Merge branch 'dev' into psl-agentsdk

Author: Kanchan-Microsoft

.github/workflows/deploy-KMGeneric.yml

@@ -40,8 +40,8 @@ jobs:
           export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
           export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
           export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export GPT_MIN_CAPACITY="150"
-          export TEXT_EMBEDDING_MIN_CAPACITY="80"
+          export GPT_MIN_CAPACITY=${{ env.GPT_MIN_CAPACITY }}
+          export TEXT_EMBEDDING_MIN_CAPACITY=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }}
           export AZURE_REGIONS="${{ vars.AZURE_REGIONS_KM }}"
           chmod +x infra/scripts/checkquota_km.sh
           if ! infra/scripts/checkquota_km.sh; then

documents/QuotaCheck.md

@@ -10,7 +10,7 @@ azd auth login
 
 ### 📌 Default Models & Capacities:
 ```
-gpt-4o:30, gpt-4o-mini:30, gpt-4:30, text-embedding-ada-002:80
+gpt-4o:150, gpt-4o-mini:150, gpt-4:150, text-embedding-ada-002:80
 ```
 ### 📌 Default Regions:
 ```
@@ -36,19 +36,19 @@ eastus, uksouth, eastus2, northcentralus, swedencentral, westus, westus2, southc
    ```
 ✔️ Check specific model(s) in default regions:
   ```
-  ./quota_check_params.sh --models gpt-4o:30,text-embedding-ada-002:80
+  ./quota_check_params.sh --models gpt-4o:150,text-embedding-ada-002:80
   ```
 ✔️ Check default models in specific region(s):
   ```
 ./quota_check_params.sh --regions eastus,westus
   ```
 ✔️ Passing Both models and regions:  
   ```
-  ./quota_check_params.sh --models gpt-4o:30 --regions eastus,westus2
+  ./quota_check_params.sh --models gpt-4o:150 --regions eastus,westus2
   ```
 ✔️ All parameters combined:
   ```
- ./quota_check_params.sh --models gpt-4:30,text-embedding-ada-002:80 --regions eastus,westus --verbose
+ ./quota_check_params.sh --models gpt-4:150,text-embedding-ada-002:80 --regions eastus,westus --verbose
   ```
 
 ### **Sample Output**

infra/create-sql-user-and-role.bicep

@@ -0,0 +1,62 @@
+targetScope = 'resourceGroup'
+
+@description('The Azure region for the resource.')
+param location string
+
+@description('The tags to associate with this resource.')
+param tags object = {}
+
+@description('The database roles to assign to the user.')
+param databaseRoles string[] = ['db_datareader']
+
+@description('The name of the User Assigned Managed Identity to be used.')
+param managedIdentityName string
+
+@description('The principal (or object) ID of the user to create.')
+param principalId string
+
+@description('The name of the user to create.')
+param principalName string
+
+@description('The name of the SQL Database resource.')
+param sqlDatabaseName string
+
+@description('The name of the SQL Server resource.')
+param sqlServerName string
+
+@description('Do not set - unique script ID to force the script to run.')
+param uniqueScriptId string = newGuid()
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: managedIdentityName
+}
+
+resource createSqlUserAndRole 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: 'sqlUserRole-${guid(principalId, sqlServerName, sqlDatabaseName)}'
+  location: location
+  tags: tags
+  kind: 'AzurePowerShell'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+  properties: {
+    forceUpdateTag: uniqueScriptId
+    azPowerShellVersion: '7.2'
+    retentionInterval: 'PT1H'
+    cleanupPreference: 'OnSuccess'
+    arguments: join(
+      [
+        '-SqlServerName \'${sqlServerName}\''
+        '-SqlDatabaseName \'${sqlDatabaseName}\''
+        '-ClientId \'${principalId}\''
+        '-DisplayName \'${principalName}\''
+        '-DatabaseRoles \'${join(databaseRoles, ',')}\''
+      ],
+      ' '
+    )
+    scriptContent: loadTextContent('./scripts/add_user_scripts/create-sql-user-and-role.ps1')
+  }
+}

infra/deploy_ai_foundry.bicep

@@ -250,18 +250,19 @@ module assignFoundryRoleToMIExisting 'deploy_foundry_role_assignment.bicep' = if
   params: {
     roleDefinitionId: aiUser.id
     roleAssignmentName: guid(resourceGroup().id, managedIdentityObjectId, aiUser.id, 'foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: managedIdentityObjectId
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
+    aiLocation: existing_aiServicesModule.outputs.location
+    aiKind: existing_aiServicesModule.outputs.kind
+    aiSkuName: existing_aiServicesModule.outputs.skuName
+    customSubDomainName: existing_aiServicesModule.outputs.customSubDomainName
+    publicNetworkAccess: existing_aiServicesModule.outputs.publicNetworkAccess
     enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    defaultNetworkAction: existing_aiServicesModule.outputs.defaultNetworkAction
+    vnetRules: existing_aiServicesModule.outputs.vnetRules
+    ipRules: existing_aiServicesModule.outputs.ipRules
+    aiModelDeployments: aiModelDeployments // Pass the model deployments to the module if model not already deployed
   }
 }
 
@@ -279,24 +280,26 @@ resource cognitiveServicesOpenAIUser 'Microsoft.Authorization/roleDefinitions@20
   name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
 }
 
-module assignOpenAIRoleToAISearch 'deploy_foundry_role_assignment.bicep' = {
-  name: 'assignOpenAIRoleToAISearch'
+resource assignOpenAIRoleToAISearch 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (empty(azureExistingAIProjectResourceId))  {
+  name: guid(resourceGroup().id, aiServices.id, cognitiveServicesOpenAIUser.id)
+  scope: aiServices
+  properties: {
+    principalId: aiSearch.identity.principalId
+    roleDefinitionId: cognitiveServicesOpenAIUser.id
+    principalType: 'ServicePrincipal'
+  }
+}
+
+module assignOpenAIRoleToAISearchExisting 'deploy_foundry_role_assignment.bicep' = if (!empty(azureExistingAIProjectResourceId)) {
