From 942455f92bd6f569b0f456e5b74fdd174e839327 Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Wed, 17 Jul 2024 11:04:07 +1000
Subject: [PATCH] Replace storage accounts with AVM
---
 infra/core/storage/storage-account.bicep | 70 ------------------------
 infra/main.bicep | 64 ++++++++++++----------
 2 files changed, 36 insertions(+), 98 deletions(-)
 delete mode 100644 infra/core/storage/storage-account.bicep
diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
deleted file mode 100644
index 5dd98f1b9b..0000000000
--- a/infra/core/storage/storage-account.bicep
+++ /dev/null
@@ -1,70 +0,0 @@
-metadata description = 'Creates an Azure storage account.'
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-@allowed([
-  'Cool'
-  'Hot'
-  'Premium' ])
-param accessTier string = 'Hot'
-param allowBlobPublicAccess bool = true
-param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
-param containers array = []
-param defaultToOAuthAuthentication bool = false
-param deleteRetentionPolicy object = {}
-@allowed([ 'AzureDnsZone', 'Standard' ])
-param dnsEndpointType string = 'Standard'
-param isHnsEnabled bool = false
-param kind string = 'StorageV2'
-param minimumTlsVersion string = 'TLS1_2'
-param supportsHttpsTrafficOnly bool = true
-@allowed([ 'Enabled', 'Disabled' ])
-param publicNetworkAccess string = 'Enabled'
-param sku object = { name: 'Standard_LRS' }
-@allowed([ 'None', 'AzureServices' ])
-param bypass string = 'AzureServices'
-
-var networkAcls = (publicNetworkAccess == 'Enabled') ? {
-  bypass: bypass
-  defaultAction: 'Allow'
-} : { defaultAction: 'Deny' }
-
-resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
-  name: name
-  location: location
-  tags: tags
-  kind: kind
-  sku: sku
-  properties: {
-    accessTier: accessTier
-    allowBlobPublicAccess: allowBlobPublicAccess
-    allowCrossTenantReplication: allowCrossTenantReplication
-    allowSharedKeyAccess: allowSharedKeyAccess
-    defaultToOAuthAuthentication: defaultToOAuthAuthentication
-    dnsEndpointType: dnsEndpointType
-    isHnsEnabled: isHnsEnabled
-    minimumTlsVersion: minimumTlsVersion
-    networkAcls: networkAcls
-    publicNetworkAccess: publicNetworkAccess
-    supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
-  }
-
-  resource blobServices 'blobServices' = if (!empty(containers)) {
-    name: 'default'
-    properties: {
-      deleteRetentionPolicy: deleteRetentionPolicy
-    }
-    resource container 'containers' = [for container in containers: {
-      name: container.name
-      properties: {
-        publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
-      }
-    }]
-  }
-}
-
-output id string = storage.id
-output name string = storage.name
-output primaryEndpoints object = storage.properties.primaryEndpoints
diff --git a/infra/main.bicep b/infra/main.bicep
index 967b7b1f23..4eaa8f8460 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -479,7 +479,7 @@ module searchService 'core/search/search-services.bicep' = {
     }
     semanticSearch: actualSearchServiceSemanticRankerLevel
     publicNetworkAccess: publicNetworkAccess == 'Enabled' ? 'enabled' : (publicNetworkAccess == 'Disabled' ? 'disabled' : null)
-    sharedPrivateLinkStorageAccounts: usePrivateEndpoint ? [ storage.outputs.id ] : []
+    sharedPrivateLinkStorageAccounts: usePrivateEndpoint ? [ storage.outputs.resourceId ] : []
   }
 }
 
@@ -492,54 +492,62 @@ module searchDiagnostics 'core/search/search-diagnostics.bicep' = if (useApplica
   }
 }
 
-module storage 'core/storage/storage-account.bicep' = {
+module storage 'br/public:avm/res/storage/storage-account:0.9.1' = {
   name: 'storage'
   scope: storageResourceGroup
   params: {
     name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${resourceToken}'
     location: storageResourceGroupLocation
     tags: tags
+
+    kind: 'StorageV2'
+    skuName: 'Standard_LRS'
     publicNetworkAccess: publicNetworkAccess
-    bypass: bypass
+    networkAcls: (publicNetworkAccess == 'Enabled') ? {
+      bypass: bypass
+      defaultAction: 'Allow'
+    } : { defaultAction: 'Deny' }
     allowBlobPublicAccess: false
     allowSharedKeyAccess: false
-    sku: {
-      name: storageSkuName
-    }
-    deleteRetentionPolicy: {
-      enabled: true
-      days: 2
+    blobServices: {
+      deleteRetentionPolicyDays: 2
+      deleteRetentionPolicyEnabled: true
+      containers: [
+        {
+          name: storageContainerName
+          publicAccess: 'None'
+        }
+      ]
     }
-    containers: [
-      {
-        name: storageContainerName
-        publicAccess: 'None'
-      }
-    ]
   }
 }
 
-module userStorage 'core/storage/storage-account.bicep' = if (useUserUpload) {
+module userStorage 'br/public:avm/res/storage/storage-account:0.9.1' = if (useUserUpload) {
   name: 'user-storage'
   scope: storageResourceGroup
   params: {
     name: !empty(userStorageAccountName) ? userStorageAccountName : 'user${abbrs.storageStorageAccounts}${resourceToken}'
     location: storageResourceGroupLocation
     tags: tags
+
+    kind: 'StorageV2'
+    skuName: 'Standard_LRS'
     publicNetworkAccess: publicNetworkAccess
-    bypass: bypass
+    networkAcls: (publicNetworkAccess == 'Enabled') ? {
+      bypass: bypass
+      defaultAction: 'Allow'
+    } : { defaultAction: 'Deny' }
     allowBlobPublicAccess: false
     allowSharedKeyAccess: false
-    isHnsEnabled: true
-    sku: {
-      name: storageSkuName
+    enableHierarchicalNamespace: true
+    blobServices: {
+      containers: [
+        {
+          name: userStorageContainerName
+          publicAccess: 'None'
+        }
+      ]
     }
-    containers: [
-      {
-        name: userStorageContainerName
-        publicAccess: 'None'
-      }
-    ]
   }
 }
 
@@ -740,8 +748,8 @@ var otherPrivateEndpointConnections = usePrivateEndpoint ? [
     groupId: 'blob'
     dnsZoneName: 'privatelink.blob.${environmentData.suffixes.storage}'
     resourceIds: concat(
-      [ storage.outputs.id ],
-      useUserUpload ? [ userStorage.outputs.id ] : []
+      [ storage.outputs.resourceId ],
+      useUserUpload ? [ userStorage.outputs.resourceId ] : []
     )
   }
   {
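Review bot: Both new module calls hard-code `skuName: 'Standard_LRS'` where the removed lines passed `sku: { name: storageSkuName }`, so whatever `storageSkuName` is set to in main.bicep (declared outside this hunk) is now silently ignored and the variable is presumably left unreferenced; keep the existing knob with `skuName: storageSkuName` in both the `storage` and `userStorage` params. The deleted module also pinned `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` on the resource, whereas the AVM calls leave both to the module's 0.9.1 defaults — if the intent is to keep that posture independent of future version bumps, set `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true` explicitly in both calls. As a style point, the `networkAcls` ternary is now duplicated verbatim in both modules; a single `var storageNetworkAcls = (publicNetworkAccess == 'Enabled') ? { bypass: bypass, defaultAction: 'Allow' } : { defaultAction: 'Deny' }` declared next to the modules would keep the two accounts' firewall rules from drifting.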