Address all Bicep warnings (#2854)

Author: pamelafox

.github/instructions/bicep.instructions.md

@@ -0,0 +1,34 @@
+---
+description: 'Infrastructure as Code with Bicep'
+applyTo: '**/*.bicep'
+---
+
+# Bicep best-practices
+This list of best-practices builds on top of information available at https://learn.microsoft.com/azure/azure-resource-manager/bicep. It provides a more opinionated and up-to-date set of rules for generating high-quality Bicep code. You should aim to follow these rules whenever generating or modifying Bicep code.
+
+## Rules
+### General
+1. Avoid setting the `name` field for `module` statements - it is no longer required.
+1. If you need to input or output a set of logically-grouped values, generate a single `param` or `output` statement with a User-defined type instead of emitting a `param` or `output` statement for each value.
+1. If generating parameters, default to generating Bicep parameters files (`*.bicepparam`), instead of ARM parameters files (`*.json`).
+
+### Resources
+1. Do not add references from child resources to parent resources by using `/` characters in the child resource `name` property. Instead, use the `parent` property with a symbolic reference to the parent resource.
+1. If you are generating a child resource type, sometimes this may require you to add an `existing` resource for the parent if the parent is not already present in the file.
+1. If you see diagnostic codes `BCP036`, `BCP037` or `BCP081`, this may indicate you have hallucinated resource types or resource type properties. You may need to double-check against available resource type schema to tune your output.
+1. Avoid using multiple `resourceId()` functions and `reference()` function where possible. Instead use symbolic names to refer to ids or properties, creating `existing` resources if needed. For example, write `foo.id` or `foo.properties.id`, instead of `resourceId('...')` or `reference('...').id`.
+
+### Types
+1. Avoid using open types such as `array` or `object` when referencing types where possible (e.g. in `output` or `param` statements). Instead, use User-defined types to define a more precise type.
+1. Use typed variables instead of untyped variables when exporting values with the `@export()` decorator. For example, use `var foo string = 'blah'` instead of `var foo = bar`.
+1. When using User-defined types, aim to avoid repetition, and comment properties with `@description()` where the context is unclear.
+1. If you are passing data directly to or from a resource body via a `param` or `output` statement, try to use existing Resource-derived types (`resourceInput<'type@version'>` and `resourceOutput<'type@version'>`) instead of writing User-defined types.
+
+### Security
+1. When generating `param` or `output` statements, ALWAYS use the `@secure()` decorator if sensitive data is present.
+
+### Syntax
+1. If you hit warnings or errors with null properties, prefer solving them with the safe-dereference (`.?`) operator, in conjunction with the coalesce (`??`) operator. For example, `a.?b ?? c` is better than `a!.b` which may cause runtime errors, or `a != null ? a.b : c` which is unnecessarily verbose.
+
+## Glossary
+* Child resource: an Azure resource type with type name consisting of more than 1 `/` characters. For example, `Microsoft.Network/virtualNetworks/subnets` is a child resource. `Microsoft.Network/virtualNetworks` is not.

docs/deploy_existing.md

@@ -8,7 +8,6 @@ You should set these values before running `azd up`. Once you've set them, retur
 * [OpenAI resource](#openai-resource)
 * [Azure AI Search resource](#azure-ai-search-resource)
 * [Azure App Service Plan and App Service resources](#azure-app-service-plan-and-app-service-resources)
-* [Azure Application Insights and related resources](#azure-application-insights-and-related-resources)
 * [Azure AI Vision resources](#azure-ai-vision-resources)
 * [Azure Document Intelligence resource](#azure-document-intelligence-resource)
 * [Azure Speech resource](#azure-speech-resource)
@@ -72,12 +71,6 @@ You can also customize the search service (new or existing) for non-English sear
 1. Run `azd env set AZURE_APP_SERVICE {Name of existing Azure App Service}`.
 1. Run `azd env set AZURE_APP_SERVICE_SKU {SKU of Azure App Service, defaults to B1}`.
 
-## Azure Application Insights and related resources
-
-1. Run `azd env set AZURE_APPLICATION_INSIGHTS {Name of existing Azure App Insights}`.
-1. Run `azd env set AZURE_APPLICATION_INSIGHTS_DASHBOARD {Name of existing Azure App Insights Dashboard}`.
-1. Run `azd env set AZURE_LOG_ANALYTICS {Name of existing Azure Log Analytics Workspace Name}`.
-
 ## Azure AI Vision resources
 
 1. Run `azd env set AZURE_VISION_SERVICE {Name of existing Azure AI Vision Service Name}`

infra/backend-dashboard.bicep

@@ -4,7 +4,6 @@ param applicationInsightsName string
 param location string = resourceGroup().location
 param tags object = {}
 
