Fix overlapping roles

Author: dharakumarmsft

scenarios/Agents/setup/network-secured-agent/azuredeploy.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.33.93.31351",
-      "templateHash": "6468218768722945213"
+      "templateHash": "13610358180001906492"
     }
   },
   "parameters": {
@@ -327,7 +327,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.33.93.31351",
-              "templateHash": "3058877073778301143"
+              "templateHash": "2515541218015614919"
             }
           },
           "parameters": {
@@ -884,155 +884,6 @@
                 "[resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultName'))]",
                 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
               ]
-            },
-            {
-              "condition": "[not(parameters('aiServicesExists'))]",
-              "type": "Microsoft.Resources/deployments",
-              "apiVersion": "2022-09-01",
-              "name": "[format('dependencies-{0}-cogsvc-rbac', parameters('suffix'))]",
-              "properties": {
-                "expressionEvaluationOptions": {
-                  "scope": "inner"
-                },
-                "mode": "Incremental",
-                "parameters": {
-                  "suffix": {
-                    "value": "[parameters('suffix')]"
-                  },
-                  "UAIPrincipalId": {
-                    "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), '2023-07-31-preview').principalId]"
-                  }
-                },
-                "template": {
-                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-                  "contentVersion": "1.0.0.0",
-                  "metadata": {
-                    "_generator": {
-                      "name": "bicep",
-                      "version": "0.33.93.31351",
-                      "templateHash": "199126274513046121"
-                    }
-                  },
-                  "parameters": {
-                    "UAIPrincipalId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Principal ID of the managed identity"
-                      }
-                    },
-                    "suffix": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Unique suffix for role assignment naming"
-                      }
-                    }
-                  },
-                  "resources": [
-                    {
-                      "type": "Microsoft.Authorization/roleAssignments",
-                      "apiVersion": "2022-04-01",
-                      "name": "[guid(subscription().subscriptionId, resourceGroup().id, resourceId('Microsoft.Authorization/roleDefinitions', 'b78c5d69-af96-48a3-bf8d-a8b4d589de94'), parameters('suffix'))]",
-                      "properties": {
-                        "principalId": "[parameters('UAIPrincipalId')]",
-                        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b78c5d69-af96-48a3-bf8d-a8b4d589de94')]",
-                        "principalType": "ServicePrincipal"
-                      }
-                    }
-                  ],
-                  "outputs": {
-                    "roleAssignmentId": {
-                      "type": "string",
-                      "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(subscription().subscriptionId, resourceGroup().id, resourceId('Microsoft.Authorization/roleDefinitions', 'b78c5d69-af96-48a3-bf8d-a8b4d589de94'), parameters('suffix')))]"
-                    }
-                  }
-                }
-              },
-              "dependsOn": [
-                "[resourceId('Microsoft.CognitiveServices/accounts', parameters('aiServicesName'))]",
-                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
-              ]
-            },
-            {
-              "condition": "[not(parameters('aiSearchExists'))]",
-              "type": "Microsoft.Resources/deployments",
-              "apiVersion": "2022-09-01",
-              "name": "[format('dependencies-{0}-aisearch-rbac', parameters('suffix'))]",
-              "properties": {
-                "expressionEvaluationOptions": {
-                  "scope": "inner"
-                },
-                "mode": "Incremental",
-                "parameters": {
-                  "aiProjectId": {
-                    "value": "[parameters('aiSearchName')]"
-                  },
-                  "aiProjectPrincipalId": {
-                    "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName')), '2023-07-31-preview').principalId]"
-                  },
-                  "aiSearchName": {
-                    "value": "[parameters('aiSearchName')]"
-                  }
-                },
-                "template": {
-                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-                  "contentVersion": "1.0.0.0",
-                  "metadata": {
-                    "_generator": {
-                      "name": "bicep",
-                      "version": "0.33.93.31351",
-                      "templateHash": "16079856828729639404"
-                    }
-                  },
-                  "parameters": {
-                    "aiSearchName": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Name of the AI Search service"
-                      }
-                    },
-                    "aiProjectPrincipalId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Principal ID of the managed identity"
-                      }
-                    },
-                    "aiProjectId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Unique suffix for resource naming"
-                      }
-                    }
-                  },
-                  "resources": [
-                    {
-                      "type": "Microsoft.Authorization/roleAssignments",
-                      "apiVersion": "2022-04-01",
-                      "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('aiSearchName'))]",
-                      "name": "[guid(subscription().subscriptionId, resourceGroup().id, resourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7'), parameters('aiProjectId'))]",
-                      "properties": {
-                        "principalId": "[parameters('aiProjectPrincipalId')]",
-                        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '8ebe5a00-799e-43f5-93ac-243d3dce84a7')]",
-                        "principalType": "ServicePrincipal"
-                      }
-                    },
-                    {
-                      "type": "Microsoft.Authorization/roleAssignments",
-                      "apiVersion": "2022-04-01",
-                      "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('aiSearchName'))]",
-                      "name": "[guid(subscription().subscriptionId, resourceGroup().id, resourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0'), parameters('aiProjectId'))]",
-                      "properties": {
-                        "principalId": "[parameters('aiProjectPrincipalId')]",
-                        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
-                        "principalType": "ServicePrincipal"
-                      }
-                    }
-                  ]
-                }
-              },
-              "dependsOn": [
-                "[resourceId('Microsoft.Search/searchServices', parameters('aiSearchName'))]",
-                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))]"
-              ]
             }
           ],
           "outputs": {
@@ -1794,7 +1645,8 @@
       },
       "dependsOn": [
         "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--hub', parameters('name'), parameters('uniqueSuffix')))]",
-        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--identity', parameters('name'), parameters('uniqueSuffix')))]"
+        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--identity', parameters('name'), parameters('uniqueSuffix')))]",
+        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--private-endpoint', parameters('name'), parameters('uniqueSuffix')))]"
       ]
     },
     {

