chore: update Bicep IaC to enforce managed identity and Key Vault for all secrets

## Context
The deployed environment now uses managed identity for Azure OpenAI (API key removed) and Key Vault for database password. The Bicep templates need updating to codify this.

## Tasks
- [ ] Remove `AZURE_OPENAI_API_KEY` from Container App env vars in Bicep
- [ ] Add Key Vault secret for `database-password` in Bicep
- [ ] Reference `database-password` via `secretref` in Container App Bicep module
- [ ] Remove `AZURE_OPENAI_DALLE_DEPLOYMENT` env var (no image model deployed)
- [ ] Set `allowSharedKeyAccess: false` on storage account in Bicep
- [ ] Ensure all service-to-service auth uses the user-assigned managed identity
- [ ] Add `Cognitive Services OpenAI User` role assignment in Bicep (already exists manually)

## Current State
These changes were applied manually via `az` CLI. The Bicep templates need to match.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: update Bicep IaC to enforce managed identity and Key Vault for all secrets #744

Context

Tasks

Current State

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

chore: update Bicep IaC to enforce managed identity and Key Vault for all secrets #744

Description

Context

Tasks

Current State

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions