finalized deployment code

Author: paullizer

README.md

@@ -214,7 +214,9 @@ azd env new <environment-name>
 azd up
 ```
 
-Before running `azd up`, review the detailed guide and set any environment-specific values you need, especially networking, host counts, VM sizes, and SQL firewall access. The deployment scripts under `deploy/` now handle the Entra bootstrap, SSH key flow, post-provision role assignment, container image builds, SQL initialization, and Linux host SQL registration used by this solution.
+The deployment defaults the App Service plan to Premium v3 `P2mv3`, which provides the minimum supported baseline of 4 vCPUs and 32 GB memory for the frontend, API, and task apps.
+
+Before running `azd up`, review the detailed guide and set any environment-specific values you need, especially networking, host counts, VM sizes, App Service plan sizing, and SQL firewall access. The deployment scripts under `deploy/` now handle the Entra bootstrap, SSH key flow, App Service health checks on `/health`, Application Insights wiring for the frontend and API, post-provision role assignment, container image builds, SQL initialization, and Linux host SQL registration used by this solution.
 
 ## Contributing
 

api/app.py

@@ -11,6 +11,12 @@
 import logging
 import re
 
+from azure.monitor.opentelemetry import configure_azure_monitor
+
+connection_string = os.environ.get('APPLICATIONINSIGHTS_CONNECTION_STRING')
+if connection_string:
+    configure_azure_monitor(connection_string=connection_string, logger_name='linuxbroker.api')
+
 from flask import Flask, jsonify, request
 from azure.identity import DefaultAzureCredential
 from azure.mgmt.compute import ComputeManagementClient
@@ -31,7 +37,25 @@
 # Logging Configuration
 
 logging.basicConfig(level=logging.INFO)
-logger = logging.getLogger(__name__)
+logger = logging.getLogger('linuxbroker.api')
+
+
+@app.route('/health', methods=['GET'])
+def health():
+    conn = get_db_connection()
+    if not conn:
+        return jsonify({'status': 'unhealthy'}), 503
+
+    try:
+        cursor = conn.cursor()
+        cursor.execute('SELECT 1')
+        cursor.fetchone()
+        return jsonify({'status': 'healthy', 'version': app.config['VERSION']}), 200
+    except Exception as e:
+        logger.error("Health check failed: %s", e)
+        return jsonify({'status': 'unhealthy'}), 503
+    finally:
+        conn.close()
 
 # ===============================
 # Functions
@@ -433,7 +457,7 @@ def get_all_vms():
         conn.close()
 
         if not rows:
-            return "No VMs found.", 404
+            return jsonify([]), 200
 
         return jsonify(rows), 200
 

api/requirements.txt

@@ -2,6 +2,7 @@ Flask==2.2.2
 gunicorn
 Werkzeug==2.2.2
 pyodbc==4.0.35
+azure-monitor-opentelemetry==1.8.7
 azure-identity==1.17.1
 azure-mgmt-compute==33.0.0
 pyjwt==2.9.0

custom_script_extensions/Configure-RHEL7-Host.sh

@@ -2,6 +2,24 @@
 
 # Installs and configures the necessary packages for Linux Broker for AVD Access on RHEL 7
 
+LINUXBROKER_API_BASE_URL="${1:-}"
+LINUXBROKER_API_CLIENT_ID="${2:-}"
+
+if [ -z "$LINUXBROKER_API_BASE_URL" ] || [ -z "$LINUXBROKER_API_CLIENT_ID" ]; then
+    echo "Linux Broker API base URL and client ID are required."