+  name: 'assignOpenAIRoleToAISearchExisting'
   scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
   params: {
     roleDefinitionId: cognitiveServicesOpenAIUser.id
     roleAssignmentName: guid(resourceGroup().id, aiSearch.id, cognitiveServicesOpenAIUser.id, 'openai-foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: aiSearch.identity.principalId
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
 }
 
@@ -318,7 +321,7 @@ resource assignSearchIndexDataReaderToExistingAiProject 'Microsoft.Authorization
   name: guid(resourceGroup().id, existingAIProjectName, searchIndexDataReader.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchIndexDataReader.id
     principalType: 'ServicePrincipal'
   }
@@ -342,7 +345,7 @@ resource assignSearchServiceContributorToExistingAiProject 'Microsoft.Authorizat
   name: guid(resourceGroup().id, existingAIProjectName, searchServiceContributor.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchServiceContributor.id
     principalType: 'ServicePrincipal'
   }

infra/deploy_backend_docker.bicep

@@ -185,15 +185,7 @@ module assignAiUserRoleToAiProject 'deploy_foundry_role_assignment.bicep' = {
     roleAssignmentName: guid(appService.name, aiServices.id, aiUser.id)
     aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
     aiProjectName: !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[10] : ''
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : aideploymentsLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
 }
 

infra/deploy_foundry_role_assignment.bicep

@@ -6,15 +6,19 @@ param aiProjectName string = ''
 param aiLocation string=''
 param aiKind string=''
 param aiSkuName string=''
-param enableSystemAssignedIdentity bool = true
+param enableSystemAssignedIdentity bool = false
 param customSubDomainName string = ''
 param publicNetworkAccess string = ''
-param defaultNetworkAction string
+param defaultNetworkAction string = ''
 param vnetRules array = []
 param ipRules array = []
+param aiModelDeployments array = []
 
-// AI Services with Identity (enabled only if flag is true)
-resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if (enableSystemAssignedIdentity) {
+resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = if (!enableSystemAssignedIdentity) {
+  name: aiServicesName
+}
+
+resource aiServicesWithIdentity 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if (enableSystemAssignedIdentity) {
   name: aiServicesName
   location: aiLocation
   kind: aiKind
@@ -37,10 +41,31 @@ resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' =
   }
 }
 
-// AI Project with Identity (only if name provided and flag is true)
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName) && enableSystemAssignedIdentity) {
+@batchSize(1)
+resource aiServicesDeployments 'Microsoft.CognitiveServices/accounts/deployments@2025-04-01-preview' = [for aiModeldeployment in aiModelDeployments: if (!empty(aiModelDeployments)) {
+  parent: aiServicesWithIdentity
+  name: aiModeldeployment.name
+  properties: {
+    model: {
+      format: 'OpenAI'
+      name: aiModeldeployment.model
+    }
+    raiPolicyName: aiModeldeployment.raiPolicyName
+  }
+  sku:{
+    name: aiModeldeployment.sku.name
+    capacity: aiModeldeployment.sku.capacity
+  }
+}]
+
+resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' existing = if (!empty(aiProjectName) && !enableSystemAssignedIdentity) {
   name: aiProjectName
   parent: aiServices
+}
+
+resource aiProjectWithIdentity 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName) && enableSystemAssignedIdentity) {
+  name: aiProjectName
+  parent: aiServicesWithIdentity
   location: aiLocation
   identity: {
     type: 'SystemAssigned'
@@ -49,7 +74,16 @@ resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-pre
 }
 
 // Role Assignment to AI Services
-resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+resource roleAssignmentToFoundryExisting 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableSystemAssignedIdentity) {
+  name: roleAssignmentName
+  scope: aiServicesWithIdentity
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+  }
+}
+
+resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!enableSystemAssignedIdentity) {
   name: roleAssignmentName
   scope: aiServices
   properties: {
@@ -58,6 +92,14 @@ resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-0
   }
 }
 
-// Outputs
-output aiServicesPrincipalId string = aiServices.identity.principalId
-output aiProjectPrincipalId string = !empty(aiProjectName) ? aiProject.identity.principalId : ''
+// ========== Outputs ==========
+
+output aiServicesPrincipalId string = enableSystemAssignedIdentity
+  ? aiServicesWithIdentity.identity.principalId
+  : aiServices.identity.principalId
+
+output aiProjectPrincipalId string = !empty(aiProjectName)
+  ? (enableSystemAssignedIdentity
+      ? aiProjectWithIdentity.identity.principalId
+      : aiProject.identity.principalId)
+  : ''

infra/deploy_index_scripts.bicep

@@ -0,0 +1,27 @@
+@description('Specifies the location for resources.')
+param solutionLocation string 
+
+param baseUrl string
+param keyVaultName string
+param managedIdentityResourceId string
+param managedIdentityClientId string
+
+resource create_index 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  kind:'AzureCLI'
+  name: 'create_search_indexes'
+  location: solutionLocation
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityResourceId}' : {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.52.0'
+    primaryScriptUri: '${baseUrl}infra/scripts/run_create_index_scripts.sh' 
+    arguments: '${baseUrl} ${keyVaultName} ${managedIdentityClientId}'
+    timeout: 'PT1H'
+    retentionInterval: 'PT1H'
+    cleanupPreference:'OnSuccess'
+  }
+}