Merge pull request #472 from microsoft/psl-rc-postdscript

fix: Updated post deployment script for ai user role assignment

Author: Roopan-Microsoft

docs/DeploymentGuide.md

@@ -167,7 +167,7 @@ Once you've opened the project in [Codespaces](#github-codespaces), [Dev Contain
     ```
     If you don't have azd env then you need to pass parameters along with the command. Then the command will look like the following:
     ```shell 
-    bash ./infra/scripts/process_sample_data.sh <Storage-Account-name> <Storage-Account-container-name> <Key-Vault-name> <CosmosDB-Account-name> <Resource-Group-name>
+    bash ./infra/scripts/process_sample_data.sh <Storage-Account-name> <Storage-Account-container-name> <Key-Vault-name> <CosmosDB-Account-name> <Resource-Group-name> <aiFoundryResourceName>
     ```
 
 6. Open the [Azure Portal](https://portal.azure.com/), go to the deployed resource group, find the App Service and get the app URL from `Default domain`.

infra/main.bicep

@@ -178,3 +178,4 @@ output STORAGE_CONTAINER_NAME string = storageAccount.outputs.storageContainer
 output KEY_VAULT_NAME string = kvault.outputs.keyvaultName
 output COSMOSDB_ACCOUNT_NAME string = cosmosDBModule.outputs.cosmosAccountName
 output RESOURCE_GROUP_NAME string = resourceGroup().name
+output AI_FOUNDRY_NAME string = aifoundry.outputs.aiFoundryName

infra/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.1.42791",
-      "templateHash": "16830004841131342789"
+      "templateHash": "5837450370511727433"
     }
   },
   "parameters": {
@@ -2291,6 +2291,10 @@
     "RESOURCE_GROUP_NAME": {
       "type": "string",
       "value": "[resourceGroup().name]"
+    },
+    "AI_FOUNDRY_NAME": {
+      "type": "string",
+      "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', 'deploy_ai_foundry'), '2022-09-01').outputs.aiFoundryName.value]"
     }
   }
 }

infra/scripts/process_sample_data.sh

@@ -6,7 +6,8 @@ fileSystem="$2"
 keyvaultName="$3"
 cosmosDbAccountName="$4"
 resourceGroupName="$5"
-managedIdentityClientId="$6"
+aiFoundryName="$6"
+managedIdentityClientId="$7"
 
 # get parameters from azd env, if not provided
 if [ -z "$resourceGroupName" ]; then
@@ -29,10 +30,13 @@ if [ -z "$keyvaultName" ]; then
     keyvaultName=$(azd env get-value KEY_VAULT_NAME)
 fi
 
+if [ -z "$aiFoundryName" ]; then
+    aiFoundryName=$(azd env get-value AI_FOUNDRY_NAME)
+fi
 
 # Check if all required arguments are provided
-if [ -z "$storageAccount" ] || [ -z "$fileSystem" ] || [ -z "$keyvaultName" ] || [ -z "$cosmosDbAccountName" ] || [ -z "$resourceGroupName" ]; then
-    echo "Usage: $0 <storageAccount> <storageContainerName> <keyvaultName> <cosmosDbAccountName> <resourceGroupName>"
+if [ -z "$storageAccount" ] || [ -z "$fileSystem" ] || [ -z "$keyvaultName" ] || [ -z "$cosmosDbAccountName" ] || [ -z "$resourceGroupName" ] || [ -z "$aiFoundryName" ]; then
+    echo "Usage: $0 <storageAccount> <storageContainerName> <keyvaultName> <cosmosDbAccountName> <resourceGroupName> <aiFoundryName>"
     exit 1
 fi
 
@@ -56,7 +60,7 @@ echo "copy_kb_files.sh completed successfully."
 
 # Call run_create_index_scripts.sh
 echo "Running run_create_index_scripts.sh"
-bash infra/scripts/run_create_index_scripts.sh "$keyvaultName" "$managedIdentityClientId"
+bash infra/scripts/run_create_index_scripts.sh "$keyvaultName" "$resourceGroupName" "$aiFoundryName" "$managedIdentityClientId"
 if [ $? -ne 0 ]; then
     echo "Error: run_create_index_scripts.sh failed."
     exit 1

infra/scripts/run_create_index_scripts.sh

@@ -3,7 +3,9 @@
 # Variables
 # baseUrl="$1"
 keyvaultName="$1"
-managedIdentityClientId="$2"
+resourceGroupName="$2"
+aiFoundryName="$3"
+managedIdentityClientId="$4"
 # requirementFile="infra/scripts/index_scripts/requirements.txt"
 # requirementFileUrl=${baseUrl}"infra/scripts/index_scripts/requirements.txt"
 
@@ -60,6 +62,27 @@ else
     echo "User already has the Key Vault Administrator role."
 fi
 
+### Assign Azure AI User role to the signed in user ###
+
+    echo "Getting Azure AI resource id"
+    aif_resource_id=$(az cognitiveservices account show --name $aiFoundryName --resource-group $resourceGroupName --query id --output tsv)
+
+    # Check if the user has the Azure AI User role
+    echo "Checking if user has the Azure AI User role"
+    role_assignment=$(MSYS_NO_PATHCONV=1 az role assignment list --role 53ca6127-db72-4b80-b1b0-d745d6d5456d --scope $aif_resource_id --assignee $signed_user_id --query "[].roleDefinitionId" -o tsv)
+    if [ -z "$role_assignment" ]; then
+        echo "User does not have the Azure AI User role. Assigning the role."
+        MSYS_NO_PATHCONV=1 az role assignment create --assignee $signed_user_id --role 53ca6127-db72-4b80-b1b0-d745d6d5456d --scope $aif_resource_id --output none
+        if [ $? -eq 0 ]; then
+            echo "Azure AI User role assigned successfully."
+        else
+            echo "Failed to assign Azure AI User role."
+            exit 1
+        fi
+    else
+        echo "User already has the Azure AI User role."
+    fi
+
 # RUN apt-get update
 # RUN apt-get install python3 python3-dev g++ unixodbc-dev unixodbc libpq-dev
 # apk add python3 python3-dev g++ unixodbc-dev unixodbc libpq-dev