foundry role assignment

Author: Pavan-Microsoft

infra/deploy_ai_foundry.bicep

@@ -233,6 +233,17 @@ resource aiUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01
   }
 }
 
+module assignAiUserRoleToManagedIdentity 'deploy_foundry_role_assignment.bicep' = if(!empty(azureExistingAIProjectResourceId)) {
+  name: 'assignAiUserRoleToManagedIdentity'
+  scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
+  params: {
+    roleDefinitionId: aiUser.id
+    roleAssignmentName: guid(managedIdentityObjectId, aiServices.id, aiUser.id)
+    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
+    userassignedIdentityId: managedIdentityObjectId
+  }
+}
+
 resource tenantIdEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
   parent: keyVault
   name: 'TENANT-ID'
@@ -289,6 +300,14 @@ resource azureOpenAICUEndpointEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-0
   }
 }
 
+resource azureOpenAICUApiKeyEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
+  parent: keyVault
+  name: 'AZURE-OPENAI-CU-KEY'
+  properties: {
+    value: aiServices_CU.listKeys().key1
+  }
+}
+
 resource azureOpenAICUApiVersionEntry 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
   parent: keyVault
   name: 'AZURE-OPENAI-CU-VERSION'

infra/deploy_backend_docker.bicep

@@ -9,13 +9,15 @@ param solutionLocation string
 param appSettings object = {}
 param appServicePlanId string
 param userassignedIdentityId string
-param aiProjectName string
 param keyVaultName string
 param aiServicesName string
 param useLocalBuild string
+param azureExistingAIProjectResourceId string = ''
+var existingAIServiceSubscription = !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[2] : subscription().subscriptionId
+var existingAIServiceResourceGroup = !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[4] : resourceGroup().name
+var existingAIServicesName = !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[8] : ''
 
 var imageName = 'DOCKER|${acrName}.azurecr.io/km-api:${imageTag}'
-//var name = '${solutionName}-api'
 param name string 
 var reactAppLayoutConfig ='''{
   "appConfig": {
@@ -121,24 +123,7 @@ resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-
 
 resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
   name: aiServicesName
-}
-
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' existing = {
-  parent: aiServices
-  name: aiProjectName
-}
-
-resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
-  name: '64702f94-c441-49e6-a78b-ef80e0188fee'
-}
-
-resource aiDeveloperAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(appService.name, aiProject.id, aiDeveloper.id)
-  scope: aiProject
-  properties: {
-    roleDefinitionId: aiDeveloper.id
-    principalId: appService.outputs.identityPrincipalId
-  }
+  scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
 }
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
@@ -162,21 +147,14 @@ resource aiUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing =
   name: '53ca6127-db72-4b80-b1b0-d745d6d5456d'
 }
 
-resource aiUserAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(appService.name, aiProject.id, aiUser.id)
-  scope: aiProject
-  properties: {
-    roleDefinitionId: aiUser.id
+module assignAiUserRoleToAiProject 'deploy_foundry_role_assignment.bicep' = if (!empty(azureExistingAIProjectResourceId)){
+  name: 'assignAiUserRoleToAiProject'
+  scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
+  params: {
     principalId: appService.outputs.identityPrincipalId
-  }
-}
-
-resource aiUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(appService.name, aiServices.id, aiUser.id)
-  scope: aiServices
-  properties: {
     roleDefinitionId: aiUser.id
-    principalId: appService.outputs.identityPrincipalId
+    roleAssignmentName: guid(appService.name, aiServices.id, aiUser.id)
+    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
   }
 }
 

infra/deploy_foundry_role_assignment.bicep

@@ -0,0 +1,28 @@
+param principalId string = ''
+param roleDefinitionId string
+param roleAssignmentName string = ''
+param aiServicesName string
+param userassignedIdentityId string = ''
+
+resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
+  name: aiServicesName
+}
+
+resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(aiServicesName) && !empty(principalId)) {
+  name: roleAssignmentName
+  scope: aiServices
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+  }
+}
+
+resource roleAssignmentToManagedIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(userassignedIdentityId)) {
+  name: roleAssignmentName
+  scope: aiServices
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: userassignedIdentityId
+    principalType: 'ServicePrincipal'
+  }
+}

infra/main.bicep

@@ -209,10 +209,10 @@ module backend_docker 'deploy_backend_docker.bicep' = {
     appServicePlanId: hostingplan.outputs.name
     applicationInsightsId: aifoundry.outputs.applicationInsightsId
     userassignedIdentityId: managedIdentityModule.outputs.managedIdentityBackendAppOutput.id
-    aiProjectName: aifoundry.outputs.aiProjectName
     keyVaultName: kvault.outputs.keyvaultName
     aiServicesName: aifoundry.outputs.aiServicesName
     useLocalBuild: useLocalBuildLower
+    azureExistingAIProjectResourceId: azureExistingAIProjectResourceId 
     appSettings: {
       AZURE_OPENAI_DEPLOYMENT_MODEL: gptModelName
       AZURE_OPENAI_ENDPOINT: aifoundry.outputs.aiServicesTarget