Azure-Samples
diff --git a/‎README.md
Lines changed: 3 additions & 4 deletions b/‎README.md
Lines changed: 3 additions & 4 deletions
diff --git a/‎infra/abbreviations.json
Lines changed: 2 additions & 1 deletion b/‎infra/abbreviations.json
Lines changed: 2 additions & 1 deletion
diff --git a/‎infra/core/ai/cognitiveservices.bicep
Lines changed: 13 additions & 1 deletion b/‎infra/core/ai/cognitiveservices.bicep
Lines changed: 13 additions & 1 deletion
diff --git a/‎infra/core/host/container-app.bicep
Lines changed: 114 additions & 41 deletions b/‎infra/core/host/container-app.bicep
Lines changed: 114 additions & 41 deletions
diff --git a/‎infra/core/host/container-apps-environment.bicep
Lines changed: 16 additions & 1 deletion b/‎infra/core/host/container-apps-environment.bicep
Lines changed: 16 additions & 1 deletion
diff --git a/‎infra/core/host/container-apps.bicep
Lines changed: 13 additions & 3 deletions b/‎infra/core/host/container-apps.bicep
Lines changed: 13 additions & 3 deletions
@@ -98,7 +98,6 @@ You may try the [Azure pricing calculator](https://azure.com/e/8ffbe5b1919c4c72a
 - Azure Container Apps: Pay-as-you-go tier. Costs based on vCPU and memory used. [Pricing](https://azure.microsoft.com/pricing/details/container-apps/)
 - Azure Static Web Apps: Free Tier. [Pricing](https://azure.microsoft.com/pricing/details/app-service/static/)
 - Azure OpenAI: Standard tier, ChatGPT and Ada models. Pricing per 1K tokens used, and at least 1K tokens are used per question. [Pricing](https://azure.microsoft.com/pricing/details/search/)
-<!-- - Form Recognizer: SO (Standard) tier using pre-built layout. Pricing per document page, sample documents have 261 pages total. [Pricing](https://azure.microsoft.com/pricing/details/form-recognizer/) -->
 - Azure AI Search: Standard tier, 1 replica, free level of semantic search\*. Pricing per hour.[Pricing](https://azure.microsoft.com/pricing/details/search/) (_The pricing may vary or reflect an outdated tier model. Please visit the linked page for more accurate information_)
 - Azure Blob Storage: Standard tier with ZRS (Zone-redundant storage). Pricing per storage and read operations. [Pricing](https://azure.microsoft.com/pricing/details/storage/blobs/)
 - Azure Monitor: Pay-as-you-go tier. Costs based on data ingested. [Pricing](https://azure.microsoft.com/pricing/details/monitor/)
@@ -183,7 +182,7 @@ If you already have existing Azure resources, you can re-use those by setting `a
 
 #### Other existing Azure resources
 
-You can also use existing Form Recognizer and Storage Accounts. See `./infra/main.parameters.json` for list of environment variables to pass to `azd env set` to configure those existing resources.
+You can also use an existing Storage Account. See `./infra/main.parameters.json` for list of environment variables to pass to `azd env set` to configure those existing resources.
 
 #### Provision remaining resources
 
@@ -329,7 +328,7 @@ For more details, read [Azure OpenAI Landing Zone reference architecture](https:
 - [Generative AI For Beginners](https://github.com/microsoft/generative-ai-for-beginners)
 - [Revolutionize your Enterprise Data with ChatGPT: Next-gen Apps w/ Azure OpenAI and AI Search](https://aka.ms/entgptsearchblog)
 - [Azure AI Search](https://learn.microsoft.com/azure/search/search-what-is-azure-search)
-- [Azure OpenAI Service](https://learn.microsoft.com/azure/cognitive-services/openai/overview)
+- [Azure OpenAI Service](https://learn.microsoft.com/azure/ai-services/openai/overview)
 - [Building ChatGPT-Like Experiences with Azure: A Guide to Retrieval Augmented Generation for JavaScript applications](https://devblogs.microsoft.com/azure-sdk/building-chatgpt-like-experiences-with-azure-a-guide-to-retrieval-augmented-generation-for-javascript-applications/)
 
 ## Clean up
@@ -441,7 +440,7 @@ Here are the most common failure scenarios and solutions:
 
 1. You've exceeded a quota, most often number of resources per region. See [this article on quotas and limits](https://aka.ms/oai/quotas).
 
