[DO NOT MERGE] Working Branch for Cleanup

.devcontainer/devcontainer.json

@@ -1,67 +1,67 @@
-{
-    "name": "Azure Developer CLI",
-    "image": "mcr.microsoft.com/devcontainers/go:1.4.1-bullseye",
-    "features": {
-        // terraform and az (required for auth) are installed by default
-        // See https://containers.dev/features for list of features
-        "ghcr.io/devcontainers/features/python:1" : {},
-        "ghcr.io/devcontainers/features/powershell:1": {},
-        "ghcr.io/devcontainers/features/azure-cli:1": {},
-        "ghcr.io/devcontainers/features/github-cli:1": {},
-        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
-        "ghcr.io/devcontainers/features/terraform:1": {
-            "installTFsec": true
-        },
-        "ghcr.io/devcontainers/features/dotnet:2": {
-            "version": "9.0"
-        },
-        "ghcr.io/azure/azure-dev/azd:latest": {
-            "version": "1.20.0"
-        },
-        "./features/dev-tools": {}
-    },
-    "customizations": {
-        "vscode": {
-            "extensions": [
-                "GitHub.vscode-github-actions",
-                "hashicorp.terraform",
-                "ms-azuretools.azure-dev",
-                "ms-azuretools.vscode-docker",
-                "GitHub.copilot",  
-                "GitHub.copilot-chat",
-                "ms-vscode.makefile-tools",  
-                "DavidAnson.vscode-markdownlint",
-                "golang.go",
-                "ms-azuretools.vscode-azureterraform",
-                "terraform-linters.tflint-vscode",
-                "ms-vscode.azurecli",
-                "bierner.markdown-mermaid",
-                "ms-dotnettools.csharp",
-                "ms-dotnettools.vscode-dotnet-runtime"
-
-                // Include other VSCode extensions if needed. Right click on an extension inside VSCode
-                // to add directly to devcontainer.json, or copy the extension ID
-            ],
-            "settings": {
-                "terraform.languageServer.enable":true,
-                "tflint.enable": true,
-                "tflint.validateOnSave": true
-            }
-        }
-    },
-    "forwardPorts": [
-        // Forward ports if needed for local development
-    ],
-    "containerEnv": {
-        "POWER_PLATFORM_USE_CLI": "true",
-        "DOTNET_CLI_TELEMETRY_OPTOUT": "1"
-    },
-    "remoteEnv": {
-        "PATH": "${containerEnv:PATH}:/home/vscode/.local/bin"
-    },
-    "postCreateCommand": "sh .devcontainer/postCreate.sh",
-    "remoteUser": "vscode",
-    "hostRequirements": {
-        "memory": "8gb"
-    }
-}
+{
+    "name": "Azure Developer CLI",
+    "image": "mcr.microsoft.com/devcontainers/go:1.4.1-bullseye",
+    "features": {
+        // terraform and az (required for auth) are installed by default
+        // See https://containers.dev/features for list of features
+        "ghcr.io/devcontainers/features/python:1" : {},
+        "ghcr.io/devcontainers/features/powershell:1": {},
+        "ghcr.io/devcontainers/features/azure-cli:1": {},
+        "ghcr.io/devcontainers/features/github-cli:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers/features/terraform:1": {
+            "installTFsec": true
+        },
+        "ghcr.io/devcontainers/features/dotnet:2": {
+            "version": "9.0"
+        },
+        "ghcr.io/azure/azure-dev/azd:latest": {
+            "version": "1.20.0"
+        },
+        "./features/dev-tools": {}
+    },
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "GitHub.vscode-github-actions",
+                "hashicorp.terraform",
+                "ms-azuretools.azure-dev",
+                "ms-azuretools.vscode-docker",
+                "GitHub.copilot",  
+                "GitHub.copilot-chat",
+                "ms-vscode.makefile-tools",  
+                "DavidAnson.vscode-markdownlint",
+                "golang.go",
+                "ms-azuretools.vscode-azureterraform",
+                "terraform-linters.tflint-vscode",
+                "ms-vscode.azurecli",
+                "bierner.markdown-mermaid",
+                "ms-dotnettools.csharp",
+                "ms-dotnettools.vscode-dotnet-runtime"
+
+                // Include other VSCode extensions if needed. Right click on an extension inside VSCode
+                // to add directly to devcontainer.json, or copy the extension ID
+            ],
+            "settings": {
+                "terraform.languageServer.enable":true,
+                "tflint.enable": true,
+                "tflint.validateOnSave": true
+            }
+        }
+    },
+    "forwardPorts": [
+        // Forward ports if needed for local development
+    ],
+    "containerEnv": {
+        "POWER_PLATFORM_USE_CLI": "true",
+        "DOTNET_CLI_TELEMETRY_OPTOUT": "1"
+    },
+    "remoteEnv": {
+        "PATH": "${containerEnv:PATH}:/home/vscode/.local/bin"
+    },
+    "postCreateCommand": "sh .devcontainer/postCreate.sh",
+    "remoteUser": "vscode",
+    "hostRequirements": {
+        "memory": "8gb"
+    }
+}

