feat: Merging the AVM Waf changes into byoc-researcher (#685)

* infra avm changes in bicep

* infra avm changes in bicep

* updated variables

* updated variables

* updated variables

* webapp bicep changes

* webapp bicep changes

* webapp bicep changes

* webapp bicep changes

* webapp bicep changes

* only storage account deployment

* only storage account deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* only storage, multiservice & search deployment

* added disable local auth params

* added disable local auth params set to false

* added disable local auth params set to false

* added disable local auth params set to false

* added disable local auth params set to false

* added disable local auth params set to false

* add keys to key vault

* add keys to key vault

* add keys to key vault

* added owner permission

* changed primaryscripturi to scriptcontent to resolve output error

* changed primaryscripturi to scriptcontent to resolve output error

* changed primaryscripturi to scriptcontent to resolve output error

* changed retentiondays

* added depends on

* added depends on

* added depends on

* added depends on

* added depends on

* added depends on

* added depends on

* added deployment script file in the module

* added deployment script file in the module

* added azure client id

* fetching azure client id from environment variables

* changed container registry name

* changed container registry name

* avm and waf latest changes

* fix: Added support to run the script in private network

* avm and waf latest changes

* fix: Added permission for storage and deployment script issue fix

* added private endpoint changes

* added private endpoint changes

* added private endpoint changes

* cleanup, removed abbr fiel

* cleanup, removed abbr fiel

* cleanup, removed abbr fiel

* added module for hub and project

* added module for hub and project

* Refactored the bicep code based on bicep standards and added parameters file

* updated main.json file

* Update publicNetworkAccess configuration for draft flow deployment

* Update Azure Machine Learning private link in main.bicep

* Update containerImageTag to use latest version in parameters files

* updated openai key

* Enable private networking and add monitoring, scalability, and VM admin parameters in main.parameters.json; set publicNetworkAccess to 'Enabled' in main.bicep for draft flow deployment

* bicep build

* removed system assigned managed identity

* added comment for project and hub

* added comment for project and hub

* Readme update

* Readme update, removed dev container and codespace

* Readme update, removed dev container and codespace

* condition added for vmusername and password

* Refactor networking settings to conditionally enable public network access based on private networking configuration

* updated main.json

* removed promptflow version

* Update DraftFlow.zip with latest changes

* Update default values for location and container registry hostname in Bicep and JSON templates

* Refactor deployment instructions and remove unused parameters from JSON files

* Update deployment guides to clarify WAF-aligned production deployment steps

* Update deployment templates and documentation for clarity and consistency

* Remove obsolete Bicep files and associated documentation for Azure infrastructure deployment, including AI services, app services, key vault, managed identity, storage account, and deployment scripts.

* Remove pre-requisites section from Deployment Guide for clarity and focus on deployment options

* Update project name in azure.yaml

* Enhance AI Foundry Deployment Guide with detailed Azure Bastion connection steps and troubleshooting tips; update link reference in Deployment Guide for clarity.

---------

Co-authored-by: Priyanka-Microsoft <v-prisinghal@microsoft.com>
Co-authored-by: Prajwal D C <v-dcprajwal@microsoft.com>

Author: 3 people

.github/workflows/RAdeploy.yml

@@ -106,8 +106,8 @@ jobs:
 
           az deployment group create \
             --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
-            --template-file infra/bicep/main.bicep \
-            --parameters solutionPrefix=${{ env.SOLUTION_PREFIX }} createdBy="Pipeline" tags="{'SecurityControl':'Ignore','Purpose':'Deploying and Cleaning Up Resources for Validation','CreatedDate':'$current_date'}"
+            --template-file infra/main.bicep \
+            --parameters solutionName=${{ env.SOLUTION_PREFIX }} createdBy="Pipeline" tags="{'SecurityControl':'Ignore','Purpose':'Deploying and Cleaning Up Resources for Validation','CreatedDate':'$current_date'}"
       - name: List KeyVaults and Store in Array
         id: list_keyvaults
         run: |

README.md

@@ -75,9 +75,9 @@ https://azure.microsoft.com/en-us/explore/global-infrastructure/products-by-regi
 
 2. Click the following deployment button to create the required resources for this accelerator in your Azure Subscription.
 
-   [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FBuild-your-own-copilot-Solution-Accelerator%2Fbyoc-researcher%2Finfra%2Fbicep%2Fmain.json)
+   [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FBuild-your-own-copilot-Solution-Accelerator%2Fbyoc-researcher%2Finfra%2Fmain.json)
 
-3. You will need to select an Azure Subscription, create/select a Resource group, Region, and a unique Solution Prefix.
+3. You will need to select an Azure Subscription, create/select a Resource group, Region, and a unique Solution Name.
 
