Add service to enable github issues workflow (#1)

* big bang gitub workflows * add missing settings in local.settings.json * config refactor * fix devlead plan response * swap cosmos to table storage for metadata storage * unify config via options * azd-ify WIP * add qdrant bicep WIP * working azd provision setup * consolidate SK version in projects * replace localhost :) * add fqdn to options * httpclient fixes * add managed identity to the function and assign contrib role * qdrant endpoint setting * add container instances cleanup code + wait on termination to upload to Github * formatting fixes * add tables in bicep * local getting started WIP * add azure setup instructions * add the load-waf bits * docs WIP --------- Co-authored-by: Kosta Petan <Kosta.Petan@microsoft.com>
2026-04-20 03:02:16 -04:00 · 2023-08-28 20:57:56 +02:00
parent 69a203ba07
commit d6b917faf4
80 changed files with 3712 additions and 469 deletions
--- a/infra/abbreviations.json
+++ b/infra/abbreviations.json
@@ -0,0 +1,11 @@
+{
+    "appManagedEnvironments": "cae-",
+    "containerRegistryRegistries": "cr",
+    "insightsComponents": "appi-",
+    "operationalInsightsWorkspaces": "log-",
+    "portalDashboards": "dash-",
+    "resourcesResourceGroups": "rg-",
+    "storageStorageAccounts": "st",
+    "webServerFarms": "plan-",
+    "webSitesFunctions": "func-"
+}
--- a/infra/app/sk-func.bicep
+++ b/infra/app/sk-func.bicep
@@ -0,0 +1,45 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param allowedOrigins array = []
+param applicationInsightsName string = ''
+param appServicePlanId string
+@secure()
+param appSettings object = {}
+param serviceName string = 'sk-func'
+param storageAccountName string
+
+module api '../core/host/functions.bicep' = {
+  name: '${serviceName}-functions-dotnet-isolated-module'
+  params: {
+    name: name
+    location: location
+    tags: union(tags, { 'azd-service-name': serviceName })
+    allowedOrigins: allowedOrigins
+    alwaysOn: false
+    appSettings: appSettings
+    applicationInsightsName: applicationInsightsName
+    appServicePlanId: appServicePlanId
+    runtimeName: 'dotnet-isolated'
+    runtimeVersion: '7.0'
+    storageAccountName: storageAccountName
+    scmDoBuildDuringDeployment: false
+    managedIdentity: true
+  }
+}
+
+var contributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+
+resource rgContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, contributorRole)
+  properties: {
+    roleDefinitionId: contributorRole
+    principalType: 'ServicePrincipal'
+    principalId: api.outputs.identityPrincipalId
+  }
+}
+
+output SERVICE_API_IDENTITY_PRINCIPAL_ID string = api.outputs.identityPrincipalId
+output SERVICE_API_NAME string = api.outputs.name
+output SERVICE_API_URI string = api.outputs.uri
--- a/infra/core/database/postgresql/flexibleserver.bicep
+++ b/infra/core/database/postgresql/flexibleserver.bicep
@@ -0,0 +1,64 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param sku object
+param storage object
+param administratorLogin string
+@secure()
+param administratorLoginPassword string
+param databaseNames array = []
+param allowAzureIPsFirewall bool = false
+param allowAllIPsFirewall bool = false
+param allowedSingleIPs array = []
+
+// PostgreSQL version
+param version string
+
+// Latest official version 2022-12-01 does not have Bicep types available
+resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
+  location: location
+  tags: tags
+  name: name
+  sku: sku
+  properties: {
+    version: version
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    storage: storage
+    highAvailability: {
+      mode: 'Disabled'
+    }
+  }
+
+  resource database 'databases' = [for name in databaseNames: {
+    name: name
+  }]
+
+  resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) {
+    name: 'allow-all-IPs'
+    properties: {
+      startIpAddress: '0.0.0.0'
+      endIpAddress: '255.255.255.255'
+    }
+  }
+
+  resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) {
+    name: 'allow-all-azure-internal-IPs'
+    properties: {
+      startIpAddress: '0.0.0.0'
+      endIpAddress: '0.0.0.0'
+    }
+  }
+
+  resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: {
+    name: 'allow-single-${replace(ip, '.', '')}'
+    properties: {
+      startIpAddress: ip
+      endIpAddress: ip
+    }
+  }]
+
+}
+
+output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName
--- a/infra/core/database/qdrant/qdrant-aca.bicep
+++ b/infra/core/database/qdrant/qdrant-aca.bicep
@@ -0,0 +1,72 @@
+param containerAppsEnvironmentName string
+param storageName string
+param shareName string 
+param location string
+var storageAccountKey = listKeys(resourceId('Microsoft.Storage/storageAccounts', storageName), '2021-09-01').keys[0].value
+
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-11-01-preview' existing = {
+  name: containerAppsEnvironmentName
+}
+
+var mountName = 'qdrantstoragemount'
+var volumeName = 'qdrantstoragevol'
