Deploy the Bicep template. The .env contents are passed via a temp parameters file (not inline --parameters key=value) because the value is multi-line, contains '=' characters, and is marked @secure() in Bicep — passing it inline is fragile and can leak the value into shell his
```python
def deploy_bicep(
    *,
    resource_group: str,
    app_name: str,
    container_image: str,
    tenant_id: str,
    client_id: str,
    group_ids: str,
    sql_server_fqdn: str,
    sql_database_name: str,
    kv_resource_id: str,
    acr_name: str,
    env_file_contents: str,
    owner_tag: str = "",
) -> dict:
    """
    Deploy the Bicep template.

    The .env contents are passed via a temp parameters file (not inline
    --parameters key=value) because the value is multi-line, contains '='
    characters, and is marked @secure() in Bicep — passing it inline is
    fragile and can leak the value into shell history. The temp file is
    deleted after deployment.

    Args:
        resource_group (str): The resource group name.
        app_name (str): The Container App name.
        container_image (str): The container image reference.
        tenant_id (str): The Entra tenant ID.
        client_id (str): The Entra app registration client ID.
        group_ids (str): Comma-separated group object IDs.
        sql_server_fqdn (str): The SQL server FQDN.
        sql_database_name (str): The SQL database name.
        kv_resource_id (str): The Key Vault resource ID (kept for the
            keyVaultName output; not referenced at container runtime).
        acr_name (str): The ACR name.
        env_file_contents (str): The prepared .env content to inject as
            the Container App's `env-file` secret.
        owner_tag (str): Value for the Owner tag on Bicep-managed resources.

    Returns:
        dict: The deployment outputs.
    """
    logger.info("Deploying Bicep template to resource group: %s", resource_group)

    parameters: dict = {
        "appName": {"value": app_name},
        "containerImage": {"value": container_image},
        "entraTenantId": {"value": tenant_id},
        "entraClientId": {"value": client_id},
        "allowedGroupObjectIds": {"value": group_ids},
        "sqlServerFqdn": {"value": sql_server_fqdn},
        "sqlDatabaseName": {"value": sql_database_name},
        "keyVaultResourceId": {"value": kv_resource_id},
        "acrName": {"value": acr_name},
        "enablePrivateEndpoint": {"value": False},
        "envFileContents": {"value": env_file_contents},
    }
```
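
The listing stops before the temp parameters file the docstring describes is written. The sketch below is an added example, not the project's own code, showing one way to do that step: an owner-only temp file that is removed even when deployment fails, and an `az` argument list that carries only the file path. The names `secure_parameters_file` and `build_deploy_argv` and the template path argument are assumptions.

```python
import contextlib
import json
import os
import tempfile

# Published ARM schema for deployment parameter files.
PARAMS_SCHEMA = (
    "https://schema.management.azure.com/schemas/2019-04-01/"
    "deploymentParameters.json#"
)


@contextlib.contextmanager
def secure_parameters_file(parameters: dict):
    """Yield the path of an owner-only temp parameters file, then delete it."""
    # mkstemp opens with O_EXCL and mode 0600 on POSIX, so another local
    # user can neither pre-create the file nor read the secret from it.
    fd, path = tempfile.mkstemp(prefix="bicep-params-", suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            # JSON encoding carries newlines and '=' without shell quoting.
            json.dump(
                {
                    "$schema": PARAMS_SCHEMA,
                    "contentVersion": "1.0.0.0",
                    "parameters": parameters,
                },
                handle,
            )
        yield path
    finally:
        # Runs on success and on failure, so the secret does not outlive the call.
        with contextlib.suppress(FileNotFoundError):
            os.unlink(path)


def build_deploy_argv(resource_group: str, template_file: str, params_path: str) -> list:
    """Build the az argv; it holds the file path, never the secret value."""
    return [
        "az", "deployment", "group", "create",
        "--resource-group", resource_group,
        "--template-file", template_file,
        "--parameters", f"@{params_path}",
        "--output", "json",
    ]
```

Pass the returned list to `subprocess.run` without `shell=True` inside the `with` block, so the value never reaches a shell command line or the process argument list.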