Merge branch 'waf-avm' of https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator into waf-avm

Author: Prajwal-Microsoft

code/backend/batch/utilities/chat_history/postgresdbservice.py

@@ -33,7 +33,7 @@ async def connect(self):
                 database=self.database,
                 password=token,
                 port=5432,
-                ssl="require",
+                ssl=True,
             )
         except Exception as e:
             logger.error("Failed to connect to PostgreSQL: %s", e)

code/backend/batch/utilities/helpers/azure_postgres_helper.py

@@ -31,7 +31,7 @@ def _create_search_client(self):
 
             # Use the token in the connection string
             conn_string = (
-                f"host={host} user={user} dbname={dbname} password={access_token.token}"
+                f"host={host} user={user} dbname={dbname} password={access_token.token} sslmode=require"
             )
             self.conn = psycopg2.connect(conn_string)
             logger.info("Connected to Azure PostgreSQL successfully.")

code/backend/batch/utilities/helpers/env_helper.py

@@ -40,6 +40,7 @@ def __load_config(self, **kwargs) -> None:
         self.AZURE_SUBSCRIPTION_ID = os.getenv("AZURE_SUBSCRIPTION_ID", "")
         self.AZURE_RESOURCE_GROUP = os.getenv("AZURE_RESOURCE_GROUP", "")
         self.MANAGED_IDENTITY_CLIENT_ID = os.getenv("MANAGED_IDENTITY_CLIENT_ID", "")
+        self.MANAGED_IDENTITY_RESOURCE_ID = os.getenv("MANAGED_IDENTITY_RESOURCE_ID", "")
 
         # Azure Search
         self.AZURE_SEARCH_SERVICE = os.getenv("AZURE_SEARCH_SERVICE", "")

code/backend/batch/utilities/integrated_vectorization/azure_search_datasource.py

@@ -1,6 +1,7 @@
 from azure.search.documents.indexes.models import (
     SearchIndexerDataContainer,
     SearchIndexerDataSourceConnection,
+    SearchIndexerDataUserAssignedIdentity,
 )
 from azure.search.documents.indexes._generated.models import (
     NativeBlobSoftDeleteDeletionDetectionPolicy,
@@ -35,6 +36,9 @@ def create_or_update_datasource(self):
             connection_string=connection_string,
             container=container,
             data_deletion_detection_policy=NativeBlobSoftDeleteDeletionDetectionPolicy(),
+            identity=SearchIndexerDataUserAssignedIdentity(
+                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            ),
         )
         self.indexer_client.create_or_update_data_source_connection(
             data_source_connection

code/backend/batch/utilities/integrated_vectorization/azure_search_skillset.py

@@ -11,6 +11,7 @@
     SearchIndexerIndexProjectionsParameters,
     IndexProjectionMode,
     SearchIndexerSkillset,
+    SearchIndexerDataUserAssignedIdentity,
 )
 from azure.search.documents.indexes import SearchIndexerClient
 from ..helpers.config.config_helper import IntegratedVectorizationConfig
@@ -95,6 +96,9 @@ def create_skillset(self):
                 if self.env_helper.is_auth_type_keys()
                 else None
             ),
+            auth_identity=SearchIndexerDataUserAssignedIdentity(
+                user_assigned_identity=self.env_helper.MANAGED_IDENTITY_RESOURCE_ID
+            ),
             inputs=[
                 InputFieldMappingEntry(name="text", source="/document/pages/*"),
             ],

infra/main.bicep

@@ -63,18 +63,6 @@ var hostingPlanName string = 'asp-${solutionSuffix}'
 ])
 param hostingPlanSku string = 'B3'
 
-@description('The sku tier for the App Service plan')
-@allowed([
-  'Free'
-  'Shared'
-  'Basic'
-  'Standard'
-  'Premium'
-  'PremiumV2'
-  'PremiumV3'
-])
-param skuTier string = 'Basic'
-
 @description('The type of database to deploy (cosmos or postgres)')
 @allowed([
   'PostgreSQL'
@@ -361,7 +349,7 @@ param enableRedundancy bool = false
 param enablePrivateNetworking bool = false
 
 @description('Optional. Size of the Jumpbox Virtual Machine when created. Set to custom value if enablePrivateNetworking is true.')
-param vmSize string?
+param vmSize string = 'Standard_DS2_v2'
 