+resource qdrantstorage 'Microsoft.App/managedEnvironments/storages@2022-11-01-preview' = {
+  name: '${containerAppsEnvironmentName}/${mountName}'
+  properties: {
+    azureFile: {
+      accountName: storageName
+      shareName: shareName
+      accountKey: storageAccountKey
+      accessMode: 'ReadWrite'
+    }
+  }
+}
+
+resource qdrant 'Microsoft.App/containerApps@2022-11-01-preview' = {
+  name: 'qdrant'
+  location: location
+  dependsOn:[
+    qdrantstorage
+  ]
+  properties: {
+    environmentId: containerAppsEnvironment.id
+    configuration: {
+        ingress: {
+          external: true
+          targetPort: 6333
+        }
+    }
+    template: {
+      containers: [
+        {
+          name: 'qdrant'
+          image: 'qdrant/qdrant'
+          resources: {
+            cpu: 1
+            memory: '2Gi'
+          }
+          volumeMounts: [
+            {
+              volumeName: volumeName
+              mountPath: '/qdrant/storage'
+            }
+          ]
+        }
+      ]
+      scale: {
+        minReplicas: 1
+        maxReplicas: 1
+      }
+      volumes: [
+        {
+          name: volumeName
+          storageName: mountName
+          storageType: 'AzureFile'
+        }
+      ]
+    }
+  }
+}
+
+output fqdn string = qdrant.properties.latestRevisionFqdn
+
--- a/infra/core/host/appservice-appsettings.bicep
+++ b/infra/core/host/appservice-appsettings.bicep
@@ -0,0 +1,16 @@
+@description('The name of the app service resource within the current resource group scope')
+param name string
+
+@description('The app settings to be applied to the app service')
+@secure()
+param appSettings object
+
+resource appService 'Microsoft.Web/sites@2022-03-01' existing = {
+  name: name
+}
+
+resource settings 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'appsettings'
+  parent: appService
+  properties: appSettings
+}
--- a/infra/core/host/appservice.bicep
+++ b/infra/core/host/appservice.bicep
@@ -0,0 +1,119 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+// Reference Properties
+param applicationInsightsName string = ''
+param appServicePlanId string
+param keyVaultName string = ''
+param managedIdentity bool
+
+// Runtime Properties
+@allowed([
+  'dotnet', 'dotnetcore', 'dotnet-isolated', 'node', 'python', 'java', 'powershell', 'custom'
+])
+param runtimeName string
+param runtimeNameAndVersion string = '${runtimeName}|${runtimeVersion}'
+param runtimeVersion string
+
+// Microsoft.Web/sites Properties
+param kind string = 'app,linux'
+
+// Microsoft.Web/sites/config
+param allowedOrigins array = []
+param alwaysOn bool = true
+param appCommandLine string = ''
+@secure()
+param appSettings object = {}
+param clientAffinityEnabled bool = false
+param enableOryxBuild bool = contains(kind, 'linux')
+param functionAppScaleLimit int = -1
+param linuxFxVersion string = runtimeNameAndVersion
+param minimumElasticInstanceCount int = -1
+param numberOfWorkers int = -1
+param scmDoBuildDuringDeployment bool = false
+param use32BitWorkerProcess bool = false
+param ftpsState string = 'FtpsOnly'
+param healthCheckPath string = ''
+
+resource appService 'Microsoft.Web/sites@2022-03-01' = {
+  name: name
+  location: location
+  tags: tags
+  kind: kind
+  properties: {
+    serverFarmId: appServicePlanId
+    siteConfig: {
+      linuxFxVersion: linuxFxVersion
+      alwaysOn: alwaysOn
+      ftpsState: ftpsState
+      minTlsVersion: '1.2'
+      appCommandLine: appCommandLine
+      numberOfWorkers: numberOfWorkers != -1 ? numberOfWorkers : null
+      minimumElasticInstanceCount: minimumElasticInstanceCount != -1 ? minimumElasticInstanceCount : null
+      use32BitWorkerProcess: use32BitWorkerProcess
+      functionAppScaleLimit: functionAppScaleLimit != -1 ? functionAppScaleLimit : null
+      healthCheckPath: healthCheckPath
+      cors: {
+        allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
+      }
+    }
+    clientAffinityEnabled: clientAffinityEnabled
+    httpsOnly: true
+  }
+
+  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
+
+  resource configLogs 'config' = {
+    name: 'logs'
+    properties: {
+      applicationLogs: { fileSystem: { level: 'Verbose' } }
+      detailedErrorMessages: { enabled: true }
+      failedRequestsTracing: { enabled: true }
+      httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
+    }
+  }
+
+  resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
+    name: 'ftp'
+    location: location
+    properties: {
+      allow: false
+    }
+  }
+
+  resource basicPublishingCredentialsPoliciesScm 'basicPublishingCredentialsPolicies' = {
+    name: 'scm'
+    location: location
+    properties: {
+      allow: false
+    }
+  }
+}
+
+module config 'appservice-appsettings.bicep' = if (!empty(appSettings)) {
+  name: '${name}-appSettings'
+  params: {
+    name: appService.name
+    appSettings: union(appSettings,
+      {
+        SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment)
