Merge pull request #141 from Harmanpreet-Microsoft/dev

Roopan-Microsoft · web-flow · commit 39f0cebc9e6e · 2026-04-28T11:16:45.000+05:30
fix: Improve RBAC setup reliability using FabricWorkspaceId for OneLake indexing (BYO support &amp; enhanced logging)
diff --git a/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 b/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1
@@ -96,11 +96,12 @@ try {
   if (-not $aiSearchSubscriptionId) { $aiSearchSubscriptionId = $env_vars['aiSearchSubscriptionId'] }
   if (-not $aiFoundryName -and $outputs -and $outputs.aiFoundryName -and $outputs.aiFoundryName.value) { $aiFoundryName = $outputs.aiFoundryName.value }
   if (-not $aiFoundryName) { $aiFoundryName = $env_vars['aiFoundryName'] }
-  if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value }
-  if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] }
+  # Prefer FABRIC_WORKSPACE_NAME (actual BYO name) over desiredFabricWorkspaceName (requested name that may differ in BYO mode)
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['FABRIC_WORKSPACE_NAME'] }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env:FABRIC_WORKSPACE_NAME }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_NAME' }
+  if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value }
+  if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'fabricWorkspaceNameOut' }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'desiredFabricWorkspaceName' }
   if (-not $fabricWorkspaceName -and (Test-Path (Join-Path ([IO.Path]::GetTempPath()) 'fabric_workspace.env'))) {
@@ -109,6 +110,14 @@ try {
     }
   }
   if (-not $fabricWorkspaceName -and $env:AZURE_ENV_NAME) { $fabricWorkspaceName = "workspace-$($env:AZURE_ENV_NAME.Trim())" }
+
+  # Resolve Fabric workspace ID for direct role assignment (avoids fragile displayName lookup)
+  $fabricWorkspaceId = ''
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env_vars['FABRIC_WORKSPACE_ID'] }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env:FABRIC_WORKSPACE_ID }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_ID' }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'fabricWorkspaceIdOut' }
+  if (-not $fabricWorkspaceId -and $outputs -and $outputs.fabricWorkspaceIdOut -and $outputs.fabricWorkspaceIdOut.value) { $fabricWorkspaceId = $outputs.fabricWorkspaceIdOut.value }
   if (-not $aiSearchResourceId -and $outputs -and $outputs.aiSearchResourceId -and $outputs.aiSearchResourceId.value) { $aiSearchResourceId = $outputs.aiSearchResourceId.value }
   if (-not $aiSearchResourceId) { $aiSearchResourceId = $env_vars['aiSearchResourceId'] }
 
@@ -182,6 +191,7 @@ try {
     Warn "  AI Foundry: not detected"
   }
   Log "  Fabric Workspace: $fabricWorkspaceName"
+  if ($fabricWorkspaceId) { Log "  Fabric Workspace ID: $fabricWorkspaceId" }
   if ($principalId) { Log "  Principal ID: $principalId" }
 
   # Setup RBAC permissions
@@ -190,21 +200,25 @@ try {
     Log "🔐 Setting up RBAC permissions for OneLake indexing..."
     
     try {
-      & "$PSScriptRoot/setup_ai_services_rbac.ps1" `
-        -ExecutionManagedIdentityPrincipalId $principalId `
-        -AISearchName $aiSearchName `
-        -AIFoundryName $aiFoundryName `
-        -AIFoundryResourceGroup $aiFoundryResourceGroup `
-        -AISearchResourceGroup $aiSearchResourceGroup `
-        -FabricWorkspaceName $fabricWorkspaceName
+      $rbacArgs = @{
+        ExecutionManagedIdentityPrincipalId = $principalId
+        AISearchName = $aiSearchName
+        AIFoundryName = $aiFoundryName
+        AIFoundryResourceGroup = $aiFoundryResourceGroup
+        AISearchResourceGroup = $aiSearchResourceGroup
+        FabricWorkspaceName = $fabricWorkspaceName
+      }
+      if ($fabricWorkspaceId) { $rbacArgs['FabricWorkspaceId'] = $fabricWorkspaceId }
+
+      & "$PSScriptRoot/setup_ai_services_rbac.ps1" @rbacArgs
       
