Merge pull request #313 from microsoft/psl-pk-sqlsfi-mod

fix: Resolve SFI issue on Storage Account by using Azure Container Apps instead of Deployment Scripts

Author: Pavan-Microsoft

.github/workflows/deploy-KMGeneric.yml

@@ -112,7 +112,7 @@ jobs:
           az deployment group create \
             --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
             --template-file infra/main.bicep \
-            --parameters environmentName=${{env.SOLUTION_PREFIX}} contentUnderstandingLocation="westus" secondaryLocation="${{ env.AZURE_LOCATION }}" imageTag=${{ steps.determine_tag.outputs.tagname }}
+            --parameters environmentName=${{env.SOLUTION_PREFIX}} contentUnderstandingLocation="swedencentral" secondaryLocation="${{ env.AZURE_LOCATION }}" imageTag=${{ steps.determine_tag.outputs.tagname }}
      
 
       - name: Extract AI Services and Key Vault Names

README.md

@@ -11,7 +11,7 @@ User story
 
 This solution accelerator enables customers with large amounts of conversational data to improve decision-making by leveraging intelligence to uncover insights, relationships, and patterns from customer interactions. It empowers users to gain valuable knowledge and drive targeted business impact. 
 
-It leverages Azure AI Foundry, AI Content Understanding, Azure OpenAI, and Azure AI Search to transform large volumes of conversational data into actionable insights through topic modeling, key phrase extraction, speech-to-text transcription, and interactive chat experiences.
+It leverages Azure AI Foundry, Azure AI Content Understanding, Azure OpenAI Service, and Azure AI Search to transform large volumes of conversational data into actionable insights through topic modeling, key phrase extraction, speech-to-text transcription, and interactive chat experiences.
 
 
 ### Technical key features
@@ -51,7 +51,7 @@ To deploy this solution accelerator, ensure you have access to an [Azure subscri
 Check the [Azure Products by Region](https://azure.microsoft.com/en-us/explore/global-infrastructure/products-by-region/?products=all&regions=all) page and select a **region** where the following services are available:  
 
 - Azure AI Foundry 
-- Azure OpenAI Services 
+- Azure OpenAI Service 
 - Azure AI Search
 - Azure AI Content Understanding
 - Embedding Deployment Capacity  
@@ -68,9 +68,9 @@ When you start the deployment, most parameters will have **default values**, but
 | **Setting** | **Description** | **Default value** |
 |------------|----------------|------------|
 | **Azure Region** | The region where resources will be created. | eastus | 
-| **Environment Name** | A **3-20 character alphanumeric value** used to prefix resources. | kmtemplate |
-| **Content Understanding Location** | Select from a drop-down list of values. | westus |
-| **Secondary Location** | A **less busy** region for **Azure SQL and CosmosDB**, useful in case of availability constraints. | eastus2 |
+| **Environment Name** | A **3-20 character alphanumeric value** used to generate a unique ID to prefix the resources. | kmtemplate |
+| **Azure AI Content Understanding Location** | Select from a drop-down list of values. | swedencentral |
+| **Secondary Location** | A **less busy** region for **Azure SQL and Azure Cosmos DB**, useful in case of availability constraints. | eastus2 |
 | **Deployment Type** | Select from a drop-down list. | GlobalStandard |
 | **GPT Model** | Choose from **gpt-4, gpt-4o, gpt-4o-mini** | gpt-4o-mini |  
 | **GPT Model Deployment Capacity** | Configure capacity for **GPT models**. | 30k |

docs/CustomizingAzdParameters.md

@@ -5,10 +5,10 @@ By default this template will use the environment name as the prefix to prevent
 
 > To override any of the parameters, run `azd env set <key> <value>` before running `azd up`. On the first azd command, it will prompt you for the environment name. Be sure to choose 3-20 charaters alphanumeric unique name. 
 
