updated main_custom.bicep and azure_custom.yaml

Author: Harsh-Microsoft

azure_custom.yaml

@@ -46,62 +46,10 @@ services:
 hooks:
   postdeploy:
     windows:
-      run: |
-        # Detect if running in Git Bash or similar Bash environment
-        if ($env:SHELL -like "*bash*" -or $env:MSYSTEM) {
-          # Running in Git Bash/MSYS2 environment
-          Write-Host ""
-          Write-Host "===============================================================" -ForegroundColor Yellow
-          Write-Host " POST-DEPLOYMENT STEPS (Bash)" -ForegroundColor Green  
-          Write-Host "===============================================================" -ForegroundColor Yellow
-          Write-Host ""
-
-          Write-Host " Upload Team Configurations and index sample data" -ForegroundColor White
-          Write-Host "  👉 Run the following command in Bash:" -ForegroundColor White
-          Write-Host "   bash infra/scripts/post-provision/selecting_team_config_and_data.sh" -ForegroundColor Cyan
-          Write-Host ""
-
-          Write-Host "🌐 Access your deployed Frontend application at:" -ForegroundColor Green
-          Write-Host "   https://$env:webSiteDefaultHostname" -ForegroundColor Cyan
-          Write-Host ""
-        } else {
-          # Running in PowerShell
-          Write-Host ""
-          Write-Host "===============================================================" -ForegroundColor Yellow
-          Write-Host " POST-DEPLOYMENT STEP (PowerShell) " -ForegroundColor Green
-          Write-Host "===============================================================" -ForegroundColor Yellow
-          Write-Host ""
-
-          Write-Host " Upload Team Configurations and index sample data" -ForegroundColor White
-          Write-Host "  👉 Run the following command in PowerShell:" -ForegroundColor White
-          Write-Host "   infra\scripts\post-provision\Selecting-Team-Config-And-Data.ps1" -ForegroundColor Cyan
-          Write-Host ""
-
-          Write-Host "🌐 Access your deployed Frontend application at:" -ForegroundColor Green
-          Write-Host "   https://$env:webSiteDefaultHostname" -ForegroundColor Cyan
-          Write-Host ""
-        }
-        
+      run: infra/scripts/post-provision/post_deploy.ps1
       shell: pwsh
       interactive: true
     posix:
-      run: |
-        Blue='\033[0;34m'
-        Green='\033[0;32m'
-        Yellow='\033[1;33m'
-        NC='\033[0m'
-
-        printf "\n"
-
-        printf "${Yellow}===============================================================\n"
-        printf "${Green} POST-DEPLOYMENT STEPS (Bash)\n"
-        printf "${Yellow}===============================================================${NC}\n\n"
-
-        printf  "Upload Team Configurations and index sample data:\n"
-        printf  "  👉 Run the following command in Bash:\n"
-        printf  "   ${Blue}bash infra/scripts/post-provision/selecting_team_config_and_data.sh${NC}\n\n"
-
-        printf "🌐 Access your deployed Frontend application at:\n"
-        printf "   ${Blue}https://%s${NC}\n\n" "$webSiteDefaultHostname"
+      run: bash infra/scripts/post-provision/post_deploy.sh
       shell: sh
       interactive: true

infra/bicep/main.bicep

@@ -185,6 +185,9 @@ param createdBy string = contains(deployer(), 'userPrincipalName')
   ? split(deployer().userPrincipalName, '@')[0]
   : deployer().objectId
 
+@description('Optional. Flag to indicate if this is a custom code deployment. If true, some resources may be skipped or configured differently.')
+param isCustom bool = false
+
 var deployerInfo = deployer()
 var deployingUserPrincipalId = deployerInfo.objectId
 var deployerPrincipalType = contains(deployerInfo, 'userPrincipalName') ? 'User' : 'ServicePrincipal'
@@ -485,12 +488,27 @@ module foundry_search_connection './modules/ai/ai-foundry-connection.bicep' = {
   }
 }
 
