Merge branch 'main' into mcs/ianjensenisme/13-end-to-end-test

Author: ianjensenisme

README.md

@@ -78,9 +78,9 @@ This architecture ensures that sensitive enterprise data never traverses public
   - [**Copilot in Power Apps**](https://learn.microsoft.com/en-us/power-apps/maker/canvas-apps/ai-overview?WT.mc_id=ppac_inproduct_settings): Enable this setting to allow AI-powered assistance within Power Apps development
   - [**Publish Copilots with AI features**](https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-and-governance): Allow Copilot authors to publish from Copilot Studio when AI features are enabled  
 - **Power Platform licenses**. The designated user must have the following Power Platform licenses assigned:
-    - **Microsoft Power Apps**
-    - **Power Automate**
-    - **Copilot Studio**
+  - **Microsoft Power Apps**
+  - **Power Automate**
+  - **Copilot Studio**
 
     To simplify license management, you can use an Azure subscription with a Billing Policy instead of assigning licenses directly. Configure this by using the following flag:
 
@@ -328,9 +328,8 @@ telemetry, simply remove `partner_id`. When enabled, the `partner_id` is appende
 
 ## Responsible AI
 
-Microsoft encourages customers to review its Responsible AI Standard when developing AI-enabled 
-systems to ensure ethical, safe, and inclusive AI practices. Learn more at 
-https://www.microsoft.com/en-us/ai/responsible-ai.
+Microsoft encourages customers to review its Responsible AI Standard when developing AI-enabled
+systems to ensure ethical, safe, and inclusive AI practices. Learn more at <https://www.microsoft.com/en-us/ai/responsible-ai>.
 
 ## Getting help
 

docs/app_registration_setup.md

@@ -23,6 +23,9 @@ will be created:
    - *Contributor*: Grants permission to create and manage Azure resources.
    - *Role Based Access Control Administrator*: Grants permission to assign RBAC roles, which is
    required when using managed identities.
+   - *User Access Administrator*: Grants the ability to manage user access to resources, including assigning and revoking permissions.
+
+   **Note**: You can specify those permissions on a resource group level to limit their scope. See [providing your own resource group documentation](./custom_resource_group.md) for more details.
 
 1. Grant **admin consent** for all delegated permissions assigned to the app. This can be done in the [Azure portal](portal.azure.com) under **App registrations** > **API permissions** > **Grant admin consent**.
 

docs/custom_resource_group.md

@@ -0,0 +1,11 @@
+# Custom Resource Group Name
+
+This template creates a resource group with a randomly generated name by default. You can override this behavior by specifying pre-created resource group during deployment.
+
+## Required Variables
+
+To use your own resource group, set the following environment variable:
+
+```shell
+azd env set RESOURCE_GROUP_NAME "<your-resource-group-name>"
+```

infra/main.ai.tf

@@ -7,7 +7,7 @@ module "azure_open_ai" {
   kind                               = "OpenAI"
   location                           = var.location
   name                               = "aoai${random_string.name.id}"
-  resource_group_name                = azurerm_resource_group.this.name
+  resource_group_name                = local.resource_group_name
   enable_telemetry                   = true
   sku_name                           = "S0"
   local_auth_enabled                 = true
@@ -45,7 +45,7 @@ module "azure_open_ai" {
 # Private DNS zone for Azure OpenAI private endpoint resolution
 resource "azurerm_private_dns_zone" "aoai_dns" {
   name                = "privatelink.openai.azure.com"
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 }
 
@@ -58,7 +58,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "aoai_dns_links" {
 
   name                  = "aoai-${each.key}-link"
   private_dns_zone_name = azurerm_private_dns_zone.aoai_dns.name
-  resource_group_name   = azurerm_resource_group.this.name
+  resource_group_name   = local.resource_group_name
   virtual_network_id    = each.value
   tags                  = var.tags
 }
@@ -68,7 +68,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "aoai_dns_links" {
 resource "azurerm_private_dns_a_record" "aoai_dns_record" {
   name                = module.azure_open_ai.resource.name
   zone_name           = azurerm_private_dns_zone.aoai_dns.name
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   ttl                 = 10
   records             = [module.azure_open_ai.private_endpoints["pe_endpoint"].private_service_connection[0].private_ip_address]
   tags                = var.tags

