Skip to content

feat: Infra restructure mirror toolkit layout under infra/bicep, infra/avm#269

Draft
Prachig-Microsoft wants to merge 23 commits into
devfrom
psl/infra-restructure
Draft

feat: Infra restructure mirror toolkit layout under infra/bicep, infra/avm#269
Prachig-Microsoft wants to merge 23 commits into
devfrom
psl/infra-restructure

Conversation

@Prachig-Microsoft

@Prachig-Microsoft Prachig-Microsoft commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

This pull request introduces several infrastructure improvements and refactoring, primarily focused on Azure Bicep modules and deployment workflows. The main highlights are the addition of new Bicep modules for AI resources and role assignments, updates to deployment parameter files, and workflow changes to reflect new script locations. These changes help modularize the infrastructure codebase, improve maintainability, and align scripts and documentation with the new directory structure.

Purpose

  • ...

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

Prachig-Microsoft and others added 5 commits June 11, 2026 14:38
@Prachig-Microsoft
Infra restructure: mirror toolkit layout under infra/bicep, infra/avm…
a5c583b 
…, infra/scripts

User Story 45200. Adds infra/bicep/ (mirror of active main.bicep with domain-organized modules under modules/{ai,identity,networking}), infra/avm/ scaffold for future AVM rewrite, and moves provisioning scripts from /scripts to infra/scripts/{pre-provision,post-provision,build,utilities}. Updates GitHub Actions workflows and QuotaCheck.md to reference new script paths. Top-level main.bicep / main.json remain the canonical deployment artifacts referenced by azure.yaml.
@Prachig-Microsoft
ci(broken-links): drop --exclude-mail flag (removed in lychee v0.23.0…
96c4f78 
…; mail excluded by default)
@Prachig-Microsoft
Infra restructure: adopt toolkit modules under infra/bicep and infra/…
1ce28de 
…avm (mimics agentic-applications PR)

User Story 45200. Replaces custom modules in infra/bicep/modules/ with toolkit
vanilla-bicep modules from mcaps-microsoft/accelerator-toolkit-core@psl/infra
(ai/, data/, identity/, monitoring/, compute/) plus Container Apps modules
(container-app.bicep, container-app-environment.bicep). Rewrites
infra/bicep/main.bicep and main_custom.bicep to call toolkit modules in the same
style as microsoft/agentic-applications-for-unified-data-foundation-solution-
accelerator@psl/infra-restructure-new.

Populates infra/avm/ with toolkit AVM modules and matching main.bicep/main.json.

Top-level infra/main.bicep / main.json remain the canonical deployment artifacts
referenced by azure.yaml - unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
infra: update toolkit modules (VM Entra ID auth, container-app-env WA…
68e00d3 
…F, role-assignment GUID fix)

- Add virtual-machine.bicep AVM module with Entra ID authentication
- Update container-app-environment.bicep (both flavors): add workloadProfiles,
  WAF params (enablePrivateNetworking, enableMonitoring, enableRedundancy)
- Fix role-assignments.bicep GUID generation: scope to target resource ID
  instead of resourceGroup().id to prevent collisions
- Add VM module call to infra/avm/main.bicep with default credentials
- Regenerate main.json for both bicep and avm flavors

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
infra: convert main.bicep to deployment router, remove old flat modules
3466b14 
Convert top-level infra/main.bicep and main_custom.bicep into thin deployment
routers (matching agentic-applications PR pattern) that dispatch to:
  - ./bicep/main.bicep (vanilla, deploymentFlavor='bicep')
  - ./avm/main.bicep   (AVM, deploymentFlavor='avm' or 'avm-waf')

Remove old flat infra/modules/ (6 camelCase files) — replaced by structured
subdirectories under infra/bicep/modules/ and infra/avm/modules/ with proper
ai/, compute/, data/, identity/, monitoring/, networking/ subfolders.

Update main.parameters.json to include deploymentFlavor param.
Update main.waf.parameters.json to set deploymentFlavor='avm-waf'.
Add SERVICE_* and CONTAINER_FRONTEND_* outputs to bicep/main_custom.bicep.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Update AZURE_OPENAI_API_VERSION from 2025-03-01-preview to v1
46f2c6b 
The Responses API requires the new v1 API endpoint. The old preview
version (2025-03-01-preview) does not support the /responses endpoint,
causing BadRequest 'API version not supported' errors at runtime.

