microsoft
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎azure.yaml‎
Lines changed: 12 additions & 0 deletions b/‎azure.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/DeploymentGuide.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/DeploymentGuide.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 0 deletions b/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎infra/main.bicep‎
Lines changed: 184 additions & 9 deletions b/‎infra/main.bicep‎
Lines changed: 184 additions & 9 deletions
diff --git a/‎infra/main.bicepparam‎
Lines changed: 35 additions & 1 deletion b/‎infra/main.bicepparam‎
Lines changed: 35 additions & 1 deletion
@@ -22,7 +22,7 @@ This accelerator extends the [AI Landing Zone](https://github.com/Azure/ai-landi
 
 ### Solution Architecture
 
-| ![Architecture](./img/Architecture/AI-Landing-Zone-without-platform.png) |
+| ![Architecture](./img/Architecture/Deploy-AI-App-in-Prod-Architecture_final.png) |
 |---|
 
 ### Key Components
 
@@ -71,6 +71,18 @@ hooks:
       interactive: false
       shell: pwsh
       continueOnError: false
+
+    # Stage 7.4: Prepare PostgreSQL for Fabric mirroring (server params + role)
+    - run: ./scripts/automationScripts/FabricWorkspace/Mirror/run_postgresql_mirroring_prep_with_public_access.ps1
+      interactive: false
+      shell: pwsh
+      continueOnError: false
+
+    # Stage 7.5: Create PostgreSQL Mirrored Database (if PostgreSQL is provisioned)
+    - run: ./scripts/automationScripts/FabricWorkspace/Mirror/create_postgresql_mirror.ps1
+      interactive: false
+      shell: pwsh
+      continueOnError: false
 
     # Stage 8: Setup Fabric Workspace Private Link (for VNet integration)
     - run: ./scripts/automationScripts/FabricWorkspace/SecureWorkspace/setup_fabric_private_link.ps1
 
@@ -179,6 +179,7 @@ Edit `infra/main.bicepparam` or set environment variables:
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `networkIsolation` | Enable network isolation | `false` |
+| `postgreSqlNetworkIsolation` | PostgreSQL private networking toggle (defaults to `networkIsolation`) | `networkIsolation` |
 | `useExistingVNet` | Reuse an existing VNet | `false` |
 | `existingVnetResourceId` | Existing VNet resource ID (when `useExistingVNet=true`) | `` |
 | `vmUserName` | Jump box VM admin username | `` |
 
