Merge pull request #417 from microsoft/psl-hb-us-22543

feat: update bicep to provision new storage and search resources, script for uploading and indexing sample data

Author: Fr4nc3

.gitignore

@@ -125,6 +125,7 @@ celerybeat.pid
 # Environments
 .env
 .venv
+scriptenv
 env/
 venv/
 ENV/

infra/main.bicep

@@ -1076,6 +1076,22 @@ module containerApp 'br/public:avm/res/app/container-app:0.14.2' = if (container
             name: 'APP_ENV'
             value: 'Prod'
           }
+          {
+            name: 'AZURE_STORAGE_BLOB_URL'
+            value: avmStorageAccount.outputs.serviceEndpoints.blob
+          }
+          {
+            name: 'AZURE_STORAGE_CONTAINER_NAME'
+            value: storageContainerName
+          }
+          {
+            name: 'AZURE_SEARCH_ENDPOINT'
+            value: searchService.outputs.endpoint
+          }
+          {
+            name: 'AZURE_SEARCH_CONNECTION_NAME'
+            value: aiSearchConnectionName
+          }
         ]
       }
     ]
@@ -1134,6 +1150,187 @@ module webSite 'br/public:avm/res/web/site:0.15.1' = if (webSiteEnabled) {
   }
 }
 
+
+// ========== Storage Account ========== //
+
+module privateDnsZonesStorageAccount 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (virtualNetworkEnabled) {
+  name: take('avm.res.network.private-dns-zone.storage-account.${solutionPrefix}', 64)
+  params: {
+    name: 'privatelink.blob.core.windows.net'
+    enableTelemetry: enableTelemetry
+    virtualNetworkLinks: [
+      {
+        name: 'vnetlink-storage-account'
+        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+var storageAccountName = replace('st${solutionPrefix}', '-', '')
+param storageContainerName string = 'sample-dataset'
+module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
+  name: take('avm.res.storage.storage-account.${storageAccountName}', 64)
+  params: {
+    name: storageAccountName
+    location: solutionLocation
+    managedIdentities: { systemAssigned: true }
+    minimumTlsVersion: 'TLS1_2'
+    enableTelemetry: enableTelemetry
+    tags: tags
+    accessTier: 'Hot'
+    supportsHttpsTrafficOnly: true
+
+    roleAssignments: [
+      {
+        principalId: userAssignedIdentity.outputs.principalId
+        roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+        principalType: 'ServicePrincipal'
+      }
+      {
+        principalId: deployingUserPrincipalId
+        roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+        principalType: 'User'
+      }
+    ]
+
+    // WAF aligned networking
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: virtualNetworkEnabled ? 'Deny' : 'Allow'
+    }
+    allowBlobPublicAccess: false
+    publicNetworkAccess: virtualNetworkEnabled ? 'Disabled' : 'Enabled'
+
+    // Private endpoints for blob
+    privateEndpoints: virtualNetworkEnabled
+      ? [
+          {
+            name: 'pep-blob-${solutionPrefix}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [
+                {
+                  name: 'storage-dns-zone-group-blob'
+                  privateDnsZoneResourceId: privateDnsZonesStorageAccount.outputs.resourceId
+                }
+              ]
+            }
+            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0]
+            service: 'blob'
+          }
+        ]
+      : []
+    blobServices: {
+      automaticSnapshotPolicyEnabled: true
+      containerDeleteRetentionPolicyDays: 10
+      containerDeleteRetentionPolicyEnabled: true
+      containers: [
+        {
+          name: storageContainerName
+          publicAccess: 'None'
+        }
+      ]
+      deleteRetentionPolicyDays: 9
+      deleteRetentionPolicyEnabled: true
+      lastAccessTimeTrackingPolicyEnabled: true
+    }
+  }
+}
+
+// ========== Search Service ========== //
+
+module privateDnsZonesSearchService 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (virtualNetworkEnabled) {
+  name: take('avm.res.network.private-dns-zone.search-service.${solutionPrefix}', 64)
+  params: {
+    name: 'privatelink.search.windows.net'
+    enableTelemetry: enableTelemetry
+    virtualNetworkLinks: [
+      {
+        name: 'vnetlink-search-service'
+        virtualNetworkResourceId: virtualNetwork.outputs.resourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+var searchServiceName = 'srch-${solutionPrefix}'
+module searchService 'br/public:avm/res/search/search-service:0.11.1' = {
+  name: take('avm.res.search.search-service.${solutionPrefix}', 64)
+  params: {
+    name: searchServiceName
+    authOptions: {
+      aadOrApiKey: {
+        aadAuthFailureMode: 'http401WithBearerChallenge'
+      }
+    }
+    disableLocalAuth: false
+    hostingMode: 'default'
+    managedIdentities: {
+      systemAssigned: true
+    }
+    publicNetworkAccess: virtualNetworkEnabled ? 'Disabled' : 'Enabled'
+    networkRuleSet: {
+      bypass: 'AzureServices'
+    }
+    partitionCount: 1
+    replicaCount: 1
+    sku: 'standard'
+    tags: tags
+    roleAssignments: [
+      {
+        principalId: userAssignedIdentity.outputs.principalId
+        roleDefinitionIdOrName: 'Search Index Data Contributor'
+        principalType: 'ServicePrincipal'
+      }
+      {
+        principalId: deployingUserPrincipalId
+        roleDefinitionIdOrName: 'Search Index Data Contributor'
+        principalType: 'User'
+      }
+    ]
+    privateEndpoints: virtualNetworkEnabled
+      ? [
+          {
+            name: 'pep-search-${solutionPrefix}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [
+                {
+                  privateDnsZoneResourceId: privateDnsZonesSearchService.outputs.resourceId
+                }
+              ]
+            }
+            subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0]
+            service: 'searchService'
+          }
+        ]
+      : []
+  }
+}
+
+// ========== Search Service - AI Project Connection ========== //
+
+var aiSearchConnectionName = 'aifp-srch-connection-${solutionPrefix}'
+var aifSubscriptionId = useExistingFoundryProject ? split(existingFoundryProjectResourceId, '/')[2] : subscription().subscriptionId
+var aifResourceGroup = useExistingFoundryProject ? split(existingFoundryProjectResourceId, '/')[4] : resourceGroup().name
+module aiSearchFoundryConnection 'modules/aifp_search_connection.bicep' = if (aiFoundryAIservicesEnabled) {
+  name: take('aifp-srch-connection.${solutionPrefix}', 64)
+  scope: resourceGroup(aifSubscriptionId, aifResourceGroup)
+  params: {
+    aiFoundryProjectName: aiFoundryAiProjectName
+    aiFoundryName: aiFoundryAiServicesResourceName
+    aifSearchConnectionName: aiSearchConnectionName
+    searchServiceResourceId: searchService.outputs.resourceId
+    searchServiceLocation: searchService.outputs.location
+    searchServiceName: searchService.outputs.name
+  }
+  dependsOn: [
+    aiFoundryAiServices
+  ]
+}
+
+
 // ============ //
 // Outputs      //
 // ============ //
@@ -1143,6 +1340,12 @@ module webSite 'br/public:avm/res/web/site:0.15.1' = if (webSiteEnabled) {
 @description('The default url of the website to connect to the Multi-Agent Custom Automation Engine solution.')
 output webSiteDefaultHostname string = webSite.outputs.defaultHostname
 
