Move cosmosdb database creation to bicep deployment and fix AI Search private endpoint (#255)

Author: jgbradley1

backend/graphrag_app/main.py

@@ -46,22 +46,24 @@ async def catch_all_exceptions_middleware(request: Request, call_next):
         return Response("Unexpected internal server error.", status_code=500)
 
 
+# NOTE: this function is not currently used, but it is a placeholder for future use once RBAC issues have been resolved
 def intialize_cosmosdb_setup():
-    """Initialise CosmosDB (if necessary) by setting up a database and containers that are expected at startup time."""
+    """Initialise database setup (if necessary) and configure CosmosDB containers that are expected at startup time if they do not exist."""
     azure_client_manager = AzureClientManager()
     client = azure_client_manager.get_cosmos_client()
-    db_client = client.create_database_if_not_exists("graphrag")
-    # create containers with default settings
     throughput = ThroughputProperties(
         auto_scale_max_throughput=1000, auto_scale_increment_percent=1
     )
+    db_client = client.create_database_if_not_exists(
+        "graphrag", offer_throughput=throughput
+    )
+    # create containers with default settings
     db_client.create_container_if_not_exists(
-        id="jobs", partition_key=PartitionKey(path="/id"), offer_throughput=throughput
+        id="jobs", partition_key=PartitionKey(path="/id")
     )
     db_client.create_container_if_not_exists(
         id="container-store",
         partition_key=PartitionKey(path="/id"),
-        offer_throughput=throughput,
     )
 
 
@@ -78,8 +80,8 @@ async def lifespan(app: FastAPI):
         yield
         return
 
-    # Initialize CosmosDB setup
-    intialize_cosmosdb_setup()
+    # TODO: must identify proper CosmosDB RBAC roles before databases and containers can be created by this web app
+    # intialize_cosmosdb_setup()
 
     try:
         # Check if the cronjob exists and create it if it does not exist

infra/abbreviations.json

@@ -84,6 +84,7 @@
   "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
   "networkNetworkWatchers": "nw-",
   "networkPrivateDnsZones": "pdnsz-",
+  "networkPrivateLinkScope": "pls-",
   "networkPrivateLinkServices": "pl-",
   "networkPublicIPAddresses": "pip-",
   "networkPublicIPPrefixes": "ippre-",
@@ -134,4 +135,4 @@
   "webSitesAppServiceEnvironment": "ase-",
   "webSitesFunctions": "func-",
   "webStaticSites": "stapp-"
-}
+}

infra/core/ai-search/ai-search.bicep

@@ -10,7 +10,7 @@ param location string = resourceGroup().location
 @allowed(['enabled', 'disabled'])
 param publicNetworkAccess string = 'enabled'
 
-resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
+resource search 'Microsoft.Search/searchServices@2024-06-01-preview' = {
   name: name
   location: location
   sku: {
@@ -21,9 +21,13 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
     replicaCount: 1
     partitionCount: 1
     publicNetworkAccess: publicNetworkAccess
+    networkRuleSet: {
+      ipRules: []
+      bypass: 'AzureServices'
+    }
     semanticSearch: 'disabled'
   }
 }
 
-output name string = aiSearch.name
-output id string = aiSearch.id
+output name string = search.name
+output id string = search.id

infra/core/aks/aks.bicep

@@ -50,7 +50,7 @@ param subnetId string
 
 param privateDnsZoneName string
 
-@description('Array of object ids that will have admin role of the cluster')
+@description('Array of object ids of admins that will have admin control over the cluster')
 param clusterAdmins array = []
 
 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
@@ -187,11 +187,10 @@ resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedCluste
       schedule: {
         weekly: {
           intervalWeeks: 1
-          dayOfWeek: 'Monday'
+          dayOfWeek: 'Sunday'
         }
       }
       durationHours: 4
-      startDate: '2024-06-11'
       startTime: '12:00'
     }
   }
@@ -209,7 +208,6 @@ resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClus
         }
       }
       durationHours: 4
-      startDate: '2024-06-11'
       startTime: '12:00'
     }
   }

infra/core/apim/apim.bicep

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 @description('The name of the API Management service instance')
-param apiManagementName string = 'apiservice${uniqueString(resourceGroup().id)}'
+param apiManagementName string
 
