fix: Model Deployment When Reusing Existing Foundry Projects

Author: Avijit-Microsoft

infra/deploy_ai_foundry.bicep

@@ -250,18 +250,19 @@ module assignFoundryRoleToMIExisting 'deploy_foundry_role_assignment.bicep' = if
   params: {
     roleDefinitionId: aiUser.id
     roleAssignmentName: guid(resourceGroup().id, managedIdentityObjectId, aiUser.id, 'foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: managedIdentityObjectId
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
+    aiLocation: existing_aiServicesModule.outputs.location
+    aiKind: existing_aiServicesModule.outputs.kind
+    aiSkuName: existing_aiServicesModule.outputs.skuName
+    customSubDomainName: existing_aiServicesModule.outputs.customSubDomainName
+    publicNetworkAccess: existing_aiServicesModule.outputs.publicNetworkAccess
     enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    defaultNetworkAction: existing_aiServicesModule.outputs.defaultNetworkAction
+    vnetRules: existing_aiServicesModule.outputs.vnetRules
+    ipRules: existing_aiServicesModule.outputs.ipRules
+    aiModelDeployments: aiModelDeployments // Pass the model deployments to the module if model not already deployed
   }
 }
 
@@ -279,24 +280,26 @@ resource cognitiveServicesOpenAIUser 'Microsoft.Authorization/roleDefinitions@20
   name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
 }
 
-module assignOpenAIRoleToAISearch 'deploy_foundry_role_assignment.bicep' = {
-  name: 'assignOpenAIRoleToAISearch'
+resource assignOpenAIRoleToAISearch 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (empty(azureExistingAIProjectResourceId))  {
+  name: guid(resourceGroup().id, aiServices.id, cognitiveServicesOpenAIUser.id)
+  scope: aiServices
+  properties: {
+    principalId: aiSearch.identity.principalId
+    roleDefinitionId: cognitiveServicesOpenAIUser.id
+    principalType: 'ServicePrincipal'
+  }
+}
+
+module assignOpenAIRoleToAISearchExisting 'deploy_foundry_role_assignment.bicep' = if (!empty(azureExistingAIProjectResourceId)) {
+  name: 'assignOpenAIRoleToAISearchExisting'
   scope: resourceGroup(existingAIServiceSubscription, existingAIServiceResourceGroup)
   params: {
     roleDefinitionId: cognitiveServicesOpenAIUser.id
     roleAssignmentName: guid(resourceGroup().id, aiSearch.id, cognitiveServicesOpenAIUser.id, 'openai-foundry')
-    aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
-    aiProjectName: !empty(azureExistingAIProjectResourceId) ? existingAIProjectName : aiProjectName
+    aiServicesName: existingAIServicesName
+    aiProjectName: existingAIProjectName
     principalId: aiSearch.identity.principalId
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : solutionLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
 }
 
@@ -318,7 +321,7 @@ resource assignSearchIndexDataReaderToExistingAiProject 'Microsoft.Authorization
   name: guid(resourceGroup().id, existingAIProjectName, searchIndexDataReader.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchIndexDataReader.id
     principalType: 'ServicePrincipal'
   }
@@ -342,7 +345,7 @@ resource assignSearchServiceContributorToExistingAiProject 'Microsoft.Authorizat
   name: guid(resourceGroup().id, existingAIProjectName, searchServiceContributor.id, 'Existing')
   scope: aiSearch
   properties: {
-    principalId: assignOpenAIRoleToAISearch.outputs.aiProjectPrincipalId
+    principalId: assignOpenAIRoleToAISearchExisting.outputs.aiProjectPrincipalId
     roleDefinitionId: searchServiceContributor.id
     principalType: 'ServicePrincipal'
   }

