Merge pull request #647 from microsoft/dev

fix: merging dev to main

Author: Roopan-Microsoft

documents/DeploymentGuide.md

@@ -223,6 +223,7 @@ Once you've opened the project in [Codespaces](#github-codespaces), [Dev Contain
 5. Once the deployment has completed successfully, open the [Azure Portal](https://portal.azure.com/), go to the deployed resource group, find the App Service, and get the app URL from `Default domain`.
 
 6. If you are done trying out the application, you can delete the resources by running `azd down`.
+   > **Note:** If you deployed with `enableRedundancy=true` and Log Analytics workspace replication is enabled, you must first disable replication before running `azd down` else resource group delete will fail. Follow the steps in [Handling Log Analytics Workspace Deletion with Replication Enabled](./LogAnalyticsReplicationDisable.md), wait until replication returns `false`, then run `azd down`.
 
 ### 🛠️ Troubleshooting
  If you encounter any issues during the deployment process, please refer  [troubleshooting](../documents/TroubleShootingSteps.md) document for detailed steps and solutions

documents/LogAnalyticsReplicationDisable.md

@@ -0,0 +1,28 @@
+# 🛠 Handling Log Analytics Workspace Deletion with Replication Enabled
+
+If redundancy (replication) is enabled for your Log Analytics workspace, you must disable it before deleting the workspace or resource group. Otherwise, deletion will fail.
+
+## ✅ Steps to Disable Replication Before Deletion
+Run the following Azure CLI command. Note: This operation may take about 5 minutes to complete.
+
+```bash
+az resource update --ids "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{logAnalyticsName}" --set properties.replication.enabled=false
+```
+
+Replace:
+- `{subscriptionId}` → Your Azure subscription ID
+- `{resourceGroupName}` → The name of your resource group
+- `{logAnalyticsName}` → The name of your Log Analytics workspace
+
+Optional: Verify replication disabled (should output `false`):
+```bash
+az resource show --ids "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{logAnalyticsName}" --query properties.replication.enabled -o tsv
+```
+
+## ✅ After Disabling Replication
+You can safely delete:
+- The Log Analytics workspace (manual)
+- The resource group (manual), or
+- All provisioned resources via `azd down`
+
+Return to: [Deployment Guide](./DeploymentGuide.md)

infra/main.bicep

@@ -506,11 +506,11 @@ module userAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-id
 
