new working configuration via managed identities and RBAC

Author: alguadam

infra/main.bicep

@@ -293,7 +293,7 @@ module applicationInsights 'br/public:avm/res/insights/component:0.6.0' = if (ap
 // WAF best practices for identity and access management: https://learn.microsoft.com/en-us/azure/well-architected/security/identity-access
 var userAssignedManagedIdentityEnabled = userAssignedManagedIdentityConfiguration.?enabled ?? true
 var userAssignedManagedIdentityResourceName = userAssignedManagedIdentityConfiguration.?name ?? 'id-${solutionPrefix}'
-module userAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = if (userAssignedManagedIdentityEnabled) {
+module userAssignedIdentityAIHub 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = if (userAssignedManagedIdentityEnabled) {
   name: take('avm.res.managed-identity.user-assigned-identity.${userAssignedManagedIdentityResourceName}', 64)
   params: {
     name: userAssignedManagedIdentityResourceName
@@ -753,7 +753,7 @@ module aiFoundryAiServices 'modules/ai-services.bicep' = if (aiFoundryAIservices
     diagnosticSettings: [{ workspaceResourceId: logAnalyticsWorkspace.outputs.resourceId }]
     sku: aiFoundryAiServicesConfiguration.?sku ?? 'S0'
     kind: 'AIServices'
-    disableLocalAuth: false //Should be set to true for WAF aligned configuration
+    disableLocalAuth: true //Should be set to true for WAF aligned configuration
     customSubDomainName: aiFoundryAiServicesResourceName
     apiProperties: {
       //staticsEnabled: false
@@ -782,11 +782,6 @@ module aiFoundryAiServices 'modules/ai-services.bicep' = if (aiFoundryAIservices
         ])
       : []
     roleAssignments: [
-      // {
-      //   principalId: userAssignedIdentity.outputs.principalId
-      //   principalType: 'ServicePrincipal'
-      //   roleDefinitionIdOrName: 'Cognitive Services OpenAI User'
-      // }
       {
         principalId: containerApp.outputs.?systemAssignedMIPrincipalId!
         principalType: 'ServicePrincipal'
@@ -811,6 +806,18 @@ module aiFoundryAiServices 'modules/ai-services.bicep' = if (aiFoundryAIservices
   }
 }
 
+var roleAssignmentAiHubAiProjectAzureAiDeveloper = '${aiFoundryAiHubResourceName}-${aiFoundryAiProjectName}-CognitiveServicesOpenAIUser'
+module resourceRoleAssignmentAiHubAiProjectAzureAiDeveloper 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = if (aiFoundryAiHubEnabled && aiFoundryAIservicesEnabled) {
+  name: take('avm.ptn.authorization.resource-role-assignment.${roleAssignmentAiHubAiProjectAzureAiDeveloper}', 64)
+  params: {
+    roleName: 'Azure AI Developer'
+    roleDefinitionId: '64702f94-c441-49e6-a78b-ef80e0188fee'
+    principalId: aiFoundryAiHub.outputs.?systemAssignedMIPrincipalId!
+    principalType: 'ServicePrincipal'
+    resourceId: aiFoundryAiProject.outputs.?resourceId
+  }
+}
+
 // AI Foundry: storage account
 // WAF best practices for Azure Blob Storage: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-blob-storage
 var storageAccountPrivateDnsZones = {
@@ -844,7 +851,7 @@ var aiFoundryStorageAccountResourceName = aiFoundryStorageAccountConfiguration.?
   ''
 )
 
