Enhance sample data processing scripts to manage public access for Azure resources

Author: Harsh-Microsoft

.gitignore

@@ -125,6 +125,7 @@ celerybeat.pid
 # Environments
 .env
 .venv
+scriptenv
 env/
 venv/
 ENV/

infra/main.bicep

@@ -1265,12 +1265,12 @@ module searchService 'br/public:avm/res/search/search-service:0.11.1' = {
         aadAuthFailureMode: 'http401WithBearerChallenge'
       }
     }
-    cmkEnforcement: virtualNetworkEnabled ? 'Enabled' : null
     disableLocalAuth: false
     hostingMode: 'default'
     managedIdentities: {
       systemAssigned: true
     }
+    publicNetworkAccess: virtualNetworkEnabled ? 'Disabled' : 'Enabled'
     networkRuleSet: {
       bypass: 'AzureServices'
     }
@@ -1344,6 +1344,7 @@ output AZURE_STORAGE_BLOB_URL string = avmStorageAccount.outputs.serviceEndpoint
 output AZURE_STORAGE_ACCOUNT_NAME string = storageAccountName
 output AZURE_STORAGE_CONTAINER_NAME string = storageContainerName
 output AZURE_SEARCH_ENDPOINT string = searchService.outputs.endpoint
+output AZURE_SEARCH_NAME string = searchService.outputs.name
 
 @export()
 @description('The type for the Multi-Agent Custom Automation Engine Log Analytics Workspace resource configuration.')

infra/scripts/Process-Sample-Data.ps1

@@ -3,7 +3,8 @@
 param(
     [string]$StorageAccount,
     [string]$BlobContainer,
-    [string]$AiSearch
+    [string]$AiSearch,
+    [string]$ResourceGroup
 )
 
 # Get parameters from azd env, if not provided
@@ -16,14 +17,18 @@ if (-not $BlobContainer) {
 }
 
 if (-not $AiSearch) {
-    $AiSearch = $(azd env get-value AZURE_SEARCH_ENDPOINT)
+    $AiSearch = $(azd env get-value AZURE_SEARCH_NAME)
+}
+
+if (-not $ResourceGroup) {
+    $ResourceGroup = $(azd env get-value AZURE_RESOURCE_GROUP)
 }
 
 $AzSubscriptionId = $(azd env get-value AZURE_SUBSCRIPTION_ID)
 
 # Check if all required arguments are provided
 if (-not $StorageAccount -or -not $BlobContainer -or -not $AiSearch) {
-    Write-Host "Usage: .\infra\scripts\Process-Sample-Data.ps1 -StorageAccount <StorageAccount> -BlobContainer <StorageContainerName> -AiSearch <AISearchName/AISearchEndpoint>"
+    Write-Host "Usage: .\infra\scripts\Process-Sample-Data.ps1 -StorageAccount <StorageAccount> -BlobContainer <StorageContainerName> -AiSearch <AISearchName> [-ResourceGroup <ResourceGroup>]"
     exit 1
 }
 
@@ -105,6 +110,40 @@ else {
     az account set --subscription $currentSubscriptionId
 }
 
+$stIsPublicAccessDisabled = $false
+$srchIsPublicAccessDisabled = $false
+# Enable public access for resources
+if ($ResourceGroup) {
+    $stPublicAccess = $(az storage account show --name $StorageAccount --resource-group $ResourceGroup --query "publicNetworkAccess" -o tsv)
+    if ($stPublicAccess -eq "Disabled") {
+        $stIsPublicAccessDisabled = $true
+        Write-Host "Enabling public access for storage account: $StorageAccount"
+        az storage account update --name $StorageAccount --public-network-access enabled --default-action Allow --output none
+        if ($LASTEXITCODE -ne 0) {
+            Write-Host "Error: Failed to enable public access for storage account."
+            exit 1
+        }
+    }
+    else {
+        Write-Host "Public access is already enabled for storage account: $StorageAccount"
+    }
+
+    $srchPublicAccess = $(az search service show --name $AiSearch --resource-group $ResourceGroup --query "publicNetworkAccess" -o tsv)
+    if ($srchPublicAccess -eq "Disabled") {
+        $srchIsPublicAccessDisabled = $true
+        Write-Host "Enabling public access for search service: $AiSearch"
+        az search service update --name $AiSearch --resource-group $ResourceGroup --public-network-access enabled --output none
+        if ($LASTEXITCODE -ne 0) {
+            Write-Host "Error: Failed to enable public access for search service."
+            exit 1
+        }
+    }
+    else {
+        Write-Host "Public access is already enabled for search service: $AiSearch"
+    }
+}
+
+
 # Upload sample files to blob storage
 Write-Host "Uploading sample files to blob storage..."
 $result = az storage blob upload-batch --account-name $StorageAccount --destination $BlobContainer --source "data/datasets" --auth-mode login --pattern "*" --overwrite --output none
@@ -187,4 +226,23 @@ if ($process.ExitCode -ne 0) {
     exit 1
 }
 