-1. You're getting "same resource name not allowed" conflicts. That's likely because you've run the sample multiple times and deleted the resources you've been creating each time, but are forgetting to purge them. Azure keeps resources for 48 hours unless you purge from soft delete. See [this article on purging resources](https://learn.microsoft.com/azure/cognitive-services/manage-resources?tabs=azure-portal#purge-a-deleted-resource).
+1. You're getting "same resource name not allowed" conflicts. That's likely because you've run the sample multiple times and deleted the resources you've been creating each time, but are forgetting to purge them. Azure keeps resources for 48 hours unless you purge from soft delete. See [this article on purging resources](https://learn.microsoft.com/azure/ai-services/recover-purge-resources?tabs=azure-portal#purge-a-deleted-resource).
 
 1. After running `azd up` and visiting the website, you see a '404 Not Found' in the browser. Wait 10 minutes and try again, as it might be still starting up. Then try running `azd deploy` and wait again. If you still encounter errors with the deployed app, consult these [tips for debugging App Service app deployments](http://blog.pamelafox.org/2023/06/tips-for-debugging-flask-deployments-to.html) and file an issue if the error logs don't help you resolve the issue.
 
 
@@ -1,7 +1,7 @@
 {
   "analysisServicesServers": "as",
   "apiManagementService": "apim-",
-  "appConfigurationConfigurationStores": "appcs-",
+  "appConfigurationStores": "appcs-",
   "appManagedEnvironments": "cae-",
   "appContainerApps": "ca-",
   "authorizationPolicyDefinitions": "policy-",
@@ -55,6 +55,7 @@
   "kubernetesConnectedClusters": "arck",
   "kustoClusters": "dec",
   "kustoClustersDatabases": "dedb",
+  "loadTesting": "lt-",
   "logicIntegrationAccounts": "ia-",
   "logicWorkflows": "logic-",
   "machineLearningServicesWorkspaces": "mlw-",
 
@@ -1,15 +1,26 @@
+metadata description = 'Creates an Azure Cognitive Services instance.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
-
+@description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
 param deployments array = []
 param kind string = 'OpenAI'
+
+@allowed([ 'Enabled', 'Disabled' ])
 param publicNetworkAccess string = 'Enabled'
 param sku object = {
   name: 'S0'
 }
 
+param allowedIpRules array = []
+param networkAcls object = empty(allowedIpRules) ? {
+  defaultAction: 'Allow'
+} : {
+  ipRules: allowedIpRules
+  defaultAction: 'Deny'
+}
+
 resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   name: name
   location: location
@@ -18,6 +29,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   properties: {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
+    networkAcls: networkAcls
   }
   sku: sku
 }
 
