ci: improve Azure infrastructure template pipeline workflow (#89)

* feat: Set default values for AI embedding and chat model deployments in main.bicep

* fix: Update Cosmos DB module version and correct local authentication parameter

* fix: Correct Cosmos DB module version and update local authentication parameter

* fix for azd pipeline issue

* fix for azd pipeline issue

* fix for deployment pipeline issue

* psrule fix

* psrule fix issue for sql

* psrule fix

* fix: add secure attribute to administratorLoginCredential and update privateDnsZone reference

* fix: suppress PSRule warning for location output in SQL Server deployment

* fix: remove PSRule suppression comments for location output in SQL Server deployment

* fix: update PSRule suppression comments for SQL Server module output exposure

* fix: add PSRule configuration for SQL Server module output suppression

* fix: add PSRule configuration to suppress false positive AZR-000279 for SQL Server deployments

* fix: add PSRule configurations to suppress false positives for SQL Server deployments

* fix: add PSRule suppression for AVM SQL Server module output to ignore non-sensitive data

* fix: update virtual machine configuration to use 'adminPassword' variable for admin password

* fix: update virtual machine configuration to use 'vmAdminPasswordOrKey' for admin password

* fix: validate VM admin password length in main.bicep and simplify virtual machine module

* fix: update SQL Server module to use hardcoded administrator login password for testing purposes

* fix: update SQL Server module to use parameterized administrator login password

* fix: set default values for deployment parameters in main.bicep and main.parameters.json

* fix: add parameters for network isolation and private DNS zone configuration in cognitive services module

* fix: remove PSRule configuration files to eliminate false positives with SQL Server module

* fix: add deployerPrincipalType parameter to support different deployment principals in Bicep files

* fix: add Azure login and resource group creation steps for template validation workflow

* fix: remove resource group cleanup step and set deployer principal type for Azure login

* fix: remove default values for various parameters to enforce explicit configuration

* fix: set default value for sqlServerEnabled parameter to false

* fix: add default values for infrastructure parameters in Azure workflows

* fix: update infrastructure parameters for Azure workflows to enable AI search and Cosmos DB

* fix: update AI feature flags and network isolation parameter for Azure deployment

* fix: enable AI search and Cosmos DB features in deployment configuration

* fix: update sqlServer module to use administratorLoginPassword instead of administratorLoginCredential

* Refactor cognitive services Bicep module to separate private endpoint creation

- Changed variable name from `privateDnsZones` to `privateDnsZoneConfigs` for clarity.
- Removed private endpoints from the initial deployment to avoid timing issues.
- Created a separate module for the private endpoint with explicit dependency on the cognitive service.
- Updated private link service connection properties to align with new structure.

* refactor: remove unused parameters for AI deployments and network isolation

* refactor: add aiDeploymentsLocation and networkIsolation parameters

* refactor: remove unused infrastructure parameters from azure-dev.yml

* refactor: update deployerPrincipalType parameter to determine type based on deployment context

---------

Co-authored-by: Harmanpreet Kaur <v-harmanpkau@microsoft.com>
Co-authored-by: Abdul-Microsoft <v-amujeebta@microsoft.com>

Author: 3 people

.github/workflows/azd-template-validation.yml

@@ -17,6 +17,24 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Create Resource Group for Validation
+        run: |
+          ENV_NAME="${{ vars.AZURE_ENV_NAME }}"
+          RG_NAME="rg-${ENV_NAME}"
+          echo "Creating resource group for template validation: ${RG_NAME}"
+          az group create \
+            --name "${RG_NAME}" \
+            --location "${{ vars.AZURE_LOCATION }}" \
+            --tags "CreatedBy=GitHubActions"
+          echo "Resource group ${RG_NAME} created successfully"
+
       - uses: microsoft/template-validation-action@Latest
         with:
           validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
@@ -28,7 +46,26 @@ jobs:
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
           AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
           AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+          AZURE_RESOURCE_GROUP: rg-${{ vars.AZURE_ENV_NAME  }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Set correct principal type for GitHub Actions ServicePrincipal
+          AZURE_DEPLOYER_PRINCIPAL_TYPE: ServicePrincipal
+          # Infrastructure parameter defaults for pipeline
+          AZURE_ACR_ENABLED: 'false'
+          AZURE_API_MANAGEMENT_ENABLED: 'false'
+          AZURE_AI_CONTENT_SAFETY_ENABLED: 'false'
+          AZURE_AI_DOC_INTELLIGENCE_ENABLED: 'false'
+          AZURE_AI_LANGUAGE_ENABLED: 'false'
+          AZURE_AI_SEARCH_ENABLED: 'true'
+          AZURE_AI_SPEECH_ENABLED: 'false'
+          AZURE_AI_TRANSLATOR_ENABLED: 'false'
+          
+          AZURE_AI_VISION_ENABLED: 'false'
+          AZURE_APP_SAMPLE_ENABLED: 'false'
+          AZURE_COSMOS_DB_ENABLED: 'true'
+          AZURE_NETWORK_ISOLATION: 'false'
+          AZURE_SQL_SERVER_ENABLED: 'false'
+          AZURE_AI_DEPLOYMENTS_LOCATION: ${{ vars.AZURE_LOCATION }}
 
