{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "baseName": {
      "type": "string",
      "metadata": {
        "description": "The base resource name."
      }
    },
    "testApplicationOid": {
      "type": "string",
      "metadata": {
        "description": "The client OID to grant access to test resources."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "72f988bf-86f1-41af-91ab-2d7cd011db47",
      "metadata": {
        "description": "The tenant ID to which the application and resources belong."
      }
    },
    "testApplicationId": {
      "type": "string",
      "metadata": {
        "description": "The application client ID used to run tests."
      }
    },
    "enableVersioning": {
      "type": "bool",
      "defaultValue": true
    },
    "storageEndpointSuffix": {
      "type": "string",
      "defaultValue": "core.windows.net",
      "metadata": {
        "description": "Storage endpoint suffix. The default value uses Azure Public Cloud (core.windows.net)"
      }
    }
  },
  "variables": {
    "storageApiVersion": "2022-05-01",
    "location": "[resourceGroup().location]",
    "accountName": "[parameters('baseName')]",
    "accountNameTidy": "[toLower(trim(variables('accountName')))]",
    "accountSasProperties": {
      "signedServices": "bfqt",
      "signedPermission": "rwdlacup",
      "signedResourceTypes": "sco",
      "keyToSign": "key1",
      "signedExpiry": "2099-01-01T23:59:00Z"
    },
    "authorizationApiVersion": "2018-01-01-preview",
    "tablesDataContributorRoleId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]",
    "tablesDataReaderRoleId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "[variables('authorizationApiVersion')]",
      "name": "[guid(concat('tablesDataContributorRoleId', variables('accountName')))]",
      "dependsOn": [ "[variables('accountName')]" ],
      "properties": {
        "roleDefinitionId": "[variables('tablesDataContributorRoleId')]",
        "principalId": "[parameters('testApplicationOid')]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "[variables('authorizationApiVersion')]",
      "name": "[guid(concat('tablesDataReaderRoleId', variables('accountName')))]",
      "dependsOn": [ "[variables('accountName')]" ],
      "properties": {
        "roleDefinitionId": "[variables('tablesDataReaderRoleId')]",
        "principalId": "[parameters('testApplicationOid')]"
      }
    },
    {
      "name": "[variables('accountName')]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "[variables('storageApiVersion')]",
      "location": "[variables('location')]",
      "sku": {
        "name": "Standard_RAGRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "networkAcls": {
          "bypass": "AzureServices",
          "virtualNetworkRules": [
          ],
          "ipRules": [
          ],
          "defaultAction": "Allow"
        },
        "allowSharedKeyAccess": false,
        "supportsHttpsTrafficOnly": true,
        "allowBlobPublicAccess": true,
        "encryption": {
          "services": {
            "file": {
              "enabled": true
            },
            "blob": {
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot",
        "minimumTlsVersion": "TLS1_2"
      },
      "dependsOn": [],
      "tags": {}
    },
    {
      "name": "[concat(variables('accountName'), '/default')]",
      "type": "microsoft.storage/storageaccounts/tableServices",
      "apiVersion": "2023-01-01",
      "dependsOn": [
        "[concat('microsoft.storage/storageaccounts/', variables('accountName'))]"
      ]
    }
  ],
  "outputs": {
    "STORAGE_TENANT_ID": {
      "type": "string",
      "value": "[parameters('tenantId')]"
    },
    "STORAGE_CLIENT_ID": {
      "type": "string",
      "value": "[parameters('testApplicationId')]"
    },
    "ACCOUNT_NAME": {
      "type": "string",
      "value": "[variables('accountName')]"
    },
    "ACCOUNT_KEY": {
      "type": "string",
      "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('accountName')), variables('storageApiVersion')).keys[0].value]"
    },
    "ACCOUNT_SAS": {
      "type": "string",
      "value": "[concat('?', listAccountSas(variables('accountNameTidy'), variables('storageApiVersion'), variables('accountSasProperties')).accountSasToken)]"
    },
    "STANDARD_STORAGE_CONNECTION_STRING": {
      "type": "string",
      "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('accountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('accountName')), variables('storageApiVersion')).keys[0].value, ';EndpointSuffix=', parameters('storageEndpointSuffix'))]"
    },
    "AZURE_STORAGE_CONNECTION_STRING": {
      "type": "string",
      "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('accountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('accountName')), variables('storageApiVersion')).keys[0].value, ';EndpointSuffix=', parameters('storageEndpointSuffix'))]"
    },
   "AAD_TENANT_ID": {
      "type": "string",
      "value": "[parameters('tenantId')]"
    },
    "AAD_CLIENT_ID": {
      "type": "string",
      "value": "[parameters('testApplicationId')]"
    },
    "RESOURCE_GROUP": {
      "type": "string",
      "value": "[concat('rg-storage-', variables('accountName'))]"
    }
  }
}