Merge branch 'main' into app-sample-end-to-end

Author: Seth

.devcontainer/devcontainer.json

@@ -4,8 +4,8 @@
     "image": "mcr.microsoft.com/devcontainers/python:3.10-bullseye",
     "features": {
         // See https://containers.dev/features for list of features
-        "ghcr.io/devcontainers/features/docker-in-docker:2": {
-        },
-        "ghcr.io/azure/azure-dev/azd:latest": {}
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/azure/azure-dev/azd:latest": {},
+        "ghcr.io/devcontainers/features/azure-cli:1": {}
     }
 }

.github/workflows/azure-dev.yml

@@ -25,14 +25,19 @@ jobs:
         uses: actions/checkout@v4
       - name: Install azd
         uses: Azure/setup-azd@v2
-      - name: Log in with Azure (Federated Credentials)
+      - name: Azure Developer CLI Login
         run: |
           azd auth login `
             --client-id "$Env:AZURE_CLIENT_ID" `
             --federated-credential-provider "github" `
             --tenant-id "$Env:AZURE_TENANT_ID" 
         shell: pwsh
-
+      - name: Azure CLI Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
       - name: Provision Infrastructure
         run: azd provision --no-prompt
         env:

.gitignore

@@ -1,3 +1,4 @@
 .vscode
 .vs
-.venv
+.venv
+__pycache__

README.md

@@ -47,7 +47,7 @@ Offers ability to [start with an existing Azure AI Project](docs/transfer_projec
 1. Have access to an Azure subscription and Entra ID account with Contributor permissions.
 2. Confirm the subscription you are deploying into has the [Required Roles and Scopes](docs/Required_roles_scopes_resources.md).
 3. The solution ensures secure access to the private VNET through a jump-box VM with Azure Bastion. By default, Bastion does not require an inbound NSG rule for network traffic. However, if your environment enforces specific policy rules, you can resolve access issues by entering your machine's IP address in the `allowedIpAddress` parameter when prompted during deployment. If not specified, all IP addresses are allowed to connect to Azure Bastion. 
-4. If deploying from your [local environment](docs/local_environment_steps.md), install the [Azure Developer CLI (AZD)](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows).
+4. If deploying from your [local environment](docs/local_environment_steps.md), install the [Azure CLI (AZ)](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) and the [Azure Developer CLI (AZD)](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows).
 5. If deploying via [GitHub Codespaces](docs/github_code_spaces_steps.md) - requires the user to be on a GitHub Team or Enterprise Cloud plan.
 6. If leveraging [One-click deployment](#quick-deploy).
 7. If leveraging [GitHub Actions](docs/github_actions_steps.md).

azure.yaml

@@ -5,30 +5,24 @@ metadata:
   template: deploy-your-ai-application-in-production@1.0
 hooks:
   preup:
-      windows:
-        shell: pwsh
-        run: ./scripts/SetConnectionsEnvironmentVariables.ps1
-        interactive: true
-        continueOnError: false
+    windows:
+      shell: pwsh
+      run: ./scripts/set_conns_env_vars.ps1
+      interactive: true
+      continueOnError: false
+    posix:
+      shell: sh
+      run: chmod u+r+x ./scripts/set_conns_env_vars.sh; ./scripts/set_conns_env_vars.sh
+      interactive: true
+      continueOnError: false
   preprovision:
-      windows:
-        shell: pwsh
-        run: ./scripts/auth_init.ps1
-        interactive: true
-        continueOnError: false
-      posix:
-        shell: sh
-        run: chmod u+r+x ./scripts/auth_init.sh; ./scripts/auth_init.sh
-        interactive: true
-        continueOnError: false
-  postprovision:
-      windows:
-        shell: pwsh
-        run: ./scripts/auth_update.ps1;
-        interactive: true
-        continueOnError: false
-      posix:
-        shell: sh
-        run: chmod u+r+x ./scripts/auth_update.sh; ./scripts/auth_update.sh
-        interactive: true
-        continueOnError: false
+    posix:
+      shell: sh
+      run: chmod u+r+x ./scripts/validate_model_deployment_quotas.sh; chmod u+r+x ./scripts/validate_model_quota.sh; ./scripts/validate_model_deployment_quotas.sh --subscription $AZURE_SUBSCRIPTION_ID --location $AZURE_LOCATION --models-parameter "aiModelDeployments"
+      interactive: false
+      continueOnError: false
+    windows:
+      shell: pwsh
+      run: ./scripts/validate_model_deployment_quotas.ps1 -Subscription $env:AZURE_SUBSCRIPTION_ID -Location $env:AZURE_LOCATION -ModelsParameter "aiModelDeployments"
+      interactive: false
+      continueOnError: false

docs/Verify_Services_On_Network.md

@@ -6,7 +6,7 @@ This guide will walk you through using a secure jump-box virtual machine to inst
 
 ### 1. Copy Testing Script to Virtual Machine
 
-Copy [TestConnections.ps1](./scripts/TestConnections.ps1) to the Virtual Machine.
+Copy [test_azure_resource_conns.ps1](./scripts/test_azure_resource_conns.ps1) to the Virtual Machine.
 
