chore: commit all outstanding changes

Author: srnichols

AzureArchitecture/deploymentStampLayer.bicep

@@ -1,11 +1,3 @@
-@description('Azure AD administrator login for SQL Server (user or group UPN)')
-param sqlAadAdminLogin string = ''
-
-@description('Azure AD administrator objectId for SQL Server (user or group objectId)')
-param sqlAadAdminObjectId string = ''
-
-@description('Azure AD tenantId for SQL Server')
-param sqlAadAdminTenantId string = ''
 // --------------------------------------------------------------------------------------
 // CELL Layer Module
 // - Deploys isolated application/data resources for a single CELL
@@ -37,6 +29,9 @@ param storageAccountName string
 @description('Name for the Key Vault for this CELL/Stamp')
 param keyVaultName string
 
+@description('Optional salt to ensure unique resource names for repeated deployments (e.g., date, initials, or random chars)')
+param salt string = ''
+
 @description('Name for the Cosmos DB account for this CELL/Stamp')
 param cosmosDbStampName string
 
@@ -343,7 +338,7 @@ resource storageLifecyclePolicy 'Microsoft.Storage/storageAccounts/managementPol
 
 // Key Vault for CELL with security hardening
 resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
-  name: keyVaultName
+  name: empty(salt) ? keyVaultName : '${keyVaultName}${salt}'
   location: location
   properties: {
     sku: {
@@ -422,7 +417,7 @@ resource sqlEncryptionKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
 
 // Diagnostic settings for Key Vault
 resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
-  name: '${keyVaultName}-diagnostics'
+  name: empty(salt) ? '${keyVaultName}-diagnostics' : '${keyVaultName}${salt}-diagnostics'
   scope: keyVault
   properties: {
     workspaceId: globalLogAnalyticsWorkspaceId
@@ -487,15 +482,15 @@ resource sqlPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = if
 
 // Private endpoint for Key Vault
 resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = if (enablePrivateEndpoints && !empty(privateEndpointSubnetId)) {
-  name: '${keyVaultName}-pe'
+  name: empty(salt) ? '${keyVaultName}-pe' : '${keyVaultName}${salt}-pe'
   location: location
   properties: {
     subnet: {
       id: privateEndpointSubnetId
     }
     privateLinkServiceConnections: [
       {
-        name: '${keyVaultName}-psc'
+  name: empty(salt) ? '${keyVaultName}-psc' : '${keyVaultName}${salt}-psc'
         properties: {
           privateLinkServiceId: keyVault.id
           groupIds: ['vault']
@@ -749,27 +744,17 @@ resource sqlServer 'Microsoft.Sql/servers@2022-11-01-preview' = {
   identity: {
     type: 'SystemAssigned'
   }
-  // Note: Only AAD admin is configured to comply with AAD-only authentication policy.
+  // Note: Only SQL admin login is configured. AAD-only authentication is NOT enabled by default.
   properties: {
+    administratorLogin: sqlAdminUsername
+    administratorLoginPassword: sqlAdminPassword
     version: '12.0'
     // Security hardening
     minimalTlsVersion: '1.2'
     publicNetworkAccess: 'Disabled'
   }
 }
 
-// Azure AD administrator for SQL Server (required for AAD-only authentication)
-resource sqlServerAadAdmin 'Microsoft.Sql/servers/administrators@2022-11-01-preview' = if (!empty(sqlAadAdminObjectId) && !empty(sqlAadAdminLogin) && !empty(sqlAadAdminTenantId)) {
-  name: 'activeDirectory'
-  parent: sqlServer
-  properties: {
-    administratorType: 'ActiveDirectory'
-    login: sqlAadAdminLogin
-    sid: sqlAadAdminObjectId
-    tenantId: sqlAadAdminTenantId
-  }
-}
-
 // SQL Server firewall rule is not created because public network access is disabled.
 // If you enable public access, add a conditional firewall rule accordingly.
 

AzureArchitecture/globalLayer.bicep

@@ -1,3 +1,4 @@
+// Endpoints are now filtered in the deployment script. Use as-is.
 // --------------------------------------------------------------------------------------
 // Module: globalLayer
 // Purpose: Provisions global/shared resources such as DNS Zone, Traffic Manager, and Front Door.
@@ -88,19 +89,7 @@ resource trafficManager 'Microsoft.Network/trafficManagerProfiles@2022-04-01' =
       port: 443
       path: '/health'
     }
-    endpoints: [
-      for (endpoint, i) in regionalEndpoints: if (!empty(endpoint.fqdn)) {
-        name: 'regional-endpoint-${i + 1}'
-        type: 'Microsoft.Network/trafficManagerProfiles/externalEndpoints'
-        properties: {
-          target: endpoint.fqdn
-          endpointStatus: 'Enabled'
-          endpointLocation: endpoint.location
-          weight: 1
-          priority: i + 1
-        }
-      }
-    ]
+    endpoints: regionalEndpoints
   }
 }
 
