Formatting

Author: pamelafox

infra/appregistration.bicep

@@ -1,91 +1,91 @@
-extension microsoftGraphV1
-
-@description('Specifies the name of cloud environment to run this deployment in.')
-param cloudEnvironment string = environment().name
-
-// NOTE: Microsoft Graph Bicep file deployment is only supported in Public Cloud
-@description('Audience uris for public and national clouds')
-param audiences object = {
-  AzureCloud: {
-    uri: 'api://AzureADTokenExchange'
-  }
-  AzureUSGovernment: {
-    uri: 'api://AzureADTokenExchangeUSGov'
-  }
-  USNat: {
-    uri: 'api://AzureADTokenExchangeUSNat'
-  }
-  USSec: {
-    uri: 'api://AzureADTokenExchangeUSSec'
-  }
-  AzureChinaCloud: {
-    uri: 'api://AzureADTokenExchangeChina'
-  }
-}
-
-@description('Specifies the ID of the user-assigned managed identity.')
-param webAppIdentityId string
-
-@description('Specifies the unique name for the client application.')
-param clientAppName string
-
-@description('Specifies the display name for the client application')
-param clientAppDisplayName string
-
-@description('Specifies the scopes that the client application requires.')
-param clientAppScopes array = ['User.Read', 'offline_access', 'openid', 'profile']
-
-param serviceManagementReference string = ''
-
-param issuer string
-
-param webAppEndpoint string
-
-// Get the MS Graph Service Principal based on its application ID:
-// https://learn.microsoft.com/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in
-var msGraphAppId = '00000003-0000-0000-c000-000000000000'
-resource msGraphSP 'Microsoft.Graph/[email protected]' existing = {
-  appId: msGraphAppId
-}
-
-var graphScopes = msGraphSP.oauth2PermissionScopes
-resource clientApp 'Microsoft.Graph/[email protected]' = {
-  uniqueName: clientAppName
-  displayName: clientAppDisplayName
-  signInAudience: 'AzureADMyOrg'
-  serviceManagementReference: empty(serviceManagementReference) ? null : serviceManagementReference
-  web: {
-    redirectUris: [
-      'http://localhost:50505/.auth/login/aad/callback'
-      '${webAppEndpoint}/.auth/login/aad/callback'
-    ]
-    implicitGrantSettings: { enableIdTokenIssuance: true }
-  }
-  requiredResourceAccess: [
-    {
-      resourceAppId: msGraphAppId
-      resourceAccess: [
-        for (scope, i) in clientAppScopes: {
-          id: filter(graphScopes, graphScopes => graphScopes.value == scope)[0].id
-          type: 'Scope'
-        }
-      ]
-    }
-  ]
-
-  resource clientAppFic '[email protected]' = {
-    name: '${clientApp.uniqueName}/miAsFic'
-    audiences: [
-      audiences[cloudEnvironment].uri
-   ]
-    issuer: issuer
-    subject: webAppIdentityId
-  }
-}
-
-resource clientSp 'Microsoft.Graph/[email protected]' = {
-  appId: clientApp.appId
-}
-
-output clientAppId string = clientApp.appId
-output clientSpId string = clientSp.id
+extension microsoftGraphV1
+
+@description('Specifies the name of cloud environment to run this deployment in.')
+param cloudEnvironment string = environment().name
+
+// NOTE: Microsoft Graph Bicep file deployment is only supported in Public Cloud
+@description('Audience uris for public and national clouds')
+param audiences object = {
+  AzureCloud: {
+    uri: 'api://AzureADTokenExchange'
+  }
+  AzureUSGovernment: {
+    uri: 'api://AzureADTokenExchangeUSGov'
+  }
+  USNat: {
+    uri: 'api://AzureADTokenExchangeUSNat'
+  }
+  USSec: {
+    uri: 'api://AzureADTokenExchangeUSSec'
+  }
+  AzureChinaCloud: {
+    uri: 'api://AzureADTokenExchangeChina'
+  }
+}
+
+@description('Specifies the ID of the user-assigned managed identity.')
+param webAppIdentityId string
+
+@description('Specifies the unique name for the client application.')
+param clientAppName string
+
+@description('Specifies the display name for the client application')
+param clientAppDisplayName string
+
+@description('Specifies the scopes that the client application requires.')
+param clientAppScopes array = ['User.Read', 'offline_access', 'openid', 'profile']
+
+param serviceManagementReference string = ''
+
+param issuer string
+
+param webAppEndpoint string
+
+// Get the MS Graph Service Principal based on its application ID:
+// https://learn.microsoft.com/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in
+var msGraphAppId = '00000003-0000-0000-c000-000000000000'
+resource msGraphSP 'Microsoft.Graph/[email protected]' existing = {
+  appId: msGraphAppId
+}
+
+var graphScopes = msGraphSP.oauth2PermissionScopes
+resource clientApp 'Microsoft.Graph/[email protected]' = {
+  uniqueName: clientAppName
+  displayName: clientAppDisplayName
+  signInAudience: 'AzureADMyOrg'
+  serviceManagementReference: empty(serviceManagementReference) ? null : serviceManagementReference
+  web: {
+    redirectUris: [
+      'http://localhost:50505/.auth/login/aad/callback'
+      '${webAppEndpoint}/.auth/login/aad/callback'
+    ]
+    implicitGrantSettings: { enableIdTokenIssuance: true }
+  }
+  requiredResourceAccess: [
+    {
+      resourceAppId: msGraphAppId
+      resourceAccess: [
+        for (scope, i) in clientAppScopes: {
+          id: filter(graphScopes, graphScopes => graphScopes.value == scope)[0].id
+          type: 'Scope'
+        }
+      ]
+    }
+  ]
+
+  resource clientAppFic '[email protected]' = {
+    name: '${clientApp.uniqueName}/miAsFic'
+    audiences: [
+      audiences[cloudEnvironment].uri
+    ]
+    issuer: issuer
+    subject: webAppIdentityId
+  }
+}
+
+resource clientSp 'Microsoft.Graph/[email protected]' = {
+  appId: clientApp.appId
+}
+
+output clientAppId string = clientApp.appId
+output clientSpId string = clientSp.id

