Bicep support for 'custom' azure environment

application/single_app/config.py

@@ -136,7 +136,7 @@
 CUSTOM_COGNITIVE_SERVICES_URL_VALUE = os.getenv("CUSTOM_COGNITIVE_SERVICES_URL_VALUE", "")
 CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE = os.getenv("CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE", "")
 CUSTOM_REDIS_CACHE_INFRASTRUCTURE_URL_VALUE = os.getenv("CUSTOM_REDIS_CACHE_INFRASTRUCTURE_URL_VALUE", "")
-
+CUSTOM_OIDC_METADATA_URL_VALUE = os.getenv("CUSTOM_OIDC_METADATA_URL_VALUE", "")
 
 # Azure AD Configuration
 CLIENT_ID = os.getenv("CLIENT_ID")
@@ -171,12 +171,14 @@
     KEY_VAULT_DOMAIN = ".vault.usgovcloudapi.net"
 
 elif AZURE_ENVIRONMENT == "custom":
+    OIDC_METADATA_URL = CUSTOM_OIDC_METADATA_URL_VALUE
     resource_manager = CUSTOM_RESOURCE_MANAGER_URL_VALUE
     authority = CUSTOM_IDENTITY_URL_VALUE
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = CUSTOM_COGNITIVE_SERVICES_URL_VALUE  
     search_resource_manager = CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE
     KEY_VAULT_DOMAIN = os.getenv("KEY_VAULT_DOMAIN", ".vault.azure.net")
+    video_indexer_endpoint = os.getenv("VIDEO_INDEXER_ENDPOINT", "https://api.videoindexer.ai")
 else:
     OIDC_METADATA_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
     resource_manager = "https://management.azure.com"

application/single_app/route_backend_users.py

@@ -27,7 +27,7 @@ def api_user_search():
         if AZURE_ENVIRONMENT == "usgovernment":
             user_endpoint = "https://graph.microsoft.us/v1.0/users"
         elif AZURE_ENVIRONMENT == "custom":
-            user_endpoint = CUSTOM_GRAPH_URL_VALUE
+            user_endpoint = f"{CUSTOM_GRAPH_URL_VALUE}/v1.0/users"
         else:
             user_endpoint = "https://graph.microsoft.com/v1.0/users"
 

deployers/bicep/main.bicep

@@ -5,14 +5,12 @@ targetScope = 'subscription'
 - Region must align to the target cloud environment''')
 param location string
 
-@description('''The target Azure Cloud environment.
-- Accepted values are: AzureCloud, AzureUSGovernment
-- Default is AzureCloud''')
 @allowed([
-  'AzureCloud'
-  'AzureUSGovernment'
+  'public'
+  'usgovernment'
+  'custom'  
 ])
-param cloudEnvironment string
+param cloudEnvironment string = az.environment().name == 'AzureCloud' ? 'public' : (az.environment().name == 'AzureUSGovernment' ? 'usgovernment' : 'custom')
 
 @description('''The name of the application to be deployed.  
 - Name may only contain letters and numbers
@@ -96,6 +94,20 @@ param existingOpenAIResourceGroupName string
 - Required if useExistingOpenAISvc is true''')
 param existingOpenAIResourceName string
 
+param existingOpenAIChatModelParams object = {
+  modelName: 'gpt-4o'
+  modelVersion: '2024-11-20'
+  skuName: 'GlobalStandard'
+  skuCapacity: 100
+}
+
+param existingOpenAIEmbeddingModelParams object = {
+  modelName: 'text-embedding-3-small'
+  modelVersion: '1'
+  skuName: 'GlobalStandard'
+  skuCapacity: 150
+}
+
 @description('''The name of the container image to deploy to the web app.
 - should be in the format <repository>:<tag>''')
 param imageName string
@@ -112,14 +124,28 @@ param imageName string
 ])
 param unauthenticatedClientAction string = 'RedirectToLoginPage'
 