    ![image](docs/images/readMe/armDeployment.png)
 
@@ -93,6 +93,13 @@ The next steps are optional for additional learning. Not required to deploy the
 
 8. Optional - Follow steps in [Promptflow Safety Evaluation guide](./docs/PromptFlowSafetyEvaluation.md) to set up the safety evaluation flows.
 
+### **Deploying with Azure Developer CLI (AZD)**
+
+Follow the quick deploy steps on the deployment guide to deploy this solution using Azure Developer CLI(AZD) to your own Azure subscription.
+
+[Click here to launch the deployment guide](./docs/DeploymentGuide.md)
+<br/><br/>
+
 
 <br/>
 <br>

azure.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/Azure/azure-dev/main/schemas/v1.0/azure.yaml.json
+name: byoc-research-assistant
+
+requiredVersions:
+  azd: ">= 1.15.0"
+
+metadata:
+  template: byoc-research-assistant@1.0

docs/AIFoundryDeployment.md

@@ -1,4 +1,40 @@
 # AI Foundry Deployment Guide 
+
+> **Important**: For WAF-aligned production deployments, ensure you are logged into the designated virtual machine before proceeding with the below steps.
+
+### Accessing the Virtual Machine via Azure Bastion
+
+For WAF-aligned production environments, you must perform these deployment steps from within the designated virtual machine. Follow these steps to connect:
+
+1. **Navigate to your Virtual Machine in Azure Portal**
+   - Go to [Azure Portal](https://portal.azure.com/)
+   - Search for "Virtual machines" in the top search bar
+   - Click on your VM named `vm-{your-deployment-prefix}` or similar
+
+2. **Connect using Azure Bastion**
+   - In your VM overview page, click the **Connect** button
+   - Select **Connect via Bastion** from the dropdown menu
+
+3. **Enter your credentials**
+   - **Username**: Use the admin username you specified during the initial deployment (e.g., `JumpboxAdminUser` or the custom username you provided)
+   - **Password**: Enter the admin password you set during the deployment process
+   - **Authentication Type**: Select "Password" 
+   - Click **Connect**
+
+4. **Wait for connection**
+   - The Bastion connection may take 30-60 seconds to establish
+   - A new browser tab will open with your VM desktop environment
+
+5. **Open a web browser in the VM**
+   - Once connected to the VM, open Microsoft Edge or Chrome
+   - Navigate to [AI Foundry](https://ai.azure.com/) from within the VM
+   - Sign in with your Azure credentials
+
+> **Troubleshooting**: If you forgot your VM credentials:
+> - You can reset the password in Azure Portal: Go to your VM → **Reset password** in the left menu
+> - Or contact your Azure administrator for assistance
+---
+
 Please follow the steps below to configure the Prompt flow endpoint in App service configuration.
 
 ## Step 1: OpenAI Foundry Project

docs/CustomizingAzdParameters.md

@@ -0,0 +1,39 @@
+## [Optional]: Customizing resource names 
+
+By default this template will use the environment name as the prefix to prevent naming collisions within Azure. The parameters below show the default values. You only need to run the statements below if you need to change the values. 
+
+
+> To override any of the parameters, run `azd env set <PARAMETER_NAME> <VALUE>` before running `azd up`. On the first azd command, it will prompt you for the environment name. Be sure to choose 3-20 charaters alphanumeric unique name. 
+
+## Parameters
+
+| Name                          | Type    | Default Value       | Purpose                                                                                              |
+| -----------------------------| ------- | ------------------- | ---------------------------------------------------------------------------------------------------- |
+| `AZURE_ENV_NAME`            | string  | `azdtemp`           | Used as a prefix for all resource names to ensure uniqueness across environments.                    |
+| `AZURE_LOCATION`            | string  | `<User selects during deployment>`         | Sets the Azure region for resource deployment.  |
+| `AZURE_OPENAI_MODEL_DEPLOYMENT_TYPE`             | string  | `Standard`    | Change the Model Deployment Type (allowed values: Standard, GlobalStandard).                         |
+| `AZURE_OPENAI_DEPLOYMENT_MODEL`               | string  | `gpt-35-turbo`            | Set the GPT model name (allowed values: `gpt-35-turbo`, `gpt-4`, `gpt-4o`).                                                      |
+| `AZURE_OPENAI_API_VERSION`     | string  | `0125`        | Set the Azure OpenAI model version.                                       |
+| `AZURE_OPENAI_DEPLOYMENT_MODEL_CAPACITY`     | integer | `30`               | Set the model capacity for GPT deployment. Choose based on your Azure quota and usage needs.         |
+| `AZURE_OPENAI_EMBEDDING_MODEL`            | string  | `text-embedding-ada-002`  | Set the model name used for embeddings.                                                              |
+| `AZURE_OPENAI_EMBEDDING_MODEL_VERSION`            | string  | `2`  | Set the version for the embedding model.                                                              |
+| `AZURE_OPENAI_EMBEDDING_MODEL_CAPACITY` | integer | `45`              | Set the capacity for embedding model deployment.                                                     |
+| `AZURE_ENV_IMAGETAG`                  | string  | `latest`            | Set the container image tag (allowed values: `latest`, `dev`, `hotfix`).                                             |
+| `AZURE_ENV_ENABLE_TELEMETRY`                  | boolean  | `true`            | Enable or disable telemetry collection for the deployment.                                             |
+| `AZURE_ENV_VM_ADMIN_USERNAME`            | string  | `<Set when enablePrivateNetworking=true>`         | Admin username for the jumpbox VM when private networking is enabled.   |
+| `AZURE_ENV_VM_ADMIN_PASSWORD`            | string  | `<Set when enablePrivateNetworking=true>`         | Admin password for the jumpbox VM when private networking is enabled.   |
+
+
+## How to Set a Parameter
+To customize any of the above values, run the following command **before** `azd up`:
+
+```bash
+azd env set <PARAMETER_NAME> <VALUE>
+
+```
+
+**Example:**
+
+```bash
+azd env set AZURE_LOCATION westus2
+```

