refactor: Replace Container App with Deployment Scripts for SQL and Post-Deployment Operations

Author: Avijit-Microsoft

infra/create-sql-user-and-role.bicep

@@ -0,0 +1,62 @@
+targetScope = 'resourceGroup'
+
+@description('The Azure region for the resource.')
+param location string
+
+@description('The tags to associate with this resource.')
+param tags object = {}
+
+@description('The database roles to assign to the user.')
+param databaseRoles string[] = ['db_datareader']
+
+@description('The name of the User Assigned Managed Identity to be used.')
+param managedIdentityName string
+
+@description('The principal (or object) ID of the user to create.')
+param principalId string
+
+@description('The name of the user to create.')
+param principalName string
+
+@description('The name of the SQL Database resource.')
+param sqlDatabaseName string
+
+@description('The name of the SQL Server resource.')
+param sqlServerName string
+
+@description('Do not set - unique script ID to force the script to run.')
+param uniqueScriptId string = newGuid()
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: managedIdentityName
+}
+
+resource createSqlUserAndRole 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: 'sqlUserRole-${guid(principalId, sqlServerName, sqlDatabaseName)}'
+  location: location
+  tags: tags
+  kind: 'AzurePowerShell'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+  properties: {
+    forceUpdateTag: uniqueScriptId
+    azPowerShellVersion: '7.2'
+    retentionInterval: 'PT1H'
+    cleanupPreference: 'OnSuccess'
+    arguments: join(
+      [
+        '-SqlServerName \'${sqlServerName}\''
+        '-SqlDatabaseName \'${sqlDatabaseName}\''
+        '-ClientId \'${principalId}\''
+        '-DisplayName \'${principalName}\''
+        '-DatabaseRoles \'${join(databaseRoles, ',')}\''
+      ],
+      ' '
+    )
+    scriptContent: loadTextContent('./scripts/add_user_scripts/create-sql-user-and-role.ps1')
+  }
+}

infra/deploy_index_scripts.bicep

@@ -0,0 +1,27 @@
+@description('Specifies the location for resources.')
+param solutionLocation string 
+
+param baseUrl string
+param keyVaultName string
+param managedIdentityResourceId string
+param managedIdentityClientId string
+
+resource create_index 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  kind:'AzureCLI'
+  name: 'create_search_indexes'
+  location: solutionLocation
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityResourceId}' : {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.52.0'
+    primaryScriptUri: '${baseUrl}infra/scripts/run_create_index_scripts.sh' 
+    arguments: '${baseUrl} ${keyVaultName} ${managedIdentityClientId}'
+    timeout: 'PT1H'
+    retentionInterval: 'PT1H'
+    cleanupPreference:'OnSuccess'
+  }
+}

infra/deploy_post_deployment_scripts.bicep

@@ -1,13 +1,15 @@
 param solutionLocation string
 param keyVaultName string
-param managedIdentityObjectId string
 param managedIdentityName string
-
 param serverName string
 param sqlDBName string
+param sqlUsers array = []
+
 var location = solutionLocation
-var administratorLogin = 'sqladmin'
-var administratorLoginPassword = 'TestPassword_1234'
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: managedIdentityName
+}
 
 resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
   name: serverName
@@ -17,10 +19,10 @@ resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
     publicNetworkAccess: 'Enabled'
     version: '12.0'
     restrictOutboundNetworkAccess: 'Disabled'
-    minimalTlsVersion: '1.2' // Enforce TLS 1.2 to comply with Azure policy
+    minimalTlsVersion: '1.2'
     administrators: {
       login: managedIdentityName
-      sid: managedIdentityObjectId
+      sid: managedIdentity.properties.principalId
       tenantId: subscription().tenantId
       administratorType: 'ActiveDirectory'
       azureADOnlyAuthentication: true
@@ -66,6 +68,21 @@ resource sqlDB 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
   }
 }
 
+module sqluser 'create-sql-user-and-role.bicep' = [
+  for user in sqlUsers: {
+    name: 'sqluser-${guid(solutionLocation, user.principalId, user.principalName, sqlDB.name, sqlServer.name)}'
+    params: {
+      managedIdentityName: managedIdentityName
+      location: solutionLocation
+      sqlDatabaseName: sqlDB.name
+      sqlServerName: sqlServer.name
+      principalId: user.principalId
+      principalName: user.principalName
+      databaseRoles: user.databaseRoles
+    }
+  }
+]
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
   name: keyVaultName
 }
@@ -86,22 +103,5 @@ resource sqldbDatabaseEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-previe
   }
 }
 
