UpdatedBicepV3

Author: UtkarshMishra-Microsoft

infra/main.bicep

@@ -20,6 +20,10 @@ param existingLogAnalyticsWorkspaceId string = ''
 
 param azureopenaiVersion string = '2025-01-01-preview'
 
+//Get the current deployer's information
+var deployerInfo = deployer()
+var deployingUserPrincipalId = deployerInfo.objectId
+
 // Restricting deployment to only supported Azure OpenAI regions validated with GPT-4o model
 @metadata({
   azd : {
@@ -812,6 +816,36 @@ module cogServiceRoleAssignmentsExisting './modules/role.bicep' = if(useExisting
   scope: resourceGroup( split(existingFoundryProjectResourceId, '/')[2], split(existingFoundryProjectResourceId, '/')[4])
 }
 
+// User Role Assignment for Azure OpenAI - New Resources
+module userOpenAiRoleAssignment './modules/role.bicep' = if (aiFoundryAIservicesEnabled && !useExistingResourceId) {
+  name: take('user-openai-${uniqueString(deployingUserPrincipalId, aiFoundryAiServicesResourceName)}', 64)
+  params: {
+    name: 'user-openai-${uniqueString(deployingUserPrincipalId, aiFoundryAiServicesResourceName)}'
+    principalId: deployingUserPrincipalId
+    aiServiceName: aiFoundryAiServices.outputs.name
+    principalType: 'User'
+  }
+  scope: resourceGroup(subscription().subscriptionId, resourceGroup().name)
+  dependsOn: [
+    aiFoundryAiServices
+  ]
+}
+
+// User Role Assignment for Azure OpenAI - Existing Resources
+module userOpenAiRoleAssignmentExisting './modules/role.bicep' = if (aiFoundryAIservicesEnabled && useExistingResourceId) {
+  name: take('user-openai-existing-${uniqueString(deployingUserPrincipalId, aiFoundryAiServicesResourceName)}', 64)
+  params: {
+    name: 'user-openai-existing-${uniqueString(deployingUserPrincipalId, aiFoundryAiServicesResourceName)}'
+    principalId: deployingUserPrincipalId
+    aiServiceName: aiFoundryAiServices.outputs.name
+    principalType: 'User'
+  }
+  scope: resourceGroup(split(existingFoundryProjectResourceId, '/')[2], split(existingFoundryProjectResourceId, '/')[4])
+  dependsOn: [
+    aiFoundryAiServices
+  ]
+}
+
 // ========== Cosmos DB ========== //
 // WAF best practices for Cosmos DB: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db
 module privateDnsZonesCosmosDb 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (virtualNetworkEnabled) {
@@ -886,9 +920,11 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.12.0' = if (co
     capabilitiesToAdd: [
       'EnableServerless'
     ]
-    sqlRoleAssignmentsPrincipalIds: [
-      containerApp.outputs.?systemAssignedMIPrincipalId
-    ]
+    
+    sqlRoleAssignmentsPrincipalIds: concat(
+      [containerApp.outputs.?systemAssignedMIPrincipalId],
+      [deployingUserPrincipalId]
+    )
     sqlRoleDefinitions: [
       {
         // Replace this with built-in role definition Cosmos DB Built-in Data Contributor: https://docs.azure.cn/en-us/cosmos-db/nosql/security/reference-data-plane-roles#cosmos-db-built-in-data-contributor