add apim connection project managed identity (#461)

Vijendra123 · vtomarmic · web-flow · commit 3956e365db5b · 2026-01-15T12:08:47.000-08:00
* chnages for pmi

* add mi

* update

* update

* update

* update azure ai url

---------

Co-authored-by: vtomar &lt;vtomar@microsoft.com&gt;
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/connection-apim.bicep b/infrastructure/infrastructure-setup-bicep/01-connections/apim/connection-apim.bicep
@@ -43,7 +43,7 @@ param connectionName string = ''
 @description('APIM subscription name for API key auth')
 param apimSubscriptionName string = 'master'
 
-@allowed(['ApiKey'])
+@allowed(['ApiKey', 'ProjectManagedIdentity'])
 @description('Authentication type')
 param authType string = 'ApiKey'
 
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/modules/apim-connection-common.bicep b/infrastructure/infrastructure-setup-bicep/01-connections/apim/modules/apim-connection-common.bicep
@@ -74,23 +74,23 @@ resource connectionApiKey 'Microsoft.CognitiveServices/accounts/projects/connect
   }
 }
 
-// TODO: Future AAD connection (when role assignments are implemented)
-// resource connectionAAD 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = if (authType == 'AAD') {
-//   name: connectionName
-//   parent: aiProject
-//   properties: {
-//     category: 'ApiManagement'
-//     target: '${existingApim.properties.gatewayUrl}/${apimApi.properties.path}'
-//     authType: 'AAD'
-//     isSharedToAll: isSharedToAll
-//     credentials: {}
-//     metadata: metadata
-//   }
-// }
+resource connectionAAD 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = if (authType == 'ProjectManagedIdentity') {
+  name: connectionName
+  parent: aiProject
+  properties: {
+    category: 'ApiManagement'
+    target: '${existingApim.properties.gatewayUrl}/${apimApi.properties.path}'
+    authType: 'ProjectManagedIdentity'
+    audience: 'https://cognitiveservices.azure.com'
+    isSharedToAll: isSharedToAll
+    credentials: {}
+    metadata: metadata
+  }
+}
 
 // Outputs (only from the created connection)
-output connectionName string = authType == 'ApiKey' ? connectionApiKey.name : ''
-output connectionId string = authType == 'ApiKey' ? connectionApiKey.id : ''
+output connectionName string = authType == 'ApiKey' ? connectionApiKey.name : connectionAAD.name
+output connectionId string = authType == 'ApiKey' ? connectionApiKey.id : connectionApiKey.name
 output targetUrl string = '${existingApim.properties.gatewayUrl}/${apimApi.properties.path}'
 output authType string = authType
 output metadata object = metadata
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-custom-auth-config.json b/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-custom-auth-config.json
@@ -15,6 +15,7 @@
       "value": "YOUR-CONNECTION-NAME"
     },
     "authType": {
+      "_comment": "Set to ApiKey or ProjectManagedIdentity",
       "value": "ApiKey"
     },
     "isSharedToAll": {
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-custom-headers.json b/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-custom-headers.json
@@ -15,6 +15,7 @@
       "value": "YOUR-CONNECTION-NAME"
     },
     "authType": {
+      "_comment": "Set to ApiKey or ProjectManagedIdentity",
       "value": "ApiKey"
     },
     "isSharedToAll": {
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-dynamic-discovery.json b/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-dynamic-discovery.json
@@ -15,6 +15,7 @@
       "value": "YOUR-CONNECTION-NAME"
     },
     "authType": {
+      "_comment": "Set to ApiKey or ProjectManagedIdentity",
       "value": "ApiKey"
     },
     "isSharedToAll": {
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-static-models.json b/infrastructure/infrastructure-setup-bicep/01-connections/apim/samples/parameters-static-models.json
@@ -15,6 +15,7 @@
       "value": "YOUR-CONNECTION-NAME"
     },
     "authType": {
+      "_comment": "Set to ApiKey or ProjectManagedIdentity",
       "value": "ApiKey"
     },
     "isSharedToAll": {
diff --git a/infrastructure/infrastructure-setup-bicep/01-connections/model-gateway/samples/parameters-foundryazureai.json b/infrastructure/infrastructure-setup-bicep/01-connections/model-gateway/samples/parameters-foundryazureai.json
@@ -6,7 +6,7 @@
       "value": "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RG/providers/Microsoft.CognitiveServices/accounts/YOUR-AI-FOUNDRY-ACCOUNT/projects/YOUR-PROJECT"
     },
     "targetUrl": {
-      "value": "https://<your-foundry-resource>.openai.azure.com/openai"
+      "value": "https://<your-foundry-resource>.services.ai.azure.com/models"
     },
     "gatewayName": {
       "value": "YOUR-GATEWAY-NAME"
