Enhance Bicep templates and Python scripts: add private endpoint configurations for DFS and streamline deployment script parameters

Author: Abdul-Microsoft

infra/main.bicep

@@ -301,6 +301,7 @@ var privateDnsZones = [
   'privatelink${environment().suffixes.sqlServerHostname}'
   'privatelink.azurewebsites.net'
   'privatelink.search.windows.net'
+  'privatelink.dfs.${environment().suffixes.storage}'
 ]
 // DNS Zone Index Constants
 var dnsZoneIndex = {
@@ -320,6 +321,7 @@ var dnsZoneIndex = {
   sqlServer: 13
   appService: 14
   search: 15
+  storageDfs: 16
 }
 @batchSize(5)
 module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
@@ -956,6 +958,32 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
           ]
         }
       }
+      {
+        name: 'pep-file-${solutionSuffix}'
+        service: 'file'
+        subnetResourceId: network!.outputs.subnetPrivateEndpointsResourceId
+        privateDnsZoneGroup: {
+          privateDnsZoneGroupConfigs: [
+            {
+              name: 'storage-dns-zone-group-file'
+              privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.storageFile]!.outputs.resourceId
+            }
+          ]
+        }
+      }
+      {
+        name: 'pep-dfs-${solutionSuffix}'
+        service: 'dfs'
+        subnetResourceId: network!.outputs.subnetPrivateEndpointsResourceId
+        privateDnsZoneGroup: {
+          privateDnsZoneGroupConfigs: [
+            {
+              name: 'storage-dns-zone-group-dfs'
+              privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.storageDfs]!.outputs.resourceId
+            }
+          ]
+        }
+      }
     ] : []
 
     // ✅ Blob service config (simplified, script-friendly)
@@ -1149,44 +1177,35 @@ module sqlDBModule 'br/public:avm/res/sql/server:0.20.1' = {
 
 //========== AVM WAF ========== //
 //========== Deployment script to upload data ========== //
-module uploadFiles 'br/public:avm/res/resources/deployment-script:0.5.1' = if(!enablePrivateNetworking) {
+module uploadFiles 'br/public:avm/res/resources/deployment-script:0.5.1' = {
   name: 'deploymentScriptForUploadFiles'
   params: {
     kind: 'AzureCLI'
     name: 'copy_demo_Data'
     azCliVersion: '2.52.0'
     cleanupPreference: 'Always'
-    location: solutionLocation   // same as VNet
+    location: solutionLocation
     managedIdentities: {
       userAssignedResourceIds: [
         userAssignedIdentity.outputs.resourceId
       ]
     }
     retentionInterval: 'P1D'
     runOnce: true
-
-    // ✅ Script + arguments
     primaryScriptUri: '${baseUrl}infra/scripts/copy_kb_files.sh'
     arguments: '${avmStorageAccount.outputs.name} data ${baseUrl} ${userAssignedIdentity.outputs.clientId}'
-
-    // ✅ Explicit storage account + subnet for private networking
     storageAccountResourceId: avmStorageAccount.outputs.resourceId
-    // subnetResourceIds: enablePrivateNetworking ? [
-    //   network!.outputs.subnetDeploymentScriptsResourceId
-    // ] : null
-
+    subnetResourceIds: enablePrivateNetworking ? [
+      network!.outputs.subnetDeploymentScriptsResourceId
+    ] : null
     tags: tags
     timeout: 'PT1H'
   }
-  dependsOn: [
-    avmStorageAccount
-    network
-  ]
 }
 
 //========== AVM WAF ========== //
 //========== Deployment script to create index ========== //
-module createIndex 'br/public:avm/res/resources/deployment-script:0.5.1' = if(!enablePrivateNetworking) {
+module createIndex 'br/public:avm/res/resources/deployment-script:0.5.1' = {
   name: 'deploymentScriptForCreateIndex'
   params: {
     // Required parameters
@@ -1207,6 +1226,10 @@ module createIndex 'br/public:avm/res/resources/deployment-script:0.5.1' = if(!e
     timeout: 'PT1H'
     retentionInterval: 'P1D'
     cleanupPreference: 'OnSuccess'
+    storageAccountResourceId: avmStorageAccount.outputs.resourceId
+    subnetResourceIds: enablePrivateNetworking ? [
+      network!.outputs.subnetDeploymentScriptsResourceId
+    ] : null
   }
   dependsOn:[sqlDBModule,uploadFiles]
 }

infra/modules/network.bicep

@@ -141,7 +141,7 @@ module network 'network/main.bicep' = {
           securityRules: []
         }
         delegation: 'Microsoft.ContainerInstance/containerGroups'
-        serviceEndpoints: ['Microsoft.Storage','Microsoft.KeyVault']
+        serviceEndpoints: ['Microsoft.Storage']
       }
     ]
     bastionConfiguration: {

infra/scripts/index_scripts/02_create_cu_template_audio.py

@@ -15,7 +15,7 @@
 ANALYZER_ID = "ckm-audio"
 ANALYZER_TEMPLATE_FILE = 'ckm-analyzer_config_audio.json'
 
-print("02_create_cu_template_audio.py: Started")
+
 # === Helper Functions ===
 def get_secrets_from_kv(secret_name: str, vault_name: str) -> str:
     """
@@ -40,8 +40,6 @@ def get_secrets_from_kv(secret_name: str, vault_name: str) -> str:
 # Fetch endpoint from Key Vault
 endpoint = get_secrets_from_kv("AZURE-OPENAI-CU-ENDPOINT", KEY_VAULT_NAME)
 
-print("02_create_cu_template_audio.py: Inprogress")
-
 credential = get_azure_credential(client_id=MANAGED_IDENTITY_CLIENT_ID)
 # Initialize Content Understanding Client
 token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")
@@ -53,6 +51,4 @@ def get_secrets_from_kv(secret_name: str, vault_name: str) -> str:
 
 # Create Analyzer
 response = client.begin_create_analyzer(ANALYZER_ID, analyzer_template_path=ANALYZER_TEMPLATE_FILE)
-result = client.poll_result(response)
-
-print("02_create_cu_template_audio.py: Completed")
+result = client.poll_result(response)

infra/scripts/index_scripts/02_create_cu_template_text.py

@@ -15,7 +15,7 @@
 ANALYZER_ID = "ckm-json"
 ANALYZER_TEMPLATE_FILE = 'ckm-analyzer_config_text.json'
 
-print("02_create_cu_template_text.py: Started")
+
 # === Helper Functions ===
 def get_secret(secret_name: str, vault_name: str) -> str:
     """
@@ -32,8 +32,6 @@ def get_secret(secret_name: str, vault_name: str) -> str:
 endpoint = get_secret("AZURE-OPENAI-CU-ENDPOINT", KEY_VAULT_NAME)
 
 credential = get_azure_credential(client_id=MANAGED_IDENTITY_CLIENT_ID)
-
-print("02_create_cu_template_text.py: Inprogress")
 # Initialize Content Understanding Client
 token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")
 client = AzureContentUnderstandingClient(
@@ -44,6 +42,4 @@ def get_secret(secret_name: str, vault_name: str) -> str:
 
 # Create Analyzer
 response = client.begin_create_analyzer(ANALYZER_ID, analyzer_template_path=ANALYZER_TEMPLATE_FILE)
-result = client.poll_result(response)
-
-print("02_create_cu_template_text.py: Completed")
+result = client.poll_result(response)