+    exit 1
+fi
+
+case "$LINUXBROKER_API_BASE_URL" in
+    https://*) ;;
+    *)
+        echo "Linux Broker API base URL must start with https://"
+        exit 1
+        ;;
+esac
+
+LINUXBROKER_API_BASE_URL="${LINUXBROKER_API_BASE_URL%/}"
+
 # ===============================
 # Variables
 
@@ -28,8 +46,8 @@ CURRENT_USERS_DETAILS="$output_directory/xrdp-loggedin-users.txt"
 
 CRON_SCHEDULE="0 * * * *"
 
-YOUR_LINUXBROKER_API_CLIENT_ID="my_actual_client_id"
-YOUR_LINUXBROKER_API_URL="my.actual.linuxbroker.api.url"
+YOUR_LINUXBROKER_API_CLIENT_ID="$LINUXBROKER_API_CLIENT_ID"
+YOUR_LINUXBROKER_API_BASE_URL="$LINUXBROKER_API_BASE_URL"
 
 # ===============================
 # Execution
@@ -122,7 +140,8 @@ echo "Downloading release-session.sh..."
 sudo wget -O "$SCRIPT_PATH" "$release_session_url"
 
 sudo sed -i "s|YOUR_LINUX_BROKER_API_CLIENT_ID|$YOUR_LINUXBROKER_API_CLIENT_ID|g" "$SCRIPT_PATH"
-sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_BASE_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
 
 echo "Downloading xrdp-who-xnc.sh..."
 sudo wget -O "$output_directory/xrdp-who-xnc.sh" "$xrdp_who_xnc_url"

custom_script_extensions/Configure-RHEL8-Host.sh

@@ -2,6 +2,24 @@
 
 # Installs and configures the necessary packages for Linux Broker for AVD Access on RHEL 8
 
+LINUXBROKER_API_BASE_URL="${1:-}"
+LINUXBROKER_API_CLIENT_ID="${2:-}"
+
+if [ -z "$LINUXBROKER_API_BASE_URL" ] || [ -z "$LINUXBROKER_API_CLIENT_ID" ]; then
+    echo "Linux Broker API base URL and client ID are required."
+    exit 1
+fi
+
+case "$LINUXBROKER_API_BASE_URL" in
+    https://*) ;;
+    *)
+        echo "Linux Broker API base URL must start with https://"
+        exit 1
+        ;;
+esac
+
+LINUXBROKER_API_BASE_URL="${LINUXBROKER_API_BASE_URL%/}"
+
 # ===============================
 # Variables
 
@@ -50,8 +68,8 @@ CURRENT_USERS_DETAILS="$output_directory/xrdp-loggedin-users.txt"
 
 CRON_SCHEDULE="0 * * * *" 
 
-YOUR_LINUXBROKER_API_CLIENT_ID="my_actual_client_id"
-YOUR_LINUXBROKER_API_URL="my.actual.linuxbroker.api.url"
+YOUR_LINUXBROKER_API_CLIENT_ID="$LINUXBROKER_API_CLIENT_ID"
+YOUR_LINUXBROKER_API_BASE_URL="$LINUXBROKER_API_BASE_URL"
 
 # ===============================
 # Execution
@@ -145,7 +163,8 @@ echo "Downloading release-session.sh..."
 sudo wget -O "$SCRIPT_PATH" "$release_session_url"
 
 sudo sed -i "s|YOUR_LINUX_BROKER_API_CLIENT_ID|$YOUR_LINUXBROKER_API_CLIENT_ID|g" "$SCRIPT_PATH"
-sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_BASE_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
 
 echo "Downloading xrdp-who-xorg.sh..."
 sudo wget -O "$output_directory/xrdp-who-xorg.sh" "$xrdp_who_xorg_url"

custom_script_extensions/Configure-RHEL9-Host.sh

@@ -2,6 +2,21 @@
 
 # Installs and configures the necessary packages for Linux Broker for AVD Access on RHEL 9
 
+LINUXBROKER_API_BASE_URL="${1:-}"
+LINUXBROKER_API_CLIENT_ID="${2:-}"
+
+if [[ -z "$LINUXBROKER_API_BASE_URL" || -z "$LINUXBROKER_API_CLIENT_ID" ]]; then
+    echo "Linux Broker API base URL and client ID are required."