+module container_registry './modules/compute/container-registry.bicep' = if(isCustom) {
+  name: take('module.container-registry.${solutionSuffix}', 64)
+  params: {
+    solutionName: solutionSuffix
+    name: 'cr${solutionSuffix}'
+    location: solutionLocation
+    tags: allTags
+    sku: 'Basic'
+    adminUserEnabled: false
+    publicNetworkAccess: 'Enabled'
+    exportPolicyStatus: 'enabled'
+    retentionPolicyStatus: 'disabled'
+  }
+}
+
 module backend_container_app './modules/compute/container-app.bicep' = {
   name: take('module.backend-container-app.${solutionSuffix}', 64)
   params: {
     name: backendContainerAppName
     location: solutionLocation
-    tags: allTags
+    tags: isCustom ? union(allTags, { 'azd-service-name': 'backend' }) : allTags
     environmentResourceId: container_app_environment.outputs.resourceId
     ingressExternal: true
     ingressTargetPort: 8000
@@ -514,6 +532,12 @@ module backend_container_app './modules/compute/container-app.bicep' = {
       minReplicas: 1
       maxReplicas: 1
     }
+    registries: isCustom ? [
+      {
+        server: container_registry!.outputs.loginServer
+        identity: userAssignedIdentity.outputs.resourceId
+      }
+    ] : []
     containers: [
       {
         name: 'backend'
@@ -658,7 +682,7 @@ module mcp_container_app './modules/compute/container-app.bicep' = {
   params: {
     name: mcpContainerAppName
     location: solutionLocation
-    tags: allTags
+    tags: isCustom ? union(allTags, { 'azd-service-name': 'mcp' }) : allTags
     environmentResourceId: container_app_environment.outputs.resourceId
     ingressExternal: true
     ingressTargetPort: 9000
@@ -675,6 +699,12 @@ module mcp_container_app './modules/compute/container-app.bicep' = {
       minReplicas: 1
       maxReplicas: 1
     }
+    registries: isCustom ? [
+      {
+        server: container_registry!.outputs.loginServer
+        identity: userAssignedIdentity.outputs.resourceId
+      }
+    ] : []
     containers: [
       {
         name: 'mcp'
@@ -770,10 +800,21 @@ module frontend_app './modules/compute/app-service.bicep' = {
   params: {
     solutionName: frontendAppName
     location: solutionLocation
-    tags: allTags
+    tags: isCustom ? union(allTags, { 'azd-service-name': 'frontend' }) : allTags
     serverFarmResourceId: app_service_plan.outputs.resourceId
-    linuxFxVersion: 'DOCKER|${frontendContainerRegistryHostname}/${frontendContainerImageName}:${frontendContainerImageTag}'
-    appSettings: {
+    linuxFxVersion: isCustom ? 'python|3.11' : 'DOCKER|${frontendContainerRegistryHostname}/${frontendContainerImageName}:${frontendContainerImageTag}'
+    appCommandLine: isCustom ? 'python3 -m uvicorn frontend_server:app --host 0.0.0.0 --port 8000' : ''
+    appSettings: isCustom ? {
+      SCM_DO_BUILD_DURING_DEPLOYMENT: 'True'
+      WEBSITES_PORT: '8000'
+      BACKEND_API_URL: 'https://${backend_container_app.outputs.fqdn}'
+      AUTH_ENABLED: 'false'
+      PROXY_API_REQUESTS: 'false'
+      ENABLE_ORYX_BUILD: 'True'
+      APPLICATIONINSIGHTS_CONNECTION_STRING: app_insights.outputs.connectionString
+      APPINSIGHTS_INSTRUMENTATIONKEY: app_insights.outputs.instrumentationKey
+    }
+    : {
       SCM_DO_BUILD_DURING_DEPLOYMENT: 'true'
       DOCKER_REGISTRY_SERVER_URL: 'https://${frontendContainerRegistryHostname}'
       WEBSITES_PORT: '3000'
@@ -802,6 +843,7 @@ module role_assignments './modules/identity/role-assignments.bicep' = {
     deployerPrincipalType: deployerPrincipalType
     userAssignedManagedIdentityPrincipalId: userAssignedIdentity.outputs.principalId
     cosmosDbAccountName: cosmosDBModule.outputs.name
+    containerRegistryResourceId: isCustom ? container_registry!.outputs.resourceId : ''
   }
 }
 
