Deployment updates#815

Merged
paullizer merged 10 commits into Development from deployment-updates on Mar 31, 2026
Conversation

@paullizer
Contributor

No description provided.

Copilot AI review requested due to automatic review settings March 31, 2026 17:58
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the repo’s deployment tooling and documentation across AZD/Bicep, Azure CLI/PowerShell, and Terraform—mainly to improve private networking parity, make deployments more repeatable (especially under MFA/claims challenges), and reduce reliance on Key Vault for “core service” key-auth configuration.

Changes:

  • Expanded deployment docs (main README, Bicep, Azure CLI, Terraform) with clearer shell/platform guidance, private networking runner connectivity guidance, and OpenAI deployment-type notes.
  • Added multiple functional regression tests that assert key deployment behaviors by scanning deployer scripts/templates.
  • Refactored deployment-time configuration to retrieve core keys directly from Azure resources / Azure CLI and added Terraform private networking support (VNets, private endpoints, private DNS handling).

Reviewed changes

Copilot reviewed 68 out of 71 changed files in this pull request and generated 13 comments.

File Description
README.md Adds Azure CLI deployer reference + PowerShell-first quickstart and prerequisites guidance.
deployers/azure.yaml Adds/updates AZD hooks (preprovision validation, postprovision behavior, Windows hook coverage).
functional_tests/test_postprovision_python_dependency_install.py Regression test for venv-aware pip install logic in postprovision hook.
functional_tests/test_postconfig_azurecli_credential.py Regression test ensuring postconfig uses AzureCliCredential and Cosmos key fallback.
functional_tests/test_enhanced_citations_storage_deployment_fix.py Regression test ensuring storage connection string population for enhanced citations + version check.
functional_tests/test_core_service_key_deployment_path.py Regression test for “core service keys from Azure resources (not KV)” + version check.
functional_tests/test_azurecli_aoai_model_deployments.py Regression test for Azure CLI deployer AOAI model deployment support and docs.
functional_tests/test_azd_windows_hooks.py Regression test for required Windows AZD hook behavior and Cosmos/ACR handling.
functional_tests/test_azd_prerequisites_allowed_ip_auto_merge.py Regression test for auto-merging runner public IP into AZD env before provisioning.
functional_tests/test_acr_trusted_services_bypass.py Regression test for ACR trusted services bypass + build/run polling behavior.
docs/how-to/enterprise_networking.md Adds “deployment runner connectivity” guidance for private endpoint reachability.
docs/explanation/fixes/v0.237.064/POSTPROVISION_VENV_PIP_USER_FIX.md Fix doc for avoiding pip --user inside venv during postprovision.
docs/explanation/fixes/v0.237.063/WINDOWS_ACR_LOG_STREAM_ENCODING_FIX.md Fix doc for Windows ACR log streaming Unicode encode failures.
docs/explanation/fixes/v0.237.062/ACR_DEPLOYMENT_TIME_PUBLIC_ACCESS_FIX.md Fix doc for allowing ACR access during build until final lockdown.
docs/explanation/fixes/v0.237.061/ACR_PREDEPLOY_TEMPORARY_FIREWALL_OPEN_FIX.md Fix doc for temporary ACR firewall changes during predeploy (historical).
docs/explanation/fixes/v0.237.060/COSMOS_FIREWALL_MFA_FALLBACK_ACCESS_CHECK_FIX.md Fix doc for Cosmos firewall MFA fallback access probing.
docs/explanation/fixes/v0.237.059/COSMOS_FIREWALL_CIDR_PROPAGATION_FIX.md Fix doc for CIDR matching + propagation wait behavior.
docs/explanation/fixes/v0.237.058/ACR_TASKS_TRUSTED_AZURE_SERVICES_FIX.md Fix doc for ACR Tasks access via trusted Azure services bypass.
docs/explanation/fixes/v0.237.057/AZD_POSTPROVISION_COSMOS_ACCESS_PROBE_FIX.md Fix doc for Cosmos data-plane probe short-circuiting.
docs/explanation/fixes/v0.237.056/AZD_PRIVATE_NETWORK_RUNNER_IP_PRIMING_FIX.md Fix doc for runner IP priming before provisioning.
docs/explanation/fixes/v0.237.055/AZD_POSTPROVISION_MFA_COSMOS_GUIDANCE_FIX.md Fix doc for surfacing MFA-specific Cosmos guidance.
docs/explanation/fixes/v0.237.054/AZD_POSTPROVISION_COSMOS_FIREWALL_RUNNER_ACCESS_FIX.md Fix doc for adding runner IP to Cosmos firewall during hook execution.
docs/explanation/fixes/v0.237.053/AZD_POSTPROVISION_COSMOS_KEY_FALLBACK_FIX.md Fix doc for Cosmos key fallback to avoid RBAC propagation timing.
docs/explanation/fixes/v0.237.052/POSTCONFIG_AZURECLI_CREDENTIAL_FIX.md Fix doc for switching postconfig to AzureCliCredential.
docs/explanation/fixes/v0.237.051/AZD_WINDOWS_SUBSCRIPTION_TARGETING_FIX.md Fix doc for subscription-pinned Azure CLI calls on Windows hooks.
docs/explanation/fixes/v0.237.050/AZD_WINDOWS_RGNAME_RESOLUTION_FIX.md Fix doc for Windows resource group name resolution fallback.
docs/explanation/fixes/v0.237.049/AZD_WINDOWS_POSTPROVISION_HOOK_FIX.md Fix doc for missing Windows hook definitions.
docs/explanation/fixes/ENHANCED_CITATIONS_STORAGE_CONNECTION_STRING_FIX.md Fix doc for ensuring enhanced citations storage connection string persistence.
docs/explanation/fixes/CORE_SERVICE_KEY_DEPLOYMENT_FIX.md Fix doc for core-service key retrieval directly from Azure resources.
docs/explanation/features/v0.237.001/PRIVATE_NETWORKING_SUPPORT.md Adds “deployment runner access” guidance to private networking feature doc.
docs/explanation/features/TERRAFORM_PRIVATE_NETWORKING_PARITY.md Feature doc describing Terraform private networking parity scope.
docs/explanation/features/AZURECLI_PRIVATE_NETWORKING_PARITY.md Feature doc describing Azure CLI deployer private networking parity scope.
docs/explanation/features/AZURECLI_AOAI_MODEL_DEPLOYMENTS.md Feature doc describing AOAI model deployment creation via Azure CLI deployer.
docs/explanation/features/ACR_BUILD_WORKFLOW_FOR_DEPLOYERS.md Feature doc describing ACR Tasks-based build workflow across deployers.
deployers/terraform/ReadMe.md Updates Terraform deployer docs (private networking notes, OpenAI reuse, image build guidance).
deployers/terraform/private_networking.tf Adds Terraform resources/logic for VNets, subnets, private endpoints, and private DNS zone reuse/linking.
deployers/terraform/.terraform.lock.hcl Updates provider locks (adds azapi and bumps provider versions).
deployers/Initialize-EntraApplication.ps1 Adds cloud selection/auth improvements + permission grant handling + interactive input validation.
deployers/Initialize-AzureEnvironment.ps1 Adds existing OpenAI reuse options + cloud selection/auth + outputs ACR build guidance.
deployers/bicep/validate_azd_prerequisites.py New preprovision script to validate private networking prerequisites and persist runner IP to AZD env.
deployers/bicep/README.md Updates Bicep deployer docs (shell correctness, ACR build, private DNS + existing VNet guidance, OpenAI deployment type).
deployers/bicep/postconfig.py Refactors postconfig to use Azure CLI + direct resource key retrieval, plus enhanced citations storage connection string handling.
deployers/bicep/OneClickDeploy.md Adds upfront private networking/existing VNet prerequisite warnings for one-click deployments.
deployers/bicep/modules/videoIndexer.bicep Adds selectable Video Indexer ARM API version path (legacy vs current).
deployers/bicep/modules/speechService.bicep Removes deployment-time Key Vault secret storage for speech keys.
deployers/bicep/modules/setPermissions.bicep Adds cross-RG/sub OpenAI permission path and conditional Video Indexer/OpenAI integration behavior.
deployers/bicep/modules/setPermissions-openAIExternal.bicep New module to assign OpenAI roles when OpenAI is in a different RG/subscription.
deployers/bicep/modules/search.bicep Removes deployment-time Key Vault secret storage for search key.
deployers/bicep/modules/redisCache.bicep Removes deployment-time Key Vault secret storage for Redis key.
deployers/bicep/modules/privateNetworking.bicep Adds private DNS zone reuse and optional VNet link creation; supports external OpenAI resource scoping.
deployers/bicep/modules/privateDNSLink.bicep New module to create VNet links in an existing private DNS zone scope.
deployers/bicep/modules/privateDNS.bicep Adds support for existing private DNS zone reuse and optional link creation.
deployers/bicep/modules/openAI.bicep Adds “existing OpenAI endpoint/resource metadata” flow; skips provisioning/models when reusing endpoint.
deployers/bicep/modules/documentIntelligence.bicep Removes deployment-time Key Vault secret storage for doc intel keys.
deployers/bicep/modules/cosmosDb.bicep Removes deployment-time Key Vault secret storage for Cosmos key.
deployers/bicep/modules/contentSafety.bicep Removes deployment-time Key Vault secret storage for content safety key.
deployers/bicep/modules/azureContainerRegistry.bicep Adjusts ACR networking defaults and enables trusted Azure services bypass; removes KV secret storage.
deployers/bicep/modules/appService.bicep Switches key-auth settings to direct listKeys/listCredentials values; adds Video Indexer env settings.
deployers/bicep/main.parameters.json Adds new parameters for existing VNet/subnets, OpenAI reuse, OpenAI deployment type, Video Indexer overrides.
deployers/bicep/main.bicep Adds new private networking reuse params, private DNS configs, OpenAI reuse options, default model logic, and default imageName.
deployers/bicep/cosmosDb-postDeployPerms.sh Adds MFA/“already exists” detection to role assignment flows.
deployers/azurecli/README.md Major expansion of Azure CLI deployer documentation (features, prerequisites, private networking, AOAI models, ACR build).
deployers/azurecli/destroy-simplechat.ps1 Adds cloud-aware token refresh targets + cleanup scope notes + new security group coverage.
application/single_app/route_backend_models.py Returns configured models for Foundry endpoints / missing resource metadata instead of hard failing.
application/single_app/functions_settings.py Makes default Video Indexer ARM API version environment/cloud-aware.
application/single_app/config.py Bumps application version to 0.240.004.
Files not reviewed (1)
  • deployers/terraform/.terraform.lock.hcl: Language not supported
Comments suppressed due to low confidence (1)

deployers/azure.yaml:223

  • The postprovision hook runs postconfig via .venv/bin/python3, but this workflow doesn’t create a .venv (and dependencies were installed via python3 -m pip ..., not into .venv). This will fail on fresh deployments. Consider invoking postconfig with the same interpreter used for the pip install step (or explicitly create/activate a venv before installing and running postconfig).
            echo ""
            echo "[3/4] Running post-deployment configuration..."
            if .venv/bin/python3 ./bicep/postconfig.py; then
                echo "✓ Post-deployment configuration completed"
            else
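The interpreter mismatch raised in the comment above is avoided by resolving the interpreter once and using it for both the dependency install and the postconfig run. This is an added shell example, not code from the PR; `resolve_python`, `run_postprovision` and the `requirements.txt` path are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the PR's hook): choose one interpreter for the whole
# postprovision flow so the hook never references a .venv/bin/python3 that
# was never created.

# Print the interpreter to use for deployment directory $1:
# the venv interpreter if a venv exists there, otherwise the system python3.
resolve_python() {
    if [ -x "$1/.venv/bin/python3" ]; then
        echo "$1/.venv/bin/python3"
    else
        echo "python3"
    fi
}

# Run the install step and the postconfig step with the same interpreter.
# The requirements.txt location is assumed; the postconfig path mirrors the
# ./bicep/postconfig.py call shown in the hook excerpt above.
run_postprovision() {
    py=$(resolve_python "$1")
    echo "[2/4] Installing dependencies with $py"
    "$py" -m pip install -r "$1/requirements.txt" || return 1
    echo "[3/4] Running post-deployment configuration..."
    "$py" "$1/bicep/postconfig.py" || return 1
}
```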

@paullizer paullizer merged commit 39343c3 into Development Mar 31, 2026
4 checks passed
@paullizer paullizer deleted the deployment-updates branch March 31, 2026 18:58