microsoft
diff --git a/‎infra/scripts/deploy_to_azure.ps1‎
Lines changed: 121 additions & 15 deletions b/‎infra/scripts/deploy_to_azure.ps1‎
Lines changed: 121 additions & 15 deletions
diff --git a/‎infra/scripts/deploy_to_azure.sh‎
Lines changed: 124 additions & 10 deletions b/‎infra/scripts/deploy_to_azure.sh‎
Lines changed: 124 additions & 10 deletions
@@ -131,6 +131,47 @@ function Check-Prerequisites {
     Write-LogSuccess "Logged into Azure CLI"
 }
 
+# ==============================================================================
+# Step 1b: Azure Role / Permission Check
+# ==============================================================================
+#
+# Per docs/DeploymentGuide.md, the deploying account needs:
+#   - Contributor (or Owner) on the subscription -- to update resources
+#   - User Access Administrator OR Role Based Access Control Administrator
+#     (or Owner) -- to assign the AcrPull role to managed identities
+# This check is non-fatal: group-inherited roles may not always enumerate.
+# ==============================================================================
+
+function Check-AzureRoles {
+    Write-LogStep "Step 1b: Checking Azure Roles & Permissions"
+
+    $subId  = az account show --query id -o tsv 2>$null
+    $userId = az ad signed-in-user show --query id -o tsv 2>$null
+    if (-not $subId -or -not $userId) {
+        Write-LogWarn "Could not determine subscription or user identity -- skipping role check."
+        return
+    }
+
+    $scope = "/subscriptions/$subId"
+    $rolesRaw = az role assignment list --assignee $userId --scope $scope `
+        --include-inherited --include-groups --query "[].roleDefinitionName" -o tsv 2>$null
+    if (-not $rolesRaw) {
+        Write-LogWarn "Unable to enumerate role assignments at $scope."
+        Write-LogWarn "Required: Contributor + (User Access Administrator OR Role Based Access Control Administrator), or Owner."
+        return
+    }
+
+    $roles = ($rolesRaw -split "`r?`n" | Where-Object { $_ -ne "" })
+    $hasResMgmt  = ($roles -contains 'Owner') -or ($roles -contains 'Contributor')
+    $hasRoleMgmt = ($roles -contains 'Owner') -or ($roles -contains 'User Access Administrator') -or ($roles -contains 'Role Based Access Control Administrator')
+
+    if ($hasResMgmt) { Write-LogSuccess "Resource management role found (Owner/Contributor)" }
+    else { Write-LogWarn "Missing 'Contributor' (or 'Owner') at subscription scope -- Azure resource updates may fail." }
+
+    if ($hasRoleMgmt) { Write-LogSuccess "Role-assignment permission found (Owner/UAA/RBAC Admin)" }
+    else { Write-LogWarn "Missing 'User Access Administrator' / 'Role Based Access Control Administrator' (or 'Owner') -- AcrPull role assignment may fail. Pass -SkipRoleAssignment if roles are already in place." }
+}
+
 # ==============================================================================
 # Step 2: Discover Azure Resources
 # ==============================================================================
@@ -454,22 +495,45 @@ function Build-AndPush {
 
     Write-LogInfo "Logging into ACR: $script:AcrName..."
     az acr login --name $script:AcrName
+    if ($LASTEXITCODE -ne 0) {
+        Write-LogError "ACR login failed for '$script:AcrName'."
+        Write-LogError "  Likely causes:"
+        Write-LogError "    - Your account lacks 'AcrPush' / 'Contributor' on the registry."
+        Write-LogError "    - Docker daemon not running."
+        Write-LogError "    - Tenant blocks docker-credential helpers (try: az acr login -n $script:AcrName --expose-token)."
+        exit 1
+    }
     Write-LogSuccess "ACR login successful"
 
     $env:DOCKER_BUILDKIT = "1"
 
+    # Track per-service success so a partial failure does not strand the others
+    $script:BuildResults = [ordered]@{}
+
     if ($script:DeployBackend) {
         $fullImage = "$($script:AcrLoginServer)/$BackendImageName`:$($script:ImageTag)"
         Write-LogInfo "Building backend image: $fullImage"
         if ($DryRun) {
             Write-LogInfo "[DRY RUN] Would build: docker build -t $fullImage $BackendDir"
+            $script:BuildResults["backend"] = "dry-run"
         } else {
             docker build -t $fullImage $BackendDir
-            if ($LASTEXITCODE -ne 0) { Write-LogError "Backend image build FAILED"; exit 1 }
-            Write-LogSuccess "Backend image built"
-            docker push $fullImage
-            if ($LASTEXITCODE -ne 0) { Write-LogError "Backend image push FAILED"; exit 1 }
-            Write-LogSuccess "Backend image pushed: $fullImage"
+            if ($LASTEXITCODE -ne 0) {
+                Write-LogError "Backend image build FAILED -- continuing with other services"
+                $script:BuildResults["backend"] = "build-failed"
+                $script:DeployBackend = $false
+            } else {
+                Write-LogSuccess "Backend image built"
+                docker push $fullImage
+                if ($LASTEXITCODE -ne 0) {
+                    Write-LogError "Backend image push FAILED -- continuing with other services"
+                    $script:BuildResults["backend"] = "push-failed"
+                    $script:DeployBackend = $false
+                } else {
+                    Write-LogSuccess "Backend image pushed: $fullImage"
+                    $script:BuildResults["backend"] = "ok"
+                }
+            }
         }
     }
 
