Add a Cosmos DB resource for chat history

Author: fujita-h

infra/core/security/documentdb-sql-role.bicep

@@ -0,0 +1,27 @@
+metadata name = 'DocumentDB Database Account SQL Role Assignments.'
+metadata description = 'Assign RBAC role for data plane access to Azure Cosmos DB for NoSQL.'
+
+@description('Name of the Azure Cosmos DB for NoSQL account.')
+param databaseAccountName string
+
+@description('Id of the identity/principal to assign this role in the context of the account.')
+param principalId string = ''
+
+@description('Id of the role definition to assign to the targeted principal in the context of the account.')
+param roleDefinitionId string
+
+resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
+  name: databaseAccountName
+}
+
+resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
+  name: guid(databaseAccount.id, principalId, roleDefinitionId)
+  parent: databaseAccount
+  properties: {
+    principalId: principalId
+    roleDefinitionId: roleDefinitionId
+    scope: databaseAccount.id
+  }
+}
+
+output sqlRoleAssignmentId string = sqlRoleAssignment.id

infra/main.bicep

@@ -59,6 +59,15 @@ param speechServiceName string = ''
 param speechServiceSkuName string // Set in main.parameters.json
 param useGPT4V bool = false
 
+@allowed(['free', 'provisioned', 'serverless'])
+param cosmosDbSkuName string // Set in main.parameters.json
+param cosmodDbResourceGroupName string = ''
+param cosmosDbLocation string = ''
+param cosmosDbAccountName string = ''
+param cosmosDbThroughput int = 400
+param chatHistoryDatabaseName string = 'chat-database'
+param chatHistoryContainerName string = 'chat-history'
+
 @description('Location for the OpenAI resource group')
 @allowed([
   'canadaeast'
@@ -198,6 +207,8 @@ param useSpeechOutputBrowser bool = false
 param useSpeechOutputAzure bool = false
 @description('Use chat history feature in browser')
 param useChatHistoryBrowser bool = false
+@description('Use chat history feature in CosmosDB')
+param useChatHistoryCosmos bool = false
 @description('Show options to use vector embeddings for searching in the app UI')
 param useVectors bool = false
 @description('Use Built-in integrated Vectorization feature of AI Search to vectorize and ingest documents')
@@ -266,6 +277,10 @@ resource speechResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' exi
   name: !empty(speechServiceResourceGroupName) ? speechServiceResourceGroupName : resourceGroup.name
 }
 
+resource cosmosDbResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(cosmodDbResourceGroupName)) {
+  name: !empty(cosmodDbResourceGroupName) ? cosmodDbResourceGroupName : resourceGroup.name
+}
+
 // Monitor application with Azure Monitor
 module monitoring 'core/monitor/monitoring.bicep' = if (useApplicationInsights) {
   name: 'monitoring'
@@ -329,7 +344,12 @@ var appEnvVariables = {
   USE_SPEECH_INPUT_BROWSER: useSpeechInputBrowser
   USE_SPEECH_OUTPUT_BROWSER: useSpeechOutputBrowser
   USE_SPEECH_OUTPUT_AZURE: useSpeechOutputAzure
+  // Chat history settings
   USE_CHAT_HISTORY_BROWSER: useChatHistoryBrowser
+  USE_CHAT_HISTORY_COSMOS: useChatHistoryCosmos
+  AZURE_COSMOSDB_ACCOUNT: (useAuthentication && useChatHistoryCosmos) ? cosmosDb.outputs.name : ''
+  AZURE_CHAT_HISTORY_DATABASE: chatHistoryDatabaseName
+  AZURE_CHAT_HISTORY_CONTAINER: chatHistoryContainerName
   // Shared by all OpenAI deployments
   OPENAI_HOST: openAiHost
   AZURE_OPENAI_EMB_MODEL_NAME: embedding.modelName
@@ -668,6 +688,64 @@ module userStorage 'core/storage/storage-account.bicep' = if (useUserUpload) {
   }
 }
 