+        ENABLE_ORYX_BUILD: string(enableOryxBuild)
+      },
+      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {},
+      !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
+      !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
+  name: applicationInsightsName
+}
+
+output identityPrincipalId string = managedIdentity ? appService.identity.principalId : ''
+output name string = appService.name
+output uri string = 'https://${appService.properties.defaultHostName}'
--- a/infra/core/host/appserviceplan.bicep
+++ b/infra/core/host/appserviceplan.bicep
@@ -0,0 +1,21 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param kind string = ''
+param reserved bool = true
+param sku object
+
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: name
+  location: location
+  tags: tags
+  sku: sku
+  kind: kind
+  properties: {
+    reserved: reserved
+  }
+}
+
+output id string = appServicePlan.id
+output name string = appServicePlan.name
--- a/infra/core/host/container-app-upsert.bicep
+++ b/infra/core/host/container-app-upsert.bicep
@@ -0,0 +1,104 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('The environment name for the container apps')
+param containerAppsEnvironmentName string
+
+@description('The number of CPU cores allocated to a single container instance, e.g., 0.5')
+param containerCpuCoreCount string = '0.5'
+
+@description('The maximum number of replicas to run. Must be at least 1.')
+@minValue(1)
+param containerMaxReplicas int = 10
+
+@description('The amount of memory allocated to a single container instance, e.g., 1Gi')
+param containerMemory string = '1.0Gi'
+
+@description('The minimum number of replicas to run. Must be at least 1.')
+@minValue(1)
+param containerMinReplicas int = 1
+
+@description('The name of the container')
+param containerName string = 'main'
+
+@description('The name of the container registry')
+param containerRegistryName string = ''
+
+@allowed([ 'http', 'grpc' ])
+@description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
+param daprAppProtocol string = 'http'
+
+@description('Enable or disable Dapr for the container app')
+param daprEnabled bool = false
+
+@description('The Dapr app ID')
+param daprAppId string = containerName
+
+@description('Specifies if the resource already exists')
+param exists bool = false
+
+@description('Specifies if Ingress is enabled for the container app')
+param ingressEnabled bool = true
+
+@description('The type of identity for the resource')
+@allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
+param identityType string = 'None'
+
+@description('The name of the user-assigned identity')
+param identityName string = ''
+
+@description('The name of the container image')
+param imageName string = ''
+
+@description('The secrets required for the container')
+param secrets array = []
+
+@description('The environment variables for the container')
+param env array = []
+
+@description('Specifies if the resource ingress is exposed externally')
+param external bool = true
+
+@description('The service binds associated with the container')
+param serviceBinds array = []
+
+@description('The target port for the container')
+param targetPort int = 80
+
+resource existingApp 'Microsoft.App/containerApps@2023-04-01-preview' existing = if (exists) {
+  name: name
+}
+
+module app 'container-app.bicep' = {
+  name: '${deployment().name}-update'
+  params: {
+    name: name
+    location: location
+    tags: tags
+    identityType: identityType
+    identityName: identityName
+    ingressEnabled: ingressEnabled
+    containerName: containerName
+    containerAppsEnvironmentName: containerAppsEnvironmentName
+    containerRegistryName: containerRegistryName
+    containerCpuCoreCount: containerCpuCoreCount
+    containerMemory: containerMemory
+    containerMinReplicas: containerMinReplicas
+    containerMaxReplicas: containerMaxReplicas
+    daprEnabled: daprEnabled
+    daprAppId: daprAppId
+    daprAppProtocol: daprAppProtocol
+    secrets: secrets
+    external: external
+    env: env
+    imageName: !empty(imageName) ? imageName : exists ? existingApp.properties.template.containers[0].image : ''
+    targetPort: targetPort
+    serviceBinds: serviceBinds
+  }
+}
+
+output defaultDomain string = app.outputs.defaultDomain
+output imageName string = app.outputs.imageName
+output name string = app.outputs.name
+output uri string = app.outputs.uri
--- a/infra/core/host/container-app.bicep
+++ b/infra/core/host/container-app.bicep
@@ -0,0 +1,161 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('Allowed origins')
+param allowedOrigins array = []
+
+@description('Name of the environment for container apps')
+param containerAppsEnvironmentName string
+
+@description('CPU cores allocated to a single container instance, e.g., 0.5')
+param containerCpuCoreCount string = '0.5'
+
+@description('The maximum number of replicas to run. Must be at least 1.')