-module aiFoundryStorageAccount 'br/public:avm/res/storage/storage-account:0.18.2' = if (aiFoundryStorageAccountEnabled) {
+module aiFoundryStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = if (aiFoundryStorageAccountEnabled) {
   name: take('avm.res.storage.storage-account.${aiFoundryStorageAccountResourceName}', 64)
   dependsOn: [
     privateDnsZonesAiFoundryStorageAccount
@@ -880,9 +887,13 @@ module aiFoundryStorageAccount 'br/public:avm/res/storage/storage-account:0.18.2
       : null
     roleAssignments: [
       {
-        principalId: userAssignedIdentity.outputs.principalId
+        principalId: containerApp.?outputs.?systemAssignedMIPrincipalId!
         roleDefinitionIdOrName: 'Storage Blob Data Contributor'
       }
+      {
+        principalId: containerApp.?outputs.?systemAssignedMIPrincipalId!
+        roleDefinitionIdOrName: '69566ab7-960f-475b-8e7c-b3118f30c6bd' //'Storage File Privileged Contributor'
+      }
     ]
   }
 }
@@ -896,7 +907,10 @@ var mlPrivateDnsZones = {
 }
 module privateDnsZonesAiFoundryWorkspaceHub 'br/public:avm/res/network/private-dns-zone:0.3.1' = [
   for zone in objectKeys(mlPrivateDnsZones): if (virtualNetworkEnabled && aiFoundryAiHubEnabled) {
-    name: take('avm.res.network.private-dns-zone.ai-hub.${uniqueString(aiFoundryAiHubName,zone)}.${solutionPrefix}', 64)
+    name: take(
+      'avm.res.network.private-dns-zone.ai-hub.${uniqueString(aiFoundryAiHubResourceName,zone)}.${solutionPrefix}',
+      64
+    )
     params: {
       name: zone
       enableTelemetry: enableTelemetry
@@ -911,14 +925,14 @@ module privateDnsZonesAiFoundryWorkspaceHub 'br/public:avm/res/network/private-d
   }
 ]
 var aiFoundryAiHubEnabled = aiFoundryAiHubConfiguration.?enabled ?? true
-var aiFoundryAiHubName = aiFoundryAiHubConfiguration.?name ?? 'aih-${solutionPrefix}'
+var aiFoundryAiHubResourceName = aiFoundryAiHubConfiguration.?name ?? 'aih-${solutionPrefix}'
 module aiFoundryAiHub 'modules/ai-hub.bicep' = if (aiFoundryAiHubEnabled) {
-  name: take('module.ai-hub.${aiFoundryAiHubName}', 64)
+  name: take('module.ai-hub.${aiFoundryAiHubResourceName}', 64)
   dependsOn: [
     privateDnsZonesAiFoundryWorkspaceHub
   ]
   params: {
-    name: aiFoundryAiHubName
+    name: aiFoundryAiHubResourceName
     location: aiFoundryAiHubConfiguration.?location ?? azureOpenAILocation
     tags: aiFoundryAiHubConfiguration.?tags ?? tags
     sku: aiFoundryAiHubConfiguration.?sku ?? 'Basic'
@@ -931,8 +945,8 @@ module aiFoundryAiHub 'modules/ai-hub.bicep' = if (aiFoundryAiHubEnabled) {
     privateEndpoints: virtualNetworkEnabled
       ? [
           {
-            name: 'pep-${aiFoundryAiHubName}'
-            customNetworkInterfaceName: 'nic-${aiFoundryAiHubName}'
+            name: 'pep-${aiFoundryAiHubResourceName}'
+            customNetworkInterfaceName: 'nic-${aiFoundryAiHubResourceName}'
             service: mlTargetSubResource
             subnetResourceId: virtualNetworkEnabled
               ? aiFoundryAiHubConfiguration.?subnetResourceId ?? virtualNetwork.?outputs.?subnetResourceIds[0]
@@ -965,6 +979,7 @@ module aiFoundryAiProject 'br/public:avm/res/machine-learning-services/workspace
     sku: aiFoundryAiProjectConfiguration.?sku ?? 'Basic'
     kind: 'Project'
     hubResourceId: aiFoundryAiHub.outputs.resourceId
+    managedIdentities: { systemAssigned: true }
     roleAssignments: [
       {
         principalId: containerApp.outputs.?systemAssignedMIPrincipalId!
@@ -975,6 +990,21 @@ module aiFoundryAiProject 'br/public:avm/res/machine-learning-services/workspace
   }
 }
 
