process KM sample data manually as part of post-deployment activity

Author: Priyanka-Microsoft

infra/scripts/add_user_scripts/create-sql-user-and-role.ps1

@@ -7,7 +7,7 @@
 .DESCRIPTION
     During an application deployment, the managed identity (and potentially the developer identity)
     must be added to the SQL database as a user and assigned to one or more roles. This script
-    accomplishes this task using the owner-managed identity for authentication.
+    accomplishes this task using Azure AD authentication.
 
 .PARAMETER SqlServerName
     The name of the Azure SQL Server resource.
@@ -21,43 +21,36 @@
 .PARAMETER DisplayName
     The Object (Principal) display name of the identity to be added.
 
-.PARAMETER ManagedIdentityClientId
-    The Client ID of the managed identity that will authenticate to the SQL database.
+.PARAMETER UseManagedIdentity
+    Switch to indicate whether to use a Managed Identity for authentication (useful for automation).
+    If not provided, it will use your currently logged-in Azure AD account.
 
 .PARAMETER DatabaseRole
     The database role that should be assigned to the user (e.g., db_datareader, db_datawriter, db_owner).
 #>
 
-Param(
+param (
     [string] $SqlServerName,
     [string] $SqlDatabaseName,
     [string] $ClientId,
     [string] $DisplayName,
-    [string] $ManagedIdentityClientId,
+    [switch] $UseManagedIdentity,
     [string] $DatabaseRole
 )
 
 function Resolve-Module($moduleName) {
-    # If module is imported; say that and do nothing
-    if (Get-Module | Where-Object { $_.Name -eq $moduleName }) {
-        Write-Debug "Module $moduleName is already imported"
-    } elseif (Get-Module -ListAvailable | Where-Object { $_.Name -eq $moduleName }) {
-        Import-Module $moduleName
-    } elseif (Find-Module -Name $moduleName | Where-Object { $_.Name -eq $moduleName }) {
-        Install-Module $moduleName -Force -Scope CurrentUser
-        Import-Module $moduleName
-    } else {
-        Write-Error "Module $moduleName not found"
-        [Environment]::exit(1)
+    if (-not (Get-Module -ListAvailable -Name $moduleName)) {
+        Install-Module -Name $moduleName -Scope CurrentUser -Force -AllowClobber
     }
+    Import-Module -Name $moduleName -Force
 }
 
-###
-### MAIN SCRIPT
-###
+### Load Required Modules
+Resolve-Module -moduleName Az.Accounts
 Resolve-Module -moduleName Az.Resources
 Resolve-Module -moduleName SqlServer
 
+### Generate SQL Script
 $sql = @"
 DECLARE @username nvarchar(max) = N'$($DisplayName)';
 DECLARE @clientId uniqueidentifier = '$($ClientId)';
@@ -70,8 +63,21 @@ END
 EXEC sp_addrolemember '$($DatabaseRole)', @username;
 "@
 
-Write-Output "`nSQL:`n$($sql)`n`n"
+Write-Output "`nSQL to be executed:`n$($sql)`n"
+
+### Authenticate and Get Access Token
+if ($UseManagedIdentity) {
+    Write-Host "[INFO] Logging in using Managed Identity..."
+    Connect-AzAccount -Identity
+} else {
+    Write-Host "[INFO] Logging in using current user identity..."
+    Connect-AzAccount
+}
 
-Connect-AzAccount -Identity -AccountId $ManagedIdentityClientId
 $token = (Get-AzAccessToken -ResourceUrl https://database.windows.net/).Token
-Invoke-SqlCmd -ServerInstance "$SqlServerName" -Database $SqlDatabaseName -AccessToken $token -Query $sql -ErrorAction 'Stop'
+
+### Execute the SQL Command
+Write-Host "[INFO] Executing SQL against $SqlDatabaseName..."
+Invoke-Sqlcmd -ServerInstance "$SqlServerName.database.windows.net" -Database $SqlDatabaseName -AccessToken $token -Query $sql -ErrorAction Stop
+
+Write-Host "[SUCCESS] User and role assignment completed."

infra/scripts/copy_kb_files.sh

@@ -3,33 +3,71 @@
 # Variables
 storageAccount="$1"
 fileSystem="$2"
-baseUrl="$3"
+# baseUrl="$3"
 managedIdentityClientId="$4"
+keyVaultName="$5"  # ✅ NEW ARG REQUIRED
 
 zipFileName1="call_transcripts.zip"
 extractedFolder1="call_transcripts"
-zipUrl1=${baseUrl}"infra/data/call_transcripts.zip"
+zipUrl1="infra/data/call_transcripts.zip"
 
 zipFileName2="audio_data.zip"
 extractedFolder2="audiodata"
-zipUrl2=${baseUrl}"infra/data/audio_data.zip"
+zipUrl2="infra/data/audio_data.zip"
 
