environment() fix

infrastructure/infrastructure-setup-bicep/32-customer-managed-keys-user-assigned-identity/README.md

@@ -46,8 +46,8 @@ Before deploying this solution, ensure you have:
 1. **Azure CLI** installed and configured
 2. **Azure subscription** with appropriate permissions
 3. **Resource Group** created
-4. **Key Vault** with a key for CMK encryption
-5. **User-Assigned Managed Identity** with Key Vault permissions
+4. **Azure Key Vault** with a CMK RSA-2048 key already created
+5. **User-Assigned Managed Identity** created with Key Vault Crypto User role assigned
 
 ### Setting Up Prerequisites
 
@@ -82,7 +82,7 @@ az role assignment create --assignee $UAI_PRINCIPAL_ID --role "Key Vault Crypto
 
 ## Parameters
 
-The solution requires the following parameters:
+The template constructs the Key Vault URI automatically from `keyVaultName` using the cloud-appropriate suffix. Ensure your Key Vault and CMK key already exist before deployment.
 
 | Parameter | Description | Example |
 |-----------|-------------|---------|
@@ -122,6 +122,7 @@ The solution requires the following parameters:
 Get the Key Vault key version:
 ```powershell
 az keyvault key show --vault-name your-key-vault-name --name your-key-name --query key.kid -o tsv
+# Extract the last segment after the final '/' as the keyVersion
 ```
 
 Get UAI details:
@@ -175,7 +176,7 @@ Creates the AI Foundry account with:
 ### 2. CMK Encryption Module (`cmk-encryption.bicep`)
 
 Configures Customer-Managed Key encryption:
-- Adds Key Vault access policy for UAI
+- Constructs Key Vault URI automatically from keyVaultName using `environment().suffixes.keyvaultDns`
 - Updates account with CMK encryption settings
 - Uses UAI client ID for Key Vault authentication
 

infrastructure/infrastructure-setup-bicep/32-customer-managed-keys-user-assigned-identity/main.bicep

@@ -1,7 +1,7 @@
 /*
   Complete AI Foundry solution with UAI, CMK, and Project
-  
-  Description: 
+
+  Description:
   - Create an Azure AI Foundry account with User-Assigned Identity
   - Enable Customer-Managed Keys (CMK) encryption
   - Create a project
@@ -75,3 +75,4 @@ output accountId string = aiFoundryAccount.outputs.accountId
 output accountName string = aiFoundryAccount.outputs.accountName
 output projectId string = aiProject.outputs.projectId
 output projectName string = aiProject.outputs.projectName
+output keyVaultUri string = cmkEncryption.outputs.keyVaultUri

infrastructure/infrastructure-setup-bicep/32-customer-managed-keys-user-assigned-identity/modules/cmk-encryption.bicep

@@ -1,6 +1,5 @@
 /*
   Module: Customer-Managed Key (CMK) Encryption
-
   Configures customer-managed key encryption for AI Foundry account:
   - Adds Key Vault access policy for user-assigned identity
   - Updates account with CMK encryption configuration
@@ -28,7 +27,7 @@ param userAssignedIdentityId string
 param userAssignedIdentityClientId string
 
 // Use the actual Key Vault URI directly since environment() might not resolve correctly in this context
-var keyVaultUri = 'https://${keyVaultName}.${environment().suffixes.keyvaultDns}/'
+var keyVaultUri = 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/'
 
 // Note: Key Vault Crypto User role should already be assigned to the UAI
 // If not assigned, run: az role assignment create --assignee <UAI-Principal-ID> --role "Key Vault Crypto User" --scope <KeyVault-Resource-ID>
@@ -63,10 +62,10 @@ resource accountUpdate 'Microsoft.CognitiveServices/accounts@2025-04-01-preview'
         identityClientId: userAssignedIdentityClientId
       }
     }
-    
+
     // Required for AI Foundry projects
     allowProjectManagement: true
-    
+
     // Preserve existing properties
     publicNetworkAccess: 'Enabled'
     customSubDomainName: aiFoundryName
@@ -76,3 +75,4 @@ resource accountUpdate 'Microsoft.CognitiveServices/accounts@2025-04-01-preview'
 
 // Outputs
 output encryptionStatus string = 'CMK encryption enabled'
+output keyVaultUri string = keyVaultUri