fix: update post-deployment scripts to install Python dependencies for the user and enhance README instructions

Author: Abdul-Microsoft

README.md

@@ -204,9 +204,9 @@ When Deployment is complete:
 1. Run the post-deployment setup script to configure the Function App client key and create PostgreSQL tables (if applicable). Open [Azure Cloud Shell](https://shell.azure.com) (Bash) and run:
 
     ```bash
+    az login
     git clone https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator.git
     cd chat-with-your-data-solution-accelerator
-    pip install -r scripts/data_scripts/requirements.txt
     bash scripts/post_deployment_setup.sh "<your-resource-group-name>"
     ```
 

docs/AVMPostDeploymentGuide.md

@@ -12,26 +12,13 @@ Ensure you have a **Deployed Infrastructure** - A successful Chat with your data
 
 ## Post Deployment Steps
 
-### Step 1: Run Post-Deployment Setup Script
-
-Run the post-deployment script to configure the Function App client key and create PostgreSQL tables (if applicable). Open [Azure Cloud Shell](https://shell.azure.com) (Bash) and run:
-
-```bash
-git clone https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator.git
-cd chat-with-your-data-solution-accelerator
-pip install -r scripts/data_scripts/requirements.txt
-bash scripts/post_deployment_setup.sh "<your-resource-group-name>"
-```
-
-> **Note:** The script auto-discovers all resources in the resource group. It handles private networking (WAF) deployments by temporarily enabling public access, performing the setup, then restoring the original state.
-
-### Step 2: Configure App Authentication
+### Step 1: Configure App Authentication
 
 1. After deployment is complete, navigate to your Azure App Service in the Azure portal
 2. Follow the detailed instructions in [Set Up Authentication in Azure App Service](./azure_app_service_auth_setup.md) to add authentication to your web app
 3. This will ensure only authorized users can access your application
 
-### Step 3: Access and Configure the Admin Site
+### Step 2: Access and Configure the Admin Site
 
 1. **Navigate to the admin site** using the following URL pattern:
    ```
@@ -49,7 +36,7 @@ bash scripts/post_deployment_setup.sh "<your-resource-group-name>"
    - Wait for the documents to be processed and indexed
    - Verify successful ingestion through the admin interface
 
-### Step 4: Access the Chat Application
+### Step 3: Access the Chat Application
 