@@ -184,62 +173,8 @@ resource apimRoute 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = if
   ]
 }
 
-// Secondary Origin Group for regional Application Gateways (fallback/direct routing)
-resource regionalOriginGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = if (length([for endpoint in regionalEndpoints: if (!empty(endpoint.fqdn)) endpoint]) > 0) {
-  name: 'regional-agw-origins'
-  parent: frontDoor
-  properties: {
-    loadBalancingSettings: {
-      sampleSize: 4
-      successfulSamplesRequired: 3
-      additionalLatencyInMilliseconds: 50
-    }
-    healthProbeSettings: {
-      probePath: '/health'
-      probeRequestType: 'GET'
-      probeProtocol: 'Https'
-      probeIntervalInSeconds: 100
-    }
-  }
-}
 
-// Origins for each regional Application Gateway (fallback routing)
-resource regionalOrigins 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = [for (endpoint, i) in regionalEndpoints: if (!empty(endpoint.fqdn)) {
-  name: 'agw-${endpoint.location}-origin'
-  parent: regionalOriginGroup
-  properties: {
-    hostName: endpoint.fqdn
-    httpPort: 80
-    httpsPort: 443
-    originHostHeader: endpoint.fqdn
-    priority: (i % 5) + 1  // Ensure priority is between 1-5
-    weight: 1000
-    enabledState: 'Enabled'
-    enforceCertificateNameCheck: true
-  }
-}]
-
-// Fallback Route for direct regional access (bypassing APIM)
-resource regionalRoute 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = if (length([for endpoint in regionalEndpoints: if (!empty(endpoint.fqdn)) endpoint]) > 0) {
-  name: 'regional-fallback-route'
-  parent: frontDoorEndpoint
-  properties: {
-    customDomains: []
-    originGroup: {
-      id: regionalOriginGroup.id
-    }
-    originPath: null
-    ruleSets: []
-    supportedProtocols: ['Http', 'Https']
-    patternsToMatch: ['/direct/*', '/regional/*']  // Specific patterns for direct regional access
-    forwardingProtocol: 'HttpsOnly'
-    linkToDefaultDomain: 'Enabled'
-    httpsRedirect: 'Enabled'
-  }
-  dependsOn: [
-    regionalOrigins
-  ]
-}
+// Fallback routing for regional Application Gateways must be implemented manually if needed.
 
 @description('Enable diagnostic settings for Front Door (some categories may be restricted by SKU/region).')
 param enableFrontDoorDiagnostics bool = false

AzureArchitecture/host-main.bicep

@@ -1,3 +1,5 @@
+@description('Optional salt to ensure unique resource names for repeated deployments (e.g., date, initials, or random chars)')
+param salt string = ''
 
 // Orchestrator for regional networking and CELL deployments in the Host subscription
 // Consumes a central Log Analytics workspace resource ID from the Hub deployment
@@ -193,7 +195,8 @@ module deploymentStampLayers './deploymentStampLayer.bicep' = [for (cell, idx) i
     sqlAdminPassword: sqlAdminPassword
     sqlDbName: toLower('sqldb-cell${substring(cell.cellName, length(cell.cellName) - 2, 2)}-z${string(length(cell.availabilityZones))}-${(regionShortNames[?cell.regionName] ?? substring(cell.regionName, 0, 3))}-${envShort}')
     storageAccountName: toLower('st${(geoShortNames[?cell.geoName] ?? substring(cell.geoName, 0, 2))}${(regionShortNames[?cell.regionName] ?? substring(cell.regionName, 0, 3))}cell${substring(cell.cellName, length(cell.cellName) - 2, 2)}z${string(length(cell.availabilityZones))}${envShort}${substring(uniqueString(subscription().id, cell.regionName, cell.cellName, deployment().name), 0, 2)}')
-    keyVaultName: toLower('kv-${(geoShortNames[?cell.geoName] ?? substring(cell.geoName, 0, 2))}-${(regionShortNames[?cell.regionName] ?? substring(cell.regionName, 0, 3))}-cell${substring(cell.cellName, length(cell.cellName) - 2, 2)}-${envShort}-${substring(uniqueString(subscription().id, cell.regionName, cell.cellName), 0, 2)}')
+  keyVaultName: toLower('kv-${(geoShortNames[?cell.geoName] ?? substring(cell.geoName, 0, 2))}-${(regionShortNames[?cell.regionName] ?? substring(cell.regionName, 0, 3))}-cell${substring(cell.cellName, length(cell.cellName) - 2, 2)}-${envShort}-${substring(uniqueString(subscription().id, cell.regionName, cell.cellName), 0, 2)}${empty(salt) ? '' : salt}')
+  salt: salt
     cosmosDbStampName: toLower('cosmos${(geoShortNames[?cell.geoName] ?? substring(cell.geoName, 0, 2))}${(regionShortNames[?cell.regionName] ?? substring(cell.regionName, 0, 3))}cell${substring(cell.cellName, length(cell.cellName) - 2, 2)}z${string(length(cell.availabilityZones))}${envShort}${substring(uniqueString(subscription().id, cell.regionName, cell.cellName, deployment().name), 0, 6)}')
     tags: union(tags, {
       geo: cell.geoName

