Address feedback from Copilot

pamelafox · pamelafox · commit fc628e4c757a · 2025-07-30T17:28:02.000-07:00
diff --git a/infra/core/host/container-registry.bicep b/infra/core/host/container-registry.bicep
@@ -16,9 +16,6 @@ param sku object = {
 }
 param zoneRedundancy string = 'Disabled'
 
-@description('The log analytics workspace id used for logging & monitoring')
-param workspaceId string = ''
-
 // 2022-02-01-preview needed for anonymousPullEnabled
 resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
   name: name
@@ -36,34 +33,6 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
   }
 }
 
-// TODO: Update diagnostics to be its own module
-// Blocking issue: https://github.com/Azure/bicep/issues/622
-// Unable to pass in a `resource` scope or unable to use string interpolation in resource types
-resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
-  name: 'registry-diagnostics'
-  scope: containerRegistry
-  properties: {
-    workspaceId: workspaceId
-    logs: [
-      {
-        category: 'ContainerRegistryRepositoryEvents'
-        enabled: true
-      }
-      {
-        category: 'ContainerRegistryLoginEvents'
-        enabled: true
-      }
-    ]
-    metrics: [
-      {
-        category: 'AllMetrics'
-        enabled: true
-        timeGrain: 'PT1M'
-      }
-    ]
-  }
-}
-
 output loginServer string = containerRegistry.properties.loginServer
 output name string = containerRegistry.name
 output resourceId string = containerRegistry.id
diff --git a/infra/network-isolation.bicep b/infra/network-isolation.bicep
@@ -17,6 +17,13 @@ param useVpnGateway bool = false
 param vpnGatewayName string = '${vnetName}-vpn-gateway'
 param dnsResolverName string = '${vnetName}-dns-resolver'
 
+// Subnet name constants
+var backendSubnetName = 'backend-subnet'
+var gatewaySubnetName = 'GatewaySubnet' // Required name for Gateway subnet
+var dnsResolverSubnetName = 'dns-resolver-subnet'
+var appServiceSubnetName = 'app-service-subnet'
+var containerAppsSubnetName = 'container-apps-subnet'
+
 module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = if (deploymentTarget == 'containerapps') {
   name: 'container-apps-nsg'
   params: {
@@ -41,7 +48,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'
   }
 }
 
-module privateEndpointsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = if (deploymentTarget == 'containerapps') {
+module privateEndpointsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = {
   name: 'private-endpoints-nsg'
   params: {
     name: '${vnetName}-private-endpoints-nsg'
@@ -155,26 +162,26 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {
     subnets: union(
       [
         {
-          name: 'backend-subnet'
+          name: backendSubnetName
           addressPrefix: '10.0.8.0/24'
           privateEndpointNetworkPolicies: 'Enabled'
           privateLinkServiceNetworkPolicies: 'Enabled'
           networkSecurityGroupResourceId: privateEndpointsNSG.outputs.resourceId
         }
         {
-          name: 'GatewaySubnet' // Required name for Gateway subnet
+          name: gatewaySubnetName // Required name for Gateway subnet
           addressPrefix: '10.0.255.0/27' // Using a /27 subnet size which is minimal required size for gateway subnet
         }
         {
-          name: 'dns-resolver-subnet' // Dedicated subnet for Azure Private DNS Resolver
+          name: dnsResolverSubnetName // Dedicated subnet for Azure Private DNS Resolver
           addressPrefix: '10.0.11.0/28'
           delegation: 'Microsoft.Network/dnsResolvers'
         }
       ],
       deploymentTarget == 'appservice'
         ? [
             {
-              name: 'app-service-subnet'
+              name: appServiceSubnetName
               addressPrefix: '10.0.9.0/24'
               privateEndpointNetworkPolicies: 'Enabled'
               privateLinkServiceNetworkPolicies: 'Enabled'
@@ -183,16 +190,21 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {
           ]
         : [
             {
-              name: 'container-apps-subnet'
+              name: containerAppsSubnetName
               addressPrefix: '10.0.0.0/21'
-              networkSecurityGroupResourceId: containerAppsNSG.outputs.resourceId
               delegation: 'Microsoft.App/environments'
+              networkSecurityGroupResourceId: containerAppsNSG!.outputs.resourceId
             }
           ]
     )
   }
 }
 
