Merge pull request #142 from microsoft/dev

chore: dev to main merge

Author: Roopan-Microsoft

azure.yaml

@@ -2,7 +2,6 @@ name: deploy-your-ai-application-in-production
 
 requiredVersions:
   azd: ">=1.15.0 != 1.23.9"
-  bicep: '>= 0.33.0'
 
 infra:
   provider: "bicep"

docs/deploymentguide.md

@@ -191,6 +191,42 @@ Edit `infra/main.bicepparam` or set environment variables:
 # var fabricWorkspacePreset = 'none'
 ```
 
+#### Reusing an Existing Fabric Capacity and Workspace (BYO mode)
+
+If you already have a Fabric capacity and workspace, set `byo` mode so the deployment skips creating new ones. The bicepparam variables are driven by environment variables, so the recommended approach is to set them with `azd env set` before running `azd up`:
+
+**Step 1 — Set the mode** ( The default value is `create`, so override it to `byo`):
+
+```bicep
+// infra/main.bicepparam
+var fabricCapacityPreset = readEnvironmentVariable('fabricCapacityMode', 'create')
+```
+
+The `fabricCapacityMode` env variable controls both capacity and workspace preset (they are tied together). Set it explicitly to use BYO mode:
+
+```powershell
+azd env set fabricCapacityMode byo
+```
+
+**Step 2 — Supply the existing resource identifiers:**
+
+```powershell
+# ARM resource ID of the existing Fabric capacity
+azd env set fabricCapacityResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Fabric/capacities/<capacity-name>"
+
+# GUID of the existing Fabric workspace (from the workspace URL or Fabric portal)
+azd env set FABRIC_WORKSPACE_ID "<workspace-guid>"
+
+# Display name of the existing workspace (used for naming/UX; optional but recommended)
+azd env set FABRIC_WORKSPACE_NAME "<workspace-display-name>"
+```
+
+> **How to find the workspace GUID:** Open the workspace in [app.fabric.microsoft.com](https://app.fabric.microsoft.com), copy the URL. The segment after `/groups/` is the workspace GUID (e.g., `https://app.fabric.microsoft.com/groups/e9c7ed61-0cdc-4356-a239-9d49cc755fe0/...` → `e9c7ed61-0cdc-4356-a239-9d49cc755fe0`).
+
+> **How to find the capacity resource ID:** In Azure Portal, open the Fabric capacity resource → **Properties** → copy **Resource ID**. It follows the pattern `/subscriptions/.../providers/Microsoft.Fabric/capacities/<name>`.
+
+After setting these variables, run `azd up` normally. The deployment will attach to your existing capacity and workspace instead of creating new ones.
+
 </details>
 
 <details>
@@ -209,15 +245,9 @@ For network-isolated deployments, set the VM credentials before running `azd up`
 
