Merge with new UX updates

Author: aprilk-ms

.github/workflows/azure-dev.yml

@@ -41,7 +41,7 @@ jobs:
       USE_APPLICATION_INSIGHTS: ${{ vars.USE_APPLICATION_INSIGHTS }}
       USE_SEARCH_SERVICE: ${{ vars.USE_SEARCH_SERVICE }}
       AZURE_AI_AGENT_NAME: ${{ vars.AZURE_AI_AGENT_NAME }}
-      AZURE_AI_AGENT_ID: ${{ vars.AZURE_AI_AGENT_ID }}
+      AZURE_EXISTING_AGENT_ID: ${{ vars.AZURE_EXISTING_AGENT_ID }}
       AZURE_AI_AGENT_DEPLOYMENT_NAME: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_NAME }}
       AZURE_AI_AGENT_DEPLOYMENT_SKU: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_SKU }}
       AZURE_AI_AGENT_DEPLOYMENT_CAPACITY: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_CAPACITY }}
@@ -77,6 +77,9 @@ jobs:
       - name: Deploy Application
         run: azd deploy --no-prompt
 
+  deploy-experiments:
+        name: Deploy Experiments
+        needs: build
   update-experiments:
         name: Update Experiments
         needs: build

.github/workflows/template-validation.yml

@@ -38,7 +38,7 @@ jobs:
           USE_APPLICATION_INSIGHTS: ${{ vars.USE_APPLICATION_INSIGHTS }}
           USE_SEARCH_SERVICE: ${{ vars.USE_SEARCH_SERVICE }}
           AZURE_AI_AGENT_NAME: ${{ vars.AZURE_AI_AGENT_NAME }}
-          AZURE_AI_AGENT_ID: ${{ vars.AZURE_AI_AGENT_ID }}
+          AZURE_EXISTING_AGENT_ID: ${{ vars.AZURE_EXISTING_AGENT_ID }}
           AZURE_AI_AGENT_DEPLOYMENT_NAME: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_NAME }}
           AZURE_AI_AGENT_DEPLOYMENT_SKU: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_SKU }}
           AZURE_AI_AGENT_DEPLOYMENT_CAPACITY: ${{ vars.AZURE_AI_AGENT_DEPLOYMENT_CAPACITY }}

README.md

@@ -10,7 +10,10 @@ For a more comprehensive list of best practices and security recommendations for
 
 ## Features
 
-This solution deploys a web-based chat application with an AI agent running in Azure Container Apps. The agent leverages the Azure AI Agent service and utilizes Azure AI Search for knowledge retrieval from uploaded files, enabling it to generate responses with citations. The solution also includes built-in monitoring capabilities with tracing to ensure easier troubleshooting and optimized performance.
+This solution deploys a web-based chat application with an AI agent running in Azure Container Apps. Here is a screenshot:
+![Screenshot of chatting web application showing requests and responses between assistants and the user.](docs/webapp_screenshot.png)
+
+The agent leverages the Azure AI Agent service and utilizes Azure AI Search for knowledge retrieval from uploaded files, enabling it to generate responses with citations. The solution also includes built-in monitoring capabilities with tracing to ensure easier troubleshooting and optimized performance.
 
 This solution creates an Azure AI Foundry hub, project and connected resources including Azure AI Services, AI Search and more. More details about the resources can be found in the [resources](#resources) documentation. There are options to enable Retrieval-Augmented Generation (RAG) and use logging, tracing, and monitoring. 
 
@@ -72,6 +75,7 @@ When you start a deployment, most parameters will have default values. You can c
 
 | **Setting** | **Description** |  **Default value** |
 |------------|----------------|  ------------|
+| **Existing Project Connection String** | Specify an existing project connection string to be used instead of provisioning new resources. |   |
 | **Azure Region** | Select a region with quota which supports your selected model. |   |
 | **Model** | Choose from the [list of models supported by Azure AI Agent Service](https://learn.microsoft.com/azure/ai-services/agents/concepts/model-region-support) for your selected region. | gpt-4o-mini |  
 | **Model Format** | Choose from OpenAI or Microsoft, depending on your model. | OpenAI |  

azure.yaml

@@ -2,10 +2,18 @@
 # TODO: do we need hooks? 
 # TODO: do we need all of the variables?
 
-name: azd-get-started-with-ai-agents
+name: azd-get-started-with-ai-agents-aprilk
 metadata:
   template: azd-get-started-with-ai-agents@0.0.1-beta
 
+services:
+  api:
+    project: ./src
+    language: py
+    host: containerapp
+    docker:
+      remoteBuild: true
+
 hooks:
   postprovision:
     windows:

docs/deploy_customization.md

@@ -22,9 +22,9 @@ Once you disable these resources, they will not be deployed when you run `azd up
 By default, this template will use a naming convention with unique strings to prevent naming collisions within Azure.
 To override default naming conventions, the following keys can be set:
 
