chore: Add tags in resource group when deployment is in pre-provision state

[NirajC-Microsoft]

Purpose

This pull request improves the way resource group tags are handled during deployment, ensuring consistency and completeness of metadata across both infrastructure code and provisioning scripts. The main enhancements include pre-creating or updating the resource group with a standardized set of tags and aligning tag logic between Bicep templates and provisioning scripts.

Resource Group Tagging Improvements:

• Both preprovision-integrated.ps1 and preprovision-integrated.sh scripts now ensure the resource group exists and is updated with standardized tags before proceeding. These tags include TemplateName, Type (based on network isolation), CreatedBy (derived from user context), and Location. This logic matches the Bicep template to maintain consistency. [1] [2]

• The Bicep template for resource group tags (resourceGroupTags in main.bicep) is updated to add the azd-env-name and Location tags, ensuring these values are always present in the deployment metadata.

Does this introduce a breaking change?

• Yes
• No

Golden Path Validation

• I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

• I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

• ...

Other Information

[Copilot]

Pull request overview

This PR adds resource-group tagging during preprovision and expands the Bicep resource-group tag set to include environment and location metadata.

Changes:

• Adds resource group tag update logic to Bash and PowerShell preprovision scripts.
• Adds azd-env-name and Location tags to the Bicep resource group tags resource.
• Attempts to align tag values such as TemplateName, Type, and CreatedBy across scripts and infrastructure.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File	Description
scripts/preprovision-integrated.sh	Adds resource group tag handling before AI Landing Zone preprovision.
scripts/preprovision-integrated.ps1	Adds equivalent PowerShell resource group tag handling before deployment.
infra/main.bicep	Extends resource group tags with environment name and location.

Comments suppressed due to low confidence (4)

scripts/preprovision-integrated.sh:108

• This block never creates the resource group when az group exists returns false; it skips the update and still prints that the group is ready. Because this preprovision script later deploys to $AZURE_RESOURCE_GROUP, first-time local runs where the group does not already exist will fail despite the PR goal of pre-creating the tagged resource group.

RG_EXISTS="$(az group exists --name "$AZURE_RESOURCE_GROUP" --subscription "$AZURE_SUBSCRIPTION_ID" 2>/dev/null || echo 'false')"
if [ "$RG_EXISTS" = "true" ]; then
    # RG exists — merge tags without removing existing ones
    az tag update \
        --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$AZURE_RESOURCE_GROUP" \
        --operation Merge \
        --tags \
        "TemplateName=Deploy Your AI Application in Prod" \
        "Type=$TYPE_TAG" \
        "CreatedBy=$CREATED_BY" \
        "Location=$AZURE_LOCATION" \
        --only-show-errors > /dev/null
fi

scripts/preprovision-integrated.sh:94

• The Type tag defaults to Non-WAF whenever NETWORK_ISOLATION is not explicitly set, but infra/main.bicepparam sets networkIsolation = true by default. In the normal azd path without a NETWORK_ISOLATION env value, the preprovision tag will say Non-WAF while the Bicep deployment tags the same group as WAF.

# Type tag based on networkIsolation setting
NETWORK_ISOLATION_VALUE="${NETWORK_ISOLATION:-false}"
if [ "$NETWORK_ISOLATION_VALUE" = "true" ]; then
    TYPE_TAG="WAF"
else
    TYPE_TAG="Non-WAF"
fi

scripts/preprovision-integrated.sh:107

• The preprovision tag set omits the azd-env-name tag that this PR adds to infra/main.bicep, so the script and Bicep tag logic are still not aligned. A resource group created/updated in preprovision will be missing the environment-name metadata until the later Bicep deployment succeeds.

        --tags \
        "TemplateName=Deploy Your AI Application in Prod" \
        "Type=$TYPE_TAG" \
        "CreatedBy=$CREATED_BY" \
        "Location=$AZURE_LOCATION" \
        --only-show-errors > /dev/null

scripts/preprovision-integrated.ps1:228

• The preprovision tag set omits the azd-env-name tag that this PR adds to infra/main.bicep, so the provisioning script and Bicep tag logic are not actually aligned. If preprovision creates or updates the group before the main deployment, the environment-name metadata is absent until the Bicep deployment completes.

$rgTags = @(
    "TemplateName=Deploy Your AI Application in Prod"
    "Type=$typeTag"
    "CreatedBy=$createdBy"
    "Location=$($env:AZURE_LOCATION)"
)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.