CSA Loom — the Microsoft Fabric experience for Azure tenants where Fabric isn't yet available: lakehouses, warehouses, notebooks, semantic models, Activator rules, Data Agents, across Commercial, GCC, GCC-High, and DoD IL5

CSA Loom — full push-button deploy: gap audit (2026-05-24)

Status: v2.0 Synapse slice GREEN. Full-platform push-button deploy BLOCKED by 4 bicep gaps documented below. Each is a small, well-scoped fix; together they make az deployment sub create -f platform/fiab/bicep/main.bicep -p params/commercial-full.bicepparam safe to run end-to-end.

What's GREEN today (verified live)

  • Admin Plane: VNet + NSGs + Bastion + Firewall + AGW + VPN + Front Door + ACR + KV + LAW + AppInsights + all UAMIs + all 6 Container Apps (loom-console v2.0, mcp, orchestrator, activator, mirroring, direct-lake-shim)
  • DLZ (single): spoke VNet + storage + Databricks + Synapse workspace + Dedicated SQL pool loompool (DW100c, paused) + auto-pause Logic App + private endpoints + AAD admin + ARM Contributor + EventHubs + Cosmos
  • Private DNS: 18 zones in admin RG, all linked to hub VNet, incl. new privatelink.{sql,dev}.azuresynapse.net
  • Front Door URL: https://loom-console-fvbbctd4eehqbkcs.b02.azurefd.net/api/version → v2.0

Gaps blocking push-button (in fix priority)

Gap 1 — app-deployments.bicep hardcodes :v0.1 image tags

File: platform/fiab/bicep/modules/admin-plane/main.bicep:297-365
Effect: every re-deploy would roll back all 6 Container Apps to v0.1.
Fix: parameterize image tags. Either:
  • Add image_tag per app in the apps array (default v0.1) and let CI override per release.
  • OR move app-deployments out of the top-level bicep and let GHA continue to own image lifecycle (current de-facto reality). Set deployAppsEnabled=false by default so bicep doesn't touch apps unless explicitly opted in.

Recommended: option B. Cleaner separation, and the existing GHA full-app-deploy-commercial already handles image deploys correctly.

Gap 2 — loom-console env vars not surfaced in bicep

File: same module, apps array entry for loom-console.
Effect: every bicep deploy drops LOOM_SYNAPSE_WORKSPACE, LOOM_SYNAPSE_DEDICATED_POOL, LOOM_SUBSCRIPTION_ID, LOOM_DLZ_RG, LOOM_BRONZE_URL, LOOM_SILVER_URL, LOOM_GOLD_URL, LOOM_LANDING_URL, LOOM_VERSION plus MSAL config (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, SESSION_SECRET).
Fix: add the env: list to the loom-console entry with values sourced from DLZ outputs (per-DLZ for multi-sub).
Refactor needed: app-deployments today lives inside admin-plane; DLZ outputs aren't reachable. Solutions:
  • Move app-deployments to the top-level orchestrator (runs after both adminPlane + singleDlz complete) — same refactor that solves Gap 1.
  • OR keep deploy-v2-synapse.sh post-deploy script as the source of truth for these env vars (current implementation).

Gap 3 — loom-console ingress should be external: true (Front Door)

File: app-deployments.bicep:60
  external: false // VNet-only; cross-app via internal DNS
Effect: bicep would make loom-console VNet-internal, breaking the Front Door public URL.
Fix: per-app external flag in the apps array. loom-console: external=true; mcp/orchestrator/activator/mirroring/direct-lake: external=false.
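The following is an added example of what the Gap 1, Gap 2 and Gap 3 fixes look like together, written here for illustration; it is not the repo's app-deployments.bicep. One apps array carries a per-app image tag (overridable by CI), the loom-console env list, and a per-app external flag, and the whole loop sits behind a deployAppsEnabled opt-in that defaults to false. Everything the audit does not name (location, caeId, uamiId, acrLoginServer, clientSecretKvUri, targetPort, the scale block) is an assumed input. Note that AZURE_CLIENT_SECRET is wired as a secretRef backed by a Key Vault reference rather than a plain env value, so the secret never lands in the template, the deployment history or the what-if output.

```bicep
// Added example (not the CSA Loom repo's own module): per-app imageTag (Gap 1),
// env list (Gap 2) and external flag (Gap 3) behind a deployAppsEnabled opt-in.
// Inputs below that the audit does not mention are assumptions.

@description('Opt-in: bicep only touches Container Apps when explicitly enabled (default off).')
param deployAppsEnabled bool = false

@description('Per-app image tag overrides supplied by CI, e.g. { "loom-console": "v2.0" }.')
param imageTags object = {}

param location string = resourceGroup().location
param acrLoginServer string          // assumed: <acr>.azurecr.io
param caeId string                   // assumed: Container Apps environment resource id
param uamiId string                  // assumed: UAMI used for ACR pull and the KV reference
param clientSecretKvUri string       // assumed: Key Vault secret URI for AZURE_CLIENT_SECRET

// These come from DLZ outputs once app-deployments moves to the top-level orchestrator.
param synapseWorkspaceName string
param dedicatedPoolName string = 'loompool'
param dlzResourceGroup string
param azureTenantId string = tenant().tenantId
param azureClientId string

var defaultTag = 'v0.1'

// loom-console env from the audit's list; the client secret is a secretRef, never a value.
var loomConsoleEnv = [
  { name: 'LOOM_SYNAPSE_WORKSPACE', value: synapseWorkspaceName }
  { name: 'LOOM_SYNAPSE_DEDICATED_POOL', value: dedicatedPoolName }
  { name: 'LOOM_SUBSCRIPTION_ID', value: subscription().subscriptionId }
  { name: 'LOOM_DLZ_RG', value: dlzResourceGroup }
  { name: 'AZURE_TENANT_ID', value: azureTenantId }
  { name: 'AZURE_CLIENT_ID', value: azureClientId }
  { name: 'AZURE_CLIENT_SECRET', secretRef: 'azure-client-secret' }
]

// Key Vault reference resolved by the UAMI at runtime; the value never enters the template.
var loomConsoleSecrets = [
  { name: 'azure-client-secret', keyVaultUrl: clientSecretKvUri, identity: uamiId }
]

// Only loom-console is public (it is the Front Door origin); the rest stay VNet-only.
var apps = [
  { name: 'loom-console', external: true, env: loomConsoleEnv }
  { name: 'mcp', external: false, env: [] }
  { name: 'orchestrator', external: false, env: [] }
  { name: 'activator', external: false, env: [] }
  { name: 'mirroring', external: false, env: [] }
  { name: 'direct-lake-shim', external: false, env: [] }
]

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = [for a in apps: if (deployAppsEnabled) {
  name: a.name
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uamiId}': {} }
  }
  properties: {
    managedEnvironmentId: caeId
    configuration: {
      ingress: {
        external: a.external          // Gap 3: per-app, not a module-wide constant
        targetPort: 3000              // assumed
        transport: 'auto'
      }
      registries: [ { server: acrLoginServer, identity: uamiId } ]
      secrets: a.name == 'loom-console' ? loomConsoleSecrets : []
    }
    template: {
      containers: [
        {
          name: a.name
          // Gap 1: CI override wins, otherwise the v0.1 default; no tag is hardcoded per app.
          image: '${acrLoginServer}/${a.name}:${contains(imageTags, a.name) ? imageTags[a.name] : defaultTag}'
          env: a.env                  // Gap 2: sourced from the params above
        }
      ]
      scale: { minReplicas: 0, maxReplicas: 2 }   // assumed
    }
  }
}]
```

With deployAppsEnabled left at its default, the what-if in the "Safe path forward" list should list no Microsoft.App/containerApps changes at all, which is the quickest check that a platform re-deploy can no longer roll the apps back or strip their env vars.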

Gap 4 — ADX database loomdb-default has no parent cluster

File: platform/fiab/bicep/modules/landing-zone/adx.bicep + DLZ params with adxEnabled=true
Effect: deploys child DB resource against non-existent adx-csa-loom-shared cluster → ResourceNotFound.
Fix: either
  • add an admin-plane ADX cluster module (modules/admin-plane/adx-cluster.bicep) with a small SKU (Dev SKU Dev(No SLA)_Standard_D11_v2 at ~$200/mo), then DLZ's database can target it,
  • OR leave adxEnabled=false until a budget decision.
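An added example of the Gap 4 fix, written here for illustration and not the repo's adx.bicep or adx-cluster.bicep: the shared cluster on the Dev SKU the audit names, with the loomdb-default database declared as its child so that the database cannot be deployed without the cluster. Because a child resource lives in its parent's resource group, the DLZ side would pass the cluster name in and deploy this file with scope set to the admin resource group rather than creating the database in the DLZ RG. The cluster and database names are taken from the audit; the API version, retention periods and network settings are assumptions.

```bicep
// Added example (not the CSA Loom repo's own module): shared ADX cluster plus the
// loomdb-default database as its child, both gated on adxEnabled.
// API version, cache/retention periods and network settings are assumptions.

targetScope = 'resourceGroup'

@description('Leave false (as in the audit) until the ~$200/mo cluster is approved.')
param adxEnabled bool = false
param clusterName string = 'adx-csa-loom-shared'
param databaseName string = 'loomdb-default'
param location string = resourceGroup().location
param hotCacheDays int = 7        // assumed
param softDeleteDays int = 365    // assumed

// Dev(No SLA)_Standard_D11_v2 is a Basic-tier, single-instance SKU: cheapest way to
// give the DLZ database a real parent.
resource cluster 'Microsoft.Kusto/clusters@2023-08-15' = if (adxEnabled) {
  name: clusterName
  location: location
  sku: {
    name: 'Dev(No SLA)_Standard_D11_v2'
    tier: 'Basic'
    capacity: 1
  }
  identity: { type: 'SystemAssigned' }
  properties: {
    enableDiskEncryption: true
    enableStreamingIngest: false
    publicNetworkAccess: 'Disabled'   // reach it via private endpoint from the hub, like the other DLZ services
  }
}

// Declared as a child of the cluster above: with adxEnabled=false neither resource is
// sent to ARM, and with it true the database can never reference a cluster that does
// not exist, which is the ResourceNotFound the audit hit.
resource db 'Microsoft.Kusto/clusters/databases@2023-08-15' = if (adxEnabled) {
  parent: cluster
  name: databaseName
  location: location
  kind: 'ReadWrite'
  properties: {
    hotCachePeriod: 'P${hotCacheDays}D'
    softDeletePeriod: 'P${softDeleteDays}D'
  }
}

output clusterId string = adxEnabled ? cluster.id : ''
output clusterUri string = adxEnabled ? cluster.properties.uri : ''
```

If the database must stay in the landing-zone module for ownership reasons, the same file can be consumed as a module from the DLZ orchestrator with `scope: resourceGroup(adminRg)` (adminRg being an assumed parameter) and `adxEnabled` passed through, so the parent/child relationship is still expressed in one template.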

Param overrides used this session

platform/fiab/bicep/params/commercial-full.bicepparam (new):
  • All access patterns ON (vpn, agw, fd)
  • All AI services ON (aiFoundry, aiSearch, defenderForAI)
  • APIM Premium ON (~$2,800/mo) — fix Gap 1+2+3 before deploying
  • Purview OFF (existing Enterprise tenant-level Purview in dmlz-dev-purview-eastus reused; provisioning a 2nd fails with EnterpriseTenantAlreadyExists)
  • adminEntraGroupId = 716f5ec5-20d0-4713-9e42-57ef931cd665 (new Loom Admins group created this session; current user added)

Safe path forward (next session)

  1. Fix Gap 1 (parameterize image tags or set deployAppsEnabled=false)
  2. Fix Gap 3 (per-app external flag)
  3. Fix Gap 4 (add ADX cluster module OR set adxEnabled=false)
  4. Gap 2 = decide: bicep owns env vars (preferred long-term) vs deploy-v2-synapse.sh continues to own them (works today)
  5. Re-run az deployment sub what-if — confirm only additive changes (APIM, AI Foundry, AI Search; no app rollback, no env-var loss)
  6. Run az deployment sub create — ~45 min (APIM Premium dominates)
  7. Verify each new service:
       az apim show -n apim-csa-loom-eastus2 -g rg-csa-loom-admin-eastus2
       az ml workspace show -n aifoundry-csa-loom-eastus2 -g rg-csa-loom-admin-eastus2
       az search service show -n search-loom-m56yejezt7bjo -g rg-csa-loom-admin-eastus2
  8. Wire each new service into Loom editors (APIM editor → APIM mgmt REST; AI Foundry editors → workspace REST; AI Search editor → search REST). Same pattern as Synapse v2.0 — TDS replaced with the relevant REST surface.

Cost-impact summary (if all flags stay ON)

| Service | Monthly cost (eastus2 Commercial) | Status |
| --- | --- | --- |
| Synapse Dedicated loompool DW100c (paused) | ~$122 (storage only) | LIVE, auto-paused nightly |
| Synapse Serverless | $0 idle + $5/TB scanned | LIVE |
| APIM Premium v2 (1 unit) | ~$2,800 | NOT deployed yet |
| AI Foundry hub | ~$200-400 | NOT deployed yet |
| AI Search Standard | ~$250 | NOT deployed yet |
| ADX Dev cluster | ~$200 | NOT deployed yet |
| Container Apps Consumption | ~$50 | LIVE |
| Front Door Premium + WAF | ~$330 | LIVE |
| AGW v2 + WAF | ~$250 | LIVE |
| VPN Gateway VpnGw1 | ~$140 | LIVE |
| Bastion | ~$140 | LIVE |
| Storage + Cosmos + EventHubs + Databricks workspace + KV + ACR + LAW + AppInsights | ~$200-400 | LIVE |
| Total (all on) | ~$5,000/mo | |
| Current (Synapse + access patterns only) | ~$1,400/mo | LIVE |

Files changed this session

apps/fiab-console/.build-marker
apps/fiab-console/app/api/items/synapse-dedicated-sql-pool/[id]/{query,schema,state,resume}/route.ts (new)
apps/fiab-console/app/api/items/synapse-serverless-sql-pool/[id]/{query,schema}/route.ts (new)
apps/fiab-console/lib/azure/synapse-sql-client.ts (new)
apps/fiab-console/lib/azure/synapse-pool-arm.ts (new)
apps/fiab-console/lib/editors/synapse-sql-editors.tsx (new)
apps/fiab-console/lib/editors/registry.ts
apps/fiab-console/next.config.mjs
apps/fiab-console/package.json
platform/fiab/bicep/main.bicep
platform/fiab/bicep/params/commercial-full.bicepparam (new)
platform/fiab/bicep/modules/admin-plane/identity.bicep
platform/fiab/bicep/modules/admin-plane/main.bicep
platform/fiab/bicep/modules/admin-plane/network.bicep
platform/fiab/bicep/modules/landing-zone/main.bicep
platform/fiab/bicep/modules/landing-zone/synapse.bicep
platform/fiab/bicep/modules/landing-zone/synapse-auto-pause.bicep (new)
scripts/csa-loom/deploy-v2-synapse.sh (new)
docs/fiab/v2.0-handoff.md (new)
docs/fiab/v2.0-pushbutton-gap-audit.md (this file)

Commit

966c1251 on branch access-patterns-vpn-agw-fd.