Merge pull request #1 from microsoft/main

chore: merge  changes from upstream

Author: NirajC-Microsoft

.github/CODEOWNERS

@@ -2,4 +2,4 @@
 # Each line is a file pattern followed by one or more owners.
 
 # These owners will be the default owners for everything in the repo.
-* @Avijit-Microsoft @Roopan-Microsoft @Prajwal-Microsoft @Vinay-Microsoft @aniaroramsft
+* @Avijit-Microsoft @Roopan-Microsoft @Prajwal-Microsoft @Vinay-Microsoft @aniaroramsft @toherman-msft @nchandhi

.github/workflows/azd-template-validation.yml

@@ -1,44 +1,74 @@
-name: AZD Deployment
-on:
+name: AZD Template Validation
+on: 
   workflow_dispatch:
   push:
     branches:
       - main
 
 permissions:
-  id-token: write
   contents: read
+  id-token: write
+  pull-requests: write
 
 jobs:
-  build:
+  template_validation:
     runs-on: ubuntu-latest
-    env:
-      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-      AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
-      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
-      AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-      AZURE_USER_OBJECT_ID: ''
+    name: azd template validation
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install azd
-        uses: Azure/setup-azd@v2
-      - name: Azure Developer CLI Login
-        run: |
-          azd auth login `
-            --client-id "$Env:AZURE_CLIENT_ID" `
-            --federated-credential-provider "github" `
-            --tenant-id "$Env:AZURE_TENANT_ID" 
-        shell: pwsh
-      - name: Azure CLI Login
+      - uses: actions/checkout@v4
+
+      - name: Azure Login
         uses: azure/login@v2
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-      - name: Provision Infrastructure
-        run: azd provision --no-prompt
+
+      - name: Create Resource Group for Validation
+        run: |
+          ENV_NAME="${{ vars.AZURE_ENV_NAME }}"
+          RG_NAME="rg-${ENV_NAME}"
+          echo "Creating resource group for template validation: ${RG_NAME}"
+          az group create \
+            --name "${RG_NAME}" \
+            --location "${{ vars.AZURE_LOCATION }}" \
+            --tags "CreatedBy=GitHubActions"
+          echo "Resource group ${RG_NAME} created successfully"
+
+      - uses: microsoft/template-validation-action@Latest
+        with:
+          validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
+          useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
+          validateTests: ${{ vars.AZD_VALIDATE_TESTS }}
+        id: validation
         env:
-           AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+          AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+          AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+          AZURE_RESOURCE_GROUP: rg-${{ vars.AZURE_ENV_NAME  }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Set correct principal type for GitHub Actions ServicePrincipal
+          AZURE_DEPLOYER_PRINCIPAL_TYPE: ServicePrincipal
+          # Infrastructure parameter defaults for pipeline
+          AZURE_ACR_ENABLED: 'false'
+          AZURE_API_MANAGEMENT_ENABLED: 'false'
+          AZURE_AI_CONTENT_SAFETY_ENABLED: 'false'
+          AZURE_AI_DOC_INTELLIGENCE_ENABLED: 'false'
+          AZURE_AI_LANGUAGE_ENABLED: 'false'
+          AZURE_AI_SEARCH_ENABLED: 'true'
+          AZURE_AI_SPEECH_ENABLED: 'false'
+          AZURE_AI_TRANSLATOR_ENABLED: 'false'
+          
+          AZURE_AI_VISION_ENABLED: 'false'
+          AZURE_APP_SAMPLE_ENABLED: 'false'
+          AZURE_COSMOS_DB_ENABLED: 'true'
+          AZURE_NETWORK_ISOLATION: 'false'
+          AZURE_SQL_SERVER_ENABLED: 'false'
+          AZURE_AI_DEPLOYMENTS_LOCATION: ${{ vars.AZURE_LOCATION }}
+          AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
+
+
+      - name: print result
+        run: cat ${{ steps.validation.outputs.resultFile }}