@@ -1,60 +1,139 @@
+metadata description = 'Creates a container app in an Azure Container App environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param containerAppsEnvironmentName string = ''
+@description('Allowed origins')
+param allowedOrigins array = []
+
+@description('Name of the environment for container apps')
+param containerAppsEnvironmentName string
+
+@description('CPU cores allocated to a single container instance, e.g., 0.5')
+param containerCpuCoreCount string = '0.5'
+
+@description('The maximum number of replicas to run. Must be at least 1.')
+@minValue(1)
+param containerMaxReplicas int = 10
+
+@description('Memory allocated to a single container instance, e.g., 1Gi')
+param containerMemory string = '1.0Gi'
+
+@description('The minimum number of replicas to run. Must be at least 1.')
+param containerMinReplicas int = 1
+
+@description('The name of the container')
 param containerName string = 'main'
+
+@description('The name of the container registry')
 param containerRegistryName string = ''
+
+@description('The protocol used by Dapr to connect to the app, e.g., http or grpc')
+@allowed([ 'http', 'grpc' ])
+param daprAppProtocol string = 'http'
+
+@description('The Dapr app ID')
+param daprAppId string = containerName
+
+@description('Enable Dapr')
+param daprEnabled bool = false
+
+@description('The environment variables for the container')
 param env array = []
-param secrets array = []
+
+@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
-param imageName string
-param keyVaultName string = ''
-param managedIdentity bool = !empty(keyVaultName)
+
+@description('The name of the user-assigned identity')
+param identityName string = ''
+
+@description('The type of identity for the resource')
+@allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
+param identityType string = 'None'
+
+@description('The name of the container image')
+param imageName string = ''
+
+@description('Specifies if Ingress is enabled for the container app')
+param ingressEnabled bool = true
+
+param revisionMode string = 'Single'
+
+@description('The secrets required for the container')
+param secrets array = []
+
+@description('The service binds associated with the container')
+param serviceBinds array = []
+
+@description('The name of the container apps add-on to use. e.g. redis')
+param serviceType string = ''
+
+@description('The target port for the container')
 param targetPort int = 80
-param allowedOrigins array = []
 
-@description('CPU cores allocated to a single container instance, e.g. 0.5')
-param containerCpuCoreCount string = '0.5'
+resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(identityName)) {
+  name: identityName
+}
 
-@description('Memory allocated to a single container instance, e.g. 1Gi')
-param containerMemory string = '1.0Gi'
+// Private registry support requires both an ACR name and a User Assigned managed identity
+var usePrivateRegistry = !empty(identityName) && !empty(containerRegistryName)
+
+// Automatically set to `UserAssigned` when an `identityName` has been set
+var normalizedIdentityType = !empty(identityName) ? 'UserAssigned' : identityType
 
-resource app 'Microsoft.App/containerApps@2023-05-01' = {
+module containerRegistryAccess '../security/registry-access.bicep' = if (usePrivateRegistry) {
+  name: '${deployment().name}-registry-access'
+  params: {
+    containerRegistryName: containerRegistryName
+    principalId: usePrivateRegistry ? userIdentity.properties.principalId : ''
+  }
+}
+
+resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
   name: name
   location: location
   tags: tags
-  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
+  // It is critical that the identity is granted ACR pull access before the app is created
+  // otherwise the container app will throw a provision error
+  // This also forces us to use an user assigned managed identity since there would no way to 
+  // provide the system assigned identity with the ACR pull access before the app is created
+  dependsOn: usePrivateRegistry ? [ containerRegistryAccess ] : []
+  identity: {
+    type: normalizedIdentityType
+    userAssignedIdentities: !empty(identityName) && normalizedIdentityType == 'UserAssigned' ? { '${userIdentity.id}': {} } : null
+  }
   properties: {
     managedEnvironmentId: containerAppsEnvironment.id
     configuration: {
-      activeRevisionsMode: 'single'
-      ingress: {
+      activeRevisionsMode: revisionMode
+      ingress: ingressEnabled ? {
         external: external
         targetPort: targetPort
         transport: 'auto'
         corsPolicy: {
-          allowedOrigins: empty(allowedOrigins) ? ['*'] : allowedOrigins
-        }
-      }
-      secrets: concat(secrets, [
-        {
-          name: 'registry-password'
-          value: containerRegistry.listCredentials().passwords[0].value
+          allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
         }
-      ])
-      registries: [
+      } : null
+      dapr: daprEnabled ? {
+        enabled: true
+        appId: daprAppId
+        appProtocol: daprAppProtocol
+        appPort: ingressEnabled ? targetPort : 0
+      } : { enabled: false }
+      secrets: secrets
+      service: !empty(serviceType) ? { type: serviceType } : null
+      registries: usePrivateRegistry ? [
         {
-          server: '${containerRegistry.name}.azurecr.io'
-          username: containerRegistry.name
-          passwordSecretRef: 'registry-password'
+          server: '${containerRegistryName}.azurecr.io'
+          identity: userIdentity.id
         }
-      ]
+      ] : []
     }
     template: {
+      serviceBinds: !empty(serviceBinds) ? serviceBinds : null
       containers: [
         {
-          image: imageName
+          image: !empty(imageName) ? imageName : 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
           name: containerName
           env: env
           resources: {
@@ -64,26 +143,20 @@ resource app 'Microsoft.App/containerApps@2023-05-01' = {
         }
       ]
       scale: {
-        minReplicas: 1
-        maxReplicas: 10
+        minReplicas: containerMinReplicas
+        maxReplicas: containerMaxReplicas
       }
     }
   }
-  dependsOn: [
-    containerRegistry
-  ]
 }
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
   name: containerAppsEnvironmentName
 }
 