+@minValue(1)
+param containerMaxReplicas int = 10
+
+@description('Memory allocated to a single container instance, e.g., 1Gi')
+param containerMemory string = '1.0Gi'
+
+@description('The minimum number of replicas to run. Must be at least 1.')
+param containerMinReplicas int = 1
+
+@description('The name of the container')
+param containerName string = 'main'
+
+@description('The name of the container registry')
+param containerRegistryName string = ''
+
+@description('The protocol used by Dapr to connect to the app, e.g., http or grpc')
+@allowed([ 'http', 'grpc' ])
+param daprAppProtocol string = 'http'
+
+@description('The Dapr app ID')
+param daprAppId string = containerName
+
+@description('Enable Dapr')
+param daprEnabled bool = false
+
+@description('The environment variables for the container')
+param env array = []
+
+@description('Specifies if the resource ingress is exposed externally')
+param external bool = true
+
+@description('The name of the user-assigned identity')
+param identityName string = ''
+
+@description('The type of identity for the resource')
+@allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
+param identityType string = 'None'
+
+@description('The name of the container image')
+param imageName string = ''
+
+@description('Specifies if Ingress is enabled for the container app')
+param ingressEnabled bool = true
+
+param revisionMode string = 'Single'
+
+@description('The secrets required for the container')
+param secrets array = []
+
+@description('The service binds associated with the container')
+param serviceBinds array = []
+
+@description('The name of the container apps add-on to use. e.g. redis')
+param serviceType string = ''
+
+@description('The target port for the container')
+param targetPort int = 80
+
+resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(identityName)) {
+  name: identityName
+}
+
+// Private registry support requires both an ACR name and a User Assigned managed identity
+var usePrivateRegistry = !empty(identityName) && !empty(containerRegistryName)
+
+// Automatically set to `UserAssigned` when an `identityName` has been set
+var normalizedIdentityType = !empty(identityName) ? 'UserAssigned' : identityType
+
+module containerRegistryAccess '../security/registry-access.bicep' = if (usePrivateRegistry) {
+  name: '${deployment().name}-registry-access'
+  params: {
+    containerRegistryName: containerRegistryName
+    principalId: usePrivateRegistry ? userIdentity.properties.principalId : ''
+  }
+}
+
+resource app 'Microsoft.App/containerApps@2023-04-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  // It is critical that the identity is granted ACR pull access before the app is created
+  // otherwise the container app will throw a provision error
+  // This also forces us to use an user assigned managed identity since there would no way to 
+  // provide the system assigned identity with the ACR pull access before the app is created
+  dependsOn: usePrivateRegistry ? [ containerRegistryAccess ] : []
+  identity: {
+    type: normalizedIdentityType
+    userAssignedIdentities: !empty(identityName) && normalizedIdentityType == 'UserAssigned' ? { '${userIdentity.id}': {} } : null
+  }
+  properties: {
+    managedEnvironmentId: containerAppsEnvironment.id
+    configuration: {
+      activeRevisionsMode: revisionMode
+      ingress: ingressEnabled ? {
+        external: external
+        targetPort: targetPort
+        transport: 'auto'
+        corsPolicy: {
+          allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
+        }
+      } : null
+      dapr: daprEnabled ? {
+        enabled: true
+        appId: daprAppId
+        appProtocol: daprAppProtocol
+        appPort: ingressEnabled ? targetPort : 0
+      } : { enabled: false }
+      secrets: secrets
+      service: !empty(serviceType) ? { type: serviceType } : null
+      registries: usePrivateRegistry ? [
+        {
+          server: '${containerRegistryName}.azurecr.io'
+          identity: userIdentity.id
+        }
+      ] : []
+    }
+    template: {
+      serviceBinds: !empty(serviceBinds) ? serviceBinds : null
+      containers: [
+        {
+          image: !empty(imageName) ? imageName : 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+          name: containerName
+          env: env
+          resources: {
+            cpu: json(containerCpuCoreCount)
+            memory: containerMemory
+          }
+        }
+      ]
+      scale: {
+        minReplicas: containerMinReplicas
+        maxReplicas: containerMaxReplicas
+      }
+    }
+  }
+}
+
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' existing = {
+  name: containerAppsEnvironmentName
+}
+
+output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
+output identityPrincipalId string = normalizedIdentityType == 'None' ? '' : (empty(identityName) ? app.identity.principalId : userIdentity.properties.principalId)
