feat: Add support for AI Foundry resource ID and project name resolution in deployment scripts

Author: Vamshi-Microsoft

infra/scripts/post_deploy.ps1

@@ -250,6 +250,8 @@ function Get-ValuesFromAzdEnv {
     $script:aiSearchEndpoint = $(azd env get-value AZURE_SEARCH_ENDPOINT 2>$null)
     $script:openaiEndpoint   = $(azd env get-value AZURE_OPENAI_ENDPOINT 2>$null)
     $script:projectEndpoint  = $(azd env get-value AZURE_AI_PROJECT_ENDPOINT 2>$null)
+    $script:aiFoundryResourceId = $(azd env get-value AI_FOUNDRY_RESOURCE_ID 2>$null)
+    $script:aiProjectName    = $(azd env get-value AZURE_AI_PROJECT_NAME 2>$null)
     $script:ResourceGroup    = $(azd env get-value AZURE_RESOURCE_GROUP 2>$null)
 
     if (-not $script:backendUrl -or -not $script:storageAccount -or -not $script:aiSearch -or -not $script:ResourceGroup) {
@@ -283,6 +285,8 @@ function Get-ValuesFromAzDeployment {
     $script:aiSearchEndpoint = Get-DeploymentValue -DeploymentOutputs $deploymentOutputs -PrimaryKey "azurE_SEARCH_ENDPOINT"      -FallbackKey "azureSearchEndpoint"
     $script:openaiEndpoint   = Get-DeploymentValue -DeploymentOutputs $deploymentOutputs -PrimaryKey "azurE_OPENAI_ENDPOINT"      -FallbackKey "azureOpenaiEndpoint"
     $script:projectEndpoint  = Get-DeploymentValue -DeploymentOutputs $deploymentOutputs -PrimaryKey "azurE_AI_PROJECT_ENDPOINT"  -FallbackKey "azureAiProjectEndpoint"
+    $script:aiFoundryResourceId = Get-DeploymentValue -DeploymentOutputs $deploymentOutputs -PrimaryKey "aI_FOUNDRY_RESOURCE_ID"  -FallbackKey "aiFoundryResourceId"
+    $script:aiProjectName    = Get-DeploymentValue -DeploymentOutputs $deploymentOutputs -PrimaryKey "azurE_AI_PROJECT_NAME"      -FallbackKey "azureAiProjectName"
 
     if (-not $script:storageAccount -or -not $script:aiSearch -or -not $script:backendUrl) {
         Write-Host "Error: Could not extract all required values from deployment outputs."
@@ -636,6 +640,40 @@ try {
     if ($script:aiSearchEndpoint) { $env:AZURE_AI_SEARCH_ENDPOINT  = $script:aiSearchEndpoint }
     if ($script:openaiEndpoint)   { $env:AZURE_OPENAI_ENDPOINT     = $script:openaiEndpoint }
 
+    # Resolve AI Foundry account resource ID and project name. Prefer values
+    # from azd env / deployment outputs; otherwise fall back to az CLI lookup.
+    # These are exported so seed_kb_connections.py can construct the project
+    # ARM resource ID directly, avoiding fragile data-plane discovery that
+    # fails for service principals on fresh deployments.
+    if (-not $script:aiFoundryResourceId -and $script:openaiEndpoint -and $script:ResourceGroup) {
+        $foundryAccountName = $null
+        if ($script:openaiEndpoint -match '^https?://([^.]+)\.') {
+            $foundryAccountName = $Matches[1]
+        }
+        if ($foundryAccountName) {
+            $script:aiFoundryResourceId = az cognitiveservices account show --name $foundryAccountName --resource-group $script:ResourceGroup --query id -o tsv 2>$null
+        }
+    }
+    if (-not $script:aiProjectName -and $script:projectEndpoint) {
+        # Project endpoint format: https://{account}.services.ai.azure.com/api/projects/{project}
+        $script:aiProjectName = ($script:projectEndpoint.TrimEnd('/') -split '/')[-1]
+    }
+
+    if ($script:aiFoundryResourceId) { $env:AI_FOUNDRY_RESOURCE_ID = $script:aiFoundryResourceId }
+    if ($script:aiProjectName)       { $env:AZURE_AI_PROJECT_NAME  = $script:aiProjectName }
+    if ($script:azSubscriptionId) {
+        $env:AZURE_AI_SUBSCRIPTION_ID = $script:azSubscriptionId
+        $env:AZURE_SUBSCRIPTION_ID    = $script:azSubscriptionId
+    }
+    if ($script:ResourceGroup) {
+        $env:AZURE_AI_RESOURCE_GROUP = $script:ResourceGroup
+        $env:AZURE_RESOURCE_GROUP    = $script:ResourceGroup
+    }
+
+    if (-not $script:aiFoundryResourceId -or -not $script:aiProjectName) {
+        Write-Host "Warning: AI_FOUNDRY_RESOURCE_ID or AZURE_AI_PROJECT_NAME not resolved. KB MCP connection provisioning may fall back to data-plane discovery." -ForegroundColor Yellow
+    }
+
     # ── WAF: temporarily enable public access for use cases that need data ──
     $usesData = $useCaseSelection -in @("1","2","5","6","7")
     if ($usesData) {