+// --- Custom Azure Environment Parameters (for 'custom' azureEnvironment) ---
+@description('Custom blob storage URL suffix, e.g. blob.core.usgovcloudapi.net')
+param customBlobStorageSuffix string = 'blob.${az.environment().suffixes.storage}'
+@description('Custom Graph API URL, e.g. https://graph.microsoft.us')
+param customGraphUrl string = az.environment().graph
+@description('Custom Identity URL, e.g. https://login.microsoftonline.us')
+param customIdentityUrl string = az.environment().authentication.loginEndpoint
+@description('Custom Resource Manager URL, e.g. https://management.usgovcloudapi.net')
+param customResourceManagerUrl string = az.environment().resourceManager
+@description('Custom Cognitive Services scope ex: https://cognitiveservices.azure.com/.default')
+param customCognitiveServicesScope string = 'https://cognitiveservices.azure.com/.default'
+@description('Custom search resource URL for token audience, e.g. https://search.azure.us')
+param customSearchResourceUrl string = 'https://search.azure.com'
+
 //=========================================================
 // variable declarations for the main deployment 
 //=========================================================
 
 var rgName = '${appName}-${environment}-rg'
 var requiredTags = { application: appName, environment: environment, 'azd-env-name': azdEnvironmentName }
 var tags = union(requiredTags, specialTags)
-var acrCloudSuffix = cloudEnvironment == 'AzureCloud' ? '.azurecr.io' : '.azurecr.us'
+var acrCloudSuffix = az.environment().suffixes.acrLoginServer
 var containerRegistry = '${acrName}${acrCloudSuffix}'
 var acrName = useExistingAcr ? existingAcrResourceName : toLower('${appName}${environment}acr')
 var containerImageName = '${containerRegistry}/${imageName}'
@@ -319,6 +345,8 @@ module openAI_existing 'modules/openAI-existing.bicep' = if (useExistingOpenAISv
   scope: resourceGroup(useExistingOpenAISvc ? existingOpenAIResourceGroupName : rgName)
   params: {
     openAIName: existingOpenAIResourceName
+    openAIChatModelParams: existingOpenAIChatModelParams
+    openAIEmbeddingModelParams: existingOpenAIEmbeddingModelParams
   }
 }
 
@@ -385,8 +413,7 @@ module appService 'modules/appService.bicep' = {
     appName: appName
     environment: environment
     tags: tags
-    #disable-next-line BCP318 // expect one value to be null
-    acrName: useExistingAcr ? acr_existing.outputs.acrName : acr_create.outputs.acrName
+    acrName: useExistingAcr ? acr_existing!.outputs.acrName : acr_create!.outputs.acrName
     managedIdentityId: managedIdentity.outputs.resourceId
     managedIdentityClientId: managedIdentity.outputs.clientId
     enableDiagLogging: enableDiagLogging
@@ -396,18 +423,23 @@ module appService 'modules/appService.bicep' = {
     azurePlatform: cloudEnvironment
     cosmosDbName: cosmosDB.outputs.cosmosDbName
     searchServiceName: searchService.outputs.searchServiceName
-    #disable-next-line BCP318 // expect one value to be null
-    openAiServiceName: useExistingOpenAISvc ? openAI_existing.outputs.openAIName : openAI_create.outputs.openAIName
-    #disable-next-line BCP318 // expect one value to be null
+    openAiServiceName: useExistingOpenAISvc ? openAI_existing!.outputs.openAIName : openAI_create!.outputs.openAIName
+    openAiEndpoint: useExistingOpenAISvc ? openAI_existing!.outputs.openAIEndpoint : openAI_create!.outputs.openAIEndpoint
     openAiResourceGroupName: useExistingOpenAISvc
       ? existingOpenAIResourceGroupName
-      #disable-next-line BCP318 // expect one value to be null
-      : openAI_create.outputs.openAIResourceGroup
+      : openAI_create!.outputs.openAIResourceGroup
     documentIntelligenceServiceName: docIntel.outputs.documentIntelligenceServiceName
     appInsightsName: appInsights.outputs.appInsightsName
     enterpriseAppClientId: enterpriseAppClientId
     enterpriseAppClientSecret: ''
     keyVaultUri: keyVault.outputs.keyVaultUri
+    // --- Custom Azure Environment Parameters (for 'custom' azureEnvironment) ---
+    customBlobStorageSuffix: customBlobStorageSuffix
+    customGraphUrl: customGraphUrl
+    customIdentityUrl: customIdentityUrl
+    customResourceManagerUrl: customResourceManagerUrl
+    customCognitiveServicesScope: customCognitiveServicesScope
+    customSearchResourceUrl: customSearchResourceUrl
   }
 }
 
