Bicep refactor (#470)

* deployment names + LAW sku

* bumping acr import

* deployment name limit

* better string trimming.

* descriptive managed id name

* bumping k8s version

* api version bumps

* linter warnings

* ContainerLogV2 parent

* adding v2configmap to gitignore

* requestRoutingRule priority

.gitignore

@@ -8,3 +8,4 @@ bicep/main.json
 helper/localsite.html
 helper/prodsite.html
 helper/build/**
+container-azm-ms-agentconfig.yaml

bicep/acragentpool.bicep

@@ -2,7 +2,7 @@ param location string = resourceGroup().location
 param acrName string
 param acrPoolSubnetId string = ''
 
-resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing =  {
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing =  {
   name: acrName
 }
 

bicep/aksagentpool.bicep

@@ -59,8 +59,8 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
     mode: 'User'
     vmSize: agentVMSize
     count: agentCount
-    minCount: autoScale ? agentCount : json('null')
-    maxCount: autoScale ? agentCountMax : json('null')
+    minCount: autoScale ? agentCount : null
+    maxCount: autoScale ? agentCountMax : null
     enableAutoScaling: autoScale
     availabilityZones: !empty(availabilityZones) ? availabilityZones : null
     osDiskType: osDiskType
@@ -69,7 +69,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
     osType: osType
     maxPods: maxPods
     type: 'VirtualMachineScaleSets'
-    vnetSubnetID: !empty(subnetId) ? subnetId : json('null')
+    vnetSubnetID: !empty(subnetId) ? subnetId : null
     upgradeSettings: {
       maxSurge: '33%'
     }

bicep/aksnetcontrib.bicep

@@ -15,15 +15,15 @@ var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/rol
 var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
 var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''
 
-resource existingvnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing =  {
+resource existingvnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing =  {
   name: existingAksVnetName
 }
-resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01' existing = {
+resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
   parent: existingvnet
   name: existingAksSubnetName
 }
 
-resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') {
+resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
   name:  guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
   scope: existingAksSubnet
   properties: {
@@ -33,7 +33,7 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview'
   }
 }
 
-resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope != 'subnet') {
+resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') {
   name:  guid(user_identity_principalId, networkContributorRole, existingAksVnetName)
   scope: existingvnet
   properties: {

bicep/appgw.bicep

@@ -25,7 +25,7 @@ resource appgwpip 'Microsoft.Network/publicIPAddresses@2020-07-01' = {
 var frontendPublicIpConfig = {
   properties: {
     publicIPAddress: {
-      id: '${appgwpip.id}'
+      id: appgwpip.id
     }
   }
   name: 'appGatewayFrontendIP'

bicep/bicepconfig.json

@@ -1,9 +1,13 @@
+
 {
     "analyzers": {
       "core": {
         "enabled": true,
         "verbose": false,
         "rules": {
+            "use-recent-api-versions" : {
+                "level": "warning"
+            },
             "no-hardcoded-location" : {
                 "level": "error"
             },

bicep/dnsZone.bicep

@@ -12,7 +12,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
 }
 
 var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
-resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
+resource dnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!isPrivate) {
   scope: dns
   name: guid(dns.id, principalId, DNSZoneContributor)
   properties: {
@@ -23,7 +23,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 
 var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
-resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
+resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (isPrivate) {
   scope: privateDns
   name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
   properties: {

bicep/dnsZoneRbac.bicep

@@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : ''
 var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
 
 module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) {
-  name: 'dns-${dnsZoneName}'
+  name: take('${deployment().name}-dns-${dnsZoneName}',64)
   scope: resourceGroup(dnsZoneRg)
   params: {
     dnsZoneName: dnsZoneName

bicep/firewall.bicep

@@ -25,7 +25,7 @@ var managementIpConfig = {
   }
 }
 
-resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
+resource fw_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
   name: firewallPublicIpName
   location: location
   sku: {
@@ -38,7 +38,7 @@ resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
   }
 }
 
-resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(fwSku=='Basic') {
+resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(fwSku=='Basic') {
   name: firewallManagementPublicIpName
   location: location
   sku: {

bicep/keyvault.bicep

@@ -21,14 +21,13 @@ param keyVaultIPAllowlist array = []
 
 param logAnalyticsWorkspaceId string = ''
 
