Simplify networking architecture (#123)

Author: jgbradley1

docs/DEPLOYMENT-GUIDE.md

@@ -21,11 +21,12 @@ The setup/deployment process has been mostly automated with a shell script and B
 
 
 #### RBAC Permissions
-You will need the following <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/overview">Azure Role Based Access </a>permissions at the Subscription level to deploy the GraphRAG solution accelerator.  By default, Azure resources will be deployed with <a href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview">Azure Managed Identities </a>in place, keeping with security best practices.  Due to this enhanced security configuration, higher level permissions are required in order to deploy the necessary Azure resources:
+You will need the following <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/overview">Azure Role Based Access </a>permissions to deploy the GraphRAG solution accelerator.  By default, Azure resources will be deployed with <a href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview">Azure Managed Identities </a>in place, keeping with security best practices.  Due to this enhanced security configuration, higher level permissions are required in order to deploy the necessary Azure resources:
 | Permission | Scope |
 | :--- | ---: |
-Contributor            | Subscription
+Contributor                                    | Subscription
 Role Based Access Control (RBAC) Administrator | Subscription
+Owner                                          | Resource Group
 
 #### Resource Providers
 The Azure subscription that you deploy this solution accelerator in will require both the `Microsoft.OperationsManagement` and `Microsoft.AlertsManagement` resource providers to be registered.
@@ -79,8 +80,8 @@ In the `deploy.parameters.json` file, provide values for the following required
 | :--- | :--- | --- | ---: |
 `RESOURCE_GROUP`                       | <my_resource_group>                       | Yes | The resource group that GraphRAG will be deployed in. Will get created automatically if the resource group does not exist.
 `LOCATION`                             | <my_location>                             | Yes | The azure cloud region to deploy GraphRAG resources in.
-`CONTAINER_REGISTRY_SERVER`            | <my_container_registry>.azurecr.io        | No  | Name of an existing Azure Container Registry where the `graphrag` backend docker image is hosted. Will get created automatically if not provided.
-`GRAPHRAG_IMAGE`                       | graphrag:backend                          | No  | The name and tag of the graphrag docker image in the container registry. Will default to `graphrag:backend`.
+`CONTAINER_REGISTRY_NAME`              | <my_container_registry_name>              | No  | Name of an Azure Container Registry where the `graphrag` backend docker image will be hosted. Leave off `.azurecr.io` from the name. If not provided, a unique name will be generated (recommended).
+`GRAPHRAG_IMAGE`                       | graphrag:backend                          | No  | The name and tag of the graphrag docker image in the container registry. Will default to `graphrag:backend` and be hosted at `my_container_registry_name>.azurecr.io/graphrag:backend`.
 `GRAPHRAG_API_BASE`                    | https://<my_openai_name>.openai.azure.com | Yes | Azure OpenAI service endpoint.
 `GRAPHRAG_API_VERSION`                 | 2023-03-15-preview                        | Yes | Azure OpenAI API version.
 `GRAPHRAG_LLM_MODEL`                   | gpt-4                                     | Yes | Name of the gpt-4 turbo model.
@@ -89,10 +90,11 @@ In the `deploy.parameters.json` file, provide values for the following required
 `GRAPHRAG_EMBEDDING_DEPLOYMENT_NAME`   |                                           | Yes | Deployment name of the Azure OpenAI embedding model.
 `GRAPHRAG_COGNITIVE_SERVICES_ENDPOINT` |                                           | No  | Endpoint for cognitive services identity authorization. Will default to `https://cognitiveservices.azure.com/.default` for Azure Commercial cloud but should be defined for deployments in other Azure clouds.
 `APIM_NAME`                            |                                           | No  | Hostname of the API. Must be a globally unique name. The API will be accessible at `https://<APIM_NAME>.azure-api.net`. If not provided a unique name will be generated.
+`APIM_TIER`                            |                                           | No  | The [APIM tier](https://azure.microsoft.com/en-us/pricing/details/api-management) to use. Must be either `Developer` or `StandardV2`. Will default to `Developer` for cost savings.
 `RESOURCE_BASE_NAME`                   |                                           | No  | Suffix to apply to all azure resource names. If not provided a unique suffix will be generated.
 `AISEARCH_ENDPOINT_SUFFIX`             |                                           | No  | Suffix to apply to AI search endpoint. Will default to `search.windows.net` for Azure Commercial cloud but should be overridden for deployments in other Azure clouds.
 `AISEARCH_AUDIENCE`                    |                                           | No  | Audience for AAD for AI Search. Will default to `https://search.azure.com/` for Azure Commercial cloud but should be overridden for deployments in other Azure clouds.
-`REPORTERS`                            | blob,console,app_insights                 | No  | The type of logging to enable. A comma separated string containing at least one of the following `[blob,console,file,app_insights]`. Default value = `blob,console,app_insights`
+`REPORTERS`                            | blob,console,app_insights                 | No  | The type of logging to enable. A comma separated string containing any of the following values: `[blob,console,file,app_insights]`. Will default to `"blob,console,app_insights"`.
 