+#disable public access for resources
+if ($stIsPublicAccessDisabled) {
+    Write-Host "Disabling public access for storage account: $StorageAccount"
+    az storage account update --name $StorageAccount --public-network-access disabled --default-action Deny --output none
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "Error: Failed to disable public access for storage account."
+        exit 1
+    }
+}
+
+if ($srchIsPublicAccessDisabled) {
+    Write-Host "Disabling public access for search service: $AiSearch"
+    az search service update --name $AiSearch --resource-group $ResourceGroup --public-network-access disabled --output none
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "Error: Failed to disable public access for search service."
+        exit 1
+    }
+}
+
 Write-Host "Script executed successfully. Sample Data Processed Successfully."

infra/scripts/process_sample_data.sh

@@ -4,6 +4,7 @@
 storageAccount="$1"
 blobContainer="$2"
 aiSearch="$3"
+resourceGroup="$4"
 
 # get parameters from azd env, if not provided
 if [ -z "$storageAccount" ]; then
@@ -15,14 +16,18 @@ if [ -z "$blobContainer" ]; then
 fi
 
 if [ -z "$aiSearch" ]; then
-    aiSearch=$(azd env get-value AZURE_SEARCH_ENDPOINT)
+    aiSearch=$(azd env get-value AZURE_SEARCH_NAME)
+fi
+
+if [ -z "$resourceGroup" ]; then
+    resourceGroup=$(azd env get-value AZURE_RESOURCE_GROUP)
 fi
 
 azSubscriptionId=$(azd env get-value AZURE_SUBSCRIPTION_ID)
 
 # Check if all required arguments are provided
 if [ -z "$storageAccount" ] || [ -z "$blobContainer" ] || [ -z "$aiSearch" ]; then
-    echo "Usage: $0 <StorageAccount> <StorageContainerName> <AISearchName/AISearchEndpoint>"
+    echo "Usage: $0 <StorageAccount> <StorageContainerName> <AISearchName> [ResourceGroup]"
     exit 1
 fi
 
@@ -77,6 +82,41 @@ else
     az account set --subscription "$currentSubscriptionId"
 fi
 
+stIsPublicAccessDisabled=false
+srchIsPublicAccessDisabled=false
+#Enable Public Access for resources
+if [ -n "$resourceGroup" ]; then
+    stPublicAccess=$(az storage account show --name "$storageAccount" --resource-group "$resourceGroup" --query "publicNetworkAccess" -o tsv)
+    srchPublicAccess=$(az search service show --name "$aiSearch" --resource-group "$resourceGroup" --query "publicNetworkAccess" -o tsv)
+    if [ "$stPublicAccess" == "Disabled" ]; then
+        stIsPublicAccessDisabled=true
+        echo "Enabling public access for storage account: $storageAccount"
+        az storage account update --name "$storageAccount" --public-network-access enabled --default-action Allow --output none
+        if [ $? -ne 0 ]; then
+            echo "Error: Failed to enable public access for storage account."
+            exit 1
+        fi
+        echo "Public access enabled for storage account: $storageAccount"
+    else
+        echo "Public access is already enabled for storage account: $storageAccount"
+    fi
+
+    if [ "$srchPublicAccess" == "Disabled" ]; then
+        srchIsPublicAccessDisabled=true
+        echo "Enabling public access for search service: $aiSearch"
+        az search service update --name "$aiSearch" --resource-group "$resourceGroup" --public-network-access enabled --output none
+        if [ $? -ne 0 ]; then
+            echo "Error: Failed to enable public access for search service."
+            exit 1
+        fi
+        echo "Public access enabled for search service: $aiSearch"
+    else
+        echo "Public access is already enabled for search service: $aiSearch"
+    fi
+
+fi
+
+
 #Upload sample files to blob storage
 echo "Uploading sample files to blob storage..."
 az storage blob upload-batch --account-name "$storageAccount" --destination "$blobContainer" --source "data/datasets" --auth-mode login --pattern '*' --overwrite --output none
@@ -127,4 +167,25 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
+#disable public access for resources
+if [ "$stIsPublicAccessDisabled" = true ]; then
+    echo "Disabling public access for storage account: $storageAccount"
+    az storage account update --name "$storageAccount" --public-network-access disabled --default-action Deny --output none
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to disable public access for storage account."
+        exit 1
+    fi
+    echo "Public access disabled for storage account: $storageAccount"
+fi
+
+if [ "$srchIsPublicAccessDisabled" = true ]; then
+    echo "Disabling public access for search service: $aiSearch"
+    az search service update --name "$aiSearch" --resource-group "$resourceGroup" --public-network-access disabled --output none
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to disable public access for search service."
+        exit 1
+    fi
+    echo "Public access disabled for search service: $aiSearch"
+fi
+
 echo "Script executed successfully. Sample Data Processed Successfully."