Merge pull request #815 from microsoft/psl-github-issue-azdup

fix: enhance Azure template validation workflow, improve documentation, and update infrastructure configuration

Author: Prajwal-Microsoft

.github/workflows/azure-dev-validation.yml

@@ -1,6 +1,6 @@
 name: Azure Template Validation
 on:
-  workflow_dispatch: 
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -11,6 +11,7 @@ permissions:
 jobs:
   template_validation_job:
     runs-on: ubuntu-latest
+    environment: production
     name: Template validation
 
     steps:
@@ -21,13 +22,19 @@ jobs:
       # Step 2: Validate the Azure template using microsoft/template-validation-action
       - name: Validate Azure Template
         uses: microsoft/template-validation-action@v0.4.4
+        with:
+          validateAzd: true
+          useDevContainer: false
+          validateTests: false
         id: validation
         env:
           AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
           AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}
           AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
+          AZURE_ENV_OPENAI_LOCATION: ${{ vars.AZURE_ENV_OPENAI_LOCATION || 'eastus2' }}
+          AZURE_ENV_USE_CASE: ${{ vars.AZURE_ENV_USE_CASE || 'telecom' }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
 

.github/workflows/azure-dev.yml

@@ -0,0 +1,49 @@
+name: Deploy to Azure
+
+on:
+  workflow_dispatch:
+  # push:
+  #   branches:
+  #     - main
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: production
+    env:
+      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+      AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+      AZURE_ENV_OPENAI_LOCATION: ${{ vars.AZURE_ENV_OPENAI_LOCATION || 'eastus2' }}
+      AZURE_ENV_USE_CASE: ${{ vars.AZURE_ENV_USE_CASE || 'telecom' }}
+      AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install azd
+        uses: Azure/setup-azd@v2.0.0
+
+      - name: Log in with Azure (Federated Credentials)
+        run: |
+          azd auth login `
+            --client-id "$Env:AZURE_CLIENT_ID" `
+            --federated-credential-provider "github" `
+            --tenant-id "$Env:AZURE_TENANT_ID"
+        shell: pwsh
+
+      - name: Provision Infrastructure
+        run: azd provision --no-prompt
+        env:
+          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+
+      - name: Deploy Application
+        run: azd deploy --no-prompt

README.md

@@ -34,6 +34,8 @@ Leverages Azure Content Understanding, Foundry IQ, Azure OpenAI Service, Azure A
 
 <br/>
 
+## Features
+
 ### Key features
 <details open>  
 <summary>Click to learn more about the key features this solution enables</summary>  
@@ -58,6 +60,8 @@ Summarized conversations, topic generation, and key phrase extraction support fa
 
 
 <br /><br />
+## Getting Started
+
 <h2><img src="./documents/Images/ReadMe/quick-deploy.png" width="48" />
 Quick deploy
 </h2>
@@ -79,6 +83,8 @@ Follow the quick deploy steps on the deployment guide to deploy this solution
 
 <br/>
 
+## Guidance
+
 ### Prerequisites and costs
 To deploy this solution accelerator, ensure you have access to an [Azure subscription](https://azure.microsoft.com/free/) with the necessary permissions to create **resource groups, resources, app registrations, and assign roles at the resource group level**. This should include Contributor role at the subscription level and  Role Based Access Control role on the subscription and/or resource group level. Follow the steps in [Azure Account Set Up](./documents/AzureAccountSetUp.md).
 
@@ -96,6 +102,11 @@ _Note: This is not meant to outline all costs as selected SKUs, scaled use, cust
 
 <br/>
 
+>⚠️ **Important:** To avoid unnecessary costs, remember to take down your app if it's no longer in use,
+either by deleting the resource group in the Portal or running `azd down`.
+
+## Resources
+
 | Product | Description | Tier / Expected Usage Notes | Cost |
 |---|---|---|---|
 | [Microsoft Foundry](https://learn.microsoft.com/en-us/azure/ai-foundry) | Used to orchestrate and build AI workflows that combine Azure AI services. | Free Tier | [Pricing](https://azure.microsoft.com/pricing/details/ai-studio/) |
@@ -112,8 +123,6 @@ _Note: This is not meant to outline all costs as selected SKUs, scaled use, cust
 
 <br/>
 
->⚠️ **Important:** To avoid unnecessary costs, remember to take down your app if it's no longer in use,
-either by deleting the resource group in the Portal or running `azd down`.
 
 <br /><br />
 <h2><img src="./documents/Images/ReadMe/business-scenario.png" width="48" />

infra/main.bicep

@@ -1383,6 +1383,9 @@ module webSiteFrontend 'modules/web-sites.bicep' = {
     location: location
     kind: 'app,linux,container'
     serverFarmResourceId: webServerFarm.outputs.resourceId
+    managedIdentities: {
+      systemAssigned: true
+    }
     siteConfig: {
       linuxFxVersion: 'DOCKER|${frontendContainerRegistryHostname}/${frontendContainerImageName}:${frontendContainerImageTag}'
       minTlsVersion: '1.2'