+module cosmosDb 'br/public:avm/res/document-db/database-account:0.6.1' = if (useAuthentication && useChatHistoryCosmos) {
+  name: 'cosmosdb'
+  scope: cosmosDbResourceGroup
+  params: {
+    name: !empty(cosmosDbAccountName) ? cosmosDbAccountName : '${abbrs.documentDBDatabaseAccounts}${resourceToken}'
+    location: !empty(cosmosDbLocation) ? cosmosDbLocation : location
+    locations: [
+      {
+        locationName: !empty(cosmosDbLocation) ? cosmosDbLocation : location
+        failoverPriority: 0
+        isZoneRedundant: false
+      }
+    ]
+    enableFreeTier: cosmosDbSkuName == 'free'
+    capabilitiesToAdd: cosmosDbSkuName == 'serverless' ? ['EnableServerless'] : []
+    networkRestrictions: {
+      ipRules: []
+      networkAclBypass: bypass
+      publicNetworkAccess: publicNetworkAccess
+      virtualNetworkRules: []
+    }
+    sqlDatabases: [
+      {
+        name: chatHistoryDatabaseName
+        throughput: (cosmosDbSkuName == 'serverless') ? null : cosmosDbThroughput
+        containers: [
+          {
+            name: chatHistoryContainerName
+            paths: [
+              '/entra_oid'
+            ]
+            indexingPolicy: {
+              indexingMode: 'consistent'
+              automatic: true
+              includedPaths: [
+                {
+                  path: '/*'
+                }
+              ]
+              excludedPaths: [
+                {
+                  path: '/title/?'
+                }
+                {
+                  path: '/answers/*'
+                }
+                {
+                  path: '/"_etag"/?'
+                }
+              ]
+            }
+          }
+        ]
+      }
+    ]
+  }
+}
+
 // USER ROLES
 var principalType = empty(runningOnGh) && empty(runningOnAdo) ? 'User' : 'ServicePrincipal'
 
@@ -762,6 +840,31 @@ module searchSvcContribRoleUser 'core/security/role.bicep' = {
   }
 }
 
+module cosmosDbAccountContribRoleUser 'core/security/role.bicep' = if (useAuthentication && useChatHistoryCosmos) {
+  scope: cosmosDbResourceGroup
+  name: 'cosmosdb-account-contrib-role-user'
+  params: {
+    principalId: principalId
+    roleDefinitionId: '5bd9cd88-fe45-4216-938b-f97437e15450'
+    principalType: principalType
+  }
+}
+
+// RBAC for Cosmos DB
+// https://learn.microsoft.com/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access
+module cosmosDbDataContribRoleUser 'core/security/documentdb-sql-role.bicep' = if (useAuthentication && useChatHistoryCosmos) {
+  scope: cosmosDbResourceGroup
+  name: 'cosmosdb-data-contrib-role-user'
+  params: {
+    databaseAccountName: (useAuthentication && useChatHistoryCosmos) ? cosmosDb.outputs.name : ''
+    principalId: principalId
+    // Cosmos DB Built-in Data Contributor role
+    roleDefinitionId: (useAuthentication && useChatHistoryCosmos)
+      ? '/${subscription().id}/resourceGroups/${cosmosDb.outputs.resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDb.outputs.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+      : ''
+  }
+}
+
 // SYSTEM IDENTITIES
 module openAiRoleBackend 'core/security/role.bicep' = if (isAzureOpenAiHost && deployAzureOpenAi) {
   scope: openAiResourceGroup
@@ -845,6 +948,23 @@ module speechRoleBackend 'core/security/role.bicep' = {
   }
 }
 
