diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 43fcaf25..5df919f9 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,67 +1,67 @@
-{
- "name": "Azure Developer CLI",
- "image": "mcr.microsoft.com/devcontainers/go:1.4.1-bullseye",
- "features": {
- // terraform and az (required for auth) are installed by default
- // See https://containers.dev/features for list of features
- "ghcr.io/devcontainers/features/python:1" : {},
- "ghcr.io/devcontainers/features/powershell:1": {},
- "ghcr.io/devcontainers/features/azure-cli:1": {},
- "ghcr.io/devcontainers/features/github-cli:1": {},
- "ghcr.io/devcontainers/features/docker-in-docker:2": {},
- "ghcr.io/devcontainers/features/terraform:1": {
- "installTFsec": true
- },
- "ghcr.io/devcontainers/features/dotnet:2": {
- "version": "9.0"
- },
- "ghcr.io/azure/azure-dev/azd:latest": {
- "version": "1.20.0"
- },
- "./features/dev-tools": {}
- },
- "customizations": {
- "vscode": {
- "extensions": [
- "GitHub.vscode-github-actions",
- "hashicorp.terraform",
- "ms-azuretools.azure-dev",
- "ms-azuretools.vscode-docker",
- "GitHub.copilot",
- "GitHub.copilot-chat",
- "ms-vscode.makefile-tools",
- "DavidAnson.vscode-markdownlint",
- "golang.go",
- "ms-azuretools.vscode-azureterraform",
- "terraform-linters.tflint-vscode",
- "ms-vscode.azurecli",
- "bierner.markdown-mermaid",
- "ms-dotnettools.csharp",
- "ms-dotnettools.vscode-dotnet-runtime"
-
- // Include other VSCode extensions if needed. Right click on an extension inside VSCode
- // to add directly to devcontainer.json, or copy the extension ID
- ],
- "settings": {
- "terraform.languageServer.enable":true,
- "tflint.enable": true,
- "tflint.validateOnSave": true
- }
- }
- },
- "forwardPorts": [
- // Forward ports if needed for local development
- ],
- "containerEnv": {
- "POWER_PLATFORM_USE_CLI": "true",
- "DOTNET_CLI_TELEMETRY_OPTOUT": "1"
- },
- "remoteEnv": {
- "PATH": "${containerEnv:PATH}:/home/vscode/.local/bin"
- },
- "postCreateCommand": "sh .devcontainer/postCreate.sh",
- "remoteUser": "vscode",
- "hostRequirements": {
- "memory": "8gb"
- }
-}
+{
+ "name": "Azure Developer CLI",
+ "image": "mcr.microsoft.com/devcontainers/go:1.4.1-bullseye",
+ "features": {
+ // terraform and az (required for auth) are installed by default
+ // See https://containers.dev/features for list of features
+ "ghcr.io/devcontainers/features/python:1" : {},
+ "ghcr.io/devcontainers/features/powershell:1": {},
+ "ghcr.io/devcontainers/features/azure-cli:1": {},
+ "ghcr.io/devcontainers/features/github-cli:1": {},
+ "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+ "ghcr.io/devcontainers/features/terraform:1": {
+ "installTFsec": true
+ },
+ "ghcr.io/devcontainers/features/dotnet:2": {
+ "version": "9.0"
+ },
+ "ghcr.io/azure/azure-dev/azd:latest": {
+ "version": "1.20.0"
+ },
+ "./features/dev-tools": {}
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "GitHub.vscode-github-actions",
+ "hashicorp.terraform",
+ "ms-azuretools.azure-dev",
+ "ms-azuretools.vscode-docker",
+ "GitHub.copilot",
+ "GitHub.copilot-chat",
+ "ms-vscode.makefile-tools",
+ "DavidAnson.vscode-markdownlint",
+ "golang.go",
+ "ms-azuretools.vscode-azureterraform",
+ "terraform-linters.tflint-vscode",
+ "ms-vscode.azurecli",
+ "bierner.markdown-mermaid",
+ "ms-dotnettools.csharp",
+ "ms-dotnettools.vscode-dotnet-runtime"
+
+ // Include other VSCode extensions if needed. Right click on an extension inside VSCode
+ // to add directly to devcontainer.json, or copy the extension ID
+ ],
+ "settings": {
+ "terraform.languageServer.enable":true,
+ "tflint.enable": true,
+ "tflint.validateOnSave": true
+ }
+ }
+ },
+ "forwardPorts": [
+ // Forward ports if needed for local development
+ ],
+ "containerEnv": {
+ "POWER_PLATFORM_USE_CLI": "true",
+ "DOTNET_CLI_TELEMETRY_OPTOUT": "1"
+ },
+ "remoteEnv": {
+ "PATH": "${containerEnv:PATH}:/home/vscode/.local/bin"
+ },
+ "postCreateCommand": "sh .devcontainer/postCreate.sh",
+ "remoteUser": "vscode",
+ "hostRequirements": {
+ "memory": "8gb"
+ }
+}
diff --git a/.github/workflows/azure-dev-down.yml b/.github/workflows/azure-dev-down.yml
index 60567257..d6901184 100644
--- a/.github/workflows/azure-dev-down.yml
+++ b/.github/workflows/azure-dev-down.yml
@@ -58,6 +58,8 @@ jobs: POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} POWER_PLATFORM_USE_OIDC: "true" + RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} + ARM_USE_AZUREAD: "true" ARM_STORAGE_USE_AZUREAD: "true" ARM_USE_OIDC: "true"
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
index 4395c5aa..35d194b0 100644
--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
@@ -116,6 +116,7 @@ jobs: with: add-tools-to-path: true + - name: Install Power Platform CLI run: | pac help
@@ -253,4 +254,4 @@ jobs:
 --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged"
 else
 echo "OpenAI resource information not found in environment outputs. Skipping purge."
- fi
+ fi
diff --git a/infra/main.network.tf b/infra/main.network.tf
index 23bfe748..41b7ffff 100644
--- a/infra/main.network.tf
+++ b/infra/main.network.tf
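Review bot: `ARM_USE_AZUREAD: "true"` in the azure-dev-down.yml hunk is read by the azurerm state *backend* (its `use_azuread_auth` setting), not by the provider, which already takes `ARM_STORAGE_USE_AZUREAD` on the next line; provider.tf in this same commit declares `backend "local"`, so unless azd or a backend override configures an azurerm backend at init time the new variable is inert. If remote state is in use, the workflow's OIDC identity then needs a blob data-plane RBAC role on the state container, because Entra ID auth bypasses shared-key access and fails with 403 otherwise. A one-line comment would save the next reader the lookup: `# ARM_USE_AZUREAD: Entra ID auth for the azurerm state backend (needs Storage Blob Data Contributor on the state container)`. The `env:` block these lines belong to starts and ends outside the hunk.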
@@ -482,6 +482,19 @@ resource "azurerm_network_security_group" "deployment_script_nsg" {
 destination_address_prefix = "Storage"
 }
+ # Allow Azure Files SMB access for script volume mounts
+ security_rule {
+ name = "Allow-Storage-SMB-Outbound"
+ priority = 112
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "445"
+ source_address_prefixes = var.deployment_script_subnet_address_spaces
+ destination_address_prefix = "Storage"
+ }
+
 # Allow Azure AI Search access (via private endpoint)
 security_rule {
 name = "Allow-AISearch-Outbound"
diff --git a/infra/main.search_configuration.tf b/infra/main.search_configuration.tf
index 84ac4de0..8b614030 100644
--- a/infra/main.search_configuration.tf
+++ b/infra/main.search_configuration.tf
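Review bot: The new `Allow-Storage-SMB-Outbound` rule uses the unregioned `Storage` service tag as `destination_address_prefix`, which covers storage endpoints in every Azure region, so the deployment-script subnet may open SMB to any storage account, not only the deployment container account whose file share it mounts. The context line above shows the existing 443 rule already uses the same tag, so this is consistent with the current posture, but 445 egress is the more valuable channel to narrow: at minimum scope both rules to the regional tag, `destination_address_prefix = "Storage.<REGION>"`, and if the deployment container account is reached through a private endpoint (the next rule's comment suggests that pattern is already in use for AI Search) the endpoint address is the tighter destination. The comment on the rule would also help a reviewer if it named the consumer, e.g. `# Allow Azure Files SMB (TCP 445) so Deployment Scripts can mount the script share from the deployment container account`. The enclosing `deployment_script_nsg` resource starts and ends outside the hunk.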
@@ -48,6 +48,109 @@ resource "azurerm_storage_account" "deployment_container" {
 ]
 }
+# Enable diagnostic logging for deployment container storage account
+resource "azapi_resource" "deployment_container_diagnostics" {
+ count = var.include_log_analytics ? 1 : 0
+
+ type = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+ name = "deployment-container-diagnostics"
+ parent_id = azurerm_storage_account.deployment_container.id
+
+ body = {
+ properties = {
+ workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+ metrics = [
+ {
+ category = "Transaction"
+ enabled = true
+ },
+ {
+ category = "Capacity"
+ enabled = true
+ }
+ ]
+ }
+ }
+}
+
+# Enable diagnostic logging for blob service
+resource "azapi_resource" "deployment_container_blob_diagnostics" {
+ count = var.include_log_analytics ? 1 : 0
+
+ type = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+ name = "deployment-container-blob-diagnostics"
+ parent_id = "${azurerm_storage_account.deployment_container.id}/blobServices/default"
+
+ body = {
+ properties = {
+ workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+ logs = [
+ {
+ category = "StorageRead"
+ enabled = true
+ },
+ {
+ category = "StorageWrite"
+ enabled = true
+ },
+ {
+ category = "StorageDelete"
+ enabled = true
+ }
+ ]
+ metrics = [
+ {
+ category = "Transaction"
+ enabled = true
+ },
+ {
+ category = "Capacity"
+ enabled = true
+ }
+ ]
+ }
+ }
+}
+
+# Enable diagnostic logging for file service (used by Deployment Scripts)
+resource "azapi_resource" "deployment_container_file_diagnostics" {
+ count = var.include_log_analytics ? 1 : 0
+
+ type = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+ name = "deployment-container-file-diagnostics"
+ parent_id = "${azurerm_storage_account.deployment_container.id}/fileServices/default"
+
+ body = {
+ properties = {
+ workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+ logs = [
+ {
+ category = "StorageRead"
+ enabled = true
+ },
+ {
+ category = "StorageWrite"
+ enabled = true
+ },
+ {
+ category = "StorageDelete"
+ enabled = true
+ }
+ ]
+ metrics = [
+ {
+ category = "Transaction"
+ enabled = true
+ },
+ {
+ category = "Capacity"
+ enabled = true
+ }
+ ]
+ }
+ }
+}
+
 # Force recreation of Python scripts on each deployment
 resource "terraform_data" "force_script_update" {
 input = local.deployment_timestamp
diff --git a/infra/provider.tf b/infra/provider.tf
index 2d280fef..feacff42 100644
--- a/infra/provider.tf
+++ b/infra/provider.tf
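Review bot: `deployment_container_blob_diagnostics` and `deployment_container_file_diagnostics` are identical apart from the service path segment and the name, so a single resource with `for_each` over the two services removes 39 duplicated lines and keeps the log categories from drifting between the two services later. That matters for the file service in particular: it is the share Deployment Scripts mount, so its `StorageRead`/`StorageWrite`/`StorageDelete` logs are the audit trail for who read or altered the scripts that later run under the deployment identity, and the resource comment should say so rather than only "used by Deployment Scripts". The `[0]` index on `azurerm_log_analytics_workspace.monitoring` presumably relies on that resource carrying the same `var.include_log_analytics` count guard, which is outside this hunk; the account-level setting correctly declares only `metrics`, since log categories exist only at the service scope. The rewrite below keeps the existing resource names by keying the map on `blob`/`file`.
```hcl
# Diagnostic settings for the blob and file services of the deployment container
# account. The file service is the share Deployment Scripts mount, so its
# StorageRead/StorageWrite/StorageDelete logs record who read or changed the
# scripts before they ran; keep both services on the same category list.
resource "azapi_resource" "deployment_container_service_diagnostics" {
  for_each = { for k, v in { blob = "blobServices", file = "fileServices" } : k => v if var.include_log_analytics }

  type      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
  name      = "deployment-container-${each.key}-diagnostics"
  parent_id = "${azurerm_storage_account.deployment_container.id}/${each.value}/default"

  body = {
    properties = {
      workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
      logs        = [for c in ["StorageRead", "StorageWrite", "StorageDelete"] : { category = c, enabled = true }]
      metrics     = [for c in ["Transaction", "Capacity"] : { category = c, enabled = true }]
    }
  }
}
# … unchanged: deployment_container_diagnostics (account scope, metrics only) and force_script_update …
```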
@@ -1,95 +1,95 @@
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT license.
-
-# Configure desired versions of terraform, azurerm provider
-terraform {
- backend "local" {
- path = "terraform.tfstate"
- }
-}
-terraform {
- required_version = ">= 1.6.0, < 2.0.0"
- required_providers {
- azapi = {
- source = "Azure/azapi"
- version = "2.7.0"
- }
- azuread = {
- source = "hashicorp/azuread"
- version = "3.6.0"
- }
- azurerm = {
- source = "hashicorp/azurerm"
- version = "4.48.0"
- }
- modtm = {
- source = "Azure/modtm"
- version = "~> 0.3.2"
- }
- powerplatform = {
- source = "microsoft/power-platform"
- version = "3.9.1"
- }
- random = {
- source = "hashicorp/random"
- version = "~> 3.7.2"
- }
- time = {
- source = "hashicorp/time"
- version = "0.13.1"
- }
- azurecaf = {
- source = "aztfmod/azurecaf"
- version = "1.2.31"
- }
- }
-}
-
-# Enable features for azurerm
-provider "azurerm" {
- features {
- key_vault {
- purge_soft_delete_on_destroy = false
- }
- resource_group {
- prevent_deletion_if_contains_resources = false
- }
-
- }
-
- # Keep Azure AD authentication for storage
- storage_use_azuread = true
-
- # partner_id enables anonymous telemetry that helps us justify ongoing investment in maintaining and improving this template.
- # Keeping this line supports the project and future feature development. To opt out of telemetry, simply remove the line below.
- partner_id = "acce1e78-90a1-4306-89d1-a03ed6284007"
-}
-
-provider "azapi" {
- # partner_id enables anonymous telemetry that helps us justify ongoing investment in maintaining and improving this template.
- # Keeping this line supports the project and future feature development. To opt out of telemetry, simply remove the line below.
- partner_id = "acce1e78-90a1-4306-89d1-a03ed6284007"
-}
-
-# Access client_id, tenant_id, subscription_id and object_id configuration values
-data "azurerm_client_config" "current" {}
-
-# Configure Power Platform provider
-provider "powerplatform" {
- # PowerPlatform provider will use the same credentials as Azure provider by default
- use_cli = true
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+# Configure desired versions of terraform, azurerm provider
+terraform {
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
+terraform {
+ required_version = ">= 1.6.0, < 2.0.0"
+ required_providers {
+ azapi = {
+ source = "Azure/azapi"
+ version = "2.7.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "3.6.0"
+ }
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "4.48.0"
+ }
+ modtm = {
+ source = "Azure/modtm"
+ version = "~> 0.3.2"
+ }
+ powerplatform = {
+ source = "microsoft/power-platform"
+ version = "3.9.1"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.7.2"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.13.1"
+ }
+ azurecaf = {
+ source = "aztfmod/azurecaf"
+ version = "1.2.31"
+ }
+ }
+}
+
+# Enable features for azurerm
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+
+ }
+
+ # Keep Azure AD authentication for storage
+ storage_use_azuread = true
+
+ # partner_id enables anonymous telemetry that helps us justify ongoing investment in maintaining and improving this template.
+ # Keeping this line supports the project and future feature development. To opt out of telemetry, simply remove the line below.
+ partner_id = "acce1e78-90a1-4306-89d1-a03ed6284007"
+}
+
+provider "azapi" {
+ # partner_id enables anonymous telemetry that helps us justify ongoing investment in maintaining and improving this template.
+ # Keeping this line supports the project and future feature development. To opt out of telemetry, simply remove the line below.
+ partner_id = "acce1e78-90a1-4306-89d1-a03ed6284007"
+}
+
+# Access client_id, tenant_id, subscription_id and object_id configuration values
+data "azurerm_client_config" "current" {}
+
+# Configure Power Platform provider
+provider "powerplatform" {
+ # PowerPlatform provider will use the same credentials as Azure provider by default
+ use_cli = true
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+