infra/appupdate.bicep

@@ -1,60 +1,62 @@
-metadata description = 'Creates an Azure Container Apps Auth Config using Microsoft Entra as Identity Provider.'
-
-@description('The name of the container apps resource within the current resource group scope')
-param containerAppName string
-
-@description('The client ID of the Microsoft Entra application.')
-param clientId string
-
-param openIdIssuer string
-
-@description('Enable token store for the Container App.')
-param includeTokenStore bool = false
-
-@description('The URI of the Azure Blob Storage container to be used for token storage.')
-param blobContainerUri string = ''
-@description('The resource ID of the managed identity to be used for accessing the Azure Blob Storage.')
-param appIdentityResourceId string = ''
-
-resource app 'Microsoft.App/containerApps@2023-05-01' existing = {
-  name: containerAppName
-}
-
-resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
-  parent: app
-  name: 'current'
-  properties: {
-    platform: {
-      enabled: true
-    }
-    globalValidation: {
-      redirectToProvider: 'azureactivedirectory'
-      unauthenticatedClientAction: 'RedirectToLoginPage'
-    }
-    identityProviders: {
-      azureActiveDirectory: {
-        enabled: true
-        registration: {
-          clientId: clientId
-          clientSecretSettingName: 'override-use-mi-fic-assertion-client-id'
-          openIdIssuer: openIdIssuer
-        }
-        validation: {
-          defaultAuthorizationPolicy: {
-            allowedApplications: []
-          }
-        }
-      }
-    }
-    login: {
-      // https://learn.microsoft.com/azure/container-apps/token-store
-      tokenStore: {
-        enabled: includeTokenStore
-        azureBlobStorage: includeTokenStore ? {
-          blobContainerUri: blobContainerUri
-          managedIdentityResourceId: appIdentityResourceId
-        } : {}
-      }
-    }
-  }
-}
+metadata description = 'Creates an Azure Container Apps Auth Config using Microsoft Entra as Identity Provider.'
+
+@description('The name of the container apps resource within the current resource group scope')
+param containerAppName string
+
+@description('The client ID of the Microsoft Entra application.')
+param clientId string
+
+param openIdIssuer string
+
+@description('Enable token store for the Container App.')
+param includeTokenStore bool = false
+
+@description('The URI of the Azure Blob Storage container to be used for token storage.')
+param blobContainerUri string = ''
+@description('The resource ID of the managed identity to be used for accessing the Azure Blob Storage.')
+param appIdentityResourceId string = ''
+
+resource app 'Microsoft.App/containerApps@2023-05-01' existing = {
+  name: containerAppName
+}
+
+resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
+  parent: app
+  name: 'current'
+  properties: {
+    platform: {
+      enabled: true
+    }
+    globalValidation: {
+      redirectToProvider: 'azureactivedirectory'
+      unauthenticatedClientAction: 'RedirectToLoginPage'
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          clientId: clientId
+          clientSecretSettingName: 'override-use-mi-fic-assertion-client-id'
+          openIdIssuer: openIdIssuer
+        }
+        validation: {
+          defaultAuthorizationPolicy: {
+            allowedApplications: []
+          }
+        }
+      }
+    }
+    login: {
+      // https://learn.microsoft.com/azure/container-apps/token-store
+      tokenStore: {
+        enabled: includeTokenStore
+        azureBlobStorage: includeTokenStore
+          ? {
+              blobContainerUri: blobContainerUri
+              managedIdentityResourceId: appIdentityResourceId
+            }
+          : {}
+      }
+    }
+  }
+}