
Commit cd1948f

author
Mike Swantek
committed
Update post deployment steps and other supporting documentation
1 parent ba7050f commit cd1948f

10 files changed

Lines changed: 95 additions & 5 deletions

README.md

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,18 @@ If you only want a small Foundry demo or a basic RAG sample, this repo is heavie
4242

4343
For the first attempt, the lowest-risk path is to keep Fabric and Purview disabled unless you already have their prerequisites in place.
4444

45+
> **Important:** The checked-in values in `infra/main.bicepparam` are an opinionated end-to-end provisioning path for this accelerator, not a neutral baseline for every scenario. They are useful for demonstrating the full stack and the automation flow, but they might enable services, networking, mirroring behavior, or governance hooks that you do not want in your target deployment.
46+
>
47+
> Before running `azd up`, review the active settings across:
48+
> - repo wrapper parameters in `infra/main.bicepparam`
49+
> - AI Landing Zone feature flags and topology implied by the preprovision deployment
50+
> - postprovision automation expectations in `azure.yaml`
51+
> - supporting server-specific settings such as PostgreSQL networking, mirroring mode, and Fabric/Purview inputs
52+
>
53+
> Treat the current defaults as the repo's "golden path" for a broad end-to-end demo and validation flow. Adjust them deliberately if you want a smaller, cheaper, or less integrated deployment.
54+
55+
> **Security note (PostgreSQL mirroring):** The mirroring prep script must run from a VNet-connected host when Key Vault and PostgreSQL are private. If you need a non-VNet demo, temporarily open access to both Key Vault and PostgreSQL, run the script, then lock them down. See [docs/post_deployment_steps.md](./docs/post_deployment_steps.md) for the manual steps, including the temporary Key Vault override.
56+
4557
### Dependency Map
4658

4759
| Area | Required to enable it | If missing |
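Review bot: The security note tells the reader to "lock them down" after a non-VNet demo but gives no way to confirm that the lock-down actually happened, which is the step most likely to be skipped once the demo works. Suggest adding the two checks next to the note, e.g. `az keyvault show -n <vault> --query properties.publicNetworkAccess` and `az postgres flexible-server firewall-rule list -g <rg> -n <server>`, and stating the expected result (public access disabled, no `AllowAzureServices` or client-IP rule left behind).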
@@ -98,7 +110,7 @@ Follow the deployment guide to deploy this solution to your own Azure subscripti
98110
99111
1. Run `azd auth login` and confirm the target subscription with `az account show`
100112
2. Create a new environment and set `AZURE_SUBSCRIPTION_ID` and `AZURE_LOCATION`
101-
3. Review `infra/main.bicepparam`, especially `principalId`, `aiSearchAdditionalAccessObjectIds`, `fabricCapacityPreset`, `fabricWorkspacePreset`, `fabricCapacityAdmins`, `purviewAccountResourceId`, `networkIsolation`, and `postgreSqlNetworkIsolation`
113+
3. Review `infra/main.bicepparam`, especially `principalId`, `aiSearchAdditionalAccessObjectIds`, `fabricCapacityPreset`, `fabricWorkspacePreset`, `fabricCapacityAdmins`, `purviewAccountResourceId`, `networkIsolation`, `postgreSqlNetworkIsolation`, and `postgreSqlAllowAzureServices`
102114
4. Run `azd up`
103115
5. Follow [docs/post_deployment_steps.md](./docs/post_deployment_steps.md) to verify the deployment
104116

azure.yaml

Lines changed: 1 addition & 1 deletion
@@ -76,7 +76,7 @@ hooks:
7676
- run: ./scripts/automationScripts/FabricWorkspace/mirror/prepare_postgresql_for_mirroring.ps1
7777
interactive: false
7878
shell: pwsh
79-
continueOnError: false
79+
continueOnError: true
8080

8181
# Stage 8: Setup Fabric Workspace Private Link (for VNet integration)
8282
- run: ./scripts/automationScripts/FabricWorkspace/SecureWorkspace/setup_fabric_private_link.ps1
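Review bot: Flipping `continueOnError` to `true` on `prepare_postgresql_for_mirroring.ps1` means a failure in the one hook that may have temporarily opened Key Vault and PostgreSQL access no longer stops `azd up`, so a script that dies after widening access but before restoring it will leave the environment open with a green deployment. If the intent is only to let the private-link stages run when mirroring prep is not applicable, prefer having the script exit cleanly in that case and keep `continueOnError: false`; otherwise document in the post-deployment steps that this stage can fail silently and must be checked.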

docs/DeploymentGuide.md

Lines changed: 12 additions & 0 deletions
@@ -144,6 +144,18 @@ azd env set AZURE_LOCATION eastus2
144144

145145
### Step 3: Configure Parameters
146146

147+
> **Important:** The values currently checked into `infra/main.bicepparam` represent an opinionated end-to-end path for provisioning this accelerator, including AI Landing Zone infrastructure, Fabric-related automation, PostgreSQL options, and postprovision hooks. They are not guaranteed to be the right settings for every deployment.
148+
>
149+
> Before you run `azd up`, verify the feature flags and automation inputs you are inheriting from:
150+
> - `infra/main.bicepparam`
151+
> - the AI Landing Zone submodule deployment that runs in preprovision
152+
> - `azure.yaml` postprovision hooks and their prerequisites
153+
> - service-specific settings such as Fabric, Purview, network isolation, PostgreSQL mirroring mode, and Azure-services firewall access
154+
>
155+
> If your goal is not the full end-to-end accelerator flow, change the flags first instead of treating the current defaults as universally safe.
156+
157+
> **Security note (PostgreSQL mirroring):** The mirroring prep script requires VNet access when Key Vault and PostgreSQL are private. If you need to demo mirroring end-to-end from a non-VNet machine, temporarily open access to both Key Vault and PostgreSQL before running the script and lock them down afterward. See [docs/postgresql_mirroring.md](./postgresql_mirroring.md).
158+
147159
<details>
148160
<summary><b>Required Parameters</b></summary>
149161
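Review bot: The bullet "Azure-services firewall access" understates what the reader is inheriting. The `0.0.0.0` rule that `postgreSqlAllowAzureServices` creates admits any Azure-hosted source, including resources in other customers' subscriptions, not only this deployment's Fabric capacity. Suggest saying that explicitly here, since this is the parameter most readers will leave at the checked-in default. The relative link `./postgresql_mirroring.md` resolves correctly from `docs/`.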

docs/PARAMETER_GUIDE.md

Lines changed: 8 additions & 0 deletions
@@ -444,6 +444,7 @@ Use these in `infra/main.bicepparam` when deploying via this repo. `postgreSqlNe
444444
```bicep-params
445445
param deployPostgreSql = true
446446
param postgreSqlNetworkIsolation = networkIsolation
447+
param postgreSqlAllowAzureServices = false
447448
param postgreSqlMirrorConnectionMode = 'fabricUser'
448449
param postgreSqlAuthConfig = {
449450
activeDirectoryAuth: 'Enabled'
@@ -453,6 +454,13 @@ param postgreSqlAuthConfig = {
453454

454455
When `postgreSqlNetworkIsolation` is `false`, PostgreSQL uses public access and does not create private endpoints or private DNS resources.
455456

457+
`postgreSqlAllowAzureServices` controls whether deployment also creates the PostgreSQL firewall rule that allows Azure services to connect (`0.0.0.0` to `0.0.0.0`). This is the declarative equivalent of the Azure portal **Allow public access from any Azure service within Azure to this server** setting.
458+
459+
Recommended combinations:
460+
461+
- Public/manual Fabric path: `postgreSqlNetworkIsolation = false` and `postgreSqlAllowAzureServices = true`
462+
- Private/gateway path: `postgreSqlNetworkIsolation = true` and `postgreSqlAllowAzureServices = false`
463+
456464
`postgreSqlAuthConfig` should remain set to both authentication modes enabled if you plan to configure Fabric mirroring after deployment. This ensures the server is created with password authentication available for the `fabric_user` connection instead of relying on a later hook to change the auth mode.
457465

458466
`postgreSqlMirrorConnectionMode` controls which credential the manual Fabric PostgreSQL connection should use after deployment:
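Review bot: The guide should say what happens to `postgreSqlAllowAzureServices = true` when `postgreSqlNetworkIsolation = true`: per the condition in `infra/main.bicep` (`deployPostgreSql && !postgreSqlNetworkIsolation && postgreSqlAllowAzureServices`) the rule is silently not created, so the "Private/gateway path" combination is really the only one where the value is ignored rather than applied. A one-line "ignored when isolation is enabled" note avoids readers assuming the toggle did something. Also consider labelling the "Public/manual Fabric path" combination as a demo configuration rather than a plain recommendation.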

docs/post_deployment_steps.md

Lines changed: 9 additions & 0 deletions
@@ -53,6 +53,15 @@ Use these short steps to verify the PostgreSQL mirroring follow-up flow. For ful
5353

5454
Mirroring in the current branch is a separate follow-up activity. Fabric connection creation and mirrored database creation are not part of `azd up`.
5555

56+
> **Security step (required for manual mirroring):** The mirroring prep script must run from a VNet-connected host when Key Vault and PostgreSQL are private. If you want to demo mirroring end-to-end from a non-VNet machine, temporarily open access to both Key Vault and PostgreSQL before running the script, then lock them down afterward.
57+
58+
If you must run the mirroring prep from a non-VNet host, set the temporary Key Vault override before you run the script:
59+
60+
```powershell
61+
$env:POSTGRES_TEMP_ENABLE_KV_PUBLIC_ACCESS = "true"
62+
pwsh ./scripts/automationScripts/FabricWorkspace/mirror/prepare_postgresql_for_mirroring.ps1
63+
```
64+
5665
For post-deployment verification, the important distinction is simple:
5766

5867
- If you did not intentionally run the mirroring follow-up, treat mirroring as deferred and do not use it as a deployment success criterion.
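Review bot: The snippet sets `$env:POSTGRES_TEMP_ENABLE_KV_PUBLIC_ACCESS = "true"` but never clears it, so the override persists for the whole PowerShell session and any later manual rerun of the script (the doc explicitly describes reruns) will reopen Key Vault without the operator asking for it. Suggest appending `Remove-Item Env:POSTGRES_TEMP_ENABLE_KV_PUBLIC_ACCESS` after the script call, and stating whether the script itself restores Key Vault public access on exit, including when it fails partway, or whether that restore is a manual step.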

docs/postgresql_mirroring.md

Lines changed: 28 additions & 1 deletion
@@ -2,8 +2,16 @@
22

33
This guide explains how to complete PostgreSQL mirroring in Microsoft Fabric after deployment.
44

5+
> **Security-critical note:** The mirroring prep script must run from a VNet-connected host when Key Vault and PostgreSQL are private. If you want to demo the full end-to-end mirroring flow from a non-VNet machine, you must temporarily open access to both Key Vault and PostgreSQL before running the script, then re-lock them afterward. Treat this as a deliberate security step, not a default configuration.
6+
57
Mirroring automation in the current branch is set for PostgreSQL deployments where `postgreSqlNetworkIsolation = false`.
68

9+
For the public/manual path, this repo now supports a declarative firewall toggle through `postgreSqlAllowAzureServices`.
10+
11+
- `postgreSqlNetworkIsolation = false` makes PostgreSQL publicly reachable.
12+
- `postgreSqlAllowAzureServices = true` creates the PostgreSQL `AllowAzureServices` firewall rule (`0.0.0.0` to `0.0.0.0`), which is the deployment equivalent of the Azure portal **Allow public access from any Azure service within Azure to this server** setting.
13+
- That combination is the recommended configuration when you want `azd up` to leave PostgreSQL ready for a manual Fabric connection without using a VNet gateway.
14+
715
If you want full PostgreSQL isolation, the database deployment can still succeed, but end-to-end Fabric mirroring moves to the Fabric VNet gateway path.
816

917
If you are not changing the network approach right now, there are only two valid post-deployment outcomes:
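Review bot: The new security-critical note and the new bullets pull in opposite directions: the note frames opening access as something "temporary" to "re-lock afterward", while the bullets recommend `postgreSqlAllowAzureServices = true` as a deployment setting, which is a permanent firewall rule that survives every later `azd up`. Make the distinction explicit, i.e. the declarative rule is a standing configuration choice for the public path, and only the Key Vault override and any client-IP rules are the temporary part.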
@@ -26,13 +34,21 @@ Choose one path up front:
2634

2735
Use this path when the PostgreSQL server has `publicNetworkAccess=Enabled`. In this repo, that corresponds to `postgreSqlNetworkIsolation = false`.
2836

37+
Recommended deployment settings for this path:
38+
39+
```bicep-params
40+
param postgreSqlNetworkIsolation = false
41+
param postgreSqlAllowAzureServices = true
42+
```
43+
2944
1. In Azure Portal, open the PostgreSQL Flexible Server.
3045
2. Open **Fabric Mirroring** on the server and let the portal prepare the server-side prerequisites.
3146
- Microsoft documentation explicitly calls out this page as the path that automates the server-side mirroring prerequisites.
3247
- This overlaps with what `prepare_postgresql_for_mirroring.ps1` is trying to automate.
3348
- It does **not** create the Fabric connection object or the mirrored database item in the Fabric workspace.
3449
3. In **Networking**, make sure Fabric can reach the server.
35-
- Shortest path: add the `0.0.0.0` firewall rule to allow Azure services.
50+
- If `postgreSqlAllowAzureServices = true`, deployment should already have created the Azure-services firewall rule.
51+
- If it is not enabled in deployment, add the `0.0.0.0` firewall rule manually.
3652
- If you only need to read the password secret yourself, temporarily add only your client IP to Key Vault, retrieve the secret, then remove the IP again.
3753
4. In Fabric, create a new **Mirrored Azure Database for PostgreSQL** item.
3854
5. Use these deployment values instead of hardcoding names:
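Review bot: Step 3 has an "add the `0.0.0.0` firewall rule manually" fallback but the numbered procedure never tells the reader to remove it (or the client-IP Key Vault rule from the same step) once the mirror is established, so the manual path ends with the server more exposed than the declarative one. Add a closing step, or a pointer to a teardown section, that removes the manual rule and confirms Key Vault is back to private access.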
@@ -134,6 +150,7 @@ If preflight fails, fix the runner first instead of continuing into SQL prep or
134150
What is automated today:
135151

136152
- PostgreSQL server deployment during `azd up`.
153+
- Optional PostgreSQL Azure-services firewall rule creation during `azd up` when `postgreSqlAllowAzureServices = true` and PostgreSQL public access is enabled.
137154
- PostgreSQL mirroring prep during `azd up` postprovision (server parameters, auth mode, mirroring role/grants, and seed table).
138155
- Manual or follow-up Fabric connection creation for PostgreSQL mirroring.
139156
- Manual or follow-up mirror creation after the Fabric connection is resolved.
@@ -149,6 +166,7 @@ The Fabric mirroring API requires a Fabric "connection" object that stores the P
149166
- PostgreSQL authentication mode is **PostgreSQL and Microsoft Entra authentication** (password auth enabled).
150167
- You have access to the Key Vault that stores the PostgreSQL secrets.
151168
- Decide which connection mode you are using: `fabricUser` (default) or `admin` via `postgreSqlMirrorConnectionMode`.
169+
- If you are using the public/manual path, prefer `postgreSqlAllowAzureServices = true` so Fabric can reach PostgreSQL without a VNet gateway.
152170

153171
## Step 1: Confirm PostgreSQL Details
154172

@@ -172,6 +190,15 @@ pwsh ./scripts/automationScripts/FabricWorkspace/Mirror/prepare_postgresql_for_m
172190

173191
Re-run it manually only if you need to repair or reapply the PostgreSQL mirroring readiness settings.
174192

193+
> **Security step (manual demo path):** If you are not running from a VNet-connected host, temporarily enable Key Vault access and PostgreSQL firewall access for your client before running the script. Restore the locked-down settings immediately after.
194+
195+
If you need the script to temporarily enable Key Vault public access while it runs, set:
196+
197+
```powershell
198+
$env:POSTGRES_TEMP_ENABLE_KV_PUBLIC_ACCESS = "true"
199+
pwsh ./scripts/automationScripts/FabricWorkspace/mirror/prepare_postgresql_for_mirroring.ps1
200+
```
201+
175202
### Manual rerun
176203

177204
Run:
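Review bot: The added snippet invokes `scripts/automationScripts/FabricWorkspace/mirror/prepare_postgresql_for_mirroring.ps1` (lowercase `mirror`), while the unchanged context line at the top of this hunk uses `FabricWorkspace/Mirror/...`; `azure.yaml` uses the lowercase form. On a case-sensitive filesystem one of these paths does not exist, so pick the real directory name and make all three places agree. The same session-scoped `$env:` override issue noted for `post_deployment_steps.md` applies to this snippet.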
Binary file not shown (-114 KB, 15.7 KB)

infra/main.bicep

Lines changed: 19 additions & 0 deletions
@@ -218,6 +218,9 @@ param postgreSqlServerName string = 'pg${resourceToken}'
218218
@description('Enable network isolation for PostgreSQL (private DNS + private endpoint).')
219219
param postgreSqlNetworkIsolation bool = networkIsolation
220220

221+
@description('Allow connections from Azure services to the PostgreSQL server when public access is enabled. This creates the 0.0.0.0 firewall rule equivalent to the portal Allow Azure services setting.')
222+
param postgreSqlAllowAzureServices bool = false
223+
221224
@description('Create and link the PostgreSQL private DNS zone to the VNet.')
222225
param deployPostgreSqlPrivateDnsLink bool = true
223226

@@ -406,6 +409,22 @@ module postgreSqlFlexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-s
406409
}
407410
}
408411

412+
resource postgreSqlFlexibleServerResource 'Microsoft.DBforPostgreSQL/flexibleServers@2025-06-01-preview' existing = if (deployPostgreSql) {
413+
name: postgreSqlServerName
414+
}
415+
416+
resource postgreSqlAllowAzureServicesFirewallRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2025-01-01-preview' = if (deployPostgreSql && !postgreSqlNetworkIsolation && postgreSqlAllowAzureServices) {
417+
parent: postgreSqlFlexibleServerResource
418+
name: 'AllowAzureServices'
419+
properties: {
420+
startIpAddress: '0.0.0.0'
421+
endIpAddress: '0.0.0.0'
422+
}
423+
dependsOn: [
424+
postgreSqlFlexibleServer
425+
]
426+
}
427+
409428
resource postgreSqlAdminSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = if (deployPostgreSql && enablePostgreSqlKeyVaultSecret) {
410429
name: postgreSqlAdminSecretName
411430
parent: keyVault
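Review bot: The `@description` on `postgreSqlAllowAzureServices` and the rule name `AllowAzureServices` both describe the `0.0.0.0` rule as "Allow Azure services", but that rule admits traffic from any Azure-allocated address, including other tenants' resources; the description should say so because it is the only place a `bicepparam` author will read it. Two smaller points: the `existing` server is declared at `flexibleServers@2025-06-01-preview` while the child rule uses `firewallRules@2025-01-01-preview`, and mixing preview versions of the same provider within one resource pair is fragile, so align them; and if the AVM flexible-server module used above exposes a firewall-rules input, creating the rule through the module would avoid the `existing` lookup and the explicit `dependsOn` on `postgreSqlFlexibleServer`.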

infra/main.bicepparam

Lines changed: 5 additions & 2 deletions
@@ -32,12 +32,15 @@ param aiSearchAdditionalAccessObjectIds = ['']
3232

3333
param deploymentTags = {}
3434
param appConfigLabel = 'ai-lz'
35+
// Create the provisioning of the AI landing zone with network isolation (vnet,private end points, etc)
3536
param networkIsolation = true
3637

3738
// Coordinate PostgreSQL networking with the overall isolation flag by default.
38-
param postgreSqlNetworkIsolation = networkIsolation
39+
param postgreSqlNetworkIsolation = false
40+
// Allow Fabric and other Azure services to reach PostgreSQL when public access is enabled.
41+
param postgreSqlAllowAzureServices = true
3942
// Skip this if a PostgreSQL private DNS zone is already linked to the VNet.
40-
param deployPostgreSqlPrivateDnsLink = true
43+
param deployPostgreSqlPrivateDnsLink = false
4144
// Optional: use an existing VNet link name to avoid conflicts.
4245
param postgreSqlPrivateDnsLinkNameOverride = ''
4346
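Review bot: The comment "Coordinate PostgreSQL networking with the overall isolation flag by default." is now false: the line below it was changed from `networkIsolation` to a hardcoded `false`, so the checked-in defaults deploy a public PostgreSQL server with the `0.0.0.0` firewall rule and no private DNS link inside a landing zone that has `networkIsolation = true`. Either update the comment to say the database is deliberately left public for the manual Fabric demo, or keep the coupling and put the public-demo values in a separate parameter file. The new comment also has a typo: "vnet,private end points" should read "VNet, private endpoints".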
