
Fix Bicep compilation errors preventing azd up/down in AI Gallery template #400


Open. Wants to merge 4 commits into base: main

Conversation

@Copilot Copilot AI commented Jul 10, 2025

This PR resolves critical Bicep compilation errors that were preventing azd up and azd down from working, addressing the AI Gallery Standard Validation failures.

Issues Fixed

1. Critical BCP420 Scope Resolution Error

The main blocker was in infra/core/host/container-apps.bicep where a conditional scope expression was too complex for compile-time resolution:

```bicep
// Before (causing BCP420 error)
module containerRegistry 'container-registry.bicep' = {
  scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
  // ...
}

// After (split into two modules)
module containerRegistryInCustomRG 'container-registry.bicep' = if (!empty(containerRegistryResourceGroupName)) {
  scope: resourceGroup(containerRegistryResourceGroupName)
  // ...
}

module containerRegistryInCurrentRG 'container-registry.bicep' = if (empty(containerRegistryResourceGroupName)) {
  // ...
}
```

2. Safe Access Operator Warnings

Replaced contains() function calls with modern safe access operator (.?) and null coalescing (??):

storage-account.bicep:

```bicep
// Before
publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'

// After
publicAccess: container.?publicAccess ?? 'None'
```

keyvault-secrets.bicep:

```bicep
// Before
enabled: contains(secret, 'enabled') ? secret.enabled : true
exp: contains(secret, 'exp') ? secret.exp : 0

// After
enabled: secret.?enabled ?? true
exp: secret.?exp ?? 0
```

cognitiveservices.bicep:

```bicep
// Before
raiPolicyName: contains(deployment, 'raiPolicyName') ? deployment.raiPolicyName : null
sku: contains(deployment, 'sku') ? deployment.sku : { name: 'Standard', capacity: 20 }

// After
raiPolicyName: deployment.?raiPolicyName ?? null
sku: deployment.?sku ?? { name: 'Standard', capacity: 20 }
```

Validation Results

  • Main Bicep template compiles successfully
  • All 22 core Bicep modules compile individually
  • All 2 app Bicep modules compile individually
  • BCP420 and BCP104 errors eliminated
  • All use-safe-access warnings resolved
  • ⚠️ Only 1 warning remains: secure value warning (acceptable as parameter is marked @secure())

Impact

These fixes should resolve the azd up and azd down failures reported in the AI Gallery Standard Validation, allowing the template to be properly deployed and torn down.

Fixes #375.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: bicep build infra/main.bicep --stdout (dns block)
    • Triggering command: curl -fsSL REDACTED (dns block)
    • Triggering command: bicep build --stdout infra/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
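The BCP420 workaround above leaves one thing unstated: once the registry module is split in two, anything downstream that needs the registry's outputs has to pick the output of whichever module was actually deployed. The following is an added example, not the template's own `infra/core/host/container-apps.bicep`; it assumes a sibling `container-registry.bicep` that accepts `name` and `location` parameters and exposes a `loginServer` output (a hypothetical contract used only for illustration).

```bicep
// Added example (not the project's file): the two-module pattern from the PR,
// plus merging the outputs of the two mutually exclusive modules into one value.
// Assumes a hypothetical sibling module 'container-registry.bicep' with params
// 'name' and 'location' and an output 'loginServer'.
param name string
param location string = resourceGroup().location
param containerRegistryName string
param containerRegistryResourceGroupName string = ''

var useCustomRG = !empty(containerRegistryResourceGroupName)

// Bicep cannot resolve a ternary inside `scope` at compile time (BCP420), so each
// branch becomes its own conditionally deployed module with a static scope.
module containerRegistryInCustomRG 'container-registry.bicep' = if (useCustomRG) {
  name: '${name}-registry-custom-rg'
  scope: resourceGroup(containerRegistryResourceGroupName)
  params: {
    name: containerRegistryName
    location: location
  }
}

module containerRegistryInCurrentRG 'container-registry.bicep' = if (!useCustomRG) {
  name: '${name}-registry-current-rg'
  params: {
    name: containerRegistryName
    location: location
  }
}

// Exactly one module exists at deploy time. The same condition selects its output,
// and because the ternary compiles to ARM's lazily evaluated if(), the reference
// to the undeployed module is never evaluated.
output registryLoginServer string = useCustomRG ? containerRegistryInCustomRG.outputs.loginServer : containerRegistryInCurrentRG.outputs.loginServer
```

Keep the selector variable (`useCustomRG`) in one place: if the module conditions and the output ternary ever disagree, the deployment fails at runtime with a reference to a resource that was never created, which is much harder to spot than the compile-time BCP420 error this pattern replaces.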



@Copilot Copilot AI changed the title [WIP] [Auto] AI Gallery Standard Validation Fix Bicep compilation errors preventing azd up/down in AI Gallery template Jul 10, 2025
@Copilot Copilot AI requested a review from spboyer July 10, 2025 17:17
Copilot finished work on behalf of spboyer July 10, 2025 17:17
@spboyer spboyer marked this pull request as ready for review July 10, 2025 17:29

@kristenwomack kristenwomack left a comment


@copilot - I got this error message and when fixing it, then re-deploying it, it worked.

Error message

ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
RequestDisallowedByPolicy: Resource 'sts6kfcrkejlziy' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Anonymous blob access is not allowed. For more information, refer to https://aka.ms/denyblobaccess.','This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.

Error Analysis

  1. Anonymous Blob Access Policy Violation
    Issue: The policy blocks storage accounts that allow anonymous blob access
    Resource: storage account
    Policy: Organization has disabled anonymous blob access for security
  2. Local Authentication Methods Policy Violation
    Issue: The policy blocks storage accounts using access keys/connection strings
    Policy: Organization requires managed identity or other secure authentication methods

Changes Applied:

  • Disabled Anonymous Blob Access: Added allowBlobPublicAccess: false
  • Disabled Shared Key Access: Added allowSharedKeyAccess: false
  • Enabled OAuth by Default: Added defaultToOAuthAuthentication: true
  • Set Container Access to None: Changed publicAccess: 'Blob' to publicAccess: 'None'

What This Means:

✅ Security Compliant: Now meets your organization's security policies
✅ Managed Identity Only: Applications will use managed identities for authentication
✅ No Public Access: Containers are private and secure
✅ Modern Authentication: Uses Azure AD OAuth instead of access keys

Will you please recheck and make changes to the PR?
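The four settings listed in this comment, assembled into one module as an added example (not the template's own `infra/core/storage/storage-account.bicep`). It goes one step beyond the comment: with `allowSharedKeyAccess: false` the application can no longer authenticate with a connection string, so the module also takes an optional `principalId` and grants that identity the built-in Storage Blob Data Contributor role. The parameter names, the API versions and the container loop are assumptions for illustration.

```bicep
// Added example module (not the project's file): a storage account that bakes in
// the policy-compliant defaults from the review comment and grants data-plane
// access through RBAC instead of shared keys.
@description('Storage account name (3-24 lowercase alphanumerics)')
@minLength(3)
@maxLength(24)
param name string
param location string = resourceGroup().location
param tags object = {}

@description('Containers to create, e.g. [ { name: \'uploads\' } ]; publicAccess may be omitted')
param containers array = []

@description('Object id of the managed identity that needs blob access; empty skips the role assignment')
param principalId string = ''

// Weak settings that tripped the policy (allowBlobPublicAccess: true, shared keys
// on, container publicAccess: 'Blob') are replaced by these defaults.
param allowBlobPublicAccess bool = false
param allowSharedKeyAccess bool = false

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  tags: tags
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: allowBlobPublicAccess      // no anonymous blob reads
    allowSharedKeyAccess: allowSharedKeyAccess        // no account keys / connection strings
    defaultToOAuthAuthentication: true                // portal and tools default to Entra ID auth
  }

  resource blobServices 'blobServices' = if (!empty(containers)) {
    name: 'default'
    // Safe-access operator: a container entry without publicAccess falls back to 'None'.
    resource container 'containers' = [for c in containers: {
      name: c.name
      properties: {
        publicAccess: c.?publicAccess ?? 'None'
      }
    }]
  }
}

// Built-in role id for Storage Blob Data Contributor.
var blobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

// With shared keys disabled, this role assignment is how the app gets to its blobs.
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(principalId)) {
  name: guid(storage.id, principalId, blobDataContributorRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobDataContributorRoleId)
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

output name string = storage.name
output primaryEndpoints object = storage.properties.primaryEndpoints
```

Leaving `allowBlobPublicAccess` and `allowSharedKeyAccess` as parameters rather than hard-coding them keeps the module reusable, but the defaults are the secure values, so a caller has to opt in explicitly (and visibly, in code review) to weaken them.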

@spboyer spboyer commented Jul 10, 2025

> @copilot - I got this error message and when fixing it, then re-deploying it, it worked.
>
> Error message
>
> ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:
>
> Deployment Error Details:
> InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
> RequestDisallowedByPolicy: Resource 'sts6kfcrkejlziy' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Anonymous blob access is not allowed. For more information, refer to https://aka.ms/denyblobaccess.','This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.
>
> Error Analysis
>
>   1. Anonymous Blob Access Policy Violation
>     Issue: The policy blocks storage accounts that allow anonymous blob access
>     Resource: storage account
>     Policy: Organization has disabled anonymous blob access for security
>   2. Local Authentication Methods Policy Violation
>     Issue: The policy blocks storage accounts using access keys/connection strings
>     Policy: Organization requires managed identity or other secure authentication methods
>
> Changes Applied:
>
>   • Disabled Anonymous Blob Access: Added allowBlobPublicAccess: false
>   • Disabled Shared Key Access: Added allowSharedKeyAccess: false
>   • Enabled OAuth by Default: Added defaultToOAuthAuthentication: true
>   • Set Container Access to None: Changed publicAccess: 'Blob' to publicAccess: 'None'
>
> What This Means:
>
> ✅ Security Compliant: Now meets your organization's security policies
> ✅ Managed Identity Only: Applications will use managed identities for authentication
> ✅ No Public Access: Containers are private and secure
> ✅ Modern Authentication: Uses Azure AD OAuth instead of access keys
>
> Will you please recheck and make changes to the PR?

@copilot can you address these errors?

@Copilot Copilot AI (Author) commented Jul 10, 2025

> @copilot - I got this error message and when fixing it, then re-deploying it, it worked.
>
> Error message
>
> ...

I've fixed the Azure policy violations in the storage account configuration. The changes disable anonymous blob access, disable shared key access, enable OAuth authentication by default, and set container access to None. These changes ensure compliance with your organization's security policies. The Bicep template compiles successfully with these security-compliant settings.

Commit: 0cbacc2

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: bicep build infra/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of spboyer July 10, 2025 20:40

@kristenwomack kristenwomack left a comment


LGTM!

@rajeshkamal5050

@vhvb1989 @JeffreyCA can you help review this?

infra/main.json Outdated
@@ -0,0 +1,7432 @@
{
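Review bot: a 7,432-line generated file (infra/main.json, the ARM output of `bicep build`) should not be committed: it duplicates infra/main.bicep, goes stale the moment the Bicep source changes, and every reviewer now has to diff compiled JSON to see what actually changed. Drop the file from this PR and add the compiled-output pattern to .gitignore so azd regenerates it at provision time.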
Contributor left a comment

All this file is not required. Should be removed

Author (Copilot AI) left a comment

Removed the compiled Bicep output file and updated .gitignore to prevent future compiled outputs from being committed to the repository. Commit: 7080a1e


@vhvb1989 vhvb1989 left a comment


LGTM, but there is no need to commit the full ARM file (main.json)

Copilot finished work on behalf of vhvb1989 July 11, 2025 22:14
@Copilot Copilot AI requested a review from vhvb1989 July 11, 2025 22:14

Copilot AI commented Jul 11, 2025

> LGTM, but there is no need to commit the full ARM file (main.json)

The main.json file has been removed and .gitignore updated to exclude compiled Bicep outputs while preserving necessary parameter files. Commit: 7080a1e

Copilot finished work on behalf of vhvb1989 July 11, 2025 22:19

@JeffreyCA JeffreyCA Jul 11, 2025


Can we also make openAIApiKey a @secure() param? Here and in infra/app/web.bicep

Contributor left a comment

@copilot will you please make openAIApiKey a @secure() param in infra/app/main.bicep and in infra/app/web.bicep as @JeffreyCA suggested?


> @copilot will you please make openAIApiKey a @secure() param in infra/app/main.bicep and in infra/app/web.bicep as @JeffreyCA suggested?

@copilot See requests
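What the `@secure()` request above looks like when carried through to the container app, as an added example that is not the template's own `infra/app/web.bicep`. The parameter names other than `openAIApiKey`, the image and port parameters, the secret name and the API version are assumptions for illustration; the caller is assumed to declare its own `@secure() param openAIApiKey string` and pass it straight through with `params: { openAIApiKey: openAIApiKey }`.

```bicep
// Added example module (not the project's file): takes the OpenAI key as a
// @secure() parameter and hands it to the app via a Container Apps secret
// reference rather than a plain environment-variable value.
param name string
param location string = resourceGroup().location
param tags object = {}
param containerAppsEnvironmentId string
param image string
param targetPort int = 8080

// @secure() keeps the value out of the deployment history, the ARM operation
// logs and `azd` output. The caller (e.g. infra/app/main.bicep) must declare its
// own @secure() parameter and forward it unchanged.
@secure()
param openAIApiKey string

resource web 'Microsoft.App/containerApps@2023-05-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    managedEnvironmentId: containerAppsEnvironmentId
    configuration: {
      ingress: {
        external: true
        targetPort: targetPort
      }
      // The secret store is the only place the raw value lands; the control
      // plane does not return secret values on a GET of the container app.
      secrets: [
        {
          name: 'openai-api-key'
          value: openAIApiKey
        }
      ]
    }
    template: {
      containers: [
        {
          name: 'web'
          image: image
          env: [
            {
              // secretRef instead of value: the key is resolved at runtime and
              // is not visible in the template's env list.
              name: 'OPENAI_API_KEY'
              secretRef: 'openai-api-key'
            }
          ]
        }
      ]
    }
  }
}

// Outputs deliberately do not include anything derived from the secure parameter;
// Bicep flags a secure value flowing into a non-secure output.
output name string = web.name
output uri string = 'https://${web.properties.configuration.ingress.fqdn}'
```

The two halves have to match: marking the parameter `@secure()` in web.bicep alone still leaves the value in plain text in main.bicep's deployment inputs, which is why the request covers both files.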

@spboyer spboyer assigned Copilot and unassigned spboyer and Copilot Jul 14, 2025
Successfully merging this pull request may close these issues.

[Auto] AI Gallery Standard Validation