@@ -437,6 +437,17 @@ az cognitiveservices account list-usage \
 
 ## Individual Service Configuration
 
+### PostgreSQL Flexible Server (Repo Wrapper)
+
+Use these in `infra/main.bicepparam` when deploying via this repo. `postgreSqlNetworkIsolation` defaults to `networkIsolation`.
+
+```bicep-params
+param deployPostgreSql = true
+param postgreSqlNetworkIsolation = networkIsolation
+```
+
+When `postgreSqlNetworkIsolation` is `false`, PostgreSQL uses public access and does not create private endpoints or private DNS resources.
+
 ### Storage Account
 
 ```json
 
@@ -205,24 +205,197 @@ param purviewAccountResourceId string = ''
 @description('Optional. Existing Purview collection name')
 param purviewCollectionName string = ''
 
+// ========================================
+// PARAMETERS - POSTGRESQL FLEXIBLE SERVER
+// ========================================
+
+@description('Deploy PostgreSQL Flexible Server.')
+param deployPostgreSql bool = false
+
+@description('PostgreSQL Flexible Server name.')
+param postgreSqlServerName string = 'pg${resourceToken}'
+
+@description('Enable network isolation for PostgreSQL (private DNS + private endpoint).')
+param postgreSqlNetworkIsolation bool = networkIsolation
+
+@description('Create and link the PostgreSQL private DNS zone to the VNet.')
+param deployPostgreSqlPrivateDnsLink bool = true
+
+@description('Optional override for the PostgreSQL private DNS VNet link name.')
+param postgreSqlPrivateDnsLinkNameOverride string = ''
+
+@description('PostgreSQL admin username.')
+param postgreSqlAdminLogin string = 'pgadmin'
+
+@description('PostgreSQL admin password.')
+@secure()
+param postgreSqlAdminPassword string
+
+@description('Store PostgreSQL admin password in Key Vault.')
+param enablePostgreSqlKeyVaultSecret bool = true
+
+@description('Key Vault secret name for PostgreSQL admin password.')
+param postgreSqlAdminSecretName string = 'postgres-admin-password'
+
+@description('PostgreSQL role name for Fabric mirroring.')
+param postgreSqlFabricUserName string = 'fabric_user'
+
+@description('Key Vault secret name for the Fabric mirroring PostgreSQL role password.')
+param postgreSqlFabricUserSecretName string = 'postgres-fabric-user-password'
+
+@description('PostgreSQL SKU name (tier + family + cores).')
+param postgreSqlSkuName string = 'Standard_D2s_v3'
+
+@description('PostgreSQL tier aligned with SKU.')
+@allowed([
+  'Burstable'
+  'GeneralPurpose'
+  'MemoryOptimized'
+])
+param postgreSqlTier string = 'GeneralPurpose'
+
+@description('PostgreSQL availability zone. -1 means no zone preference.')
+@allowed([
+  -1
+  1
+  2
+  3
+])
+param postgreSqlAvailabilityZone int = -1
+
+@description('PostgreSQL high availability mode.')
+@allowed([
+  'Disabled'
+  'SameZone'
+  'ZoneRedundant'
+])
+param postgreSqlHighAvailability string = 'Disabled'
+
+@description('PostgreSQL high availability standby zone. -1 means no zone preference.')
+@allowed([
+  -1
+  1
+  2
+  3
+])
+param postgreSqlHighAvailabilityZone int = -1
+
+@description('PostgreSQL version.')
+@allowed([
+  '11'
+  '12'
+  '13'
+  '14'
+  '15'
+  '16'
+  '17'
+  '18'
+])
+param postgreSqlVersion string = '16'
+
+@description('PostgreSQL storage size in GB.')
+param postgreSqlStorageSizeGB int = 32
+
 // ========================================
 // FABRIC CAPACITY DEPLOYMENT
 // ========================================
 
 var effectiveFabricCapacityMode = fabricCapacityMode
 var effectiveFabricWorkspaceMode = fabricWorkspaceMode
+var effectiveLocation = !empty(location) ? location : resourceGroup().location
 
 var envSlugSanitized = replace(replace(replace(replace(replace(replace(replace(replace(toLower(environmentName), ' ', ''), '-', ''), '_', ''), '.', ''), '/', ''), '\\', ''), ':', ''), ',', '')
 
 var envSlugTrimmed = substring(envSlugSanitized, 0, min(40, length(envSlugSanitized)))
 var capacityNameBase = !empty(envSlugTrimmed) ? 'fabric${envSlugTrimmed}' : 'fabric${baseName}'
 var capacityName = substring(capacityNameBase, 0, min(50, length(capacityNameBase)))
 