 ```powershell
 azd env set VM_ADMIN_USERNAME "youradminuser"
-azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+azd env set VM_ADMIN_PASSWORD "<your-strong-password>"
 ```
 
-If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
-
-```bicep
-param vmUserName = 'youradminuser'
-param vmAdminPassword = 'Use-A-Strong-Password-Here!'
-```
 
 </details>
 

docs/parameter_guide.md

@@ -8,12 +8,80 @@ This guide focuses on configuration concepts for the **AI Landing Zone**.
 > - AI Landing Zone submodule parameters file (if you deploy it directly): `submodules/ai-landing-zone/main.parameters.json`
 >
 > **Fabric options in this repo** are configured in `infra/main.bicepparam` via:
-> - `fabricCapacityPreset` (`create` | `byo` | `none`)
-> - `fabricWorkspacePreset` (`create` | `byo` | `none`)
-> - BYO inputs: `fabricCapacityResourceId`, `fabricWorkspaceId`, `fabricWorkspaceName`
+> - `fabricCapacityPreset` (`create` | `byo` | `none`) — driven by the `fabricCapacityMode` env variable
+> - `fabricWorkspacePreset` (`create` | `byo` | `none`) — mirrors `fabricCapacityPreset` by default
+> - BYO inputs: `fabricCapacityResourceId` (env), `FABRIC_WORKSPACE_ID` (env), `FABRIC_WORKSPACE_NAME` (env)
 
 > **Deployment flow**: This repo deploys the AI Landing Zone submodule from `submodules/ai-landing-zone/main.bicep` during the preprovision hook. The single source of truth for parameters is `infra/main.bicepparam`.
 
+## Fabric Configuration
+
+### Modes: create, byo, none
+
+| Mode | Description |
+|------|-------------|
+| `create` | Provisions a new Fabric capacity (Bicep) and workspace (postprovision script) |
+| `byo` | Reuses an existing Fabric capacity and workspace — no new resources created |
+| `none` | Disables all Fabric automation; OneLake indexing will be skipped |
+
+Both capacity and workspace modes are controlled by the same `fabricCapacityMode` environment variable (they are tied together in `infra/main.bicepparam`).
+
+### Setting Mode via azd env
+
+The recommended way to configure Fabric mode is with `azd env set` — these values are read directly by `infra/main.bicepparam` at provision time:
+
+```powershell
+# Choose one:
+azd env set fabricCapacityMode create   # create new capacity + workspace (default if not set)
+azd env set fabricCapacityMode byo      # reuse existing capacity + workspace
+azd env set fabricCapacityMode none     # disable all Fabric automation
+```
+
+### Reusing Existing Fabric Resources (BYO)
+
+When `fabricCapacityMode` is `byo`, supply the identifiers of your existing resources:
+
+```powershell
+# ARM resource ID of the existing Fabric capacity
+azd env set fabricCapacityResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Fabric/capacities/<capacity-name>"
+
+# GUID of the existing Fabric workspace (from the workspace URL)
+azd env set FABRIC_WORKSPACE_ID "<workspace-guid>"
+
+# Display name of the existing workspace (optional, used for naming/UX)
+azd env set FABRIC_WORKSPACE_NAME "<workspace-display-name>"
+```
+
+> **How to find the workspace GUID:** Open the workspace in [app.fabric.microsoft.com](https://app.fabric.microsoft.com). The URL segment after `/groups/` is the GUID (e.g., `https://app.fabric.microsoft.com/groups/e9c7ed61-0cdc-4356-a239-9d49cc755fe0/...`).
+>
+> **How to find the capacity resource ID:** Azure Portal → Fabric capacity resource → **Properties** → **Resource ID**.
+
+You can also set these directly in `infra/main.bicepparam` if you prefer source-controlled values:
+
+```bicep
+// infra/main.bicepparam
+var fabricCapacityPreset = 'byo'
+param fabricCapacityResourceId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Fabric/capacities/<name>'
+param fabricWorkspaceId = '<workspace-guid>'
+param fabricWorkspaceName = '<workspace-display-name>'
+```
+
+> **Note:** Values set via `azd env set` take precedence over hardcoded bicepparam values because `readEnvironmentVariable(...)` is evaluated at deploy time.
+
+### Creating New Fabric Resources
+
+When `fabricCapacityMode` is `create`, you must provide at least one admin principal:
+
+```bicep
+// infra/main.bicepparam
+param fabricCapacityAdmins = ['user@contoso.com']
+param fabricCapacitySku = 'F2'  // adjust SKU as needed
+```
+
+> **Permission requirement:** The identity running `azd` must have the **Fabric Administrator** role (or Power BI tenant admin) to call the workspace admin APIs used during postprovision.
+
+---
+
 ## Table of Contents
 1. [Basic Parameters](#basic-parameters)
 2. [Deployment Toggles](#deployment-toggles)

docs/post_deployment_steps.md

@@ -149,6 +149,8 @@ If the connection fails, verify RBAC roles are assigned (see Troubleshooting sec
 
 If `purviewCollectionName` is left empty in [infra/main.bicepparam](../infra/main.bicepparam), the automation now uses `collection-<AZURE_ENV_NAME>`.
 
+> **Note:** If a tenant-level Fabric datasource already exists under a different collection, the scan script automatically reparents the deployment collection as a child of the datasource's collection. This ensures scans comply with Purview's requirement that scans are created within the datasource's collection hierarchy. In the Purview portal, your deployment collection may appear nested under the datasource's collection rather than at the root.
+