@@ -478,13 +542,25 @@ function Build-AndPush {
         Write-LogInfo "Building MCP image: $fullImage"
         if ($DryRun) {
             Write-LogInfo "[DRY RUN] Would build: docker build -t $fullImage $McpDir"
+            $script:BuildResults["mcp"] = "dry-run"
         } else {
             docker build -t $fullImage $McpDir
-            if ($LASTEXITCODE -ne 0) { Write-LogError "MCP image build FAILED"; exit 1 }
-            Write-LogSuccess "MCP image built"
-            docker push $fullImage
-            if ($LASTEXITCODE -ne 0) { Write-LogError "MCP image push FAILED"; exit 1 }
-            Write-LogSuccess "MCP image pushed: $fullImage"
+            if ($LASTEXITCODE -ne 0) {
+                Write-LogError "MCP image build FAILED -- continuing with other services"
+                $script:BuildResults["mcp"] = "build-failed"
+                $script:DeployMcp = $false
+            } else {
+                Write-LogSuccess "MCP image built"
+                docker push $fullImage
+                if ($LASTEXITCODE -ne 0) {
+                    Write-LogError "MCP image push FAILED -- continuing with other services"
+                    $script:BuildResults["mcp"] = "push-failed"
+                    $script:DeployMcp = $false
+                } else {
+                    Write-LogSuccess "MCP image pushed: $fullImage"
+                    $script:BuildResults["mcp"] = "ok"
+                }
+            }
         }
     }
 
@@ -493,16 +569,35 @@ function Build-AndPush {
         Write-LogInfo "Building frontend image: $fullImage"
         if ($DryRun) {
             Write-LogInfo "[DRY RUN] Would build: docker build -t $fullImage $FrontendDir"
+            $script:BuildResults["frontend"] = "dry-run"
         } else {
             docker build -t $fullImage $FrontendDir
-            if ($LASTEXITCODE -ne 0) { Write-LogError "Frontend image build FAILED"; exit 1 }
-            Write-LogSuccess "Frontend image built"
-            docker push $fullImage
-            if ($LASTEXITCODE -ne 0) { Write-LogError "Frontend image push FAILED"; exit 1 }
-            Write-LogSuccess "Frontend image pushed: $fullImage"
+            if ($LASTEXITCODE -ne 0) {
+                Write-LogError "Frontend image build FAILED -- continuing with other services"
+                $script:BuildResults["frontend"] = "build-failed"
+                $script:DeployFrontend = $false
+            } else {
+                Write-LogSuccess "Frontend image built"
+                docker push $fullImage
+                if ($LASTEXITCODE -ne 0) {
+                    Write-LogError "Frontend image push FAILED -- continuing with other services"
+                    $script:BuildResults["frontend"] = "push-failed"
+                    $script:DeployFrontend = $false
+                } else {
+                    Write-LogSuccess "Frontend image pushed: $fullImage"
+                    $script:BuildResults["frontend"] = "ok"
+                }
+            }
         }
     }
 
+    # If all selected services failed to build/push, bail before touching Azure resources
+    $okCount = ($script:BuildResults.Values | Where-Object { $_ -eq "ok" -or $_ -eq "dry-run" }).Count
+    if ($okCount -eq 0 -and $script:BuildResults.Count -gt 0) {
+        Write-LogError "All image builds/pushes failed -- aborting before touching Azure resources."
+        exit 1
+    }
+
     if ($BuildOnly) {
         Write-LogSuccess "Build & push complete (-BuildOnly mode, skipping Azure update)"
     }
@@ -656,6 +751,16 @@ function Print-Summary {
     Write-Host "  Image Tag:       $($script:ImageTag)"
     Write-Host ""
 