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = {
-  name: containerRegistryName
-}
-
-output identityPrincipalId string = managedIdentity ? app.identity.principalId : ''
+output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
+output identityPrincipalId string = normalizedIdentityType == 'None' ? '' : (empty(identityName) ? app.identity.principalId : userIdentity.properties.principalId)
 output imageName string = imageName
 output name string = app.name
-output uri string = 'https://${app.properties.configuration.ingress.fqdn}'
+output serviceBind object = !empty(serviceType) ? { serviceId: app.id, name: name } : {}
+output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''
@@ -1,10 +1,18 @@
+metadata description = 'Creates an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
+@description('Name of the Application Insights resource')
+param applicationInsightsName string = ''
+
+@description('Specifies if Dapr is enabled')
+param daprEnabled bool = false
+
+@description('Name of the Log Analytics workspace')
 param logAnalyticsWorkspaceName string
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' = {
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
   name: name
   location: location
   tags: tags
@@ -16,11 +24,18 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01'
         sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
       }
     }
+    daprAIInstrumentationKey: daprEnabled && !empty(applicationInsightsName) ? applicationInsights.properties.InstrumentationKey : ''
   }
 }
 
 resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
   name: logAnalyticsWorkspaceName
 }
 
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (daprEnabled && !empty(applicationInsightsName)) {
+  name: applicationInsightsName
+}
+
+output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
+output id string = containerAppsEnvironment.id
 output name string = containerAppsEnvironment.name
@@ -1,10 +1,14 @@
+metadata description = 'Creates an Azure Container Registry and an Azure Container Apps environment.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param containerAppsEnvironmentName string = ''
-param containerRegistryName string = ''
-param logAnalyticsWorkspaceName string = ''
+param containerAppsEnvironmentName string
+param containerRegistryName string
+param containerRegistryResourceGroupName string = ''
+param containerRegistryAdminUserEnabled bool = false
+param logAnalyticsWorkspaceName string
+param applicationInsightsName string = ''
 
 module containerAppsEnvironment 'container-apps-environment.bicep' = {
   name: '${name}-container-apps-environment'
@@ -13,18 +17,24 @@ module containerAppsEnvironment 'container-apps-environment.bicep' = {
     location: location
     tags: tags
     logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
+    applicationInsightsName: applicationInsightsName
   }
 }
 
 module containerRegistry 'container-registry.bicep' = {
   name: '${name}-container-registry'
+  scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
   params: {
     name: containerRegistryName
     location: location
+    adminUserEnabled: containerRegistryAdminUserEnabled
     tags: tags
   }
 }
 
+output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain
 output environmentName string = containerAppsEnvironment.outputs.name
+output environmentId string = containerAppsEnvironment.outputs.id
+
 output registryLoginServer string = containerRegistry.outputs.loginServer
 output registryName string = containerRegistry.outputs.name