+var effectiveVnetResourceId = useExistingVNet && !empty(existingVnetResourceId)
+  ? existingVnetResourceId
+  : resourceId('Microsoft.Network/virtualNetworks', vnetName)
+
+var postgreSqlPrivateDnsZoneName = 'privatelink.postgres.database.azure.com'
+var postgreSqlPrivateDnsLinkNameRaw = '${postgreSqlServerName}-vnetlink'
+var postgreSqlPrivateEndpointNameRaw = '${postgreSqlServerName}-pe'
+var postgreSqlPrivateDnsLinkName = substring(postgreSqlPrivateDnsLinkNameRaw, 0, min(80, length(postgreSqlPrivateDnsLinkNameRaw)))
+var effectivePostgreSqlPrivateDnsLinkName = !empty(postgreSqlPrivateDnsLinkNameOverride)
+  ? postgreSqlPrivateDnsLinkNameOverride
+  : postgreSqlPrivateDnsLinkName
+var postgreSqlPrivateEndpointName = substring(postgreSqlPrivateEndpointNameRaw, 0, min(80, length(postgreSqlPrivateEndpointNameRaw)))
+
+var effectiveKeyVaultResourceId = !empty(keyVaultResourceId)
+  ? keyVaultResourceId
+  : resourceId('Microsoft.KeyVault/vaults', keyVaultName)
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: last(split(effectiveKeyVaultResourceId, '/'))
+}
+
+resource postgreSqlPrivateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation) {
+  name: postgreSqlPrivateDnsZoneName
+  location: 'global'
+  tags: deploymentTags
+}
+
+resource postgreSqlPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation && deployPostgreSqlPrivateDnsLink) {
+  name: '${postgreSqlPrivateDnsZone.name}/${effectivePostgreSqlPrivateDnsLinkName}'
+  location: 'global'
+  properties: {
+    virtualNetwork: {
+      id: effectiveVnetResourceId
+    }
+    registrationEnabled: false
+  }
+}
+
+var postgreSqlPrivateEndpoints = postgreSqlNetworkIsolation ? [
+  {
+    name: postgreSqlPrivateEndpointName
+    subnetResourceId: '${effectiveVnetResourceId}/subnets/${peSubnetName}'
+    privateDnsZoneGroup: {
+      privateDnsZoneGroupConfigs: [
+        {
+          privateDnsZoneResourceId: postgreSqlPrivateDnsZone.id
+        }
+      ]
+    }
+  }
+] : []
+
+module postgreSqlFlexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-server:0.15.2' = if (deployPostgreSql) {
+  name: 'postgresql-flexible'
+  params: {
+    availabilityZone: postgreSqlAvailabilityZone
+    highAvailability: postgreSqlHighAvailability
+    highAvailabilityZone: postgreSqlHighAvailabilityZone
+    name: postgreSqlServerName
+    skuName: postgreSqlSkuName
+    tier: postgreSqlTier
+    administratorLogin: postgreSqlAdminLogin
+    administratorLoginPassword: postgreSqlAdminPassword
+    managedIdentities: {
+      systemAssigned: true
+    }
+    publicNetworkAccess: postgreSqlNetworkIsolation ? 'Disabled' : 'Enabled'
+    version: postgreSqlVersion
+    storageSizeGB: postgreSqlStorageSizeGB
+    privateEndpoints: postgreSqlPrivateEndpoints
+    tags: deploymentTags
+  }
+}
+
+resource postgreSqlAdminSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = if (deployPostgreSql && enablePostgreSqlKeyVaultSecret) {
+  name: '${keyVault.name}/${postgreSqlAdminSecretName}'
+  properties: {
+    value: postgreSqlAdminPassword
+  }
+}
+
 module fabricCapacity 'modules/fabric-capacity.bicep' = if (effectiveFabricCapacityMode == 'create') {
   name: 'fabric-capacity'
   params: {
     capacityName: capacityName
-    location: location
+    location: effectiveLocation
     sku: fabricCapacitySku
     adminMembers: fabricCapacityAdmins
     tags: deploymentTags
@@ -233,14 +406,6 @@ module fabricCapacity 'modules/fabric-capacity.bicep' = if (effectiveFabricCapac
 // OUTPUTS - Pass through from AI Landing Zone
 // ========================================
 
-var effectiveVnetResourceId = useExistingVNet && !empty(existingVnetResourceId)
-  ? existingVnetResourceId
-  : resourceId('Microsoft.Network/virtualNetworks', vnetName)
-
-var effectiveKeyVaultResourceId = !empty(keyVaultResourceId)
-  ? keyVaultResourceId
-  : resourceId('Microsoft.KeyVault/vaults', keyVaultName)
-
 var effectiveAiSearchResourceId = !empty(aiSearchResourceId)
   ? aiSearchResourceId
