Merge branch 'waf-avm' of https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator into waf-avm

Author: Prajwal-Microsoft

code/backend/batch/utilities/helpers/env_helper.py

@@ -35,6 +35,7 @@ def __load_config(self, **kwargs) -> None:
         self.secretHelper = SecretHelper()
 
         self.LOGLEVEL = os.environ.get("LOGLEVEL", "INFO").upper()
+        self.APP_ENV = os.getenv("APP_ENV", "Prod").lower()
 
         # Azure
         self.AZURE_SUBSCRIPTION_ID = os.getenv("AZURE_SUBSCRIPTION_ID", "")

code/backend/batch/utilities/integrated_vectorization/azure_search_datasource.py

@@ -36,8 +36,12 @@ def create_or_update_datasource(self):
             connection_string=connection_string,
             container=container,
             data_deletion_detection_policy=NativeBlobSoftDeleteDeletionDetectionPolicy(),
-            identity=SearchIndexerDataUserAssignedIdentity(
-                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            identity=(
+                None
+                if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                else SearchIndexerDataUserAssignedIdentity(
+                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                )
             ),
         )
         self.indexer_client.create_or_update_data_source_connection(

code/backend/batch/utilities/integrated_vectorization/azure_search_index.py

@@ -145,8 +145,12 @@ def get_vector_search_config(self):
             azure_open_ai_parameters = AzureOpenAIParameters(
                 resource_uri=self.env_helper.AZURE_OPENAI_ENDPOINT,
                 deployment_id=self.env_helper.AZURE_OPENAI_EMBEDDING_MODEL,
-                auth_identity=SearchIndexerDataUserAssignedIdentity(
-                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                auth_identity=(
+                    None
+                    if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                    else SearchIndexerDataUserAssignedIdentity(
+                        user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                    )
                 ),
             )
 

code/backend/batch/utilities/integrated_vectorization/azure_search_skillset.py

@@ -96,8 +96,12 @@ def create_skillset(self):
                 if self.env_helper.is_auth_type_keys()
                 else None
             ),
-            auth_identity=SearchIndexerDataUserAssignedIdentity(
-                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            auth_identity=(
+                None
+                if getattr(self.env_helper, "APP_ENV", "").lower() == "dev"
+                else SearchIndexerDataUserAssignedIdentity(
+                    user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+                )
             ),
             inputs=[
                 InputFieldMappingEntry(name="text", source="/document/pages/*"),

infra/main.bicep

@@ -857,6 +857,21 @@ module search 'modules/core/search/search-services.bicep' = if (databaseType ==
         principalType: 'User'
       }
     ] : [])
+    enableSystemAssigned: true
+    systemAssignedRoleAssignments: [
+      {
+        resourceId: storage.outputs.id
+        roleName: 'Storage Blob Data Contributor'
+        roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+        principalType: 'ServicePrincipal'
+      }
+      {
+        resourceId: openai.outputs.resourceId
+        roleName: 'Cognitive Services User'
+        roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
+        principalType: 'ServicePrincipal'
+      }
+    ]
   }
 }
 

infra/main.json

@@ -39,6 +39,10 @@ param replicaCount int = 1
 param semanticSearch string = 'disabled'
 param userAssignedResourceId string = ''
 param roleAssignments array = []
+@description('Optional. Flag to enable a system-assigned managed identity for the Cognitive Services resource.')
+param enableSystemAssigned bool = false
+@description('Optional. Array of role assignments to apply to the system-assigned identity at the search service scope. Each item: { roleDefinitionId: "<GUID or built-in role definition id>" }')
+param systemAssignedRoleAssignments array = []
 
 // // Define DNS zone group configs as a variable
 // var privateDnsZoneGroupConfigs = [for zoneId in privateDnsZoneResourceIds: {
@@ -98,12 +102,27 @@ module avmSearch 'br/public:avm/res/search/search-service:0.11.1' = {
         ]
       : []
 
-    // Use only user-assigned identity
-    managedIdentities: { systemAssigned: false, userAssignedResourceIds: [userAssignedResourceId] }
+    // Configure managed identity: user-assigned for production, system-assigned allowed for local development with integrated vectorization
+    managedIdentities: { systemAssigned: enableSystemAssigned, userAssignedResourceIds: [userAssignedResourceId] }
     roleAssignments: roleAssignments
   }
 }
 
+// --- System-assigned identity role assignments for local development with integrated vectorization (optional) --- //
+@description('Role assignments applied to the system-assigned identity via AVM module. Objects can include: roleDefinitionId (req), roleName, principalType, resourceId.')
+module systemAssignedIdentityRoleAssignments 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = [
+  for assignment in systemAssignedRoleAssignments: if (enableSystemAssigned && !empty(systemAssignedRoleAssignments)) {
+    name: take('avm.ptn.authorization.resource-role-assignment.${uniqueString(searchResourceName, assignment.roleDefinitionId, assignment.resourceId)}', 64)
+    params: {
+      roleDefinitionId: assignment.roleDefinitionId
+      principalId: avmSearch.outputs.systemAssignedMIPrincipalId
+      resourceId: assignment.resourceId
+      roleName: assignment.roleName
+      principalType: assignment.principalType
+    }
+  }
+]
+
 output searchName string = avmSearch.outputs.name
 output searchEndpoint string = avmSearch.outputs.endpoint
 output searchResourceId string = avmSearch.outputs.resourceId