fix: Integrate UMI Across Infra, Secure PostgreSQL Connections, and Update Azure Search Identity (#1899)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Roopan-Microsoft <[email protected]>
Co-authored-by: Ajit Padhi <[email protected]>
Co-authored-by: Roopan P M <[email protected]>
Co-authored-by: Ross Smith <[email protected]>
Co-authored-by: gpickett <[email protected]>
Co-authored-by: Francia Riesco <[email protected]>
Co-authored-by: Francia Riesco <[email protected]>
Co-authored-by: Prajwal D C <[email protected]>
Co-authored-by: Harmanpreet-Microsoft <[email protected]>
Co-authored-by: UtkarshMishra-Microsoft <[email protected]>
Co-authored-by: Priyanka-Microsoft <[email protected]>
Co-authored-by: Prasanjeet-Microsoft <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kiran-Siluveru-Microsoft <[email protected]>
Co-authored-by: Prashant-Microsoft <[email protected]>
Co-authored-by: Rohini-Microsoft <[email protected]>
Co-authored-by: Avijit-Microsoft <[email protected]>
Co-authored-by: RaviKiran-Microsoft <[email protected]>
Co-authored-by: Somesh Joshi <[email protected]>
Co-authored-by: Himanshi Agrawal <[email protected]>
Co-authored-by: pradeepjha-microsoft <[email protected]>
Co-authored-by: Harmanpreet Kaur <[email protected]>
Co-authored-by: Bangarraju-Microsoft <[email protected]>
Co-authored-by: Harsh-Microsoft <[email protected]>
Co-authored-by: Kanchan-Microsoft <[email protected]>
Co-authored-by: Cristopher Coronado <[email protected]>
Co-authored-by: Cristopher Coronado Moreira <[email protected]>
Co-authored-by: Vamshi-Microsoft <[email protected]>
Co-authored-by: Thanusree-Microsoft <[email protected]>
Co-authored-by: Niraj Chaudhari (Persistent Systems Inc) <[email protected]>
Co-authored-by: Rohini-Microsoft <[email protected]>

Author: 29 people

code/backend/batch/utilities/chat_history/postgresdbservice.py

@@ -33,7 +33,7 @@ async def connect(self):
                 database=self.database,
                 password=token,
                 port=5432,
-                ssl="require",
+                ssl=True,
             )
         except Exception as e:
             logger.error("Failed to connect to PostgreSQL: %s", e)

code/backend/batch/utilities/helpers/azure_postgres_helper.py

@@ -31,7 +31,7 @@ def _create_search_client(self):
 
             # Use the token in the connection string
             conn_string = (
-                f"host={host} user={user} dbname={dbname} password={access_token.token}"
+                f"host={host} user={user} dbname={dbname} password={access_token.token} sslmode=require"
             )
             self.conn = psycopg2.connect(conn_string)
             logger.info("Connected to Azure PostgreSQL successfully.")

code/backend/batch/utilities/helpers/env_helper.py

@@ -40,6 +40,7 @@ def __load_config(self, **kwargs) -> None:
         self.AZURE_SUBSCRIPTION_ID = os.getenv("AZURE_SUBSCRIPTION_ID", "")
         self.AZURE_RESOURCE_GROUP = os.getenv("AZURE_RESOURCE_GROUP", "")
         self.MANAGED_IDENTITY_CLIENT_ID = os.getenv("MANAGED_IDENTITY_CLIENT_ID", "")
+        self.MANAGED_IDENTITY_RESOURCE_ID = os.getenv("MANAGED_IDENTITY_RESOURCE_ID", "")
 
         # Azure Search
         self.AZURE_SEARCH_SERVICE = os.getenv("AZURE_SEARCH_SERVICE", "")

code/backend/batch/utilities/integrated_vectorization/azure_search_datasource.py

@@ -1,6 +1,7 @@
 from azure.search.documents.indexes.models import (
     SearchIndexerDataContainer,
     SearchIndexerDataSourceConnection,
+    SearchIndexerDataUserAssignedIdentity,
 )
 from azure.search.documents.indexes._generated.models import (
     NativeBlobSoftDeleteDeletionDetectionPolicy,
@@ -35,6 +36,9 @@ def create_or_update_datasource(self):
             connection_string=connection_string,
             container=container,
             data_deletion_detection_policy=NativeBlobSoftDeleteDeletionDetectionPolicy(),
+            identity=SearchIndexerDataUserAssignedIdentity(
+                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            ),
         )
         self.indexer_client.create_or_update_data_source_connection(
             data_source_connection