-// 2020-09-01-preview because that is the latest valid version
 resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-preview' = {
   name: name
   location: location
@@ -21,7 +20,9 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 2
               rowSpan: 1
             }
-            metadata: {
+            // The Bicep schema only defines MarkdownPart, so we use any() to bypass
+            // type checking for other valid extension types (AppInsightsExtension, MonitorChartPart)
+            metadata: any({
               inputs: [
                 {
                   name: 'id'
@@ -32,14 +33,13 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   value: '1.0'
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/AspNetOverviewPinnedPart'
               asset: {
                 idInputName: 'id'
                 type: 'ApplicationInsights'
               }
               defaultMenuItemId: 'overview'
-            }
+            })
           }
           {
             position: {
@@ -48,7 +48,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 1
               rowSpan: 1
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'ComponentId'
@@ -63,14 +63,13 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   value: '1.0'
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/ProactiveDetectionAsyncPart'
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
               }
               defaultMenuItemId: 'ProactiveDetection'
-            }
+            })
           }
           {
             position: {
@@ -79,7 +78,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 1
               rowSpan: 1
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'ComponentId'
@@ -105,13 +104,12 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   value: '78ce933e-e864-4b05-a27b-71fd55a6afad'
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/AppMapButtonPart'
               asset: {
                 idInputName: 'ComponentId'
                 type: 'ApplicationInsights'
               }
-            }
+            })
           }
           {
             position: {
@@ -141,7 +139,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 1
               rowSpan: 1
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'ResourceId'
@@ -167,15 +165,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   isOptional: true
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/CuratedBladeFailuresPinnedPart'
               isAdapter: true
               asset: {
                 idInputName: 'ResourceId'
                 type: 'ApplicationInsights'
               }
               defaultMenuItemId: 'failures'
-            }
+            })
           }
           {
             position: {
@@ -205,7 +202,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 1
               rowSpan: 1
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'ResourceId'
@@ -231,15 +228,14 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   isOptional: true
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/AppInsightsExtension/PartType/CuratedBladePerformancePinnedPart'
               isAdapter: true
               asset: {
                 idInputName: 'ResourceId'
                 type: 'ApplicationInsights'
               }
               defaultMenuItemId: 'performance'
-            }
+            })
           }
           {
             position: {
@@ -248,7 +244,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 4
               rowSpan: 3
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'options'
@@ -306,10 +302,9 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   isOptional: true
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/HubsExtension/PartType/MonitorChartPart'
               settings: {}
-            }
+            })
           }
           {
             position: {
@@ -318,7 +313,7 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
               colSpan: 4
               rowSpan: 3
             }
-            metadata: {
+            metadata: any({
               inputs: [
                 {
                   name: 'options'
@@ -376,10 +371,9 @@ resource applicationInsightsDashboard 'Microsoft.Portal/dashboards@2020-09-01-pr
                   isOptional: true
                 }
               ]
-              #disable-next-line BCP036
               type: 'Extension/HubsExtension/PartType/MonitorChartPart'
               settings: {}
-            }
+            })
           }
         ]
       }

infra/core/ai/hub.bicep

@@ -60,9 +60,9 @@ resource hub 'Microsoft.MachineLearningServices/workspaces@2024-07-01-preview' =
         category: 'CognitiveSearch'
         authType: 'ApiKey'
         isSharedToAll: true
-        target: 'https://${search.name}.search.windows.net/'
+        target: 'https://${search!.name}.search.windows.net/'
         credentials: {
-          key: !empty(aiSearchName) ? search.listAdminKeys().primaryKey : ''
+          key: !empty(aiSearchName) ? search!.listAdminKeys().primaryKey : ''
         }
       }
     }

infra/core/host/appservice.bicep

@@ -99,8 +99,8 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
       },
       runtimeName == 'python' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true' } : {},
-      !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
-      !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
+      !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights!.properties.ConnectionString } : {},
+      !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault!.properties.vaultUri } : {})
   }
 
   resource configLogs 'config' = {

infra/core/host/container-app-upsert.bicep

@@ -116,7 +116,7 @@ module app 'container-app.bicep' = {
     allowedOrigins: allowedOrigins
     external: external
     env: concat(envAsArray, envSecrets)
-    imageName: !empty(imageName) ? imageName : exists ? existingApp.properties.template.containers[0].image : ''
+    imageName: !empty(imageName) ? imageName : exists ? existingApp!.properties.template.containers[0].image : ''
     targetPort: targetPort
     serviceBinds: serviceBinds
   }

infra/core/host/container-app.bicep

@@ -104,7 +104,7 @@ module containerRegistryAccess '../security/registry-access.bicep' = if (usePriv
   name: '${deployment().name}-registry-access'
   params: {
     containerRegistryName: containerRegistryName
-    principalId: usePrivateRegistry ? userIdentity.properties.principalId : ''
+    principalId: usePrivateRegistry ? userIdentity!.properties.principalId : ''
   }
 }
 
@@ -174,7 +174,7 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01'
 }
 
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
-output identityPrincipalId string = normalizedIdentityType == 'None' ? '' : (empty(identityName) ? app.identity.principalId : userIdentity.properties.principalId)
+output identityPrincipalId string = normalizedIdentityType == 'None' ? '' : (empty(identityName) ? app.identity.principalId : userIdentity!.properties.principalId)
 output identityResourceId string = normalizedIdentityType == 'UserAssigned' ? resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', userIdentity.name) : ''
 output imageName string = imageName
 output name string = app.name

infra/core/host/container-apps-environment.bicep

@@ -28,11 +28,11 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2025-02-02-
     appLogsConfiguration: {
       destination: 'log-analytics'
       logAnalyticsConfiguration: {
-        customerId: logAnalyticsWorkspace.properties.customerId
-        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
+        customerId: logAnalyticsWorkspace!.properties.customerId
+        sharedKey: logAnalyticsWorkspace!.listKeys().primarySharedKey
       }
     }
-    daprAIInstrumentationKey: daprEnabled && !empty(applicationInsightsName) ? applicationInsights.properties.InstrumentationKey : ''
+    daprAIInstrumentationKey: daprEnabled && !empty(applicationInsightsName) ? applicationInsights!.properties.InstrumentationKey : ''
     publicNetworkAccess: usePrivateIngress ? 'Disabled' : 'Enabled'
     vnetConfiguration: usePrivateIngress ? {
       infrastructureSubnetId: subnetResourceId