-var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
-var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
+var akvName = take('kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}',24)
 
 var kvIPRules = [for kvIp in keyVaultIPAllowlist: {
   value: kvIp
 }]
 
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: akvName
   location: location
   properties: {
@@ -52,7 +51,7 @@ resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
     enabledForDiskEncryption: false
     enabledForTemplateDeployment: false
     enableSoftDelete: keyVaultSoftDelete
-    enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
+    enablePurgeProtection: keyVaultPurgeProtection ? true : null
   }
 }
 

bicep/keyvaultkey.bicep

@@ -1,10 +1,10 @@
 param keyVaultName string
 
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: keyVaultName
 }
 
-resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = {
+resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
   name: 'kmskey'
   parent: kv
   properties: {

bicep/keyvaultrbac.bicep

@@ -48,7 +48,7 @@ var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/rol
 var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
 var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
 
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: keyVaultName
 }
 

bicep/main.bicep

@@ -40,7 +40,7 @@ param byoAGWSubnetId string = ''
 
 //--- Custom, BYO networking and PrivateApiZones requires BYO AKS User Identity
 var createAksUai = custom_vnet || !empty(byoAKSSubnetId) || !empty(dnsApiPrivateZoneId) || keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId)
-resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = if (createAksUai) {
+resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (createAksUai) {
   name: 'id-aks-${resourceName}'
   location: location
 }
@@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-pre
 var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : ''
 
 module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) {
-  name: 'addAksNetContributor'
+  name: take('${deployment().name}-addAksNetContributor',64)
   scope: resourceGroup(existingAksVnetRG)
   params: {
     byoAKSSubnetId: byoAKSSubnetId
@@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false
 param CreateNetworkSecurityGroupFlowLogs bool = false
 
 module network './network.bicep' = if (custom_vnet) {
-  name: 'network'
+  name: take('${deployment().name}-network',64)
   params: {
     resourceName: resourceName
     location: location
@@ -166,7 +166,7 @@ param dnsZoneId string = ''
 var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
 
 module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) {
-  name: 'addDnsContributor'
+  name: take('${deployment().name}-addDnsContributor',64)
   params: {
     dnsZoneId: dnsZoneId
     vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : ''
@@ -202,7 +202,7 @@ param keyVaultAksCSIPollInterval string = '2m'
 
 @description('Creates a KeyVault for application secrets (eg. CSI)')
 module kv 'keyvault.bicep' = if(keyVaultCreate) {
-  name: 'keyvaultApps'
+  name: take('${deployment().name}-keyvaultApps',64)
   params: {
     resourceName: resourceName
     keyVaultPurgeProtection: keyVaultPurgeProtection
@@ -224,7 +224,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity
 
 @description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.')
 module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) {
-  name: 'KeyVaultAppsRbac'
+  name: take('${deployment().name}-KeyVaultAppsRbac',64)
   params: {
     keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : ''
 
@@ -266,14 +266,14 @@ var kmsRbacWaitSeconds=30
 @description('This indicates if the deploying user has provided their PrincipalId in order for the key to be created')
 var keyVaultKmsCreateAndPrereqs = keyVaultKmsCreate && !empty(keyVaultKmsOfficerRolePrincipalId) && privateLinks == false
 
-resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(!empty(keyVaultKmsByoName)) {
+resource kvKmsByo 'Microsoft.KeyVault/vaults@2022-07-01' existing = if(!empty(keyVaultKmsByoName)) {
   name: keyVaultKmsByoName
   scope: resourceGroup(keyVaultKmsByoRG)
 }
 
 @description('Creates a new Key vault for a new KMS Key')
 module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
-  name: 'keyvaultKms-${resourceName}'
+  name: take('${deployment().name}-keyvaultKms-${resourceName}',64)
   params: {
     resourceName: 'kms${resourceName}'
     keyVaultPurgeProtection: keyVaultPurgeProtection
@@ -285,7 +285,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
 }
 
 module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
-  name: 'keyvaultKmsRbacs-${resourceName}'
+  name: take('${deployment().name}-keyvaultKmsRbacs-${resourceName}',64)
   params: {
     keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : ''
     //We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario
@@ -308,7 +308,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
 }
 
 module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
-  name: 'keyvaultKmsByoRbacs-${resourceName}'
+  name: take('${deployment().name}-keyvaultKmsByoRbacs-${resourceName}',64)
   scope: resourceGroup(keyVaultKmsByoRG)
   params: {
     keyVaultName: kvKmsByo.name
@@ -325,7 +325,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
 
