,8 @@ param containerMemory string = '1.0Gi'
 @description('Workload profile name to use for the container app when using private ingress')
 param workloadProfileName string = 'Warm'
 
+param allowedOrigins array = []
+
 resource existingApp 'Microsoft.App/containerApps@2022-03-01' existing = if (exists) {
   name: name
 }
@@ -81,19 +83,17 @@ module app 'container-app.bicep' = {
     daprAppId: daprAppId
     daprAppProtocol: daprAppProtocol
     secrets: secrets
+    allowedOrigins: allowedOrigins
     external: external
     env: concat(envAsArray, envSecrets)
     imageName: exists ? existingApp.properties.template.containers[0].image : ''
     targetPort: targetPort
-    // Pass workload profile name parameter
-    workloadProfileName: workloadProfileName
   }
 }
 
 output defaultDomain string = app.outputs.defaultDomain
 output imageName string = app.outputs.imageName
 output name string = app.outputs.name
-output hostName string = app.outputs.hostName
 output uri string = app.outputs.uri
 output identityResourceId string = app.outputs.identityResourceId
 output identityPrincipalId string = app.outputs.identityPrincipalId
diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep
@@ -1,11 +1,23 @@
+metadata description = 'Creates a container app in an Azure Container App environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
+@description('Allowed origins')
+param allowedOrigins array = []
+
+@description('Name of the environment for container apps')
 param containerAppsEnvironmentName string
+
+@description('The name of the container')
 param containerName string = 'main'
+
+@description('The name of the container registry')
 param containerRegistryName string
 
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @description('Minimum number of replicas to run')
 @minValue(1)
 param containerMinReplicas int = 1
@@ -20,16 +32,27 @@ param secrets object = {}
 @description('The environment variables for the container')
 param env array = []
 
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
-param imageName string
-param targetPort int = 80
 
 @description('User assigned identity name')
 param identityName string
 
+@description('The type of identity for the resource')
+@allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
+param identityType string = 'None'
+
+@description('The name of the container image')
+param imageName string
+
 @description('Enabled Ingress for container app')
 param ingressEnabled bool = true
 
+param revisionMode string = 'Single'
+
+@description('The target port for the container')
+param targetPort int = 80
+
 // Dapr Options
 @description('Enable Dapr')
 param daprEnabled bool = false
@@ -45,47 +68,53 @@ param containerCpuCoreCount string = '0.5'
 @description('Memory allocated to a single container instance, e.g. 1Gi')
 param containerMemory string = '1.0Gi'
 
-@description('Workload profile name to use for the container app when using private ingress')
-param workloadProfileName string = 'Warm'
-
 var keyvalueSecrets = [for secret in items(secrets): {
   name: secret.key
   value: secret.value
 }]
 
-resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(identityName)) {
   name: identityName
 }
 
-module containerRegistryAccess '../security/registry-access.bicep' = {
+// Private registry support requires both an ACR name and a User Assigned managed identity
+var usePrivateRegistry = !empty(identityName) && !empty(containerRegistryName)
+
+// Automatically set to `UserAssigned` when an `identityName` has been set
+var normalizedIdentityType = !empty(identityName) ? 'UserAssigned' : identityType
+
+module containerRegistryAccess '../security/registry-access.bicep' = if (usePrivateRegistry) {
   name: '${deployment().name}-registry-access'
   params: {
     containerRegistryName: containerRegistryName
-    principalId: userIdentity.properties.principalId
+    principalId: usePrivateRegistry ? userIdentity.properties.principalId : ''
   }
 }
 
-resource app 'Microsoft.App/containerApps@2025-01-01' = {
-  name: name
+resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
+name: name
   location: location
   tags: tags
   // It is critical that the identity is granted ACR pull access before the app is created
   // otherwise the container app will throw a provision error
   // This also forces us to use an user assigned managed identity since there would no way to
   // provide the system assigned identity with the ACR pull access before the app is created
-  dependsOn: [ containerRegistryAccess ]
+  dependsOn: usePrivateRegistry ? [ containerRegistryAccess ] : []
   identity: {
-    type: 'UserAssigned'
-    userAssignedIdentities: { '${userIdentity.id}': {} }
+    type: normalizedIdentityType
+    userAssignedIdentities: !empty(identityName) && normalizedIdentityType == 'UserAssigned' ? { '${userIdentity.id}': {} } : null
   }
   properties: {
     managedEnvironmentId: containerAppsEnvironment.id
     configuration: {
-      activeRevisionsMode: 'single'
+      activeRevisionsMode: revisionMode
       ingress: ingressEnabled ? {
         external: external
         targetPort: targetPort
         transport: 'auto'
+        corsPolicy: {
+          allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
+        }
       } : null
       dapr: daprEnabled ? {
         enabled: true
@@ -94,12 +123,12 @@ resource app 'Microsoft.App/containerApps@2025-01-01' = {
         appPort: ingressEnabled ? targetPort : 0
       } : { enabled: false }
       secrets: keyvalueSecrets
-      registries: [
+      registries: usePrivateRegistry ? [
         {
-          server: '${containerRegistry.name}.azurecr.io'
+          server: '${containerRegistryName}.${containerRegistryHostSuffix}'
           identity: userIdentity.id
         }
-      ]
+      ] : []
     }
     template: {
       containers: [
@@ -121,19 +150,14 @@ resource app 'Microsoft.App/containerApps@2025-01-01' = {
   }
 }
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
   name: containerAppsEnvironmentName
 }
 
