ci: Enhance Azure Dev workflow with submodule support and service principal configuration

.github/workflows/azd-template-validation.yml

@@ -16,6 +16,8 @@ jobs:
     name: azd template validation
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
 
       # This postprovision cleanup step (Stage 19) has been removed from azure.yaml because
       # azd down was failing in the pipeline. As a workaround, we are removing this step
@@ -24,6 +26,12 @@ jobs:
         run: |
           yq -i 'del(.hooks.postprovision[] | select(.run == "./submodules/ai-landing-zone/bicep/scripts/postprovision.ps1"))' azure.yaml
 
+      # Set principalType to ServicePrincipal for CI/CD deployment
+      - name: Configure bicepparam for service principal
+        run: |
+          sed -i "s/param principalType = 'User'/param principalType = readEnvironmentVariable('principalType', 'User')/" infra/main.bicepparam
+          sed -i "s/param principalId = ''/param principalId = readEnvironmentVariable('principalId', '')/" infra/main.bicepparam
+
       - uses: microsoft/template-validation-action@Latest
         with:
           validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
@@ -36,6 +44,9 @@ jobs:
           AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
           AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TEMP: /tmp
           fabricCapacityMode: 'none'
+          principalId: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}
+          principalType: 'ServicePrincipal'
       - name: print result
         run: cat ${{ steps.validation.outputs.resultFile }}

.github/workflows/azure-dev.yml

@@ -24,10 +24,16 @@ jobs:
       AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
       AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
       AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-      AZURE_USER_OBJECT_ID: ''
+      TEMP: /tmp
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Configure bicepparam for service principal
+        run: |
+          sed -i "s/param principalType = 'User'/param principalType = readEnvironmentVariable('principalType', 'User')/" infra/main.bicepparam
+          sed -i "s/param principalId = ''/param principalId = readEnvironmentVariable('principalId', '')/" infra/main.bicepparam
       - name: Install azd
         uses: Azure/setup-azd@v2
       - name: Azure Developer CLI Login
@@ -43,7 +49,48 @@ jobs:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - name: Get Service Principal Object ID
+        id: get-sp-id
+        run: |
+          SP_OBJECT_ID=$(az ad sp show --id ${{ vars.AZURE_CLIENT_ID }} --query id -o tsv)
+          echo "principalId=$SP_OBJECT_ID" >> $GITHUB_ENV
+          echo "Service Principal Object ID: $SP_OBJECT_ID"
+      - name: Create Resource Group if needed
+        run: |
+          # Use provided RG name or derive from environment name
+          RESOURCE_GROUP="${AZURE_RESOURCE_GROUP:-rg-${AZURE_ENV_NAME}}"
+          echo "Using resource group: $RESOURCE_GROUP"
+
+          RG_EXISTS=$(az group exists --name "$RESOURCE_GROUP")
+          if [ "$RG_EXISTS" = "false" ]; then
+            echo "Creating resource group: $RESOURCE_GROUP"
+            az group create --name "$RESOURCE_GROUP" --location ${{ vars.AZURE_LOCATION }}
+          else
+            echo "Resource group already exists: $RESOURCE_GROUP"
+          fi
+
+          # Set for subsequent steps
+          echo "RESOURCE_GROUP=$RESOURCE_GROUP" >> $GITHUB_ENV
+      - name: Configure AZD Environment
+        run: |
+          # Create environment if it doesn't exist
+          if azd env list 2>/dev/null | grep -q "${{ vars.AZURE_ENV_NAME }}"; then
+            echo "Environment ${{ vars.AZURE_ENV_NAME }} already exists, selecting it"
+            azd env select ${{ vars.AZURE_ENV_NAME }}
+          else
+            echo "Creating new environment: ${{ vars.AZURE_ENV_NAME }}"
+            azd env new ${{ vars.AZURE_ENV_NAME }} --location ${{ vars.AZURE_LOCATION }} --subscription ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          fi
+
+          # Set environment variables
+          azd env set AZURE_RESOURCE_GROUP "$RESOURCE_GROUP"
+          azd env set principalType ServicePrincipal
+          azd env set principalId $principalId
+          azd env set fabricWorkspaceMode none
       - name: Provision Infrastructure
+        id: provision-main
+        continue-on-error: true
         run: azd provision --no-prompt
         env:
            AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+           fabricWorkspaceMode: 'none'