 @description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem')
 module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) {
-  name: 'keyvaultKmsRbac-waits-${resourceName}'
+  name: take('${deployment().name}-keyvaultKmsRbac-waits-${resourceName}',64)
   params: {
     waitSeconds: kmsRbacWaitSeconds
     location: location
@@ -337,7 +337,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms
 
 @description('Adding a key to the keyvault... We can only do this for public key vaults')
 module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) {
-  name: 'keyvaultKmsKeys-${resourceName}'
+  name: take('${deployment().name}-keyvaultKmsKeys-${resourceName}',64)
   params: {
     keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : ''
   }
@@ -393,7 +393,7 @@ param acrUntaggedRetentionPolicy int = 30
 
 var acrName = 'cr${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
 
-resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!empty(registries_sku)) {
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!empty(registries_sku)) {
   name: acrName
   location: location
   sku: {
@@ -409,7 +409,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!
       retentionPolicy: acrUntaggedRetentionPolicyEnabled ? {
         status: 'enabled'
         days: acrUntaggedRetentionPolicy
-      } : json('null')
+      } : null
     }
     publicNetworkAccess: privateLinks /* && empty(acrIPWhitelist)*/ ? 'Disabled' : 'Enabled'
     zoneRedundancy: acrZoneRedundancyEnabled
@@ -459,7 +459,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
 
 //resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
 module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
-  name: 'acrprivatepool'
+  name: take('${deployment().name}-acrprivatepool',64)
   params: {
     acrName: acr.name
     acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : ''
@@ -498,12 +498,13 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 
 param imageNames array = []
 
-module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
-  name: 'testAcrImportMulti'
+module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
+  name: take('${deployment().name}-AcrImport',64)
   params: {
     acrName: acr.name
     location: location
     images: imageNames
+    managedIdentityName: 'id-acrImport-${resourceName}-${location}'
   }
 }
 
@@ -539,7 +540,7 @@ param certManagerFW bool = false
 param azureFirewallSku string = 'Standard'
 
 module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) {
-  name: 'firewall'
+  name: take('${deployment().name}-firewall',64)
   params: {
     resourceName: resourceName
     location: location
@@ -596,7 +597,7 @@ var appGWenableWafFirewall = appGWsku=='Standard_v2' ? false : appGWenableFirewa
 // If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
 // 'identity' is always created (adding: "|| deployAppGw") until this is fixed:
 // https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployAppGw) {
+resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployAppGw) {
   name: 'id-appgw-${resourceName}'
   location: location
 }
@@ -604,7 +605,7 @@ resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11
 var appgwName = 'agw-${resourceName}'
 var appgwResourceId = deployAppGw ? resourceId('Microsoft.Network/applicationGateways', '${appgwName}') : ''
 
-resource appgwpip 'Microsoft.Network/publicIPAddresses@2021-02-01' = if (deployAppGw) {
+resource appgwpip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (deployAppGw) {
   name: 'pip-agw-${resourceName}'
   location: location
   sku: {
@@ -722,6 +723,7 @@ var appgwProperties = union({
       name: 'appGwRoutingRuleName'
       properties: {
         ruleType: 'Basic'
+        priority: '1'
         httpListener: {
           id: '${appgwResourceId}/httpListeners/hlisten'
         }
@@ -742,7 +744,7 @@ var appgwProperties = union({
 } : {})
 
 // 'identity' is always set until this is fixed: https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAppGw) {
+resource appgw 'Microsoft.Network/applicationGateways@2022-07-01' = if (deployAppGw) {
   name: appgwName
   location: location
   zones: !empty(availabilityZones) ? availabilityZones : []
@@ -1113,7 +1115,7 @@ var systemPoolBase = {
   osType: 'Linux'
   maxPods: 30
   type: 'VirtualMachineScaleSets'
-  vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : json('null')
+  vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
   upgradeSettings: {
     maxSurge: '33%'
   }
@@ -1280,7 +1282,7 @@ defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
 keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {}
 )
 
