docs: enhance README with architecture diagram and deployment documentation (#33)

Author: agreaves-ms

README.md

@@ -18,6 +18,56 @@ Production-ready framework for orchestrating robotics and AI workloads on [Azure
 
 The infrastructure deploys an AKS cluster with GPU node pools running the NVIDIA GPU Operator and KAI Scheduler. Training workloads can be submitted via OSMO workflows (control plane and backend operator) and AzureML jobs (ML extension). Both platforms share common infrastructure: Azure Storage for checkpoints and data, Key Vault for secrets, and Azure Container Registry for container images. OSMO additionally uses PostgreSQL for workflow state and Redis for caching.
 
+```text
++==========================================================================+
+|  Resource Group                                                          |
+|                                                                          |
+|  :--- Virtual Network (10.0.0.0/16) ---------------------------------:   |
+|  :                                                                   :   |
+|  :  +-------------+     +------------------+     +---------------+   :   |
+|  :  | NAT Gateway |---->|  AKS Cluster     |<--->|     ACR       |   :   |
+|  :  +------+------+     +--------+---------+     +-------+-------+   :   |
+|  :         |                     |                       |           :   |
+|  :         v                     v                       |           :   |
+|  :  +-------------+     +------------------+             |           :   |
+|  :  | GPU Node    |     | AzureML Extension|-------------+           :   |
+|  :  | Pool (A10)  |     | KAI Scheduler    |                         :   |
+|  :  +-------------+     | GPU Operator     |                         :   |
+|  :                      | OSMO Backend     |                         :   |
+|  :                      +------------------+                         :   |
+|  :                              |                                    :   |
+|  :  +------------------+        |        +------------------+        :   |
+|  :  | PostgreSQL       |<-------+------->| Azure Redis      |        :   |
+|  :  | Flexible Server  |                 | (Enterprise)     |        :   |
+|  :  +------------------+                 +------------------+        :   |
+|  :                                                                   :   |
+|  :  +-- Private Endpoint Subnet --------------------------------+    :   |
+|  :  |  PE-KeyVault  PE-Storage  PE-ACR  PE-AzureML  PE-Monitor  |    :   |
+|  :  +-----------------------------------------------------------+    :   |
+|  :                                                                   :   |
+|  :-------------------------------------------------------------------:   |
+|                                                                          |
+|  +------------------+        +------------------+                        |
+|  | Key Vault        |        | Storage Account  |                        |
+|  | (RBAC-enabled)   |        | - ml-workspace   |                        |
+|  +------------------+        | - osmo           |                        |
+|                              | - datasets       |                        |
+|                              +------------------+                        |
+|                                                                          |
+|  +------------------+        +------------------+                        |
+|  | AzureML Workspace|------->| Log Analytics    |                        |
+|  | + App Insights   |        | + Grafana        |                        |
+|  +------------------+        | + Monitor WS     |                        |
+|                              +------------------+                        |
+|                                                                          |
+|  +------------------+        +------------------+                        |
+|  | Managed Identity |        | Managed Identity |                        |
+|  | (ML Workloads)   |        | (OSMO Workloads) |                        |
+|  +------------------+        +------------------+                        |
+|                                                                          |
++==========================================================================+
+```
+
 **Azure Infrastructure** (deployed by [Terraform](deploy/001-iac/)):
 
 | Component | Purpose |
@@ -67,21 +117,19 @@ OSMO orchestration on Azure enables production-scale robotics training across in
 | Tool | Version | Installation |
 |------|---------|--------------|
 | [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) | 2.50+ | `brew install azure-cli` |
-| [Terraform](https://www.terraform.io/downloads) | 1.5+ | `brew install terraform` |
+| [Terraform](https://www.terraform.io/downloads) | 1.9.8+ | `brew install terraform` |
 | [kubectl](https://kubernetes.io/docs/tasks/tools/) | 1.28+ | `brew install kubectl` |
 | [Helm](https://helm.sh/docs/intro/install/) | 3.x | `brew install helm` |
 | [jq](https://stedolan.github.io/jq/) | latest | `brew install jq` |
 | [OSMO CLI](https://developer.nvidia.com/osmo) | latest | See NVIDIA docs |
 
 ### Azure Requirements
 
-- Azure subscription with **Contributor** access
+- Azure subscription with **Contributor** + **Role Based Access Control Administrator**
+  - Scope: Subscription (if creating new resource group) or Resource Group (if using existing)
+  - Terraform creates role assignments for managed identities
+  - Alternative: **Owner** (grants more permissions than required)
 - GPU VM quota for your target region (e.g., `Standard_NV36ads_A10_v5`)
-- Permissions to create: Resource Groups, AKS, Storage, Key Vault, AzureML Workspace
-
-### NVIDIA Requirements
-
-- [NVIDIA Developer](https://developer.nvidia.com/) account with OSMO access
 
 ## 🏃 Quick Start
 
@@ -202,6 +250,25 @@ See [002-setup/README.md](deploy/002-setup/README.md) for detailed instructions.
 | [Workflows](workflows/README.md) | Job and workflow templates |
 | [MLflow Integration](docs/mlflow-integration.md) | Experiment tracking setup |
 