 @secure()
 @description('Optional. The user name for the administrator account of the virtual machine. Allows to customize credentials if `enablePrivateNetworking` is set to true.')
@@ -521,11 +509,9 @@ var privateDnsZones = [
   'privatelink.openai.azure.com'
   'privatelink.blob.${environment().suffixes.storage}'
   'privatelink.queue.${environment().suffixes.storage}'
-  'privatelink.file.${environment().suffixes.storage}'
   'privatelink.documents.azure.com'
   'privatelink.postgres.cosmos.azure.com'
   'privatelink.vaultcore.azure.net'
-  'privatelink.azurecr.io'
   'privatelink.azurewebsites.net'
   'privatelink.search.windows.net'
   'privatelink.api.azureml.ms'
@@ -537,14 +523,13 @@ var dnsZoneIndex = {
   openAI: 1
   storageBlob: 2
   storageQueue: 3
-  storageFile: 4
-  cosmosDB: 5 // 'privatelink.mongo.cosmos.azure.com'
-  postgresDB: 6 // 'privatelink.postgres.cosmos.azure.com'
-  keyVault: 7
-  containerRegistry: 8
-  appService: 9
-  searchService: 10
-  machinelearning: 11
+  cosmosDB: 4 // 'privatelink.mongo.cosmos.azure.com'
+  postgresDB: 5 // 'privatelink.postgres.cosmos.azure.com'
+  keyVault: 6
+  appService: 7
+  searchService: 8
+  machinelearning: 9
+  // The indexes for 'storageFile' and 'containerRegistry' have been removed as they were unused
 }
 
 // ===================================================
@@ -705,7 +690,7 @@ module openai 'modules/core/ai/cognitiveservices.bicep' = {
     location: location
     tags: allTags
     kind: 'OpenAI'
-    sku: 'S0'
+    sku: azureOpenAISkuName
     deployments: openAiDeployments
     userAssignedResourceId: managedIdentityModule.outputs.managedIdentityOutput.id
     enablePrivateNetworking: enablePrivateNetworking
@@ -751,7 +736,7 @@ module computerVision 'modules/core/ai/cognitiveservices.bicep' = if (useAdvance
     kind: 'ComputerVision'
     location: computerVisionLocation != '' ? computerVisionLocation : location
     tags: allTags
-    sku: 'S0'
+    sku: computerVisionSkuName
 
     enablePrivateNetworking: enablePrivateNetworking
     subnetResourceId: enablePrivateNetworking ? network!.outputs.subnetPrivateEndpointsResourceId : null
@@ -931,7 +916,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code' || hostingModel
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -984,6 +969,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code' || hostingModel
         OPEN_AI_FUNCTIONS_SYSTEM_PROMPT: openAIFunctionsSystemPrompt
         SEMANTIC_KERNEL_SYSTEM_PROMPT: semanticKernelSystemPrompt
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         AZURE_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId // Required so LangChain AzureSearch vector store authenticates with this user-assigned managed identity
         APP_ENV: appEnvironment
       },
@@ -1020,7 +1006,7 @@ module web 'modules/app/web.bicep' = if (hostingModel == 'code' || hostingModel
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: hostingModel == 'container' ? '${websiteName}-docker' : websiteName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1034,6 +1020,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code'|| host
     name: hostingModel == 'container' ? '${adminWebsiteName}-docker' : adminWebsiteName
     location: location
     tags: union(tags, { 'azd-service-name': hostingModel == 'container' ? 'adminweb-docker' : 'adminweb' })
+    allTags: allTags
     kind: hostingModel == 'container' ? 'app,linux,container' : 'app,linux'
     serverFarmResourceId: webServerFarm.outputs.resourceId
     // runtime settings apply only for code-hosted apps
@@ -1079,6 +1066,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code'|| host
         DATABASE_TYPE: databaseType
         USE_KEY_VAULT: 'true'
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       databaseType == 'CosmosDB'
@@ -1111,7 +1099,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code'|| host
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.?outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: hostingModel == 'container' ? '${adminWebsiteName}-docker' : adminWebsiteName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )
@@ -1121,7 +1109,7 @@ module adminweb 'modules/app/adminweb.bicep' = if (hostingModel == 'code'|| host
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1161,7 +1149,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code' || hos
     virtualNetworkSubnetId: enablePrivateNetworking ? network!.outputs.subnetWebResourceId : ''
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
-    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    publicNetworkAccess: 'Enabled' // Always enabling public network access
     privateEndpoints: enablePrivateNetworking
       ? [
           {
@@ -1203,6 +1191,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code' || hos
         AZURE_OPENAI_SYSTEM_MESSAGE: azureOpenAISystemMessage
         DATABASE_TYPE: databaseType
         MANAGED_IDENTITY_CLIENT_ID: managedIdentityModule.outputs.managedIdentityOutput.clientId
+        MANAGED_IDENTITY_RESOURCE_ID: managedIdentityModule.outputs.managedIdentityOutput.id
         APP_ENV: appEnvironment
       },
       databaseType == 'CosmosDB'
@@ -1228,7 +1217,7 @@ module function 'modules/app/function.bicep' = if (hostingModel == 'code' || hos
             ? {
                 AZURE_POSTGRESQL_HOST_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLServerName
                 AZURE_POSTGRESQL_DATABASE_NAME: postgresDBModule.outputs.postgresDbOutput.postgreSQLDatabaseName
-                AZURE_POSTGRESQL_USER: hostingModel == 'container' ? '${functionName}-docker' : functionName
+                AZURE_POSTGRESQL_USER: managedIdentityModule.outputs.managedIdentityOutput.name
               }
             : {}
     )