-resource aks 'Microsoft.ContainerService/managedClusters@2022-10-02-preview' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2022-11-02-preview' = {
   name: 'aks-${resourceName}'
   location: location
   properties: aksProperties
@@ -1345,7 +1347,7 @@ output aksResourceId string = aks.id
 @description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.')
 var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet'
 module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) {
-  name: 'addPrivateK8sApiDnsContributor'
+  name: take('${deployment().name}-addPrivateK8sApiDnsContributor',64)
   params: {
     vnetId: ''
     dnsZoneId: dnsApiPrivateZoneId
@@ -1356,7 +1358,7 @@ module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !e
 var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
 var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
 
-resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
+resource aks_policies 'Microsoft.Authorization/policyAssignments@2022-06-01' = if (!empty(azurepolicy)) {
   name: '${resourceName}-${azurePolicyInitiative}'
   location: location
   properties: {
@@ -1401,7 +1403,7 @@ resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022
 
 param fluxGitOpsAddon bool = false
 
-resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(fluxGitOpsAddon) {
+resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(fluxGitOpsAddon) {
   name: 'flux'
   scope: aks
   properties: {
@@ -1424,7 +1426,7 @@ param daprAddon bool = false
 @description('Enable high availability (HA) mode for the Dapr control plane')
 param daprAddonHA bool = false
 
-resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(daprAddon) {
+resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(daprAddon) {
     name: 'dapr'
     scope: aks
     properties: {
@@ -1502,7 +1504,7 @@ var AlertFrequencyLookup = {
 var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel]
 
 module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
-  name: 'aksmetricalerts'
+  name: take('${deployment().name}-aksmetricalerts',64)
   scope: resourceGroup()
   params: {
     clusterName: aks.name
@@ -1532,6 +1534,9 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
   location: location
   properties : union({
       retentionInDays: retentionInDays
+      sku: {
+        name: 'PerGB2018'
+      }
     },
     logDataCap>0 ? { workspaceCapping: {
       dailyQuotaGb: logDataCap
@@ -1541,7 +1546,8 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
 
 
 resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if(containerLogsV2BasicLogs){
-  name: '${aks_law_name}/ContainerLogV2'
+  name: 'ContainerLogV2'
+  parent: aks_law
   properties: {
     plan: 'Basic'
   }

bicep/network.bicep

@@ -96,7 +96,7 @@ var fw_subnet = {
 
 /// ---- Firewall VNET config
 module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) {
-  name: 'calcAzFwIp'
+  name: take('${deployment().name}-calcAzFwIp',64)
   params: {
     vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix
   }
@@ -174,7 +174,7 @@ var subnets = union(
 output debugSubnets array = subnets
 
 var vnetName = 'vnet-${resourceName}'
-resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
+resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
   name: vnetName
   location: location
   properties: {
@@ -196,7 +196,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn
 output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name)
 
 module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) {
-  name: '${resourceName}-subnetRbac'
+  name: take('${deployment().name}-subnetRbac',64)
   params: {
     servicePrincipalId: aksPrincipleId
     subnetName: aks_subnet_name
@@ -328,7 +328,7 @@ var publicIpAddressName = 'pip-${bastionHostName}'
 ])
 param bastionSku string = 'Standard'
 
-resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(bastion) {
+resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(bastion) {
   name: publicIpAddressName
   location: location
   sku: {
@@ -371,8 +371,7 @@ resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if
 
 param CreateNsgFlowLogs bool = false
 
-var flowLogStorageRawName = replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-','')
-var flowLogStorageName = length(flowLogStorageRawName) > 24 ? substring(flowLogStorageRawName, 0, 24) : flowLogStorageRawName
+var flowLogStorageName = take(replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-',''),24)
 resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateNsgFlowLogs && networkSecurityGroups) {
   name: flowLogStorageName
   kind: 'StorageV2'
@@ -387,7 +386,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN
 
