feat(infra): provision AI Search vector pipeline via managed identity (#380)

Author: Cataldir

.infra/README.md

@@ -164,7 +164,7 @@ When `agcSupportEnabled` is on, shared infrastructure also creates the delegated
 
 The `catalog-products` Azure AI Search index is ensured during `azd` `postprovision`, after the search service is reachable, to avoid nested ARM child-resource timing conflicts during `azd provision`.
 
-The vector indexing pipeline (`product_search_index` + datasource/skillset/indexer) is also ensured during `azd` `postprovision`. The current hook path uses a Cosmos DB connection string from the management plane for the AI Search datasource, so no additional AI Search managed-identity Cosmos RBAC assignment is required for this flow.
+The vector indexing pipeline (`product_search_index` + datasource/skillset/indexer) is also ensured during `azd` `postprovision`. The datasource uses a managed-identity Cosmos DB connection string (`IdentityAuthType=AccessToken`), and shared infrastructure provisions both Cosmos control-plane and data-plane reader role assignments for the Azure AI Search managed identity.
 
 **Duration**: ~25 minutes | **Cost**: see [Cost Estimates](#-cost-estimates)
 

.infra/azd/hooks/ensure-ai-search-vector-pipeline.ps1

@@ -131,12 +131,14 @@ if (-not $cosmosAccountName) {
     exit 1
 }
 
-$cosmosConnectionString = az cosmosdb keys list --resource-group $ResourceGroup --name $cosmosAccountName --type connection-strings --query 'connectionStrings[0].connectionString' -o tsv
-if (-not $cosmosConnectionString) {
-    Write-Error "Failed to resolve Cosmos DB connection string for account '$cosmosAccountName'."
+$cosmosAccountId = az cosmosdb show --resource-group $ResourceGroup --name $cosmosAccountName --query id -o tsv 2>$null
+if (-not $cosmosAccountId) {
+    Write-Error "Failed to resolve Cosmos DB resource ID for account '$cosmosAccountName'."
     exit 1
 }
 
+$cosmosConnectionString = "ResourceId=$cosmosAccountId;Database=$cosmosDatabase;IdentityAuthType=AccessToken"
+
 $projectEndpoint = Resolve-FromAzdEnv -Keys @('PROJECT_ENDPOINT')
 if (-not $projectEndpoint) {
     $aiServicesName = Resolve-FromAzdEnv -Keys @('AI_SERVICES_NAME', 'aiServicesName')
@@ -217,21 +219,22 @@ $indexDefinition = @{
         @{ name = 'search_keywords'; type = 'Collection(Edm.String)'; searchable = $true }
         @{ name = 'enriched_description'; type = 'Edm.String'; searchable = $true }
         @{ name = 'description_vector'; type = 'Collection(Edm.Single)'; searchable = $true; retrievable = $true; dimensions = 3072; vectorSearchProfile = 'default-vector-profile' }
+        @{ name = 'content_vector'; type = 'Collection(Edm.Single)'; searchable = $true; retrievable = $true; dimensions = 3072; vectorSearchProfile = 'default-vector-profile' }
     )
     vectorSearch = @{
         algorithms = @(
             @{ name = 'hnsw-algo'; kind = 'hnsw'; hnswParameters = @{ m = 4; efConstruction = 400; efSearch = 500; metric = 'cosine' } }
         )
         profiles = @(
-            @{ name = 'default-vector-profile'; algorithmConfigurationName = 'hnsw-algo'; vectorizer = 'text-embedding-vectorizer' }
+            @{ name = 'default-vector-profile'; algorithm = 'hnsw-algo'; vectorizer = 'text-embedding-vectorizer' }
         )
         vectorizers = @(
             @{ name = 'text-embedding-vectorizer'; kind = 'azureOpenAI'; azureOpenAIParameters = @{ modelName = $EmbeddingDeploymentName; deploymentId = $EmbeddingDeploymentName; resourceUri = $projectEndpoint } }
         )
     }
     semantic = @{
         configurations = @(
-            @{ name = 'default-semantic'; prioritizedFields = @{ titleField = @{ fieldName = 'name' }; contentFields = @(@{ fieldName = 'enriched_description' }, @{ fieldName = 'description' }); keywordsFields = @(@{ fieldName = 'search_keywords' }, @{ fieldName = 'use_cases' }) } }
+            @{ name = 'default-semantic'; prioritizedFields = @{ titleField = @{ fieldName = 'name' }; prioritizedContentFields = @(@{ fieldName = 'enriched_description' }, @{ fieldName = 'description' }); prioritizedKeywordsFields = @(@{ fieldName = 'search_keywords' }, @{ fieldName = 'use_cases' }) } }
         )
     }
 } | ConvertTo-Json -Depth 20 -Compress
@@ -246,10 +249,6 @@ $indexerDefinition = @{
         batchSize = 100
         maxFailedItems = 10
         maxFailedItemsPerBatch = 5
-        configuration = @{
-            parsingMode = 'json'
-            dataToExtract = 'contentAndMetadata'
-        }
     }
     fieldMappings = @(
         @{ sourceFieldName = 'entity_id'; targetFieldName = 'entity_id' }
@@ -267,6 +266,7 @@ $indexerDefinition = @{
     )
     outputFieldMappings = @(
         @{ sourceFieldName = '/document/description_vector'; targetFieldName = 'description_vector' }
+        @{ sourceFieldName = '/document/description_vector'; targetFieldName = 'content_vector' }
     )
 } | ConvertTo-Json -Depth 16 -Compress
 
