Fix Redis public access, staging slot config, teardown, retention consistency

- Add public_network_access_enabled=false to Redis in AI and API-first (TF+Bicep)
- Add appSettings to staging slot in API-first Bicep (Cosmos, Redis, AppInsights)
- Teardown script: check terraform.tfvars exists before destroy
- Standardize Log Analytics retention to 30 days across all examples
- Update Application Insights API version from 2020-02-02 to 2020-11-20

Author: ricmmartins

examples/ai-startup/main.bicep

@@ -269,6 +269,7 @@ resource redis 'Microsoft.Cache/redis@2024-03-01' = {
     }
     enableNonSslPort: false
     minimumTlsVersion: '1.2'
+    publicNetworkAccess: 'Disabled'
   }
 }
 

examples/ai-startup/terraform/main.tf

@@ -324,15 +324,16 @@ resource "azurerm_storage_container" "datasets" {
 # ==============================================================================
 
 resource "azurerm_redis_cache" "this" {
-  name                 = "redis-${var.app_name}-${var.environment}"
-  location             = var.location
-  resource_group_name  = data.azurerm_resource_group.this.name
-  capacity             = var.environment == "prod" ? 1 : 0
-  family               = "C"
-  sku_name             = var.environment == "prod" ? "Standard" : "Basic"
-  non_ssl_port_enabled = false
-  minimum_tls_version  = "1.2"
-  tags                 = local.tags
+  name                          = "redis-${var.app_name}-${var.environment}"
+  location                      = var.location
+  resource_group_name           = data.azurerm_resource_group.this.name
+  capacity                      = var.environment == "prod" ? 1 : 0
+  family                        = "C"
+  sku_name                      = var.environment == "prod" ? "Standard" : "Basic"
+  non_ssl_port_enabled          = false
+  minimum_tls_version           = "1.2"
+  public_network_access_enabled = false
+  tags                          = local.tags
 }
 
 # ==============================================================================

examples/api-first-startup/main.bicep

@@ -41,11 +41,13 @@ resource law 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
   tags: tags
   properties: {
     sku: { name: 'PerGB2018' }
-    retentionInDays: 90
+    // 30-day retention keeps costs low for startup workloads. Increase to 90 days
+    // for compliance or if you need longer investigative windows.
+    retentionInDays: 30
   }
 }
 
-resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
+resource appInsights 'Microsoft.Insights/components@2020-11-20' = {
   name: 'ai-${appName}-${environment}'
   location: location
   tags: tags
@@ -120,6 +122,20 @@ resource stagingSlot 'Microsoft.Web/sites/slots@2023-12-01' = if (environment ==
       minTlsVersion: '1.2'
       ftpsState: 'Disabled'
       alwaysOn: false
+      appSettings: [
+        {
+          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+          value: appInsights.properties.ConnectionString
+        }
+        {
+          name: 'COSMOS_ENDPOINT'
+          value: cosmos.properties.documentEndpoint
+        }
+        {
+          name: 'REDIS_HOSTNAME'
+          value: redis.properties.hostName
+        }
+      ]
     }
   }
 }
@@ -231,6 +247,7 @@ resource redis 'Microsoft.Cache/redis@2024-03-01' = {
     }
     enableNonSslPort: false
     minimumTlsVersion: '1.2'
+    publicNetworkAccess: 'Disabled'
   }
 }
 

examples/api-first-startup/terraform/main.tf

@@ -115,8 +115,10 @@ resource "azurerm_log_analytics_workspace" "this" {
   location            = var.location
   resource_group_name = data.azurerm_resource_group.this.name
   sku                 = "PerGB2018"
-  retention_in_days   = 90
-  tags                = local.tags
+  # 30-day retention keeps costs low for startup workloads. Increase to 90 days
+  # for compliance or if you need longer investigative windows.
+  retention_in_days = 30
+  tags              = local.tags
 }
 
 resource "azurerm_application_insights" "this" {
@@ -125,7 +127,7 @@ resource "azurerm_application_insights" "this" {
   resource_group_name = data.azurerm_resource_group.this.name
   workspace_id        = azurerm_log_analytics_workspace.this.id
   application_type    = "web"
-  retention_in_days   = 90
+  retention_in_days   = 30
   tags                = local.tags
 }
 
@@ -285,15 +287,16 @@ resource "azurerm_cosmosdb_sql_role_assignment" "app_cosmos" {
 # ==============================================================================
 
 resource "azurerm_redis_cache" "this" {
-  name                 = "redis-${var.app_name}-${var.environment}"
-  location             = var.location
-  resource_group_name  = data.azurerm_resource_group.this.name
-  capacity             = var.environment == "prod" ? 1 : 0
-  family               = "C"
-  sku_name             = var.environment == "prod" ? "Standard" : "Basic"
-  non_ssl_port_enabled = false
-  minimum_tls_version  = "1.2"
-  tags                 = local.tags
+  name                          = "redis-${var.app_name}-${var.environment}"
+  location                      = var.location
+  resource_group_name           = data.azurerm_resource_group.this.name
+  capacity                      = var.environment == "prod" ? 1 : 0
+  family                        = "C"
+  sku_name                      = var.environment == "prod" ? "Standard" : "Basic"
+  non_ssl_port_enabled          = false
+  minimum_tls_version           = "1.2"
+  public_network_access_enabled = false
+  tags                          = local.tags
 }
 
 # ==============================================================================

scripts/teardown.sh

@@ -104,6 +104,16 @@ if [[ "$TOOL" == "terraform" ]]; then
   TF_VAR_budget_start_date="$(date -u +%Y-%m-01T00:00:00Z)"
 
   cd "$TF_DIR"
+
+  # terraform.tfvars must exist — it provides required variables
+  # (subscription_id, company_name, budget_alert_emails, security_contact_email).
+  if [[ ! -f "terraform.tfvars" ]]; then
+    echo "Error: terraform.tfvars not found in $TF_DIR."
+    echo "This file is required for destroy — it provides subscription_id, company_name, and other required variables."
+    echo "Create it from the example: cp terraform.tfvars.example terraform.tfvars"
+    exit 1
+  fi
+
   terraform init
   terraform destroy \
     -var="environment=$ENV" \