 //NSG's
 module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
-  name: 'nsgAks'
+  name: take('${deployment().name}-nsgAks',64)
   params: {
     location: location
     resourceName: '${aks_subnet_name}-${resourceName}'
@@ -402,7 +401,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
 }
 
 module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
-  name: 'nsgAcrPool'
+  name: take('${deployment().name}-nsgAcrPool',64)
   params: {
     location: location
     resourceName: '${acrpool_subnet_name}-${resourceName}'
@@ -417,7 +416,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
 }
 
 module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) {
-  name: 'nsgAppGw'
+  name: take('${deployment().name}-nsgAppGw',64)
   params: {
     location: location
     resourceName: '${appgw_subnet_name}-${resourceName}'
@@ -438,7 +437,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro
 }
 
 module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
-  name: 'nsgBastion'
+  name: take('${deployment().name}-nsgBastion',64)
   params: {
     location: location
     resourceName: '${bastion_subnet_name}-${resourceName}'
@@ -459,7 +458,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
 }
 
 module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) {
-  name: 'nsgPrivateLinks'
+  name: take('${deployment().name}-nsgPrivateLinks',64)
   params: {
     location: location
     resourceName: '${private_link_subnet_name}-${resourceName}'

bicep/networkwatcherflowlog.bicep

@@ -19,7 +19,8 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
 }
 
 resource nsgFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
-  name: '${networkWatcher.name}/${name}'
+  name: name
+  parent: networkWatcher
   location: location
   properties: {
     targetResourceId: nsgId

bicep/nsg.bicep

@@ -14,7 +14,7 @@ output nsgId string = nsg.id
 
 param ruleInAllowGwManagement bool = false
 param ruleInGwManagementPort string = '443,65200-65535'
-resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowGwManagement) {
+resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowGwManagement) {
   parent: nsg
   name: 'Allow_AppGatewayManagement'
   properties: {
@@ -30,7 +30,7 @@ resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRu
 }
 
 param ruleInAllowAzureLoadBalancer bool = false
-resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if (ruleInAllowAzureLoadBalancer) {
+resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if (ruleInAllowAzureLoadBalancer) {
   parent: nsg
   name: 'Allow_AzureLoadBalancer'
   properties: {
@@ -50,7 +50,7 @@ resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/security
 }
 
 param ruleInDenyInternet bool = false
-resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenyInternet) {
+resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenyInternet) {
   parent: nsg
   name: 'Deny_AllInboundInternet'
   properties: {
@@ -71,7 +71,7 @@ resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 
 param ruleInAllowInternetHttp bool = false
-resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttp) {
+resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttp) {
   parent: nsg
   name: 'Allow_Internet_Http'
   properties: {
@@ -92,7 +92,7 @@ resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 
 param ruleInAllowInternetHttps bool = false
-resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttps) {
+resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttps) {
   parent: nsg
   name: 'Allow_Internet_Https'
   properties: {
@@ -113,7 +113,7 @@ resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRule
 }
 
 param ruleInAllowBastionHostComms bool = false
-resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowBastionHostComms) {
+resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowBastionHostComms) {
   parent: nsg
   name: 'Allow_Bastion_Host_Communication'
   properties: {
@@ -135,7 +135,7 @@ resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@
 }
 
 param ruleOutAllowBastionComms bool = false
-resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
   parent: nsg
   name: 'Allow_SshRdp_Outbound'
   properties: {
@@ -156,7 +156,7 @@ resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securi
   }
 }
 
-resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
   parent: nsg
   name: 'Allow_Azure_Cloud_Outbound'
   properties: {
@@ -176,7 +176,7 @@ resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securit
   }
 }
 
-resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
   parent: nsg
   name: 'Allow_Bastion_Communication'
   properties: {
@@ -197,7 +197,7 @@ resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/
   }
 }
 
-resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
   parent: nsg
   name: 'Allow_Get_Session_Info'
   properties: {
@@ -218,7 +218,7 @@ resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/s
 }
 
 param ruleInDenySsh bool = false
-resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenySsh) {
+resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenySsh) {
   parent: nsg
   name: 'DenySshInbound'
   properties: {
@@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
 param FlowLogStorageAccountId string = ''
 param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId)
 module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) {
-  name: 'flow-${nsgName}'
+  name: take('${deployment().name}-flow-${nsgName}',64)
   scope: resourceGroup('NetworkWatcherRG')
   params: {
     location:location