+output imageName string = imageName
+output name string = app.name
+output serviceBind object = !empty(serviceType) ? { serviceId: app.id, name: name } : {}
+output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''
--- a/infra/core/host/container-apps-environment.bicep
+++ b/infra/core/host/container-apps-environment.bicep
@@ -0,0 +1,40 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('Name of the Application Insights resource')
+param applicationInsightsName string = ''
+
+@description('Specifies if Dapr is enabled')
+param daprEnabled bool = false
+
+@description('Name of the Log Analytics workspace')
+param logAnalyticsWorkspaceName string
+
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalyticsWorkspace.properties.customerId
+        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
+      }
+    }
+    daprAIInstrumentationKey: daprEnabled && !empty(applicationInsightsName) ? applicationInsights.properties.InstrumentationKey : ''
+  }
+}
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
+  name: logAnalyticsWorkspaceName
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (daprEnabled && !empty(applicationInsightsName)) {
+  name: applicationInsightsName
+}
+
+output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
+output id string = containerAppsEnvironment.id
+output name string = containerAppsEnvironment.name
--- a/infra/core/host/container-apps.bicep
+++ b/infra/core/host/container-apps.bicep
@@ -0,0 +1,37 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param containerAppsEnvironmentName string
+param containerRegistryName string
+param containerRegistryResourceGroupName string = ''
+param logAnalyticsWorkspaceName string
+param applicationInsightsName string = ''
+
+module containerAppsEnvironment 'container-apps-environment.bicep' = {
+  name: '${name}-container-apps-environment'
+  params: {
+    name: containerAppsEnvironmentName
+    location: location
+    tags: tags
+    logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
+    applicationInsightsName: applicationInsightsName
+  }
+}
+
+module containerRegistry 'container-registry.bicep' = {
+  name: '${name}-container-registry'
+  scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
+  params: {
+    name: containerRegistryName
+    location: location
+    tags: tags
+  }
+}
+
+output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain
+output environmentName string = containerAppsEnvironment.outputs.name
+output environmentId string = containerAppsEnvironment.outputs.id
+
+output registryLoginServer string = containerRegistry.outputs.loginServer
+output registryName string = containerRegistry.outputs.name
--- a/infra/core/host/container-registry.bicep
+++ b/infra/core/host/container-registry.bicep
@@ -0,0 +1,82 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('Indicates whether admin user is enabled')
+param adminUserEnabled bool = false
+
+@description('Indicates whether anonymous pull is enabled')
+param anonymousPullEnabled bool = false
+
+@description('Indicates whether data endpoint is enabled')
+param dataEndpointEnabled bool = false
+
+@description('Encryption settings')
+param encryption object = {
+  status: 'disabled'
+}
+
+@description('Options for bypassing network rules')
+param networkRuleBypassOptions string = 'AzureServices'
+
+@description('Public network access setting')
+param publicNetworkAccess string = 'Enabled'
+
+@description('SKU settings')
+param sku object = {
+  name: 'Basic'
+}
+
+@description('Zone redundancy setting')
+param zoneRedundancy string = 'Disabled'
+
+@description('The log analytics workspace ID used for logging and monitoring')
+param workspaceId string = ''
+
+// 2022-02-01-preview needed for anonymousPullEnabled
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  sku: sku
+  properties: {
+    adminUserEnabled: adminUserEnabled
+    anonymousPullEnabled: anonymousPullEnabled
+    dataEndpointEnabled: dataEndpointEnabled
+    encryption: encryption
+    networkRuleBypassOptions: networkRuleBypassOptions
+    publicNetworkAccess: publicNetworkAccess
+    zoneRedundancy: zoneRedundancy
+  }
+}
+
+// TODO: Update diagnostics to be its own module
+// Blocking issue: https://github.com/Azure/bicep/issues/622
+// Unable to pass in a `resource` scope or unable to use string interpolation in resource types
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
+  name: 'registry-diagnostics'
+  scope: containerRegistry
+  properties: {
+    workspaceId: workspaceId
+    logs: [
+      {
+        category: 'ContainerRegistryRepositoryEvents'
+        enabled: true
+      }
+      {
+        category: 'ContainerRegistryLoginEvents'
+        enabled: true
+      }
+    ]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+        timeGrain: 'PT1M'
+      }
+    ]
+  }
+}
+
