
Conversation

@james-tn
Contributor

@james-tn james-tn commented Jan 9, 2026

PR: Bicep Cosmos DB Backend Parity & Documentation
Summary
Brings Bicep deployment to feature parity with Terraform for Cosmos DB backend support, including automatic data seeding and comprehensive documentation.

Changes
Bicep Infrastructure (bicep)
modules/cosmosdb.bicep

Added 8 missing Cosmos DB containers to match Terraform:
Invoices (partition key: /subscription_id)
Payments (partition key: /invoice_id)
SecurityLogs (partition key: /customer_id)
Orders (partition key: /customer_id)
SupportTickets (partition key: /customer_id)
DataUsage (partition key: /subscription_id)
ServiceIncidents (partition key: /subscription_id)
KnowledgeDocuments (partition key: /category, excludes /embedding/* from indexing)
modules/mcp-service.bicep

Added seedOnStartup parameter
Added environment variables: USE_COSMOSDB=true, SEED_ON_STARTUP
Fixed COSMOS_DB_NAME → COSMOS_DATABASE_NAME to match Terraform
main.bicep

Added seedCosmosData parameter (default: false)
deploy.ps1

Added parameters: -SeedCosmosData, -UseCosmosManagedIdentity, -McpInternalOnly
Fixed Container App naming pattern: {baseName}-{service}-{env} (was {baseName}-{env}-{service})
Changed container update to use az containerapp update --image instead of revision restart
MCP Service (mcp)
data_seeding.py

Changed default SEED_CUSTOMER_COUNT from 50 to 250 to match create_db.py
Documentation
README.md

Added "MCP Backend Options" section documenting:
SQLite vs Cosmos DB backend selection
All environment variables for Cosmos DB
Complete list of 12 containers with partition keys
Data seeding configuration and force re-seed instructions
README.md

Added "Backend Storage Options" section with SQLite and Cosmos DB setup instructions
Added environment variables table
Added note about managed identity authentication
Testing
✅ Deployed Bicep infrastructure with UseCosmosManagedIdentity=true, McpInternalOnly=true, SeedCosmosData=true
✅ Verified all 13 containers created in Cosmos DB
✅ Verified data seeding completed (250 customers, 9 scenarios, knowledge documents)
✅ Verified MCP service running with Cosmos DB backend
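An added illustration (not the project's own modules/cosmosdb.bicep) of how the eight containers listed above can be declared from one array so that each container's partition key, and the /embedding/* indexing exclusion on KnowledgeDocuments, is stated in a single place; the parent account and database names are assumed parameters.

```bicep
// Added example, not the project's module. The account and database are
// assumed to already exist and are referenced by name.
param cosmosAccountName string
param databaseName string = 'contoso' // assumed default name

// Container names and partition keys as listed in the PR description.
// Only KnowledgeDocuments carries an indexing exclusion: vector embeddings
// are large float arrays, and indexing them costs RU and storage for no
// query benefit.
var containers = [
  { name: 'Invoices', partitionKey: '/subscription_id', excludedPaths: [] }
  { name: 'Payments', partitionKey: '/invoice_id', excludedPaths: [] }
  { name: 'SecurityLogs', partitionKey: '/customer_id', excludedPaths: [] }
  { name: 'Orders', partitionKey: '/customer_id', excludedPaths: [] }
  { name: 'SupportTickets', partitionKey: '/customer_id', excludedPaths: [] }
  { name: 'DataUsage', partitionKey: '/subscription_id', excludedPaths: [] }
  { name: 'ServiceIncidents', partitionKey: '/subscription_id', excludedPaths: [] }
  { name: 'KnowledgeDocuments', partitionKey: '/category', excludedPaths: [ { path: '/embedding/*' } ] }
]

resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
  name: cosmosAccountName
}

resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-04-15' existing = {
  parent: account
  name: databaseName
}

// One container resource per array entry; the loop keeps Bicep and the
// Terraform container list easy to diff side by side.
resource container 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2023-04-15' = [for c in containers: {
  parent: database
  name: c.name
  properties: {
    resource: {
      id: c.name
      partitionKey: {
        paths: [ c.partitionKey ]
        kind: 'Hash'
      }
      indexingPolicy: {
        indexingMode: 'consistent'
        includedPaths: [ { path: '/*' } ]
        excludedPaths: c.excludedPaths
      }
    }
  }
}]

output containerNames array = [for (c, i) in containers: container[i].name]
```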

James N. and others added 30 commits December 16, 2025 18:47
- Add intentionalClose flag to WebSocket manager to prevent auto-reconnect on intentional close
- Fix Dockerfile to copy from Vite 'dist' instead of CRA 'build' directory
- Update backend static file serving to handle both Vite (assets/) and CRA (static/) structures
- Add catch-all exception handler for WebSocket disconnections in backend
…e workflow. I have also commented out all the tests for model endpoint, since that currently relies on key based access.
James N. and others added 24 commits January 8, 2026 18:38
- Use mcr.microsoft.com/k8se/quickstart:latest as placeholder image
- Add lifecycle ignore_changes for container image (managed by update-containers)
- Solves chicken-and-egg problem: Container Apps created before images exist in ACR
- update-containers.yml sets real images after Docker builds complete
- Docker workflows should only run via workflow_call from orchestrate.yml
- Prevents duplicate/orphan runs that occur before infrastructure exists
- Manual dispatch still available for ad-hoc builds
- Add placeholder image support (mcr.microsoft.com/k8se/quickstart:latest)
- Fix MCP allowInsecure when mcpInternalOnly is true
- Add readiness probe to application container (/docs endpoint)
- Add missing env vars: AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME, AZURE_OPENAI_EMBEDDING_DEPLOYMENT
- Make AZURE_OPENAI_API_VERSION configurable via parameter
- Align naming convention with environment suffix
- Change image name from workshop-app to backend-app for consistency
…guide

- Replace ASCII architecture diagrams with interactive Mermaid diagrams
- Add comprehensive enterprise security sections (VNet, Private Endpoints, Managed Identity)
- Document security profiles (Dev/Staging/Production)
- Add CI/CD with GitHub Actions OIDC section linking to GITHUB_ACTIONS_SETUP.md
- Update main README with enterprise deployment table linking to all guides
- Add data flow and authentication flow sequence diagrams
- Include troubleshooting guide with common issues
- Create _backend_sqlite.py for local SQLite development
- Create _backend_cosmos.py for production Cosmos DB
- Update contoso_tools.py to select backend via USE_COSMOSDB env var
- Remove mcp_service_cosmos.py (merged into mcp_service.py)
- Remove contoso_tools_cosmos.py (merged into _backend_cosmos.py)
- Remove unused sqlite3 import from mcp_service.py

Usage: Set USE_COSMOSDB=true for Cosmos DB, false (default) for SQLite
… state features

Resolved merge conflicts:
- _aca-mcp.tf: Combined MCP backend (USE_COSMOSDB, SEED_ON_STARTUP) with agent state env vars
- cosmosdb.tf: Kept all containers from james-dev, added agent_state from int-agentic
- variables.tf: Added seed_cosmos_data variable
- main.bicep: Kept seedCosmosData parameter
- mcp-service.bicep: Kept USE_COSMOSDB and SEED_ON_STARTUP env vars

Accepted int-agentic's versions for:
- deploy.ps1, providers.tf, dev.tfvars (cleaner structure with remote backend support)
- reflection_agent.py, .env.sample, azure.yaml, SETUP.md, _backend_cosmos.py

Kept james-dev's versions for:
- infra/README.md (includes MCP backend documentation)
@james-tn james-tn requested a review from tjsullivan1 January 9, 2026 21:38
Contributor

@tjsullivan1 tjsullivan1 left a comment


This all looks good to go.

@tjsullivan1 tjsullivan1 merged commit 4b675c5 into int-agentic Jan 12, 2026
9 checks passed
tjsullivan1 added a commit that referenced this pull request Jan 12, 2026
…st (#362)

* Add workflow reflection agent documentation and update uv.lock

* add infra deployment

* add entra id & deployment & change to agent_modules

* add secure deployment option

* add CosmosDB as the default state store

* add CosmosDB as the default state store

* Potential fix for code scanning alert no. 4: Information exposure through an exception

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Converted Fraud Detection UI from Create React App to Vite

* Updated Agentic AI React Frontend to proper component structure, updated NPM libraries and added Dockerfile for containerization

* Updated documentation based on React UI updates

* James dev (#351)

* WIP: Save local changes before switching to int-agentic

* Fix WebSocket reconnect issue and Vite build compatibility

- Add intentionalClose flag to WebSocket manager to prevent auto-reconnect on intentional close
- Fix Dockerfile to copy from Vite 'dist' instead of CRA 'build' directory
- Update backend static file serving to handle both Vite (assets/) and CRA (static/) structures
- Add catch-all exception handler for WebSocket disconnections in backend

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>

* adding initial commit of terraform code. Moved bicep to sub directory

* updated iteration variable

* trying to figure out what changes between the two jobs when it comes to oidc login

* updated environment for integration test steps

* updated with tests, changed environment var in terraform steps, removed lychee checker

* adding a readme for the github workflows

* added use oidc

* added use azuread auth too

* adding orchestrator overlay function

* adding orchestrator overlay function, but fixing input name

* adding permissions to orchestrator layer

* Updated Orchestrator name

* updated workflows to segment out destruction of resources

* updated workflows to segment out destruction of resources, fixed input vars

* updated orchestrator to run the destroy on dev/my test branch

* updated orchestrator order of if tjs-infra-as-code

* updated preflight to ensure storage account is network reachable

* added environment to preflight

* updated with default action

* Refactor environment variable logic in workflows

Updated environment variable handling for jobs based on event types and branch names.

* Update key vault networking settings in orchestrate.yml

Added commands to ensure key vault is reachable and update its networking settings.

* Enhance key vault update logic in orchestrate.yml

Add checks for existing key vault before updating settings.

* Add dependency on kv_secrets_cabe role assignment

* Add dependency on azurerm_role_assignment for lifecycle

* Refactor Key Vault role assignment and add UAMI

Updated Key Vault role assignment to use user assigned identity and added a user assigned managed identity resource for the backend container app.

* Fix key vault name substring extraction

* Enterprise Security Infrastructure for Azure OpenAI Workshop   (#357)

* WIP: Save local changes before switching to int-agentic

* Fix WebSocket reconnect issue and Vite build compatibility

- Add intentionalClose flag to WebSocket manager to prevent auto-reconnect on intentional close
- Fix Dockerfile to copy from Vite 'dist' instead of CRA 'build' directory
- Update backend static file serving to handle both Vite (assets/) and CRA (static/) structures
- Add catch-all exception handler for WebSocket disconnections in backend

* update authentication and bicep deployment to use AAD authentication instead of key

* complete terraform deployment

* update DEPLOYMENT and Terraform

* update DEPLOYMENT and Terraform

* Changed AZURE_OPENAI_API_VERSION to use a variable

* Reverted the OIDC changes on providers.tf

* Reverted the OIDC changes on providers.tf

* Removing key vault reference from orchestration workflow

* removing key vault reference and openai secret key from infrastructure workflow. I have also commented out all the tests for model endpoint, since that currently relies on key based access.

* changing docker to build off new image

* changing docker to build off new image

* changing docker to build off new image

* Making backend config optionally remote in the proper way

* Reverting backend change, seems to have broken state connection

* adding a local provider file so I can have flexible backends

* upgrade version of agent-framework and allow mcp in internal communication to be insecure

* Updated to work with both local and remote state

* optimize reflection agent code and remove workflow reflection agent

* add github workflow

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update test cases & test timeout & exclude MCP test bc mcp is deployed internal

* move test to after deployment

* move test to after deployment

* fix api version

* fix api version

* fix test run

* fix: Use placeholder image for Container Apps initial deployment

- Use mcr.microsoft.com/k8se/quickstart:latest as placeholder image
- Add lifecycle ignore_changes for container image (managed by update-containers)
- Solves chicken-and-egg problem: Container Apps created before images exist in ACR
- update-containers.yml sets real images after Docker builds complete

* fix: Remove pull_request triggers from Docker workflows

- Docker workflows should only run via workflow_call from orchestrate.yml
- Prevents duplicate/orphan runs that occur before infrastructure exists
- Manual dispatch still available for ad-hoc builds

* feat: Add james-dev to destroy-infrastructure condition

* feat: Update Bicep for feature parity with Terraform

- Add placeholder image support (mcr.microsoft.com/k8se/quickstart:latest)
- Fix MCP allowInsecure when mcpInternalOnly is true
- Add readiness probe to application container (/docs endpoint)
- Add missing env vars: AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME, AZURE_OPENAI_EMBEDDING_DEPLOYMENT
- Make AZURE_OPENAI_API_VERSION configurable via parameter
- Align naming convention with environment suffix
- Change image name from workshop-app to backend-app for consistency

* docs: enhance README with Mermaid diagrams and enterprise deployment guide

- Replace ASCII architecture diagrams with interactive Mermaid diagrams
- Add comprehensive enterprise security sections (VNet, Private Endpoints, Managed Identity)
- Document security profiles (Dev/Staging/Production)
- Add CI/CD with GitHub Actions OIDC section linking to GITHUB_ACTIONS_SETUP.md
- Update main README with enterprise deployment table linking to all guides
- Add data flow and authentication flow sequence diagrams
- Include troubleshooting guide with common issues

* Updated deployment to reference tfvars file for local file/iteration value

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>
Co-authored-by: Tim Sullivan <timothyj.sullivan1@gmail.com>

* Bicep Cosmos DB Backend Parity & Documentation (#363)

* refactor: merge MCP backends into unified contoso_tools with env switch

- Create _backend_sqlite.py for local SQLite development
- Create _backend_cosmos.py for production Cosmos DB
- Update contoso_tools.py to select backend via USE_COSMOSDB env var
- Remove mcp_service_cosmos.py (merged into mcp_service.py)
- Remove contoso_tools_cosmos.py (merged into _backend_cosmos.py)
- Remove unused sqlite3 import from mcp_service.py

Usage: Set USE_COSMOSDB=true for Cosmos DB, false (default) for SQLite

* Update Cosmos DB setup scripts to reference unified backend with USE_COSMOSDB env var

* Enable MCP deployment with CosmosDB: add all 12 containers, fix env vars, add data seeding option

* Simplify deploy.ps1 for local-only execution with sensible defaults

* Remove unused local.env.ps1 - all config is in dev.tfvars

* Updated deployment to reference tfvars file for local file/iteration value

* update mcp service to support CosmosDB

* add bicep update & MCP with Cosmos

* fix bicep script

* update infra readme and mcp readme for CosmosDB as option for mcp backend

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>
Co-authored-by: Tim Sullivan <timothyj.sullivan1@gmail.com>

* Add permissions for contents in integration tests

There is a security warning if we don't set permissions on the GitHub token. I'm adding contents read as a minimum, this may or may not be enough.

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>
Co-authored-by: Tim Sullivan <timothyj.sullivan1@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: DCMattyG <mgarrett0402@gmail.com>
Co-authored-by: Tim Sullivan <tisulliv@microsoft.com>
tjsullivan1 added a commit that referenced this pull request Jan 12, 2026
…eferences (#366)

* Reverted the OIDC changes on providers.tf

* Reverted the OIDC changes on providers.tf

* Removing key vault reference from orchestration workflow

* removing key vault reference and openai secret key from infrastructure workflow. I have also commented out all the tests for model endpoint, since that currently relies on key based access.

* changing docker to build off new image

* changing docker to build off new image

* changing docker to build off new image

* Making backend config optionally remote in the proper way

* Reverting backend change, seems to have broken state connection

* adding a local provider file so I can have flexible backends

* upgrade version of agent-framework and allow mcp in internal communication to be insecure

* Updated to work with both local and remote state

* optimize reflection agent code and remove workflow reflection agent

* add github workflow

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update github workflow to use repo level variables

* update test cases & test timeout & exclude MCP test bc mcp is deployed internal

* move test to after deployment

* move test to after deployment

* fix api version

* fix api version

* fix test run

* fix: Use placeholder image for Container Apps initial deployment

- Use mcr.microsoft.com/k8se/quickstart:latest as placeholder image
- Add lifecycle ignore_changes for container image (managed by update-containers)
- Solves chicken-and-egg problem: Container Apps created before images exist in ACR
- update-containers.yml sets real images after Docker builds complete

* fix: Remove pull_request triggers from Docker workflows

- Docker workflows should only run via workflow_call from orchestrate.yml
- Prevents duplicate/orphan runs that occur before infrastructure exists
- Manual dispatch still available for ad-hoc builds

* feat: Add james-dev to destroy-infrastructure condition

* feat: Update Bicep for feature parity with Terraform

- Add placeholder image support (mcr.microsoft.com/k8se/quickstart:latest)
- Fix MCP allowInsecure when mcpInternalOnly is true
- Add readiness probe to application container (/docs endpoint)
- Add missing env vars: AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME, AZURE_OPENAI_EMBEDDING_DEPLOYMENT
- Make AZURE_OPENAI_API_VERSION configurable via parameter
- Align naming convention with environment suffix
- Change image name from workshop-app to backend-app for consistency

* docs: enhance README with Mermaid diagrams and enterprise deployment guide

- Replace ASCII architecture diagrams with interactive Mermaid diagrams
- Add comprehensive enterprise security sections (VNet, Private Endpoints, Managed Identity)
- Document security profiles (Dev/Staging/Production)
- Add CI/CD with GitHub Actions OIDC section linking to GITHUB_ACTIONS_SETUP.md
- Update main README with enterprise deployment table linking to all guides
- Add data flow and authentication flow sequence diagrams
- Include troubleshooting guide with common issues

* docs: enhance README with Mermaid diagrams and enterprise deployment guide

- Replace ASCII architecture diagrams with interactive Mermaid diagrams
- Add comprehensive enterprise security sections (VNet, Private Endpoints, Managed Identity)
- Document security profiles (Dev/Staging/Production)
- Add CI/CD with GitHub Actions OIDC section linking to GITHUB_ACTIONS_SETUP.md
- Update main README with enterprise deployment table linking to all guides
- Add data flow and authentication flow sequence diagrams
- Include troubleshooting guide with common issues

* refactor: merge MCP backends into unified contoso_tools with env switch

- Create _backend_sqlite.py for local SQLite development
- Create _backend_cosmos.py for production Cosmos DB
- Update contoso_tools.py to select backend via USE_COSMOSDB env var
- Remove mcp_service_cosmos.py (merged into mcp_service.py)
- Remove contoso_tools_cosmos.py (merged into _backend_cosmos.py)
- Remove unused sqlite3 import from mcp_service.py

Usage: Set USE_COSMOSDB=true for Cosmos DB, false (default) for SQLite

* Update Cosmos DB setup scripts to reference unified backend with USE_COSMOSDB env var

* Enable MCP deployment with CosmosDB: add all 12 containers, fix env vars, add data seeding option

* Simplify deploy.ps1 for local-only execution with sensible defaults

* Remove unused local.env.ps1 - all config is in dev.tfvars

* Updated deployment to reference tfvars file for local file/iteration value

* update mcp service to support CosmosDB

* add bicep update & MCP with Cosmos

* fix bicep script

* update infra readme and mcp readme for CosmosDB as option for mcp backend

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>
Co-authored-by: Tim Sullivan <timothyj.sullivan1@gmail.com>

* Add permissions for contents in integration tests

There is a security warning if we don't set permissions on the GitHub token. I'm adding contents read as a minimum, this may or may not be enough.

* clean up old documentation references

---------

Co-authored-by: James N. <james.nguyen@microsoft.com>
Co-authored-by: Tim Sullivan <timothyj.sullivan1@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: DCMattyG <mgarrett0402@gmail.com>
Co-authored-by: Tim Sullivan <tisulliv@microsoft.com>
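The `USE_COSMOSDB` env switch from the "merge MCP backends" commit above, shown as an added example that is not the project's own `contoso_tools.py`: it parses the flag strictly, reads `SEED_ON_STARTUP` the same way, and fails closed when Cosmos is selected without `COSMOS_DATABASE_NAME`. The accepted boolean spellings and the `BackendConfig` shape are this example's own assumptions.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Accepted spellings are an assumption of this example, not the project's.
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def parse_bool(name: str, env: dict, default: bool = False) -> bool:
    """Parse a boolean env var strictly.

    An unrecognised value raises rather than silently selecting a backend,
    so a typo like USE_COSMOSDB=ture cannot quietly fall back to SQLite.
    """
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")


@dataclass(frozen=True)
class BackendConfig:
    backend: str                  # "cosmos" or "sqlite"
    database_name: Optional[str]  # only set for the Cosmos backend
    seed_on_startup: bool


def select_backend(env: Optional[dict] = None) -> BackendConfig:
    """Choose the MCP backend from the environment (or a supplied dict)."""
    env = dict(os.environ) if env is None else env
    use_cosmos = parse_bool("USE_COSMOSDB", env, default=False)
    seed = parse_bool("SEED_ON_STARTUP", env, default=False)
    if not use_cosmos:
        # SQLite is the local default and needs no remote settings.
        return BackendConfig("sqlite", None, seed)
    db_name = env.get("COSMOS_DATABASE_NAME", "").strip()
    if not db_name:
        # Fail closed: a deployment that asked for Cosmos but lacks its
        # database name must not start against the wrong store unnoticed.
        raise ValueError("USE_COSMOSDB=true requires COSMOS_DATABASE_NAME")
    return BackendConfig("cosmos", db_name, seed)
```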

3 participants