Add AI Foundry module with network ACLs and role assignments

alguadam · alguadam · commit 2b31eb07b787 · 2025-05-29T14:25:10.000+02:00
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -590,6 +590,14 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = if (vi
         addressPrefix: '10.0.0.64/26'
         networkSecurityGroupResourceId: networkSecurityGroupBastion.outputs.resourceId
       }
+      {
+        // Subnet IP address limitation: only class B and C are supported
+        // https://learn.microsoft.com/en-us/azure/ai-services/agents/how-to/virtual-networks
+        name: 'ai-foundry-agents' //This exact name is required for Azure Bastion
+        addressPrefix: '10.0.1.0/24'
+        //networkSecurityGroupResourceId: networkSecurityGroupBastion.outputs.resourceId
+        delegation: 'Microsoft.App/environments'
+      }
       {
         // If you use your own vnw, you need to provide a subnet that is dedicated exclusively to the Container App environment you deploy. This subnet isn't available to other services
         // https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#custom-vnw-configuration
@@ -729,7 +737,7 @@ var aiFoundryAiServicesModelDeployment = {
   version: '2024-08-06'
   sku: {
     name: 'GlobalStandard'
-    //Curently the capacity is set to 140 for opinanal performance. 
+    //Currently the capacity is set to 140 for optimal performance. 
     capacity: aiFoundryAiServicesConfiguration.?modelCapcity ?? 140
   }
   raiPolicyName: 'Microsoft.Default'
@@ -750,6 +758,11 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.10.2'
     apiProperties: {
       //staticsEnabled: false
     }
+    networkAcls: {
+      defaultAction: 'Allow'
+      virtualNetworkRules: []
+      ipRules: []
+    }
     //publicNetworkAccess: virtualNetworkEnabled ? 'Disabled' : 'Enabled'
     //publicNetworkAccess: virtualNetworkEnabled ? 'Disabled' : 'Enabled'
     publicNetworkAccess: 'Enabled' //TODO: connection via private endpoint is not working from containers network. Change this when fixed
diff --git a/infra/modules/ai-services.bicep b/infra/modules/ai-services.bicep
@@ -0,0 +1,323 @@
+//NOTE: this code is based on AVM module plus missing required capbilities we need for this GSA 'br/public:avm/res/cognitive-services/account:0.10.2'
+param name string
+param tags object = {}
+param location string
+param kind string
+param sku string
+import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+param diagnosticSettings diagnosticSettingFullType[]
+param publicNetworkAccess string
+param customSubDomainName string
+import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+param privateEndpoints privateEndpointSingleServiceType[]
+param networkAcls object?
+import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentityAllType
+param allowedFqdnList array?
+param apiProperties object
+param disableLocalAuth bool = true
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+param roleAssignments roleAssignmentType[]?
+
+var formattedUserAssignedIdentities = reduce(
+  map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
+  {},
+  (cur, next) => union(cur, next)
+) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+var identity = !empty(managedIdentities)
+  ? {
+      type: (managedIdentities.?systemAssigned ?? false)
+        ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
+        : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
+      userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
+    }
+  : null
+
+var builtInRoleNames = {
+  'Cognitive Services Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+  )
+  'Cognitive Services Custom Vision Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
+  )
+  'Cognitive Services Custom Vision Deployment': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '5c4089e1-6d96-4d2f-b296-c1bc7137275f'
+  )
+  'Cognitive Services Custom Vision Labeler': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '88424f51-ebe7-446f-bc41-7fa16989e96c'
+  )
+  'Cognitive Services Custom Vision Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '93586559-c37d-4a6b-ba08-b9f0940c2d73'
+  )
+  'Cognitive Services Custom Vision Trainer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
+  )
+  'Cognitive Services Data Reader (Preview)': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'b59867f0-fa02-499b-be73-45a86b5b3e1c'
+  )
+  'Cognitive Services Face Recognizer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '9894cab4-e18a-44aa-828b-cb588cd6f2d7'
+  )
+  'Cognitive Services Immersive Reader User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'b2de6794-95db-4659-8781-7e080d3f2b9d'
+  )
+  'Cognitive Services Language Owner': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f07febfe-79bc-46b1-8b37-790e26e6e498'
+  )
+  'Cognitive Services Language Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '7628b7b8-a8b2-4cdc-b46f-e9b35248918e'
+  )
+  'Cognitive Services Language Writer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f2310ca1-dc64-4889-bb49-c8e0fa3d47a8'
+  )
+  'Cognitive Services LUIS Owner': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f72c8140-2111-481c-87ff-72b910f6e3f8'
+  )
+  'Cognitive Services LUIS Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18e81cdc-4e98-4e29-a639-e7d10c5a6226'
+  )
+  'Cognitive Services LUIS Writer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '6322a993-d5c9-4bed-b113-e49bbea25b27'
+  )
+  'Cognitive Services Metrics Advisor Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'cb43c632-a144-4ec5-977c-e80c4affc34a'
+  )
+  'Cognitive Services Metrics Advisor User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '3b20f47b-3825-43cb-8114-4bd2201156a8'
+  )
+  'Cognitive Services OpenAI Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'a001fd3d-188f-4b5d-821b-7da978bf7442'
+  )
+  'Cognitive Services OpenAI User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
+  )
+  'Cognitive Services QnA Maker Editor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+  )
+  'Cognitive Services QnA Maker Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '466ccd10-b268-4a11-b098-b4849f024126'
+  )
+  'Cognitive Services Speech Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '0e75ca1e-0464-4b4d-8b93-68208a576181'