+output loginServer string = containerRegistry.properties.loginServer
+output name string = containerRegistry.name
--- a/infra/core/host/functions.bicep
+++ b/infra/core/host/functions.bicep
@@ -0,0 +1,87 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+// Reference Properties
+param applicationInsightsName string = ''
+param appServicePlanId string
+param keyVaultName string = ''
+param managedIdentity bool
+param storageAccountName string
+
+// Runtime Properties
+@allowed([
+  'dotnet', 'dotnetcore', 'dotnet-isolated', 'node', 'python', 'java', 'powershell', 'custom'
+])
+param runtimeName string
+param runtimeNameAndVersion string = '${runtimeName}|${runtimeVersion}'
+param runtimeVersion string
+
+// Function Settings
+@allowed([
+  '~4', '~3', '~2', '~1'
+])
+param extensionVersion string = '~4'
+
+// Microsoft.Web/sites Properties
+param kind string = 'functionapp,linux'
+
+// Microsoft.Web/sites/config
+param allowedOrigins array = []
+param alwaysOn bool = true
+param appCommandLine string = ''
+@secure()
+param appSettings object = {}
+param clientAffinityEnabled bool = false
+param enableOryxBuild bool = contains(kind, 'linux')
+param functionAppScaleLimit int = -1
+param linuxFxVersion string = runtimeNameAndVersion
+param minimumElasticInstanceCount int = -1
+param numberOfWorkers int = -1
+param scmDoBuildDuringDeployment bool = true
+param use32BitWorkerProcess bool = false
+param healthCheckPath string = ''
+
+
+module functions 'appservice.bicep' = {
+  name: '${name}-functions'
+  params: {
+    name: name
+    location: location
+    tags: tags
+    allowedOrigins: allowedOrigins
+    alwaysOn: alwaysOn
+    appCommandLine: appCommandLine
+    applicationInsightsName: applicationInsightsName
+    appServicePlanId: appServicePlanId
+    appSettings: union(appSettings, {
+        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
+        FUNCTIONS_EXTENSION_VERSION: extensionVersion
+        FUNCTIONS_WORKER_RUNTIME: runtimeName
+        'AzureOptions__FilesAccountKey': storage.listKeys().keys[0].value
+      })
+    clientAffinityEnabled: clientAffinityEnabled
+    enableOryxBuild: enableOryxBuild
+    functionAppScaleLimit: functionAppScaleLimit
+    healthCheckPath: healthCheckPath
+    keyVaultName: keyVaultName
+    kind: kind
+    linuxFxVersion: linuxFxVersion
+    managedIdentity: managedIdentity
+    minimumElasticInstanceCount: minimumElasticInstanceCount
+    numberOfWorkers: numberOfWorkers
+    runtimeName: runtimeName
+    runtimeVersion: runtimeVersion
+    runtimeNameAndVersion: runtimeNameAndVersion
+    scmDoBuildDuringDeployment: scmDoBuildDuringDeployment
+    use32BitWorkerProcess: use32BitWorkerProcess
+  }
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
+  name: storageAccountName
+}
+
+output identityPrincipalId string = managedIdentity ? functions.outputs.identityPrincipalId : ''
+output name string = functions.outputs.name
+output uri string = functions.outputs.uri
--- a/infra/core/monitor/applicationinsights-dashboard.bicep
+++ b/infra/core/monitor/applicationinsights-dashboard.bicep
--- a/infra/core/monitor/applicationinsights.bicep
+++ b/infra/core/monitor/applicationinsights.bicep
@@ -0,0 +1,30 @@
+param name string
+param dashboardName string
+param location string = resourceGroup().location
+param tags object = {}
+param includeDashboard bool = true
+param logAnalyticsWorkspaceId string
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: name
+  location: location
+  tags: tags
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    WorkspaceResourceId: logAnalyticsWorkspaceId
+  }
+}
+
+module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' =  if (includeDashboard) {
+  name: 'application-insights-dashboard'
+  params: {
+    name: dashboardName
+    location: location
+    applicationInsightsName: applicationInsights.name
+  }
+}
+
+output connectionString string = applicationInsights.properties.ConnectionString
+output instrumentationKey string = applicationInsights.properties.InstrumentationKey
+output name string = applicationInsights.name
--- a/infra/core/monitor/loganalytics.bicep
+++ b/infra/core/monitor/loganalytics.bicep
@@ -0,0 +1,21 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  properties: any({
+    retentionInDays: 30
+    features: {
+      searchVersion: 1
+    }
+    sku: {
+      name: 'PerGB2018'
+    }
+  })
+}
+
+output id string = logAnalytics.id
+output name string = logAnalytics.name
--- a/infra/core/monitor/monitoring.bicep
+++ b/infra/core/monitor/monitoring.bicep
@@ -0,0 +1,33 @@
+param logAnalyticsName string
+param applicationInsightsName string
+param applicationInsightsDashboardName string
+param location string = resourceGroup().location
+param tags object = {}
+param includeDashboard bool = true
+
+module logAnalytics 'loganalytics.bicep' = {
+  name: 'loganalytics'
+  params: {