@@ -860,3 +902,7 @@ output AZURE_AI_SEARCH_INDEX_NAME_RFP_COMPLIANCE string = aiSearchIndexNameForRF
 output AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_SUMMARY string = aiSearchIndexNameForContractSummary
 output AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_RISK string = aiSearchIndexNameForContractRisk
 output AZURE_AI_SEARCH_INDEX_NAME_CONTRACT_COMPLIANCE string = aiSearchIndexNameForContractCompliance
+
+// Container Registry Outputs
+output AZURE_CONTAINER_REGISTRY_ENDPOINT string? = isCustom ? container_registry!.outputs.loginServer : null
+output AZURE_CONTAINER_REGISTRY_NAME string? = isCustom ? container_registry!.outputs.name : null

infra/bicep/modules/compute/container-registry.bicep

@@ -30,6 +30,9 @@ param publicNetworkAccess string = 'Enabled'
 @description('Export policy status.')
 param exportPolicyStatus string = 'enabled'
 
+@description('Retention policy status.')
+param retentionPolicyStatus string = 'disabled'
+
 // ============================================================================
 // Resource Deployment
 // ============================================================================
@@ -50,7 +53,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2025-04-01' =
         status: exportPolicyStatus
       }
       retentionPolicy: {
-        status: 'enabled'
+        status: retentionPolicyStatus
         days: 7
       }
       trustPolicy: {
@@ -72,4 +75,4 @@ output name string = containerRegistry.name
 output loginServer string = containerRegistry.properties.loginServer
 
 @description('The resource ID of the container registry.')
-output resourceId string = containerRegistry.id
+output resourceId string = containerRegistry.id

infra/bicep/modules/identity/role-assignments.bicep

@@ -49,6 +49,9 @@ param storageAccountResourceId string = ''
 @description('Name of the Cosmos DB account (empty if not deployed).')
 param cosmosDbAccountName string = ''
 
+@description('Resource ID of the Container Registry (empty if not deployed).')
+param containerRegistryResourceId string = ''
+
 // ============================================================================
 // Derived Variables
 // ============================================================================
@@ -71,6 +74,7 @@ var roleDefinitions = {
   searchServiceContributor: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
   storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
   storageBlobDataReader: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+  acrPull: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
 }
 
 // ============================================================================
@@ -98,6 +102,10 @@ resource cosmosContributorRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/
   name: '00000000-0000-0000-0000-000000000002' // Cosmos DB Built-in Data Contributor
 }
 
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2025-04-01' existing = if (!empty(containerRegistryResourceId)) {
+  name: last(split(containerRegistryResourceId, '/'))
+}
+
 // ============================================================================
 // 1. AI SERVICES ROLE ASSIGNMENTS
 //    Cross-service roles scoped to AI Foundry account
@@ -399,3 +407,20 @@ resource deployerCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sql
     scope: cosmosAccount.id
   }
 }
+
+
+// ============================================================================
+// 6. ACR ROLE ASSIGNMENTS
+// ============================================================================
+
+// User-Assigned Managed Identity → AcrPull on Container Registry
+resource userAssignedManagedIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(containerRegistryResourceId) && !empty(userAssignedManagedIdentityPrincipalId)) {
+  name: guid(solutionName, containerRegistry.id, userAssignedManagedIdentityPrincipalId, roleDefinitions.acrPull)
+  scope: containerRegistry
+  properties: {
+    principalId: userAssignedManagedIdentityPrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.acrPull)
+    principalType: 'ServicePrincipal'
+  }
+}
+