-# Create folders if they do not exist
-mkdir -p "/mnt/azscripts/azscriptinput/$extractedFolder1"
-mkdir -p "/mnt/azscripts/azscriptinput/$extractedFolder2"
+unzip infra/data/"$zipFileName1" -d infra/data/"$extractedFolder1"
+unzip infra/data/"$zipFileName2" -d infra/data/"$extractedFolder2"
 
-# Download the zip file
-curl --output /mnt/azscripts/azscriptinput/"$zipFileName1" "$zipUrl1"
-curl --output /mnt/azscripts/azscriptinput/"$zipFileName2" "$zipUrl2"
+echo "Script Started"
 
-# Extract the zip file
-unzip /mnt/azscripts/azscriptinput/"$zipFileName1" -d /mnt/azscripts/azscriptinput/"$extractedFolder1"
-unzip /mnt/azscripts/azscriptinput/"$zipFileName2" -d /mnt/azscripts/azscriptinput/"$extractedFolder2"
+# Authenticate with Azure
+if az account show &> /dev/null; then
+    echo "Already authenticated with Azure."
+else
+    if [ -n "$managedIdentityClientId" ]; then
+        echo "Authenticating with Managed Identity..."
+        az login --identity --client-id ${managedIdentityClientId}
+    else
+        echo "Authenticating with Azure CLI..."
+        az login
+    fi
+    echo "Not authenticated with Azure. Attempting to authenticate..."
+fi
 
-echo "Script Started"
+echo "Getting signed in user id"
+signed_user_id=$(az ad signed-in-user show --query id -o tsv)
+
+echo "Getting storage account resource id"
+storage_account_resource_id=$(az storage account show --name $storageAccount --query id --output tsv)
+
+# ✅ Assign Storage Blob Data Contributor role (if not already assigned)
+echo "Checking if user has the Storage Blob Data Contributor role"
+storage_role_assignment=$(az role assignment list --assignee $signed_user_id --role "Storage Blob Data Contributor" --scope $storage_account_resource_id --query "[].roleDefinitionId" -o tsv)
+
+if [ -z "$storage_role_assignment" ]; then
+    echo "Assigning Storage Blob Data Contributor role..."
+    az role assignment create --assignee $signed_user_id --role "Storage Blob Data Contributor" --scope $storage_account_resource_id --output none
+    echo "Role assignment for Blob Storage completed."
+else
+    echo "User already has Storage Blob Data Contributor role."
+fi
+
+# ✅ Assign Key Vault Secrets User role (NEW BLOCK)
+echo "Getting Key Vault resource ID"
+key_vault_resource_id=$(az keyvault show --name $keyVaultName --query id --output tsv)
+
+echo "Checking if user has Key Vault Secrets User role"
+kv_role_assignment=$(az role assignment list --assignee $signed_user_id --role "Key Vault Secrets User" --scope $key_vault_resource_id --query "[].roleDefinitionId" -o tsv)
+
+if [ -z "$kv_role_assignment" ]; then
+    echo "Assigning Key Vault Secrets User role..."
+    az role assignment create --assignee $signed_user_id --role "Key Vault Secrets User" --scope $key_vault_resource_id --output none
+    echo "Role assignment for Key Vault completed."
+else
+    echo "User already has Key Vault Secrets User role."
+fi
 
-# Authenticate with Azure using managed identity
-az login --identity --client-id ${managedIdentityClientId}
-# Using az storage blob upload-batch to upload files with managed identity authentication, as the az storage fs directory upload command is not working with managed identity authentication.
-az storage blob upload-batch --account-name "$storageAccount" --destination data/"$extractedFolder1" --source /mnt/azscripts/azscriptinput/"$extractedFolder1" --auth-mode login --pattern '*' --overwrite
-az storage blob upload-batch --account-name "$storageAccount" --destination data/"$extractedFolder2" --source /mnt/azscripts/azscriptinput/"$extractedFolder2" --auth-mode login --pattern '*' --overwrite
+# Upload files to Azure Storage
+echo "Uploading files to Azure Storage"
+az storage blob upload-batch --account-name "$storageAccount" --destination "$fileSystem"/"$extractedFolder1" --source infra/data/"$extractedFolder1" --auth-mode login --pattern '*' --overwrite --output none
+az storage blob upload-batch --account-name "$storageAccount" --destination "$fileSystem"/"$extractedFolder2" --source infra/data/"$extractedFolder2" --auth-mode login --pattern '*' --overwrite --output none

infra/scripts/index_scripts/01_create_search_index.py

@@ -1,8 +1,9 @@
 from azure.keyvault.secrets import SecretClient  
 from azure.identity import DefaultAzureCredential
+import sys
 