docs/DeploymentGuide.md

@@ -0,0 +1,78 @@
+# Deployment Guide 
+
+## Deployment Options
+
+### Sandbox or WAF Aligned Deployment Options
+
+The [`infra`](../infra) folder of the Build-your-own-copilot-Solution-Accelerator contains the [`main.bicep`](../infra/main.bicep) Bicep script, which defines all Azure infrastructure components for this solution.
+
+By default, the `azd up` command uses the [`main.parameters.json`](../infra/main.parameters.json) file to deploy the solution. This file is pre-configured for a **sandbox environment** — ideal for development and proof-of-concept scenarios, with minimal security and cost controls for rapid iteration.
+
+For **production deployments**, the repository also provides [`main.waf.parameters.json`](../infra/main.waf.parameters.json), which applies a [Well-Architected Framework (WAF) aligned](https://learn.microsoft.com/en-us/azure/well-architected/) configuration. This option enables additional Azure best practices for reliability, security, cost optimization, operational excellence, and performance efficiency, such as:
+
+  - Enhanced network security (e.g., Network protection with private endpoints)
+  - Stricter access controls and managed identities
+  - Logging, monitoring, and diagnostics enabled by default
+  - Resource tagging and cost management recommendations
+
+---
+
+**How to choose your deployment configuration:**
+
+* Use the default `main.parameters.json` file for a **sandbox/dev environment**
+* For a **WAF-aligned, production-ready deployment**, copy the contents of `main.waf.parameters.json` into `main.parameters.json` before running `azd up`
+
+### VM Credentials Configuration
+
+By default, the solution sets the VM administrator username and password from environment variables.
+
+To set your own VM credentials before deployment, use:
+
+```sh
+azd env set AZURE_ENV_VM_ADMIN_USERNAME <your-username>
+azd env set AZURE_ENV_VM_ADMIN_PASSWORD <your-password>
+```
+
+> [!TIP]
+> Always review and adjust parameter values (such as region, capacity, security settings and log analytics workspace configuration) to match your organization’s requirements before deploying. For production, ensure you have sufficient quota and follow the principle of least privilege for all identities and role assignments.
+
+
+> [!IMPORTANT]
+> The WAF-aligned configuration is under active development. More Azure Well-Architected recommendations will be added in future updates.
+
+---
+
+### Deploying with AZD
+
+Once you've opened the project in locally, you can deploy it to Azure by following these steps:
+
+1. Login to Azure:
+
+    ```shell
+    azd auth login
+    ```
+
+    #### To authenticate with Azure Developer CLI (`azd`), use the following command with your **Tenant ID**:
+
+    ```sh
+    azd auth login --tenant-id <tenant-id>
+    ```
+
+2. Provision and deploy all the resources:
+
+    ```shell
+    azd up
+    ```
+
+3. Provide an `azd` environment name (e.g., "resass").
+4. Select a subscription from your Azure account and choose a location that has quota for all the resources. 
+    -- This deployment will take *15-20 minutes* to provision the resources in your account and set up the solution with sample data.
+    - If you encounter an error or timeout during deployment, changing the location may help, as there could be availability constraints for the resources.
+
+5. When Deployment is complete, follow steps in [AI Foundry Deployment guide](./AIFoundryDeployment.md) to configure the grant draft proposal endpoint.
+
+5. Open the [Azure Portal](https://portal.azure.com/), go to the deployed resource group, find the App Service, and get the app URL from `Default domain`.
+
+6. If you are done trying out the application, you can delete the resources by running `azd down`.
+
+---