-Change the Content Understanding Location (allowed values: West US, Sweden Central, Australia East)
+Change the Content Understanding Location (allowed values: Sweden Central, Australia East)
 
 ```shell
-azd env set AZURE_ENV_CU_LOCATION 'westus'
+azd env set AZURE_ENV_CU_LOCATION 'swedencentral'
 ```
 
 Change the Secondary Location (example: eastus2, westus2, etc.)

docs/Images/ReadMe/techkeyfeatures.png

@@ -5,7 +5,7 @@ param keyVaultName string
 param cuLocation string
 param deploymentType string
 param gptModelName string
-param gptModelVersion string
+param azureOpenAIApiVersion string
 param gptDeploymentCapacity int
 param embeddingModel string
 param embeddingDeploymentCapacity int
@@ -358,6 +358,34 @@ resource storageroleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-
   }
 }
 
+resource cognitiveServicesUserRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: aiServices_CU
+  name: 'a97b65f3-24c7-4388-baec-2e87135dc908'
+}
+
+resource cognitiveServicesUserAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, managedIdentityObjectId, cognitiveServicesUserRoleDefinition.id)
+  properties: {
+    principalId: managedIdentityObjectId
+    roleDefinitionId: cognitiveServicesUserRoleDefinition.id
+    principalType: 'ServicePrincipal' 
+  }
+}
+
+resource aiDeveloperRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: aiServices_CU
+  name: '64702f94-c441-49e6-a78b-ef80e0188fee'
+}
+
+resource aiDeveloperAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, managedIdentityObjectId, aiDeveloperRoleDefinition.id)
+  properties: {
+    principalId: managedIdentityObjectId
+    roleDefinitionId: aiDeveloperRoleDefinition.id
+    principalType: 'ServicePrincipal' 
+  }
+}
+
 resource aiHub 'Microsoft.MachineLearningServices/workspaces@2023-08-01-preview' = {
   name: aiHubName
   location: location
@@ -531,7 +559,7 @@ resource azureOpenAIApiVersionEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-0
   parent: keyVault
   name: 'AZURE-OPENAI-PREVIEW-API-VERSION'
   properties: {
-    value: gptModelVersion  //'2024-02-15-preview'
+    value: azureOpenAIApiVersion  //'2024-02-15-preview'
   }
 }
 
@@ -671,4 +699,5 @@ output aiSearchService string = aiSearch.name
 output aiProjectName string = aiHubProject.name
 
 output applicationInsightsId string = applicationInsights.id
+output logAnalyticsWorkspaceResourceName string = logAnalytics.name
 output storageAccountName string = storageNameCleaned