+    exit 1
+fi
+
+if [[ "$LINUXBROKER_API_BASE_URL" != https://* ]]; then
+    echo "Linux Broker API base URL must start with https://"
+    exit 1
+fi
+
+LINUXBROKER_API_BASE_URL="${LINUXBROKER_API_BASE_URL%/}"
+
 # ===============================
 # Variables
 
@@ -28,8 +43,8 @@ CURRENT_USERS_DETAILS="$output_directory/xrdp-loggedin-users.txt"
 
 CRON_SCHEDULE="0 * * * *"
 
-YOUR_LINUXBROKER_API_CLIENT_ID="my_actual_client_id"
-YOUR_LINUXBROKER_API_URL="my.actual.linuxbroker.api.url"
+YOUR_LINUXBROKER_API_CLIENT_ID="$LINUXBROKER_API_CLIENT_ID"
+YOUR_LINUXBROKER_API_BASE_URL="$LINUXBROKER_API_BASE_URL"
 
 # ===============================
 # Execution
@@ -134,7 +149,8 @@ echo "Downloading release-session.sh..."
 sudo wget -O "$SCRIPT_PATH" "$release_session_url"
 
 sudo sed -i "s|YOUR_LINUX_BROKER_API_CLIENT_ID|$YOUR_LINUXBROKER_API_CLIENT_ID|g" "$SCRIPT_PATH"
-sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_BASE_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
 
 echo "Downloading xrdp-who-xnc.sh..."
 sudo wget -O "$output_directory/xrdp-who-xnc.sh" "$xrdp_who_xnc_url"

custom_script_extensions/Configure-Ubuntu24_desktop-Host.sh

@@ -2,6 +2,21 @@
 
 # Installs and configures the necessary packages for Linux Broker for AVD Access on Ubuntu 24 desktop
 
+LINUXBROKER_API_BASE_URL="${1:-}"
+LINUXBROKER_API_CLIENT_ID="${2:-}"
+
+if [[ -z "$LINUXBROKER_API_BASE_URL" || -z "$LINUXBROKER_API_CLIENT_ID" ]]; then
+    echo "Linux Broker API base URL and client ID are required."
+    exit 1
+fi
+
+if [[ "$LINUXBROKER_API_BASE_URL" != https://* ]]; then
+    echo "Linux Broker API base URL must start with https://"
+    exit 1
+fi
+
+LINUXBROKER_API_BASE_URL="${LINUXBROKER_API_BASE_URL%/}"
+
 # ===============================
 # Variables
 
@@ -20,8 +35,8 @@ CURRENT_USERS_DETAILS="$output_directory/xrdp-loggedin-users.txt"
 
 CRON_SCHEDULE="0 * * * *" 
 
-YOUR_LINUXBROKER_API_CLIENT_ID="my_actual_client_id"
-YOUR_LINUXBROKER_API_URL="my.actual.linuxbroker.api.url"
+YOUR_LINUXBROKER_API_CLIENT_ID="$LINUXBROKER_API_CLIENT_ID"
+YOUR_LINUXBROKER_API_BASE_URL="$LINUXBROKER_API_BASE_URL"
 
 # ===============================
 # Execution
@@ -108,7 +123,8 @@ echo "Downloading release-session.sh..."
 sudo wget -O "$SCRIPT_PATH" "$release_session_url"
 
 sudo sed -i "s|YOUR_LINUX_BROKER_API_CLIENT_ID|$YOUR_LINUXBROKER_API_CLIENT_ID|g" "$SCRIPT_PATH"
-sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_BASE_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
+sudo sed -i "s|YOUR_LINUX_BROKER_API_URL|$YOUR_LINUXBROKER_API_BASE_URL|g" "$SCRIPT_PATH"
 
 echo "Downloading xrdp-who-xnc.sh..."