+// Helper variables to find subnet resource IDs by name instead of hardcoded indices
+var dnsResolverSubnetIndex = indexOf(vnet.outputs.subnetNames, dnsResolverSubnetName)
+var backendSubnetIndex = indexOf(vnet.outputs.subnetNames, backendSubnetName)
+var appSubnetIndex = deploymentTarget == 'appservice' ? indexOf(vnet.outputs.subnetNames, appServiceSubnetName) : indexOf(vnet.outputs.subnetNames, containerAppsSubnetName)
+
 module virtualNetworkGateway 'br/public:avm/res/network/virtual-network-gateway:0.8.0' = if (useVpnGateway) {
   name: 'virtual-network-gateway'
   params: {
@@ -230,15 +242,15 @@ module dnsResolver 'br/public:avm/res/network/dns-resolver:0.5.4' = if (useVpnGa
     inboundEndpoints: [
       {
         name: 'inboundEndpoint'
-        subnetResourceId: useVpnGateway ? vnet.outputs.subnetResourceIds[2] : ''
+        subnetResourceId: useVpnGateway ? vnet.outputs.subnetResourceIds[dnsResolverSubnetIndex] : ''
       }
     ]
   }
 }
 
-output backendSubnetId string = vnet.outputs.subnetResourceIds[0]
-output privateDnsResolverSubnetId string = useVpnGateway ? vnet.outputs.subnetResourceIds[2] : ''
-output appSubnetId string = vnet.outputs.subnetResourceIds[3]
+output backendSubnetId string = vnet.outputs.subnetResourceIds[backendSubnetIndex]
+output privateDnsResolverSubnetId string = useVpnGateway ? vnet.outputs.subnetResourceIds[dnsResolverSubnetIndex] : ''
+output appSubnetId string = vnet.outputs.subnetResourceIds[appSubnetIndex]
 output vnetName string = vnet.outputs.name
 output vnetId string = vnet.outputs.resourceId
-output virtualNetworkGatewayName string = useVpnGateway ? virtualNetworkGateway.outputs.name : ''
+output virtualNetworkGatewayName string = useVpnGateway ? virtualNetworkGateway!.outputs.name : ''
diff --git a/infra/private-endpoints.bicep b/infra/private-endpoints.bicep
@@ -82,7 +82,8 @@ module monitorDnsZones './core/networking/private-dns-zones.bicep' = [for monito
 }]
 // Get blob DNS zone index for monitor private link
 var blobEndpointInfo = filter(flatten(privateEndpointInfo), info => info.groupId == 'blob')
-var dnsZoneBlobIndex = empty(blobEndpointInfo) ? 0 : blobEndpointInfo[0].dnsZoneIndex
+// Assert that blob endpoints exist (required for this application)
+var dnsZoneBlobIndex = blobEndpointInfo[0].dnsZoneIndex
 
 // Azure Monitor Private Link Scope
 // https://learn.microsoft.com/azure/azure-monitor/logs/private-link-security

