fix: update event stream names and enforce security settings in Bicep templates

Kanchan-Microsoft · Kanchan-Microsoft · commit 7adc4532e8f8 · 2026-05-19T13:16:57.000+05:30
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -433,7 +433,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
+              'Microsoft-Event'
             ]
             eventLogName: 'Security'
             eventTypes: [
@@ -469,6 +469,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
@@ -654,6 +664,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
       defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
       ipRules: []
     }
+    requireInfrastructureEncryption: true
     supportsHttpsTrafficOnly: true
     accessTier: 'Hot'
     tags: tags
@@ -1048,6 +1059,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
@@ -1089,6 +1101,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressTargetPort: 3000
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 2
       minReplicas: enableScalability ? 2 : 1
@@ -1723,6 +1736,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
diff --git a/infra/main.json b/infra/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "312988678863218513"
+      "templateHash": "11967716103255684929"
     },
     "name": "Content Processing Solution Accelerator",
     "description": "Bicep template to deploy the Content Processing Solution Accelerator with AVM compliance."
@@ -14607,7 +14607,7 @@
                   {
                     "name": "SecurityAuditEvents",
                     "streams": [
-                      "Microsoft-WindowsEvent"
+                      "Microsoft-Event"
                     ],
                     "eventLogName": "Security",
                     "eventTypes": [
@@ -14642,6 +14642,16 @@
                   ],
                   "transformKql": "source",
                   "outputStream": "Microsoft-Perf"
+                },
+                {
+                  "streams": [
+                    "Microsoft-Event"
+                  ],
+                  "destinations": [
+                    "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                  ],
+                  "transformKql": "source",
+                  "outputStream": "Microsoft-Event"
                 }
               ]
             }
@@ -28050,6 +28060,9 @@
               "ipRules": []
             }
           },
+          "requireInfrastructureEncryption": {
+            "value": true
+          },
           "supportsHttpsTrafficOnly": {
             "value": true
           },
@@ -42481,10 +42494,10 @@
       },
       "dependsOn": [
         "avmAiServices",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').contentUnderstanding)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
         "virtualNetwork"
       ]
     },
@@ -45910,6 +45923,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [
@@ -47515,6 +47531,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "scaleSettings": {
             "value": {
               "maxReplicas": "[if(parameters('enableScalability'), 3, 2)]",
@@ -63175,6 +63194,9 @@
           "ingressTransport": {
             "value": "auto"
           },
+          "ingressAllowInsecure": {
+            "value": false
+          },
           "corsPolicy": {
             "value": {
               "allowedOrigins": [
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -436,7 +436,7 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
+              'Microsoft-Event'
             ]
             eventLogName: 'Security'
             eventTypes: [
@@ -472,6 +472,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
@@ -657,6 +667,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.32.0' = {
       defaultAction: (enablePrivateNetworking) ? 'Deny' : 'Allow'
       ipRules: []
     }
+    requireInfrastructureEncryption: true
     supportsHttpsTrafficOnly: true
     accessTier: 'Hot'
     tags: tags
@@ -1061,6 +1072,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
@@ -1107,6 +1119,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.22.1' = {
     ingressTargetPort: 3000
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     scaleSettings: {
       maxReplicas: enableScalability ? 3 : 2
       minReplicas: enableScalability ? 2 : 1
@@ -1756,6 +1769,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.22.1' =
     ingressExternal: true
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
+    ingressAllowInsecure: false
     corsPolicy: {
       allowedOrigins: [
         '*'