 ### 5. Deploy solution accelerator to the resource group
 ```shell

infra/core/acr/acr.bicep

@@ -1,14 +1,14 @@
 @description('The name of the Container Registry resource. Will be automatically generated if not provided.')
-param name string = ''
+param registryName string
 
 @description('The location of the Container Registry resource.')
 param location string = resourceGroup().location
 
-var resourceBaseNameFinal = !empty(name) ? name : toLower(uniqueString('${subscription().id}/resourceGroups/${resourceGroup().name}'))
-var abbrs = loadJsonContent('../../abbreviations.json')
+@description('Array of objects with fields principalId, principalType, roleDefinitionId')
+param roleAssignments array = []
 
 resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
-  name: !empty(name) ? name : '${abbrs.containerRegistryRegistries}${resourceBaseNameFinal}'
+  name: registryName
   location: location
   sku: {
     name: 'Standard'
@@ -27,5 +27,14 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' =
   }
 }
 
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for role in roleAssignments: {
+    name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
+    scope: registry
+    properties: role
+  }
+]
+
 output name string = registry.name
+output id string = registry.id
 output loginServer string = registry.properties.loginServer

infra/core/ai-search/ai-search.bicep

@@ -29,12 +29,12 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
 }
 
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for roleAssignment in roleAssignments: {
-    name: guid('${roleAssignment.principalId}-${roleAssignment.principalType}-${roleAssignment.roleDefinitionId}')
+  for role in roleAssignments: {
+    name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
     scope: aiSearch
-    properties: roleAssignment
+    properties: role
   }
 ]
 
-output id string = aiSearch.id
 output name string = aiSearch.name
+output id string = aiSearch.id

infra/core/aks/aks.bicep

@@ -49,11 +49,22 @@ param sshRSAPublicKey string
 @description('Enable encryption at host')
 param enableEncryptionAtHost bool = false
 
-@description('Resource ID of subnet to use for all node pools.')
-param vnetSubnetId string = ''
-var vnetSubnetIdVar = !empty(vnetSubnetId) ? vnetSubnetId : null
+param subnetId string
 
-resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
+param privateDnsZoneName string
+
+@description('Array of objects with fields principalType, roleDefinitionId')
+param ingressRoleAssignments array = []
+
+@description('Array of objects with fields principalType, roleDefinitionId')
+param systemRoleAssignments array = []
+
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
+  name: privateDnsZoneName
+}
+
+resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
   name: clusterName
   location: location
   identity: {
@@ -85,13 +96,21 @@ resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
         osType: 'Linux'
         mode: 'System'
         enableEncryptionAtHost: enableEncryptionAtHost
-        vnetSubnetID: vnetSubnetIdVar
+        vnetSubnetID: subnetId
         type: 'VirtualMachineScaleSets'
       }
     ]
     autoScalerProfile: {
       expander: 'least-waste'
     }
+    ingressProfile: {
+      webAppRouting: {
+        enabled: true
+        dnsZoneResourceIds: [
+          privateDnsZone.id
+        ]
+      }
+    }
     linuxProfile: {
       adminUsername: linuxAdminUsername
       ssh: {
@@ -132,7 +151,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
       osType: 'Linux'
       mode: 'User'
       enableEncryptionAtHost: enableEncryptionAtHost
-      vnetSubnetID: vnetSubnetIdVar
+      vnetSubnetID: subnetId
       nodeLabels: {
         workload: 'graphrag'
       }
@@ -152,7 +171,7 @@ resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedCluste
       schedule: {
         weekly: {
           intervalWeeks: 1
-          dayOfWeek: 'Sunday'
+          dayOfWeek: 'Monday'
         }
       }
       durationHours: 4
@@ -180,9 +199,35 @@ resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClus
   }
 }
 
+// role assignment to ingress identity
+resource webAppRoutingPrivateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for role in ingressRoleAssignments: {
+    name: guid('${role.roleDefinitionId}-${privateDnsZone.id}')
+    scope: privateDnsZone
+    properties: {
+      principalId: aks.properties.ingressProfile.webAppRouting.identity.objectId
+      principalType: role.principalType
+      roleDefinitionId: role.roleDefinitionId
+    }
+  }
+]
+
+// role assignment to AKS system identity
+resource systemRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for role in systemRoleAssignments: {
+    name: guid('${role.roleDefinitionId}-${aks.id}')
+    scope: resourceGroup()
+    properties: {
+      principalId: aks.identity.principalId
+      principalType: role.principalType
+      roleDefinitionId: role.roleDefinitionId
+    }
+  }
+]
+
 output name string = aks.name
+output id string = aks.id
 output managedResourceGroup string = aks.properties.nodeResourceGroup
-output controlPlaneFQDN string = aks.properties.fqdn
-output principalId string = aks.identity.principalId
+output controlPlaneFqdn string = aks.properties.fqdn
 output kubeletPrincipalId string = aks.properties.identityProfile.kubeletidentity.objectId
 output issuer string = aks.properties.oidcIssuerProfile.issuerURL