fix(infra): address SFI security compliance issues (ADO #43311)

infra/main.bicep

@@ -363,6 +363,10 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.15.0' = if (enable
     adminPassword: vmAdminPassword ?? 'JumpboxAdminP@ssw0rd1234!'
     tags: allTags
     zone: 0
+    // SFI: enable system-assigned managed identity on the jumpbox VM. Required so
+    // the Azure Monitor Agent can authenticate to the Log Analytics workspace and
+    // honor the SecurityAuditEvents data collection rule association. (ADO #43311)
+    managedIdentities: { systemAssigned: true }
     imageReference: {
       offer: 'WindowsServer'
       publisher: 'MicrosoftWindowsServer'
@@ -409,6 +413,94 @@ module jumpboxVM 'br/public:avm/res/compute/virtual-machine:0.15.0' = if (enable
       }
     ]
     enableTelemetry: enableTelemetry
+    // SFI: associate the SecurityAuditEvents data collection rule with the
+    // jumpbox VM via the Azure Monitor Agent extension. Routes Windows audit
+    // success (4624) / audit failure (4625) events to Log Analytics. Disabled
+    // when monitoring is off because the DCR is also gated on enableMonitoring.
+    // (ADO #43311)
+    extensionMonitoringAgentConfig: enableMonitoring
+      ? {
+          enabled: true
+          tags: allTags
+          dataCollectionRuleAssociations: [
+            {
+              name: 'send-${logAnalyticsWorkspaceResourceName}'
+              dataCollectionRuleResourceId: windowsVmDataCollectionRules!.outputs.resourceId
+            }
+          ]
+        }
+      : null
+  }
+}
+
+// SFI: install the Azure Monitor "Security" solution on the Log Analytics
+// workspace so that the Microsoft-SecurityEvent stream produced by the data
+// collection rule below populates the SecurityEvent table. Same gate as the
+// DCR. (ADO #43311)
+resource securitySolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = if (enablePrivateNetworking && enableMonitoring) {
+  name: 'Security(${logAnalyticsWorkspaceResourceName})'
+  location: solutionLocation
+  plan: {
+    name: 'Security(${logAnalyticsWorkspaceResourceName})'
+    publisher: 'Microsoft'
+    product: 'OMSGallery/Security'
+    promotionCode: ''
+  }
+  properties: {
+    workspaceResourceId: logAnalyticsWorkspaceResourceId
+  }
+}
+
+// SFI: data collection rule that captures Windows Security audit success
+// (EventID 4624) and audit failure (EventID 4625) events from the jumpbox VM
+// and routes them to Log Analytics via the Microsoft-SecurityEvent stream.
+// (ADO #43311)
+var dataCollectionRulesResourceName = 'dcr-${solutionSuffix}'
+var dataCollectionRulesLocation = useExistingLogAnalytics
+  ? existingLogAnalyticsWorkspace!.location
+  : logAnalyticsWorkspace!.outputs.location
+module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-rule:0.11.0' = if (enablePrivateNetworking && enableMonitoring) {
+  name: take('avm.res.insights.data-collection-rule.${dataCollectionRulesResourceName}', 64)
+  dependsOn: [securitySolution]
+  params: {
+    name: dataCollectionRulesResourceName
+    tags: allTags
+    enableTelemetry: enableTelemetry
+    location: dataCollectionRulesLocation
+    dataCollectionRuleProperties: {
+      kind: 'Windows'
+      dataSources: {
+        windowsEventLogs: [
+          {
+            name: 'SecurityAuditEvents'
+            streams: [
+              'Microsoft-SecurityEvent'
+            ]
+            xPathQueries: [
+              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+            ]
+          }
+        ]
+      }
+      destinations: {
+        logAnalytics: [
+          {
+            workspaceResourceId: logAnalyticsWorkspaceResourceId
+            name: 'la-${dataCollectionRulesResourceName}'
+          }
+        ]
+      }
+      dataFlows: [
+        {
+          streams: [
+            'Microsoft-SecurityEvent'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+        }
+      ]
+    }
   }
 }
 
@@ -480,6 +572,8 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
     location: solutionLocation
     managedIdentities: { systemAssigned: true }
     minimumTlsVersion: 'TLS1_2'
+    // SFI: enable infrastructure (double) encryption at rest (ADO #43311)
+    requireInfrastructureEncryption: true
     enableTelemetry: enableTelemetry
     tags: allTags
     accessTier: 'Hot'
@@ -598,6 +692,8 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
     location: cosmosLocation
     tags: allTags
     enableTelemetry: enableTelemetry
+    // SFI: enable system-assigned managed identity for Cosmos DB account (ADO #43311)
+    managedIdentities: { systemAssigned: true }
     sqlDatabases: [
       {
         name: cosmosDatabaseName
@@ -1147,6 +1243,11 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
     ]
     enableTelemetry: enableTelemetry
     publicNetworkAccess: 'Enabled' // Always enabled for Container Apps Environment
+    // SFI: enable mTLS / end-to-end encryption between revisions within the
+    // Container Apps environment (Container Apps equivalent of App Service's
+    // endToEndEncryptionEnabled). Applies to Microsoft.App/managedEnvironments
+    // peerTrafficConfiguration.encryption.enabled. (ADO #43311)
+    peerTrafficEncryption: true
 
     // <========== WAF related parameters