@@ -494,6 +526,6 @@ output var_rgName string = rgName
 output var_acrName string = useExistingAcr ? existingAcrResourceName : toLower('${appName}${environment}acr')
 output var_containerRegistry string = containerRegistry
 output var_imageName string = contains(imageName, ':') ? split(imageName, ':')[0] : imageName
-output var_imageTag string = split(imageName, ':')[1] 
+output var_imageTag string = contains(imageName, ':') ? split(imageName, ':')[1] : 'latest'
 output var_specialImage bool = contains(imageName, ':') ? split(imageName, ':')[1] != 'latest' : false
 output var_webService string = appService.outputs.name

deployers/bicep/modules/appService.bicep

@@ -17,6 +17,7 @@ param azurePlatform string
 param cosmosDbName string
 param searchServiceName string
 param openAiServiceName string
+param openAiEndpoint string
 param openAiResourceGroupName string
 param documentIntelligenceServiceName string
 param appInsightsName string
@@ -31,6 +32,25 @@ param enterpriseAppClientSecret string = ''
 @description('Key Vault URI for secret references')
 param keyVaultUri string = ''
 
+// --- Custom Azure Environment Parameters (for 'custom' azureEnvironment) ---
+@description('Custom blob storage URL suffix, e.g. blob.core.usgovcloudapi.net')
+param customBlobStorageSuffix string?
+@description('Custom Graph API URL, e.g. https://graph.microsoft.us')
+param customGraphUrl string?
+@description('Custom Identity URL, e.g. https://login.microsoftonline.us')
+param customIdentityUrl string?
+@description('Custom Resource Manager URL, e.g. https://management.usgovcloudapi.net')
+param customResourceManagerUrl string?
+
+@description('Custom Cognitive Services scope ex: https://cognitiveservices.azure.com/.default')
+param customCognitiveServicesScope string?
+
+@description('Custom search resource URL for token audience, e.g. https://search.azure.us')
+param customSearchResourceUrl string?
+
+var tenantId = tenant().tenantId
+var openIdMetadataUrl = '${az.environment().authentication.loginEndpoint}/${tenantId}/v2.0/.well-known/openid-configuration'
+
 // Import diagnostic settings configurations
 module diagnosticConfigs 'diagnosticSettings.bicep' = if (enableDiagLogging) {
   name: 'diagnosticConfigs'
@@ -48,18 +68,14 @@ resource searchService 'Microsoft.Search/searchServices@2025-05-01' existing = {
   name: searchServiceName
 }
 
-resource openAiService 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = {
-  name: openAiServiceName
-}
-
 resource documentIntelligence 'Microsoft.CognitiveServices/accounts@2025-06-01' existing = {
   name: documentIntelligenceServiceName 
 }
 resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = {
   name: appInsightsName
 }
 
-var acrDomain = azurePlatform == 'AzureUSGovernment' ? '.azurecr.us' : '.azurecr.io'
+var acrDomain = az.environment().suffixes.acrLoginServer
 
 // add web app
 resource webApp 'Microsoft.Web/sites@2022-03-01' = {
@@ -75,9 +91,9 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
       alwaysOn: true
       ftpsState: 'Disabled'
       healthCheckPath: '/external/healthcheck'
-      appSettings: [
+      appSettings: union([
 
