@@ -186,8 +186,8 @@ jobs:
186186 echo "Odd day detected ($DAY). Setting deployment type to Non-WAF."
187187 fi
188188
189- - name : Rename Parameters File Based on Deployment Type
190- id : rename_parameters_file
189+ - name : Copy Parameters File Based on Deployment Type
190+ id : copy_parameters_file
191191 run : |
192192 set -e
193193 if [ "${{ env.DEPLOYMENT_TYPE }}" == "WAF" ]; then
@@ -284,7 +284,133 @@ jobs:
284284
285285 sleep 30
286286
287- - name : Deploy Infra and Import Sample Data
287+ - name : Enable Public Network Access (WAF Only)
288+ if : env.DEPLOYMENT_TYPE == 'WAF'
289+ run : |
290+ set -e
291+ echo "=== Temporarily enabling public network access for WAF deployment ==="
292+
293+ # Enable public access for Storage Account
294+ echo "Enabling public access for Storage Account: ${{ env.STORAGE_ACCOUNT }}"
295+ ORIGINAL_STORAGE_PUBLIC_ACCESS=$(az storage account show \
296+ --name "${{ env.STORAGE_ACCOUNT }}" \
297+ --resource-group "${{ env.RG_NAME }}" \
298+ --query "publicNetworkAccess" \
299+ -o tsv)
300+ echo "ORIGINAL_STORAGE_PUBLIC_ACCESS=$ORIGINAL_STORAGE_PUBLIC_ACCESS" >> $GITHUB_ENV
301+
302+ ORIGINAL_STORAGE_DEFAULT_ACTION=$(az storage account show \
303+ --name "${{ env.STORAGE_ACCOUNT }}" \
304+ --resource-group "${{ env.RG_NAME }}" \
305+ --query "networkRuleSet.defaultAction" \
306+ -o tsv)
307+ echo "ORIGINAL_STORAGE_DEFAULT_ACTION=$ORIGINAL_STORAGE_DEFAULT_ACTION" >> $GITHUB_ENV
308+
309+ if [ "$ORIGINAL_STORAGE_PUBLIC_ACCESS" != "Enabled" ]; then
310+ az storage account update \
311+ --name "${{ env.STORAGE_ACCOUNT }}" \
312+ --resource-group "${{ env.RG_NAME }}" \
313+ --public-network-access Enabled \
314+ --output none
315+ echo "✓ Storage Account public access enabled"
316+ fi
317+
318+ if [ "$ORIGINAL_STORAGE_DEFAULT_ACTION" != "Allow" ]; then
319+ az storage account update \
320+ --name "${{ env.STORAGE_ACCOUNT }}" \
321+ --resource-group "${{ env.RG_NAME }}" \
322+ --default-action Allow \
323+ --output none
324+ echo "✓ Storage Account network default action set to Allow"
325+ fi
326+
327+ # Enable public access for AI Foundry
328+ AIF_ACCOUNT_RESOURCE_ID=$(echo "${{ env.AI_FOUNDRY_RESOURCE_ID }}" | sed 's|/projects/.*||')
329+ AIF_RESOURCE_NAME=$(basename "$AIF_ACCOUNT_RESOURCE_ID")
330+ AIF_RESOURCE_GROUP=$(echo "$AIF_ACCOUNT_RESOURCE_ID" | sed -n 's|.*/resourceGroups/\([^/]*\)/.*|\1|p')
331+ AIF_SUBSCRIPTION_ID=$(echo "$AIF_ACCOUNT_RESOURCE_ID" | sed -n 's|.*/subscriptions/\([^/]*\)/.*|\1|p')
332+
333+ echo "AIF_ACCOUNT_RESOURCE_ID=$AIF_ACCOUNT_RESOURCE_ID" >> $GITHUB_ENV
334+
335+ ORIGINAL_FOUNDRY_PUBLIC_ACCESS=$(az cognitiveservices account show \
336+ --name "$AIF_RESOURCE_NAME" \
337+ --resource-group "$AIF_RESOURCE_GROUP" \
338+ --subscription "$AIF_SUBSCRIPTION_ID" \
339+ --query "properties.publicNetworkAccess" \
340+ --output tsv || echo "")
341+ echo "ORIGINAL_FOUNDRY_PUBLIC_ACCESS=$ORIGINAL_FOUNDRY_PUBLIC_ACCESS" >> $GITHUB_ENV
342+
343+ if [ -n "$ORIGINAL_FOUNDRY_PUBLIC_ACCESS" ] && [ "$ORIGINAL_FOUNDRY_PUBLIC_ACCESS" != "Enabled" ]; then
344+ az resource update \
345+ --ids "$AIF_ACCOUNT_RESOURCE_ID" \
346+ --api-version 2024-10-01 \
347+ --set properties.publicNetworkAccess=Enabled properties.apiProperties="{}" \
348+ --output none || echo "⚠ Warning: Failed to enable AI Foundry public access"
349+ echo "✓ AI Foundry public access enabled"
350+ fi
351+
352+ # Enable public access for Key Vault
353+ echo "Enabling public access for Key Vault: ${{ env.KEYVAULT_NAME }}"
354+ ORIGINAL_KEYVAULT_PUBLIC_ACCESS=$(az keyvault show \
355+ --name "${{ env.KEYVAULT_NAME }}" \
356+ --resource-group "${{ env.RG_NAME }}" \
357+ --query "properties.publicNetworkAccess" \
358+ -o tsv)
359+ echo "ORIGINAL_KEYVAULT_PUBLIC_ACCESS=$ORIGINAL_KEYVAULT_PUBLIC_ACCESS" >> $GITHUB_ENV
360+
361+ if [ "$ORIGINAL_KEYVAULT_PUBLIC_ACCESS" != "Enabled" ]; then
362+ az keyvault update \
363+ --name "${{ env.KEYVAULT_NAME }}" \
364+ --resource-group "${{ env.RG_NAME }}" \
365+ --public-network-access Enabled \
366+ --output none
367+ echo "✓ Key Vault public access enabled"
368+ fi
369+
370+ # Enable public access for SQL Server
371+ echo "Enabling public access for SQL Server: ${{ env.SQL_SERVER_NAME }}"
372+ ORIGINAL_SQL_PUBLIC_ACCESS=$(az sql server show \
373+ --name "${{ env.SQL_SERVER_NAME }}" \
374+ --resource-group "${{ env.RG_NAME }}" \
375+ --query "publicNetworkAccess" \
376+ -o tsv)
377+ echo "ORIGINAL_SQL_PUBLIC_ACCESS=$ORIGINAL_SQL_PUBLIC_ACCESS" >> $GITHUB_ENV
378+
379+ if [ "$ORIGINAL_SQL_PUBLIC_ACCESS" != "Enabled" ]; then
380+ az sql server update \
381+ --name "${{ env.SQL_SERVER_NAME }}" \
382+ --resource-group "${{ env.RG_NAME }}" \
383+ --enable-public-network true \
384+ --output none
385+ echo "✓ SQL Server public access enabled"
386+ fi
387+
388+ # Add temporary firewall rule allowing all IPs
389+ EXISTING_ALLOW_ALL_RULE=$(az sql server firewall-rule list \
390+ --server "${{ env.SQL_SERVER_NAME }}" \
391+ --resource-group "${{ env.RG_NAME }}" \
392+ --query "[?name=='temp-allow-all-ip'] | [0].name" \
393+ -o tsv 2>/dev/null || echo "")
394+
395+ if [ -z "$EXISTING_ALLOW_ALL_RULE" ]; then
396+ az sql server firewall-rule create \
397+ --resource-group "${{ env.RG_NAME }}" \
398+ --server "${{ env.SQL_SERVER_NAME }}" \
399+ --name "temp-allow-all-ip" \
400+ --start-ip-address 0.0.0.0 \
401+ --end-ip-address 255.255.255.255 \
402+ --output none || echo "⚠ Warning: Failed to create allow-all firewall rule"
403+ echo "CREATED_SQL_FIREWALL_RULE=true" >> $GITHUB_ENV
404+ echo "✓ Temporary allow-all firewall rule created"
405+ else
406+ echo "CREATED_SQL_FIREWALL_RULE=false" >> $GITHUB_ENV
407+ fi
408+
409+ echo "Waiting for network access changes to propagate..."
410+ sleep 10
411+ echo "=== Public network access enabled successfully ==="
412+
413+ - name : Import Sample Data (Post-Deployment Scripts)
288414 run : |
289415 set -e
290416 az account set --subscription "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
@@ -325,6 +451,84 @@ jobs:
325451
326452 echo "=== Post-Deployment Script Completed Successfully ==="
327453
454+ - name : Restore Network Access (WAF Only)
455+ if : always() && env.DEPLOYMENT_TYPE == 'WAF'
456+ run : |
457+ set -e
458+ echo "=== Restoring original network access settings ==="
459+
460+ # Restore Storage Account access
461+ if [ -n "${{ env.ORIGINAL_STORAGE_PUBLIC_ACCESS }}" ] && [ "${{ env.ORIGINAL_STORAGE_PUBLIC_ACCESS }}" != "Enabled" ]; then
462+ echo "Restoring Storage Account public access to: ${{ env.ORIGINAL_STORAGE_PUBLIC_ACCESS }}"
463+ RESTORE_VALUE="${{ env.ORIGINAL_STORAGE_PUBLIC_ACCESS }}"
464+ az storage account update \
465+ --name "${{ env.STORAGE_ACCOUNT }}" \
466+ --resource-group "${{ env.RG_NAME }}" \
467+ --public-network-access "$RESTORE_VALUE" \
468+ --output none || echo "✗ Failed to restore Storage Account access"
469+ echo "✓ Storage Account access restored"
470+ fi
471+
472+ # Restore Storage Account network default action
473+ if [ -n "${{ env.ORIGINAL_STORAGE_DEFAULT_ACTION }}" ] && [ "${{ env.ORIGINAL_STORAGE_DEFAULT_ACTION }}" != "Allow" ]; then
474+ echo "Restoring Storage Account network default action to: ${{ env.ORIGINAL_STORAGE_DEFAULT_ACTION }}"
475+ az storage account update \
476+ --name "${{ env.STORAGE_ACCOUNT }}" \
477+ --resource-group "${{ env.RG_NAME }}" \
478+ --default-action "${{ env.ORIGINAL_STORAGE_DEFAULT_ACTION }}" \
479+ --output none || echo "✗ Failed to restore Storage Account network default action"
480+ echo "✓ Storage Account network default action restored"
481+ fi
482+
483+ # Restore AI Foundry access
484+ if [ -n "${{ env.ORIGINAL_FOUNDRY_PUBLIC_ACCESS }}" ] && [ "${{ env.ORIGINAL_FOUNDRY_PUBLIC_ACCESS }}" != "Enabled" ]; then
485+ echo "Restoring AI Foundry public access to: ${{ env.ORIGINAL_FOUNDRY_PUBLIC_ACCESS }}"
486+ az resource update \
487+ --ids "${{ env.AIF_ACCOUNT_RESOURCE_ID }}" \
488+ --api-version 2024-10-01 \
489+ --set properties.publicNetworkAccess="${{ env.ORIGINAL_FOUNDRY_PUBLIC_ACCESS }}" \
490+ --set properties.apiProperties.qnaAzureSearchEndpointKey="" \
491+ --set properties.networkAcls.bypass="AzureServices" \
492+ --output none 2>/dev/null || echo "⚠ Warning: Failed to restore AI Foundry access automatically"
493+ echo "✓ AI Foundry access restored"
494+ fi
495+
496+ # Restore Key Vault access
497+ if [ -n "${{ env.ORIGINAL_KEYVAULT_PUBLIC_ACCESS }}" ] && [ "${{ env.ORIGINAL_KEYVAULT_PUBLIC_ACCESS }}" != "Enabled" ]; then
498+ echo "Restoring Key Vault public access to: ${{ env.ORIGINAL_KEYVAULT_PUBLIC_ACCESS }}"
499+ RESTORE_VALUE="${{ env.ORIGINAL_KEYVAULT_PUBLIC_ACCESS }}"
500+ az keyvault update \
501+ --name "${{ env.KEYVAULT_NAME }}" \
502+ --resource-group "${{ env.RG_NAME }}" \
503+ --public-network-access "$RESTORE_VALUE" \
504+ --output none || echo "✗ Failed to restore Key Vault access"
505+ echo "✓ Key Vault access restored"
506+ fi
507+
508+ # Restore SQL Server public access
509+ if [ -n "${{ env.ORIGINAL_SQL_PUBLIC_ACCESS }}" ] && [ "${{ env.ORIGINAL_SQL_PUBLIC_ACCESS }}" != "Enabled" ]; then
510+ echo "Restoring SQL Server public access to: ${{ env.ORIGINAL_SQL_PUBLIC_ACCESS }}"
511+ az sql server update \
512+ --name "${{ env.SQL_SERVER_NAME }}" \
513+ --resource-group "${{ env.RG_NAME }}" \
514+ --enable-public-network false \
515+ --output none || echo "✗ Failed to restore SQL Server access"
516+ echo "✓ SQL Server access restored"
517+ fi
518+
519+ # Remove temporary firewall rule if we created it
520+ if [ "${{ env.CREATED_SQL_FIREWALL_RULE }}" == "true" ]; then
521+ echo "Removing temporary allow-all firewall rule..."
522+ az sql server firewall-rule delete \
523+ --resource-group "${{ env.RG_NAME }}" \
524+ --server "${{ env.SQL_SERVER_NAME }}" \
525+ --name "temp-allow-all-ip" \
526+ --output none || echo "⚠ Warning: Failed to remove temporary firewall rule"
527+ echo "✓ Temporary firewall rule removed"
528+ fi
529+
530+ echo "=== Network access restoration completed ==="
531+
328532 - name : Set Deployment Status
329533 id : deployment_status
330534 if : always()
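Review bot: The AI Foundry restore passes `--set properties.apiProperties.qnaAzureSearchEndpointKey=""` and `--set properties.networkAcls.bypass="AzureServices"`, neither of which the Enable step captured, so this call can overwrite whatever those properties were before the run rather than restore them, and the trailing `2>/dev/null` hides the error when it fails; unless the API requires those fields, drop them or capture `properties.networkAcls.bypass` alongside `publicNetworkAccess` in the Enable step. Every restore call uses `|| echo "✗ Failed ..."` followed by an unconditional `echo "✓ ... restored"`, so with `set -e` bypassed by the `||` the step stays green and logs success even when public access or the allow-all firewall rule is left in place. For a step whose job is closing exposure opened earlier, failure should be visible: set `RESTORE_FAILED=1` in each fallback and finish with `if [ "${RESTORE_FAILED:-0}" = "1" ]; then exit 1; fi`. Since the values were exported through `$GITHUB_ENV`, reading them as shell variables (`"$ORIGINAL_KEYVAULT_PUBLIC_ACCESS"`) instead of `${{ env.ORIGINAL_KEYVAULT_PUBLIC_ACCESS }}` keeps the inline script free of workflow-expression expansion, as the Enable step already does for its own locals.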