Fix deployment error

Pavan-Microsoft · Pavan-Microsoft · commit bd9681b343bf · 2025-07-17T12:50:09.000+05:30
diff --git a/infra/deploy_ai_foundry.bicep b/infra/deploy_ai_foundry.bicep
@@ -250,18 +250,18 @@ module assignFoundryRoleToMIExisting 'deploy_foundry_role_assignment.bicep' = if
   params: {
     roleDefinitionId: aiUser.id
     roleAssignmentName: guid(resourceGroup().id, managedIdentityObjectId, aiUser.id, 'foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: managedIdentityObjectId
-    // Use the existing AI project resource ID to determine the location and other properties
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    aiLocation: existing_aiServicesModule.outputs.location
+    aiKind: existing_aiServicesModule.outputs.kind
+    aiSkuName: existing_aiServicesModule.outputs.skuName
+    customSubDomainName: existing_aiServicesModule.outputs.customSubDomainName
+    publicNetworkAccess: existing_aiServicesModule.outputs.publicNetworkAccess
+    enableSystemAssignedIdentity: true
+    defaultNetworkAction: existing_aiServicesModule.outputs.defaultNetworkAction
+    vnetRules: existing_aiServicesModule.outputs.vnetRules
+    ipRules: existing_aiServicesModule.outputs.ipRules
     aiModelDeployments: aiModelDeployments // Pass the model deployments to the module if model not already deployed
   }
 }
@@ -280,28 +280,27 @@ resource cognitiveServicesOpenAIUser 'Microsoft.Authorization/roleDefinitions@20
   name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
 }
 
-module assignOpenAIRoleToAISearch 'deploy_foundry_role_assignment.bicep' = {
-  name: 'assignOpenAIRoleToAISearch'
+resource assignOpenAIRoleToAISearch 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (empty(azureExistingAIProjectResourceId))  {
+  name: guid(resourceGroup().id, aiServices.id, cognitiveServicesOpenAIUser.id)
+  scope: aiServices
+  properties: {
+    principalId: aiSearch.identity.principalId
+    roleDefinitionId: cognitiveServicesOpenAIUser.id
+    principalType: 'ServicePrincipal'
+  }
+}
+
+module assignOpenAIRoleToAISearchExisting 'deploy_foundry_role_assignment.bicep' = if (!empty(azureExistingAIProjectResourceId)) {
+  name: 'assignOpenAIRoleToAISearchExisting'
   scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
   params: {
     roleDefinitionId: cognitiveServicesOpenAIUser.id
     roleAssignmentName: guid(resourceGroup().id, aiSearch.id, cognitiveServicesOpenAIUser.id, 'openai-foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: aiSearch.identity.principalId
-    // Use the existing AI project resource ID to determine the location and other properties
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
-  dependsOn: [
-    assignFoundryRoleToMIExisting
-  ]
 }
 
 resource searchIndexDataReader 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
@@ -322,7 +321,7 @@ resource assignSearchIndexDataReaderToExistingAiProject 'Microsoft.Authorization
   name: guid(resourceGroup().id, existingAIProjectName, searchIndexDataReader.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchIndexDataReader.id
     principalType: 'ServicePrincipal'
   }
@@ -346,7 +345,7 @@ resource assignSearchServiceContributorToExistingAiProject 'Microsoft.Authorizat
   name: guid(resourceGroup().id, existingAIProjectName, searchServiceContributor.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchServiceContributor.id
     principalType: 'ServicePrincipal'
   }
diff --git a/infra/deploy_backend_docker.bicep b/infra/deploy_backend_docker.bicep
@@ -185,14 +185,7 @@ module assignAiUserRoleToAiProject 'deploy_foundry_role_assignment.bicep' = {
     roleAssignmentName: guid(appService.name, aiServices.id, aiUser.id)
     aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
     aiProjectName: !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[10] : ''
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : aideploymentsLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
 }
 
diff --git a/infra/deploy_foundry_role_assignment.bicep b/infra/deploy_foundry_role_assignment.bicep
@@ -6,14 +6,19 @@ param aiProjectName string = ''
 param aiLocation string=''
 param aiKind string=''
 param aiSkuName string=''
+param enableSystemAssignedIdentity bool = false
 param customSubDomainName string = ''
 param publicNetworkAccess string = ''
-param defaultNetworkAction string
+param defaultNetworkAction string = ''
 param vnetRules array = []
 param ipRules array = []
 param aiModelDeployments array = []
 
-resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
+resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = if (!enableSystemAssignedIdentity) {
+  name: aiServicesName
+}
+
+resource aiServicesWithIdentity 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if (enableSystemAssignedIdentity) {
   name: aiServicesName
   location: aiLocation
   kind: aiKind
@@ -38,7 +43,7 @@ resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' =
 
 @batchSize(1)
 resource aiServicesDeployments 'Microsoft.CognitiveServices/accounts/deployments@2025-04-01-preview' = [for aiModeldeployment in aiModelDeployments: if (!empty(aiModelDeployments)) {
-  parent: aiServices
+  parent: aiServicesWithIdentity
   name: aiModeldeployment.name
   properties: {
     model: {
@@ -53,9 +58,14 @@ resource aiServicesDeployments 'Microsoft.CognitiveServices/accounts/deployments
   }
 }]
 
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName)) {
+resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' existing = if (!empty(aiProjectName) && !enableSystemAssignedIdentity) {
   name: aiProjectName
   parent: aiServices
+}
+
+resource aiProjectWithIdentity 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName) && enableSystemAssignedIdentity) {
+  name: aiProjectName
+  parent: aiServicesWithIdentity
   location: aiLocation
   identity: {
     type: 'SystemAssigned'
@@ -64,7 +74,16 @@ resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-pre
 }
 
 // Role Assignment to AI Services
-resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+resource roleAssignmentToFoundryExisting 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableSystemAssignedIdentity) {
+  name: roleAssignmentName
+  scope: aiServicesWithIdentity
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+  }
+}
+
+resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!enableSystemAssignedIdentity) {
   name: roleAssignmentName
   scope: aiServices
   properties: {
@@ -74,5 +93,5 @@ resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-0
 }
 
 // Outputs
-output aiServicesPrincipalId string = aiServices.identity.principalId
-output aiProjectPrincipalId string = !empty(aiProjectName) ? aiProject.identity.principalId : ''
+output aiServicesPrincipalId string = enableSystemAssignedIdentity ? aiServicesWithIdentity.identity.principalId : aiServices.identity.principalId
+output aiProjectPrincipalId string = !empty(aiProjectName) && enableSystemAssignedIdentity ? aiProjectWithIdentity.identity.principalId : aiProject.identity.principalId