+// RBAC for Cosmos DB
+// https://learn.microsoft.com/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access
+module cosmosDbRoleBackend 'core/security/documentdb-sql-role.bicep' = if (useAuthentication && useChatHistoryCosmos) {
+  scope: cosmosDbResourceGroup
+  name: 'cosmosdb-role-backend'
+  params: {
+    databaseAccountName: (useAuthentication && useChatHistoryCosmos) ? cosmosDb.outputs.name : ''
+    principalId: (deploymentTarget == 'appservice')
+      ? backend.outputs.identityPrincipalId
+      : acaBackend.outputs.identityPrincipalId
+    // Cosmos DB Built-in Data Contributor role
+    roleDefinitionId: (useAuthentication && useChatHistoryCosmos)
+      ? '/${subscription().id}/resourceGroups/${cosmosDb.outputs.resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDb.outputs.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+      : ''
+  }
+}
+
 module isolation 'network-isolation.bicep' = {
   name: 'networks'
   scope: resourceGroup
@@ -891,6 +1011,11 @@ var otherPrivateEndpointConnections = (usePrivateEndpoint && deploymentTarget ==
         dnsZoneName: 'privatelink.azurewebsites.net'
         resourceIds: [backend.outputs.id]
       }
+      {
+        groupId: 'cosmosdb'
+        dnsZoneName: 'privatelink.documents.azure.com'
+        resourceIds: (useAuthentication && useChatHistoryCosmos) ? [cosmosDb.outputs.resourceId] : []
+      }
     ]
   : []
 
@@ -997,6 +1122,10 @@ output AZURE_SEARCH_SERVICE_RESOURCE_GROUP string = searchServiceResourceGroup.n
 output AZURE_SEARCH_SEMANTIC_RANKER string = actualSearchServiceSemanticRankerLevel
 output AZURE_SEARCH_SERVICE_ASSIGNED_USERID string = searchService.outputs.principalId
 
+output AZURE_COSMOSDB_ACCOUNT string = (useAuthentication && useChatHistoryCosmos) ? cosmosDb.outputs.name : ''
+output AZURE_CHAT_HISTORY_DATABASE string = chatHistoryDatabaseName
+output AZURE_CHAT_HISTORY_CONTAINER string = chatHistoryContainerName
+
 output AZURE_STORAGE_ACCOUNT string = storage.outputs.name
 output AZURE_STORAGE_CONTAINER string = storageContainerName
 output AZURE_STORAGE_RESOURCE_GROUP string = storageResourceGroup.name

infra/main.parameters.json

@@ -185,9 +185,6 @@
     "useSpeechOutputAzure": {
       "value": "${USE_SPEECH_OUTPUT_AZURE=false}"
     },
-    "useChatHistoryBrowser": {
-      "value": "${USE_CHAT_HISTORY_BROWSER=false}"
-    },
     "speechServiceName": {
       "value": "${AZURE_SPEECH_SERVICE}"
     },
@@ -200,6 +197,27 @@
     "speechServiceLocation": {
       "value": "${AZURE_SPEECH_SERVICE_LOCATION}"
     },
+    "useChatHistoryBrowser": {
+      "value": "${USE_CHAT_HISTORY_BROWSER=false}"
+    },
+    "useChatHistoryCosmos": {
+      "value": "${USE_CHAT_HISTORY_COSMOS=false}"
+    },
+    "cosmosDbSkuName": {
+      "value": "${AZURE_COSMOSDB_SKU=serverless}"
+    },
+    "cosmodDbResourceGroupName": {
+      "value": "${AZURE_COSMOSDB_RESOURCE_GROUP}"
+    },
+    "cosmosDbLocation": {
+      "value": "${AZURE_COSMOSDB_LOCATION}"
+    },
+    "cosmosDbAccountName": {
+      "value": "${AZURE_COSMOSDB_ACCOUNT}"
+    },
+    "cosmosDbThroughput": {
+      "value": "${AZURE_COSMOSDB_THROUGHPUT}"
+    },
     "useAuthentication": {
       "value": "${AZURE_USE_AUTHENTICATION=false}"
     },