@@ -275,18 +275,19 @@ $headers = @{ 'api-key' = $adminKey; 'Content-Type' = 'application/json' }
 function Invoke-SearchPut {
     param([string]$Name, [string]$Uri, [string]$Body)
     for ($attempt = 1; $attempt -le 12; $attempt++) {
-        try {
-            Invoke-RestMethod -Method Put -Uri $Uri -Headers $headers -Body $Body | Out-Null
+        $response = Invoke-WebRequest -Method Put -Uri $Uri -Headers $headers -Body $Body -SkipHttpErrorCheck
+        if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300) {
             Write-Host "Azure AI Search resource '$Name' is ready."
             return
         }
-        catch {
-            if ($attempt -eq 12) {
-                Write-Error "Failed to create or update Azure AI Search resource '$Name': $($_.Exception.Message)"
-                exit 1
-            }
-            Start-Sleep -Seconds 10
+
+        if ($attempt -eq 12) {
+            $detail = if ($response.Content) { " Details: $($response.Content)" } else { '' }
+            Write-Error "Failed to create or update Azure AI Search resource '$Name' (HTTP $($response.StatusCode)).$detail"
+            exit 1
         }
+
+        Start-Sleep -Seconds 10
     }
 }
 

.infra/azd/hooks/ensure-ai-search-vector-pipeline.sh

@@ -101,12 +101,14 @@ if [ -z "$COSMOS_ACCOUNT_NAME" ]; then
   exit 1
 fi
 
-COSMOS_CONNECTION_STRING="$(az cosmosdb keys list --resource-group "$RESOURCE_GROUP" --name "$COSMOS_ACCOUNT_NAME" --type connection-strings --query 'connectionStrings[0].connectionString' -o tsv)"
-if [ -z "$COSMOS_CONNECTION_STRING" ]; then
-  echo "Failed to resolve Cosmos DB connection string for account '${COSMOS_ACCOUNT_NAME}'." >&2
+COSMOS_ACCOUNT_ID="$(az cosmosdb show --resource-group "$RESOURCE_GROUP" --name "$COSMOS_ACCOUNT_NAME" --query id -o tsv 2>/dev/null || true)"
+if [ -z "$COSMOS_ACCOUNT_ID" ]; then
+  echo "Failed to resolve Cosmos DB resource ID for account '${COSMOS_ACCOUNT_NAME}'." >&2
   exit 1
 fi
 
+COSMOS_CONNECTION_STRING="ResourceId=${COSMOS_ACCOUNT_ID};Database=${COSMOS_DATABASE};IdentityAuthType=AccessToken"
+
 PROJECT_ENDPOINT_VALUE="$(resolve_from_azd_env 'PROJECT_ENDPOINT')"
 if [ -z "$PROJECT_ENDPOINT_VALUE" ]; then
   AI_SERVICES_NAME_VALUE="$(resolve_from_azd_env 'AI_SERVICES_NAME|aiServicesName')"
@@ -135,12 +137,12 @@ EOF
 )
 