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,13 @@ param useVpnGateway bool = false`
`17`	`17`	`param vpnGatewayName string = '${vnetName}-vpn-gateway'`
`18`	`18`	`param dnsResolverName string = '${vnetName}-dns-resolver'`
`19`	`19`
	`20`	`+// Subnet name constants`
	`21`	`+var backendSubnetName = 'backend-subnet'`
	`22`	`+var gatewaySubnetName = 'GatewaySubnet' // Required name for Gateway subnet`
	`23`	`+var dnsResolverSubnetName = 'dns-resolver-subnet'`
	`24`	`+var appServiceSubnetName = 'app-service-subnet'`
	`25`	`+var containerAppsSubnetName = 'container-apps-subnet'`
	`26`	`+`
`20`	`27`	`module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = if (deploymentTarget == 'containerapps') {`
`21`	`28`	`name: 'container-apps-nsg'`
`22`	`29`	`params: {`
`@@ -41,7 +48,7 @@ module containerAppsNSG 'br/public:avm/res/network/network-security-group:0.5.1'`
`41`	`48`	`}`
`42`	`49`	`}`
`43`	`50`
`44`		`-module privateEndpointsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = if (deploymentTarget == 'containerapps') {`
	`51`	`+module privateEndpointsNSG 'br/public:avm/res/network/network-security-group:0.5.1' = {`
`45`	`52`	`name: 'private-endpoints-nsg'`
`46`	`53`	`params: {`
`47`	`54`	`name: '${vnetName}-private-endpoints-nsg'`
`@@ -155,26 +162,26 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {`
`155`	`162`	`subnets: union(`
`156`	`163`	`[`
`157`	`164`	`{`
`158`		`- name: 'backend-subnet'`
	`165`	`+ name: backendSubnetName`
`159`	`166`	`addressPrefix: '10.0.8.0/24'`
`160`	`167`	`privateEndpointNetworkPolicies: 'Enabled'`
`161`	`168`	`privateLinkServiceNetworkPolicies: 'Enabled'`
`162`	`169`	`networkSecurityGroupResourceId: privateEndpointsNSG.outputs.resourceId`
`163`	`170`	`}`
`164`	`171`	`{`
`165`		`- name: 'GatewaySubnet' // Required name for Gateway subnet`
	`172`	`+ name: gatewaySubnetName // Required name for Gateway subnet`
`166`	`173`	`addressPrefix: '10.0.255.0/27' // Using a /27 subnet size which is minimal required size for gateway subnet`
`167`	`174`	`}`
`168`	`175`	`{`
`169`		`- name: 'dns-resolver-subnet' // Dedicated subnet for Azure Private DNS Resolver`
	`176`	`+ name: dnsResolverSubnetName // Dedicated subnet for Azure Private DNS Resolver`
`170`	`177`	`addressPrefix: '10.0.11.0/28'`
`171`	`178`	`delegation: 'Microsoft.Network/dnsResolvers'`
`172`	`179`	`}`
`173`	`180`	`],`
`174`	`181`	`deploymentTarget == 'appservice'`
`175`	`182`	`? [`
`176`	`183`	`{`
`177`		`- name: 'app-service-subnet'`
	`184`	`+ name: appServiceSubnetName`
`178`	`185`	`addressPrefix: '10.0.9.0/24'`
`179`	`186`	`privateEndpointNetworkPolicies: 'Enabled'`
`180`	`187`	`privateLinkServiceNetworkPolicies: 'Enabled'`
`@@ -183,16 +190,21 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {`
`183`	`190`	`]`
`184`	`191`	`: [`
`185`	`192`	`{`
`186`		`- name: 'container-apps-subnet'`
	`193`	`+ name: containerAppsSubnetName`
`187`	`194`	`addressPrefix: '10.0.0.0/21'`
`188`		`- networkSecurityGroupResourceId: containerAppsNSG.outputs.resourceId`
`189`	`195`	`delegation: 'Microsoft.App/environments'`
	`196`	`+ networkSecurityGroupResourceId: containerAppsNSG!.outputs.resourceId`
`190`	`197`	`}`
`191`	`198`	`]`
`192`	`199`	`)`
`193`	`200`	`}`
`194`	`201`	`}`
`195`	`202`
	`203`	`+// Helper variables to find subnet resource IDs by name instead of hardcoded indices`
	`204`	`+var dnsResolverSubnetIndex = indexOf(vnet.outputs.subnetNames, dnsResolverSubnetName)`
	`205`	`+var backendSubnetIndex = indexOf(vnet.outputs.subnetNames, backendSubnetName)`
	`206`	`+var appSubnetIndex = deploymentTarget == 'appservice' ? indexOf(vnet.outputs.subnetNames, appServiceSubnetName) : indexOf(vnet.outputs.subnetNames, containerAppsSubnetName)`
	`207`	`+`
`196`	`208`	`module virtualNetworkGateway 'br/public:avm/res/network/virtual-network-gateway:0.8.0' = if (useVpnGateway) {`
`197`	`209`	`name: 'virtual-network-gateway'`
`198`	`210`	`params: {`
`@@ -230,15 +242,15 @@ module dnsResolver 'br/public:avm/res/network/dns-resolver:0.5.4' = if (useVpnGa`
`230`	`242`	`inboundEndpoints: [`
`231`	`243`	`{`
`232`	`244`	`name: 'inboundEndpoint'`
`233`		`- subnetResourceId: useVpnGateway ? vnet.outputs.subnetResourceIds[2] : ''`
	`245`	`+ subnetResourceId: useVpnGateway ? vnet.outputs.subnetResourceIds[dnsResolverSubnetIndex] : ''`
`234`	`246`	`}`
`235`	`247`	`]`
`236`	`248`	`}`
`237`	`249`	`}`
`238`	`250`
`239`		`-output backendSubnetId string = vnet.outputs.subnetResourceIds[0]`
`240`		`-output privateDnsResolverSubnetId string = useVpnGateway ? vnet.outputs.subnetResourceIds[2] : ''`
`241`		`-output appSubnetId string = vnet.outputs.subnetResourceIds[3]`
	`251`	`+output backendSubnetId string = vnet.outputs.subnetResourceIds[backendSubnetIndex]`
	`252`	`+output privateDnsResolverSubnetId string = useVpnGateway ? vnet.outputs.subnetResourceIds[dnsResolverSubnetIndex] : ''`
	`253`	`+output appSubnetId string = vnet.outputs.subnetResourceIds[appSubnetIndex]`
`242`	`254`	`output vnetName string = vnet.outputs.name`
`243`	`255`	`output vnetId string = vnet.outputs.resourceId`
`244`		`-output virtualNetworkGatewayName string = useVpnGateway ? virtualNetworkGateway.outputs.name : ''`
	`256`	`+output virtualNetworkGatewayName string = useVpnGateway ? virtualNetworkGateway!.outputs.name : ''`