AzureArchitecture/main.bicep

@@ -1,3 +1,5 @@
+@description('Optional salt to ensure unique resource names for repeated deployments (e.g., date, initials, or random chars)')
+param salt string = ''
 // Requires Bicep CLI v0.20.0 or later for array filtering with ternary operator
 @description('Enable deployment of global Function Apps and their plans/storage (disable in smoke/lab to avoid quota)')
 param enableGlobalFunctions bool = true
@@ -433,7 +435,8 @@ module deploymentStampLayers './deploymentStampLayer.bicep' = [
       storageAccountName: toLower('st${uniqueString(subscription().id, cell.regionName, 'CELL-${padLeft(string(index + 1), 2, '0')}')}z${string(length(cell.availabilityZones))}')
   // Key Vault name: max 24 chars, alphanumeric only, must start with letter, end with letter/digit
   // Example: kvs-wus2-p-abc123de
-  keyVaultName: toLower('kvs${take(cell.regionName, 3)}${take(environment, 1)}${substring(uniqueString(subscription().id, 'kv', cell.regionName, environment, 'CELL-${padLeft(string(index + 1), 2, '0')}'), 0, 8)}')
+  keyVaultName: toLower('kvs${take(cell.regionName, 3)}${take(environment, 1)}${substring(uniqueString(subscription().id, 'kv', cell.regionName, environment, 'CELL-${padLeft(string(index + 1), 2, '0')}'), 0, 8)}${empty(salt) ? '' : salt}')
+  salt: salt
   // Cosmos DB name: 3-44 chars, lowercase, letters, numbers, hyphens only, must start with a letter
   cosmosDbStampName: toLower('cosmos${take(cell.geoName, 3)}${take(cell.regionName, 3)}${padLeft(string(index + 1), 2, '0')}z${string(length(cell.availabilityZones))}${substring(uniqueString(subscription().id, cell.geoName, cell.regionName, string(index)), 0, 6)}')
       tags: union(baseTags, {

AzureArchitecture/main.parameters.json

@@ -47,15 +47,6 @@
     "sqlAdminPassword": {
       "value": "G7!rT9p#xQ2z@LmS"
     },
-    "sqlAadAdminLogin": {
-      "value": "srnichols_live.com#EXT#@fdpo.onmicrosoft.com"
-    },
-    "sqlAadAdminObjectId": {
-      "value": "90379532-1038-4db5-8709-b0dc8fec9cad"
-    },
-    "sqlAadAdminTenantId": {
-      "value": "16b3c013-d300-468d-ac64-7eda0820b6d3"
-    },
     "enableGlobalFunctions": {
       "value": true
     },

AzureArchitecture/single-sub-deployment-step1.ps1

@@ -1,3 +1,12 @@
+# Helper: Filter out endpoints with empty/null FQDNs
+function Filter-ValidEndpoints {
+    param(
+        [Parameter(Mandatory=$true)]
+        [array]$Endpoints
+    )
+    return $Endpoints | Where-Object { $_.fqdn -and $_.fqdn.Trim() -ne '' }
+}
+
 # PowerShell script to deploy main.bicep, extract management portal outputs, and write to management-portal.parameters.json
 
 # Set variables
@@ -6,6 +15,13 @@ $ParametersFile = "./AzureArchitecture/host-main.parameters.json"
 $DeploymentName = "stamps-host-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
 $OutputFile = "./AzureArchitecture/management-portal.parameters.json"
 
+
+# (Optional) If you have a regionalEndpoints array to pass, filter it here before deployment
+# Example usage:
+# $regionalEndpoints = ... # Load or construct your endpoints array
+# $filteredEndpoints = Filter-ValidEndpoints -Endpoints $regionalEndpoints
+# Then pass $filteredEndpoints to Bicep as a parameter
+
 # Deploy host-main.bicep at subscription scope and capture outputs
 $deploymentResult = az deployment sub create `
     --name $DeploymentName `

AzureArchitecture/single-sub-deployment-step2.ps1

@@ -1,3 +1,12 @@
+# Helper: Filter out endpoints with empty/null FQDNs
+function Filter-ValidEndpoints {
+  param(
+    [Parameter(Mandatory=$true)]
+    [array]$Endpoints
+  )
+  return $Endpoints | Where-Object { $_.fqdn -and $_.fqdn.Trim() -ne '' }
+}
+
 # PowerShell script to configure post-deployment traffic routing between Front Door, APIM, and Application Gateways
 # This script should be run after single-sub-deployment-step1.ps1 completes successfully
 