+    if ($script:BuildResults -and $script:BuildResults.Count -gt 0) {
+        Write-Host "  Build results:"
+        foreach ($k in $script:BuildResults.Keys) {
+            $v = $script:BuildResults[$k]
+            $glyph = if ($v -eq "ok" -or $v -eq "dry-run") { "[OK]" } else { "[FAIL]" }
+            Write-Host ("    {0,-6} {1,-9} {2}" -f $glyph, $k, $v)
+        }
+        Write-Host ""
+    }
+
     if ($script:DeployBackend -and $script:BackendCA) {
         Write-Host "  Backend:         $($script:AcrLoginServer)/$BackendImageName`:$($script:ImageTag)"
     }
@@ -720,6 +825,7 @@ Write-Host "╚═════════════════════
 Write-Host ""
 
 Check-Prerequisites
+Check-AzureRoles
 Discover-Resources
 Resolve-Acr
 Determine-Services
 
@@ -207,6 +207,54 @@ check_prerequisites() {
     log_success "Logged into Azure CLI"
 }
 
+# ==============================================================================
+# Step 1b: Azure Role / Permission Check
+# ==============================================================================
+#
+# Per docs/DeploymentGuide.md, the deploying account needs:
+#   - Contributor (or Owner) on the subscription -- to update resources
+#   - User Access Administrator OR Role Based Access Control Administrator
+#     (or Owner) -- to assign the AcrPull role to managed identities
+# This check is non-fatal: group-inherited roles may not always enumerate.
+# ==============================================================================
+
+check_azure_roles() {
+    log_step "Step 1b: Checking Azure Roles & Permissions"
+
+    local sub_id user_id
+    sub_id=$(az account show --query id -o tsv 2>/dev/null || true)
+    user_id=$(az ad signed-in-user show --query id -o tsv 2>/dev/null || true)
+    if [[ -z "$sub_id" || -z "$user_id" ]]; then
+        log_warn "Could not determine subscription or user identity -- skipping role check."
+        return
+    fi
+
+    local scope="/subscriptions/$sub_id"
+    local roles_raw
+    roles_raw=$(az role assignment list --assignee "$user_id" --scope "$scope" \
+        --include-inherited --include-groups --query "[].roleDefinitionName" -o tsv 2>/dev/null || true)
+    if [[ -z "$roles_raw" ]]; then
+        log_warn "Unable to enumerate role assignments at $scope."
+        log_warn "Required: Contributor + (User Access Administrator OR Role Based Access Control Administrator), or Owner."
+        return
+    fi
+
+    local has_res_mgmt=false has_role_mgmt=false
+    while IFS= read -r r; do
+        case "$r" in
+            Owner) has_res_mgmt=true; has_role_mgmt=true ;;
+            Contributor) has_res_mgmt=true ;;
+            "User Access Administrator"|"Role Based Access Control Administrator") has_role_mgmt=true ;;
+        esac
+    done <<< "$roles_raw"
+
+    if $has_res_mgmt; then log_success "Resource management role found (Owner/Contributor)"
+    else log_warn "Missing 'Contributor' (or 'Owner') at subscription scope -- Azure resource updates may fail."; fi
+
+    if $has_role_mgmt; then log_success "Role-assignment permission found (Owner/UAA/RBAC Admin)"
+    else log_warn "Missing 'User Access Administrator' / 'Role Based Access Control Administrator' (or 'Owner') -- AcrPull role assignment may fail. Pass --skip-role-assignment if roles are already in place."; fi
+}
+
 # ==============================================================================
 # Step 2: Validate Resource Group & Discover Resources
 # ==============================================================================
@@ -576,21 +624,44 @@ build_and_push() {
     fi
 
     log_info "Logging into ACR: $ACR_NAME..."
-    az acr login --name "$ACR_NAME"
+    if ! az acr login --name "$ACR_NAME"; then
+        log_error "ACR login failed for '$ACR_NAME'."
+        log_error "  Likely causes:"
+        log_error "    - Your account lacks 'AcrPush' / 'Contributor' on the registry."
+        log_error "    - Docker daemon not running."
+        log_error "    - Tenant blocks docker-credential helpers (try: az acr login -n $ACR_NAME --expose-token)."
+        exit 1
+    fi
     log_success "ACR login successful"
 
     export DOCKER_BUILDKIT=1
 
+    # Track per-service success so a partial failure does not strand the others.
+    # Uses parallel arrays so we can iterate in order in the summary.
+    BUILD_RESULT_NAMES=()
+    BUILD_RESULT_STATUS=()
+    _record_build_result() { BUILD_RESULT_NAMES+=("$1"); BUILD_RESULT_STATUS+=("$2"); }
+
     if [[ "$DEPLOY_BACKEND" == true ]]; then
         local full_image="$ACR_LOGIN_SERVER/$BACKEND_IMAGE_NAME:$IMAGE_TAG"
         log_info "Building backend image: $full_image"
         if [[ "$DRY_RUN" == true ]]; then
             log_info "[DRY RUN] Would build: docker build -t $full_image $BACKEND_DIR"
+            _record_build_result backend dry-run
+        elif ! docker build -t "$full_image" "$(_winpath "$BACKEND_DIR")"; then
+            log_error "Backend image build FAILED -- continuing with other services"
+            _record_build_result backend build-failed
+            DEPLOY_BACKEND=false
         else
-            docker build -t "$full_image" "$(_winpath "$BACKEND_DIR")"
             log_success "Backend image built"
-            docker push "$full_image"
-            log_success "Backend image pushed: $full_image"
+            if ! docker push "$full_image"; then
+                log_error "Backend image push FAILED -- continuing with other services"
+                _record_build_result backend push-failed
+                DEPLOY_BACKEND=false
+            else
+                log_success "Backend image pushed: $full_image"
+                _record_build_result backend ok
+            fi
         fi
     fi
 
