Fix review findings: missing params, descriptions, identity, hardcoded values

ricmmartins · ricmmartins · commit fea882248ae4 · 2026-02-20T18:45:25.000-05:00
- Add missing sqlAdminLogin param to saas-startup bicepparam - Add @description to tags param in all 3 Bicep examples - Expose aksAdminUsername as param in AI startup (Bicep + TF) - Add identity block to web container app in SaaS (Bicep + TF) - Complete policy module outputs (all 8 assignments) - Use set -euo pipefail in all scripts - Update git origin to sslz repo
diff --git a/.devcontainer/post-create.sh b/.devcontainer/post-create.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -euo pipefail
 
 echo "Installing jq and shellcheck..."
 sudo apt-get update -qq && sudo apt-get install -y -qq jq shellcheck > /dev/null
diff --git a/diagrams/generate.sh b/diagrams/generate.sh
@@ -4,7 +4,7 @@
 # Outputs PNG and SVG files for use in docs and presentations
 # Requires: npx (Node.js) OR docker
 # ==============================================================================
-set -e
+set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 OUTPUT_DIR="${SCRIPT_DIR}/output"
diff --git a/examples/ai-startup/main.bicep b/examples/ai-startup/main.bicep
@@ -33,6 +33,10 @@ param kubernetesVersion string = '1.30'
 @description('SSH public key for AKS nodes')
 param sshPublicKey string
 
+@description('Linux admin username for AKS nodes')
+param aksAdminUsername string = 'azureuser'
+
+@description('Resource tags applied to all deployed resources')
 param tags object = {
   environment: environment
   team: 'ml-engineering'
@@ -96,7 +100,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = {
       }
     }
     linuxProfile: {
-      adminUsername: 'azureuser'
+      adminUsername: aksAdminUsername
       ssh: {
         publicKeys: [
           {
diff --git a/examples/ai-startup/terraform/main.tf b/examples/ai-startup/terraform/main.tf
@@ -105,6 +105,12 @@ variable "ssh_public_key" {
   type        = string
 }
 
+variable "aks_admin_username" {
+  description = "Linux admin username for AKS nodes"
+  type        = string
+  default     = "azureuser"
+}
+
 variable "tags" {
   description = "Tags applied to all resources"
   type        = map(string)
@@ -181,7 +187,7 @@ resource "azurerm_kubernetes_cluster" "this" {
   }
 
   linux_profile {
-    admin_username = "azureuser"
+    admin_username = var.aks_admin_username
     ssh_key {
       key_data = var.ssh_public_key
     }
diff --git a/examples/api-first-startup/main.bicep b/examples/api-first-startup/main.bicep
@@ -24,6 +24,7 @@ param apimPublisherEmail string
 @description('APIM publisher name')
 param apimPublisherName string
 
+@description('Resource tags applied to all deployed resources')
 param tags object = {
   environment: environment
   team: 'engineering'
diff --git a/examples/saas-startup/main.bicep b/examples/saas-startup/main.bicep
@@ -38,6 +38,7 @@ param privateEndpointSubnetId string = ''
 @description('VNet resource ID for Private DNS Zone links. Required when deployPrivateEndpoints is true. Example: /subscriptions/.../virtualNetworks/vnet-prod')
 param vnetId string = ''
 
+@description('Resource tags applied to all deployed resources')
 param tags object = {
   environment: environment
   team: 'engineering'
@@ -138,6 +139,7 @@ resource webApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: 'ca-${appName}-web'
   location: location
   tags: tags
+  identity: { type: 'SystemAssigned' }
   properties: {
     managedEnvironmentId: cae.id
     configuration: {
diff --git a/examples/saas-startup/main.bicepparam b/examples/saas-startup/main.bicepparam
@@ -8,6 +8,7 @@ param appName = 'mysaas'
 param environment = 'prod'
 param apiImage = 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
 param webImage = 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+param sqlAdminLogin = '<replace-with-admin-username>'
 // In production, use Key Vault references instead of inline passwords.
 // See: https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter
 param sqlAdminPassword = '<replace-with-secure-password>'
diff --git a/examples/saas-startup/terraform/main.tf b/examples/saas-startup/terraform/main.tf
@@ -231,6 +231,10 @@ resource "azurerm_container_app" "web" {
   revision_mode                = "Single"
   tags                         = local.tags
 