@@ -59,34 +68,36 @@ if (-not $trafficManager) {
 
 Write-Host "Found Traffic Manager: $($trafficManager.name) - FQDN: $($trafficManager.fqdn)" -ForegroundColor Green
 
+
 # Get regional Application Gateways
 Write-Host "Step 2: Discovering regional Application Gateways..." -ForegroundColor Cyan
 
 $resourceGroups = az group list --query "[?starts_with(name, '$regionalRgPrefix')].name" --output tsv
 $appGateways = @()
 
 foreach ($rgName in $resourceGroups) {
-    $agw = az network application-gateway list --resource-group $rgName --query "[0].{name:name, fqdn:frontendIPConfigurations[0].publicIPAddress.fqdn, location:location}" | ConvertFrom-Json
-    if ($agw) {
-        # Get the actual public IP FQDN
-        $pipName = az network application-gateway show --name $agw.name --resource-group $rgName --query "frontendIPConfigurations[0].publicIPAddress.id" --output tsv | Split-Path -Leaf
-        $pip = az network public-ip show --name $pipName --resource-group $rgName --query "{fqdn:dnsSettings.fqdn, ipAddress:ipAddress}" | ConvertFrom-Json
-        
-        $appGateways += @{
-            name = $agw.name
-            resourceGroup = $rgName
-            location = $agw.location
-            fqdn = $pip.fqdn
-            ipAddress = $pip.ipAddress
-        }
-        
-        Write-Host "Found App Gateway: $($agw.name) in $($agw.location) - FQDN: $($pip.fqdn)" -ForegroundColor Green
+  $agw = az network application-gateway list --resource-group $rgName --query "[0].{name:name, fqdn:frontendIPConfigurations[0].publicIPAddress.fqdn, location:location}" | ConvertFrom-Json
+  if ($agw) {
+    # Get the actual public IP FQDN
+    $pipName = az network application-gateway show --name $agw.name --resource-group $rgName --query "frontendIPConfigurations[0].publicIPAddress.id" --output tsv | Split-Path -Leaf
+    $pip = az network public-ip show --name $pipName --resource-group $rgName --query "{fqdn:dnsSettings.fqdn, ipAddress:ipAddress}" | ConvertFrom-Json
+    $appGateways += @{
+      name = $agw.name
+      resourceGroup = $rgName
+      location = $agw.location
+      fqdn = $pip.fqdn
+      ipAddress = $pip.ipAddress
     }
+    Write-Host "Found App Gateway: $($agw.name) in $($agw.location) - FQDN: $($pip.fqdn)" -ForegroundColor Green
+  }
 }
 
+# Filter out any app gateways with empty/null FQDNs before using them
+$appGateways = Filter-ValidEndpoints -Endpoints $appGateways
+
 if ($appGateways.Count -eq 0) {
-    Write-Error "No Application Gateways found in regional resource groups"
-    exit 1
+  Write-Error "No Application Gateways with valid FQDNs found in regional resource groups"
+  exit 1
 }
 
 Write-Host "Step 3: Configuring APIM backends for regional Application Gateways..." -ForegroundColor Cyan

VERSION

@@ -1,3 +1,5 @@
+---
+
 # Three-Step Deployment Process for Management Portal and Routing
 
 This guide outlines the recommended three-step process for deploying the Stamps Pattern infrastructure, global routing, and the Management Portal application. This approach separates infrastructure, routing, and application deployment for maximum reliability and clarity.
@@ -85,5 +87,19 @@ This guide outlines the recommended three-step process for deploying the Stamps
 - Adjust parameter values and secrets as needed for your environment.
 
 ---
+## Special Parameters for Repeated Deployments
+
+**salt**: To avoid Azure soft-delete conflicts (e.g., with Key Vaults), a `salt` parameter is now supported. This can be any short string (date, initials, random chars) and will be appended to resource names like Key Vault. Update the `salt` value in your deployment parameters or script for each new deployment attempt on the same day.
 
+**How to use:**
+- Add or update the `salt` parameter in your deployment command or parameters file (e.g., `-salt 20250824a`).
+- This ensures unique resource names and prevents soft-delete name collisions.
+
+**Example:**
+```pwsh
+pwsh ./scripts/single-sub-deployment-step1.ps1 -SubscriptionId <subscription-id> -Location <primary-location> -Environment <env> -Salt 20250824a
+```
+
+If you encounter a Key Vault name conflict, simply change the `salt` value and redeploy.
+---
 For more details, see the project documentation or ask in the project discussions.