chore: dev to main merge #155
Open
Saswato-Microsoft wants to merge 6 commits into
…urceId
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…tion Insights integration
Co-authored-by: Copilot <copilot@github.com>
…greSQL diagnostics
Co-authored-by: Copilot <copilot@github.com>
feat: Support BYO Log Analytics workspace for Foundry app and PostgreSQL diagnostics
Pull request overview
Adds BYO Log Analytics workspace support for observability, allowing PostgreSQL diagnostics and a wrapper-created Application Insights component to target an existing workspace.
Changes:
- Adds `existingLogAnalyticsWorkspaceResourceId` parameter and related BYO observability variables.
- Creates conditional BYO Application Insights and PostgreSQL diagnostic settings.
- Documents BYO workspace setup, outputs, and permissions.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `infra/main.bicep` | Adds BYO workspace parameter, conditional App Insights resource, PostgreSQL diagnostic settings, and outputs. |
| `infra/main.bicepparam` | Reads the BYO workspace resource ID from an azd environment variable. |
| `infra/main.json` | Generated ARM template updates reflecting the Bicep changes. |
| `docs/parameter_guide.md` | Adds BYO Log Analytics setup, outputs, and permissions guidance. |
| `docs/deploymentguide.md` | Adds BYO workspace parameter and deployment guidance. |
Comment on lines +125 to +129
| The identity running the deployment needs permission to attach diagnostic settings to the workspace and to create the Application Insights component: | ||
|
|
||
| - **`Microsoft.Insights/diagnosticSettings/write`** on the BYO Log Analytics workspace (or its resource group). The built-in **Log Analytics Contributor** role on the workspace (or its RG) covers this — there is no need to grant subscription-wide rights. | ||
| - **`Microsoft.Insights/components/write`** on the deployment resource group (covered by **Contributor** on the deployment RG, which the deployment identity already needs to provision the rest of the stack). | ||
| - The PostgreSQL Flexible Server that emits diagnostics is wrapper-managed in the deployment RG, so no additional cross-resource permissions are required. |
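Review bot: The first bullet asks for `Microsoft.Insights/diagnosticSettings/write` on the BYO workspace, yet the last bullet says the resource that emits diagnostics is the PostgreSQL Flexible Server in the deployment RG, so it is unclear which resource the diagnostic setting is written on and what the workspace side actually needs. State the permission required on the server and the permission required on the destination workspace separately, and confirm that Log Analytics Contributor is the least-privileged built-in role for the workspace side before documenting it as the recommendation.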
| 1. Route PostgreSQL diagnostic logs and metrics to your workspace (when PostgreSQL is deployed by the wrapper). | ||
| 2. Create an Application Insights component in the deployment resource group, linked to your existing workspace — only when Application Insights deployment is enabled and the deployment is not creating a new Log Analytics workspace (i.e. `deployAppInsights = true` and `deployLogAnalytics = false`, which are the wrapper defaults). | ||
|
|
||
| The workspace may live in a different resource group or subscription within the same tenant. The identity running `azd up` needs **`Microsoft.Insights/diagnosticSettings/write`** on the workspace itself (covered by the built-in **Log Analytics Contributor** role scoped to the workspace or its resource group — subscription-wide rights are not required). See the **Observability — Bring Your Own Log Analytics Workspace** section in the [Parameter Guide](./parameter_guide.md) for the full output reference (including App Insights values when that component is deployed) and notes on deployment-history exposure of those values. |
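Review bot: The permissions sentence in the last paragraph names only `Microsoft.Insights/diagnosticSettings/write` on the workspace, while the Parameter Guide section it links to also lists `Microsoft.Insights/components/write` on the deployment resource group. Two partial copies of the same requirement will drift; keep the full list in the Parameter Guide and reduce this paragraph to the link, or repeat both permissions here. Since the paragraph allows a workspace in a different subscription, it would also help to say whether anything beyond the workspace-scoped role is needed in that subscription.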
| param aiFoundryCosmosDBAccountResourceId string = '' | ||
| param keyVaultResourceId string = '' | ||
|
|
||
| @description('Optional. Full ARM resource ID of an existing Log Analytics workspace to use for observability of the deployed Foundry application and wrapper-managed PostgreSQL. When provided, an Application Insights component is created in the deployment resource group and linked to this workspace, and diagnostic settings on the wrapper-managed PostgreSQL flexible server are routed to it. Leave empty to skip BYO behavior. Format: /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{name}.') |
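Review bot: The `@description` text says an Application Insights component is created whenever the parameter is provided, but docs/deploymentguide.md in this same change limits that to `deployAppInsights = true` and `deployLogAnalytics = false`. Add the condition to the description so the parameter help matches the documented behaviour. The description also documents a required ID format while the lines shown carry no check on it; consider rejecting values that do not match the `/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{name}` shape before they reach the diagnostic setting and component resources.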
| ## Observability — Bring Your Own Log Analytics Workspace | ||
|
|
||
| By default the wrapper sets `deployLogAnalytics = false`, so the AI Landing Zone does not create a new Log Analytics workspace and Application Insights is not provisioned. If you already have a centralized Log Analytics workspace (for example one shared across the platform), you can wire the deployed Foundry application and the wrapper-managed PostgreSQL Flexible Server to it. | ||
|
|
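Review bot: The opening sentence says that with the default `deployLogAnalytics = false` "Application Insights is not provisioned", while docs/deploymentguide.md in this change describes `deployAppInsights = true` as a wrapper default and says the component is created once a BYO workspace is supplied. Reword so a reader can tell that Application Insights is absent only when no existing workspace ID is given, and name the `existingLogAnalyticsWorkspaceResourceId` parameter in this introduction.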
Comment on lines +432 to +433
| publicNetworkAccessForIngestion: 'Enabled' | ||
| publicNetworkAccessForQuery: 'Enabled' |
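Review bot: `publicNetworkAccessForIngestion: 'Enabled'` and `publicNetworkAccessForQuery: 'Enabled'` are hard-coded, so the BYO Application Insights component always accepts ingestion and queries over public networks regardless of how the rest of the deployment is isolated. Expose both as parameters (or derive them from the deployment's existing network-isolation setting, if it has one) and document the default, so teams whose centralized workspace is reachable only over private link are not forced to open a public path.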
Purpose
This pull request introduces support for "Bring Your Own" (BYO) Log Analytics Workspace for observability in the deployment. It allows users to specify an existing Log Analytics workspace for routing diagnostic logs and metrics from the wrapper-managed PostgreSQL Flexible Server and for linking a new Application Insights component to this workspace, instead of creating new observability resources by default. The change is fully documented and exposes relevant outputs for downstream automation.
Key changes grouped by theme:
Infrastructure and Parameterization:
- `existingLogAnalyticsWorkspaceResourceId` parameter to `infra/main.bicep`, `infra/main.bicepparam`, and `infra/main.json`, allowing users to specify an existing Log Analytics workspace for observability. [1] [2] [3]
- `deployAppInsights` is true, and `deployLogAnalytics` is false. [1] [2]
Outputs and Automation:
Documentation:
- `docs/deploymentguide.md` and `docs/parameter_guide.md` with detailed instructions, permissions required, and security notes for using a BYO Log Analytics workspace, including how to set the parameter and expected outputs. [1] [2] [3]
Miscellaneous:
These changes provide more flexibility for organizations with centralized observability infrastructure and improve the security and manageability of diagnostic data.
Does this introduce a breaking change?
Golden Path Validation
Deployment Validation
What to Check
Verify that the following are valid
Other Information