       - name: print result
-        run: cat ${{ steps.validation.outputs.resultFile }}
+        run: cat ${{ steps.validation.outputs.resultFile }}

infra/main.bicep

@@ -1,5 +1,6 @@
 targetScope = 'resourceGroup'
 
+
 @minLength(3)
 @maxLength(12)
 @description('The name of the environment/application. Use alphanumeric characters only.')
@@ -10,10 +11,20 @@ param name string
 param location string
 
 @description('Specifies the AI embedding model to use for the AI Foundry deployment. This is the model used for text embeddings in AI Foundry. NOTE: Any adjustments to this parameter\'s values must also be made on the aiDeploymentsLocation metadata in the main.bicep file.') 
-param aiEmbeddingModelDeployment modelDeploymentType
+param aiEmbeddingModelDeployment modelDeploymentType = {
+  name: 'text-embedding-3-small'
+  modelName: 'text-embedding-3-small'
+  version: '1'
+  capacity: 100
+}
 
 @description('Specifies the AI chat model to use for the AI Foundry deployment. This is the model used for chat interactions in AI Foundry. NOTE: Any adjustments to this parameter\'s values must also be made on the aiDeploymentsLocation metadata in the main.bicep file.')
-param aiGPTModelDeployment modelDeploymentType
+param aiGPTModelDeployment modelDeploymentType = {
+  name: 'gpt-4o'
+  modelName: 'gpt-4o'
+  version: '2024-05-13'
+  capacity: 150
+}
 
 @metadata({
   azd: {
@@ -28,7 +39,7 @@ param aiGPTModelDeployment modelDeploymentType
 param aiDeploymentsLocation string
 
 @description('Specifies whether creating an Azure Container Registry.')
-param acrEnabled bool
+param acrEnabled bool 
 
 @description('Specifies the size of the jump-box Virtual Machine.')
 param vmSize string = 'Standard_DS4_v2'
@@ -50,26 +61,28 @@ param tags object = {}
 @description('Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources. This defaults to the deploying user.')
 param userObjectId string = deployer().objectId
 
+@description('The type of principal that is deploying the resources. Use "User" for interactive deployment and "ServicePrincipal" for automated deployment.')
+param deployerPrincipalType string = contains(deployer(), 'userPrincipalName') ? 'User' : 'ServicePrincipal'
 @description('Optional IP address to allow access to the jump-box VM. This is necessary to provide secure access to the private VNET via a jump-box VM with Bastion. If not specified, all IP addresses are allowed.')
 param allowedIpAddress string = ''
 
 @description('Specifies if Microsoft APIM is deployed.')
-param apiManagementEnabled bool
+param apiManagementEnabled bool 
 
 @description('Specifies the publisher email for the API Management service. Defaults to admin@[name].com.')
 param apiManagementPublisherEmail string = 'admin@${name}.com'
 
 @description('Specifies whether network isolation is enabled. When true, Foundry and related components will be deployed, network access parameters will be set to Disabled.')
-param networkIsolation bool
+param networkIsolation bool 
 
 @description('Whether to include Cosmos DB in the deployment.')
-param cosmosDbEnabled bool
+param cosmosDbEnabled bool 
 
 @description('Optional. List of Cosmos DB databases to deploy.')
 param cosmosDatabases sqlDatabaseType[] = []
 