-resource sqldbDatabaseUsername 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
-  parent: keyVault
-  name: 'SQLDB-USERNAME'
-  properties: {
-    value: administratorLogin
-  }
-}
-
-resource sqldbDatabasePwd 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
-  parent: keyVault
-  name: 'SQLDB-PASSWORD'
-  properties: {
-    value: administratorLoginPassword
-  }
-}
-
 output sqlServerName string = '${serverName}.database.windows.net'
 output sqlDbName string = sqlDBName
-output sqlDbUser string = administratorLogin

infra/deploy_sql_db.bicep

@@ -0,0 +1,27 @@
+@description('Specifies the location for resources.')
+param solutionLocation string
+param baseUrl string
+param managedIdentityResourceId string
+param managedIdentityClientId string
+param storageAccountName string
+param containerName string
+
+resource copy_demo_Data 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  kind:'AzureCLI'
+  name: 'copy_demo_Data'
+  location: solutionLocation
+  identity:{
+    type:'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentityResourceId}' : {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.52.0'
+    primaryScriptUri: '${baseUrl}infra/scripts/copy_kb_files.sh'
+    arguments: '${storageAccountName} ${containerName} ${baseUrl} ${managedIdentityClientId}'
+    timeout: 'PT1H'
+    retentionInterval: 'PT1H'
+    cleanupPreference:'OnSuccess'
+  }
+}

infra/deploy_upload_files_script.bicep

@@ -183,37 +183,41 @@ module sqlDBModule 'deploy_sql_db.bicep' = {
     solutionLocation: secondaryLocation
     keyVaultName: kvault.outputs.keyvaultName
     managedIdentityName: managedIdentityModule.outputs.managedIdentityOutput.name
-    managedIdentityObjectId: managedIdentityModule.outputs.managedIdentityOutput.objectId
+    sqlUsers: [
+      {
+        principalId: managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
+        principalName: managedIdentityModule.outputs.managedIdentityBackendAppOutput.name
+        databaseRoles: ['db_datareader', 'db_datawriter']
+      }
+    ]
   }
   scope: resourceGroup(resourceGroup().name)
 }
 
 //========== Deployment script to upload sample data ========== //
-module uploadFiles 'deploy_post_deployment_scripts.bicep' = {
-  name : 'deploy_post_deployment_scripts'
+module uploadFiles 'deploy_upload_files_script.bicep' = {
+  name : 'deploy_upload_files_script'
   params:{
     solutionLocation: secondaryLocation
     baseUrl: baseUrl
     storageAccountName: storageAccount.outputs.storageName
     containerName: storageAccount.outputs.storageContainer
-    containerAppName: '${abbrs.containers.containerApp}${solutionPrefix}'
-    environmentName: '${abbrs.containers.containerAppsEnvironment}${solutionPrefix}'
-    managedIdentityObjectId:managedIdentityModule.outputs.managedIdentityOutput.id
+    managedIdentityResourceId:managedIdentityModule.outputs.managedIdentityOutput.id
     managedIdentityClientId:managedIdentityModule.outputs.managedIdentityOutput.clientId
+  }
+}
+
+//========== Deployment script to process and index data ========== //
+module createIndex 'deploy_index_scripts.bicep' = {
+  name : 'deploy_index_scripts'
+  params:{
+    solutionLocation: secondaryLocation
+    managedIdentityResourceId:managedIdentityModule.outputs.managedIdentityOutput.id
+    managedIdentityClientId:managedIdentityModule.outputs.managedIdentityOutput.clientId
+    baseUrl:baseUrl
     keyVaultName:aifoundry.outputs.keyvaultName
-    logAnalyticsWorkspaceResourceName: aifoundry.outputs.logAnalyticsWorkspaceResourceName
-    logAnalyticsWorkspaceResourceGroup: aifoundry.outputs.logAnalyticsWorkspaceResourceGroup
-    logAnalyticsWorkspaceSubscription: aifoundry.outputs.logAnalyticsWorkspaceSubscription
-    sqlServerName: sqlDBModule.outputs.sqlServerName
-    sqlDbName: sqlDBModule.outputs.sqlDbName
-    sqlUsers: [
-      {
-        principalId: managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
-        principalName: managedIdentityModule.outputs.managedIdentityBackendAppOutput.name
-        databaseRoles: ['db_datareader', 'db_datawriter']
-      }
-    ]
   }
+  dependsOn:[sqlDBModule,uploadFiles]
 }
 
 module hostingplan 'deploy_app_service_plan.bicep' = {
@@ -255,7 +259,6 @@ module backend_docker 'deploy_backend_docker.bicep' = {
       AZURE_COSMOSDB_ENABLE_FEEDBACK: 'True'
       SQLDB_DATABASE: sqlDBModule.outputs.sqlDbName
       SQLDB_SERVER: sqlDBModule.outputs.sqlServerName
-      SQLDB_USERNAME: sqlDBModule.outputs.sqlDbUser
       SQLDB_USER_MID: managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
 
       AZURE_AI_SEARCH_ENDPOINT: aifoundry.outputs.aiSearchTarget
@@ -318,7 +321,6 @@ output REACT_APP_LAYOUT_CONFIG string = backend_docker.outputs.reactAppLayoutCon
 output SQLDB_DATABASE string = sqlDBModule.outputs.sqlDbName
 output SQLDB_SERVER string = sqlDBModule.outputs.sqlServerName
 output SQLDB_USER_MID string = managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
-output SQLDB_USERNAME string = sqlDBModule.outputs.sqlDbUser
 output USE_AI_PROJECT_CLIENT string = 'False'
 output USE_CHAT_HISTORY_ENABLED string = 'True'
 output DISPLAY_CHART_DEFAULT string = 'False'