infra/create-sql-user-and-role.bicep

@@ -0,0 +1,91 @@
+@description('Solution Name')
+param solutionName string
+@description('Specifies the location for resources.')
+param solutionLocation string
+param baseUrl string
+param managedIdentityObjectId string
+param managedIdentityClientId string
+param storageAccountName string
+param containerName string
+param containerAppName string = '${ solutionName }containerapp'
+param environmentName string = '${ solutionName }containerappenv'
+param imageName string = 'python:3.11-alpine'
+param setupCopyKbFiles string = '${baseUrl}infra/scripts/copy_kb_files.sh'
+param setupCreateIndexScriptsUrl string = '${baseUrl}infra/scripts/run_create_index_scripts.sh'
+param createSqlUserAndRoleScriptsUrl string = '${baseUrl}infra/scripts/add_user_scripts/create-sql-user-and-role.ps1'
+param keyVaultName string
+param sqlServerName string
+param sqlDbName string
+param sqlUsers array = [
+]
+param logAnalyticsWorkspaceResourceName string
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2020-10-01' existing = {
+  name: logAnalyticsWorkspaceResourceName
+  scope: resourceGroup()
+}
+
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2022-03-01' = {
+  name: environmentName
+  location: solutionLocation
+  properties: {
+    zoneRedundant: false
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalytics.properties.customerId
+        sharedKey: logAnalytics.listKeys().primarySharedKey
+      }
+    }
+  }
+}
+
+resource containerApp 'Microsoft.App/containerApps@2022-03-01' = {
+  name: containerAppName
+  location: solutionLocation
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityObjectId}': {}
+    }
+  }
+  properties: {
+    managedEnvironmentId: containerAppEnv.id
+    configuration: {
+      ingress: {
+        external: true
+        targetPort: 80
+      }
+ 
+    }
+    template: {
+      containers: [
+        {
+          name: containerAppName
+          image: imageName
+          resources: {
+            cpu: 1
+            memory: '2.0Gi'
+          }
+          command: [
+            '/bin/sh', '-c', 'mkdir -p /scripts && apk add --no-cache curl bash jq py3-pip gcc musl-dev libffi-dev openssl-dev python3-dev && pip install --upgrade azure-cli && apk add --no-cache --virtual .build-deps build-base unixodbc-dev && curl -s -o msodbcsql18_18.4.1.1-1_amd64.apk https://download.microsoft.com/download/7/6/d/76de322a-d860-4894-9945-f0cc5d6a45f8/msodbcsql18_18.4.1.1-1_amd64.apk && curl -s -o mssql-tools18_18.4.1.1-1_amd64.apk https://download.microsoft.com/download/7/6/d/76de322a-d860-4894-9945-f0cc5d6a45f8/mssql-tools18_18.4.1.1-1_amd64.apk && apk add --allow-untrusted msodbcsql18_18.4.1.1-1_amd64.apk && apk add --allow-untrusted mssql-tools18_18.4.1.1-1_amd64.apk && curl -s -o /scripts/copy_kb_files.sh ${setupCopyKbFiles} && chmod +x /scripts/copy_kb_files.sh && sh -x /scripts/copy_kb_files.sh ${storageAccountName} ${containerName} ${baseUrl} ${managedIdentityClientId} && curl -s -o /scripts/run_create_index_scripts.sh ${setupCreateIndexScriptsUrl} && chmod +x /scripts/run_create_index_scripts.sh && sh -x /scripts/run_create_index_scripts.sh ${baseUrl} ${keyVaultName} ${managedIdentityClientId} && apk add --no-cache ca-certificates less ncurses-terminfo-base krb5-libs libgcc libintl libssl3 libstdc++ tzdata userspace-rcu zlib icu-libs curl && apk -X https://dl-cdn.alpinelinux.org/alpine/edge/main add --no-cache lttng-ust openssh-client && curl -L https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell-7.5.0-linux-musl-x64.tar.gz -o /tmp/powershell.tar.gz && mkdir -p /opt/microsoft/powershell/7 && tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 && chmod +x /opt/microsoft/powershell/7/pwsh && ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh && curl -s -o /scripts/create-sql-user-and-role.ps1 ${createSqlUserAndRoleScriptsUrl} && chmod +x /scripts/create-sql-user-and-role.ps1 && pwsh -File /scripts/create-sql-user-and-role.ps1 -SqlServerName ${sqlServerName} -SqlDatabaseName ${sqlDbName} -ClientId ${sqlUsers[0].principalId} -DisplayName ${sqlUsers[0].principalName} -ManagedIdentityClientId ${managedIdentityClientId} -DatabaseRole ${sqlUsers[0].databaseRoles[0]} && pwsh -File /scripts/create-sql-user-and-role.ps1 -SqlServerName ${sqlServerName} -SqlDatabaseName ${sqlDbName} -ClientId ${sqlUsers[0].principalId} -DisplayName ${sqlUsers[0].principalName} -ManagedIdentityClientId ${managedIdentityClientId} -DatabaseRole ${sqlUsers[0].databaseRoles[1]} && pwsh -File /scripts/create-sql-user-and-role.ps1 -SqlServerName ${sqlServerName} -SqlDatabaseName ${sqlDbName} -ClientId ${sqlUsers[1].principalId} -DisplayName ${sqlUsers[1].principalName} -ManagedIdentityClientId ${managedIdentityClientId} -DatabaseRole ${sqlUsers[1].databaseRoles[0]} && echo "Container app setup completed successfully."'
+          ]
+          env: [
+            {
+              name: 'STORAGE_ACCOUNT_NAME'
+              value: storageAccountName
+            }
+            {
+              name: 'CONTAINER_NAME'
+              value: containerName
+            }
+            {
+              name:'APPSETTING_WEBSITE_SITE_NAME'
+              value:'DUMMY'
+            }
+          ]
+        }
+      ]
+    }
+  }
+}