infra/main.app_insights.tf

@@ -4,9 +4,9 @@ resource "azurerm_application_insights" "insights" {
   count = var.include_app_insights ? 1 : 0
 
   application_type    = "web"
-  location            = azurerm_resource_group.this.location
+  location            = local.resource_group_location
   name                = "${var.resource_prefix}-appinsights-${var.resource_suffix}"
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
 }
 
 resource "azurerm_application_insights_workbook" "workbook" {
@@ -35,7 +35,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_1"].chart
         },
@@ -53,7 +53,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_2"].chart
         },
@@ -71,7 +71,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_3"].chart
         },
@@ -89,7 +89,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_4"].chart
         },
@@ -107,7 +107,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_5"].chart
         },
@@ -125,7 +125,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
           "queryType" : 0,
           "resourceType" : "microsoft.insights/components",
           "crossComponentResources" : [
-            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.this.name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
+            "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Insights/components/${azurerm_application_insights.insights[0].name}"
           ],
           "visualization" : var.app_insights_sections["section_6"].chart
         },
@@ -138,7 +138,7 @@ resource "azurerm_application_insights_workbook" "workbook" {
     "$schema" : "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
   })
   display_name        = "Azure Monitor Workbook"
-  location            = azurerm_resource_group.this.location
+  location            = local.resource_group_location
   name                = random_uuid.uid.result
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
 }

infra/main.github_runners.tf

@@ -7,7 +7,7 @@ module "github_runner_aca_primary" {
   environment_name           = var.azd_environment_name
   unique_id                  = random_string.name.id
   location                   = var.primary_location
-  resource_group_name        = azurerm_resource_group.this.name
+  resource_group_name        = local.resource_group_name
   infrastructure_subnet_id   = azurerm_subnet.github_runner_primary_subnet[0].id
   private_endpoint_subnet_id = local.pe_primary_subnet_id
   virtual_network_id         = local.primary_virtual_network_id
@@ -48,7 +48,7 @@ module "github_runner_aca_failover" {
   environment_name           = "${var.azd_environment_name}-failover"
   unique_id                  = "${random_string.name.id}-fo"
   location                   = var.failover_location
-  resource_group_name        = azurerm_resource_group.this.name
+  resource_group_name        = local.resource_group_name
   infrastructure_subnet_id   = azurerm_subnet.github_runner_failover_subnet[0].id
   private_endpoint_subnet_id = local.pe_failover_subnet_id
   virtual_network_id         = local.failover_virtual_network_id

infra/main.network.tf

@@ -3,7 +3,7 @@ locals {
   primary_virtual_network_id    = coalesce(var.networking.primary_virtual_network.id, local.create_network_infrastructure ? null : azurerm_virtual_network.primary_virtual_network[0].id)
   primary_virtual_network_resource_group = coalesce(
     length(local.primary_vnet_matches) > 0 ? local.primary_vnet_matches[0].resource_group_name : null,
-    local.create_network_infrastructure ? null : azurerm_resource_group.this.name
+    local.create_network_infrastructure ? null : local.resource_group_name
   )
 
   # Get matching primary VNets from data source
@@ -58,7 +58,7 @@ resource "azurerm_virtual_network" "primary_virtual_network" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                = "power-platform-primary-vnet-${random_string.name.id}"
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   location            = var.primary_location
   address_space       = var.primary_vnet_address_spaces
   tags                = var.tags
@@ -68,7 +68,7 @@ resource "azurerm_virtual_network" "failover_virtual_network" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                = "power-platform-failover-vnet-${random_string.name.id}"
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   location            = var.failover_location
   address_space       = var.failover_vnet_address_spaces
   tags                = var.tags
@@ -80,7 +80,7 @@ resource "azurerm_subnet" "primary_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                 = var.primary_subnet_name
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.primary_subnet_address_spaces
   service_endpoints    = ["Microsoft.Storage", "Microsoft.CognitiveServices"]
@@ -107,7 +107,7 @@ resource "azurerm_subnet" "failover_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                 = var.failover_subnet_name
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.failover_virtual_network[0].name
   address_prefixes     = var.failover_subnet_address_spaces
   service_endpoints    = ["Microsoft.Storage", "Microsoft.CognitiveServices"]
@@ -134,7 +134,7 @@ resource "azurerm_subnet" "pe_primary_subnet" {
 