+  identity {
+    type = "SystemAssigned"
+  }
+
   ingress {
     external_enabled = true
     target_port      = 80
diff --git a/infra/terraform/modules/policy/outputs.tf b/infra/terraform/modules/policy/outputs.tf
@@ -1,17 +1,27 @@
 output "policy_assignment_ids" {
   description = "Map of policy assignment resource IDs"
   value = {
-    mcsb              = azurerm_subscription_policy_assignment.mcsb.id
-    allowed_locations = azurerm_subscription_policy_assignment.allowed_locations.id
-    activity_log_diag = azurerm_subscription_policy_assignment.activity_log_diag.id
+    mcsb                 = azurerm_subscription_policy_assignment.mcsb.id
+    allowed_locations    = azurerm_subscription_policy_assignment.allowed_locations.id
+    allowed_locations_rg = azurerm_subscription_policy_assignment.allowed_locations_rg.id
+    require_env_tag      = azurerm_subscription_policy_assignment.require_env_tag.id
+    require_team_tag     = azurerm_subscription_policy_assignment.require_team_tag.id
+    inherit_env_tag      = azurerm_subscription_policy_assignment.inherit_env_tag.id
+    inherit_team_tag     = azurerm_subscription_policy_assignment.inherit_team_tag.id
+    activity_log_diag    = azurerm_subscription_policy_assignment.activity_log_diag.id
   }
 }
 
 output "policy_assignment_names" {
   description = "Map of policy assignment names"
   value = {
-    mcsb              = azurerm_subscription_policy_assignment.mcsb.name
-    allowed_locations = azurerm_subscription_policy_assignment.allowed_locations.name
-    activity_log_diag = azurerm_subscription_policy_assignment.activity_log_diag.name
+    mcsb                 = azurerm_subscription_policy_assignment.mcsb.name
+    allowed_locations    = azurerm_subscription_policy_assignment.allowed_locations.name
+    allowed_locations_rg = azurerm_subscription_policy_assignment.allowed_locations_rg.name
+    require_env_tag      = azurerm_subscription_policy_assignment.require_env_tag.name
+    require_team_tag     = azurerm_subscription_policy_assignment.require_team_tag.name
+    inherit_env_tag      = azurerm_subscription_policy_assignment.inherit_env_tag.name
+    inherit_team_tag     = azurerm_subscription_policy_assignment.inherit_team_tag.name
+    activity_log_diag    = azurerm_subscription_policy_assignment.activity_log_diag.name
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,10 @@ param kubernetesVersion string = '1.30'`
`33`	`33`	`@description('SSH public key for AKS nodes')`
`34`	`34`	`param sshPublicKey string`
`35`	`35`
	`36`	`+@description('Linux admin username for AKS nodes')`
	`37`	`+param aksAdminUsername string = 'azureuser'`
	`38`	`+`
	`39`	`+@description('Resource tags applied to all deployed resources')`
`36`	`40`	`param tags object = {`
`37`	`41`	`environment: environment`
`38`	`42`	`team: 'ml-engineering'`
`@@ -96,7 +100,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = {`
`96`	`100`	`}`
`97`	`101`	`}`
`98`	`102`	`linuxProfile: {`
`99`		`- adminUsername: 'azureuser'`
	`103`	`+ adminUsername: aksAdminUsername`
`100`	`104`	`ssh: {`
`101`	`105`	`publicKeys: [`
`102`	`106`	`{`
Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,12 @@ variable "ssh_public_key" {`
`105`	`105`	`type = string`
`106`	`106`	`}`
`107`	`107`
	`108`	`+variable "aks_admin_username" {`
	`109`	`+ description = "Linux admin username for AKS nodes"`
	`110`	`+ type = string`
	`111`	`+ default = "azureuser"`
	`112`	`+}`
	`113`	`+`
`108`	`114`	`variable "tags" {`
`109`	`115`	`description = "Tags applied to all resources"`
`110`	`116`	`type = map(string)`
`@@ -181,7 +187,7 @@ resource "azurerm_kubernetes_cluster" "this" {`
`181`	`187`	`}`
`182`	`188`
`183`	`189`	`linux_profile {`
`184`		`- admin_username = "azureuser"`
	`190`	`+ admin_username = var.aks_admin_username`
`185`	`191`	`ssh_key {`
`186`	`192`	`key_data = var.ssh_public_key`
`187`	`193`	`}`