 INDEX_DEFINITION=$(cat <<EOF
-{"name":"${VECTOR_INDEX_NAME}","fields":[{"name":"id","type":"Edm.String","key":true,"filterable":true},{"name":"entity_id","type":"Edm.String","filterable":true},{"name":"sku","type":"Edm.String","filterable":true,"searchable":true},{"name":"name","type":"Edm.String","searchable":true,"analyzer":"en.microsoft"},{"name":"brand","type":"Edm.String","filterable":true,"facetable":true,"searchable":true},{"name":"category","type":"Edm.String","filterable":true,"facetable":true},{"name":"description","type":"Edm.String","searchable":true,"analyzer":"en.microsoft"},{"name":"price","type":"Edm.Double","filterable":true,"sortable":true,"facetable":true},{"name":"use_cases","type":"Collection(Edm.String)","filterable":true,"searchable":true},{"name":"complementary_products","type":"Collection(Edm.String)","filterable":true},{"name":"substitute_products","type":"Collection(Edm.String)","filterable":true},{"name":"search_keywords","type":"Collection(Edm.String)","searchable":true},{"name":"enriched_description","type":"Edm.String","searchable":true},{"name":"description_vector","type":"Collection(Edm.Single)","searchable":true,"retrievable":true,"dimensions":3072,"vectorSearchProfile":"default-vector-profile"}],"vectorSearch":{"algorithms":[{"name":"hnsw-algo","kind":"hnsw","hnswParameters":{"m":4,"efConstruction":400,"efSearch":500,"metric":"cosine"}}],"profiles":[{"name":"default-vector-profile","algorithmConfigurationName":"hnsw-algo","vectorizer":"text-embedding-vectorizer"}],"vectorizers":[{"name":"text-embedding-vectorizer","kind":"azureOpenAI","azureOpenAIParameters":{"modelName":"${EMBEDDING_DEPLOYMENT_NAME}","deploymentId":"${EMBEDDING_DEPLOYMENT_NAME}","resourceUri":"${PROJECT_ENDPOINT_VALUE}"}}]},"semantic":{"configurations":[{"name":"default-semantic","prioritizedFields":{"titleField":{"fieldName":"name"},"contentFields":[{"fieldName":"enriched_description"},{"fieldName":"description"}],"keywordsFields":[{"fieldName":"search_keywords"},{"fieldName":"use_cases"}]}}]}}
+{"name":"${VECTOR_INDEX_NAME}","fields":[{"name":"id","type":"Edm.String","key":true,"filterable":true},{"name":"entity_id","type":"Edm.String","filterable":true},{"name":"sku","type":"Edm.String","filterable":true,"searchable":true},{"name":"name","type":"Edm.String","searchable":true,"analyzer":"en.microsoft"},{"name":"brand","type":"Edm.String","filterable":true,"facetable":true,"searchable":true},{"name":"category","type":"Edm.String","filterable":true,"facetable":true},{"name":"description","type":"Edm.String","searchable":true,"analyzer":"en.microsoft"},{"name":"price","type":"Edm.Double","filterable":true,"sortable":true,"facetable":true},{"name":"use_cases","type":"Collection(Edm.String)","filterable":true,"searchable":true},{"name":"complementary_products","type":"Collection(Edm.String)","filterable":true},{"name":"substitute_products","type":"Collection(Edm.String)","filterable":true},{"name":"search_keywords","type":"Collection(Edm.String)","searchable":true},{"name":"enriched_description","type":"Edm.String","searchable":true},{"name":"description_vector","type":"Collection(Edm.Single)","searchable":true,"retrievable":true,"dimensions":3072,"vectorSearchProfile":"default-vector-profile"},{"name":"content_vector","type":"Collection(Edm.Single)","searchable":true,"retrievable":true,"dimensions":3072,"vectorSearchProfile":"default-vector-profile"}],"vectorSearch":{"algorithms":[{"name":"hnsw-algo","kind":"hnsw","hnswParameters":{"m":4,"efConstruction":400,"efSearch":500,"metric":"cosine"}}],"profiles":[{"name":"default-vector-profile","algorithm":"hnsw-algo","vectorizer":"text-embedding-vectorizer"}],"vectorizers":[{"name":"text-embedding-vectorizer","kind":"azureOpenAI","azureOpenAIParameters":{"modelName":"${EMBEDDING_DEPLOYMENT_NAME}","deploymentId":"${EMBEDDING_DEPLOYMENT_NAME}","resourceUri":"${PROJECT_ENDPOINT_VALUE}"}}]},"semantic":{"configurations":[{"name":"default-semantic","prioritizedFields":{"titleField":{"fieldName":"name"},"prioritizedContentFields":[{"fieldName":"enriched_description"},{"fieldName":"description"}],"prioritizedKeywordsFields":[{"fieldName":"search_keywords"},{"fieldName":"use_cases"}]}}]}}
 EOF
 )
 