   # checkov:skip=CKV2_AZURE_31:"Ensure VNET subnet is configured with a Network Security Group (NSG)
   name                 = "pe-primary-subnet"
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.primary_pe_subnet_address_spaces
   service_endpoints    = ["Microsoft.CognitiveServices", "Microsoft.Storage"]
@@ -148,7 +148,7 @@ resource "azurerm_subnet" "pe_failover_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                 = "pe-failover-subnet"
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.failover_virtual_network[0].name
   address_prefixes     = var.failover_pe_subnet_address_spaces
   service_endpoints    = ["Microsoft.CognitiveServices"]
@@ -164,7 +164,7 @@ resource "azurerm_subnet" "github_runner_primary_subnet" {
   count = var.deploy_github_runner && local.create_network_infrastructure == false ? 1 : 0
 
   name                 = "github-runner-primary-subnet"
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.primary_gh_runner_subnet_address_spaces
   service_endpoints    = ["Microsoft.Storage"]
@@ -191,7 +191,7 @@ resource "azurerm_subnet" "github_runner_failover_subnet" {
   count = var.deploy_github_runner && local.create_network_infrastructure == false ? 1 : 0
 
   name                 = "github-runner-failover-subnet"
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.failover_virtual_network[0].name
   address_prefixes     = var.failover_gh_runner_subnet_address_spaces
   service_endpoints    = ["Microsoft.Storage"]
@@ -222,7 +222,7 @@ resource "azurerm_public_ip" "nat_gateway_ips" {
 
   name                = "${each.key}-nat-gateway-ip"
   location            = each.value
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   allocation_method   = "Static"
   sku                 = "Standard"
   tags                = var.tags
@@ -236,7 +236,7 @@ resource "azurerm_nat_gateway" "nat_gateways" {
 
   location            = each.value
   name                = "${each.key}-nat-gateway"
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   sku_name            = "Standard"
   tags                = var.tags
 
@@ -259,7 +259,7 @@ resource "azurerm_subnet" "deployment_script_container_subnet" {
   count = local.create_network_infrastructure ? 0 : 1
 
   name                 = "deploymentscript-subnet"
-  resource_group_name  = azurerm_resource_group.this.name
+  resource_group_name  = local.resource_group_name
   virtual_network_name = azurerm_virtual_network.primary_virtual_network[0].name
   address_prefixes     = var.deployment_script_subnet_address_spaces
   service_endpoints    = ["Microsoft.Storage", "Microsoft.CognitiveServices"]
@@ -291,7 +291,7 @@ resource "azurerm_network_security_group" "power_platform_primary_nsg" {
 
   name                = "power-platform-primary-nsg-${random_string.name.id}"
   location            = var.primary_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow outbound HTTPS for Power Platform services
@@ -353,7 +353,7 @@ resource "azurerm_network_security_group" "power_platform_failover_nsg" {
 
   name                = "power-platform-failover-nsg-${random_string.name.id}"
   location            = var.failover_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow outbound HTTPS for Power Platform services
@@ -415,7 +415,7 @@ resource "azurerm_network_security_group" "private_endpoint_primary_nsg" {
 
   name                = "private-endpoint-primary-nsg-${random_string.name.id}"
   location            = var.primary_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow inbound traffic from VNet to private endpoints
@@ -451,7 +451,7 @@ resource "azurerm_network_security_group" "private_endpoint_failover_nsg" {
 
   name                = "private-endpoint-failover-nsg-${random_string.name.id}"
   location            = var.failover_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow inbound traffic from VNet to private endpoints
@@ -486,7 +486,7 @@ resource "azurerm_network_security_group" "github_runner_nsg" {
   count               = var.deploy_github_runner && local.create_network_infrastructure == false ? 1 : 0
   name                = "github-runner-nsg-${random_string.name.id}"
   location            = var.primary_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow outbound HTTPS for GitHub and container registry access
@@ -560,7 +560,7 @@ resource "azurerm_network_security_group" "deployment_script_nsg" {
 
   name                = "deployment-script-nsg-${random_string.name.id}"
   location            = var.primary_location
-  resource_group_name = azurerm_resource_group.this.name
+  resource_group_name = local.resource_group_name
   tags                = var.tags
 
   # Allow outbound HTTPS for Azure services and package downloads