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = {
-  name: containerRegistryName
-}
-
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
+output identityPrincipalId string = userIdentity.properties.principalId
+output identityResourceId string = resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', userIdentity.name)
 output imageName string = imageName
 output name string = app.name
-output hostName string = app.properties.configuration.ingress.fqdn
 output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''
-output identityResourceId string = resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', userIdentity.name)
-output identityPrincipalId string = userIdentity.properties.principalId
+output id string = app.id
diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep
@@ -46,4 +46,3 @@ output environmentName string = containerAppsEnvironment.outputs.name
 output environmentId string = containerAppsEnvironment.outputs.resourceId
 output registryLoginServer string = containerRegistry.outputs.loginServer
 output registryName string = containerRegistry.outputs.name
-output registryId string = containerRegistry.outputs.resourceId
diff --git a/infra/core/search/search-services.bicep b/infra/core/search/search-services.bicep
@@ -55,7 +55,6 @@ resource search 'Microsoft.Search/searchServices@2023-11-01' = {
   }
   sku: sku
 
-  // https://github.com/Azure/bicep-types-az/issues/2421
   resource sharedPrivateLinkResource 'sharedPrivateLinkResources@2023-11-01' = [for (resourceId, i) in sharedPrivateLinkStorageAccounts: {
     name: 'search-shared-private-link-${i}'
     properties: {
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -553,7 +553,7 @@ module acaBackend 'core/host/container-app-upsert.bicep' = if (deploymentTarget
     containerCpuCoreCount: '1.0'
     containerMemory: '2Gi'
     containerMinReplicas: 1
-    //allowedOrigins: allowedOrigins
+    allowedOrigins: allowedOrigins
     env: union(appEnvVariables, {
       // For using managed identity to access Azure resources. See https://github.com/microsoft/azure-container-apps/issues/442
       AZURE_CLIENT_ID: (deploymentTarget == 'containerapps') ? acaIdentity.outputs.clientId : ''
@@ -699,8 +699,6 @@ module documentIntelligence 'br/public:avm/res/cognitive-services/account:0.7.2'
     name: !empty(documentIntelligenceServiceName)
       ? documentIntelligenceServiceName
       : '${abbrs.cognitiveServicesDocumentIntelligence}${resourceToken}'
-    location: documentIntelligenceResourceGroupLocation
-    tags: tags
     kind: 'FormRecognizer'
     customSubDomainName: !empty(documentIntelligenceServiceName)
       ? documentIntelligenceServiceName
@@ -709,8 +707,10 @@ module documentIntelligence 'br/public:avm/res/cognitive-services/account:0.7.2'
     networkAcls: {
       defaultAction: 'Allow'
     }
-    sku: documentIntelligenceSkuName
+    location: documentIntelligenceResourceGroupLocation
     disableLocalAuth: true
+    tags: tags
+    sku: documentIntelligenceSkuName
   }
 }
 
@@ -1166,9 +1166,6 @@ module isolation 'network-isolation.bicep' = if (usePrivateEndpoint) {
     vnetName: '${abbrs.virtualNetworks}${resourceToken}'
     useVpnGateway: useVpnGateway
     deploymentTarget: deploymentTarget
-    // Need to check deploymentTarget due to https://github.com/Azure/bicep/issues/3990
-    appServicePlanName: deploymentTarget == 'appservice' ? appServicePlan.outputs.name : ''
-    //containerAppsEnvName: deploymentTarget == 'containerapps' ? acaManagedEnvironmentName : ''
     vpnGatewayName: useVpnGateway ? '${abbrs.networkVpnGateways}${resourceToken}' : ''
     dnsResolverName: useVpnGateway ? '${abbrs.privateDnsResolver}${resourceToken}' : ''
   }
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
@@ -344,9 +344,6 @@
     "webAppExists": {
         "value": "${SERVICE_WEB_RESOURCE_EXISTS=false}"
     },
-    "azureContainerAppsWorkloadProfile": {
-      "value": "${AZURE_CONTAINER_APPS_WORKLOAD_PROFILE=Consumption}"
-    },
     "useMediaDescriberAzureCU": {
       "value": "${USE_MEDIA_DESCRIBER_AZURE_CU=false}"
     },
diff --git a/infra/network-isolation.bicep b/infra/network-isolation.bicep
diff --git a/todo.txt b/todo.txt

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,6 @@ resource search 'Microsoft.Search/searchServices@2023-11-01' = {`
`55`	`55`	`}`
`56`	`56`	`sku: sku`
`57`	`57`
`58`		`- // https://github.com/Azure/bicep-types-az/issues/2421`
`59`	`58`	`resource sharedPrivateLinkResource 'sharedPrivateLinkResources@2023-11-01' = [for (resourceId, i) in sharedPrivateLinkStorageAccounts: {`
`60`	`59`	`name: 'search-shared-private-link-${i}'`
`61`	`60`	`properties: {`