 INDEXER_DEFINITION=$(cat <<EOF
-{"name":"${INDEXER_NAME}","dataSourceName":"${DATA_SOURCE_NAME}","targetIndexName":"${VECTOR_INDEX_NAME}","skillsetName":"${SKILLSET_NAME}","schedule":{"interval":"PT5M"},"parameters":{"batchSize":100,"maxFailedItems":10,"maxFailedItemsPerBatch":5,"configuration":{"parsingMode":"json","dataToExtract":"contentAndMetadata"}},"fieldMappings":[{"sourceFieldName":"entity_id","targetFieldName":"entity_id"},{"sourceFieldName":"sku","targetFieldName":"sku"},{"sourceFieldName":"name","targetFieldName":"name"},{"sourceFieldName":"brand","targetFieldName":"brand"},{"sourceFieldName":"category","targetFieldName":"category"},{"sourceFieldName":"description","targetFieldName":"description"},{"sourceFieldName":"price","targetFieldName":"price"},{"sourceFieldName":"use_cases","targetFieldName":"use_cases"},{"sourceFieldName":"complementary_products","targetFieldName":"complementary_products"},{"sourceFieldName":"substitute_products","targetFieldName":"substitute_products"},{"sourceFieldName":"search_keywords","targetFieldName":"search_keywords"},{"sourceFieldName":"enriched_description","targetFieldName":"enriched_description"}],"outputFieldMappings":[{"sourceFieldName":"/document/description_vector","targetFieldName":"description_vector"}]}
+{"name":"${INDEXER_NAME}","dataSourceName":"${DATA_SOURCE_NAME}","targetIndexName":"${VECTOR_INDEX_NAME}","skillsetName":"${SKILLSET_NAME}","schedule":{"interval":"PT5M"},"parameters":{"batchSize":100,"maxFailedItems":10,"maxFailedItemsPerBatch":5},"fieldMappings":[{"sourceFieldName":"entity_id","targetFieldName":"entity_id"},{"sourceFieldName":"sku","targetFieldName":"sku"},{"sourceFieldName":"name","targetFieldName":"name"},{"sourceFieldName":"brand","targetFieldName":"brand"},{"sourceFieldName":"category","targetFieldName":"category"},{"sourceFieldName":"description","targetFieldName":"description"},{"sourceFieldName":"price","targetFieldName":"price"},{"sourceFieldName":"use_cases","targetFieldName":"use_cases"},{"sourceFieldName":"complementary_products","targetFieldName":"complementary_products"},{"sourceFieldName":"substitute_products","targetFieldName":"substitute_products"},{"sourceFieldName":"search_keywords","targetFieldName":"search_keywords"},{"sourceFieldName":"enriched_description","targetFieldName":"enriched_description"}],"outputFieldMappings":[{"sourceFieldName":"/document/description_vector","targetFieldName":"description_vector"},{"sourceFieldName":"/document/description_vector","targetFieldName":"content_vector"}]}
 EOF
 )
 
@@ -151,16 +153,23 @@ put_with_retry() {
 
   attempt=1
   while [ "$attempt" -le 12 ]; do
-    if curl -fsS -X PUT -H "api-key: ${ADMIN_KEY}" -H 'Content-Type: application/json' --data "$RESOURCE_BODY" "$RESOURCE_URI" >/dev/null; then
+    RESPONSE_FILE="$(mktemp)"
+    HTTP_CODE="$(curl -sS -o "$RESPONSE_FILE" -w '%{http_code}' -X PUT -H "api-key: ${ADMIN_KEY}" -H 'Content-Type: application/json' --data "$RESOURCE_BODY" "$RESOURCE_URI" || true)"
+    if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
+      rm -f "$RESPONSE_FILE"
       echo "Azure AI Search resource '${RESOURCE_NAME}' is ready."
       return 0
     fi
 
     if [ "$attempt" -eq 12 ]; then
-      echo "Failed to create or update Azure AI Search resource '${RESOURCE_NAME}'." >&2
+      echo "Failed to create or update Azure AI Search resource '${RESOURCE_NAME}' (HTTP ${HTTP_CODE})." >&2
+      cat "$RESPONSE_FILE" >&2 || true
+      rm -f "$RESPONSE_FILE"
       exit 1
     fi
 
+    rm -f "$RESPONSE_FILE"
+
     attempt=$((attempt + 1))
     sleep 10
   done

.infra/modules/shared-infrastructure/shared-infrastructure.bicep

@@ -1100,6 +1100,36 @@ resource aksSearchIndexDataContributorRole 'Microsoft.Authorization/roleAssignme
   }
 }
 
+// Azure AI Search managed identity -> Cosmos DB (control plane)
+resource aiSearchCosmosAccountReaderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, aiSearchName, cosmosAccountName, 'CosmosAccountReader')
+  scope: cosmosAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8') // Cosmos DB Account Reader Role
+    principalId: aiSearchFromFoundry.identity.principalId
+    principalType: 'ServicePrincipal'
+  }
+  dependsOn: [
+    aiFoundry
+    cosmos
+  ]
+}
+
+// Azure AI Search managed identity -> Cosmos DB (data plane)
+resource aiSearchCosmosDataReaderRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-11-15' = {
+  parent: cosmosAccount
+  name: guid(resourceGroup().id, aiSearchName, cosmosAccountName, 'CosmosDataReader')
+  properties: {
+    roleDefinitionId: '${cosmosAccount.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000001' // Built-in Data Reader
+    principalId: aiSearchFromFoundry.identity.principalId
+    scope: cosmosAccount.id
+  }
+  dependsOn: [
+    aiFoundry
+    cosmos
+  ]
+}
+
 // Outputs
 output aksClusterName string = aks.outputs.name
 output acrLoginServer string = acr.outputs.loginServer