+    name: logAnalyticsName
+    location: location
+    tags: tags
+  }
+}
+
+module applicationInsights 'applicationinsights.bicep' = {
+  name: 'applicationinsights'
+  params: {
+    name: applicationInsightsName
+    location: location
+    tags: tags
+    dashboardName: applicationInsightsDashboardName
+    includeDashboard: includeDashboard
+    logAnalyticsWorkspaceId: logAnalytics.outputs.id
+  }
+}
+
+output applicationInsightsConnectionString string = applicationInsights.outputs.connectionString
+output applicationInsightsInstrumentationKey string = applicationInsights.outputs.instrumentationKey
+output applicationInsightsName string = applicationInsights.outputs.name
+output logAnalyticsWorkspaceId string = logAnalytics.outputs.id
+output logAnalyticsWorkspaceName string = logAnalytics.outputs.name
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -0,0 +1,76 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@allowed([
+  'Cool'
+  'Hot'
+  'Premium' ])
+param accessTier string = 'Hot'
+param allowBlobPublicAccess bool = true
+param allowCrossTenantReplication bool = true
+param allowSharedKeyAccess bool = true
+param containers array = []
+param defaultToOAuthAuthentication bool = false
+param deleteRetentionPolicy object = {}
+@allowed([ 'AzureDnsZone', 'Standard' ])
+param dnsEndpointType string = 'Standard'
+param kind string = 'StorageV2'
+param minimumTlsVersion string = 'TLS1_2'
+param networkAcls object = {
+  bypass: 'AzureServices'
+  defaultAction: 'Allow'
+}
+@allowed([ 'Enabled', 'Disabled' ])
+param publicNetworkAccess string = 'Enabled'
+param sku object = { name: 'Standard_LRS' }
+param fileShares array = []
+param tables array = []
+
+resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+  name: name
+  location: location
+  tags: tags
+  kind: kind
+  sku: sku
+  properties: {
+    accessTier: accessTier
+    allowBlobPublicAccess: allowBlobPublicAccess
+    allowCrossTenantReplication: allowCrossTenantReplication
+    allowSharedKeyAccess: allowSharedKeyAccess
+    defaultToOAuthAuthentication: defaultToOAuthAuthentication
+    dnsEndpointType: dnsEndpointType
+    minimumTlsVersion: minimumTlsVersion
+    networkAcls: networkAcls
+    publicNetworkAccess: publicNetworkAccess
+  }
+
+  resource blobServices 'blobServices' = if (!empty(containers)) {
+    name: 'default'
+    properties: {
+      deleteRetentionPolicy: deleteRetentionPolicy
+    }
+    resource container 'containers' = [for container in containers: {
+      name: container.name
+      properties: {
+        publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
+      }
+    }]
+  }
+  resource fileServices 'fileServices' = if (!empty(fileShares)) {
+    name: 'default'
+    resource share 'shares' = [for fileShare in fileShares: {
+      name: fileShare
+    }]
+  }
+
+  resource tableServices 'tableServices' = if (!empty(tables)) {
+    name: 'default'
+    resource table 'tables' = [for table in tables: {
+      name: table
+    }]
+  }
+}
+
+output name string = storage.name
+output primaryEndpoints object = storage.properties.primaryEndpoints
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -0,0 +1,165 @@
+targetScope = 'subscription'
+
+@minLength(1)
+@maxLength(64)
+@description('Name of the the environment which is used to generate a short unique hash used in all resources.')
+param environmentName string
+
+@minLength(1)
+@description('Primary location for all resources')
+param location string
+
+@secure()
+param githubAppKey string
+param githubAppId string
+param githubAppInstallationId string
+param openAIServiceType string
+param openAIServiceId string
+param openAIDeploymentId string
+param openAIEmbeddingId string
+param openAIEndpoint string
+@secure()
+param openAIKey string
+
+param apiServiceName string = ''
+param applicationInsightsDashboardName string = ''
+param applicationInsightsName string = ''
+param appServicePlanName string = ''
+param logAnalyticsName string = ''
+param resourceGroupName string = ''
+param storageAccountName string = ''
+param containerAppsEnvironmentName string = ''
+param containerRegistryName string = ''
+
+
+var aciShare = 'acishare'
+var qdrantShare = 'qdrantshare'
+
+var metadataTable = 'Metadata'
+var containerMetadataTable = 'ContainersMetadata'
+
+var abbrs = loadJsonContent('./abbreviations.json')
+var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
+var tags = { 'azd-env-name': environmentName }
+
+// Organize resources in a resource group
+resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: !empty(resourceGroupName) ? resourceGroupName : '${abbrs.resourcesResourceGroups}${environmentName}'
+  location: location
+  tags: tags
+}
+
+module storage './core/storage/storage-account.bicep' = {
+  name: 'storage'
+  scope: rg
+  params: {
+    name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${resourceToken}'