 @description('Whether to include SQL Server in the deployment.')
-param sqlServerEnabled bool
+param sqlServerEnabled bool = false
 
 @description('Optional. List of SQL Server databases to deploy.')
 param sqlServerDatabases databasePropertyType[] = []
@@ -90,7 +103,7 @@ param languageEnabled bool
 param speechEnabled bool
 
 @description('Whether to include Azure AI Translator in the deployment.')
-param translatorEnabled bool 
+param translatorEnabled bool
 
 @description('Whether to include Azure Document Intelligence in the deployment.')
 param documentIntelligenceEnabled bool
@@ -105,7 +118,7 @@ param networkAcls object = {
 param projectName string = '${take(name, 8)}proj'
 
 @description('Whether to include the sample app in the deployment. NOTE: Cosmos and Search must also be enabled and Auth Client ID and Secret must be provided.')
-param appSampleEnabled bool
+param appSampleEnabled bool 
 
 @description('Client id for registered application in Entra for use with app authentication.')
 param authClientId string?
@@ -131,6 +144,10 @@ var resourceToken = substring(uniqueString(subscription().id, location, name), 0
 var sanitizedName = toLower(replace(replace(replace(replace(replace(replace(replace(replace(replace(name, '@', ''), '#', ''), '$', ''), '!', ''), '-', ''), '_', ''), '.', ''), ' ', ''), '&', ''))
 var servicesUsername = take(replace(vmAdminUsername,'.', ''), 20)
 
+// VM Admin Password validation - ensure minimum 8 characters
+var randomString = uniqueString(resourceGroup().id, name, vmAdminPasswordOrKey)
+var validatedVmAdminPassword = (length(vmAdminPasswordOrKey) < 8) ? '${vmAdminPasswordOrKey}${take(randomString, 12)}' : vmAdminPasswordOrKey
+
 var deploySampleApp = appSampleEnabled && cosmosDbEnabled && searchEnabled && !empty(authClientId) && !empty(authClientSecret) && !empty(cosmosDatabases) && !empty(aiGPTModelDeployment) && length(aiEmbeddingModelDeployment) >= 2
 var authClientSecretName = 'auth-client-secret'
 
@@ -194,7 +211,7 @@ module keyvault 'modules/keyvault.bicep' = {
     roleAssignments: concat(empty(userObjectId) ? [] : [
       {
         principalId: userObjectId
-        principalType: 'User'
+        principalType: deployerPrincipalType
         roleDefinitionIdOrName: 'Key Vault Secrets User'
       }
     ], deploySampleApp ? [
@@ -239,7 +256,7 @@ module storageAccount 'modules/storageAccount.bicep' = {
     roleAssignments: concat(empty(userObjectId) ? [] : [
       {
         principalId: userObjectId
-        principalType: 'User'
+        principalType: deployerPrincipalType
         roleDefinitionIdOrName: 'Storage Blob Data Contributor'
       }
     ], [
@@ -286,6 +303,7 @@ module cognitiveServices 'modules/cognitive-services/cognitiveServices.bicep' =
       }
     ]
     userObjectId: userObjectId
+    deployerPrincipalType: deployerPrincipalType
     contentSafetyEnabled: contentSafetyEnabled
     visionEnabled: visionEnabled
     languageEnabled: languageEnabled
@@ -323,12 +341,12 @@ module aiSearch 'modules/aisearch.bicep' = if (searchEnabled) {
     roleAssignments: union(empty(userObjectId) ? [] : [
       {
         principalId: userObjectId
-        principalType: 'User'
+        principalType: deployerPrincipalType
         roleDefinitionIdOrName: 'Search Index Data Contributor'
       }
       {
         principalId: userObjectId
-        principalType: 'User'
+        principalType: deployerPrincipalType
         roleDefinitionIdOrName: 'Search Index Data Reader'
       }
     ], [
@@ -361,7 +379,7 @@ module virtualMachine './modules/virtualMachine.bicep' = if (networkIsolation)
     imageSku: 'win11-23h2-ent'
     authenticationType: 'password'
     vmAdminUsername: servicesUsername
-    vmAdminPasswordOrKey: vmAdminPasswordOrKey
+    vmAdminPasswordOrKey: validatedVmAdminPassword
     diskStorageAccountType: 'Premium_LRS'
     numDataDisks: 1
     osDiskSize: 128