.github/workflows/azure-dev.yml

@@ -2,6 +2,8 @@
 
 # Deploy your AI Application in Production
 
+**Note:** With any AI solutions you create using these templates, you are responsible for assessing all associated risks and for complying with all applicable laws and safety standards. Learn more in the transparency documents for [Agent Service](https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/agents/transparency-note) and [Agent Framework](https://github.com/microsoft/agent-framework/blob/main/TRANSPARENCY_FAQ.md).
+
 ## Overview
 
 <span style="font-size: 3em;">🚀</span> **New: Updated deployment to match Foundry release at Build 2025!**
@@ -85,7 +87,7 @@ QUICK DEPLOY
 
 | [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/microsoft/Deploy-Your-AI-Application-In-Production) | [![Open in Dev Containers](https://img.shields.io/static/v1?style=for-the-badge&label=Dev%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/microsoft/Deploy-Your-AI-Application-In-Production) |
 |---|---|
-[Steps to deploy with GitHub Codespaces](docs/github_code_spaces_steps.md)
+[Steps to deploy with GitHub Codespaces](docs/github_code_spaces_steps.md)| [Steps to deploy with Dev Container](docs/Dev_ContainerSteps.md)
 
 
 ## Connect to and validate access to the new environment 

README.md

@@ -0,0 +1,154 @@
+### VS Code Dev Containers
+
+You can run this solution in VS Code Dev Containers, which will open the project in your local VS Code using the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers):
+
+1. Open the project:
+
+    [![Open in Dev Containers](https://img.shields.io/static/v1?style=for-the-badge&label=Dev%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/microsoft/Deploy-Your-AI-Application-In-Production)
+
+3. In the VS Code window that opens, once the project files show up (this may take several minutes), open a terminal window.
+4. Continue with the [deploying steps](#steps-to-provision-network-isolated-environment-using-dev-container).
+
+# Steps to Provision Network Isolated environment using Dev Container
+
+1. Log into your Azure subscription:
+
+   ```shell
+    azd auth login
+    ```
+
+   ![Image showing the entering of the command 'azd auth' in the terminal of VS Code](../img/provisioning/azdauthcommandline.png)
+
+   ![image showing the authorization window opening in the browser](../img/provisioning/azdauthpopup.png)
+
+   ![Image showing the password prompt for azure](../img/provisioning/enterpassword.png)
+
+2. Login to azure, run the below command: 
+    ```shell
+    az login
+     ```
+    The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest) is used to validate available AI model quota.
+
+   ![image showing theaz login in the vs code terminal](../img/provisioning/az_login.png)  
+3. Return to terminal and type the below command for initializing the environment.
+    ```shell
+    azd init
+    ```
+   ![image showing the initial screen in the vs code terminal](../img/provisioning/azd_init_terminal.png)
+
+4. Enter the environment name.
+   > **Note:** Length of the environment name should be less than or equal to 12 characters.
+
+   ![aImage showing entering a new environment name](../img/provisioning/enter_evn_name.png)
+
+5. Now start the deployment of the infrastructure by typing the below command:
+    ```shell
+    azd up
+    ```
+    > ⚠️ **Note:** The latest version of the Azure Developer CLI (AZD) is currently limited on prompting for missing parameters. The feature flag parameters in this solution have been temporarily defaulted to `'disabled'` until this limitation is lifted and prompting will resume.
+   
+
+   ![image showing the terminal in vs code](images/re_use_log/nonwaf.png)
+   Log in to **Azure** for authentication.   ![alt text](images/re_use_log/login.png) 
+    This step will allow you to choose from the subscriptions you have available, based on the account you logged in with in the login step. Next it will prompt you for the region to deploy the resources into as well as any additional Azure resources to be provisioned and configured.
+
+    **Important:** Be sure to remember the vm password. This will be used in a later step. You are still required to log into Azure once you connect through the virtual machine.
+    > ⚠️ **Note:**  
+    > 1. For **WAF Deployment**, Select the **Network Isolation** as **'True'**.  
+    > ![alt text](images/re_use_log/waf.png)  
+    > 2. For **Sample App Deployment**, Select the **appSampleEnabled** as **'True'**.  
+    > ![alt text](images/re_use_log/samapp.png)
+
+
