Step 6 — Deployment

✅ Preflight Validation
📋 Deployment Details
🏗️ Deployed Resources
📤 Deployment Outputs
📝 Post-Deployment Tasks
References

Generated: 2026-03-11 Generated by 07b-Bicep Deploy agent Status: Succeeded — all 5 phases deployed successfully

⬅️ Previous	📑 Index	Next ➡️
Implementation Reference	Demo Index	As-Built Documentation

✅ Preflight Validation

Property	Value	Status
Project Type	Standalone Bicep (AVM)	ℹ️
Deployment Scope	resourceGroup	ℹ️
Validation Level	Provider	ℹ️
Bicep Build	Warnings only (no errors)	✅
What-If Status	Completed	✅
Placeholders	All resolved (4 values)	✅

Change Summary

Change Type	Count	Notes
Create (+)	37	All new resources — greenfield deployment
Delete (-)	0	No destructive operations
Modify (~)	0	No existing resources modified
NoChange (=)	0	—

Known Issues Resolved

Issue	Root Cause	Fix Applied	Severity
Phase 4 initial failure ❌	`availabilityZone: -1` + missing `zoneRedundant: false` in AVM SQL module `0.21.1` triggered zone-redundant provisioning, unsupported for Standard (S0) tier	Added `zoneRedundant: false` to database definition in `modules/sql.bicep`	⚠️ Fixed

📋 Deployment Details

Field	Value
Subscription	`noalz` (`00858ffc-dded-4f0f-8bbf-e17fff0d47d9`)
Resource Group	`rg-nordic-fresh-foods-prod`
Location	`swedencentral`
IaC Tool	Bicep (AVM modules)
Strategy	Phased (5 phases)
Total Duration	~20 minutes (excluding approval gates)
Overall Status	✅ Succeeded

Phase Execution Log

Phase	Name	Deployment Name	Duration	Result
0	Resource Group	(pre-existing)	—	✅ Present
1	Foundation	`nff-prod-phase1-20260311171038`	~2 min	✅ Succeeded
2	Observability	`nff-prod-phase2-20260311171237`	~2 min	✅ Succeeded
3	Security + DNS	`nff-prod-phase3-20260311171436`	~4 min	✅ Succeeded
4	Data	`nff-prod-phase4-20260311172523`	~5 min	✅ Succeeded
5	Compute + Budget	`nff-prod-phase5-20260311172803`	~3 min	✅ Succeeded

🏗️ Deployed Resources

Phase 1 — Foundation

Resource	Name	Type	Status
Virtual Network	`vnet-nordic-fresh-foods-prod`	`Microsoft.Network/virtualNetworks`	✅
Subnet (app tier)	`snet-app` (10.0.1.0/24)	vnet subnet	✅
Subnet (PE tier)	`snet-pe` (10.0.3.0/24)	vnet subnet	✅
Subnet (data tier)	`snet-data` (10.0.2.0/24)	vnet subnet	✅
NSG (app)	`nsg-nordic-fresh-foods-app-prod`	`Microsoft.Network/networkSecurityGroups`	✅
NSG (PE)	`nsg-nordic-fresh-foods-pe-prod`	`Microsoft.Network/networkSecurityGroups`	✅
NSG (data)	`nsg-nordic-fresh-foods-data-prod`	`Microsoft.Network/networkSecurityGroups`	✅

Phase 2 — Observability

Resource	Name	Type	Status
Log Analytics Workspace	`log-nordic-fresh-foods-prod`	`Microsoft.OperationalInsights/workspaces`	✅
Application Insights	`appi-nordic-fresh-foods-prod`	`Microsoft.Insights/components`	✅

Phase 3 — Security + DNS

Resource	Name	Type	Status
Key Vault (Premium, RBAC)	`kv-nff-prod-7jrcjfo3iqck`	`Microsoft.KeyVault/vaults`	✅
Private DNS Zone (SQL)	`privatelink.database.windows.net`	`Microsoft.Network/privateDnsZones`	✅
Private DNS Zone (Blob)	`privatelink.blob.core.windows.net`	`Microsoft.Network/privateDnsZones`	✅
Private DNS Zone (KV)	`privatelink.vaultcore.azure.net`	`Microsoft.Network/privateDnsZones`	✅
KV VNet Link	`vnet-nordic-fresh-foods-prod-vnetlink`	DNS VNet Link	✅
Private Endpoint (KV)	`pep-kv-nff-prod-7jrcjfo3iqck-vault-0`	`Microsoft.Network/privateEndpoints`	✅