.github/workflows/azure-dev-down.yml

@@ -58,6 +58,8 @@ jobs:
           POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           POWER_PLATFORM_USE_OIDC: "true"
 
+          RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }}
+
           ARM_USE_AZUREAD: "true"
           ARM_STORAGE_USE_AZUREAD: "true"
           ARM_USE_OIDC: "true"

.github/workflows/azure-dev.yml

@@ -116,6 +116,7 @@ jobs:
         with:
           add-tools-to-path: true
 
+
       - name: Install Power Platform CLI
         run: |
           pac help
@@ -253,4 +254,4 @@ jobs:
               --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged"
           else
             echo "OpenAI resource information not found in environment outputs. Skipping purge."
-          fi
+          fi

infra/main.network.tf

@@ -482,6 +482,19 @@ resource "azurerm_network_security_group" "deployment_script_nsg" {
     destination_address_prefix = "Storage"
   }
 
+  # Allow Azure Files SMB access for script volume mounts
+  security_rule {
+    name                       = "Allow-Storage-SMB-Outbound"
+    priority                   = 112
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "445"
+    source_address_prefixes    = var.deployment_script_subnet_address_spaces
+    destination_address_prefix = "Storage"
+  }
+
   # Allow Azure AI Search access (via private endpoint)
   security_rule {
     name                         = "Allow-AISearch-Outbound"

infra/main.search_configuration.tf

@@ -48,6 +48,109 @@ resource "azurerm_storage_account" "deployment_container" {
   ]
 }
 
+# Enable diagnostic logging for deployment container storage account
+resource "azapi_resource" "deployment_container_diagnostics" {
+  count = var.include_log_analytics ? 1 : 0
+
+  type      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+  name      = "deployment-container-diagnostics"
+  parent_id = azurerm_storage_account.deployment_container.id
+
+  body = {
+    properties = {
+      workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+      metrics = [
+        {
+          category = "Transaction"
+          enabled  = true
+        },
+        {
+          category = "Capacity"
+          enabled  = true
+        }
+      ]
+    }
+  }
+}
+
+# Enable diagnostic logging for blob service
+resource "azapi_resource" "deployment_container_blob_diagnostics" {
+  count = var.include_log_analytics ? 1 : 0
+
+  type      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+  name      = "deployment-container-blob-diagnostics"
+  parent_id = "${azurerm_storage_account.deployment_container.id}/blobServices/default"
+
+  body = {
+    properties = {
+      workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+      logs = [
+        {
+          category = "StorageRead"
+          enabled  = true
+        },
+        {
+          category = "StorageWrite"
+          enabled  = true
+        },
+        {
+          category = "StorageDelete"
+          enabled  = true
+        }
+      ]
+      metrics = [
+        {
+          category = "Transaction"
+          enabled  = true
+        },
+        {
+          category = "Capacity"
+          enabled  = true
+        }
+      ]
+    }
+  }
+}
+
+# Enable diagnostic logging for file service (used by Deployment Scripts)
+resource "azapi_resource" "deployment_container_file_diagnostics" {
+  count = var.include_log_analytics ? 1 : 0
+
+  type      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
+  name      = "deployment-container-file-diagnostics"
+  parent_id = "${azurerm_storage_account.deployment_container.id}/fileServices/default"
+
+  body = {
+    properties = {
+      workspaceId = azurerm_log_analytics_workspace.monitoring[0].id
+      logs = [
+        {
+          category = "StorageRead"
+          enabled  = true
+        },
+        {
+          category = "StorageWrite"
+          enabled  = true
+        },
+        {
+          category = "StorageDelete"
+          enabled  = true
+        }
+      ]
+      metrics = [
+        {
+          category = "Transaction"
+          enabled  = true
+        },
+        {
+          category = "Capacity"
+          enabled  = true
+        }
+      ]
+    }
+  }
+}
+
 # Force recreation of Python scripts on each deployment
 resource "terraform_data" "force_script_update" {
   input = local.deployment_timestamp