+6. The automated model quota check will run, and will check if the location selected will have the necessary quota for the AI Models that are listed in the parameters file prior to deploying any resources. 
+    ![image showing model quota pre-provision code executing](../img/provisioning/preprovision_output.png)
+
+
+    If the location selected has sufficient quota for the models you plan to deploy, the provisioning will begin without notification.
+
+    ![image showing model quota pre-provision pass](../img/provisioning/preprovision_success.png)
+
+    If the location selected does not have the available quota for the models selected in your parameters, there will be a message back to the user, prior to any provisioning of resources. This will allow the developer to change the location of the provisiong and try again. Note that in our example, Italy North had capacity for gpt-4o but not for text-embedding-ada-002. This terminated the entire provisioning, because both models could not be deployed due to a quota issue.
+
+    ![image showing model quota pre-provision fail](../img/provisioning/preprovision_fail.png)
+
+7. After completeing the required paramters that you were prompted for, and a successful model quota validation, the provisioning of resources will run and deploy the Network Isolated AI Foundry development portal and dependent resources in about 20 minutes.
+
+
+# Post Deployment Steps:
+These steps will help to check that the isolated environment was set up correctly.
+Follow these steps to check the creation of the required private endpoints in the environment (when set to networkIsolation = true).
+
+One way to verify whether access is private to the foundry is by launching Azure AI Foundry from the portal.
+
+![Image showing if network isolation is checked](images/re_use_log/AI_Foundry_Portal.png)
+
+When a user that is not connected through the virtual network via an RDP approved connection will see the following screen in their browser. This is the intended behavior! 
+
+![Image showing the virtual machine in the browser](images/re_use_log/AI_Foundry_view.png)
+
+A more thourough check is to look for the networking settings and checking for private end points.
+
+1. Go to the Azure Portal and select your Azure AI hub that was just created.
+
+2.	Click on Resource Management and then Networking.
+
+    ![Image showing the Azure Portal for AI Foundry Hub and the settings blade](images/re_use_log/Private_network_endpoints.png)
+
+
+    Here, you will find the private endpoints that are connected to the resources within the foundry managed virtual network. Ensure that these private endpoints are active.
+    The foundry should show that Public access is ‘disabled’.
+
+## Connecting to the isolated network via RDP
+1.	Navigate to the resource group where the isolated AI Foundry was deployed to and select the virtual machine.
+
+    ![Image showing the Azure Portal for the virtual machine](../img/provisioning/checkNetworkIsolation5.png)
+
+2.	Be sure that the Virtual Machine is running. If not, start the VM.
+
+    ![Image showing the Azure Portal VM and the start/stop button](../img/provisioning/checkNetworkIsolation6.png)
+
+3.	Select “Bastion” under the ‘Connect’ heading in the VM resource.
+
+    ![Image showing the bastion blade selected](../img/provisioning/checkNetworkIsolation7.png)
+
+4.	Supply the username and the password you created as environment variables and press the connect button.
+
+    ![Image showing the screen to enter the VM Admin info and the connect to bastion button](../img/provisioning/Bastion.png)
+
+5.	Your virtual machine will launch and you will see a different screen.
+
+    ![Image showing the opening of the Virtual machine in another browser tab](../img/provisioning/checkNetworkIsolation9.png)
+
+6.	Launch Edge browser and navigate to your Azure AI Foundry. https://ai.azure.com Sign in using your credentials.
+
+
+7.	You are challenged by MFA to connect.
+
+    ![Image showing the Multi Factor Authentication popup](../img/provisioning/checkNetworkIsolation10.png)
+
+8.	You will now be able to view the Azure AI Foundry which is contained in an isolated network.
+
+    ![Image showing the Azure Foundry AI Hub with a private bubble icon](images/re_use_log/Azure_ai_foundry_inside_vm.png)
+
+## Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
+## Trademarks
+
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 
+trademarks or logos is subject to and must follow 
+[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
+Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
+Any use of third-party trademarks or logos are subject to those third-party's policies.