Phase 4 — Data

Resource	Name	Type	Status
SQL Server	`sql-nordic-fresh-foods-prod`	`Microsoft.Sql/servers`	✅
SQL Database (S0, 10 DTU)	`sqldb-freshconnect-prod`	`Microsoft.Sql/servers/databases`	✅
SQL Auditing + Security	default policies	SQL sub-resources	✅
Private Endpoint (SQL)	`pep-sql-nordic-fresh-foods-prod-sqlServer-0`	`Microsoft.Network/privateEndpoints`	✅
Storage Account (HTTPS-only)	`stnffprod7jrcjfo3iqckk`	`Microsoft.Storage/storageAccounts`	✅
Blob Container	`assets`	blob container	✅
Blob Container	`product-images`	blob container	✅
Private Endpoint (Blob)	`pep-stnffprod7jrcjfo3iqckk-blob-0`	`Microsoft.Network/privateEndpoints`	✅

Phase 5 — Compute + Budget

Resource	Name	Type	Status
App Service Plan (S1)	`asp-nordic-fresh-foods-prod`	`Microsoft.Web/serverfarms`	✅
App Service	`app-nordic-fresh-foods-prod-7jrcjf`	`Microsoft.Web/sites`	✅ Running
Autoscale Settings	`autoscale-asp-nordic-fresh-foods-prod`	`Microsoft.Insights/autoscalesettings`	✅
RBAC Role Assignment (KV)	Managed Identity → Key Vault Secrets User	`Microsoft.Authorization/roleAssignments`	✅
Budget Alert (€800/month)	`budget-nordic-fresh-foods-prod`	`Microsoft.Consumption/budgets`	✅

📤 Outputs (Expected)

{
  "vnetResourceId": "/subscriptions/00858ffc-dded-4f0f-8bbf-e17fff0d47d9/resourceGroups/rg-nordic-fresh-foods-prod/providers/Microsoft.Network/virtualNetworks/vnet-nordic-fresh-foods-prod",
  "appServiceHostname": "app-nordic-fresh-foods-prod-7jrcjf.azurewebsites.net",
  "appServicePrincipalId": "24cd6768-7247-43ac-a1d2-9a7f22000a40",
  "keyVaultUri": "https://kv-nff-prod-7jrcjfo3iqck.vault.azure.net/",
  "sqlServerFqdn": "sql-nordic-fresh-foods-prod.database.windows.net",
  "storageAccountName": "stnffprod7jrcjfo3iqckk",
  "logAnalyticsWorkspaceName": "log-nordic-fresh-foods-prod"
}

Security Baseline Verification

Check	Expected	Actual	Status
Key Vault public access	Disabled	Disabled	✅
Key Vault purge protection	Enabled	True	✅
SQL Server auth	Azure AD-only	ActiveDirectory	✅
SQL Server public access	Disabled	Disabled	✅
Storage HTTPS-only	True	True	✅
Storage public blob access	False	False	✅
Storage network access	Disabled	Disabled	✅
App Service state	Running	Running	✅
App Managed Identity	Assigned	24cd6768-…	✅

🚀 To Actually Deploy

# Navigate to Bicep directory
cd infra/bicep/nordic-fresh-foods

# Preview changes
./deploy.ps1 -ResourceGroup rg-nordic-fresh-foods-prod -Environment prod -WhatIf

# Deploy (will prompt for approval at each phase in prod)
./deploy.ps1 -ResourceGroup rg-nordic-fresh-foods-prod -Environment prod

# Phase 1: Foundation
az deployment group create \
  --resource-group rg-nordic-fresh-foods-prod \
  --template-file main.bicep \
  --parameters main.bicepparam \
  --parameters phase=foundation

# Repeat with: phase=observability, phase=security, phase=data, phase=compute

📝 Post-Deployment Tasks

Task	Owner	Status
Bootstrap SQL contained user for App Service Managed Identity	DBA / nordic-foods-dba group	⬜
Configure application settings (App Insights key, SQL conn string via KV ref)	Dev team	⬜
Deploy application code to App Service	Dev/CI team	⬜
Validate App Service → Key Vault access via private endpoint	Ops team	⬜
Validate App Service → SQL database access via Managed Identity	Ops team	⬜
Run smoke tests on production endpoint	QA team	⬜
Notify budget contacts of active alerts (`jeff@bezos.com`, `sam@altman.com`)	Owner	⬜

SQL Contained User Bootstrap

Run after App Service MI principal ID is available:

-- Connect to sqldb-freshconnect-prod as Azure AD admin
CREATE USER [app-nordic-fresh-foods-prod-7jrcjf] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [app-nordic-fresh-foods-prod-7jrcjf];
ALTER ROLE db_datawriter ADD MEMBER [app-nordic-fresh-foods-prod-7jrcjf];

MI Object ID: 24cd6768-7247-43ac-a1d2-9a7f22000a40

References

Topic	Link
ARM Deployment Operations	View in Portal
Resource Group	View in Portal
App Service	View in Portal
Azure ARM Deployments	Documentation
Deployment Troubleshooting	Common Errors
What-If Operations	Preview Changes

Deployment summary for Nordic Fresh Foods (FreshConnect MVP) — generated by 07b-Bicep Deploy agent.

⬅️ Implementation Reference	🏠 Demo Index	➡️ As-Built Documentation