infra/scripts/post_deploy.sh

@@ -11,6 +11,8 @@ ai_search=""
 ai_search_endpoint=""
 openai_endpoint=""
 project_endpoint=""
+ai_foundry_resource_id=""
+ai_project_name=""
 az_subscription_id=""
 resource_group=""
 user_principal_id=""
@@ -297,6 +299,8 @@ get_values_from_azd_env() {
   if [ -z "$project_endpoint" ]; then
     project_endpoint="$(azd env get-value AZURE_AI_AGENT_ENDPOINT 2>/dev/null || true)"
   fi
+  ai_foundry_resource_id="$(azd env get-value AI_FOUNDRY_RESOURCE_ID 2>/dev/null || true)"
+  ai_project_name="$(azd env get-value AZURE_AI_PROJECT_NAME 2>/dev/null || true)"
   resource_group="$(azd env get-value AZURE_RESOURCE_GROUP 2>/dev/null || true)"
 
   if [ -z "$backend_url" ] || [ -z "$storage_account" ] || [ -z "$ai_search" ] || [ -z "$resource_group" ]; then
@@ -325,7 +329,7 @@ get_values_from_az_deployment() {
     return 1
   fi
 
-  local dep_storage_account dep_ai_search dep_backend_url dep_ai_search_endpoint dep_openai_endpoint dep_project_endpoint
+  local dep_storage_account dep_ai_search dep_backend_url dep_ai_search_endpoint dep_openai_endpoint dep_project_endpoint dep_ai_foundry_resource_id dep_ai_project_name
   dep_storage_account="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "azurE_STORAGE_ACCOUNT_NAME" "azureStorageAccountName" 2>/dev/null || true)"
   dep_ai_search="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "azurE_AI_SEARCH_NAME" "azureAiSearchName" 2>/dev/null || true)"
   dep_backend_url="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "backenD_URL" "backendUrl" 2>/dev/null || true)"
@@ -338,6 +342,8 @@ get_values_from_az_deployment() {
   if [ -z "$dep_project_endpoint" ]; then
     dep_project_endpoint="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "azurE_AI_AGENT_ENDPOINT" "azureAiAgentEndpoint" 2>/dev/null || true)"
   fi
+  dep_ai_foundry_resource_id="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "aI_FOUNDRY_RESOURCE_ID" "aiFoundryResourceId" 2>/dev/null || true)"
+  dep_ai_project_name="$(printf '%s' "$deployment_outputs" | get_value_from_deployment "azurE_AI_PROJECT_NAME" "azureAiProjectName" 2>/dev/null || true)"
 
   if [ -n "$dep_storage_account" ]; then
     storage_account="$dep_storage_account"
@@ -357,6 +363,12 @@ get_values_from_az_deployment() {
   if [ -n "$dep_project_endpoint" ]; then
     project_endpoint="$dep_project_endpoint"
   fi
+  if [ -n "$dep_ai_foundry_resource_id" ]; then
+    ai_foundry_resource_id="$dep_ai_foundry_resource_id"
+  fi
+  if [ -n "$dep_ai_project_name" ]; then
+    ai_project_name="$dep_ai_project_name"
+  fi
 
   if [ -z "$storage_account" ] || [ -z "$ai_search" ] || [ -z "$backend_url" ]; then
     error "Could not extract all required values from deployment outputs."
@@ -723,6 +735,45 @@ main() {
     warn "AZURE_OPENAI_ENDPOINT is not set. Knowledge base reasoning may fall back to default or fail."
   fi
 
