This Terraform module is composed of several submodules, which are combined in the primary module to provide a complete solution. Each submodule can also be deployed independently—see [./modules/](./modules/) for details.
For a typical deployment, refer to the quick start [Usage](#usage) example below or the examples provided in each submodule's documentation.
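As a rough sketch only (the module source address and input names below are illustrative assumptions, not the documented interface; see the [Usage](#usage) example for the authoritative inputs), a minimal root-module invocation might look like:

```hcl
# Minimal sketch: the source address and inputs are placeholders.
module "ai_stack" {
  source = "<module source>" # e.g. a registry or Git address

  location            = "westeurope"
  resource_group_name = "rg-ai-stack"
}
```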
The module enables you to quickly and easily deploy a comprehensive AI stack on Azure, supporting everything from initial AI development to production- and enterprise-ready solutions.
We apply the highest security standards regarding networking and authentication. By default, all Azure services in this module have API key support disabled and communicate securely via Azure Identities (Entra ID Service Principals).
> [!NOTE]
> This module uses both [`azurerm` provider](https://registry.terraform.io/providers/hashicorp/azurerm) and [`azapi` provider](https://registry.terraform.io/providers/Azure/azapi) resources for Azure AI services that are not yet fully supported by the `azurerm` provider. You must configure the `azapi` provider, especially [authentication](https://registry.terraform.io/providers/Azure/azapi/latest/docs#authenticating-to-azure), in your root module.
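For example, a root module could declare and configure both providers as follows. The version constraints are placeholders, and when given no explicit arguments the `azapi` provider falls back to the same Azure CLI, environment-variable, or managed-identity authentication flow as `azurerm`:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.0" # placeholder constraint
    }
    azapi = {
      source  = "Azure/azapi"
      version = ">= 2.0" # placeholder constraint
    }
  }
}

provider "azurerm" {
  features {}
}

# With no explicit arguments, azapi authenticates via the Azure CLI,
# environment variables, or a managed identity.
provider "azapi" {}
```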
> [!CAUTION]
> Once the `azurerm` provider fully supports all required resources for this module, we will migrate from `azapi` resources to `azurerm` resources. **This will introduce breaking changes** and will be released as a new major version in accordance with semantic versioning.
## RBAC
### Azure AI Service Role Assignments
> [!IMPORTANT]
> By default (`create_rbac = true`), this module creates all necessary Azure role assignments to enable secure communication between services. Assigning Azure roles requires Owner permissions on the resource group where the AI stack is deployed. If you do not have these permissions, you can disable role assignment creation (`create_rbac = false`). In this case, you must manually create the required Azure role assignments for the various AI service identities to ensure proper functionality.
The following role assignments are created to enable communication between AI services:

| Role | Scope | Principal |
| -- | -- | -- |
| Cognitive Services OpenAI Contributor | AI Service | AI Search Service Identity |
| Search Index Data Reader | AI Search Service | AI Service Identity |
| Search Service Contributor | AI Search Service | AI Service Identity |
| Storage Blob Data Contributor | Storage Account | AI Service Identity |
| Storage Blob Data Reader | Storage Account | AI Search Service Identity |
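With `create_rbac = false`, each of these assignments must be recreated manually. A hedged sketch for the first row, assuming you hold references to the AI service and AI Search service resources (both resource addresses are placeholders):

```hcl
# Placeholder references: substitute the IDs of your own AI service
# and AI Search service resources.
resource "azurerm_role_assignment" "search_identity_openai_contributor" {
  scope                = azurerm_ai_services.this.id
  role_definition_name = "Cognitive Services OpenAI Contributor"
  principal_id         = azurerm_search_service.this.identity[0].principal_id
}
```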
### AI Developer Role
> [!TIP]
> You will likely want to set the `ai_developer_principal_id` variable to grant an Entra ID group or user access to the AI stack and permissions on the individual Azure AI services.
If `ai_developer_principal_id` is set (optional), the following roles are assigned to the specified principal:

| Role | Scope |
| -- | -- |
| Storage Blob Data Contributor | Storage Account |
| Storage File Data Privileged Contributor | Storage Account |
| Cognitive Services Contributor | AI Service |
| Cognitive Services OpenAI Contributor | AI Service |
| Cognitive Services User | AI Service |
| User Access Administrator | AI Service |
| Search Index Data Contributor | AI Search Service |
| Search Service Contributor | AI Search Service |
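To pass an Entra ID group as the principal, you could look it up with the `azuread` provider and feed its object ID to the module. The group name and module source below are illustrative assumptions:

```hcl
data "azuread_group" "ai_developers" {
  display_name = "AI-Developers" # assumed group name
}

module "ai_stack" {
  source = "<module source>" # placeholder

  ai_developer_principal_id = data.azuread_group.ai_developers.object_id
  # ... remaining inputs omitted
}
```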
This module creates a dedicated developer resource group, granting the specified group or user (`ai_developer_principal_id`) Owner permissions. This ensures that AI developers can create additional resources without mixing them into the main resource group (`resource_group_name`) where the module's Terraform resources are deployed. The developer resource group can be disabled if not needed.
## External Resources
The following resources were referenced during the development of this module and may be helpful for further module development:
Description: The principal ID of a user or group of AI Developers who will have access to the AI stack.

The following roles will be assigned to the given principal ID:

| Role | Scope |
| -- | -- |
| Azure AI Developer | AI Foundry Hub |
| Azure AI Developer | AI Foundry Project |
| Contributor | Developer Resource Group |
| Storage Blob Data Contributor | Storage Account |
| Storage File Data Privileged Contributor | Storage Account |
| Cognitive Services Contributor | AI Service |
| Cognitive Services OpenAI Contributor | AI Service |
| Cognitive Services User | AI Service |
| User Access Administrator | AI Service |
| Search Index Data Contributor | AI Search Service |
| Search Service Contributor | AI Search Service |

| Argument | Description |
| -- | -- |
| `isolation_mode` | Isolation mode for the managed network of a machine learning workspace. Possible values are `AllowOnlyApprovedOutbound`, `AllowInternetOutbound`, or `Disabled`. |
| `public_network_access` | Whether requests from Public Network are allowed. |

**NOTE**: The `User Access Administrator` role is assigned with the condition that only the `Cognitive Services OpenAI User` role can be assigned to user principals. This is necessary to successfully deploy a Web App on top of an AI Model through the AI Foundry Hub.
Default: `[]`

Description: If set to `true` (default), the following mandatory Azure role assignments will be created:

| Role | Scope | Principal |
| -- | -- | -- |
| Cognitive Services OpenAI Contributor | AI Service | AI Search Service Identity |
| Search Index Data Reader | AI Search Service | AI Service Identity |
| Search Service Contributor | AI Search Service | AI Service Identity |
| Storage Blob Data Contributor | Storage Account | AI Service Identity |
| Storage Blob Data Reader | Storage Account | AI Search Service Identity |

**NOTE**: If set to `false`, these role assignments must be created manually to ensure the AI Foundry Hub Project functions correctly.
Description: Network configuration for the AI Hub.

Optional arguments:

| Argument | Description |
| -- | -- |
| `isolation_mode` | Isolation mode for the managed network of a machine learning workspace. Possible values are `AllowOnlyApprovedOutbound`, `AllowInternetOutbound`, or `Disabled`. |
| `public_network_access` | Whether requests from Public Network are allowed. |

**NOTE**:
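For illustration, the network object might be set as follows. The enclosing input name is an assumption; check the variable's actual name in the module's `variables.tf`:

```hcl
# Assumed input name, shown for illustration only.
ai_hub_network = {
  isolation_mode        = "AllowOnlyApprovedOutbound"
  public_network_access = "Disabled"
}
```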
Description: A list of models to deploy to the workspace.

Required parameters:

| Parameter | Description |
| -- | -- |
| `name` | The name of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. |

Optional parameters:

| Parameter | Description |
| -- | -- |
| `deployment_name` | The name to assign to the model deployment. If not specified, the value of `name` is used by default. This property allows you to customize the deployment resource name independently of the model name. |
| `format` | The format of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. Possible value is `OpenAI`. |
| `sku_capacity` | Tokens-per-Minute (TPM), measured in thousands of tokens per minute. Defaults to `1`, which means a limit of `1000` tokens per minute. If the resource's SKU supports scale in/out, the capacity field should be included in the resource's configuration; otherwise it can be safely omitted. For more information about TPM, see the [product documentation](https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest). |
| `sku_name` | The name of the SKU. Possible values include `Standard`, `DataZoneStandard`, `DataZoneProvisionedManaged`, `GlobalBatch`, `GlobalProvisionedManaged`, `GlobalStandard`, and `ProvisionedManaged`. |
| `version` | The version of the Cognitive Services Account Deployment model. If `version` is not specified, the default version of the model at that time is assigned. |

**Note**: `DataZoneProvisionedManaged`, `GlobalProvisionedManaged`, and `ProvisionedManaged` are purchased on demand at an hourly rate based on the number of deployed PTUs, with substantial term discounts available via the purchase of Azure Reservations. Currently, this step cannot be completed using Terraform. For more details, please refer to the [provisioned throughput onboarding documentation](https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/provisioned-throughput-onboarding).
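A deployment entry combining these parameters might look like the following. The surrounding input name and the model name/version shown are illustrative assumptions:

```hcl
# Assumed input name; one entry per model to deploy.
models = [
  {
    name         = "gpt-4o"          # example model
    format       = "OpenAI"
    version      = "2024-08-06"      # example version
    sku_name     = "GlobalStandard"
    sku_capacity = 10                # 10,000 tokens per minute
  }
]
```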