+output AZURE_STORAGE_BLOB_URL string = avmStorageAccount.outputs.serviceEndpoints.blob
+output AZURE_STORAGE_ACCOUNT_NAME string = storageAccountName
+output AZURE_STORAGE_CONTAINER_NAME string = storageContainerName
+output AZURE_SEARCH_ENDPOINT string = searchService.outputs.endpoint
+output AZURE_SEARCH_NAME string = searchService.outputs.name
+
 @export()
 @description('The type for the Multi-Agent Custom Automation Engine Log Analytics Workspace resource configuration.')
 type logAnalyticsWorkspaceConfigurationType = {

infra/modules/aifp_search_connection.bicep

@@ -0,0 +1,21 @@
+param aifSearchConnectionName string
+param searchServiceName string
+param searchServiceResourceId string
+param searchServiceLocation string
+param aiFoundryName string
+param aiFoundryProjectName string
+
+resource aiSearchFoundryConnection 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = {
+  name: '${aiFoundryName}/${aiFoundryProjectName}/${aifSearchConnectionName}'
+  properties: {
+    category: 'CognitiveSearch'
+    target: 'https://${searchServiceName}.search.windows.net'
+    authType: 'AAD'
+    isSharedToAll: true
+    metadata: {
+      ApiType: 'Azure'
+      ResourceId: searchServiceResourceId
+      location: searchServiceLocation
+    }
+  }
+}