+var roleAssignmentAiProjectAiServicesCognitiveServicesOpenAIUser = '${aiFoundryAiProjectName}-${aiFoundryAiHubResourceName}-CognitiveServicesOpenAIUser'
+module resourceRoleAssignmentAiProjectAiServicesCognitiveServicesOpenAIUser 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = if (aiFoundryAiHubEnabled && aiFoundryAIservicesEnabled) {
+  name: take(
+    'avm.ptn.authorization.resource-role-assignment.${roleAssignmentAiProjectAiServicesCognitiveServicesOpenAIUser}',
+    64
+  )
+  params: {
+    roleName: 'Cognitive Services OpenAI User'
+    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
+    principalId: aiFoundryAiProject.outputs.?systemAssignedMIPrincipalId!
+    principalType: 'ServicePrincipal'
+    resourceId: aiFoundryAiServices.outputs.resourceId
+  }
+}
+
 // ========== Cosmos DB ========== //
 // WAF best practices for Cosmos DB: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/cosmos-db
 module privateDnsZonesCosmosDb 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (virtualNetworkEnabled) {
@@ -1049,7 +1079,7 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.12.0' = if (co
       'EnableServerless'
     ]
     sqlRoleAssignmentsPrincipalIds: [
-      //userAssignedIdentity.outputs.principalId
+      //userAssignedIdentityAIHub.outputs.principalId
       containerApp.outputs.?systemAssignedMIPrincipalId
     ]
     sqlRoleDefinitions: [
@@ -1110,7 +1140,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.14.2' = if (container
     environmentResourceId: containerAppConfiguration.?environmentResourceId ?? containerAppEnvironment.outputs.resourceId
     managedIdentities: {
       systemAssigned: true //Replace with user assigned identity
-      userAssignedResourceIds: [userAssignedIdentity.outputs.resourceId]
+      //userAssignedResourceIds: [userAssignedIdentityAIHub.outputs.resourceId]
     }
     ingressTargetPort: containerAppConfiguration.?ingressTargetPort ?? 8000
     ingressExternal: true

infra/modules/ai-hub.bicep

@@ -15,7 +15,7 @@ resource aiServices 'Microsoft.CognitiveServices/accounts@2023-05-01' existing =
   name: aiFoundryAiServicesName
 }
 
-module aiFoundryAiHub 'br/public:avm/res/machine-learning-services/workspace:0.10.1' = {
+module aiFoundryAiHub 'br/public:avm/res/machine-learning-services/workspace:0.12.1' = {
   name: take('avm.res.machine-learning-services.workspace.${name}', 64)
   params: {
     name: name
@@ -28,7 +28,15 @@ module aiFoundryAiHub 'br/public:avm/res/machine-learning-services/workspace:0.1
     description: 'AI Hub for Multi Agent Custom Automation Engine Solution Accelerator template'
     //associatedKeyVaultResourceId: keyVaultResourceId
     associatedStorageAccountResourceId: storageAccountResourceId
+    systemDatastoresAuthMode: 'Identity'
     associatedApplicationInsightsResourceId: applicationInsightsResourceId
+    //primaryUserAssignedIdentity: managedIdentityResourceId //Required if 'userAssignedIdentities' is not empty
+    managedIdentities: {
+      // userAssignedResourceIds: [
+      //   managedIdentityResourceId
+      // ]
+      systemAssigned: true
+    }
     connections: [
       {
         name: 'connection-AzureOpenAI'
@@ -40,10 +48,7 @@ module aiFoundryAiHub 'br/public:avm/res/machine-learning-services/workspace:0.1
           ResourceId: aiServices.id
         }
         connectionProperties: {
-          authType: 'ApiKey'
-          credentials: {
-            key: aiServices.listKeys().key1
-          }
+          authType: 'AAD'
         }
       }
     ]
@@ -60,3 +65,4 @@ module aiFoundryAiHub 'br/public:avm/res/machine-learning-services/workspace:0.1
 }
 
 output resourceId string = aiFoundryAiHub.outputs.resourceId
+output systemAssignedMIPrincipalId string = aiFoundryAiHub.outputs.?systemAssignedMIPrincipalId!