refactor: Replace Container App with Deployment Scripts for SQL and Post-Deployment Operations & update model capacity similar to bicep

Author: Avijit-Microsoft

.github/workflows/deploy-KMGeneric.yml

@@ -12,8 +12,8 @@ on:
     - cron: '0 9,21 * * *'  # Runs at 9:00 AM and 9:00 PM GMT
   workflow_dispatch:  # Allow manual triggering
 env:
-  GPT_MIN_CAPACITY: 250
-  TEXT_EMBEDDING_MIN_CAPACITY: 90
+  GPT_MIN_CAPACITY: 150
+  TEXT_EMBEDDING_MIN_CAPACITY: 80
   BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
 jobs:
   deploy:
@@ -40,8 +40,8 @@ jobs:
           export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
           export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
           export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export GPT_MIN_CAPACITY="150"
-          export TEXT_EMBEDDING_MIN_CAPACITY="80"
+          export GPT_MIN_CAPACITY=${{ env.GPT_MIN_CAPACITY }}
+          export TEXT_EMBEDDING_MIN_CAPACITY=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }}
           export AZURE_REGIONS="${{ vars.AZURE_REGIONS_KM }}"
           chmod +x infra/scripts/checkquota_km.sh
           if ! infra/scripts/checkquota_km.sh; then

