Merge branch 'Azure-Samples:main' into main

AldenBodak · web-flow · commit 85391851178f · 2025-09-11T13:42:21.000-04:00
diff --git a/infra/core/host/container-apps-auth.bicep b/infra/core/host/container-apps-auth.bicep
@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
       }
     }
     login: {
-      // https://learn.microsoft.com/en-us/azure/container-apps/token-store
+      // https://learn.microsoft.com/azure/container-apps/token-store
       tokenStore: {
         enabled: true
         azureBlobStorage: {
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -992,7 +992,7 @@ module storageRoleUser 'core/security/role.bicep' = {
   name: 'storage-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: principalType
   }
 }
@@ -1002,7 +1002,7 @@ module storageContribRoleUser 'core/security/role.bicep' = {
   name: 'storage-contrib-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
     principalType: principalType
   }
 }
@@ -1012,7 +1012,7 @@ module storageOwnerRoleUser 'core/security/role.bicep' = if (useUserUpload) {
   name: 'storage-owner-role-user'
   params: {
     principalId: principalId
-    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
     principalType: principalType
   }
 }
@@ -1112,7 +1112,7 @@ module storageRoleBackend 'core/security/role.bicep' = {
     principalId: (deploymentTarget == 'appservice')
       ? backend.outputs.identityPrincipalId
       : acaBackend.outputs.identityPrincipalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: 'ServicePrincipal'
   }
 }
@@ -1124,7 +1124,7 @@ module storageOwnerRoleBackend 'core/security/role.bicep' = if (useUserUpload) {
     principalId: (deploymentTarget == 'appservice')
       ? backend.outputs.identityPrincipalId
       : acaBackend.outputs.identityPrincipalId
-    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+    roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
     principalType: 'ServicePrincipal'
   }
 }
@@ -1134,7 +1134,7 @@ module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVe
   name: 'storage-role-searchservice'
   params: {
     principalId: searchService.outputs.principalId
-    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+    roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
     principalType: 'ServicePrincipal'
   }
 }
@@ -1149,6 +1149,17 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI
   }
 }
 
+// Necessary for the Container Apps backend to store authentication tokens in the blob storage container
+module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {
+  scope: storageResourceGroup
+  name: 'storage-role-contributor-aca-backend'
+  params: {
+    principalId: acaBackend.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // Used to issue search queries
 // https://learn.microsoft.com/azure/search/search-security-rbac
 module searchRoleBackend 'core/security/role.bicep' = {

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`	`login: {`
`59`		`- // https://learn.microsoft.com/en-us/azure/container-apps/token-store`
	`59`	`+ // https://learn.microsoft.com/azure/container-apps/token-store`
`60`	`60`	`tokenStore: {`
`61`	`61`	`enabled: true`
`62`	`62`	`azureBlobStorage: {`
Original file line number	Diff line number	Diff line change
`@@ -992,7 +992,7 @@ module storageRoleUser 'core/security/role.bicep' = {`
`992`	`992`	`name: 'storage-role-user'`
`993`	`993`	`params: {`
`994`	`994`	`principalId: principalId`
`995`		`- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'`
	`995`	`+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader`
`996`	`996`	`principalType: principalType`
`997`	`997`	`}`
`998`	`998`	`}`
`@@ -1002,7 +1002,7 @@ module storageContribRoleUser 'core/security/role.bicep' = {`
`1002`	`1002`	`name: 'storage-contrib-role-user'`
`1003`	`1003`	`params: {`
`1004`	`1004`	`principalId: principalId`
`1005`		`- roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'`
	`1005`	`+ roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor`
`1006`	`1006`	`principalType: principalType`
`1007`	`1007`	`}`
`1008`	`1008`	`}`
`@@ -1012,7 +1012,7 @@ module storageOwnerRoleUser 'core/security/role.bicep' = if (useUserUpload) {`
`1012`	`1012`	`name: 'storage-owner-role-user'`
`1013`	`1013`	`params: {`
`1014`	`1014`	`principalId: principalId`
`1015`		`- roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'`
	`1015`	`+ roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner`
`1016`	`1016`	`principalType: principalType`
`1017`	`1017`	`}`
`1018`	`1018`	`}`
`@@ -1112,7 +1112,7 @@ module storageRoleBackend 'core/security/role.bicep' = {`
`1112`	`1112`	`principalId: (deploymentTarget == 'appservice')`
`1113`	`1113`	`? backend.outputs.identityPrincipalId`
`1114`	`1114`	`: acaBackend.outputs.identityPrincipalId`
`1115`		`- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'`
	`1115`	`+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader`
`1116`	`1116`	`principalType: 'ServicePrincipal'`
`1117`	`1117`	`}`
`1118`	`1118`	`}`
`@@ -1124,7 +1124,7 @@ module storageOwnerRoleBackend 'core/security/role.bicep' = if (useUserUpload) {`
`1124`	`1124`	`principalId: (deploymentTarget == 'appservice')`
`1125`	`1125`	`? backend.outputs.identityPrincipalId`
`1126`	`1126`	`: acaBackend.outputs.identityPrincipalId`
`1127`		`- roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'`
	`1127`	`+ roleDefinitionId: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner`
`1128`	`1128`	`principalType: 'ServicePrincipal'`
`1129`	`1129`	`}`
`1130`	`1130`	`}`
`@@ -1134,7 +1134,7 @@ module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVe`
`1134`	`1134`	`name: 'storage-role-searchservice'`
`1135`	`1135`	`params: {`
`1136`	`1136`	`principalId: searchService.outputs.principalId`
`1137`		`- roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'`
	`1137`	`+ roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader`
`1138`	`1138`	`principalType: 'ServicePrincipal'`
`1139`	`1139`	`}`
`1140`	`1140`	`}`
`@@ -1149,6 +1149,17 @@ module storageRoleContributorSearchService 'core/security/role.bicep' = if (useI`
`1149`	`1149`	`}`
`1150`	`1150`	`}`
`1151`	`1151`
	`1152`	`+// Necessary for the Container Apps backend to store authentication tokens in the blob storage container`
	`1153`	`+module storageRoleContributorBackend 'core/security/role.bicep' = if (deploymentTarget == 'containerapps' && !empty(clientAppId)) {`
	`1154`	`+ scope: storageResourceGroup`
	`1155`	`+ name: 'storage-role-contributor-aca-backend'`
	`1156`	`+ params: {`
	`1157`	`+ principalId: acaBackend.outputs.identityPrincipalId`
	`1158`	`+ roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor`
	`1159`	`+ principalType: 'ServicePrincipal'`
	`1160`	`+ }`
	`1161`	`+}`
	`1162`	`+`
`1152`	`1163`	`// Used to issue search queries`
`1153`	`1164`	`// https://learn.microsoft.com/azure/search/search-security-rbac`
`1154`	`1165`	`module searchRoleBackend 'core/security/role.bicep' = {`