feat: Infra Changes - Content processing #627
Draft
Dhanushree-Microsoft wants to merge 9 commits into
Align infra/avm/modules and infra/bicep/modules folder structure with the unified GSA module pattern from agentic-applications repo.
Added module categories:
- security/ (key-vault)
- fabric/ (fabric-capacity)
Added modules within existing categories:
- ai/: ai-foundry-connection, ai-foundry-model-deployment, ai-foundry-project, ai-services, existing-project-setup
- compute/: app-service-plan, app-service, container-app-environment, container-app, container-instance, function-app, kubernetes, maintenance-configuration, proximity-placement-group, virtual-machine
- data/: app-configuration, cosmos-db-nosql, event-grid, event-hub, postgresql-flexible-server, sql-database, storage-account
- identity/: cross-scope-role-assignment, role-assignments
- monitoring/: app-insights, data-collection-rule, portal-dashboard
- networking/: bastion-host, private-dns-zone, private-endpoint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copy latest main.parameters.json and main.waf.parameters.json from agentic-applications infra-core-modules-copy branch. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Reorganized both infra/avm/main.bicep and infra/bicep/main.bicep to follow the GSA-compatible code structure from the reference repo:
- Added section headers (Parameters, Variables, Monitoring, Networking, Identity, Security, AI, Data, Compute, Outputs)
- Grouped parameters by category with @description decorators
- Updated module deployment names to take('module.<name>.\', 64) pattern
- Preserved all content-processing business logic and resources
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…n.bicep files
Refactored Cosmos DB deployment to follow GSA pattern of calling local wrapper modules instead of direct AVM registry calls or inline resources:
- avm/main.bicep: replaced direct br/public:avm/res/document-db/... call with ./modules/data/cosmos-db-mongo.bicep
- bicep/main.bicep: replaced inline resource definitions with ./modules/data/cosmos-db-mongo.bicep module call
- Added primaryReadWriteConnectionString output to AVM wrapper
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update AI Foundry API version to 2025-12-01
- Fix Container Registry SKU logic (enableRedundancy || enablePrivateNetworking)
- Remove Premium-only policies from container-registry module
- Set disableLocalAuth=false for App Configuration
- Set containerRegistryEndpoint default to cpscontainerreg.azurecr.io
- Add registries:null for external registry (no auth needed)
- Reduce gptDeploymentCapacity default to 50
- Sync module format with reference toolkit
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This pull request restructures and expands the infra/ infrastructure-as-code by introducing a large set of reusable Bicep + AVM wrapper modules (AI Foundry, monitoring, networking, compute, data), updating deployment parameterization, and adding an infra/README.md to document the new layout and usage.
Changes:
- Added many new “vanilla Bicep” modules under `infra/bicep/modules/**` and AVM wrapper modules under `infra/avm/modules/**` for AI, compute, data, monitoring, networking, identity, and Fabric.
- Updated `infra/main.parameters.json` and `infra/main.waf.parameters.json` to add/reshape parameters and environment-variable-driven values.
- Added `infra/README.md` and created scripts folder scaffolding via `.gitkeep` files; removed older root-level infra modules.
Reviewed changes
Copilot reviewed 87 out of 96 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| infra/scripts/utilities/.gitkeep | Keeps utilities scripts folder in repo. |
| infra/scripts/pre-provision/.gitkeep | Keeps pre-provision scripts folder in repo. |
| infra/scripts/post-provision/.gitkeep | Keeps post-provision scripts folder in repo. |
| infra/README.md | New infra documentation (structure, usage, parameters). |
| infra/modules/managed-identity.bicep | Removed legacy root-level module (replaced by new modular structure). |
| infra/modules/log-analytics-workspace.bicep | Removed legacy root-level module (replaced by new modular structure). |
| infra/modules/container-registry.bicep | Removed legacy root-level module (replaced by new modular structure). |
| infra/main.waf.parameters.json | Updated WAF parameters file (env-var driven settings). |
| infra/main.parameters.json | Updated standard parameters file (env-var driven settings). |
| infra/bicep/modules/security/key-vault.bicep | New vanilla Key Vault module. |
| infra/bicep/modules/monitoring/workbook.bicep | New vanilla workbook module. |
| infra/bicep/modules/monitoring/portal-dashboard.bicep | New vanilla portal dashboard module. |
| infra/bicep/modules/monitoring/log-analytics.bicep | New vanilla Log Analytics workspace module. |
| infra/bicep/modules/monitoring/app-insights.bicep | New vanilla Application Insights module. |
| infra/bicep/modules/identity/role-assignments.bicep | New centralized RBAC assignment module. |
| infra/bicep/modules/identity/managed-identity.bicep | New vanilla user-assigned managed identity module. |
| infra/bicep/modules/identity/cross-scope-role-assignment.bicep | New helper for cross-scope role assignment. |
| infra/bicep/modules/fabric/fabric-capacity.bicep | New vanilla Fabric capacity module. |
| infra/bicep/modules/data/storage-account.bicep | New vanilla storage account module. |
| infra/bicep/modules/data/sql-database.bicep | New vanilla SQL Server/DB module. |
| infra/bicep/modules/data/postgresql-flexible-server.bicep | New vanilla PostgreSQL flexible server module. |
| infra/bicep/modules/data/event-hub.bicep | New vanilla Event Hub namespace module. |
| infra/bicep/modules/data/event-grid.bicep | New vanilla Event Grid system topic module. |
| infra/bicep/modules/data/cosmos-db-nosql.bicep | New vanilla Cosmos DB NoSQL module. |
| infra/bicep/modules/data/cosmos-db-mongo.bicep | New vanilla Cosmos DB Mongo module. |
| infra/bicep/modules/data/app-configuration.bicep | New vanilla App Configuration module. |
| infra/bicep/modules/compute/kubernetes.bicep | New vanilla AKS module. |
| infra/bicep/modules/compute/function-app.bicep | New vanilla Function App module. |
| infra/bicep/modules/compute/container-registry.bicep | New vanilla ACR module. |
| infra/bicep/modules/compute/container-instance.bicep | New vanilla ACI module. |
| infra/bicep/modules/compute/container-app.bicep | New vanilla Container App module. |
| infra/bicep/modules/compute/container-app-environment.bicep | New vanilla Container Apps Environment module. |
| infra/bicep/modules/compute/app-service.bicep | New vanilla App Service module. |
| infra/bicep/modules/compute/app-service-plan.bicep | New vanilla App Service Plan module. |
| infra/bicep/modules/ai/existing-project-setup.bicep | New vanilla module to reference existing Foundry project/account. |
| infra/bicep/modules/ai/ai-services.bicep | New vanilla generic AI Services module. |
| infra/bicep/modules/ai/ai-search.bicep | New vanilla AI Search module (2-step pattern). |
| infra/bicep/modules/ai/ai-search-identity.bicep | New vanilla “step 2” identity/config update for AI Search. |
| infra/bicep/modules/ai/ai-foundry.bicep | New vanilla AI Foundry account + optional project module. |
| infra/bicep/modules/ai/ai-foundry-project.bicep | New vanilla module for account+project creation. |
| infra/bicep/modules/ai/ai-foundry-model-deployment.bicep | New vanilla model deployment module. |
| infra/bicep/modules/ai/ai-foundry-connection.bicep | New vanilla project connection module. |
| infra/avm/modules/security/key-vault.bicep | New AVM wrapper for Key Vault. |
| infra/avm/modules/networking/virtual-network.bicep | New AVM wrapper for VNet/Subnets/NSGs. |
| infra/avm/modules/networking/private-endpoint.bicep | New AVM wrapper for private endpoint. |
| infra/avm/modules/networking/private-dns-zone.bicep | New AVM wrapper for private DNS zone. |
| infra/avm/modules/networking/bastion-host.bicep | New AVM wrapper for Bastion host. |
| infra/avm/modules/monitoring/workbook.bicep | New AVM workbook module. |
| infra/avm/modules/monitoring/portal-dashboard.bicep | New AVM portal dashboard module. |
| infra/avm/modules/monitoring/log-analytics.bicep | New AVM Log Analytics module. |
| infra/avm/modules/monitoring/data-collection-rule.bicep | New AVM data collection rule module. |
| infra/avm/modules/monitoring/app-insights.bicep | New AVM Application Insights module. |
| infra/avm/modules/identity/managed-identity.bicep | New AVM managed identity wrapper module. |
| infra/avm/modules/identity/cross-scope-role-assignment.bicep | New AVM helper for cross-scope role assignment. |
| infra/avm/modules/fabric/fabric-capacity.bicep | New AVM Fabric capacity wrapper module. |
| infra/avm/modules/data/storage-account.bicep | New AVM storage account wrapper module. |
| infra/avm/modules/data/sql-database.bicep | New AVM SQL wrapper module. |
| infra/avm/modules/data/postgresql-flexible-server.bicep | New AVM PostgreSQL wrapper module. |
| infra/avm/modules/data/event-hub.bicep | New AVM Event Hub wrapper module. |
| infra/avm/modules/data/event-grid.bicep | New AVM Event Grid wrapper module. |
| infra/avm/modules/data/cosmos-db-nosql.bicep | New AVM Cosmos NoSQL wrapper module. |
| infra/avm/modules/data/cosmos-db-mongo.bicep | New AVM Cosmos Mongo wrapper module. |
| infra/avm/modules/data/app-configuration.bicep | New AVM App Configuration wrapper module. |
| infra/avm/modules/compute/virtual-machine.bicep | New AVM VM wrapper module. |
| infra/avm/modules/compute/proximity-placement-group.bicep | New AVM PPG wrapper module. |
| infra/avm/modules/compute/maintenance-configuration.bicep | New AVM maintenance configuration wrapper module. |
| infra/avm/modules/compute/kubernetes.bicep | New AVM AKS wrapper module. |
| infra/avm/modules/compute/function-app.bicep | New AVM Function App wrapper module. |
| infra/avm/modules/compute/container-registry.bicep | New AVM ACR wrapper module. |
| infra/avm/modules/compute/container-instance.bicep | New AVM ACI wrapper module. |
| infra/avm/modules/compute/container-app.bicep | New AVM Container App wrapper module. |
| infra/avm/modules/compute/container-app-workflow.bicep | New AVM workflow container app composition module. |
| infra/avm/modules/compute/container-app-web.bicep | New AVM web container app composition module. |
| infra/avm/modules/compute/container-app-processor.bicep | New AVM processor container app composition module. |
| infra/avm/modules/compute/container-app-environment.bicep | New AVM Container Apps Environment wrapper module. |
| infra/avm/modules/compute/container-app-api.bicep | New AVM API container app composition module. |
| infra/avm/modules/compute/app-service.bicep | New AVM App Service wrapper module. |
| infra/avm/modules/compute/app-service-plan.bicep | New AVM App Service Plan wrapper module. |
| infra/avm/modules/ai/modules/project.bicep | New AVM project submodule (project creation / reuse). |
| infra/avm/modules/ai/modules/keyVaultExport.bicep | New AVM helper to export secrets to Key Vault. |
| infra/avm/modules/ai/existing-project-setup.bicep | New AVM module to reference existing Foundry project/account. |
| infra/avm/modules/ai/ai-services.bicep | New AVM generic AI Services wrapper module. |
| infra/avm/modules/ai/ai-search.bicep | New AVM AI Search wrapper module (2-step pattern). |
| infra/avm/modules/ai/ai-foundry.bicep | Updated AVM AI Foundry module (resolved defaults for RBAC/deployments). |
| infra/avm/modules/ai/ai-foundry-project.bicep | New AVM module for account+project provisioning. |
| infra/avm/modules/ai/ai-foundry-model-deployment.bicep | New AVM model deployment module. |
| infra/avm/modules/ai/ai-foundry-connection.bicep | New AVM project connection module. |
Comment on lines +55 to +72
| resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-10-15' = { | ||
| parent: cosmos | ||
| name: databaseName | ||
| properties: { | ||
| resource: { id: databaseName } | ||
| } | ||
|
|
||
| resource list 'containers' = [for container in containers: { | ||
| name: container.name | ||
| properties: { | ||
| resource: { | ||
| id: container.name | ||
| partitionKey: { paths: [ container.partitionKeyPath ] } | ||
| } | ||
| options: {} | ||
| } | ||
| }] | ||
| } |
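Review bot: the container loop sets `options: {}` for every container, so throughput is left to the service default instead of a value the module controls; either expose a throughput/autoscale parameter and set it under `options`, or put shared throughput on the `database` resource above and state that in the module description. The `database` resource itself declares no `options` while its children do, which leaves the intended throughput model unclear to the next reader.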
Comment on lines +84 to +92
| resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { | ||
| name: guid(containerRegistryName, solutionName, 'acr-pull') | ||
| scope: containerRegistry | ||
| properties: { | ||
| principalId: managedIdentityPrincipalId | ||
| principalType: 'ServicePrincipal' | ||
| roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.acrPull) | ||
| } | ||
| } |
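Review bot: the role assignment name `guid(containerRegistryName, solutionName, 'acr-pull')` does not include `managedIdentityPrincipalId`, so if the identity is ever recreated the next deployment tries to change the principal of an existing role assignment, which ARM rejects (principal ID and scope of a role assignment cannot be updated, only deleted and recreated). Seed the name with the principal and the role instead, e.g. `name: guid(containerRegistry.id, managedIdentityPrincipalId, roleDefinitions.acrPull)`.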
Comment on lines +98 to +106
| resource contentProcessorBlobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { | ||
| name: guid(storageAccountName, 'app', 'blob') | ||
| scope: storageAccount | ||
| properties: { | ||
| principalId: contentProcessorAppPrincipalId | ||
| principalType: 'ServicePrincipal' | ||
| roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.storageBlobDataContributor) | ||
| } | ||
| } |
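Review bot: same naming problem as the ACR assignment: `guid(storageAccountName, 'app', 'blob')` omits `contentProcessorAppPrincipalId` and the role, so a replaced identity collides with the existing assignment on redeploy; use `guid(storageAccount.id, contentProcessorAppPrincipalId, roleDefinitions.storageBlobDataContributor)`. Also confirm the processor actually writes blobs; if it only reads input documents, Storage Blob Data Reader is the least-privilege choice and this module is the one place to decide that.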
Comment on lines +35 to +37
| "imageTag": { | ||
| "value": "${AZURE_ENV_IMAGE_TAG}" | ||
| }, |
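Review bot: `${AZURE_ENV_IMAGE_TAG}` has no fallback, so when the variable is unset azd substitutes an empty string and the container image reference ends with an empty tag, failing at pull time with an unhelpful error. Either give it a default with azd's `${AZURE_ENV_IMAGE_TAG=<default>}` syntax or list the variable as required in `infra/README.md`; for the WAF flavor, pinning the image by digest rather than a mutable tag would also make the deployed artifact reproducible.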
Comment on lines +50 to +55
| "azureAiServiceLocation": { | ||
| "value": "${AZURE_ENV_AI_SERVICE_LOCATION}" | ||
| }, | ||
| "containerRegistryName": { | ||
| "value": "${AZURE_ENV_CONTAINER_REGISTRY_NAME}" | ||
| }, |
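Review bot: `containerRegistryName` and `azureAiServiceLocation` are read from environment variables with no default, while the commit messages in this PR ("Set containerRegistryEndpoint default to cpscontainerreg.azurecr.io", "Add registries:null for external registry (no auth needed)") say images are pulled anonymously from an external registry. Document which of the two registry settings takes precedence and add parameter validation on the Bicep side (`@minLength` or an allowed pattern for the registry, `@allowed` for the location) so an empty or mistyped value cannot quietly point pulls at the wrong registry.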
Comment on lines +79 to +94
| { | ||
| name: 'APP_WEB_CLIENT_ID' | ||
| value: '<APP_REGISTRATION_CLIENTID>' | ||
| } | ||
| { | ||
| name: 'APP_WEB_AUTHORITY' | ||
| value: '${environment().authentication.loginEndpoint}/${tenant().tenantId}' | ||
| } | ||
| { | ||
| name: 'APP_WEB_SCOPE' | ||
| value: '<FRONTEND_API_SCOPE>' | ||
| } | ||
| { | ||
| name: 'APP_API_SCOPE' | ||
| value: '<BACKEND_API_SCOPE>' | ||
| } |
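Review bot: `APP_WEB_CLIENT_ID`, `APP_WEB_SCOPE` and `APP_API_SCOPE` are deployed with the literal placeholders `<APP_REGISTRATION_CLIENTID>`, `<FRONTEND_API_SCOPE>` and `<BACKEND_API_SCOPE>`, so the web app ships with a non-functional authentication configuration until someone edits the revision by hand. Turn them into `param`s with `@description` and either require them or populate them from a post-provision step (the `infra/scripts/post-provision/` folder added in this PR is the natural home); the `APP_WEB_AUTHORITY` entry shows the better pattern of deriving the value from `environment()` and `tenant()`.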
Comment on lines +55 to +61
| administrators: { | ||
| login: deployerPrincipalId | ||
| sid: deployerPrincipalId | ||
| tenantId: subscription().tenantId | ||
| administratorType: 'ActiveDirectory' | ||
| azureADOnlyAuthentication: true | ||
| } |
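Review bot: `login: deployerPrincipalId` sets the administrator login to the object ID; `login` is the display name or UPN shown as the Entra admin and `sid` is the object ID, so pass a separate principal-name parameter (or document why the ID is reused). The block also omits `principalType` (`User`, `Group` or `Application`), which matters when the deployer is a CI service principal rather than a user. Keeping `azureADOnlyAuthentication: true` is the right call and should stay.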
Comment on lines +65 to +71
| resource firewallRule 'Microsoft.Sql/servers/firewallRules@2025-01-01' = { | ||
| name: 'AllowSpecificRange' | ||
| parent: sqlServer | ||
| properties: { | ||
| startIpAddress: '0.0.0.0' | ||
| endIpAddress: '255.255.255.255' | ||
| } |
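Review bot: the rule named `AllowSpecificRange` actually spans `0.0.0.0` to `255.255.255.255`, i.e. the whole IPv4 address space, so the SQL server accepts connections from any public IP and relies on Entra-only authentication as its sole barrier. Remove the rule or gate it behind a parameter that defaults to false; if the intent is "allow Azure services", the special range is `0.0.0.0`–`0.0.0.0`; and in the WAF flavor set `publicNetworkAccess: 'Disabled'` and front the server with the `networking/private-endpoint` module added in this PR. At minimum rename the rule so its name matches what it does.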
Comment on lines +70 to +77
| resource firewallAllowAll 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2026-01-01-preview' = { | ||
| name: 'AllowAll' | ||
| parent: postgresServer | ||
| properties: { | ||
| startIpAddress: '0.0.0.0' | ||
| endIpAddress: '255.255.255.255' | ||
| } | ||
| } |
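Review bot: `firewallAllowAll` opens the PostgreSQL flexible server to `0.0.0.0`–`255.255.255.255`; with public access enabled that exposes the database endpoint to the entire internet. Remove it or make it opt-in via a parameter defaulting to false, and prefer private access (VNet integration or a private endpoint) for the WAF flavor. The resource also targets a preview API version (`2026-01-01-preview`); pin a GA version unless a preview-only property is actually needed.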
| | `gptModelName` | No | GPT model name, default: `gpt-5.1` | | ||
| | `deploymentType` | No | `GlobalStandard` (default) or `Standard` | | ||
| | `gptModelVersion` | No | Model version, default: `2025-11-13` | | ||
| | `gptDeploymentCapacity` | No | TPM capacity, default: `300` | |
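Review bot: the README table gives the `gptDeploymentCapacity` default as `300`, but the commit "Reduce gptDeploymentCapacity default to 50" in this PR changes it to 50; update the table to the parameter's real default (and re-check `gptModelName`, `gptModelVersion` and `deploymentType` against the Bicep defaults the same way) so operators do not size quota from the wrong number.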
Purpose
This pull request introduces significant improvements and modularization to the infrastructure-as-code for Azure AI Services and AI Foundry projects, with a focus on reusability, clarity, and automation. The changes include new Bicep modules for AI Foundry resources, enhancements to role assignment and deployment parameterization, and improved documentation for the infrastructure folder. These updates make deployments more flexible, easier to maintain, and better aligned with Azure best practices.
Key changes:
New AI Foundry Bicep Modules
- ai-foundry-project.bicep), model deployment (`ai-foundry-model-deployment.bicep`), and project connections (`ai-foundry-connection.bicep`), enabling reusable, parameter-driven deployments of AI resources. [1] [2] [3]
Enhanced Role Assignment and Deployment Logic
- `ai-foundry.bicep`) to support automatic role assignment for processor and workflow managed identities, and to allow default GPT model deployment parameters to be specified directly, reducing manual configuration. [1] [2] [3]
- `resolvedRoleAssignments` and `resolvedDeployments` variables to inject defaults when explicit values are not provided.
Improved Parameter Handling
Integration of Resolved Parameters
- `resolvedRoleAssignments` and `resolvedDeployments`, ensuring that the new logic for defaults and overrides is consistently applied throughout deployments. [1] [2]
Documentation and Usability
- `infra/README.md` describing the folder structure, deployment flavors, usage instructions, and parameter definitions, improving onboarding and maintainability for the infrastructure codebase.
Does this introduce a breaking change?
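The "resolved defaults" pattern the description refers to (`resolvedRoleAssignments` and `resolvedDeployments` injecting defaults only when the caller passes nothing), sketched below as an added illustration; this is not the PR's `ai-foundry.bicep`. The parameter names, the `2024-10-01` account API version, and the choice of the Cognitive Services OpenAI User role for the two identities are assumptions; the role-assignment name is seeded with account, principal and role so that replacing an identity creates a new assignment instead of colliding with an existing one.

```bicep
// Added illustration of the resolved-defaults pattern; all names are assumptions.
@description('Existing AI Foundry (Cognitive Services) account to configure.')
param accountName string

@description('Principal ID of the processor managed identity (assumed parameter).')
param processorPrincipalId string

@description('Principal ID of the workflow managed identity (assumed parameter).')
param workflowPrincipalId string

@description('Explicit role assignments; an empty array means "use the defaults".')
param roleAssignments array = []

@description('Explicit model deployments; an empty array means "use the defaults".')
param deployments array = []

@description('Default GPT deployment settings, overridable by the caller.')
param gptModelName string = 'gpt-5.1'
param gptModelVersion string = '2025-11-13'
param gptDeploymentCapacity int = 50

// Cognitive Services OpenAI User: least-privilege data-plane role for calling
// deployments. Built-in role definition IDs are the same in every tenant.
var cognitiveServicesOpenAIUser = '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'

// Defaults: both workload identities get the data-plane role, nothing more.
var defaultRoleAssignments = [
  for principalId in [processorPrincipalId, workflowPrincipalId]: {
    principalId: principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: cognitiveServicesOpenAIUser
  }
]

var defaultDeployments = [
  {
    name: gptModelName
    model: { format: 'OpenAI', name: gptModelName, version: gptModelVersion }
    sku: { name: 'GlobalStandard', capacity: gptDeploymentCapacity }
  }
]

// Inject defaults only when the caller supplied nothing; explicit input wins.
var resolvedRoleAssignments = empty(roleAssignments) ? defaultRoleAssignments : roleAssignments
var resolvedDeployments = empty(deployments) ? defaultDeployments : deployments

resource account 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = {
  name: accountName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
  for ra in resolvedRoleAssignments: {
    // Seed with scope, principal and role: a recreated identity yields a new
    // assignment name rather than an update of an immutable existing one.
    name: guid(account.id, ra.principalId, ra.roleDefinitionId)
    scope: account
    properties: {
      principalId: ra.principalId
      principalType: ra.principalType
      roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ra.roleDefinitionId)
    }
  }
]

// Model deployments on one account must be created sequentially.
@batchSize(1)
resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2024-10-01' = [
  for d in resolvedDeployments: {
    parent: account
    name: d.name
    sku: d.sku
    properties: { model: d.model }
  }
]

output resolvedRoleAssignmentCount int = length(resolvedRoleAssignments)
output resolvedDeploymentNames array = [for d in resolvedDeployments: d.name]
```

Passing an explicit `roleAssignments` array bypasses the defaults entirely, so a caller that needs a different role for one identity must restate both entries; that is the trade-off of the empty-array convention and worth noting in the module's `@description`.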