Commit f1cbea8

Merge pull request #131 from microsoft/dev
chore: dev to main merge
2 parents d7412e8 + ab864e0 commit f1cbea8

11 files changed

+824
-46
lines changed

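--- a/.github/workflows/azd-template-validation.yml
+++ b/.github/workflows/azd-template-validation.yml
@@ -1,9 +1,14 @@
 name: AZD Template Validation
-on:
+on:
 workflow_dispatch:
 push:
 branches:
 - main
+paths:
+- 'infra/**'
+- 'azure.yaml'
+- 'scripts/**'
+- '.github/workflows/azure-dev.yml'
 
 permissions:
 contents: read
@@ -16,6 +21,8 @@ jobs:
 name: azd template validation
 steps:
 - uses: actions/checkout@v4
+with:
+submodules: recursive
 
 # This postprovision cleanup step (Stage 19) has been removed from azure.yaml because
 # azd down was failing in the pipeline. As a workaround, we are removing this step
@@ -36,6 +43,9 @@ jobs:
 AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
 AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+TEMP: /tmp
 fabricCapacityMode: 'none'
+AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}
+AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
 - name: print result
 run: cat ${{ steps.validation.outputs.resultFile }}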
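Review bot: The fallback in `AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}` hands the deployment an application (client) ID whenever `PRINCIPAL_ID` is unset, while `AZURE_PRINCIPAL_TYPE` is fixed to `ServicePrincipal`. The azure-dev.yml change in this same commit notes that role assignments require the service principal's object ID rather than the client ID, so in the fallback case the RBAC grant would presumably fail or name no real principal. Either drop the fallback, `AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID }}`, so the job fails visibly when the variable is missing, or resolve the object ID in an earlier step the way azure-dev.yml does. The client ID is also read from `secrets.` here but from `vars.` in azure-dev.yml, which is worth making consistent; the step that owns this `env:` block starts outside the hunk.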

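--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
@@ -24,26 +24,73 @@ jobs:
 AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
 AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
 AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-AZURE_USER_OBJECT_ID: ''
+AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+TEMP: /tmp
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+with:
+submodules: recursive
+
 - name: Install azd
 uses: Azure/setup-azd@v2
+
 - name: Azure Developer CLI Login
 run: |
 azd auth login `
 --client-id "$Env:AZURE_CLIENT_ID" `
 --federated-credential-provider "github" `
---tenant-id "$Env:AZURE_TENANT_ID"
+--tenant-id "$Env:AZURE_TENANT_ID"
 shell: pwsh
+
 - name: Azure CLI Login
 uses: azure/login@v2
 with:
 client-id: ${{ vars.AZURE_CLIENT_ID }}
 tenant-id: ${{ vars.AZURE_TENANT_ID }}
 subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+- name: Resolve Service Principal Object ID
+run: |
+# If PRINCIPAL_ID repo variable is set and is a valid GUID, use it directly
+if [[ "${{ vars.PRINCIPAL_ID }}" =~ ^[0-9a-fA-F-]{36}$ ]]; then
+echo "Using PRINCIPAL_ID from repo variables"
+echo "AZURE_PRINCIPAL_ID=${{ vars.PRINCIPAL_ID }}" >> $GITHUB_ENV
+else
+# Resolve the Object ID from the Application (Client) ID
+# Role assignments require the SP Object ID, not the Client/App ID
+echo "Resolving Service Principal Object ID from Client ID..."
+SP_OBJECT_ID=$(az ad sp show --id "${{ vars.AZURE_CLIENT_ID }}" --query id -o tsv 2>/dev/null)
+if [[ -z "$SP_OBJECT_ID" ]]; then
+echo "::error::Failed to resolve Service Principal Object ID from Client ID: ${{ vars.AZURE_CLIENT_ID }}"
+exit 1
+fi
+echo "Resolved SP Object ID: $SP_OBJECT_ID"
+echo "AZURE_PRINCIPAL_ID=$SP_OBJECT_ID" >> $GITHUB_ENV
+fi
+
+- name: Create Resource Group if needed
+run: |
+# Use provided RG name or derive from environment name
+RESOURCE_GROUP="${AZURE_RESOURCE_GROUP:-rg-${AZURE_ENV_NAME}}"
+echo "Using resource group: $RESOURCE_GROUP"
+
+RG_EXISTS=$(az group exists --name "$RESOURCE_GROUP")
+if [ "$RG_EXISTS" = "false" ]; then
+echo "Creating resource group: $RESOURCE_GROUP"
+az group create --name "$RESOURCE_GROUP" --location ${{ vars.AZURE_LOCATION }}
+else
+echo "Resource group already exists: $RESOURCE_GROUP"
+fi
+
+# Set for subsequent steps
+echo "RESOURCE_GROUP=$RESOURCE_GROUP" >> $GITHUB_ENV
+
 - name: Provision Infrastructure
+id: provision-main
 run: azd provision --no-prompt
 env:
-AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+fabricCapacityMode: 'none'
+fabricWorkspaceMode: 'none'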
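Review bot: The new `Resolve Service Principal Object ID` step expands `${{ vars.PRINCIPAL_ID }}` and `${{ vars.AZURE_CLIENT_ID }}` straight into the bash script text, so the GUID test only runs after the value is already part of the script and cannot keep a malformed variable from being interpreted as shell in a job that holds the Azure federated login. Pass both values through a step-level `env:` block and reference them as quoted shell variables; the unquoted `--location ${{ vars.AZURE_LOCATION }}` in `Create Resource Group if needed` should become `--location "$AZURE_LOCATION"`, which the job-level env already provides. The pattern `^[0-9a-fA-F-]{36}$` also accepts strings that are not GUIDs (36 hyphens would match), and `2>/dev/null` discards the `az ad sp show` error that would explain a failed lookup. The job header and `runs-on` are outside the hunk, so the default shell for these bash-syntax steps is assumed to be bash.

```yaml
      - name: Resolve Service Principal Object ID
        env:
          PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID }}
          CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        run: |
          # Values arrive as environment variables, never as script text
          if [[ "$PRINCIPAL_ID" =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]]; then
            echo "Using PRINCIPAL_ID from repo variables"
            echo "AZURE_PRINCIPAL_ID=$PRINCIPAL_ID" >> "$GITHUB_ENV"
          else
            # stderr is kept so a failed lookup is visible in the job log
            SP_OBJECT_ID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv)
            # … unchanged: empty-result check (error message should print "$CLIENT_ID") …
            echo "AZURE_PRINCIPAL_ID=$SP_OBJECT_ID" >> "$GITHUB_ENV"
          fi
```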

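--- a/azure.yaml
+++ b/azure.yaml
@@ -2,6 +2,7 @@ name: deploy-your-ai-application-in-production
 
 requiredVersions:
 azd: ">=1.15.0 != 1.23.9"
+bicep: '>= 0.33.0'
 
 infra:
 provider: "bicep"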

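--- a/docs/ACCESSING_PRIVATE_RESOURCES.md
+++ b/docs/ACCESSING_PRIVATE_RESOURCES.md
@@ -18,9 +18,9 @@ azd env get-values | grep jumpVm
 
 # Or in Azure Portal:
 # 1. Navigate to your resource group
-# 2. Find the VM (usually named like "vm-jump-<env>")
+# 2. Find the VM resource created for the jump box
 # 3. Click "Connect" → "Bastion"
-# 4. Enter the username and password (auto-generated during deployment)
+# 4. Enter the username and password you set via VM_ADMIN_USERNAME / VM_ADMIN_PASSWORD
 ```
 
 ### 2. From Jump VM, Access Private Services
@@ -169,7 +169,13 @@ You can configure services without private endpoints by modifying individual ser
 
 ### Jump VM credentials unknown
 
-Credentials are auto-generated during deployment. To reset:
+If you did not set the credentials before deployment, use the top-layer defaults or reset them:
+
+- Username: `VM_ADMIN_USERNAME` environment variable, or `vmUserName` in [infra/main.bicepparam](../infra/main.bicepparam)
+- Default username when unset: `testvmuser`
+- Password: `VM_ADMIN_PASSWORD` environment variable, or `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam)
+
+To reset:
 
 ```bash
 az vm user update \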

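--- a/docs/deploy_app_from_foundry.md
+++ b/docs/deploy_app_from_foundry.md
@@ -24,7 +24,7 @@ Since all resources are deployed with private endpoints, you must access Microso
 2. Navigate to your resource group
 3. Select the **Jump VM** (Windows Virtual Machine)
 4. Click **Connect****Bastion**
-5. Enter the VM credentials (set during deployment)
+5. Enter the VM credentials you configured in the top layer (`VM_ADMIN_USERNAME` / `VM_ADMIN_PASSWORD`, or [infra/main.bicepparam](../infra/main.bicepparam))
 6. Once connected, open a browser and navigate to [Microsoft Foundry](https://ai.azure.com)
 
 ### 2. Configure Your Playground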

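--- a/docs/deploymentguide.md
+++ b/docs/deploymentguide.md
@@ -202,8 +202,22 @@ Edit `infra/main.bicepparam` or set environment variables:
 | `postgreSqlNetworkIsolation` | PostgreSQL private networking toggle (defaults to `networkIsolation`) | `networkIsolation` |
 | `useExistingVNet` | Reuse an existing VNet | `false` |
 | `existingVnetResourceId` | Existing VNet resource ID (when `useExistingVNet=true`) | `` |
-| `vmUserName` | Jump box VM admin username | `` |
-| `vmAdminPassword` | Jump box VM admin password | (prompted) |
+| `vmUserName` | Jump box VM admin username | `VM_ADMIN_USERNAME` env var or `testvmuser` |
+| `vmAdminPassword` | Jump box VM admin password | `VM_ADMIN_PASSWORD` env var |
+
+For network-isolated deployments, set the VM credentials before running `azd up`:
+
+```powershell
+azd env set VM_ADMIN_USERNAME "youradminuser"
+azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+```
+
+If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
+
+```bicep
+param vmUserName = 'youradminuser'
+param vmAdminPassword = 'Use-A-Strong-Password-Here!'
+```
 
 </details>
 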

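--- a/docs/post_deployment_steps.md
+++ b/docs/post_deployment_steps.md
@@ -209,9 +209,10 @@ For network-isolated deployments, use Azure Bastion to access resources:
 
 ![Image showing bastion blade](../img/provisioning/checkNetworkIsolation7.png)
 
-4. Enter the VM admin credentials (set during deployment) and click **Connect**
-- Admin username: `vmUserName` in [infra/main.bicep](../infra/main.bicep)
-- Admin password: `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam) (defaults to the `VM_ADMIN_PASSWORD` environment variable)
+4. Enter the VM admin credentials and click **Connect**
+- Admin username: `vmUserName` in [infra/main.bicepparam](../infra/main.bicepparam) or the `VM_ADMIN_USERNAME` environment variable
+- Admin password: `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam) or the `VM_ADMIN_PASSWORD` environment variable
+- If `vmUserName` is not set in the top layer, the effective default is `testvmuser`
 - If you do not have them, reset the password in **Azure Portal****Virtual machine****Reset password**.
 
 ![Image showing bastion login](../img/provisioning/checkNetworkIsolation8.png)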

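--- a/docs/quota_check.md
+++ b/docs/quota_check.md
@@ -1,64 +1,97 @@
 # Check Quota Availability Before Deployment
 
-Before deploying the accelerator, **ensure sufficient quota availability** for the required model.
-> **We recommend increasing the capacity to 100k tokens for optimal performance.**
+Before deploying the accelerator, **ensure sufficient quota availability** for the required AI models and Fabric capacity.
+> **The default capacities match the deployment parameters in `infra/main.bicepparam`.**
 
 ## Login if you have not done so already
 ```
 az login
 ```
 
 ## 📌 Default Models & Capacities:
+These match the `modelDeploymentList` in the Bicep parameters:
 ```
-gpt-4o:150, gpt-4o-mini:150, gpt-4:150, text-embedding-3-small:100
+gpt-4.1-mini:40:GlobalStandard, text-embedding-3-large:40:Standard
 ```
+
 ## 📌 Default Regions:
 ```
-eastus, uksouth, eastus2, northcentralus, swedencentral, westus, westus2, southcentralus, canadacentral, australiaeast, japaneast, norwayeast
+eastus, eastus2, swedencentral, uksouth, westus, westus2, southcentralus, canadacentral, australiaeast, japaneast, norwayeast
 ```
+
+## 📌 Optional: Fabric Capacity Check
+The accelerator also deploys a **Microsoft Fabric F8** capacity. Pass `--check-fabric` (bash) or `-CheckFabric` (PowerShell) to verify Fabric SKU availability.
+
 ## Usage Scenarios:
 - No parameters passed → Default models and capacities will be checked in default regions.
 - Only model(s) provided → The script will check for those models in the default regions.
 - Only region(s) provided → The script will check default models in the specified regions.
 - Both models and regions provided → The script will check those models in the specified regions.
 - `--verbose` passed → Enables detailed logging output for debugging and traceability.
+- `--check-fabric` passed → Also checks Microsoft Fabric capacity availability.
 
-## **Input Formats**
-> Use the --models, --regions, and --verbose options for parameter handling:
+## **Input Formats — Bash**
+> Use the --models, --regions, --verbose, and --check-fabric options for parameter handling:
 
-✔️ Run without parameters to check default models & regions without verbose logging:
-```
-./quota_check.sh
+✔️ Run without parameters to check default models & regions:
+```sh
+./quota_check.sh
 ```
 ✔️ Enable verbose logging:
-```
-./quota_check.sh --verbose
+```sh
+./quota_check.sh --verbose
 ```
 ✔️ Check specific model(s) in default regions:
-```
-./quota_check.sh --models gpt-4o:150,text-embedding-3-small:100
+```sh
+./quota_check.sh --models gpt-4.1-mini:40:GlobalStandard,text-embedding-3-large:40:Standard
 ```
 ✔️ Check default models in specific region(s):
-```
-./quota_check.sh --regions eastus,westus
-```
-✔️ Passing Both models and regions:
-```
-./quota_check.sh --models gpt-4o:150 --regions eastus,westus2
+```sh
+./quota_check.sh --regions eastus,westus
 ```
 ✔️ All parameters combined:
+```sh
+./quota_check.sh --models gpt-4.1-mini:40 --regions eastus,westus --verbose
+```
+✔️ Also check Fabric capacity availability:
+```sh
+./quota_check.sh --check-fabric --verbose
 ```
-./quota_check.sh --models gpt-4:150,text-embedding-3-small:100 --regions eastus,westus --verbose
+
+## **Input Formats — PowerShell**
+> Use the -Models, -Regions, -Verbose, and -CheckFabric parameters:
+
+✔️ Run without parameters:
+```powershell
+.\quota_check.ps1
+```
+✔️ Check specific model(s):
+```powershell
+.\quota_check.ps1 -Models "gpt-4.1-mini:40:GlobalStandard,text-embedding-3-large:40:Standard"
 ```
-✔️ Multiple models with single region:
+✔️ Check specific region(s):
+```powershell
+.\quota_check.ps1 -Regions "eastus,westus2"
 ```
-./quota_check.sh --models gpt-4:150,text-embedding-3-small:100 --regions eastus2 --verbose
+✔️ All parameters combined:
+```powershell
+.\quota_check.ps1 -Models "gpt-4.1-mini:40" -Regions "eastus,westus" -CheckFabric -Verbose
 ```
 
 ## **Sample Output**
 The final table lists regions with available quota. You can select any of these regions for deployment.
 
-![quota-check-output](../img/Documentation/quota-check-output.png)
+```
+╔══════════════════════════════════════════════════════════════╗
+║ QUOTA CHECK SUMMARY ║
+╚══════════════════════════════════════════════════════════════╝
+
+Region gpt-4.1-mini text-embedding-3-large Status
+──────────────────────────────────────────────────────────────────────────────────────────
+eastus ✅ 200/240 (need 40) ✅ 120/200 (need 40) ✅ PASS
+eastus2 ❌ 10/240 (need 40) ✅ 50/200 (need 40) ❌ FAIL
+swedencentral ✅ 100/240 (need 40) ✅ 80/200 (need 40) ✅ PASS
+```
 
 ---
 ## **If using Azure Portal and Cloud Shell**
@@ -74,22 +107,33 @@ The final table lists regions with available quota. You can select any of these
 chmod +x quota_check.sh
 ./quota_check.sh
 ```
-- Refer to [Input Formats](#input-formats) for detailed commands.
+- Refer to [Input Formats — Bash](#input-formats--bash) for detailed commands.
 
 ## **If using VS Code or Codespaces**
+
+### Option 1: Bash (Linux, macOS, Git Bash, WSL, Cloud Shell)
 1. Open the terminal in VS Code or Codespaces.
-2. Use a terminal that can run bash. This is only for the quota check script; deployment uses PowerShell.
+2. Use a terminal that can run bash.
 ![git_bash](../img/provisioning/git_bash.png)
-3. Navigate to the `scripts` folder where the script files are located and make the script as executable:
+3. Navigate to the `scripts` folder and make the script executable:
 ```sh
 cd scripts
 chmod +x quota_check.sh
 ```
-4. Run the appropriate script based on your requirement:
-
-**To check quota for the deployment**
-
+4. Run the script:
 ```sh
 ./quota_check.sh
 ```
-- Refer to [Input Formats](#input-formats) for detailed commands.
+- Refer to [Input Formats — Bash](#input-formats--bash) for detailed commands.
+
+### Option 2: PowerShell (Windows, Linux, macOS)
+1. Open a PowerShell terminal in VS Code.
+2. Navigate to the `scripts` folder:
+```powershell
+cd scripts
+```
+3. Run the script:
+```powershell
+.\quota_check.ps1
+```
+- Refer to [Input Formats — PowerShell](#input-formats--powershell) for detailed commands.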

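--- a/infra/main.bicepparam
+++ b/infra/main.bicepparam
@@ -9,7 +9,7 @@ param location = readEnvironmentVariable('AZURE_LOCATION', '')
 param cosmosLocation = readEnvironmentVariable('AZURE_COSMOS_LOCATION', '')
 // Entra object ID of the identity to grant RBAC (user, group, service principal, or UAI). Set this if Graph lookup is blocked.
 param principalId = readEnvironmentVariable('AZURE_PRINCIPAL_ID', '')
-param principalType = 'User'
+param principalType = readEnvironmentVariable('AZURE_PRINCIPAL_TYPE', 'User')
 
 // ========================================
 // OPTIONAL INPUTS (Existing Resources)
@@ -204,7 +204,8 @@ param containerAppsList = [
 }
 ]
 
-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '$(secretOrRandomPassword)')
+param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')
+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')
 param vmSize = 'Standard_D2s_v4'
 
 // ========================================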
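Review bot: The new fallback in `param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')` commits a fixed administrator password to the repository, so every deployment that leaves `VM_ADMIN_PASSWORD` unset gets the same published jump VM credential, paired with the new fixed username default `testvmuser`. The removed line fell back to `$(secretOrRandomPassword)`, which did not produce a shared secret; keep that default, `param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '$(secretOrRandomPassword)')`, or use an empty default so that provisioning presumably stops until a password is supplied. The literal should be treated as disclosed, and any VM already provisioned with it should have its password reset. docs/deploymentguide.md in this commit also suggests keeping a password in `infra/main.bicepparam` as a source-controlled default, which carries the same exposure.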