 1. **Navigate to the main chat application** using this URL pattern:
    ```

scripts/post_deployment_setup.ps1

@@ -107,9 +107,10 @@ else {
                 $existingAssignment = az role assignment list --assignee $currentUserOid --role $kvSecretsUserRoleId --scope $kvResourceId --query "[0].id" -o tsv 2>$null
                 if (-not $existingAssignment) {
                     Write-Host "✓ Assigning 'Key Vault Secrets User' role to current user on Key Vault..."
-                    az role assignment create --assignee-object-id $currentUserOid --assignee-principal-type User --role $kvSecretsUserRoleId --scope $kvResourceId | Out-Null
+                    $roleOutput = az role assignment create --assignee-object-id $currentUserOid --assignee-principal-type User --role $kvSecretsUserRoleId --scope $kvResourceId 2>&1 | Out-String
                     if ($LASTEXITCODE -ne 0) {
-                        Write-Warning "⚠ Failed to assign Key Vault Secrets User role. You may not have Owner/User Access Administrator permissions."
+                        Write-Warning "⚠ Failed to assign Key Vault Secrets User role."
+                        Write-Warning "  $roleOutput"
                     } else {
                         Write-Host "✓ Role assigned. Waiting 30s for propagation..."
                         Start-Sleep -Seconds 30
@@ -127,9 +128,9 @@ else {
         if ($kvPublicAccess -eq "Disabled") {
             Write-Host "Key Vault has public access disabled (private networking detected)."
             Write-Host "✓ Temporarily enabling public access on Key Vault '$keyVaultName'..."
-            az keyvault update --name $keyVaultName --resource-group $ResourceGroupName --public-network-access Enabled | Out-Null
+            $kvOutput = az keyvault update --name $keyVaultName --resource-group $ResourceGroupName --public-network-access Enabled 2>&1 | Out-String
             if ($LASTEXITCODE -ne 0) {
-                Write-Error "✗ Failed to enable public access on Key Vault. Cannot proceed."
+                Write-Error "✗ Failed to enable public access on Key Vault. Cannot proceed.`n  $kvOutput"
                 exit 1
             }
             $resourcesToRestore += @{ type = "keyvault"; name = $keyVaultName }
@@ -198,10 +199,10 @@ else {
     if ($pgPublicAccess -eq "Disabled") {
         Write-Host "PostgreSQL has public access disabled (private networking detected)."
         Write-Host "✓ Temporarily enabling public access on PostgreSQL '$serverName'..."
-        az postgres flexible-server update --resource-group $ResourceGroupName --name $serverName --public-access Enabled 2>$null | Out-Null
+        $pgOutput = az postgres flexible-server update --resource-group $ResourceGroupName --name $serverName --public-access Enabled 2>&1 | Out-String
         if ($LASTEXITCODE -ne 0) {
             Restore-NetworkAccess
-            Write-Error "✗ Failed to enable public access on PostgreSQL. Cannot proceed."
+            Write-Error "✗ Failed to enable public access on PostgreSQL. Cannot proceed.`n  $pgOutput"
             exit 1
         }
         $resourcesToRestore += @{ type = "postgres"; name = $serverName }
@@ -247,14 +248,15 @@ else {
     $addedPgAdmin = $false
     if (-not $isAdmin) {
         Write-Host "✓ Adding current user as PostgreSQL Entra administrator..."
-        az postgres flexible-server ad-admin create `
+        $adminOutput = az postgres flexible-server ad-admin create `
             --resource-group $ResourceGroupName `
             --server-name $serverName `
             --display-name $currentUserUpn `
             --object-id $currentUserOid `
-            --type User 2>$null | Out-Null
+            --type User 2>&1 | Out-String
         if ($LASTEXITCODE -ne 0) {
             Write-Warning "⚠ Failed to add current user as PostgreSQL admin. Table creation may fail."
+            Write-Warning "  $adminOutput"
         } else {
             $addedPgAdmin = $true
             Write-Host "✓ PostgreSQL admin added. Waiting 60s for propagation..."
@@ -270,7 +272,7 @@ else {
         $requirementsFile = Join-Path $scriptDir "data_scripts" "requirements.txt"
         if (Test-Path $requirementsFile) {
             Write-Host "✓ Installing Python dependencies..."
-            pip install -r $requirementsFile
+            pip install --user -r $requirementsFile 2>&1 | Out-Null
         }
 
         Write-Host "✓ Creating tables..."

scripts/post_deployment_setup.sh

@@ -73,11 +73,13 @@ else
                 EXISTING_ASSIGNMENT=$(az role assignment list --assignee "$CURRENT_USER_OID" --role "$KV_SECRETS_USER_ROLE_ID" --scope "$KV_RESOURCE_ID" --query "[0].id" -o tsv 2>/dev/null || true)
                 if [ -z "$EXISTING_ASSIGNMENT" ]; then
                     echo "✓ Assigning 'Key Vault Secrets User' role to current user on Key Vault..."
-                    if az role assignment create --assignee-object-id "$CURRENT_USER_OID" --assignee-principal-type User --role "$KV_SECRETS_USER_ROLE_ID" --scope "$KV_RESOURCE_ID" > /dev/null 2>&1; then
+                    ROLE_ERR=$(az role assignment create --assignee-object-id "$CURRENT_USER_OID" --assignee-principal-type User --role "$KV_SECRETS_USER_ROLE_ID" --scope "$KV_RESOURCE_ID" 2>&1 > /dev/null) || true
+                    if [ $? -eq 0 ] && [ -z "$ROLE_ERR" ] || az role assignment list --assignee "$CURRENT_USER_OID" --role "$KV_SECRETS_USER_ROLE_ID" --scope "$KV_RESOURCE_ID" --query "[0].id" -o tsv 2>/dev/null | grep -q .; then
                         echo "✓ Role assigned. Waiting 30s for propagation..."
                         sleep 30
                     else
-                        echo "⚠ WARNING: Failed to assign Key Vault Secrets User role. You may not have Owner/User Access Administrator permissions."
+                        echo "⚠ WARNING: Failed to assign Key Vault Secrets User role."
+                        echo "  $ROLE_ERR"
                     fi
                 else
                     echo "✓ Current user already has 'Key Vault Secrets User' role on Key Vault."
@@ -92,8 +94,10 @@ else
         if [ "$KV_PUBLIC_ACCESS" = "Disabled" ]; then
             echo "Key Vault has public access disabled (private networking detected)."
             echo "✓ Temporarily enabling public access on Key Vault '${KEY_VAULT_NAME}'..."
-            if ! az keyvault update --name "$KEY_VAULT_NAME" --resource-group "$RESOURCE_GROUP" --public-network-access Enabled > /dev/null 2>&1; then
+            KV_ERR=$(az keyvault update --name "$KEY_VAULT_NAME" --resource-group "$RESOURCE_GROUP" --public-network-access Enabled 2>&1 > /dev/null) || true
+            if [ -n "$KV_ERR" ]; then
                 echo "✗ ERROR: Failed to enable public access on Key Vault. Cannot proceed." >&2
+                echo "  $KV_ERR" >&2
                 exit 1
             fi
             RESTORE_KV_NAME="$KEY_VAULT_NAME"
@@ -129,8 +133,10 @@ else
         URI="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.Web/sites/${FUNCTION_APP_NAME}/host/default/functionKeys/clientKey?api-version=2023-01-01"
         BODY="{\"properties\":{\"name\":\"ClientKey\",\"value\":\"${FUNCTION_KEY}\"}}"
 