documents/QuotaCheck.md

@@ -10,7 +10,7 @@ azd auth login
 
 ### 📌 Default Models & Capacities:
 ```
-gpt-4o:30, gpt-4o-mini:30, gpt-4:30, text-embedding-ada-002:80
+gpt-4o:150, gpt-4o-mini:150, gpt-4:150, text-embedding-ada-002:80
 ```
 ### 📌 Default Regions:
 ```
@@ -36,19 +36,19 @@ eastus, uksouth, eastus2, northcentralus, swedencentral, westus, westus2, southc
    ```
 ✔️ Check specific model(s) in default regions:
   ```
-  ./quota_check_params.sh --models gpt-4o:30,text-embedding-ada-002:80
+  ./quota_check_params.sh --models gpt-4o:150,text-embedding-ada-002:80
   ```
 ✔️ Check default models in specific region(s):
   ```
 ./quota_check_params.sh --regions eastus,westus
   ```
 ✔️ Passing Both models and regions:  
   ```
-  ./quota_check_params.sh --models gpt-4o:30 --regions eastus,westus2
+  ./quota_check_params.sh --models gpt-4o:150 --regions eastus,westus2
   ```
 ✔️ All parameters combined:
   ```
- ./quota_check_params.sh --models gpt-4:30,text-embedding-ada-002:80 --regions eastus,westus --verbose
+ ./quota_check_params.sh --models gpt-4:150,text-embedding-ada-002:80 --regions eastus,westus --verbose
   ```
 
 ### **Sample Output**

infra/create-sql-user-and-role.bicep

@@ -0,0 +1,62 @@
+targetScope = 'resourceGroup'
+
+@description('The Azure region for the resource.')
+param location string
+
+@description('The tags to associate with this resource.')
+param tags object = {}
+
+@description('The database roles to assign to the user.')
+param databaseRoles string[] = ['db_datareader']
+
+@description('The name of the User Assigned Managed Identity to be used.')
+param managedIdentityName string
+
+@description('The principal (or object) ID of the user to create.')
+param principalId string
+
+@description('The name of the user to create.')
+param principalName string
+
+@description('The name of the SQL Database resource.')
+param sqlDatabaseName string
+
+@description('The name of the SQL Server resource.')
+param sqlServerName string
+
+@description('Do not set - unique script ID to force the script to run.')
+param uniqueScriptId string = newGuid()
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: managedIdentityName
+}
+
+resource createSqlUserAndRole 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: 'sqlUserRole-${guid(principalId, sqlServerName, sqlDatabaseName)}'
+  location: location
+  tags: tags
+  kind: 'AzurePowerShell'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+  properties: {
+    forceUpdateTag: uniqueScriptId
+    azPowerShellVersion: '7.2'
+    retentionInterval: 'PT1H'
+    cleanupPreference: 'OnSuccess'
+    arguments: join(
+      [
+        '-SqlServerName \'${sqlServerName}\''
+        '-SqlDatabaseName \'${sqlDatabaseName}\''
+        '-ClientId \'${principalId}\''
+        '-DisplayName \'${principalName}\''
+        '-DatabaseRoles \'${join(databaseRoles, ',')}\''
+      ],
+      ' '
+    )
+    scriptContent: loadTextContent('./scripts/add_user_scripts/create-sql-user-and-role.ps1')
+  }
+}

infra/deploy_index_scripts.bicep

@@ -0,0 +1,27 @@
+@description('Specifies the location for resources.')
+param solutionLocation string 
+
+param baseUrl string
+param keyVaultName string
+param managedIdentityResourceId string
+param managedIdentityClientId string
+
+resource create_index 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  kind:'AzureCLI'
+  name: 'create_search_indexes'
+  location: solutionLocation
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityResourceId}' : {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.52.0'
+    primaryScriptUri: '${baseUrl}infra/scripts/run_create_index_scripts.sh' 
+    arguments: '${baseUrl} ${keyVaultName} ${managedIdentityClientId}'
+    timeout: 'PT1H'
+    retentionInterval: 'PT1H'
+    cleanupPreference:'OnSuccess'
+  }
+}

infra/deploy_post_deployment_scripts.bicep

@@ -1,13 +1,15 @@
 param solutionLocation string
 param keyVaultName string
-param managedIdentityObjectId string
 param managedIdentityName string
-
 param serverName string
 param sqlDBName string
+param sqlUsers array = []
+
 var location = solutionLocation
-var administratorLogin = 'sqladmin'
-var administratorLoginPassword = 'TestPassword_1234'
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: managedIdentityName
+}
 
 resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
   name: serverName
@@ -17,10 +19,10 @@ resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
     publicNetworkAccess: 'Enabled'
     version: '12.0'
     restrictOutboundNetworkAccess: 'Disabled'
-    minimalTlsVersion: '1.2' // Enforce TLS 1.2 to comply with Azure policy
+    minimalTlsVersion: '1.2'
     administrators: {
       login: managedIdentityName
-      sid: managedIdentityObjectId
+      sid: managedIdentity.properties.principalId
       tenantId: subscription().tenantId
       administratorType: 'ActiveDirectory'
       azureADOnlyAuthentication: true
@@ -66,6 +68,21 @@ resource sqlDB 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
   }
 }
 
+module sqluser 'create-sql-user-and-role.bicep' = [
+  for user in sqlUsers: {
+    name: 'sqluser-${guid(solutionLocation, user.principalId, user.principalName, sqlDB.name, sqlServer.name)}'
+    params: {
+      managedIdentityName: managedIdentityName
+      location: solutionLocation
+      sqlDatabaseName: sqlDB.name
+      sqlServerName: sqlServer.name
+      principalId: user.principalId
+      principalName: user.principalName
+      databaseRoles: user.databaseRoles
+    }
+  }
+]
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: keyVaultName
 }
@@ -86,22 +103,5 @@ resource sqldbDatabaseEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-previe
   }
 }
 
-resource sqldbDatabaseUsername 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
-  parent: keyVault
-  name: 'SQLDB-USERNAME'
-  properties: {
-    value: administratorLogin
-  }
-}
-
-resource sqldbDatabasePwd 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
-  parent: keyVault
-  name: 'SQLDB-PASSWORD'
-  properties: {
-    value: administratorLoginPassword
-  }
-}
-
 output sqlServerName string = '${serverName}.database.windows.net'
 output sqlDbName string = sqlDBName
-output sqlDbUser string = administratorLogin

infra/deploy_sql_db.bicep

@@ -0,0 +1,27 @@
+@description('Specifies the location for resources.')
+param solutionLocation string
+param baseUrl string
+param managedIdentityResourceId string
+param managedIdentityClientId string
+param storageAccountName string
+param containerName string
+
+resource copy_demo_Data 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  kind:'AzureCLI'
+  name: 'copy_demo_Data'
+  location: solutionLocation
+  identity:{
+    type:'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityResourceId}' : {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.52.0'
+    primaryScriptUri: '${baseUrl}infra/scripts/copy_kb_files.sh'
+    arguments: '${storageAccountName} ${containerName} ${baseUrl} ${managedIdentityClientId}'
+    timeout: 'PT1H'
+    retentionInterval: 'PT1H'
+    cleanupPreference:'OnSuccess'
+  }
+}