 @description('The email address of the owner of the service')
 @minLength(1)

infra/core/cosmosdb/cosmosdb.bicep

@@ -10,6 +10,8 @@ param location string = resourceGroup().location
 @allowed(['Enabled', 'Disabled'])
 param publicNetworkAccess string = 'Disabled'
 
+var maxThroughput = 1000
+
 resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' = {
   name: cosmosDbName
   location: location
@@ -64,7 +66,101 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' = {
     }
     networkAclBypassResourceIds: []
     capacity: {
-      totalThroughputLimit: 4000
+      totalThroughputLimit: maxThroughput
+    }
+  }
+}
+
+// create a single database that is used to maintain state information for graphrag indexing
+// NOTE: The current CosmosDB role assignments are not sufficient to allow the aks workload identity to create databases and containers so we must do it in bicep at deployment time.
+// TODO: Identify and assign appropriate RBAC roles that allow the workload identity to create new databases and containers instead of relying on this bicep implementation.
+resource graphragDatabase 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-11-15' = {
+  parent: cosmosDb
+  name: 'graphrag'
+  properties: {
+    options: {
+      autoscaleSettings: {
+        maxThroughput: maxThroughput
+      }
+    }
+    resource: {
+      id: 'graphrag'
+    }
+  }
+}
+
+resource jobsContainer 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-11-15' = {
+  parent: graphragDatabase
+  name: 'jobs'
+  properties: {
+    resource: {
+      id: 'jobs'
+      indexingPolicy: {
+        indexingMode: 'consistent'
+        automatic: true
+        includedPaths: [
+          {
+            path: '/*'
+          }
+        ]
+        excludedPaths: [
+          {
+            path: '/"_etag"/?'
+          }
+        ]
+      }
+      partitionKey: {
+        paths: [
+          '/id'
+        ]
+        kind: 'Hash'
+        version: 2
+      }
+      uniqueKeyPolicy: {
+        uniqueKeys: []
+      }
+      conflictResolutionPolicy: {
+        mode: 'LastWriterWins'
+        conflictResolutionPath: '/_ts'
+      }
+    }
+  }
+}
+
+resource containerStoreContainer 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-11-15' = {
+  parent: graphragDatabase
+  name: 'container-store'
+  properties: {
+    resource: {
+      id: 'container-store'
+      indexingPolicy: {
+        indexingMode: 'consistent'
+        automatic: true
+        includedPaths: [
+          {
+            path: '/*'
+          }
+        ]
+        excludedPaths: [
+          {
+            path: '/"_etag"/?'
+          }
+        ]
+      }
+      partitionKey: {
+        paths: [
+          '/id'
+        ]
+        kind: 'Hash'
+        version: 2
+      }
+      uniqueKeyPolicy: {
+        uniqueKeys: []
+      }
+      conflictResolutionPolicy: {
+        mode: 'LastWriterWins'
+        conflictResolutionPath: '/_ts'
+      }
     }
   }
 }

infra/core/identity/identity.bicep

@@ -24,5 +24,6 @@ resource federatedCredentialResources 'Microsoft.ManagedIdentity/userAssignedIde
 ]
 
 output name string = identity.name
+output id string = identity.id
 output clientId string = identity.properties.clientId
 output principalId string = identity.properties.principalId

infra/core/monitor/app-insights.bicep

@@ -25,6 +25,7 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
   }
 }
 
+output name string = appInsights.name
 output id string = appInsights.id
 output connectionString string = appInsights.properties.ConnectionString
 output instrumentationKey string = appInsights.properties.InstrumentationKey

infra/core/monitor/private-link-scope.bicep

@@ -6,7 +6,7 @@ param privateLinkScopedResources array = []
 param queryAccessMode string = 'Open'
 param ingestionAccessMode string = 'PrivateOnly'
 
-resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
+resource privateLinkScope 'microsoft.Insights/privateLinkScopes@2021-07-01-preview' = {
   name: privateLinkScopeName
   location: 'global'
   properties: {
@@ -17,7 +17,7 @@ resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-previ
   }
 }
 
-resource scopedResources 'microsoft.insights/privateLinkScopes/scopedResources@2021-07-01-preview' = [
+resource scopedResources 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = [
   for id in privateLinkScopedResources: {
     name: uniqueString(id)
     parent: privateLinkScope