-        if ! az rest --method put --uri "$URI" --body "$BODY" > /dev/null 2>&1; then
+        REST_ERR=$(az rest --method put --uri "$URI" --body "$BODY" 2>&1 > /dev/null) || true
+        if [ -n "$REST_ERR" ]; then
             echo "✗ ERROR: Failed to set function key on '${FUNCTION_APP_NAME}'." >&2
+            echo "  $REST_ERR" >&2
             restore_network_access
             exit 1
         fi
@@ -157,8 +163,10 @@ else
     if [ "$PG_PUBLIC_ACCESS" = "Disabled" ]; then
         echo "PostgreSQL has public access disabled (private networking detected)."
         echo "✓ Temporarily enabling public access on PostgreSQL '${SERVER_NAME}'..."
-        if ! az postgres flexible-server update --resource-group "$RESOURCE_GROUP" --name "$SERVER_NAME" --public-access Enabled > /dev/null 2>&1; then
+        PG_ERR=$(az postgres flexible-server update --resource-group "$RESOURCE_GROUP" --name "$SERVER_NAME" --public-access Enabled 2>&1 > /dev/null) || true
+        if [ -n "$PG_ERR" ]; then
             echo "✗ ERROR: Failed to enable public access on PostgreSQL. Cannot proceed." >&2
+            echo "  $PG_ERR" >&2
             restore_network_access
             exit 1
         fi
@@ -215,17 +223,19 @@ else
     fi
     if [ "$IS_ADMIN" = "false" ]; then
         echo "✓ Adding current user as PostgreSQL Entra administrator..."
-        if az postgres flexible-server ad-admin create \
+        ADMIN_ERR=$(az postgres flexible-server ad-admin create \
             --resource-group "$RESOURCE_GROUP" \
             --server-name "$SERVER_NAME" \
             --display-name "$CURRENT_USER_UPN" \
             --object-id "$CURRENT_USER_OID" \
-            --type User > /dev/null 2>&1; then
+            --type User 2>&1 > /dev/null) || true
+        if [ -z "$ADMIN_ERR" ]; then
             ADDED_PG_ADMIN=true
             echo "✓ PostgreSQL admin added. Waiting 60s for propagation..."
             sleep 60
         else
             echo "⚠ WARNING: Failed to add current user as PostgreSQL admin. Table creation may fail."
+            echo "  $ADMIN_ERR"
         fi
     else
         echo "✓ Current user is already a PostgreSQL Entra administrator."
@@ -256,7 +266,7 @@ else
     REQUIREMENTS_FILE="${SCRIPT_DIR}/data_scripts/requirements.txt"
     if [ -f "$REQUIREMENTS_FILE" ]; then
         echo "✓ Installing Python dependencies..."
-        pip install -r "$REQUIREMENTS_FILE"
+        pip install --user -r "$REQUIREMENTS_FILE" > /dev/null 2>&1 || echo "⚠ WARNING: pip install failed. Continuing anyway..."
     fi
 
     echo "✓ Creating tables..."