code/backend/batch/utilities/integrated_vectorization/azure_search_skillset.py

@@ -11,6 +11,7 @@
     SearchIndexerIndexProjectionsParameters,
     IndexProjectionMode,
     SearchIndexerSkillset,
+    SearchIndexerDataUserAssignedIdentity,
 )
 from azure.search.documents.indexes import SearchIndexerClient
 from ..helpers.config.config_helper import IntegratedVectorizationConfig
@@ -95,6 +96,9 @@ def create_skillset(self):
                 if self.env_helper.is_auth_type_keys()
                 else None
             ),
+            auth_identity=SearchIndexerDataUserAssignedIdentity(
+                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            ),
             inputs=[
                 InputFieldMappingEntry(name="text", source="/document/pages/*"),
             ],

infra/main.bicep

@@ -63,18 +63,6 @@ var hostingPlanName string = 'asp-${solutionSuffix}'
 ])
 param hostingPlanSku string = 'B3'
 
-@description('The sku tier for the App Service plan')
-@allowed([
-  'Free'
-  'Shared'
-  'Basic'
-  'Standard'
-  'Premium'
-  'PremiumV2'
-  'PremiumV3'
-])
-param skuTier string = 'Basic'
-
 @description('The type of database to deploy (cosmos or postgres)')
 @allowed([
   'PostgreSQL'
@@ -361,7 +349,7 @@ param enableRedundancy bool = false
 param enablePrivateNetworking bool = false
 
 @description('Optional. Size of the Jumpbox Virtual Machine when created. Set to custom value if enablePrivateNetworking is true.')
-param vmSize string?
+param vmSize string = 'Standard_DS2_v2'
 
 @secure()
 @description('Optional. The user name for the administrator account of the virtual machine. Allows to customize credentials if `enablePrivateNetworking` is set to true.')
@@ -521,11 +509,9 @@ var privateDnsZones = [
   'privatelink.openai.azure.com'
   'privatelink.blob.${environment().suffixes.storage}'
   'privatelink.queue.${environment().suffixes.storage}'
-  'privatelink.file.${environment().suffixes.storage}'
   'privatelink.documents.azure.com'
   'privatelink.postgres.cosmos.azure.com'
   'privatelink.vaultcore.azure.net'
-  'privatelink.azurecr.io'
   'privatelink.azurewebsites.net'
   'privatelink.search.windows.net'
   'privatelink.api.azureml.ms'
@@ -537,14 +523,13 @@ var dnsZoneIndex = {
   openAI: 1
   storageBlob: 2
   storageQueue: 3
-  storageFile: 4
-  cosmosDB: 5 // 'privatelink.mongo.cosmos.azure.com'
-  postgresDB: 6 // 'privatelink.postgres.cosmos.azure.com'
-  keyVault: 7
-  containerRegistry: 8
-  appService: 9
-  searchService: 10
-  machinelearning: 11
+  cosmosDB: 4 // 'privatelink.mongo.cosmos.azure.com'
+  postgresDB: 5 // 'privatelink.postgres.cosmos.azure.com'
+  keyVault: 6
+  appService: 7
+  searchService: 8
+  machinelearning: 9
+  // The indexes for 'storageFile' and 'containerRegistry' have been removed as they were unused
 }
 
 // ===================================================
@@ -705,7 +690,7 @@ module openai 'modules/core/ai/cognitiveservices.bicep' = {
     location: location
     tags: allTags
     kind: 'OpenAI'
-    sku: 'S0'
+    sku: azureOpenAISkuName
     deployments: openAiDeployments
     userAssignedResourceId: managedIdentityModule.outputs.managedIdentityOutput.id
     enablePrivateNetworking: enablePrivateNetworking
@@ -749,7 +734,7 @@ module computerVision 'modules/core/ai/cognitiveservices.bicep' = if (useAdvance
     kind: 'ComputerVision'
     location: computerVisionLocation != '' ? computerVisionLocation : location
     tags: allTags
-    sku: 'S0'
+    sku: computerVisionSkuName
 