infra/deploy_ai_foundry.bicep

@@ -4,45 +4,30 @@
 param solutionName string
 param solutionLocation string
 param keyVaultName string
-param managedIdentityId string
 param managedIdentityObjectId string
 param managedIdentityName string
 
-// @description('The name of the SQL logical server.')
-// param serverName string = '${ solutionName }-sql-server'
-
-// @description('The name of the SQL Database.')
-// param sqlDBName string = '${ solutionName }-sql-db'
-
-// @description('Location for all resources.')
-// param location string = solutionLocation
-
-// @description('The administrator username of the SQL logical server.')
-// param administratorLogin string = 'sqladmin'
-
-// @description('The administrator password of the SQL logical server.')
-// @secure()
-// param administratorLoginPassword string = 'TestPassword_1234'
-
 var serverName = '${ solutionName }-sql-server'
 var sqlDBName = '${ solutionName }-sql-db'
 var location = solutionLocation
 var administratorLogin = 'sqladmin'
 var administratorLoginPassword = 'TestPassword_1234'
 
-param users array = [
-]
-
 resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
   name: serverName
   location: location
   kind:'v12.0'
   properties: {
-      administratorLogin: administratorLogin
-      administratorLoginPassword: administratorLoginPassword
       publicNetworkAccess: 'Enabled'
       version: '12.0'
       restrictOutboundNetworkAccess: 'Disabled'
+      administrators: {
+        login: managedIdentityName
+        sid: managedIdentityObjectId
+        tenantId: subscription().tenantId
+        administratorType: 'ActiveDirectory'
+        azureADOnlyAuthentication: true
+      }
     }
 }
 
@@ -84,31 +69,6 @@ resource sqlDB 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
   }
 }
 
-resource SQLServerName_ActiveDirectory 'Microsoft.Sql/servers/administrators@2023-08-01-preview' = {
-  parent: sqlServer
-  name: 'ActiveDirectory'
-  properties: {
-    login: managedIdentityName
-    sid: managedIdentityObjectId
-    tenantId: subscription().tenantId
-    administratorType: 'ActiveDirectory'
-  }
-}
-
-module sqluser 'create-sql-user-and-role.bicep' = [for user in users: {
-  name: 'sqluser-${guid(location, user.principalId, user.principalName, sqlDBName, sqlServer.name)}'
-  params: {
-    managedIdentityId: managedIdentityId
-    principalId: user.principalId
-    principalName: user.principalName
-    sqlDatabaseName: sqlDBName
-    location: location
-    sqlServerName: sqlServer.name
-    databaseRoles: user.databaseRoles
-  }
-  dependsOn: [ sqlDB, SQLServerName_ActiveDirectory ]
-}]
-
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: keyVaultName
 }
@@ -148,10 +108,3 @@ resource sqldbDatabasePwd 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview'
 output sqlServerName string = '${serverName}.database.windows.net'
 output sqlDbName string = sqlDBName
 output sqlDbUser string = administratorLogin
-
-// output sqlDbOutput object = {
-//   sqlServerName: '${serverName}.database.windows.net' 
-//   sqlDbName: sqlDBName
-//   sqlDbUser: administratorLogin
-//   sqlDbPwd: administratorLoginPassword
-// }