 sudo wget -O "$output_directory/xrdp-who-xnc.sh" "$xrdp_who_xnc_url"

deploy/Build-ContainerImages.ps1

@@ -22,6 +22,50 @@ param(
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Stop'
 
+function Invoke-AzCommandWithRetry {
+    param(
+        [Parameter(Mandatory = $true)]
+        [scriptblock]$Command,
+
+        [Parameter(Mandatory = $true)]
+        [string]$Description,
+
+        [Parameter(Mandatory = $false)]
+        [int]$MaxAttempts = 4,
+
+        [Parameter(Mandatory = $false)]
+        [int]$InitialDelaySeconds = 5
+    )
+
+    $lastError = ''
+
+    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
+        $commandOutput = & $Command 2>&1 | Out-String
+        if ($LASTEXITCODE -eq 0) {
+            return
+        }
+
+        $lastError = $commandOutput.Trim()
+        if ($attempt -ge $MaxAttempts) {
+            break
+        }
+
+        $delaySeconds = [Math]::Min($InitialDelaySeconds * [Math]::Pow(2, $attempt - 1), 30)
+        Write-Warning "$Description failed on attempt $attempt of $MaxAttempts. Retrying in $([int]$delaySeconds) seconds."
+        if (-not [string]::IsNullOrWhiteSpace($lastError)) {
+            Write-Warning $lastError
+        }
+
+        Start-Sleep -Seconds ([int]$delaySeconds)
+    }
+
+    if ([string]::IsNullOrWhiteSpace($lastError)) {
+        throw "Failed to $Description after $MaxAttempts attempts."
+    }
+
+    throw "Failed to $Description after $MaxAttempts attempts. Last error: $lastError"
+}
+
 if ([string]::IsNullOrWhiteSpace($EnvironmentName)) {
     $EnvironmentName = if (-not [string]::IsNullOrWhiteSpace($env:AZURE_ENV_NAME)) {
         $env:AZURE_ENV_NAME
@@ -91,19 +135,16 @@ try {
         }
     }
 
-    az webapp restart --name $FrontendAppName --resource-group $ResourceGroupName | Out-Null
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed to restart frontend app '$FrontendAppName'."
+    Invoke-AzCommandWithRetry -Description "restart frontend app '$FrontendAppName'" -Command {
+        az webapp restart --name $FrontendAppName --resource-group $ResourceGroupName --only-show-errors --output none
     }
 
-    az webapp restart --name $ApiAppName --resource-group $ResourceGroupName | Out-Null
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed to restart API app '$ApiAppName'."
+    Invoke-AzCommandWithRetry -Description "restart API app '$ApiAppName'" -Command {
+        az webapp restart --name $ApiAppName --resource-group $ResourceGroupName --only-show-errors --output none
     }
 
-    az functionapp restart --name $TaskAppName --resource-group $ResourceGroupName | Out-Null
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed to restart task app '$TaskAppName'."
+    Invoke-AzCommandWithRetry -Description "restart task app '$TaskAppName'" -Command {
+        az functionapp restart --name $TaskAppName --resource-group $ResourceGroupName --only-show-errors --output none
     }
 }
 finally {

deploy/DEPLOYMENT.md

@@ -78,6 +78,7 @@ The checked-in [bicep/main.parameters.example.json](bicep/main.parameters.exampl
 
 - `appName`: base name for generated resources.
 - `AZURE_LOCATION`: deployment region.
+- `appServicePlanSku`: App Service plan SKU. The deployment baseline defaults to Premium v3 `P2mv3` for 4 vCPUs and 32 GB memory.
 - `allowedClientIp`: your public client IP for SQL bootstrap from the local machine.
 - `deployLinuxHosts`: `true` or `false`.
 - `deployAvdHosts`: `true` or `false`.
@@ -190,6 +191,8 @@ Important deployment characteristics:
 - SQL public network access is enabled.
 - Azure services are allowed through the SQL firewall.
 - A client-IP firewall rule is added only if `allowedClientIp` is set.
+- The frontend and API App Services enable App Service health checks on `/health`.
+- The frontend and API apps are instrumented with Azure Monitor OpenTelemetry and receive `APPLICATIONINSIGHTS_CONNECTION_STRING` and `OTEL_SERVICE_NAME` through app settings.
 - Linux host auth defaults to `SSH`.
 - Key Vault stores `db-password` and `linux-host`.
 - The API app receives Key Vault Secrets User access so it can read those secrets at runtime.