infra/deploy_backend_docker.bicep

@@ -185,15 +185,7 @@ module assignAiUserRoleToAiProject 'deploy_foundry_role_assignment.bicep' = {
     roleAssignmentName: guid(appService.name, aiServices.id, aiUser.id)
     aiServicesName: !empty(azureExistingAIProjectResourceId) ? existingAIServicesName : aiServicesName
     aiProjectName: !empty(azureExistingAIProjectResourceId) ? split(azureExistingAIProjectResourceId, '/')[10] : ''
-    aiLocation: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.location : aideploymentsLocation
-    aiKind: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.kind : 'AIServices'
-    aiSkuName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.skuName : 'S0'
-    customSubDomainName: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.customSubDomainName : aiServicesName
-    publicNetworkAccess: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.publicNetworkAccess : 'Enabled'
-    enableSystemAssignedIdentity: true
-    defaultNetworkAction: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.defaultNetworkAction : 'Allow'
-    vnetRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.vnetRules : []
-    ipRules: !empty(azureExistingAIProjectResourceId) ? existing_aiServicesModule.outputs.ipRules : []
+    enableSystemAssignedIdentity: false
   }
 }
 

infra/deploy_foundry_role_assignment.bicep

@@ -6,15 +6,19 @@ param aiProjectName string = ''
 param aiLocation string=''
 param aiKind string=''
 param aiSkuName string=''
-param enableSystemAssignedIdentity bool = true
+param enableSystemAssignedIdentity bool = false
 param customSubDomainName string = ''
 param publicNetworkAccess string = ''
-param defaultNetworkAction string
+param defaultNetworkAction string = ''
 param vnetRules array = []
 param ipRules array = []
+param aiModelDeployments array = []
 
-// AI Services with Identity (enabled only if flag is true)
-resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if (enableSystemAssignedIdentity) {
+resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = if (!enableSystemAssignedIdentity) {
+  name: aiServicesName
+}
+
+resource aiServicesWithIdentity 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = if (enableSystemAssignedIdentity) {
   name: aiServicesName
   location: aiLocation
   kind: aiKind
@@ -37,10 +41,31 @@ resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' =
   }
 }
 
-// AI Project with Identity (only if name provided and flag is true)
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName) && enableSystemAssignedIdentity) {
+@batchSize(1)
+resource aiServicesDeployments 'Microsoft.CognitiveServices/accounts/deployments@2025-04-01-preview' = [for aiModeldeployment in aiModelDeployments: if (!empty(aiModelDeployments)) {
+  parent: aiServicesWithIdentity
+  name: aiModeldeployment.name
+  properties: {
+    model: {
+      format: 'OpenAI'
+      name: aiModeldeployment.model
+    }
+    raiPolicyName: aiModeldeployment.raiPolicyName
+  }
+  sku:{
+    name: aiModeldeployment.sku.name
+    capacity: aiModeldeployment.sku.capacity
+  }
+}]
+
+resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' existing = if (!empty(aiProjectName) && !enableSystemAssignedIdentity) {
   name: aiProjectName
   parent: aiServices
+}
+
+resource aiProjectWithIdentity 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!empty(aiProjectName) && enableSystemAssignedIdentity) {
+  name: aiProjectName
+  parent: aiServicesWithIdentity
   location: aiLocation
   identity: {
     type: 'SystemAssigned'
@@ -49,7 +74,16 @@ resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-pre
 }
 
 // Role Assignment to AI Services
-resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+resource roleAssignmentToFoundryExisting 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableSystemAssignedIdentity) {
+  name: roleAssignmentName
+  scope: aiServicesWithIdentity
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+  }
+}
+
+resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!enableSystemAssignedIdentity) {
   name: roleAssignmentName
   scope: aiServices
   properties: {
@@ -58,6 +92,14 @@ resource roleAssignmentToFoundry 'Microsoft.Authorization/roleAssignments@2022-0
   }
 }
 
-// Outputs
-output aiServicesPrincipalId string = aiServices.identity.principalId
-output aiProjectPrincipalId string = !empty(aiProjectName) ? aiProject.identity.principalId : ''
+// ========== Outputs ==========
+
+output aiServicesPrincipalId string = enableSystemAssignedIdentity
+  ? aiServicesWithIdentity.identity.principalId
+  : aiServices.identity.principalId
+
+output aiProjectPrincipalId string = !empty(aiProjectName)
+  ? (enableSystemAssignedIdentity
+      ? aiProjectWithIdentity.identity.principalId
+      : aiProject.identity.principalId)
+  : ''