     enablePrivateNetworking: enablePrivateNetworking
     subnetResourceId: enablePrivateNetworking ? network!.outputs.subnetPrivateEndpointsResourceId : null
@@ -919,7 +904,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code') {
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -972,6 +957,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code') {
         OPEN_AI_FUNCTIONS_SYSTEM_PROMPT: openAIFunctionsSystemPrompt
         SEMANTIC_KERNEL_SYSTEM_PROMPT: semanticKernelSystemPrompt
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         AZURE_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId // Required so LangChain AzureSearch vector store authenticates with this user-assigned managed identity
         APP_ENV: appEnvironment
       },
@@ -1008,7 +994,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code') {
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: websiteName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1022,6 +1008,7 @@ module web_docker 'modules/app/web.bicep' = if (hostingModel == 'container') {
     name: '${websiteName}-docker'
     location: location
     tags: union(tags, { 'azd-service-name': 'web-docker' })
+    allTags: allTags
     kind: 'app,linux,container'
     serverFarmResourceId: webServerFarm.outputs.resourceId
     dockerFullImageName: '${registryName}.azurecr.io/rag-webapp:${appversion}'
@@ -1033,7 +1020,7 @@ module web_docker 'modules/app/web.bicep' = if (hostingModel == 'container') {
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1087,6 +1074,7 @@ module web_docker 'modules/app/web.bicep' = if (hostingModel == 'container') {
         OPEN_AI_FUNCTIONS_SYSTEM_PROMPT: openAIFunctionsSystemPrompt
         SEMANTIC_KERNEL_SYSTEM_PROMPT: semanticKernelSystemPrompt
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         AZURE_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId // Required so LangChain AzureSearch vector store authenticates with this user-assigned managed identity
         APP_ENV: appEnvironment
       },
@@ -1123,7 +1111,7 @@ module web_docker 'modules/app/web.bicep' = if (hostingModel == 'container') {
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: '${websiteName}-docker'
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1137,6 +1125,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code') {
     name: adminWebsiteName
     location: location
     tags: union(tags, { 'azd-service-name': 'adminweb' })
+    allTags: allTags
     kind: 'app,linux'
     serverFarmResourceId: webServerFarm.outputs.resourceId
     // Python runtime settings
@@ -1179,6 +1168,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code') {
         DATABASE_TYPE: databaseType
         USE_KEY_VAULT: 'true'
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       databaseType == 'CosmosDB'
@@ -1211,7 +1201,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code') {
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: adminWebsiteName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1221,7 +1211,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code') {
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1247,6 +1237,7 @@ module adminweb_docker 'modules/app/adminweb.bicep' = if (hostingModel == 'conta
     name: '${adminWebsiteName}-docker'
     location: location
     tags: union(tags, { 'azd-service-name': 'adminweb-docker' })
+    allTags: allTags
     kind: 'app,linux,container'
     serverFarmResourceId: webServerFarm.outputs.resourceId
     // Docker settings
@@ -1289,6 +1280,7 @@ module adminweb_docker 'modules/app/adminweb.bicep' = if (hostingModel == 'conta
         DATABASE_TYPE: databaseType
         USE_KEY_VAULT: 'true'
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       databaseType == 'CosmosDB'
@@ -1321,7 +1313,7 @@ module adminweb_docker 'modules/app/adminweb.bicep' = if (hostingModel == 'conta
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: '${adminWebsiteName}-docker'
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1331,7 +1323,7 @@ module adminweb_docker 'modules/app/adminweb.bicep' = if (hostingModel == 'conta
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1371,7 +1363,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code') {
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1413,6 +1405,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code') {
         AZURE_OPENAI_SYSTEM_MESSAGE: azureOpenAISystemMessage
         DATABASE_TYPE: databaseType
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       // Conditionally add database-specific settings
@@ -1439,7 +1432,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code') {
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: functionName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1466,7 +1459,7 @@ module function_docker 'modules/app/function.bicep' = if (hostingModel == 'conta
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1508,6 +1501,7 @@ module function_docker 'modules/app/function.bicep' = if (hostingModel == 'conta
         AZURE_OPENAI_SYSTEM_MESSAGE: azureOpenAISystemMessage
         DATABASE_TYPE: databaseType
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       // Conditionally add database-specific settings
@@ -1534,7 +1528,7 @@ module function_docker 'modules/app/function.bicep' = if (hostingModel == 'conta
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: '${functionName}-docker'
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )