Combine last 9 commits

Author: jacob-gaylord

.github/workflows/azure-dev.yml

@@ -26,6 +26,7 @@ jobs:
       AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
       AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
       AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
       # project specific
@@ -95,7 +96,7 @@ jobs:
       USE_SPEECH_OUTPUT_BROWSER: ${{ vars.USE_SPEECH_OUTPUT_BROWSER }}
       USE_SPEECH_OUTPUT_AZURE: ${{ vars.USE_SPEECH_OUTPUT_AZURE }}
       AZURE_SPEECH_SERVICE: ${{ vars.AZURE_SPEECH_SERVICE }}
-      AZURE_SPEECH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SPEECH_RESOURCE_GROUP }}
+      AZURE_SPEECH_SERVICE_RESOURCE_GROUP: ${{ vars.AZURE_SPEECH_SERVICE_RESOURCE_GROUP }}
       AZURE_SPEECH_SERVICE_LOCATION: ${{ vars.AZURE_SPEECH_SERVICE_LOCATION }}
       AZURE_SPEECH_SERVICE_SKU: ${{ vars.AZURE_SPEECH_SERVICE_SKU }}
       AZURE_SPEECH_SERVICE_VOICE: ${{ vars.AZURE_SPEECH_SERVICE_VOICE }}
@@ -116,6 +117,7 @@ jobs:
       USE_CHAT_HISTORY_BROWSER: ${{ vars.USE_CHAT_HISTORY_BROWSER }}
       USE_MEDIA_DESCRIBER_AZURE_CU: ${{ vars.USE_MEDIA_DESCRIBER_AZURE_CU }}
       USE_AI_PROJECT: ${{ vars.USE_AI_PROJECT }}
+      SERVICE_WEB_RESOURCE_EXISTS: ${{ vars.SERVICE_WEB_RESOURCE_EXISTS }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -126,7 +128,7 @@ jobs:
       - name: Install Nodejs
         uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 20
 
       - name: Log in with Azure (Federated Credentials)
         if: ${{ env.AZURE_CLIENT_ID != '' }}
@@ -151,6 +153,25 @@ jobs:
         env:
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 
+      - name: Set default resource group variables
+        run: |
+          DEFAULT_RG="$AZURE_RESOURCE_GROUP"
+          for var in \
+            AZURE_OPENAI_RESOURCE_GROUP \
+            AZURE_DOCUMENTINTELLIGENCE_RESOURCE_GROUP \
+            AZURE_COMPUTER_VISION_RESOURCE_GROUP \
+            AZURE_CONTENT_UNDERSTANDING_RESOURCE_GROUP \
+            AZURE_SEARCH_SERVICE_RESOURCE_GROUP \
+            AZURE_STORAGE_RESOURCE_GROUP \
+            AZURE_SPEECH_SERVICE_RESOURCE_GROUP \
+            AZURE_COSMOSDB_RESOURCE_GROUP; do
+              if [ -z "${!var}" ]; then
+                echo "Setting $var to default $DEFAULT_RG"
+                echo "$var=$DEFAULT_RG" >> "$GITHUB_ENV"
+              fi
+          done
+        shell: bash
+
       - name: Provision Infrastructure
         run: azd provision --no-prompt
         env:

azure.yaml

@@ -8,11 +8,11 @@ services:
     project: ./app/backend
     language: py
     # Please check docs/azure_container_apps.md for more information on how to deploy to Azure Container Apps
-    host: containerapp
+    # host: containerapp
     docker:
       remoteBuild: true
     # Please check docs/azure_app_service.md for more information on how to deploy to Azure App Service
-    # host: appservice
+    host: appservice
     hooks:
       # This hook is called when App Service is the host
       prepackage:
@@ -122,11 +122,13 @@ pipeline:
       - AZURE_ADLS_GEN2_STORAGE_ACCOUNT
       - AZURE_ADLS_GEN2_FILESYSTEM_PATH
       - AZURE_ADLS_GEN2_FILESYSTEM
+      - AZURE_RESOURCE_GROUP
       - DEPLOYMENT_TARGET
       - AZURE_CONTAINER_APPS_WORKLOAD_PROFILE
       - USE_CHAT_HISTORY_BROWSER
       - USE_MEDIA_DESCRIBER_AZURE_CU
       - USE_AI_PROJECT
+      - SERVICE_WEB_RESOURCE_EXISTS
   secrets:
       - AZURE_SERVER_APP_SECRET
       - AZURE_CLIENT_APP_SECRET

configure_demo.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+# configure_demo.sh – prepares azd environment for the public demo using existing resource group & storage account
+set -euo pipefail
+
+# ----- parameters you may tweak -----
+RG="rg-jacob-paul-rag"                        # existing resource group
+SUB="6c8e23df-4aec-4ed5-bec5-79853ea6c6c6"   # subscription id
+LOC="eastus2"                                # default location
+ENV_NAME="demo"                              # azd env folder name
+STORAGE_ACCT="stinternalrag001"              # existing ADLS Gen2 account
+
+# fixed resource names following pattern <abbr>-internal-3c-rag
+SEARCH="srch-internal-3c-rag"
+OPENAI="oai-internal-3c-rag"
+DOCINT="di-internal-3c-rag"
+SPEECH="spch-internal-3c-rag"
+PLAN="asp-internal-3c-rag"
+WEBAPP="app-internal-3c-rag"
+COSMOS="cosmosinternal3crag"    # Cosmos account names cannot have hyphens
+
+# ----- create / switch azd env -----
+# create or switch to environment
+if azd env list --output json | grep -q "\"$ENV_NAME\""; then
+  echo "Selecting existing environment $ENV_NAME"
+  azd env select "$ENV_NAME"
+else
+  azd env new "$ENV_NAME" --subscription "$SUB" --location "$LOC"
+fi
+# pin to existing resource group
+azd env set AZURE_RESOURCE_GROUP "$RG"
+
+# ----- hosting SKUs / flags -----
+azd env set DEPLOYMENT_TARGET appservice
+azd env set AZURE_APP_SERVICE_SKU P0v3
+azd env set AZURE_SEARCH_SERVICE_SKU standard
+azd env set SERVICE_WEB_RESOURCE_EXISTS true
+
+# ----- explicit resource names -----
+azd env set AZURE_STORAGE_ACCOUNT           "$STORAGE_ACCT"
+azd env set AZURE_STORAGE_CONTAINER        "content"
+azd env set AZURE_STORAGE_RESOURCE_GROUP   "$RG"
+azd env set AZURE_APPLICATION_INSIGHTS     "appi-internal-3c-rag"
+azd env set AZURE_APPLICATION_INSIGHTS_DASHBOARD "dash-internal-3c-rag"
+azd env set AZURE_LOG_ANALYTICS            "log-internal-3c-rag"
+azd env set AZURE_SEARCH_SERVICE            "$SEARCH"
+azd env set AZURE_OPENAI_SERVICE            "$OPENAI"
+azd env set AZURE_DOCUMENTINTELLIGENCE_SERVICE "$DOCINT"
+azd env set AZURE_SPEECH_SERVICE            "$SPEECH"
+azd env set AZURE_APP_SERVICE_PLAN          "$PLAN"
+azd env set AZURE_APP_SERVICE               "$WEBAPP"
+azd env set AZURE_COSMOSDB_ACCOUNT          "$COSMOS"
+
+# ----- model / vision -----
+azd env set AZURE_OPENAI_EMB_MODEL_NAME  text-embedding-3-large
+azd env set AZURE_OPENAI_EMB_DIMENSIONS  3072
+# Enable GPT-4 Vision feature flag expected by template
+azd env set USE_GPT4V true
+# Optional: set the GPT-4V deployment/model names (can be blank to let template default)
+azd env set AZURE_OPENAI_GPT4V_MODEL gpt-4o
+azd env set AZURE_OPENAI_GPT4V_DEPLOYMENT gpt4v
+azd env set USE_MEDIA_DESCRIBER_AZURE_CU false
+
+# ----- retrieval options -----
+azd env set AZURE_SEARCH_SEMANTIC_RANKER standard
+azd env set AZURE_SEARCH_QUERY_REWRITING true
+
+# ----- chat history -----
+azd env set USE_CHAT_HISTORY_COSMOS true
+
+# ----- speech -----
+azd env set USE_SPEECH_INPUT_BROWSER  true
+azd env set USE_SPEECH_OUTPUT_AZURE  true
+azd env set AZURE_SPEECH_SERVICE_VOICE en-US-AndrewMultilingualNeural
+
+# ----- security & uploads -----
+azd env set AZURE_USE_AUTHENTICATION true
+TENANT_ID=$(az account show --query tenantId -o tsv 2>/dev/null || echo "")
+if [ -n "$TENANT_ID" ]; then
+  azd env set AZURE_AUTH_TENANT_ID "$TENANT_ID"
+  azd env set AZURE_TENANT_ID "$TENANT_ID"
+fi
+azd env set USE_USER_UPLOAD true
+
+# content understanding (Azure AI Foundry account)
+azd env set AZURE_COMPUTER_VISION_SERVICE  "cu-internal-3c-rag"
+
+# user-upload storage account (ADLS Gen2)
+azd env set AZURE_ADLS_GEN2_STORAGE_ACCOUNT "userstinternal3crag"
+azd env set AZURE_ADLS_GEN2_FILESYSTEM      "user-content"
+azd env set AZURE_ADLS_GEN2_FILESYSTEM_PATH ""
+
+# ----- regional parameters to avoid interactive prompts -----
+# keep required uppercase vars
+azd env set AZURE_OPENAI_LOCATION "$LOC"
+azd env set AZURE_DOCUMENTINTELLIGENCE_LOCATION "eastus"
+
+echo "✔ Demo environment configured. Run 'azd up' next." 

infra/core/host/appservice.bicep

@@ -83,15 +83,25 @@ var appServiceProperties = {
   publicNetworkAccess: publicNetworkAccess
 }
 
-resource appService 'Microsoft.Web/sites@2022-03-01' = {
+// add flag to indicate the App Service already exists and should not be re-created
+@description('If true the module will reference an existing App Service instead of creating a new one.')
+param exists bool = false
+
+// Reference existing site when `exists` is true
+resource appServiceExisting 'Microsoft.Web/sites@2022-03-01' existing = if (exists) {
+  name: name
+}
+
+// Create or update site only when it doesn't already exist
+resource appService 'Microsoft.Web/sites@2022-03-01' = if (!exists) {
   name: name
   location: location
   tags: tags
   kind: kind
   properties: appServiceProperties
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
 
-  resource configAppSettings 'config' = {
+  resource configAppSettings 'config' = if (!exists) {
     name: 'appsettings'
     properties: union(appSettings,
       {
@@ -103,7 +113,7 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
   }
 
-  resource configLogs 'config' = {
+  resource configLogs 'config' = if (!exists) {
     name: 'logs'
     properties: {
       applicationLogs: { fileSystem: { level: 'Verbose' } }
@@ -116,21 +126,21 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
     ]
   }
 
-  resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
+  resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = if (!exists) {
     name: 'ftp'
     properties: {
       allow: false
     }
   }
 
-  resource basicPublishingCredentialsPoliciesScm 'basicPublishingCredentialsPolicies' = {
+  resource basicPublishingCredentialsPoliciesScm 'basicPublishingCredentialsPolicies' = if (!exists) {
     name: 'scm'
     properties: {
       allow: false
     }
   }
 
-  resource configAuth 'config' = if (!(empty(clientAppId)) && !disableAppServicesAuthentication) {
+  resource configAuth 'config' = if (!exists && !(empty(clientAppId)) && !disableAppServicesAuthentication) {
     name: 'authsettingsV2'
     properties: {
       globalValidation: {
@@ -174,7 +184,10 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
   name: applicationInsightsName
 }
 
-output id string = appService.id
-output identityPrincipalId string = managedIdentity ? appService.identity.principalId : ''
-output name string = appService.name
-output uri string = 'https://${appService.properties.defaultHostName}'
+// Choose correct reference for outputs
+var appRef = exists ? appServiceExisting : appService
+
+output id string = resourceId('Microsoft.Web/sites', name)
+output identityPrincipalId string = managedIdentity ? appRef.identity.principalId : ''
+output name string = name
+output uri string = 'https://${appRef.properties.defaultHostName}'

infra/core/security/documentdb-sql-role.bicep

@@ -14,7 +14,7 @@ resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' exis
   name: databaseAccountName
 }
 
-resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
+resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = if (!empty(principalId)) {
   name: guid(databaseAccount.id, principalId, roleDefinitionId)
   parent: databaseAccount
   properties: {

infra/core/security/role.bicep

@@ -11,7 +11,7 @@ param principalId string
 param principalType string = 'ServicePrincipal'
 param roleDefinitionId string
 
-resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(principalId)) {
   name: guid(subscription().id, resourceGroup().id, principalId, roleDefinitionId)
   properties: {
     principalId: principalId

infra/main.bicep

@@ -481,7 +481,6 @@ module backend 'core/host/appservice.bicep' = if (deploymentTarget == 'appservic
     name: !empty(backendServiceName) ? backendServiceName : '${abbrs.webSitesAppService}backend-${resourceToken}'
     location: location
     tags: union(tags, { 'azd-service-name': 'backend' })
-    // Need to check deploymentTarget again due to https://github.com/Azure/bicep/issues/3990
     appServicePlanId: deploymentTarget == 'appservice' ? appServicePlan.outputs.id : ''
     runtimeName: 'python'
     runtimeVersion: '3.11'
@@ -499,6 +498,7 @@ module backend 'core/host/appservice.bicep' = if (deploymentTarget == 'appservic
     authenticationIssuerUri: authenticationIssuerUri
     use32BitWorkerProcess: appServiceSkuName == 'F1'
     alwaysOn: appServiceSkuName != 'F1'
+    exists: webAppExists
     appSettings: union(appEnvVariables, {
       AZURE_SERVER_APP_SECRET: serverAppSecret
       AZURE_CLIENT_APP_SECRET: clientAppSecret