-        {name: 'AZURE_ENDPOINT', value: azurePlatform == 'AzureUSGovernment' ? 'usgovernment' : 'public'}
+        {name: 'AZURE_ENVIRONMENT', value: azurePlatform }
         {name: 'SCM_DO_BUILD_DURING_DEPLOYMENT', value: 'false'}
         {name: 'AZURE_COSMOS_ENDPOINT', value: cosmosDb.properties.documentEndpoint}
         {name: 'AZURE_COSMOS_AUTHENTICATION_TYPE', value: 'managed_identity'}
@@ -93,9 +109,9 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
         //{name: 'DOCKER_REGISTRY_SERVER_USERNAME', value: acrService.listCredentials().username }
         //{name: 'DOCKER_REGISTRY_SERVER_PASSWORD', value: acrService.listCredentials().passwords[0].value }
         {name: 'WEBSITE_AUTH_AAD_ALLOWED_TENANTS', value: tenant().tenantId }
-        {name: 'AZURE_OPENAI_RESOURCE_NAME', value: openAiService.name}
+        {name: 'AZURE_OPENAI_RESOURCE_NAME', value: openAiServiceName}
         {name: 'AZURE_OPENAI_RESOURCE_GROUP_NAME', value: openAiResourceGroupName}
-        {name: 'AZURE_OPENAI_URL', value: openAiService.properties.endpoint}
+        {name: 'AZURE_OPENAI_URL', value: openAiEndpoint}
         {name: 'AZURE_SEARCH_SERVICE_NAME', value: searchService.name}
         {name: 'AZURE_SEARCH_API_KEY', value: searchService.listAdminKeys().primaryKey}
         {name: 'AZURE_DOCUMENT_INTELLIGENCE_ENDPOINT', value: documentIntelligence.properties.endpoint}
@@ -112,7 +128,17 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = {
         {name: 'XDT_MicrosoftApplicationInsights_BaseExtensions', value: 'disabled'}
         {name: 'XDT_MicrosoftApplicationInsights_Mode', value: 'recommended'}
         {name: 'XDT_MicrosoftApplicationInsights_PreemptSdk', value: 'disabled'}
-      ]
+      ],
+      azurePlatform == 'custom' ? [
+        {name: 'CUSTOM_GRAPH_URL_VALUE', value: customGraphUrl}
+        {name: 'CUSTOM_IDENTITY_URL_VALUE', value: customIdentityUrl}
+        {name: 'CUSTOM_RESOURCE_MANAGER_URL_VALUE', value: customResourceManagerUrl}
+        {name: 'CUSTOM_BLOB_STORAGE_URL_VALUE', value: customBlobStorageSuffix}
+        {name: 'CUSTOM_COGNITIVE_SERVICES_URL_VALUE', value: customCognitiveServicesScope}
+        {name: 'CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE', value: customSearchResourceUrl}
+        {name: 'KEY_VAULT_DOMAIN', value: az.environment().suffixes.keyvaultDns}
+        {name: 'CUSTOM_OIDC_METADATA_URL_VALUE', value: openIdMetadataUrl}
+      ] : [])      
     }
     clientAffinityEnabled: false
     httpsOnly: true

deployers/bicep/modules/appServiceAuthentication.bicep

@@ -31,6 +31,8 @@ param unauthenticatedClientAction string = 'RedirectToLoginPage'
 @description('Token store enabled')
 param tokenStoreEnabled bool = true
 
+var openIdIssuerUrl = '${az.environment().authentication.loginEndpoint}/${tenantId}'
+
 resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
   name: webAppName
 }
@@ -49,7 +51,7 @@ resource authSettings 'Microsoft.Web/sites/config@2022-03-01' = if (enableAuthen
       azureActiveDirectory: {
         enabled: true
         registration: {
-          openIdIssuer: 'https://sts.windows.net/${tenantId}/'
+          openIdIssuer: openIdIssuerUrl
           clientId: clientId
           clientSecretSettingName: !empty(clientSecretKeyVaultUri) ? 'MICROSOFT_PROVIDER_AUTHENTICATION_SECRET' : null
         }