   : resourceId('Microsoft.Search/searchServices', searchServiceName)
@@ -276,6 +441,16 @@ output fabricCapacityResourceIdOut string = effectiveFabricCapacityResourceId
 output fabricCapacityName string = effectiveFabricCapacityName
 output fabricCapacityId string = effectiveFabricCapacityResourceId
 
+// PostgreSQL outputs
+output postgreSqlServerNameOut string = deployPostgreSql ? postgreSqlFlexibleServer.outputs.name : ''
+output postgreSqlServerResourceId string = deployPostgreSql ? postgreSqlFlexibleServer.outputs.resourceId : ''
+output postgreSqlServerFqdn string = deployPostgreSql ? postgreSqlFlexibleServer.outputs.fqdn : ''
+output postgreSqlSystemAssignedPrincipalId string = deployPostgreSql ? postgreSqlFlexibleServer.outputs.systemAssignedMIPrincipalId : ''
+output postgreSqlAdminSecretName string = deployPostgreSql && enablePostgreSqlKeyVaultSecret ? postgreSqlAdminSecretName : ''
+output postgreSqlAdminLoginOut string = deployPostgreSql ? postgreSqlAdminLogin : ''
+output postgreSqlFabricUserNameOut string = deployPostgreSql ? postgreSqlFabricUserName : ''
+output postgreSqlFabricUserSecretNameOut string = deployPostgreSql && enablePostgreSqlKeyVaultSecret ? postgreSqlFabricUserSecretName : ''
+
 var effectiveFabricWorkspaceName = effectiveFabricWorkspaceMode == 'byo'
   ? (!empty(fabricWorkspaceName) ? fabricWorkspaceName : (!empty(environmentName) ? 'workspace-${environmentName}' : 'workspace-${baseName}'))
   : (!empty(environmentName) ? 'workspace-${environmentName}' : 'workspace-${baseName}')
 
@@ -34,6 +34,40 @@ param deploymentTags = {}
 param appConfigLabel = 'ai-lz'
 param networkIsolation = true
 
+// Coordinate PostgreSQL networking with the overall isolation flag by default.
+param postgreSqlNetworkIsolation = networkIsolation
+// Skip this if a PostgreSQL private DNS zone is already linked to the VNet.
+param deployPostgreSqlPrivateDnsLink = true
+// Optional: use an existing VNet link name to avoid conflicts.
+param postgreSqlPrivateDnsLinkNameOverride = ''
+
+// ========================================
+// POSTGRESQL FLEXIBLE SERVER (Optional)
+// ========================================
+
+var postgreSqlEnvNameLower = toLower(environmentName)
+var postgreSqlEnvNameSanitized = replace(replace(replace(replace(replace(replace(replace(postgreSqlEnvNameLower, ' ', '-'), '_', '-'), '.', ''), '/', ''), '\\', ''), ':', ''), ',', '')
+var postgreSqlEnvNameTrimmed = substring(postgreSqlEnvNameSanitized, 0, min(50, length(postgreSqlEnvNameSanitized)))
+var postgreSqlServerNameBase = !empty(postgreSqlEnvNameTrimmed)
+  ? 'pg-${postgreSqlEnvNameTrimmed}'
+  : 'pg${uniqueString(readEnvironmentVariable('AZURE_SUBSCRIPTION_ID', ''), environmentName, location)}'
+
+param deployPostgreSql = true
+param postgreSqlServerName = substring(postgreSqlServerNameBase, 0, min(63, length(postgreSqlServerNameBase)))
+param postgreSqlAdminLogin = 'pgadmin'
+param postgreSqlAdminPassword = readEnvironmentVariable('POSTGRES_ADMIN_PASSWORD', '$(secretOrRandomPassword)')
+param enablePostgreSqlKeyVaultSecret = true
+param postgreSqlAdminSecretName = 'postgres-admin-password'
+param postgreSqlFabricUserName = 'fabric_user'
+param postgreSqlFabricUserSecretName = 'postgres-fabric-user-password'
+param postgreSqlSkuName = 'Standard_D2s_v3'
+param postgreSqlTier = 'GeneralPurpose'
+param postgreSqlAvailabilityZone = 1
+param postgreSqlHighAvailability = 'Disabled'
+param postgreSqlHighAvailabilityZone = -1
+param postgreSqlVersion = '16'
+param postgreSqlStorageSizeGB = 32
+
 // ========================================
 // FEATURE TOGGLES
 // ========================================
@@ -44,7 +78,7 @@ param deployAiFoundrySubnet = true
 param deployAppConfig = true
 param deployKeyVault = true
 param deployVmKeyVault = readEnvironmentVariable('DEPLOY_VM_KEY_VAULT', 'true') == 'true'
-param deployLogAnalytics = true
+param deployLogAnalytics = false
 param deployAppInsights = true
 param deploySearchService = true
 param deployStorageAccount = true