 ### 2. Install Azure CLI
 
@@ -41,7 +41,7 @@ $containerRegistry = "your-container-registry-name"
 ### 5. Execute Testing PowerShell Script
 
 ```powershell
-.\TestConnections.ps1 `
+.\test_azure_resource_conns.ps1 `
     -SubscriptionId $subscriptionId `
     -ResourceGroup $resourceGroup `
     -KeyVault $keyvault `

docs/github_code_spaces_steps.md

@@ -32,31 +32,40 @@ You can run this solution using GitHub Codespaces. The button will open a web-ba
 
    ![Image showing the password prompt for azure](../img/provisioning/enterpassword.png)
 
-   **Prompting for MFA**
+7. Return to the codespaces window and type “az login”. The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest) is used to validate available AI model quota.
+     ![image showing theaz login in the vs code terminal](../img/provisioning/az_login.png)  
 
-   ![Image showing the pop up window in the web browser for azd auth](../img/provisioning/azdauthpopup.png)
-
-7. Return to the codespaces window now. In the terminal window, begin by initializing the environment by typing the command “azd init”
+8. Return to the codespaces window now. In the terminal window, begin by initializing the environment by typing the command “azd init”
 
    ![image showing the initial screen in the vs code terminal](../img/provisioning/azd_init_terminal.png)
 
-8. Enter the name for your environment
+9. Enter the name for your environment
 
    ![aImage showing entering a new environment name](../img/provisioning/enter_evn_name.png)
 
-9. Now start the deployment of the infrastructure by typing the command “azd provision”
+10. Now start the deployment of the infrastructure by typing the command “azd up”
+
+    ![image showing the terminal in vs code](../img/provisioning/azd_provision_terminal.png)
+
+    This step will allow you to choose from the subscriptions you have available, based on the account you logged in with in the login step. Next it will prompt you for the region to deploy the resources into as well as any additional Azure resources to be provisioned and configured.
+
+    **Be sure to remember the vm password. This will be used in a later step. You are still required to log into Azure once you connect through the virtual machine.
+
+
+11. The automated model quota check will run, and will check if the location selected will have the necessary quota for the AI Models that are listed in the parameters file prior to deploying any resources. 
+    ![image showing model quota pre-provision code executing](../img/provisioning/preprovision_output.png)
+
+
+    If the location selected has sufficient quota for the models you plan to deploy, the provisioning will begin without notification.
 
-   ![image showing the terminal in vs code](../img/provisioning/azd_provision_terminal.png)
+    ![image showing model quota pre-provision pass](../img/provisioning/preprovision_success.png)
 
-   This step will allow you to choose from the subscriptions you have available, based on the account you logged in with in the azd auth login step. Next it will prompt you for the region to deploy the resources into.
+    If the location selected does not have the available quota for the models selected in your parameters, there will be a message back to the user, prior to any provisioning of resources. This will allow the developer to change the location of the provisiong and try again. Note that in our example, Italy North had capacity for gpt-4o but not for text-embedding-ada-002. This terminated the entire provisioning, because both models could not be deployed due to a quota issue.
 
-   ![image showing region selection](../img/provisioning/azdprovision_select_location.png)
+    ![image showing model quota pre-provision fail](../img/provisioning/preprovision_fail.png)
 
-10. Next you will be prompted for values to enable additional features outside of the AI Foundry required features. They are false by default.
-    ![image of prompts](../img/provisioning/prompts.png)
-    **Be sure to remember the vm password and vm username. This will be used in a later step. Because we are using FDPO subscriptions, we do not have access to Entra to create the SSO to the jump box at this time. You are still required to log into Azure once you connect to the virtual machine.
+12. After completeing the required paramters that you were prompted for, and a successful model quota validation, the provisioning of resources will run and deploy the Network Isolated AI Foundry development portal and dependent resources in about 20 minutes.
 
-11. After completeing the required paramters that you were prompted for, the provisioning of resources will run and deploy the Network Isolated AI hub, project and dependent resources in about 20 minutes.
 
 # Post Deployment Steps:
 These steps will help to check that the isolated environment was set up correctly.

docs/local_environment_steps.md

@@ -7,16 +7,22 @@ git clone https://github.com/microsoft/Deploy-Your-AI-Application-In-Production.
 cd Deploy-Your-AI-Application-In-Production
 ```
 
-### Establish AZD Environment
+### Establish Environment
 
-This solution uses the [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/overview) to quickly provision and deploy infrastructure and applications to Azure.
+This solution uses the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest) and the [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/overview) to quickly provision and deploy infrastructure and applications to Azure.
 