-key_vault_name = 'kv_to-be-replaced'
-managed_identity_client_id = 'mici_to-be-replaced'
+key_vault_name=sys.argv[1]
+managed_identity_client_id = sys.argv[2]
 index_name = "call_transcripts_index"
 
 def get_secrets_from_kv(kv_name, secret_name):

infra/scripts/index_scripts/02_create_cu_template_audio.py

@@ -7,8 +7,8 @@
 from pathlib import Path
 from azure.identity import DefaultAzureCredential, get_bearer_token_provider
 
-key_vault_name = 'kv_to-be-replaced'
-managed_identity_client_id = 'mici_to-be-replaced'
+key_vault_name=sys.argv[1]
+managed_identity_client_id = sys.argv[2]
 
 def get_secrets_from_kv(kv_name, secret_name):
 

infra/scripts/index_scripts/02_create_cu_template_text.py

@@ -7,8 +7,8 @@
 from pathlib import Path
 from azure.identity import DefaultAzureCredential, get_bearer_token_provider
 
-key_vault_name = 'kv_to-be-replaced'
-managed_identity_client_id = 'mici_to-be-replaced'
+key_vault_name=sys.argv[1]
+managed_identity_client_id = sys.argv[2]
 
 def get_secrets_from_kv(kv_name, secret_name):
 

infra/scripts/index_scripts/03_cu_process_data_text.py

@@ -13,9 +13,10 @@
 import base64
 import pyodbc
 import struct
+import sys
 
-key_vault_name = 'kv_to-be-replaced'
-managed_identity_client_id = 'mici_to-be-replaced'
+key_vault_name=sys.argv[1]
+managed_identity_client_id = sys.argv[2]
 
 file_system_client_name = "data"
 directory = 'call_transcripts'

infra/scripts/process_sample_data.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e  # Exit on first error
+set -o pipefail
+set -u  # Treat unset variables as error
+
+# === Configuration Parameters ===
+STORAGE_ACCOUNT_NAME="$1"
+CONTAINER_NAME="$2"
+# BASE_URL="$3"
+MANAGED_IDENTITY_CLIENT_ID="$3"
+KEY_VAULT_NAME="$4"
+SQL_SERVER_NAME="$5"
+SQL_DB_NAME="$6"
+RG_NAME="$7"
+
+# === Functions ===
+log() {
+    echo -e "\033[1;32m[INFO]\033[0m $1"
+}
+
+error() {
+    echo -e "\033[1;31m[ERROR]\033[0m $1" >&2
+    exit 1
+}
+
+trap 'error "An unexpected error occurred. Please check the logs."' ERR
+
+# basePath="C:/Users/$(whoami)/azscripts/azscriptinput"
+# echo "${basePath}"
+
+# === Step 1: Copy KB files ===
+echo "Running copy_kb_files.sh"
+bash infra/scripts/copy_kb_files.sh "$STORAGE_ACCOUNT_NAME" "$CONTAINER_NAME" "$MANAGED_IDENTITY_CLIENT_ID"
+if [ $? -ne 0 ]; then
+    echo "Error: copy_kb_files.sh failed."
+    exit 1
+fi
+echo "copy_kb_files.sh completed successfully."
+
+# === Step 2: Run create index scripts ===
+log "Creating indexes..."
+echo "Running run_create_index_scripts.sh"
+bash infra/scripts/run_create_index_scripts.sh "$KEY_VAULT_NAME" "$MANAGED_IDENTITY_CLIENT_ID" "$SQL_SERVER_NAME" "$RG_NAME"
+if [ $? -ne 0 ]; then
+    echo "Error: run_create_index_scripts.sh failed."
+    exit 1
+fi
+echo "run_create_index_scripts.sh completed successfully."
+
+
+# curl -s -o create-sql-user-and-role.ps1 "${BASE_URL}infra/scripts/add_user_scripts/create-sql-user-and-role.ps1"
+# chmod +x create-sql-user-and-role.ps1
+
+# Note: You'll need to pass user info (client ID, display name, role) via environment vars or args.
+# Here is a sample with hardcoded values for demo:
+
+# === Step 3: SQL User & Role Setup ===
+log "Setting up SQL users and roles..."
+
+pwsh -File ./infra/scripts/add_user_scripts/create-sql-user-and-role.ps1 \
+    -SqlServerName "$SQL_SERVER_NAME" \
+    -SqlDatabaseName "$SQL_DB_NAME" \
+    -ClientId "$MANAGED_IDENTITY_CLIENT_ID" \
+    -DisplayName "script-user" \
+    -ManagedIdentityClientId "$MANAGED_IDENTITY_CLIENT_ID" \
+    -DatabaseRole "db_datawriter" \
+
+log "Sample data processing completed successfully!"