diff --git a/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 b/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 index 1507992..ce2e3c6 100644 --- a/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 +++ b/scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 @@ -96,11 +96,12 @@ try { if (-not $aiSearchSubscriptionId) { $aiSearchSubscriptionId = $env_vars['aiSearchSubscriptionId'] } if (-not $aiFoundryName -and $outputs -and $outputs.aiFoundryName -and $outputs.aiFoundryName.value) { $aiFoundryName = $outputs.aiFoundryName.value } if (-not $aiFoundryName) { $aiFoundryName = $env_vars['aiFoundryName'] } - if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value } - if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] } + # Prefer FABRIC_WORKSPACE_NAME (actual BYO name) over desiredFabricWorkspaceName (requested name that may differ in BYO mode) if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['FABRIC_WORKSPACE_NAME'] } if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env:FABRIC_WORKSPACE_NAME } if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_NAME' } + if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value } + if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] } if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'fabricWorkspaceNameOut' } if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'desiredFabricWorkspaceName' } if (-not $fabricWorkspaceName -and (Test-Path (Join-Path ([IO.Path]::GetTempPath()) 'fabric_workspace.env'))) { 
@@ -109,6 +110,14 @@ try { } } if (-not $fabricWorkspaceName -and $env:AZURE_ENV_NAME) { $fabricWorkspaceName = "workspace-$($env:AZURE_ENV_NAME.Trim())" } + + # Resolve Fabric workspace ID for direct role assignment (avoids fragile displayName lookup) + $fabricWorkspaceId = '' + if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env_vars['FABRIC_WORKSPACE_ID'] } + if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env:FABRIC_WORKSPACE_ID } + if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_ID' } + if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'fabricWorkspaceIdOut' } + if (-not $fabricWorkspaceId -and $outputs -and $outputs.fabricWorkspaceIdOut -and $outputs.fabricWorkspaceIdOut.value) { $fabricWorkspaceId = $outputs.fabricWorkspaceIdOut.value } if (-not $aiSearchResourceId -and $outputs -and $outputs.aiSearchResourceId -and $outputs.aiSearchResourceId.value) { $aiSearchResourceId = $outputs.aiSearchResourceId.value } if (-not $aiSearchResourceId) { $aiSearchResourceId = $env_vars['aiSearchResourceId'] } @@ -182,6 +191,7 @@ try { Warn " AI Foundry: not detected" } Log " Fabric Workspace: $fabricWorkspaceName" + if ($fabricWorkspaceId) { Log " Fabric Workspace ID: $fabricWorkspaceId" } if ($principalId) { Log " Principal ID: $principalId" } # Setup RBAC permissions 
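Review bot: The new `$fabricWorkspaceId` chain lets `$env:FABRIC_WORKSPACE_ID` or an azd value win over the deployment output `fabricWorkspaceIdOut`, and this value later selects the workspace that receives a role assignment. A variable left over from an earlier session would silently redirect the grant while the log still prints a workspace name resolved from a different source. If that precedence is intended for BYO mode, I would at least warn on disagreement, for example `if ($fabricWorkspaceId -and $outputs -and $outputs.fabricWorkspaceIdOut -and $outputs.fabricWorkspaceIdOut.value -and $outputs.fabricWorkspaceIdOut.value -ne $fabricWorkspaceId) { Warn "FABRIC_WORKSPACE_ID differs from deployment output fabricWorkspaceIdOut" }`. The initial `$fabricWorkspaceId = ''` also makes the first `-not` test redundant. The enclosing `try` block starts and ends outside the hunk.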
@@ -190,13 +200,17 @@ try { Log "🔐 Setting up RBAC permissions for OneLake indexing..." try { - & "$PSScriptRoot/setup_ai_services_rbac.ps1" ` - -ExecutionManagedIdentityPrincipalId $principalId ` - -AISearchName $aiSearchName ` - -AIFoundryName $aiFoundryName ` - -AIFoundryResourceGroup $aiFoundryResourceGroup ` - -AISearchResourceGroup $aiSearchResourceGroup ` - -FabricWorkspaceName $fabricWorkspaceName + $rbacArgs = @{ + ExecutionManagedIdentityPrincipalId = $principalId + AISearchName = $aiSearchName + AIFoundryName = $aiFoundryName + AIFoundryResourceGroup = $aiFoundryResourceGroup + AISearchResourceGroup = $aiSearchResourceGroup + FabricWorkspaceName = $fabricWorkspaceName + } + if ($fabricWorkspaceId) { $rbacArgs['FabricWorkspaceId'] = $fabricWorkspaceId } + + & "$PSScriptRoot/setup_ai_services_rbac.ps1" @rbacArgs Log "✅ RBAC configuration completed successfully" Log "✅ Managed identity can now access AI Search and AI Foundry" @@ -204,7 +218,7 @@ try { } catch { Warn "RBAC setup failed: $_" Log "You can run RBAC setup manually later with:" - Log " ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName'" + Log " ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName' -FabricWorkspaceId '$fabricWorkspaceId'" throw } } diff --git a/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 b/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 index 9cac831..7cd9807 100644 --- a/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 +++ b/scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 
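Review bot: The manual recovery hint in the `catch` block no longer matches the real invocation. It always prints `-FabricWorkspaceId '$fabricWorkspaceId'`, even when the value is empty, and it still omits `-AIFoundryResourceGroup` and `-AISearchResourceGroup`, which the splatted call passes. The printed path `./scripts/OneLakeIndex/...` also differs from the `scripts/automationScripts/OneLakeIndex/` directory in this diff's file headers, so an operator copying it after a failed RBAC run may not find the script (this predates the commit but sits on the changed line). I would append the ID only when it is set, e.g. `$idHint = if ($fabricWorkspaceId) { " -FabricWorkspaceId '$fabricWorkspaceId'" } else { '' }`, and add the two resource-group arguments.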
@@ -14,7 +14,9 @@ param( [Parameter(Mandatory = $false)] [string]$AISearchResourceGroup = "", [Parameter(Mandatory = $false)] - [string]$FabricWorkspaceName = "" + [string]$FabricWorkspaceName = "", + [Parameter(Mandatory = $false)] + [string]$FabricWorkspaceId = "" ) Set-StrictMode -Version Latest @@ -341,7 +343,7 @@ try { } # Setup Fabric workspace permissions for OneLake access - if ($FabricWorkspaceName) { + if ($FabricWorkspaceId -or $FabricWorkspaceName) { Log "Setting up Fabric workspace permissions..." # Get Fabric access token 
@@ -355,23 +357,40 @@ try { # Create Fabric headers $fabricHeaders = New-SecureHeaders -Token $fabricToken - # Find the workspace - $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces" - $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get - - # Debug: Log available workspaces and their properties - Log "Available workspaces:" - foreach ($ws in $workspacesResponse.value) { - Log " - Name: '$($ws.displayName)' ID: $($ws.id)" + $workspaceId = $null + + # Use workspace ID directly if provided (avoids fragile displayName lookup, critical for BYO workspaces) + if ($FabricWorkspaceId) { + $workspaceId = $FabricWorkspaceId.Trim() + Log "Using provided Fabric workspace ID: $workspaceId" } - - # Find workspace by displayName only (name property may not exist) - $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName } - - if ($workspace) { - $workspaceId = $workspace.id - Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)" + + # Fall back to displayName lookup if no ID provided + if (-not $workspaceId) { + # Find the workspace + $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces" + $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get + + # Debug: Log available workspaces and their properties + Log "Available workspaces:" + foreach ($ws in $workspacesResponse.value) { + Log " - Name: '$($ws.displayName)' ID: $($ws.id)" + } + + # Find workspace by displayName only (name property may not exist) + $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName } + if ($workspace) { + $workspaceId = $workspace.id + Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)" + } else { + Warn "Could not find Fabric workspace: '$FabricWorkspaceName'" + Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')" + Log "Make sure the 
workspace name matches exactly (case-sensitive)" + } + } + + if ($workspaceId) { # Add the managed identity as a workspace member with Contributor role $roleAssignmentUrl = "https://api.fabric.microsoft.com/v1/workspaces/$workspaceId/roleAssignments" $rolePayload = @{ @@ -382,7 +401,7 @@ try { role = "Contributor" } | ConvertTo-Json -Depth 3 - Log "Assigning Contributor role to managed identity in workspace..." + Log "Assigning Contributor role to managed identity in workspace $workspaceId..." try { Invoke-SecureRestMethod -Uri $roleAssignmentUrl -Headers @{ Authorization = "Bearer $fabricToken" @@ -399,10 +418,6 @@ try { Log " 2. Add managed identity $ExecutionManagedIdentityPrincipalId as Contributor" } } - } else { - Warn "Could not find Fabric workspace: '$FabricWorkspaceName'" - Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')" - Log "Make sure the workspace name matches exactly (case-sensitive)" } } } catch { @@ -423,8 +438,9 @@ try { Log " - AI Foundry project identity has Search roles" } } - if ($FabricWorkspaceName) { - Log " - Contributor on Fabric workspace $FabricWorkspaceName" + if ($FabricWorkspaceId -or $FabricWorkspaceName) { + $wsLabel = if ($FabricWorkspaceId) { "Fabric workspace ID $FabricWorkspaceId" } else { "Fabric workspace $FabricWorkspaceName" } + Log " - Contributor on $wsLabel" } } catch {
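Review bot: `$FabricWorkspaceId` reaches the request URL `.../v1/workspaces/$workspaceId/roleAssignments` after only `.Trim()`, in the new `if ($FabricWorkspaceId)` branch. The value comes from environment and azd settings, so a malformed entry containing `/` or `?` would change the path of a request that carries the Fabric bearer token and assigns Contributor. Parse it as a GUID before use: `$parsedId = [guid]::Empty` then `if ([guid]::TryParse($FabricWorkspaceId.Trim(), [ref]$parsedId)) { $workspaceId = $parsedId.ToString() } else { Warn "FabricWorkspaceId is not a valid GUID; falling back to displayName lookup" }`. The direct-ID path also skips any check that the workspace exists or that its displayName equals `$FabricWorkspaceName` when both are supplied, so a stale ID grants the role on a different workspace than the one named in the logs. The surrounding `try` block starts before this hunk and ends after it.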