Skip role assignments for free Azure Search SKU (#2848) (#2886)

* Fix: skip role assignments when principalId is empty to avoid InvalidPrincipalId for free Search SKU (#2848)

* Add checks to each role in main.bicep that is assigned to searchService.outputs.systemAssignedPrincipalId

* Add checks to each role in main.bicep that is assigned to searchService.outputs.systemAssignedPrincipalId

* Add limitations in docs

* Revert unneeded change to role.bicep

---------

Co-authored-by: bnodir <[email protected]>
Co-authored-by: Pamela Fox <[email protected]>
Co-authored-by: Pamela Fox <[email protected]>

Author: 3 people

docs/deploy_lowcost.md

@@ -54,6 +54,7 @@ However, if your goal is to minimize costs while prototyping your application, f
     reuse your [existing search service](../README.md#existing-azure-ai-search-resource).
     2. The free tier does not support semantic ranker, so the app UI will no longer display
     the option to use the semantic ranker. Note that will generally result in [decreased search relevance](https://techcommunity.microsoft.com/blog/azure-ai-services-blog/azure-ai-search-outperforming-vector-search-with-hybrid-retrieval-and-ranking-ca/3929167).
+    3. The free tier does not support managed identities. As a result, cloud ingestion and multimodal/vector features that require role assignments to the search service principal will have those role assignments skipped during provisioning. If you need those permissions, use a non-free tier (for example, `Basic`/`B1` or `Standard`).
 
 1. Use the free tier of Azure Document Intelligence (used in analyzing files):
 

infra/main.bicep

@@ -1154,7 +1154,7 @@ module openAiRoleBackend 'core/security/role.bicep' = if (isAzureOpenAiHost && d
   }
 }
 
-module openAiRoleSearchService 'core/security/role.bicep' = if (isAzureOpenAiHost && deployAzureOpenAi) {
+module openAiRoleSearchService 'core/security/role.bicep' = if (isAzureOpenAiHost && deployAzureOpenAi && searchServiceSkuName != 'free') {
   scope: openAiResourceGroup
   name: 'openai-role-searchservice'
   params: {
@@ -1164,7 +1164,7 @@ module openAiRoleSearchService 'core/security/role.bicep' = if (isAzureOpenAiHos
   }
 }
 
-module visionRoleSearchService 'core/security/role.bicep' = if (useMultimodal) {
+module visionRoleSearchService 'core/security/role.bicep' = if (useMultimodal && searchServiceSkuName != 'free') {
   scope: visionResourceGroup
   name: 'vision-role-searchservice'
   params: {
@@ -1199,7 +1199,7 @@ module storageOwnerRoleBackend 'core/security/role.bicep' = if (useUserUpload) {
 }
 
 // Search service needs blob read access for both integrated vectorization and cloud ingestion indexer data source
-module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVectorization || useCloudIngestion) {
+module storageRoleSearchService 'core/security/role.bicep' = if ((useIntegratedVectorization || useCloudIngestion) && searchServiceSkuName != 'free') {
   scope: storageResourceGroup
   name: 'storage-role-searchservice'
   params: {
@@ -1209,7 +1209,7 @@ module storageRoleSearchService 'core/security/role.bicep' = if (useIntegratedVe
   }
 }
 
-module storageRoleContributorSearchService 'core/security/role.bicep' = if (useIntegratedVectorization && useMultimodal) {
+module storageRoleContributorSearchService 'core/security/role.bicep' = if ((useIntegratedVectorization && useMultimodal) && searchServiceSkuName != 'free') {
   scope: storageResourceGroup
   name: 'storage-role-contributor-searchservice'
   params: {