 To get started, authenticate with an Azure Subscription ([details](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/reference#azd-auth-login)):
 
 ```powershell
 azd auth login
 ```
 
+Also authenticate with the Azure CLI ([details](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)):
+
+```powershell
+az login
+```
+
 Establish a new environment. Provide a name that represents the application domain:
 
 ```powershell

docs/quota_check.md

@@ -5,7 +5,7 @@ Before deploying the accelerator, **ensure sufficient quota availability** for t
 
 ## Login if you have not done so already
 ```
-azd auth login
+az login
 ```
 
 ## 📌 Default Models & Capacities:
@@ -88,12 +88,4 @@ The final table lists regions with available quota. You can select any of these
     ```sh
     ./quota_check.sh
     ```
-   - Refer to [Input Formats](#input-formats) for detailed commands.
-
-5. If you see the error `_bash: az: command not found_`, install Azure CLI:  
-
-    ```sh
-    curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-    az login
-    ```
-6. Rerun the script after installing Azure CLI.
+   - Refer to [Input Formats](#input-formats) for detailed commands.

img/provisioning/az_login.png

@@ -0,0 +1,171 @@
+#!/bin/bash
+
+# Usage: ./set_conns_env_vars.sh [--tenant TENANT] [--subscription SUBSCRIPTION] [--resource-group RESOURCE_GROUP] [--workspace WORKSPACE] [--include-verbose]
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --tenant)
+      TENANT="$2"
+      shift 2
+      ;;
+    --subscription)
+      SUBSCRIPTION="$2"
+      shift 2
+      ;;
+    --resource-group)
+      RESOURCE_GROUP="$2"
+      shift 2
+      ;;
+    --workspace)
+      WORKSPACE="$2"
+      shift 2
+      ;;
+    --include-verbose)
+      INCLUDE_VERBOSE=true
+      shift
+      ;;
+    *)
+      echo "Unknown option: $1"
+      exit 1
+      ;;
+  esac
+done
+
+TENANT="${TENANT:-$AZURE_ORIGINAL_TENANT_ID}"
+SUBSCRIPTION="${SUBSCRIPTION:-$AZURE_ORIGINAL_SUBSCRIPTION_ID}"
+RESOURCE_GROUP="${RESOURCE_GROUP:-$AZURE_ORIGINAL_RESOURCE_GROUP}"
+WORKSPACE="${WORKSPACE:-$AZURE_ORIGINAL_WORKSPACE_NAME}"
+
+if [[ -z "$TENANT" || -z "$SUBSCRIPTION" || -z "$RESOURCE_GROUP" || -z "$WORKSPACE" ]]; then
+  read -p "Start with existing Project connections? [NOTE: This action cannot be undone after executing. To revert, create a new AZD environment and run the process again.] (yes/no) " response
+  if [[ "$response" == "yes" ]]; then
+    [[ -z "$TENANT" ]] && read -p "Enter Tenant ID: " TENANT
+    [[ -z "$SUBSCRIPTION" ]] && read -p "Enter Subscription ID: " SUBSCRIPTION
+    [[ -z "$RESOURCE_GROUP" ]] && read -p "Enter Resource Group: " RESOURCE_GROUP
+    [[ -z "$WORKSPACE" ]] && read -p "Enter Workspace / Project Name: " WORKSPACE
+  else
+    echo "Not starting with existing Project. Exiting script."
+    exit 0
+  fi
+else
+  echo "All parameters provided. Starting with existing Project ${WORKSPACE}."
+fi
+
+if [[ -z "$TENANT" || -z "$SUBSCRIPTION" || -z "$RESOURCE_GROUP" || -z "$WORKSPACE" ]]; then
+  echo "Unable to start with existing Project: One or more required parameters are missing."
+  exit 1
+fi
+
+az account set --subscription "$SUBSCRIPTION"
+
+TOKEN=$(az account get-access-token --resource https://management.azure.com --query accessToken -o tsv)
+if [[ -z "$TOKEN" ]]; then
+  echo "Failed to get Azure access token."
+  exit 1
+fi
+
+CONNECTIONS_URL="https://management.azure.com/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$WORKSPACE/connections?api-version=2024-10-01"
+CONNECTIONS_RESPONSE=$(curl -s -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" "$CONNECTIONS_URL")
+CONNECTIONS=$(echo "$CONNECTIONS_RESPONSE" | jq '.value')
+
+echo "Connections in workspace ${WORKSPACE}"
+echo "----------------------------------"
+CONNECTION_COUNT=$(echo "$CONNECTIONS" | jq 'length')