+    location: location
+    tags: tags
+    fileShares: [ 
+      aciShare
+      qdrantShare
+   ]
+   tables: [ 
+    metadataTable
+    containerMetadataTable
+    ]
+  }
+}
+
+// Monitor application with Azure Monitor
+module monitoring './core/monitor/monitoring.bicep' = {
+  name: 'monitoring'
+  scope: rg
+  params: {
+    location: location
+    tags: tags
+    logAnalyticsName: !empty(logAnalyticsName) ? logAnalyticsName : '${abbrs.operationalInsightsWorkspaces}${resourceToken}'
+    applicationInsightsName: !empty(applicationInsightsName) ? applicationInsightsName : '${abbrs.insightsComponents}${resourceToken}'
+    applicationInsightsDashboardName: !empty(applicationInsightsDashboardName) ? applicationInsightsDashboardName : '${abbrs.portalDashboards}${resourceToken}'
+  }
+}
+
+// Container apps host (including container registry)
+module containerApps './core/host/container-apps.bicep' = {
+  name: 'container-apps'
+  scope: rg
+  params: {
+    name: 'app'
+    location: location
+    tags: tags
+    containerAppsEnvironmentName: !empty(containerAppsEnvironmentName) ? containerAppsEnvironmentName : '${abbrs.appManagedEnvironments}${resourceToken}'
+    containerRegistryName: !empty(containerRegistryName) ? containerRegistryName : '${abbrs.containerRegistryRegistries}${resourceToken}'
+    logAnalyticsWorkspaceName: monitoring.outputs.logAnalyticsWorkspaceName
+    applicationInsightsName: monitoring.outputs.applicationInsightsName
+  }
+}
+
+module qdrant './core/database/qdrant/qdrant-aca.bicep' = {
+  name: 'qdrant-deploy'
+  scope: rg
+  params: {
+    location: location
+    containerAppsEnvironmentName: containerApps.outputs.environmentName
+    shareName: qdrantShare
+    storageName: storage.outputs.name
+  }
+}
+
+// Create an App Service Plan to group applications under the same payment plan and SKU
+module appServicePlan './core/host/appserviceplan.bicep' = {
+  name: 'appserviceplan'
+  scope: rg
+  params: {
+    name: !empty(appServicePlanName) ? appServicePlanName : '${abbrs.webServerFarms}${resourceToken}'
+    location: location
+    tags: tags
+    sku: {
+      name: 'Y1'
+      tier: 'Dynamic'
+    }
+  }
+}
+
+var appName = !empty(apiServiceName) ? apiServiceName : '${abbrs.webSitesFunctions}api-${resourceToken}'
+
+// The application backend
+module skfunc './app/sk-func.bicep' = {
+  name: 'skfunc'
+  scope: rg
+  params: {
+    name: appName
+    location: location
+    tags: tags
+    applicationInsightsName: monitoring.outputs.applicationInsightsName
+    appServicePlanId: appServicePlan.outputs.id
+    storageAccountName: storage.outputs.name
+    appSettings: {
+      SANDBOX_IMAGE: 'mcr.microsoft.com/dotnet/sdk:7.0'
+      AzureWebJobsFeatureFlags: 'EnableHttpProxying'
+      FUNCTIONS_FQDN: 'https://${appName}.azurewebsites.net'
+      'GithubOptions__AppKey': githubAppKey
+      'GithubOptions__AppId': githubAppId
+      'GithubOptions__InstallationId': githubAppInstallationId
+      'AzureOptions__SubscriptionId': subscription().subscriptionId
+      'AzureOptions__Location': location
+      'AzureOptions__ContainerInstancesResourceGroup': rg.name
+      'AzureOptions__FilesShareName': aciShare
+      'AzureOptions__FilesAccountName': storage.outputs.name
+      'OpenAIOptions__ServiceType': openAIServiceType
+      'OpenAIOptions__ServiceId': openAIServiceId
+      'OpenAIOptions__DeploymentOrModelId': openAIDeploymentId
+      'OpenAIOptions__EmbeddingDeploymentOrModelId': openAIEmbeddingId
+      'OpenAIOptions__Endpoint': openAIEndpoint
+      'OpenAIOptions__ApiKey': openAIKey
+      'QdrantOptions__Endpoint':'https://${qdrant.outputs.fqdn}'
+      'QdrantOptions__VectorSize':'1536'
+    }
+  }
+}
+
+// App outputs
+output APPLICATIONINSIGHTS_CONNECTION_STRING string = monitoring.outputs.applicationInsightsConnectionString
+output AZURE_LOCATION string = location
+output AZURE_TENANT_ID string = tenant().tenantId
+
--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -0,0 +1,42 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "environmentName": {
+      "value": "${AZURE_ENV_NAME}"
+    },
+    "location": {
+      "value": "${AZURE_LOCATION}"
+    },
+    "githubAppKey": {
+      "value": "${GH_APP_KEY}"
+    },
+    "githubAppId": {
+      "value": "${GH_APP_ID}"
+    },
+    "githubAppInstallationId": {
+      "value": "${GH_APP_INST_ID}"
+    },
+    "openAIServiceType": {
+      "value": "${OAI_SERVICE_TYPE}"
+    },
+    "openAIServiceId": {
+      "value": "${OAI_SERVICE_ID}"
+    },
+    "openAIDeploymentId": {
+      "value": "${OAI_DEPLOYMENT_ID}"
+    },
+    "openAIEmbeddingId": {
+      "value": "${OAI_EMBEDDING_ID}"
+    },
+    "openAIEndpoint": {
+      "value": "${OAI_ENDPOINT}"
+    },
+    "openAIKey": {
+      "value": "${OAI_KEY}"
+    },
+    "principalId": {
+      "value": "${AZURE_PRINCIPAL_ID}"
+    }
+  }
+}