 If the identity running `azd` does not have **Purview Collection Admin** (or equivalent) on the target collection, the Purview scripts will warn and skip collection, datasource, and scan steps. Grant the role, then rerun the Purview scripts.
 
 If you need to rerun the Purview steps after provisioning:
@@ -289,10 +291,13 @@ pwsh ./scripts/automationScripts/OneLakeIndex/06_setup_ai_foundry_search_rbac.ps
 2. Check scan configuration:
    - Purview Portal → Data Map → Sources → Fabric source → Scans
 
-3. Re-run the registration script:
+3. **`Scan_CollectionOutOfBound` error:** Purview requires that scans are created under the datasource's collection or a child of it. If your deployment collection is not under the datasource's collection, the scan script will attempt to reparent it automatically. If this fails, manually move your deployment collection under the datasource's collection in Purview Portal → Data Map → Collections.
+
+4. Re-run the scan pipeline:
    ```bash
    eval $(azd env get-values)
    pwsh ./scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1
+   pwsh ./scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1
    ```
 
 ### Post-Provision Hooks Failed

infra/main.bicep

@@ -273,7 +273,7 @@ param postgreSqlFabricUserSecretName string = 'postgres-fabric-user-password'
 param postgreSqlMirrorConnectionMode string = 'fabricUser'
 
 @description('Authentication configuration for PostgreSQL Flexible Server. Defaults to both Microsoft Entra and password authentication enabled so Fabric mirroring can be configured immediately after deployment.')
-param postgreSqlAuthConfig resourceInput<'Microsoft.DBforPostgreSQL/flexibleServers@2025-06-01-preview'>.properties.authConfig = {
+param postgreSqlAuthConfig resourceInput<'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01'>.properties.authConfig = {
   activeDirectoryAuth: 'Enabled'
   passwordAuth: 'Enabled'
 }
@@ -369,17 +369,17 @@ var effectivePostgreSqlAdminPassword = postgreSqlAdminPassword == '$(secretOrRan
   ? '${uniqueString(subscription().id, resourceGroup().id, postgreSqlServerName)}!${replace(generatedPostgreSqlAdminPassword, '-', '')}'
   : postgreSqlAdminPassword
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+resource keyVault 'Microsoft.KeyVault/vaults@2026-02-01' existing = {
   name: last(split(effectiveKeyVaultResourceId, '/'))
 }
 
-resource postgreSqlPrivateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation) {
+resource postgreSqlPrivateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation) {
   name: postgreSqlPrivateDnsZoneName
   location: 'global'
   tags: deploymentTags
 }
 
-resource postgreSqlPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation && deployPostgreSqlPrivateDnsLink) {
+resource postgreSqlPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = if (deployPostgreSql && postgreSqlNetworkIsolation && deployPostgreSqlPrivateDnsLink) {
   name: effectivePostgreSqlPrivateDnsLinkName
   parent: postgreSqlPrivateDnsZone
   location: 'global'
@@ -428,11 +428,11 @@ module postgreSqlFlexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-s
   }
 }
 
-resource postgreSqlFlexibleServerResource 'Microsoft.DBforPostgreSQL/flexibleServers@2025-06-01-preview' existing = if (deployPostgreSql) {
+resource postgreSqlFlexibleServerResource 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' existing = if (deployPostgreSql) {
   name: postgreSqlServerName
 }
 
-resource postgreSqlAllowAzureServicesFirewallRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2025-01-01-preview' = if (deployPostgreSql && !postgreSqlNetworkIsolation && postgreSqlAllowAzureServices) {
+resource postgreSqlAllowAzureServicesFirewallRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2025-08-01' = if (deployPostgreSql && !postgreSqlNetworkIsolation && postgreSqlAllowAzureServices) {
   parent: postgreSqlFlexibleServerResource
   name: 'AllowAzureServices'
   properties: {
@@ -444,7 +444,7 @@ resource postgreSqlAllowAzureServicesFirewallRule 'Microsoft.DBforPostgreSQL/fle
   ]
 }
 
-resource postgreSqlAdminSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = if (deployPostgreSql && enablePostgreSqlKeyVaultSecret) {
+resource postgreSqlAdminSecret 'Microsoft.KeyVault/vaults/secrets@2026-02-01' = if (deployPostgreSql && enablePostgreSqlKeyVaultSecret) {
   name: postgreSqlAdminSecretName
   parent: keyVault
   properties: {

infra/main.bicepparam

@@ -236,11 +236,11 @@ var fabricWorkspacePreset = fabricCapacityPreset
 param deployFabricCapacity = fabricCapacityPreset != 'none'
 
 param fabricCapacityMode = fabricCapacityPreset
-param fabricCapacityResourceId = '' // required when fabricCapacityPreset='byo'
+param fabricCapacityResourceId = readEnvironmentVariable('fabricCapacityResourceId', '') // required when fabricCapacityPreset='byo'
 
 param fabricWorkspaceMode = fabricWorkspacePreset
-param fabricWorkspaceId = '' // required when fabricWorkspacePreset='byo'
-param fabricWorkspaceName = '' // optional (helpful for naming/UX)
+param fabricWorkspaceId = readEnvironmentVariable('FABRIC_WORKSPACE_ID', readEnvironmentVariable('fabricWorkspaceId', '')) // required when fabricWorkspacePreset='byo'
+param fabricWorkspaceName = readEnvironmentVariable('FABRIC_WORKSPACE_NAME', readEnvironmentVariable('fabricWorkspaceName', '')) // optional (helpful for naming/UX)
 
 // Fabric capacity SKU.
 param fabricCapacitySku = 'F8'