diff --git a/infra-as-code/bicep/keyvault.bicep b/infra-as-code/bicep/keyvault.bicep
index 9cd84aa..eefb376 100755
--- a/infra-as-code/bicep/keyvault.bicep
+++ b/infra-as-code/bicep/keyvault.bicep
@@ -30,24 +30,24 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-11-01' = {
 name: 'standard'
 }
 networkAcls: {
- defaultAction: 'Allow' // Production readiness change: This sample uses identity as the perimeter. Production scenarios should layer in network perimeter control as well.
- bypass: 'AzureServices' // Required for AppGW communication if firewall is enabled in the future.
+ defaultAction: 'Allow' // Production readiness change: This sample uses identity as the perimeter. Production scenarios should layer in network perimeter control as well.
+ bypass: 'AzureServices' // Required for AppGW communication if firewall is enabled in the future.
 ipRules: []
 virtualNetworkRules: []
 }
 tenantId: subscription().tenantId
- enableRbacAuthorization: true // Using RBAC
- enabledForDeployment: true // VMs can retrieve certificates
- enabledForTemplateDeployment: true // ARM can retrieve values
- accessPolicies: [] // Using RBAC
- publicNetworkAccess: 'Enabled' // Production readiness change: This sample uses identity as the perimeter. Production scenarios should layer in network perimeter control as well.
+ enableRbacAuthorization: true // Using RBAC
+ enabledForDeployment: true // VMs can retrieve certificates
+ enabledForTemplateDeployment: true // ARM can retrieve values
+ accessPolicies: [] // Using RBAC
+ publicNetworkAccess: 'Enabled' // Production readiness change: This sample uses identity as the perimeter. Production scenarios should layer in network perimeter control as well.
 enabledForDiskEncryption: false
 enableSoftDelete: true
 softDeleteRetentionInDays: 7
- createMode: 'default' // Creating or updating the key vault (not recovering)
+ createMode: 'default' // Creating or updating the key vault (not recovering)
 }
 }
diff --git a/infra-as-code/bicep/machinelearning.bicep b/infra-as-code/bicep/machinelearning.bicep
index e466068..bfd2987 100755
--- a/infra-as-code/bicep/machinelearning.bicep
+++ b/infra-as-code/bicep/machinelearning.bicep
@@ -128,7 +128,6 @@ resource blobStorageContributorForUserRoleAssignment 'Microsoft.Authorization/ro
 principalId: yourPrincipalId // Production readiness change: Users shouldn't be using the Prompt flow developer portal in production, so this role
 // assignment would only be needed in pre-production environments. In pre-production, use conditions on this assignment
 // to restrict access to just the blob containers used by the project.
-
 }
 }
@@ -173,19 +172,17 @@ resource aiHub 'Microsoft.MachineLearningServices/workspaces@2025-01-01-preview'
 allowRoleAssignmentOnRG: false // Require role assignments at the resource level.
 v1LegacyMode: false
 workspaceHubConfig: {
- defaultWorkspaceResourceGroup: resourceGroup().id // Setting this to the same resource group as the workspace
+ defaultWorkspaceResourceGroup: resourceGroup().id // Setting this to the same resource group as the workspace
 }
-
 // Default settings for projects
 storageAccount: aiStudioStorageAccount.id
 containerRegistry: containerRegistry.id
- systemDatastoresAuthMode: 'identity'
- enableSoftwareBillOfMaterials: true
 enableDataIsolation: true
 keyVault: keyVault.id
- applicationInsights: applicationInsights.id
 hbiWorkspace: false
- imageBuildCompute: null
+ applicationInsights: applicationInsights.id
+ systemDatastoresAuthMode: 'Identity'
+ enableSoftwareBillOfMaterials: true
 }
 resource azureAiServicesConnection 'connections' = {
@@ -475,7 +472,6 @@ resource chatProjectDiagSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
 }
 }
-
 @description('Azure Diagnostics: AI Foundry chat project -> endpoint')
 resource chatProjectEndpointDiagSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
 name: 'default'
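Review bot: The only semantic change in the second hunk, `systemDatastoresAuthMode: 'identity'` becoming `'Identity'`, carries no comment, so a reader cannot tell whether it is a casing fix required by the enum the 2025-01-01-preview workspace type expects (worth confirming against that version's allowed values, since a wrong case is rejected at deploy time) or a change of mode; the remaining lines are reorders plus the drop of `imageBuildCompute: null`, which in Bicep should be equivalent to leaving the property unset. Because identity mode is presumably what keeps the hub off storage account keys for its system datastores, it deserves a why-comment like its neighbours: `systemDatastoresAuthMode: 'Identity' // Identity-based access to the hub's system datastores instead of storage account keys; casing per the 2025-01-01-preview API`. The aiHub resource starts and ends outside the hunk, so whether its public network access or managed network settings are constrained cannot be checked here.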
diff --git a/infra-as-code/bicep/webapp.bicep b/infra-as-code/bicep/webapp.bicep
index d336e6e..3de14f8 100755
--- a/infra-as-code/bicep/webapp.bicep
+++ b/infra-as-code/bicep/webapp.bicep
@@ -24,7 +24,7 @@ resource logWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' exis
 }
 // Built-in Azure RBAC role that is applied to a Key Vault to grant secrets content read permissions.
-resource keyVaultSecretsUserRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+resource keyVaultSecretsUserRole 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
 name: '4633458b-17de-408a-b874-0445c86b69e6'
 scope: subscription()
 }
@@ -64,7 +64,7 @@ module appServiceSecretsUserRoleAssignmentModule './modules/keyvaultRoleAssignme
 }
 // App service plan
-resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
+resource appServicePlan 'Microsoft.Web/serverfarms@2024-04-01' = {
 name: 'asp-${appName}${uniqueString(resourceGroup().id)}'
 location: location
 sku: {
@@ -79,7 +79,7 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
 }
 // Web App
-resource webApp 'Microsoft.Web/sites@2023-12-01' = {
+resource webApp 'Microsoft.Web/sites@2024-04-01' = {
 name: appName
 location: location
 kind: 'app'
@@ -110,7 +110,7 @@ resource webApp 'Microsoft.Web/sites@2023-12-01' = {
 }
 // App Settings
-resource appsettings 'Microsoft.Web/sites/config@2022-09-01' = {
+resource appsettings 'Microsoft.Web/sites/config@2024-04-01' = {
 name: 'appsettings'
 parent: webApp
 properties: {