scenarios/Agents/setup/network-secured-agent/main.bicep

@@ -233,6 +233,9 @@ module aiProject 'modules-network-secured/network-secured-ai-project.bicep' = {
     aiHubId: aiHub.outputs.aiHubID
     uaiName: identity.outputs.uaiName
   }
+  dependsOn: [
+    privateEndpointAndDNS
+  ]
 }
 module waitScript 'modules-network-secured/common/wait-script.bicep' = {
   name: 'wait-script-${uniqueSuffix}-deployment'

scenarios/Agents/setup/network-secured-agent/modules-network-secured/network-secured-dependent-resources.bicep

@@ -46,22 +46,22 @@ param aiSearchName string
 param storageName string
 
 @description('Model name for deployment')
-param modelName string 
+param modelName string
 
 @description('Model format for deployment')
-param modelFormat string 
+param modelFormat string
 
 @description('Model version for deployment')
-param modelVersion string 
+param modelVersion string
 
 @description('Model deployment SKU name')
-param modelSkuName string 
+param modelSkuName string
 
 @description('Model deployment capacity')
-param modelCapacity int 
+param modelCapacity int
 
 @description('Model/AI Resource deployment location')
-param modelLocation string 
+param modelLocation string
 
 @description('The Kind of AI Service, can be "OpenAI" or "AIService"')
 param aisKind string
@@ -337,25 +337,6 @@ module keyVaultAccessAssignment './keyvault-role-assignments.bicep' = if(!keyvau
   dependsOn: [ defaultKeyVault ]
 }
 
-module cognitiveServicesAccessAssignment './cognitive-services-role-assignments.bicep' = if(!aiServicesExists){
-  name: 'dependencies-${suffix}-cogsvc-rbac'
-  params: {
-    suffix: suffix
-    UAIPrincipalId: uai.properties.principalId
-    }
-  dependsOn: [ defaultAiServices ]
-}
-
-module aiSearchAccessAssignment 'ai-search-role-assignments.bicep' = if(!aiSearchExists){
-  name: 'dependencies-${suffix}-aisearch-rbac'
-  params: {
-    aiProjectId: aiSearchName
-    aiProjectPrincipalId: uai.properties.principalId
-    aiSearchName: aiSearchName
-    }
-  dependsOn: [ defaultAiSearch ]
-}
-
 /* -------------------------------------------- Output Variables -------------------------------------------- */
 
 var aiServiceParts = aiServicesExists ? split(existingAiServices.id, '/') : split(defaultAiServices.id, '/')
@@ -366,7 +347,7 @@ output aiServicesName string =  aiServicesExists ? existingAiServices.name : def
 output aiservicesID string = aiServicesExists ? existingAiServices.id : defaultAiServices.id
 output aiservicesTarget string = aiServicesExists ? existingAiServices.properties.endpoint : defaultAiServices.properties.endpoint
 output aiServiceAccountResourceGroupName string = aiServiceParts[4]
-output aiServiceAccountSubscriptionId string = aiServiceParts[2] 
+output aiServiceAccountSubscriptionId string = aiServiceParts[2]
 
 output aiSearchName string = aiSearchExists ? existingAiSearch.name : defaultAiSearch.name
 output aisearchID string = aiSearchExists ? existingAiSearch.id : defaultAiSearch.id