exp issues fix

Ravikirana-Microsoft · Ravikirana-Microsoft · commit 804e084981fc · 2025-09-11T13:25:59.000+05:30
diff --git a/docs/CustomizingAzdParameters.md b/docs/CustomizingAzdParameters.md
@@ -13,7 +13,7 @@ By default this template will use the environment name as the prefix to prevent
 | `AZURE_ENV_OPENAI_LOCATION`     | string | `<User selects during deployment>`   | Specifies the region for OpenAI resource deployment.                                                |
 | `AZURE_ENV_MODEL_DEPLOYMENT_TYPE` | string | `GlobalStandard` | Defines the deployment type for the AI model (e.g., Standard, GlobalStandard).                     |
 | `AZURE_ENV_MODEL_NAME`          | string | `gpt-4o`          | Specifies the name of the GPT model to be deployed.                                                |
-| `AZURE_ENV_FOUNDRY_PROJECT_ID`          | string | `<Existing Workspace Id>`          | Set this if you want to reuse an AI Foundry Project instead of creating a new one.                                                |                        
+| `AZURE_EXISTING_AI_PROJECT_RESOURCE_ID`          | string | `<Existing Workspace Id>`          | Set this if you want to reuse an AI Foundry Project instead of creating a new one.                                                |                        
 | `AZURE_ENV_MODEL_VERSION`       | string | `2024-08-06`      | Version of the GPT model to be used for deployment.                                                |
 | `AZURE_ENV_MODEL_CAPACITY`       | int | `150`      | Sets the GPT model capacity.                                                |
 | `AZURE_ENV_IMAGETAG`            | string | `latest`          | Docker image tag used for container deployments.                                                   |
diff --git a/docs/TroubleShootingSteps.md b/docs/TroubleShootingSteps.md
@@ -297,5 +297,35 @@ The subscription 'xxxx-xxxx' cannot have more than 1 Container App Environments
  
 </details>
 
+<details>
+<summary><b>EncryptionAtHostFeatureNotEnabled</b></summary>
+
+This error appears when a resource (typically a Virtual Machine or scale set) sets the property <code>encryptionAtHost: true</code> but the subscription isn't enabled for the feature <code>Microsoft.Compute/EncryptionAtHost</code> in that region.
+
+Example error snippet:
+
+<pre>
+{"code":"InvalidTemplateDeployment","message":"The template deployment failed with error: 'The feature Microsoft.Compute/EncryptionAtHost is not enabled for subscription <sub-id> in location <region>.'"}
+</pre>
+
+Why it happens:
+ - The host-level encryption capability is a gated feature. Subscriptions must register the feature (and sometimes wait for registration to complete) before provisioning VMs with it enabled.
+ - Attempting to force it on before registration completes blocks deployment.
+
+How to fix:
+ 1. Set the subscription
+        - Run: <code>az account set --subscription "yourSubIDHere"</code>
+ 2. Register the feature (one time per subscription):
+        - Run: <code>az feature register --name EncryptionAtHost --namespace Microsoft.Compute</code>
+ 3. Check status until it shows "Registered":
+        - <code>az feature show --name EncryptionAtHost --namespace Microsoft.Compute</code>
+ 4. Re-run the deployment.
+
+Reference docs:
+ - Azure Host Encryption: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli
+
+</details>
+<br/>
+<br/>
 💡 Note: If you encounter any other issues, you can refer to the [Common Deployment Errors](https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/common-deployment-errors) documentation.
 If the problem persists, you can also raise an bug in our [MACAE Github Issues](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator/issues) for further support.
diff --git a/docs/re-use-foundry-project.md b/docs/re-use-foundry-project.md
@@ -36,7 +36,7 @@ In the left-hand menu of the project blade:
 ### 6. Set the Foundry Project Resource ID in Your Environment
 Run the following command in your terminal
 ```bash
-azd env set AZURE_ENV_FOUNDRY_PROJECT_ID '<Existing Foundry Project Resource ID>'
+azd env set AZURE_EXISTING_AI_PROJECT_RESOURCE_ID '<Existing Foundry Project Resource ID>'
 ```
 Replace `<Existing Foundry Project Resource ID>` with the value obtained from Step 5.
 