+  # Resolve AI Foundry account resource ID and project name. Prefer the values
+  # already retrieved from azd env / deployment outputs; otherwise fall back to
+  # querying the resource group with az CLI. These are exported so that
+  # seed_kb_connections.py can construct the project ARM resource ID directly,
+  # avoiding fragile data-plane discovery that fails for service principals on
+  # fresh deployments.
+  if [ -z "$ai_foundry_resource_id" ] && [ -n "$resource_group" ] && [ -n "$openai_endpoint" ]; then
+    local foundry_account_name=""
+    if [[ "$openai_endpoint" =~ ^https?://([^.]+)\. ]]; then
+      foundry_account_name="${BASH_REMATCH[1]}"
+    fi
+    if [ -n "$foundry_account_name" ]; then
+      ai_foundry_resource_id="$(az cognitiveservices account show --name "$foundry_account_name" --resource-group "$resource_group" --query id -o tsv 2>/dev/null || true)"
+    fi
+  fi
+  if [ -z "$ai_project_name" ] && [ -n "$project_endpoint" ]; then
+    # Project endpoint format: https://{account}.services.ai.azure.com/api/projects/{project}
+    ai_project_name="${project_endpoint##*/}"
+  fi
+
+  if [ -n "$ai_foundry_resource_id" ]; then
+    export AI_FOUNDRY_RESOURCE_ID="$ai_foundry_resource_id"
+  fi
+  if [ -n "$ai_project_name" ]; then
+    export AZURE_AI_PROJECT_NAME="$ai_project_name"
+  fi
+  if [ -n "$az_subscription_id" ]; then
+    export AZURE_AI_SUBSCRIPTION_ID="$az_subscription_id"
+    export AZURE_SUBSCRIPTION_ID="$az_subscription_id"
+  fi
+  if [ -n "$resource_group" ]; then
+    export AZURE_AI_RESOURCE_GROUP="$resource_group"
+    export AZURE_RESOURCE_GROUP="$resource_group"
+  fi
+
+  if [ -z "$ai_foundry_resource_id" ] || [ -z "$ai_project_name" ]; then
+    warn "AI_FOUNDRY_RESOURCE_ID or AZURE_AI_PROJECT_NAME not resolved. KB MCP connection provisioning may fall back to data-plane discovery."
+  fi
+
   local uses_data=false
   case "$selected_use_case" in
     1|2|5|6|7) uses_data=true ;; 

infra/scripts/seed_kb_connections.py

@@ -13,13 +13,23 @@
   - AZURE_AI_SEARCH_ENDPOINT
   - AZURE_AI_PROJECT_ENDPOINT  (the full project endpoint URL)
 
+Optional (preferred — used to construct the project ARM resource ID directly,
+avoiding fragile data-plane discovery that fails for service principals on
+fresh deployments):
+  - AI_FOUNDRY_RESOURCE_ID    (the AI Foundry / Cognitive Services account ARM id)
+  - AZURE_AI_PROJECT_NAME     (the project name under the account)
+  - AZURE_AI_PROJECT_RESOURCE_ID (explicit full project ARM id; overrides the above)
+  - AZURE_AI_SUBSCRIPTION_ID  (or AZURE_SUBSCRIPTION_ID)
+  - AZURE_AI_RESOURCE_GROUP   (or AZURE_RESOURCE_GROUP)
+
 Authentication: DefaultAzureCredential — caller needs Contributor on the AI project.
 Idempotent: PUTs connections (creates or updates).
 """
 
 import os
 import sys
 from pathlib import Path
+from urllib.parse import urlparse
 
 import httpx
 from azure.identity import DefaultAzureCredential
@@ -115,6 +125,63 @@ def _discover_project_resource_id(credential: DefaultAzureCredential) -> str:
     return ""
 