+* `AZURE_EXISTING_AIPROJECT_CONNECTION_STRING` - An existing connection string to be use.   If specified, resources for AI Foundry Hub,  AI Foundry Project, and Azure AI service will not be created.
 * `AZURE_AIHUB_NAME` - The name of the AI Foundry Hub resource
 * `AZURE_AIPROJECT_NAME` - The name of the AI Foundry Project
-* `AZURE_AIENDPOINT_NAME` - The name of the AI Foundry online endpoint used for deployments
 * `AZURE_AISERVICES_NAME` - The name of the Azure AI service
 * `AZURE_SEARCH_SERVICE_NAME` - The name of the Azure Search service
 * `AZURE_STORAGE_ACCOUNT_NAME` - The name of the Storage Account

docs/webapp_screenshot.png

@@ -4,6 +4,8 @@ param tags object = {}
 
 param identityName string
 param containerAppsEnvironmentName string
+param containerRegistryName string
+param serviceName string = 'api'
 param projectConnectionString string
 param agentDeploymentName string
 param searchConnectionName string
@@ -27,15 +29,15 @@ var env = [
     value: apiIdentity.properties.clientId
   }
   {
-    name: 'AZURE_AIPROJECT_CONNECTION_STRING'
+    name: 'AZURE_EXISTING_AIPROJECT_CONNECTION_STRING'
     value: projectConnectionString
   }
   {
     name: 'AZURE_AI_AGENT_NAME'
     value: agentName
   }
   {
-    name: 'AZURE_AI_AGENT_ID'
+    name: 'AZURE_EXISTING_AGENT_ID'
     value: agentID
   }
   {
@@ -78,9 +80,10 @@ module app 'core/host/container-app-upsert.bicep' = {
   params: {
     name: name
     location: location
-    tags: tags
+    tags: union(tags, { 'azd-service-name': serviceName })
     identityName: apiIdentity.name
     containerAppsEnvironmentName: containerAppsEnvironmentName
+    containerRegistryName: containerRegistryName
     targetPort: 50505
     env: env
     projectName: projectName

infra/api.bicep

@@ -13,6 +13,8 @@ param aiServiceModelDeployments array = []
 param logAnalyticsName string = ''
 @description('Name of the Application Insights instance')
 param applicationInsightsName string = ''
+@description('Name of the container registry')
+param containerRegistryName string = ''
 @description('Name of the Azure Cognitive Search service')
 param searchServiceName string = ''
 
@@ -112,6 +114,15 @@ module applicationInsights '../monitor/applicationinsights.bicep' =
     }
   }
 
+module containerRegistry '../host/container-registry.bicep' =
+  if (!empty(containerRegistryName)) {
+    name: 'containerRegistry'
+    params: {
+      location: location
+      tags: tags
+      name: containerRegistryName
+    }
+  }
 
 module cognitiveServices '../ai/cognitiveservices.bicep' = {
   name: 'cognitiveServices'
@@ -143,6 +154,10 @@ output keyVaultEndpoint string = keyVault.outputs.endpoint
 output storageAccountId string = storageAccount.outputs.id
 output storageAccountName string = storageAccount.outputs.name
 
+output containerRegistryId string = !empty(containerRegistryName) ? containerRegistry.outputs.id : ''
+output containerRegistryName string = !empty(containerRegistryName) ? containerRegistry.outputs.name : ''
+output containerRegistryEndpoint string = !empty(containerRegistryName) ? containerRegistry.outputs.loginServer : ''
+
 output applicationInsightsId string = !empty(applicationInsightsName) ? applicationInsights.outputs.id : ''
 output applicationInsightsName string = !empty(applicationInsightsName) ? applicationInsights.outputs.name : ''
 output logAnalyticsWorkspaceId string = !empty(logAnalyticsName) ? logAnalytics.outputs.id : ''

infra/core/ai/hub-dependencies.bicep

@@ -35,6 +35,7 @@ module hubDependencies '../ai/hub-dependencies.bicep' = {
     tags: tags
     keyVaultName: keyVaultName
     storageAccountName: storageAccountName
+    containerRegistryName: containerRegistryName
     applicationInsightsName: applicationInsightsName
     logAnalyticsName: logAnalyticsName
     aiServicesName: aiServicesName
@@ -92,6 +93,10 @@ output keyVaultEndpoint string = hubDependencies.outputs.keyVaultEndpoint
 output applicationInsightsName string = hubDependencies.outputs.applicationInsightsName
 output logAnalyticsWorkspaceName string = hubDependencies.outputs.logAnalyticsWorkspaceName
 
+// Container Registry
+output containerRegistryName string = hubDependencies.outputs.containerRegistryName
+output containerRegistryEndpoint string = hubDependencies.outputs.containerRegistryEndpoint
+
 // Storage Account
 output storageAccountName string = hubDependencies.outputs.storageAccountName
 

infra/core/host/ai-environment.bicep

@@ -23,6 +23,12 @@ param containerMinReplicas int = 1
 @description('The name of the container')
 param containerName string = 'main'
 