       Log "✅ RBAC configuration completed successfully"
       Log "✅ Managed identity can now access AI Search and AI Foundry"
       Log "✅ OneLake indexing permissions are configured"
     } catch {
       Warn "RBAC setup failed: $_"
       Log "You can run RBAC setup manually later with:"
-      Log "  ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName'"
+      Log "  ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName' -FabricWorkspaceId '$fabricWorkspaceId'"
       throw
     }
   }
diff --git a/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 b/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1
@@ -14,7 +14,9 @@ param(
     [Parameter(Mandatory = $false)]
     [string]$AISearchResourceGroup = "",
     [Parameter(Mandatory = $false)]
-    [string]$FabricWorkspaceName = ""
+    [string]$FabricWorkspaceName = "",
+    [Parameter(Mandatory = $false)]
+    [string]$FabricWorkspaceId = ""
 )
 
 Set-StrictMode -Version Latest
@@ -341,7 +343,7 @@ try {
     }
 
     # Setup Fabric workspace permissions for OneLake access
-    if ($FabricWorkspaceName) {
+    if ($FabricWorkspaceId -or $FabricWorkspaceName) {
         Log "Setting up Fabric workspace permissions..."
         
         # Get Fabric access token
@@ -355,23 +357,40 @@ try {
                 # Create Fabric headers
                 $fabricHeaders = New-SecureHeaders -Token $fabricToken
                 
-                # Find the workspace
-                $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces"
-                $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get
-                
-                # Debug: Log available workspaces and their properties
-                Log "Available workspaces:"
-                foreach ($ws in $workspacesResponse.value) {
-                    Log "  - Name: '$($ws.displayName)' ID: $($ws.id)"
+                $workspaceId = $null
+
+                # Use workspace ID directly if provided (avoids fragile displayName lookup, critical for BYO workspaces)
+                if ($FabricWorkspaceId) {
+                    $workspaceId = $FabricWorkspaceId.Trim()
+                    Log "Using provided Fabric workspace ID: $workspaceId"
                 }
-                
-                # Find workspace by displayName only (name property may not exist)
-                $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName }
-                
-                if ($workspace) {
-                    $workspaceId = $workspace.id
-                    Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)"
+
+                # Fall back to displayName lookup if no ID provided
+                if (-not $workspaceId) {
+                    # Find the workspace
+                    $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces"
+                    $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get
+                    
+                    # Debug: Log available workspaces and their properties
+                    Log "Available workspaces:"
+                    foreach ($ws in $workspacesResponse.value) {
+                        Log "  - Name: '$($ws.displayName)' ID: $($ws.id)"
+                    }
+                    
+                    # Find workspace by displayName only (name property may not exist)
+                    $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName }
                     
+                    if ($workspace) {
+                        $workspaceId = $workspace.id
+                        Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)"
+                    } else {
+                        Warn "Could not find Fabric workspace: '$FabricWorkspaceName'"
+                        Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')"
+                        Log "Make sure the workspace name matches exactly (case-sensitive)"
+                    }
+                }
+
+                if ($workspaceId) {
                     # Add the managed identity as a workspace member with Contributor role
                     $roleAssignmentUrl = "https://api.fabric.microsoft.com/v1/workspaces/$workspaceId/roleAssignments"
                     $rolePayload = @{
@@ -382,7 +401,7 @@ try {
                         role = "Contributor"
                     } | ConvertTo-Json -Depth 3
                     
-                    Log "Assigning Contributor role to managed identity in workspace..."
+                    Log "Assigning Contributor role to managed identity in workspace $workspaceId..."
                     try {
                         Invoke-SecureRestMethod -Uri $roleAssignmentUrl -Headers @{ 
                             Authorization = "Bearer $fabricToken"
@@ -399,10 +418,6 @@ try {
                             Log "  2. Add managed identity $ExecutionManagedIdentityPrincipalId as Contributor"
                         }
                     }
-                } else {
-                    Warn "Could not find Fabric workspace: '$FabricWorkspaceName'"
-                    Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')"
-                    Log "Make sure the workspace name matches exactly (case-sensitive)"
                 }
             }
         } catch {
@@ -423,8 +438,9 @@ try {
             Log "  - AI Foundry project identity has Search roles"
         }
     }
-    if ($FabricWorkspaceName) {
-        Log "  - Contributor on Fabric workspace $FabricWorkspaceName"
+    if ($FabricWorkspaceId -or $FabricWorkspaceName) {
+        $wsLabel = if ($FabricWorkspaceId) { "Fabric workspace ID $FabricWorkspaceId" } else { "Fabric workspace $FabricWorkspaceName" }
+        Log "  - Contributor on $wsLabel"
     }
 
 } catch {