 // ========== SQL Operations User Assigned Identity ========== //
 // Dedicated identity for backend SQL operations with limited permissions (db_datareader, db_datawriter)
-var sqlUserAssignedIdentityResourceName = 'id-sql-${solutionSuffix}'
-module sqlUserAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
-  name: take('avm.res.managed-identity.user-assigned-identity.${sqlUserAssignedIdentityResourceName}', 64)
+var backendUserAssignedIdentityResourceName = 'id-backend-${solutionSuffix}'
+module backendUserAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+  name: take('avm.res.managed-identity.user-assigned-identity.${backendUserAssignedIdentityResourceName}', 64)
   params: {
-    name: sqlUserAssignedIdentityResourceName
+    name: backendUserAssignedIdentityResourceName
     location: location
     tags: tags
     enableTelemetry: enableTelemetry
@@ -767,6 +767,11 @@ module aiFoundryAiServices 'modules/ai-services.bicep' = if (aiFoundryAIservices
         principalId: userAssignedIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
       }
+      {
+        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User
+        principalId: backendUserAssignedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+      }
       {
         roleDefinitionIdOrName: '64702f94-c441-49e6-a78b-ef80e0188fee' // Azure AI Developer
         principalId: userAssignedIdentity.outputs.principalId
@@ -777,6 +782,16 @@ module aiFoundryAiServices 'modules/ai-services.bicep' = if (aiFoundryAIservices
         principalId: userAssignedIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
       }
+      {
+        roleDefinitionIdOrName: '64702f94-c441-49e6-a78b-ef80e0188fee' // Azure AI Developer
+        principalId: backendUserAssignedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+      }
+      {
+        roleDefinitionIdOrName: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Cognitive Services OpenAI User
+        principalId: backendUserAssignedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+      }
     ]
     // WAF aligned configuration for Monitoring
     diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null
@@ -946,6 +961,11 @@ module searchSearchServices 'br/public:avm/res/search/search-service:0.11.1' = {
         principalId: userAssignedIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
       }
+      {
+        roleDefinitionIdOrName: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
+        principalId: backendUserAssignedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+      }
       {
         roleDefinitionIdOrName: '1407120a-92aa-4202-b7e9-c0e197c71c8f' // Search Index Data Reader
         principalId: !useExistingAiFoundryAiProject ? aiFoundryAiServices.outputs.aiProjectInfo.aiprojectSystemAssignedMIPrincipalId : existingAiFoundryAiServicesProject!.identity.principalId
@@ -1182,7 +1202,7 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
           'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
           'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
         ]
-        assignments: [{ principalId: userAssignedIdentity.outputs.principalId }]
+        assignments: [{ principalId: backendUserAssignedIdentity.outputs.principalId }]
       }
     ]
     // WAF aligned configuration for Monitoring
@@ -1278,6 +1298,7 @@ module sqlDBModule 'br/public:avm/res/sql/server:0.20.1' = {
       systemAssigned: true
       userAssignedResourceIds: [
         userAssignedIdentity.outputs.resourceId
+        backendUserAssignedIdentity.outputs.resourceId
       ]
     }
     primaryUserAssignedIdentityResourceId: userAssignedIdentity.outputs.resourceId
@@ -1396,8 +1417,8 @@ module createSqlUserAndRole 'br/public:avm/res/resources/deployment-script:0.5.1
       [
         '-SqlServerName \'${sqlServerResourceName}\''
         '-SqlDatabaseName \'${sqlDbModuleName}\''
-        '-ClientId \'${sqlUserAssignedIdentity.outputs.clientId}\''
-        '-DisplayName \'${sqlUserAssignedIdentity.outputs.name}\''
+        '-ClientId \'${backendUserAssignedIdentity.outputs.clientId}\''
+        '-DisplayName \'${backendUserAssignedIdentity.outputs.name}\''
         '-DatabaseRoles \'${join(databaseRoles, ',')}\''
       ],
       ' '
@@ -1513,7 +1534,7 @@ module webSiteBackend 'modules/web-sites.bicep' = {
     managedIdentities: {
       systemAssigned: true
       userAssignedResourceIds: [
-        userAssignedIdentity.outputs.resourceId
+        backendUserAssignedIdentity.outputs.resourceId
       ]
     }
     siteConfig: {
@@ -1539,7 +1560,7 @@ module webSiteBackend 'modules/web-sites.bicep' = {
           AZURE_COSMOSDB_ENABLE_FEEDBACK: 'True'
           SQLDB_DATABASE: 'sqldb-${solutionSuffix}'
           SQLDB_SERVER: '${sqlDBModule.outputs.name }${environment().suffixes.sqlServerHostname}'
-          SQLDB_USER_MID: sqlUserAssignedIdentity.outputs.clientId
+          SQLDB_USER_MID: backendUserAssignedIdentity.outputs.clientId
           AZURE_AI_SEARCH_ENDPOINT: 'https://${aiSearchName}.search.windows.net'
           AZURE_AI_SEARCH_INDEX: 'call_transcripts_index'
           AZURE_AI_SEARCH_CONNECTION_NAME: aiSearchName
@@ -1549,7 +1570,7 @@ module webSiteBackend 'modules/web-sites.bicep' = {
           DUMMY_TEST: 'True'
           SOLUTION_NAME: solutionSuffix
           APP_ENV: 'Prod'
-          AZURE_CLIENT_ID: userAssignedIdentity.outputs.clientId
+          AZURE_CLIENT_ID: backendUserAssignedIdentity.outputs.clientId
         }
         // WAF aligned configuration for Monitoring
         applicationInsightResourceId: enableMonitoring ? applicationInsights!.outputs.resourceId : null
@@ -1628,10 +1649,10 @@ output AZURE_AI_FOUNDRY_NAME string = !empty(existingAIServicesName) ? existingA
 output AZURE_AI_PROJECT_NAME string = !empty(existingAIProjectName) ? existingAIProjectName : aiFoundryAiServices.outputs.aiProjectInfo.name
 
 @description('Contains Azure AI Search service name.')
-output AZURE_AI_SEARCH_NAME string = !empty(existingAIServicesName) ? existingAIServicesName : aiFoundryAiServicesResourceName
+output AZURE_AI_SEARCH_NAME string = aiSearchName
 
 @description('Contains Azure AI Search endpoint URL.')
-output AZURE_AI_SEARCH_ENDPOINT string = 'https://${aiFoundryAiServices.outputs.name}.search.windows.net'
+output AZURE_AI_SEARCH_ENDPOINT string = 'https://${aiSearchName}.search.windows.net'
 
 @description('Contains Azure AI Search index name.')
 output AZURE_AI_SEARCH_INDEX string = 'call_transcripts_index'
@@ -1682,10 +1703,10 @@ output REACT_APP_LAYOUT_CONFIG string = reactAppLayoutConfig
 output SQLDB_DATABASE string = 'sqldb-${solutionSuffix}'
 
 @description('Contains SQL server name.')
-output SQLDB_SERVER string = sqlDBModule.outputs.name
+output SQLDB_SERVER string = '${sqlDBModule.outputs.name }${environment().suffixes.sqlServerHostname}'
 
 @description('Contains SQL database user managed identity client ID.')
-output SQLDB_USER_MID string = sqlUserAssignedIdentity.outputs.clientId
+output SQLDB_USER_MID string = backendUserAssignedIdentity.outputs.clientId
 
 @description('Contains AI project client usage setting.')
 output USE_AI_PROJECT_CLIENT string = 'False'