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -232,7 +232,7 @@ module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0
     features: { enableLogAccessUsingOnlyResourcePermissions: true }
     diagnosticSettings: [{ useThisWorkspace: true }]
     // WAF aligned configuration for Redundancy
-    dailyQuotaGb: enableRedundancy ? 10 : null //WAF recommendation: 10 GB per day is a good starting point for most workloads
+    dailyQuotaGb: enableRedundancy ? 150 : null //WAF recommendation: 150 GB per day is a good starting point for most workloads
     replication: enableRedundancy
       ? {
           enabled: true
@@ -799,6 +799,26 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             name: 'perfCounterDataSource60'
           }
         ]
+        windowsEventLogs: [
+          {
+            name: 'SecurityAuditEvents'
+            streams: [
+              'Microsoft-WindowsEvent'
+            ]
+            eventLogName: 'Security'
+            eventTypes: [
+              {
+                eventType: 'Audit Success'
+              }
+              {
+                eventType: 'Audit Failure'
+              }
+            ]
+            xPathQueries: [
+              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+            ]
+          }
+        ]
       }
       destinations: {
         logAnalytics: [
@@ -856,7 +876,7 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.17.0' = if (e
     bypassPlatformSafetyChecksOnUserSchedule: true
     maintenanceConfigurationResourceId: maintenanceConfiguration!.outputs.resourceId
     enableAutomaticUpdates: true
-    encryptionAtHost: false
+    encryptionAtHost: true
     availabilityZone: virtualMachineAvailabilityZone
     proximityPlacementGroupResourceId: proximityPlacementGroup!.outputs.resourceId
     imageReference: {
@@ -1498,6 +1518,7 @@ module webSite 'modules/web-sites.bicep' = {
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.subnetResourceIds[4] : null
     publicNetworkAccess: 'Enabled' // Always enabling the public network access for Web App
+    e2eEncryptionEnabled: true
   }
 }
 
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
@@ -36,7 +36,7 @@
         "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"
     },
     "existingAiFoundryAiProjectResourceId": {
-      "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}"
+      "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
     }
   }
 }
diff --git a/infra/main.waf.parameters.json b/infra/main.waf.parameters.json
@@ -51,7 +51,34 @@
         "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"
     },
     "existingAiFoundryAiProjectResourceId": {
-      "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}"
+      "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
+    },
+    "customerManagedKey": {
+      "value": {
+        "keyVaultResourceId": "/subscriptions/1d5876cd-7603-407a-96d2-ae5ca9a9c5f3/resourceGroups/macae-keyvault/providers/Microsoft.KeyVault/vaults/macae-cmk",
+        "keyName": "macae-key",
+        "keyVersion": "c9c62b36289342eca6fffb111f3634be",
+        "userAssignedIdentityResourceId": "/subscriptions/1d5876cd-7603-407a-96d2-ae5ca9a9c5f3/resourceGroups/macae-keyvault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/macae-identity"
+      }
+    },
+    "allowedFqdnList": {
+      "value": [
+        "mcr.microsoft.com",
+        "openai.azure.com",
+        "cognitiveservices.azure.com",
+        "login.microsoftonline.com",
+        "management.azure.com",
+        "aiinfra.azure.com",
+        "aiinfra.azure.net",
+        "aiinfra.azureedge.net",
+        "blob.core.windows.net",
+        "database.windows.net",
+        "vault.azure.net",
+        "monitoring.azure.com",
+        "dc.services.visualstudio.com",
+        "azconfig.io",
+        "azconfig.azure.net"
+      ]
     }
   }
 }
diff --git a/infra/modules/web-sites.bicep b/infra/modules/web-sites.bicep
@@ -207,6 +207,7 @@ resource app 'Microsoft.Web/sites@2024-04-01' = {
     vnetImagePullEnabled: vnetImagePullEnabled
     vnetRouteAllEnabled: vnetRouteAllEnabled
     scmSiteAlsoStopped: scmSiteAlsoStopped
+    // Always enforce end to end encryption
     endToEndEncryptionEnabled: e2eEncryptionEnabled
     dnsConfiguration: dnsConfiguration
     autoGeneratedDomainNameLabelScope: autoGeneratedDomainNameLabelScope
diff --git a/infra/old/08-2025/main.parameters.json b/infra/old/08-2025/main.parameters.json
@@ -40,7 +40,7 @@
         "value": "${AZURE_ENV_MODEL_CAPACITY}"
       },
       "existingFoundryProjectResourceId": {
-      "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}"
+      "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
       },
       "imageTag": {
         "value": "${AZURE_ENV_IMAGE_TAG}"

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@`
`36`	`36`	`"value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"`
`37`	`37`	`},`
`38`	`38`	`"existingAiFoundryAiProjectResourceId": {`
`39`		`- "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}"`
	`39`	`+ "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`	`}`