@@ -599,11 +670,21 @@ build_and_push() {
         log_info "Building MCP image: $full_image"
         if [[ "$DRY_RUN" == true ]]; then
             log_info "[DRY RUN] Would build: docker build -t $full_image $MCP_DIR"
+            _record_build_result mcp dry-run
+        elif ! docker build -t "$full_image" "$(_winpath "$MCP_DIR")"; then
+            log_error "MCP image build FAILED -- continuing with other services"
+            _record_build_result mcp build-failed
+            DEPLOY_MCP=false
         else
-            docker build -t "$full_image" "$(_winpath "$MCP_DIR")"
             log_success "MCP image built"
-            docker push "$full_image"
-            log_success "MCP image pushed: $full_image"
+            if ! docker push "$full_image"; then
+                log_error "MCP image push FAILED -- continuing with other services"
+                _record_build_result mcp push-failed
+                DEPLOY_MCP=false
+            else
+                log_success "MCP image pushed: $full_image"
+                _record_build_result mcp ok
+            fi
         fi
     fi
 
@@ -612,14 +693,34 @@ build_and_push() {
         log_info "Building frontend image: $full_image"
         if [[ "$DRY_RUN" == true ]]; then
             log_info "[DRY RUN] Would build: docker build -t $full_image $FRONTEND_DIR"
+            _record_build_result frontend dry-run
+        elif ! docker build -t "$full_image" "$(_winpath "$FRONTEND_DIR")"; then
+            log_error "Frontend image build FAILED -- continuing with other services"
+            _record_build_result frontend build-failed
+            DEPLOY_FRONTEND=false
         else
-            docker build -t "$full_image" "$(_winpath "$FRONTEND_DIR")"
             log_success "Frontend image built"
-            docker push "$full_image"
-            log_success "Frontend image pushed: $full_image"
+            if ! docker push "$full_image"; then
+                log_error "Frontend image push FAILED -- continuing with other services"
+                _record_build_result frontend push-failed
+                DEPLOY_FRONTEND=false
+            else
+                log_success "Frontend image pushed: $full_image"
+                _record_build_result frontend ok
+            fi
         fi
     fi
 
+    # If all selected services failed to build/push, bail before touching Azure resources
+    local ok_count=0 i
+    for i in "${BUILD_RESULT_STATUS[@]}"; do
+        if [[ "$i" == "ok" || "$i" == "dry-run" ]]; then ok_count=$((ok_count + 1)); fi
+    done
+    if [[ ${#BUILD_RESULT_STATUS[@]} -gt 0 && $ok_count -eq 0 ]]; then
+        log_error "All image builds/pushes failed -- aborting before touching Azure resources."
+        exit 1
+    fi
+
     if [[ "$BUILD_ONLY" == true ]]; then
         log_success "Build & push complete (--build-only mode, skipping Azure update)"
         return
@@ -810,6 +911,18 @@ print_summary() {
     echo "  Image Tag:       $IMAGE_TAG"
     echo ""
 
+    if [[ ${#BUILD_RESULT_NAMES[@]:-0} -gt 0 ]]; then
+        echo "  Build results:"
+        local i name status glyph
+        for i in "${!BUILD_RESULT_NAMES[@]}"; do
+            name="${BUILD_RESULT_NAMES[$i]}"
+            status="${BUILD_RESULT_STATUS[$i]}"
+            if [[ "$status" == "ok" || "$status" == "dry-run" ]]; then glyph="[OK]  "; else glyph="[FAIL]"; fi
+            printf "    %s %-9s %s\n" "$glyph" "$name" "$status"
+        done
+        echo ""
+    fi
+
     if [[ "$DEPLOY_BACKEND" == true && -n "$BACKEND_CA" ]]; then
         echo "  Backend:         $ACR_LOGIN_SERVER/$BACKEND_IMAGE_NAME:$IMAGE_TAG"
     fi
@@ -876,6 +989,7 @@ main() {
 
     parse_args "$@"
     check_prerequisites
+    check_azure_roles
     validate_and_discover
     resolve_acr
     determine_services