…reating workspace.
…osoft/Deploy-Your-AI-Application-In-Production into feat/addPostgreFabricMirror
…osoft/Deploy-Your-AI-Application-In-Production into feat/addPostgreFabricMirror
Pull request overview
This PR updates the AI Landing Zone submodule source and reworks provisioning/automation to add PostgreSQL Flexible Server provisioning plus Fabric mirroring support, while improving resiliency of post-provision scripts (outputs-based configuration, retries, and safer error handling).
Changes:
- Switch AI Landing Zone submodule to a new upstream repo and change preprovision to deploy the submodule directly via `az deployment group create`.
- Add PostgreSQL Flexible Server provisioning in the wrapper Bicep, plus PowerShell automation to prep PostgreSQL for Fabric mirroring and create a mirrored database.
- Improve automation scripts to prefer `AZURE_OUTPUTS_JSON`, add retries/guardrails, and introduce a Purview skip flag.
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| submodules/ai-landing-zone | Updates submodule commit pointer to the new upstream state. |
| scripts/preprovision-integrated.ps1 | Replaces preprovision flow with direct submodule deployment + env output publishing. |
| scripts/automationScripts/SecurityModule.ps1 | Enhances REST error sanitization and adds HTTP status/body diagnostics. |
| scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1 | Adds AI Foundry project existence checks to improve RBAC setup reliability. |
| scripts/automationScripts/OneLakeIndex/06_setup_ai_foundry_search_rbac.ps1 | Pulls settings from outputs, discovers project, and improves additional principals parsing. |
| scripts/automationScripts/OneLakeIndex/05_create_onelake_indexer.ps1 | Adds public access toggle + retry handling for Search requests and RBAC propagation. |
| scripts/automationScripts/OneLakeIndex/04_create_onelake_datasource.ps1 | Same Search public-access toggle + retry layer; prefers outputs for config. |
| scripts/automationScripts/OneLakeIndex/03_create_onelake_index.ps1 | Same Search public-access toggle + retry layer; prefers outputs for config. |
| scripts/automationScripts/OneLakeIndex/02_create_onelake_skillsets.ps1 | Same Search public-access toggle + retry layer; prefers outputs for config. |
| scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1 | Prefers outputs for Search/Foundry values used during RBAC. |
| scripts/automationScripts/FabricWorkspace/mirror/run_postgresql_mirroring_prep_with_public_access.ps1 | Adds wrapper to temporarily enable public access for KV/PG during mirroring prep. |
| scripts/automationScripts/FabricWorkspace/mirror/prepare_postgresql_for_mirroring.ps1 | Adds PostgreSQL mirroring preparation (params, roles/grants, seed table). |
| scripts/automationScripts/FabricWorkspace/mirror/create_postgresql_mirror.ps1 | Adds Fabric API automation for creating a mirrored database once a connection exists. |
| scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1 | Adds SKIP_PURVIEW_INTEGRATION short-circuit. |
| scripts/automationScripts/FabricWorkspace/CreateWorkspace/materialize_document_folders.ps1 | Improves retry behavior and idempotency checks for folder materialization. |
| scripts/automationScripts/FabricWorkspace/CreateWorkspace/create_fabric_workspace.ps1 | Moves from Power BI to Fabric API and updates admin/capacity assignment flows. |
| scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1 | Adds skip flag and retry logic around scan create/run. |
| scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1 | Adds skip flag to avoid running Purview setup. |
| scripts/automationScripts/FabricPurviewAutomation/connect_log_analytics.ps1 | Removes placeholder Log Analytics linkage script. |
| infra/main.bicepparam | Reorganizes parameters and adds PostgreSQL + mirror-related inputs/toggles. |
| infra/main.bicep | Adds PostgreSQL provisioning and updates wrapper outputs for scripts. |
| docs/quota_check.md | Clarifies terminal requirements for quota script vs deployment. |
| docs/postgresql_mirroring.md | Adds end-to-end runbook for Fabric mirroring with what’s automated vs manual. |
| docs/post_deployment_steps.md | Adds PostgreSQL mirroring verification steps and updates network isolation wording. |
| docs/automation-outputs-mapping.md | Updates mapping descriptions for resolved Fabric modes. |
| docs/PARAMETER_GUIDE.md | Updates submodule param references and documents PostgreSQL options. |
| docs/DeploymentGuide.md | Updates Windows shell guidance and reflects new preprovision/deployment flow. |
| azure.yaml | Switches preprovision to pwsh and adds PostgreSQL mirroring steps. |
| README.md | Updates architecture image, upstream link, and adds PostgreSQL mirroring doc link. |
| CHANGELOG.md | Adds Unreleased notes for new behaviors and script changes. |
| .gitmodules | Updates submodule URL to new upstream repository. |
| .gitignore | Ignores a new local copy parameter file. |
Comments suppressed due to low confidence (3)
scripts/preprovision-integrated.ps1:1
- The GUID validation regex `^[0-9a-fA-F-]{36}$` is too permissive (it accepts many invalid GUID strings). Use `[guid]::TryParse(...)` (or a stricter GUID regex) to ensure `AZURE_PRINCIPAL_ID`/`principalId` is a valid GUID before relying on it for RBAC and deployment parameters.
scripts/preprovision-integrated.ps1:1
- The GUID validation regex `^[0-9a-fA-F-]{36}$` is too permissive (it accepts many invalid GUID strings). Use `[guid]::TryParse(...)` (or a stricter GUID regex) to ensure `AZURE_PRINCIPAL_ID`/`principalId` is a valid GUID before relying on it for RBAC and deployment parameters.
scripts/preprovision-integrated.ps1:1
- The `Select-String` pattern only matches parameters that start at column 0. If the submodule formats parameters with indentation (or has leading whitespace), valid params will be missed and silently dropped from `$filtered.parameters`, causing deployment failures due to missing required params. Use a pattern that allows leading whitespace (e.g., `^\\s*param\\s+...`).
Pull request overview
Copilot reviewed 31 out of 32 changed files in this pull request and generated 8 comments.
Comments suppressed due to low confidence (2)
scripts/preprovision-integrated.ps1:1
- The GUID validation regex `^[0-9a-fA-F-]{36}$` is overly permissive (it accepts many non-GUID 36-char strings with hyphens in the wrong places). This can lead to invalid `principalId` being accepted and later causing RBAC/deployment failures. Prefer strict GUID parsing (e.g., `[guid]::TryParse(...)`) for validation.
scripts/preprovision-integrated.ps1:1
- The GUID validation regex `^[0-9a-fA-F-]{36}$` is overly permissive (it accepts many non-GUID 36-char strings with hyphens in the wrong places). This can lead to invalid `principalId` being accepted and later causing RBAC/deployment failures. Prefer strict GUID parsing (e.g., `[guid]::TryParse(...)`) for validation.
Pull request overview
Copilot reviewed 31 out of 32 changed files in this pull request and generated 10 comments.
Comments suppressed due to low confidence (1)
scripts/preprovision-integrated.ps1:1
- The regex `^param\s+(\w+)` only matches `param` at column 1. In Bicep, parameters can be indented and/or preceded by decorators, so this can miss valid params and produce an incomplete `$filteredParams` file (leading to ARM/Bicep validation errors due to missing required parameters). Use a whitespace-tolerant pattern (e.g., `^\s*param\s+(\w+)`) and consider accounting for decorator lines (or using `az bicep build --stdout`/a safer parsing approach) so the allowlist is accurate.
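The GUID and `param` regex points raised in the suppressed review comments above, shown side by side as an added PowerShell example (not code from the PR or the repository). The helper names `Test-PrincipalId` and `Get-BicepParamName` are hypothetical and every sample value is constructed.

```powershell
# Added example: all sample values are constructed, not taken from the PR.
$looseGuid = '^[0-9a-fA-F-]{36}$'      # regex quoted in the review comments

function Test-PrincipalId {            # hypothetical helper name
    param([string]$Value)
    $parsed = [guid]::Empty
    # TryParse also accepts brace, parenthesis and no-hyphen forms, so hand
    # back the canonical hyphenated form for use in deployment parameters.
    if ([guid]::TryParse($Value, [ref]$parsed)) { return $parsed.ToString('D') }
    return $null
}

$ids = @(
    '3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b',   # well-formed
    '------------------------------------',   # 36 hyphens
    '3f2b8c1e9a4d-4e6f-8b7a-1c2d3e4f5a6b-',   # hyphens in the wrong places
    'abcdefabcdefabcdefabcdefabcdefabcdef'    # 36 hex digits, no hyphens
)
$ids | ForEach-Object {
    [pscustomobject]@{
        Value      = $_
        LooseRegex = $_ -match $looseGuid
        TryParse   = $null -ne (Test-PrincipalId $_)
    }
} | Format-Table -AutoSize

function Get-BicepParamName {          # hypothetical helper name
    param([string[]]$Lines, [string]$Pattern)
    $Lines | Select-String -Pattern $Pattern |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

$bicep = @(
    "@description('Deployment location')"
    'param location string'
    '  @secure()'
    '  param adminPassword string'      # indented: missed by the anchored pattern
    "var note = 'param fake string'"    # not a declaration: matched by neither
)
"anchored: " + ((Get-BicepParamName $bicep '^param\s+(\w+)') -join ', ')
"tolerant: " + ((Get-BicepParamName $bicep '^\s*param\s+(\w+)') -join ', ')
```

The loose regex accepts all four sample ids while `[guid]::TryParse` accepts only the first, and the anchored `param` pattern drops the indented `adminPassword` declaration that the whitespace-tolerant one keeps.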
| $groups = Invoke-SecureRestMethod -Uri "$apiRoot/groups?%24top=5000" -Headers $apiHeaders -Method Get -ErrorAction Stop | ||
| $g = $groups.value | Where-Object { $_.name -eq $WorkspaceName } |
| } | ||
| } | ||
|
|
||
| Invoke-SecureWebRequest -Uri "$apiRoot/workspaces/$workspaceId/roleAssignments" -Method Post -Headers ($apiHeaders) -Body (@{ principal = @{ id = $pincipalId; type = 'User' }; role = 'Admin' } | ConvertTo-Json) -ErrorAction Stop |
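Review bot: `$pincipalId` in the `principal` body of the `roleAssignments` POST looks like a misspelling of `$principalId`. Unless a variable with that exact spelling is defined, PowerShell expands it to `$null` when strict mode is off, so the request goes out with an empty `id` and the admin assignment fails at the API rather than at the call site. Use the correctly spelled variable and stop early if it is empty.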
| # Set server parameters for mirroring | ||
| $changed = $false | ||
| $needsRestart = $false |
| function Set-ParamValue([string]$paramName, [string]$value, [bool]$requiresRestart) { | ||
| $current = Get-ParamValue $paramName | ||
| if ($current -ne $value) { | ||
| Log "Setting $paramName to '$value' (was '$current')" | ||
| az postgres flexible-server parameter set -g $resourceGroup -s $postgreSqlServerName -n $paramName --value $value --subscription $subscriptionId 1>$null | ||
| $script:changed = $true | ||
| if ($requiresRestart) { $script:needsRestart = $true } | ||
| } | ||
| } |
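Review bot: in `Set-ParamValue`, the outcome of `az postgres flexible-server parameter set` is never checked. Stdout is discarded with `1>$null`, and `$script:changed` and `$script:needsRestart` are set afterwards whether or not the call succeeded. Check `$LASTEXITCODE` immediately after the `az` call and throw on a non-zero value, so a failed set does not go on to trigger a server restart for a parameter that was never applied.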
| Set-ParamValue -paramName 'max_worker_processes' -value $targetWorkers.ToString() -requiresRestart $true | ||
| } | ||
|
|
||
| if ($changed -and $needsRestart) { |
| # Increase max_worker_processes by 3 per mirrored database | ||
| $maxWorkers = Get-ParamValue 'max_worker_processes' | ||
| if ($maxWorkers -and $maxWorkers -as [int]) { | ||
| $currentWorkers = [int]$maxWorkers | ||
| $targetWorkers = $currentWorkers + (3 * $MirrorCount) | ||
| Set-ParamValue -paramName 'max_worker_processes' -value $targetWorkers.ToString() -requiresRestart $true |
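Review bot: `$targetWorkers = $currentWorkers + (3 * $MirrorCount)` is derived from the server's current value, so the step is not idempotent. Every run of the script raises `max_worker_processes` again and flags a restart, even when an earlier run already made room for the mirrors. Compute the target from a fixed baseline, or record that the increase was applied, and skip the set when the current value already meets it.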
azure.yaml
Outdated
|
|
||
| # Stage 5: Purview Collection Creation | ||
| - run: ./scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1 | ||
| - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1" |
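Review bot: the `run` line that prefixes the script with `$env:SKIP_PURVIEW_INTEGRATION='true'` hardcodes the skip inside the hook, so this stage can never create the Purview collection regardless of what the deployer has set. Leave the flag to the environment and let the script's own skip check decide, keeping the plain `./scripts/.../create_purview_collection.ps1` invocation.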
azure.yaml
Outdated
|
|
||
| # Stage 6: Register Fabric as Purview Data Source | ||
| - run: ./scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1 | ||
| - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1" |
azure.yaml
Outdated
|
|
||
| # Stage 17: Trigger Purview Scan (if Purview enabled) | ||
| - run: ./scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1 | ||
| - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1" |
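Review bot: the stage comment says the scan is triggered "if Purview enabled", but the `run` line that sets `$env:SKIP_PURVIEW_INTEGRATION='true'` inline makes the skip unconditional. Either drop the inline assignment so the flag comes from the environment, or change the comment to say that the stage is disabled.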
CHANGELOG.md
Outdated
| ### Fixed | ||
| - Power BI headers initialization in Log Analytics linkage script to resolve workspace ID lookups | ||
|
|
Purpose
Replace submodule location, add PostgreSQL provisioning, add Fabric mirror of PostgreSQL DB
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Follow post_deployment_steps.md for listing
Other Information
As reviewed with team on 3-10-26