 
+def _build_project_resource_id_from_env() -> str:
+    """Construct the project ARM resource ID from environment variables.
+
+    Preferred resolution order:
+      1. AZURE_AI_PROJECT_RESOURCE_ID (explicit override)
+      2. AI_FOUNDRY_RESOURCE_ID + AZURE_AI_PROJECT_NAME
+      3. (subscription, resource group) + (account, project) parsed from PROJECT_ENDPOINT
+
+    Returns empty string if it cannot be constructed.
+    """
+    explicit = os.environ.get("AZURE_AI_PROJECT_RESOURCE_ID", "").strip().rstrip("/")
+    if explicit:
+        return explicit
+
+    foundry_id = os.environ.get("AI_FOUNDRY_RESOURCE_ID", "").strip().rstrip("/")
+    project_name_env = os.environ.get("AZURE_AI_PROJECT_NAME", "").strip()
+
+    # Parse account name and project name from the project endpoint as a fallback.
+    parsed = urlparse(PROJECT_ENDPOINT) if PROJECT_ENDPOINT else None
+    parsed_account = ""
+    parsed_project = ""
+    if parsed and parsed.hostname:
+        parsed_account = parsed.hostname.split(".", 1)[0]
+        path_parts = [p for p in (parsed.path or "").split("/") if p]
+        if path_parts:
+            parsed_project = path_parts[-1]
+
+    project_name = project_name_env or parsed_project
+
+    # Path 2: foundry resource id + project name
+    if foundry_id and project_name:
+        # Ensure the id points to the account (not the project itself) before appending.
+        if "/projects/" in foundry_id.lower():
+            return foundry_id
+        return f"{foundry_id}/projects/{project_name}"
+
+    # Path 3: build from sub + rg + parsed account/project
+    sub = (
+        os.environ.get("AZURE_AI_SUBSCRIPTION_ID")
+        or os.environ.get("AZURE_SUBSCRIPTION_ID")
+        or ""
+    ).strip()
+    rg = (
+        os.environ.get("AZURE_AI_RESOURCE_GROUP")
+        or os.environ.get("AZURE_RESOURCE_GROUP")
+        or ""
+    ).strip()
+    if sub and rg and parsed_account and project_name:
+        return (
+            f"/subscriptions/{sub}/resourceGroups/{rg}"
+            f"/providers/Microsoft.CognitiveServices/accounts/{parsed_account}"
+            f"/projects/{project_name}"
+        )
+
+    return ""
+
+
 def _create_connection_via_arm(
     resource_id: str, connection_name: str, target_url: str, credential: DefaultAzureCredential
 ) -> bool:
@@ -171,27 +238,47 @@ def main() -> None:
 
     credential = DefaultAzureCredential()
 
-    # Discover the ARM resource ID of the project
-    print("Discovering project resource ID...")
-    resource_id = _discover_project_resource_id(credential)
-    if not resource_id:
-        # Try to get it from an existing connection
-        print("  Could not discover via data-plane. Trying existing connection...")
-        from azure.ai.projects import AIProjectClient
-
-        client = AIProjectClient(endpoint=PROJECT_ENDPOINT, credential=credential)
-        connections = list(client.connections.list())
-        if connections:
-            # Parse resource ID from any connection's ID
-            # Format: /subscriptions/.../connections/name
-            conn_id = connections[0].id
-            # Remove the /connections/... suffix to get the project resource ID
-            resource_id = conn_id.rsplit("/connections/", 1)[0]
-        client.close()
+    # Resolve the project ARM resource ID.
+    # Preferred path: build it directly from environment variables exported by
+    # post_deploy.{sh,ps1} (these come from azd env / deployment outputs). This
+    # avoids fragile data-plane discovery that fails for service principals on
+    # fresh deployments where no connections exist yet.
+    print("Resolving project resource ID...")
+    resource_id = _build_project_resource_id_from_env()
+    if resource_id:
+        print(f"  Using project resource ID from environment: {resource_id}")
+    else:
+        print("  Env-based resolution unavailable. Trying data-plane discovery...")
+        resource_id = _discover_project_resource_id(credential)
+        if not resource_id:
+            # Last-resort: parse from any existing connection.
+            print("  Could not discover via data-plane. Trying existing connection...")
+            try:
+                from azure.ai.projects import AIProjectClient
+
+                client = AIProjectClient(endpoint=PROJECT_ENDPOINT, credential=credential)
+                try:
+                    connections = list(client.connections.list())
+                except Exception as exc:  # noqa: BLE001
+                    print(f"  Connection list failed: {exc}")
+                    connections = []
+                finally:
+                    client.close()
+                if connections:
+                    # Format: /subscriptions/.../connections/name
+                    conn_id = connections[0].id
+                    resource_id = conn_id.rsplit("/connections/", 1)[0]
+            except Exception as exc:  # noqa: BLE001
+                print(f"  AIProjectClient fallback failed: {exc}")
 
     if not resource_id:
         print("ERROR: Could not determine project ARM resource ID.")
-        print("  Ensure at least one connection exists or AZURE_AI_PROJECT_ENDPOINT is correct.")
+        print(
+            "  Set one of the following so the script can build the resource ID:\n"
+            "    - AZURE_AI_PROJECT_RESOURCE_ID (full ARM id), OR\n"
+            "    - AI_FOUNDRY_RESOURCE_ID + AZURE_AI_PROJECT_NAME, OR\n"
+            "    - AZURE_AI_SUBSCRIPTION_ID + AZURE_AI_RESOURCE_GROUP + AZURE_AI_PROJECT_ENDPOINT."
+        )
         sys.exit(1)
 
     print(f"  Project resource ID: {resource_id}")