+echo "Connection count: $CONNECTION_COUNT"
+if [[ "$CONNECTION_COUNT" -eq 0 ]]; then
+  echo "No connections found in the workspace."
+  exit 0
+fi
+
+if [[ "$INCLUDE_VERBOSE" == true ]]; then
+  echo "Connections response:"
+  echo "$CONNECTIONS"
+fi
+echo "----------------------------------"
+
+COGSVC_URL="https://management.azure.com/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.CognitiveServices/accounts/?api-version=2023-05-01"
+COGSVC_RESPONSE=$(curl -s -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" "$COGSVC_URL")
+COGSVC_ACCOUNTS=$(echo "$COGSVC_RESPONSE" | jq '.value')
+
+echo "Cognitive Service Accounts in resource group ${RESOURCE_GROUP}"
+echo "----------------------------------"
+COGSVC_COUNT=$(echo "$COGSVC_ACCOUNTS" | jq 'length')
+echo "Cognitive Service Account count: $COGSVC_COUNT"
+if [[ "$COGSVC_COUNT" -eq 0 ]]; then
+  echo "No Cognitive Service Accounts found in the resource group."
+  exit 0
+fi
+
+if [[ "$INCLUDE_VERBOSE" == true ]]; then
+  echo "Cognitive Service Accounts response:"
+  echo "$COGSVC_ACCOUNTS"
+fi
+
+for i in $(seq 0 $(($COGSVC_COUNT - 1))); do
+  ACCOUNT_NAME=$(echo "$COGSVC_ACCOUNTS" | jq -r ".[$i].name")
+  NORMALIZED_ACCOUNT_NAME=$(echo "$ACCOUNT_NAME" | tr -d '-_')
+  echo "Normalized Cognitive Service Account Name: $NORMALIZED_ACCOUNT_NAME"
+done
+echo "----------------------------------"
+
+echo "Connections details:"
+echo "----------------------------------"
+for i in $(seq 0 $(($CONNECTION_COUNT - 1))); do
+  NAME=$(echo "$CONNECTIONS" | jq -r ".[$i].name")
+  AUTHTYPE=$(echo "$CONNECTIONS" | jq -r ".[$i].properties.authType")
+  CATEGORY=$(echo "$CONNECTIONS" | jq -r ".[$i].properties.category")
+  TARGET=$(echo "$CONNECTIONS" | jq -r ".[$i].properties.target")
+
+  echo "Name: $NAME"
+  echo "AuthType: $AUTHTYPE"
+  echo "Category: $CATEGORY"
+  echo "Target: $TARGET"
+
+  if [[ "$CATEGORY" == "CognitiveSearch" ]]; then
+    azd env set 'AZURE_AI_SEARCH_ENABLED' 'true'
+    echo "Environment variable AZURE_AI_SEARCH_ENABLED set to true"
+  fi
+
+  if [[ "$CATEGORY" == "CognitiveService" ]]; then
+    for j in $(seq 0 $(($COGSVC_COUNT - 1))); do
+      ACCOUNT_NAME=$(echo "$COGSVC_ACCOUNTS" | jq -r ".[$j].name")
+      NORMALIZED_ACCOUNT_NAME=$(echo "$ACCOUNT_NAME" | tr -d '-_')
+      if [[ "$NORMALIZED_ACCOUNT_NAME" == "$NAME" ]]; then
+        RESOURCE_NAME="$ACCOUNT_NAME"
+        KIND=$(echo "$COGSVC_ACCOUNTS" | jq -r ".[$j].kind")
+        echo "Matched Cognitive Service Account - Connection: '$NAME' Resource: $RESOURCE_NAME"
+        case "$KIND" in
+          ContentSafety)
+            azd env set 'AZURE_AI_CONTENT_SAFETY_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_CONTENT_SAFETY_ENABLED set to true"
+            ;;
+          SpeechServices)
+            azd env set 'AZURE_AI_SPEECH_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_SPEECH_ENABLED set to true"
+            ;;
+          FormRecognizer)
+            azd env set 'AZURE_AI_DOC_INTELLIGENCE_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_DOC_INTELLIGENCE_ENABLED set to true"
+            ;;
+          ComputerVision)
+            azd env set 'AZURE_AI_VISION_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_VISION_ENABLED set to true"
+            ;;
+          TextAnalytics)
+            azd env set 'AZURE_AI_LANGUAGE_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_LANGUAGE_ENABLED set to true"
+            ;;
+          TextTranslation)
+            azd env set 'AZURE_AI_TRANSLATOR_ENABLED' 'true'
+            echo "Environment variable AZURE_AI_TRANSLATOR_ENABLED set to true"
+            ;;
+          *)
+            echo "Unknown resource kind: $KIND"
+            ;;
+        esac
+      fi
+    done
+  fi
+  echo "-------------------------"
+done
+echo "----------------------------------"