+## 💰 Cost Estimation
+
+Use the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) to estimate costs. Add these services based on the architecture:
+
+| Service | Configuration | Notes |
+|---------|---------------|-------|
+| Azure Kubernetes Service (AKS) | System pool: Standard_D4s_v3 (3 nodes) | Always-on control plane |
+| Virtual Machines (Spot) | Standard_NV36ads_A10_v5 or NC-series | GPU nodes scale to zero when idle |
+| Azure Database for PostgreSQL | Flexible Server, Burstable B1ms | OSMO workflow state |
+| Azure Cache for Redis | Basic C0 or Standard C1 | OSMO job queue |
+| Azure Machine Learning | Basic workspace | No additional compute costs (uses AKS) |
+| Storage Account | Standard LRS, ~100GB | Checkpoints and datasets |
+| Container Registry | Basic or Standard | Image storage |
+| Log Analytics | ~5GB/day ingestion | Monitoring data |
+| Azure Managed Grafana | Essential tier | Dashboards (optional) |
+| VPN Gateway | VpnGw1 | Point-to-site access (optional) |
+
+GPU Spot VMs provide significant savings (60-90%) compared to on-demand pricing. Actual costs depend on training frequency, job duration, and data volumes.
+
 ## 🪪 License
 
 MIT License. See [LICENSE.md](LICENSE.md).

deploy/001-iac/README.md

@@ -10,6 +10,20 @@ Terraform configuration for the robotics reference architecture. Deploys Azure r
 | Terraform | 1.5+ | `terraform version` |
 | GPU VM quota | Region-specific | e.g., `Standard_NV36ads_A10_v5` |
 
+### Azure RBAC Permissions
+
+| Role | Scope |
+|------|-------|
+| Contributor | Subscription (new RG) or Resource Group (existing RG) |
+| Role Based Access Control Administrator | Subscription (new RG) or Resource Group (existing RG) |
+
+Terraform creates role assignments for managed identities, requiring `Microsoft.Authorization/roleAssignments/write` permission. The Contributor role explicitly blocks this action; the RBAC Administrator role provides it.
+
+> [!NOTE]
+> Use subscription scope if creating a new resource group (`should_create_resource_group = true`). Use resource group scope if the resource group already exists.
+
+**Alternative**: Owner role (grants more permissions than required).
+
 ## 🚀 Quick Start
 
 ```bash
@@ -260,7 +274,7 @@ Issues and resolutions encountered during infrastructure deployment and teardown
 
 ### Destroy Takes a Long Time
 
-Terraform destroy removes resources in dependency order. Private Endpoints, AKS clusters, and PostgreSQL servers commonly take 10-15 minutes each.
+Terraform destroy removes resources in dependency order. Private Endpoints, AKS clusters, and PostgreSQL servers commonly take 5-10 minutes each. Full destruction typically takes 20-30 minutes.
 
 Monitor remaining resources during destruction:
 

deploy/002-setup/README.md

@@ -9,6 +9,17 @@ AKS cluster configuration for robotics workloads with AzureML and NVIDIA OSMO.
 - kubectl, Helm 3.x, jq installed
 - OSMO CLI (`osmo`) for backend deployment
 
+### Azure RBAC Permissions
+
+For least-privilege access:
+
+| Role | Scope | Purpose |
+|------|-------|---------|
+| Azure Kubernetes Service Cluster User Role | AKS Cluster | Get cluster credentials |
+| Contributor | Resource Group | Extension and FIC creation |
+| Key Vault Secrets User | Key Vault | Read PostgreSQL/Redis credentials |
+| Storage Blob Data Contributor | Storage Account | Create workflow containers |
+
 ## 🚀 Quick Start
 
 ```bash

deploy/README.md

@@ -7,8 +7,8 @@ Infrastructure deployment and cluster configuration for the robotics reference a
 | Step | Folder | Description | Time |
 |:----:|--------|-------------|------|
 | 1 | [000-prerequisites](000-prerequisites/) | Azure CLI login, subscription setup | 2 min |
-| 2 | [001-iac](001-iac/) | Terraform: AKS, ML workspace, storage, PostgreSQL, Redis | 15-20 min |
-| 3 | [002-setup](002-setup/) | Cluster config: GPU Operator, OSMO, AzureML extension | 10-15 min |
+| 2 | [001-iac](001-iac/) | Terraform: AKS, ML workspace, storage, PostgreSQL, Redis | 30-40 min |
+| 3 | [002-setup](002-setup/) | Cluster config: GPU Operator, OSMO, AzureML extension | 30 min |
 
 ## 🚀 Quick Path
 
@@ -50,8 +50,8 @@ Remove deployed components in reverse order. Cluster components must be removed
 
 | Step | Folder | Description | Time |
 |:----:|--------|-------------|------|
-| 1 | [002-setup/cleanup](002-setup/cleanup/) | Uninstall Helm charts, extensions, namespaces | 5-10 min |
-| 2 | [001-iac](001-iac/) | Terraform destroy or resource group deletion | 10-15 min |
+| 1 | [002-setup/cleanup](002-setup/cleanup/) | Uninstall Helm charts, extensions, namespaces | 10-15 min |
+| 2 | [001-iac](001-iac/) | Terraform destroy or resource group deletion | 20-30 min |
 
 ### Partial Cleanup (Cluster Components Only)