+@description('The name of the container registry')
+param containerRegistryName string = ''
+
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @allowed([ 'http', 'grpc' ])
 @description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
 param daprAppProtocol string = 'http'
@@ -43,6 +49,9 @@ param identityType string = 'None'
 @description('The name of the user-assigned identity')
 param identityName string = ''
 
+@description('The name of the container image')
+param imageName string = ''
+
 @description('The secrets required for the container')
 @secure()
 param secrets object = {}
@@ -73,6 +82,8 @@ module app 'container-app.bicep' = {
     ingressEnabled: ingressEnabled
     containerName: containerName
     containerAppsEnvironmentName: containerAppsEnvironmentName
+    containerRegistryName: containerRegistryName
+    containerRegistryHostSuffix: containerRegistryHostSuffix
     containerCpuCoreCount: containerCpuCoreCount
     containerMemory: containerMemory
     containerMinReplicas: containerMinReplicas
@@ -83,12 +94,14 @@ module app 'container-app.bicep' = {
     secrets: secrets
     external: external
     env: env
+    imageName: imageName
     targetPort: targetPort
     serviceBinds: serviceBinds
     dependOn: projectName
   }
 }
 
 output defaultDomain string = app.outputs.defaultDomain
+output imageName string = app.outputs.imageName
 output name string = app.outputs.name
 output uri string = app.outputs.uri

infra/core/host/container-app-upsert.bicep

@@ -25,6 +25,12 @@ param containerMinReplicas int = 1
 @description('The name of the container')
 param containerName string = 'main'
 
+@description('The name of the container registry')
+param containerRegistryName string = ''
+
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
 @description('The protocol used by Dapr to connect to the app, e.g., http or grpc')
 @allowed([ 'http', 'grpc' ])
 param daprAppProtocol string = 'http'
@@ -48,6 +54,8 @@ param identityName string = ''
 @allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
 param identityType string = 'None'
 
+@description('The name of the container image')
+param imageName string = ''
 
 @description('Specifies if Ingress is enabled for the container app')
 param ingressEnabled bool = true
@@ -76,6 +84,17 @@ resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-
 // Automatically set to `UserAssigned` when an `identityName` has been set
 var normalizedIdentityType = !empty(identityName) ? 'UserAssigned' : identityType
 
+// Private registry support requires both an ACR name and a User Assigned managed identity
+var usePrivateRegistry = !empty(identityName) && !empty(containerRegistryName)
+
+module containerRegistryAccess '../security/registry-access.bicep' = if (usePrivateRegistry) {
+  name: '${deployment().name}-registry-access'
+  params: {
+    containerRegistryName: containerRegistryName
+    principalId: usePrivateRegistry ? userIdentity.properties.principalId : ''
+  }
+}
+
 resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
   name: name
   location: location
@@ -84,7 +103,7 @@ resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
   // otherwise the container app will throw a provision error
   // This also forces us to use an user assigned managed identity since there would no way to 
   // provide the system assigned identity with the ACR pull access before the app is created
-  dependsOn: empty(dependOn)? [] : [dependOn]
+  dependsOn: usePrivateRegistry ? [ containerRegistryAccess ] : []
   identity: {
     type: normalizedIdentityType
     userAssignedIdentities: !empty(identityName) && normalizedIdentityType == 'UserAssigned' ? { '${userIdentity.id}': {} } : null
@@ -112,7 +131,12 @@ resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
         value: secret.value
       }]
       service: !empty(serviceType) ? { type: serviceType } : null
-      registries: []
+      registries: usePrivateRegistry ? [
+        {
+          server: '${containerRegistryName}.${containerRegistryHostSuffix}'
+          identity: userIdentity.id
+        }
+      ] : []
     }
     template: {
       serviceBinds: !empty(serviceBinds) ? serviceBinds : null
@@ -141,6 +165,7 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01'
 
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
 output identityPrincipalId string = normalizedIdentityType == 'None' ? '' : (empty(identityName) ? app.identity.principalId : userIdentity.properties.principalId)
+output imageName string = imageName
 output name string = app.name
 output serviceBind object = !empty(serviceType) ? { serviceId: app.id, name: name } : {}
 output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''

infra/core/host/container-app.bicep

@@ -4,6 +4,9 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param containerAppsEnvironmentName string
+param containerRegistryName string
+param containerRegistryResourceGroupName string = ''
+param containerRegistryAdminUserEnabled bool = false
 param logAnalyticsWorkspaceName string
 param applicationInsightsName string = ''
 
@@ -18,7 +21,20 @@ module containerAppsEnvironment 'container-apps-environment.bicep' = {
   }
 }
 
+module containerRegistry 'container-registry.bicep' = {
+  name: '${name}-container-registry'
+  scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
+  params: {
+    name: containerRegistryName
+    location: location
+    adminUserEnabled: containerRegistryAdminUserEnabled
+    tags: tags
+  }
+}
+
 output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain
 output environmentName string = containerAppsEnvironment.outputs.name
 output environmentId string = containerAppsEnvironment.outputs.id
 
+output registryLoginServer string = containerRegistry.outputs.loginServer
+output registryName string = containerRegistry.outputs.name