Updated across all infra templates: bicep, avm, and compiled JSON.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prachig-Microsoft and others added 2 commits June 12, 2026 14:31
@Prachig-Microsoft
Update AZURE_OPENAI_API_VERSION from 2025-03-01-preview to v1
e0d8aab 
The Responses API requires the new v1 API endpoint. The old preview
version (2025-03-01-preview) does not support the /responses endpoint,
causing BadRequest 'API version not supported' errors at runtime.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Revert "Update AZURE_OPENAI_API_VERSION from 2025-03-01-preview to v1"
145ff7c 
This reverts commit e0d8aab.
@Prachig-Microsoft
infra: add Storage Queue Data Contributor role for backend and processor
6b72d16 
Both backend and processor use Azure Queue Storage for processing pipeline.
Added storageQueueDataContributor role definition and assignments for both
app identities in avm and bicep flavors.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Add STORAGE_QUEUE_ACCOUNT env var for processor container app
9aaa32d 
The processor code reads STORAGE_QUEUE_ACCOUNT (not STORAGE_ACCOUNT_NAME) to
build the queue service URL. Without it, the default value 'http://<storage
queue url>' was used, causing a double-prefixed URL (https://http://...) and
DNS resolution failure for host 'http'.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prachig-Microsoft and others added 2 commits June 15, 2026 20:29
@Prachig-Microsoft
Add Cognitive Services OpenAI User role for processor identity
d47e766 
Processor needs OpenAI access to run migration analysis. Added role
assignment for both new and existing AI Foundry project paths in both
avm and bicep flavors.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Revert azure.yaml metadata commenting
880d375 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Add Foundry User and Cognitive Services User RBAC roles for processor
9be8c0a 
Adds Foundry User and Cognitive Services User role assignments for the
processor container app on AI Foundry, for both new and existing project
deployment paths. Required for processor to access OpenAI Responses API.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Sync toolkit modules, add custom bicep, VNet/Bastion wiring, README a…
6e82c6b 
…lignment

- Sync 13 toolkit modules from psl/infra (cognitiveServicesEndpoint now upstream)
- Add standalone main_custom.bicep vanilla bicep orchestrator (CKM pattern)
- Wire VNet, Bastion Host, and VM subnet in avm/main.bicep
- Add Processor RBAC: Foundry User + Cognitive Services User (bicep role-assignments)
- Use cognitiveServicesEndpoint in avm/main.bicep and bicep/main.bicep
- Align README with agentic PR structure (nav links, Supporting Documentation table,
  Choose the Path, Responsible AI note, System Assigned identity fix)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Fix resource group Type tag to reflect WAF vs Non-WAF based on enable…
abcd686 
…PrivateNetworking

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
docs: add Deployment Flavor row and AVM intermediate note to deployme…
18e7ef7 
…nt guide

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
Sync toolkit modules and align DEPLOYMENT_FLAVOR env var with agentic PR
87f1bf9 
- Sync container-registry.bicep (avm + bicep): SKU default Standard, retention policy
- Sync cosmos-db-mongo.bicep (avm): networkAclBypass AzureServices
- Rename AZURE_ENV_DEPLOYMENT_FLAVOR to DEPLOYMENT_FLAVOR in main.parameters.json

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Prachig-Microsoft
docs: add Entra ID Bastion VM connection instructions to deployment g…
ecce3ae 
…uide

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft will be requested when the pull request is marked ready for review Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft will be requested when the pull request is marked ready for review Roopan-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft will be requested when the pull request is marked ready for review aniaroramsft is a code owner

@Dongbumlee Dongbumlee Awaiting requested review from Dongbumlee Dongbumlee will be requested when the pull request is marked ready for review Dongbumlee is a code owner

@sethsteenken sethsteenken Awaiting requested review from sethsteenken sethsteenken will be requested when the pull request is marked ready for review sethsteenken is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft will be requested when the pull request is marked ready for review toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi will be requested when the pull request is marked ready for review nchandhi is a code owner

@dgp10801 dgp10801 Awaiting requested review from dgp10801 dgp10801 will be requested when the pull request is marked ready for review dgp10801 is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Prachig-Microsoft