+  )
+  'Cognitive Services Speech User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f2dc8367-1007-4938-bd23-fe263f013447'
+  )
+  'Cognitive Services User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'a97b65f3-24c7-4388-baec-2e87135dc908'
+  )
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  )
+  'User Access Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+  )
+}
+
+var formattedRoleAssignments = [
+  for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
+    roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
+        roleAssignment.roleDefinitionIdOrName,
+        '/providers/Microsoft.Authorization/roleDefinitions/'
+      )
+      ? roleAssignment.roleDefinitionIdOrName
+      : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
+  })
+]
+
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
+  name: name
+  kind: kind
+  identity: identity
+  location: location
+  tags: tags
+  sku: {
+    name: sku
+  }
+  properties: {
+    customSubDomainName: customSubDomainName
+    networkAcls: !empty(networkAcls ?? {})
+      ? {
+          defaultAction: networkAcls.?defaultAction
+          virtualNetworkRules: networkAcls.?virtualNetworkRules ?? []
+          ipRules: networkAcls.?ipRules ?? []
+        }
+      : null
+    publicNetworkAccess: publicNetworkAccess != null
+      ? publicNetworkAccess
+      : (!empty(networkAcls) ? 'Enabled' : 'Disabled')
+    allowedFqdnList: allowedFqdnList
+    apiProperties: apiProperties
+    disableLocalAuth: disableLocalAuth
+    encryption: !empty(customerManagedKey)
+      ? {
+          keySource: 'Microsoft.KeyVault'
+          keyVaultProperties: {
+            identityClientId: !empty(customerManagedKey.?userAssignedIdentityResourceId ?? '')
+              ? cMKUserAssignedIdentity.properties.clientId
+              : null
+            keyVaultUri: cMKKeyVault.properties.vaultUri
+            keyName: customerManagedKey!.keyName
+            keyVersion: !empty(customerManagedKey.?keyVersion ?? '')
+              ? customerManagedKey!.?keyVersion
+              : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
+          }
+        }
+      : null
+    migrationToken: migrationToken
+    restore: restore
+    restrictOutboundNetworkAccess: restrictOutboundNetworkAccess
+    userOwnedStorage: userOwnedStorage
+    dynamicThrottlingEnabled: dynamicThrottlingEnabled
+  }
+}
+
+@batchSize(1)
+resource cognitiveService_deployments 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01' = [
+  for (deployment, index) in (deployments ?? []): {
+    parent: cognitiveService
+    name: deployment.?name ?? '${name}-deployments'
+    properties: {
+      model: deployment.model
+      raiPolicyName: deployment.?raiPolicyName
+      versionUpgradeOption: deployment.?versionUpgradeOption
+    }
+    sku: deployment.?sku ?? {
+      name: sku
+      capacity: sku.?capacity
+      tier: sku.?tier
+      size: sku.?size
+      family: sku.?family
+    }
+  }
+]
+
+resource cognitiveService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [
+  for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
+    name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
+    properties: {
+      storageAccountId: diagnosticSetting.?storageAccountResourceId
+      workspaceId: diagnosticSetting.?workspaceResourceId
+      eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
+      eventHubName: diagnosticSetting.?eventHubName
+      metrics: [
+        for group in (diagnosticSetting.?metricCategories ?? [{ category: 'AllMetrics' }]): {
+          category: group.category
+          enabled: group.?enabled ?? true
+          timeGrain: null
+        }
+      ]
+      logs: [
+        for group in (diagnosticSetting.?logCategoriesAndGroups ?? [{ categoryGroup: 'allLogs' }]): {
+          categoryGroup: group.?categoryGroup
+          category: group.?category
+          enabled: group.?enabled ?? true
+        }
+      ]
+      marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
+      logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
+    }
+    scope: cognitiveService
+  }
+]
+
+module cognitiveService_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.10.1' = [
+  for (privateEndpoint, index) in (privateEndpoints ?? []): {
+    name: '${uniqueString(deployment().name, location)}-cognitiveService-PrivateEndpoint-${index}'
+    scope: resourceGroup(
+      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[2],
+      split(privateEndpoint.?resourceGroupResourceId ?? resourceGroup().id, '/')[4]
+    )
+    params: {
+      name: privateEndpoint.?name ?? 'pep-${last(split(cognitiveService.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
+      privateLinkServiceConnections: privateEndpoint.?isManualConnection != true
+        ? [
+            {
+              name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(cognitiveService.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
+              properties: {
+                privateLinkServiceId: cognitiveService.id
+                groupIds: [
+                  privateEndpoint.?service ?? 'account'
+                ]
+              }
+            }
+          ]
+        : null
+      manualPrivateLinkServiceConnections: privateEndpoint.?isManualConnection == true
+        ? [
+            {
+              name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(cognitiveService.id, '/'))}-${privateEndpoint.?service ?? 'account'}-${index}'
+              properties: {
+                privateLinkServiceId: cognitiveService.id
+                groupIds: [
+                  privateEndpoint.?service ?? 'account'
+                ]
+                requestMessage: privateEndpoint.?manualConnectionRequestMessage ?? 'Manual approval required.'
+              }
+            }
+          ]
+        : null
+      subnetResourceId: privateEndpoint.subnetResourceId
+      enableTelemetry: enableReferencedModulesTelemetry
+      location: privateEndpoint.?location ?? reference(
+        split(privateEndpoint.subnetResourceId, '/subnets/')[0],
+        '2020-06-01',
+        'Full'
+      ).location
+      lock: privateEndpoint.?lock ?? lock
+      privateDnsZoneGroup: privateEndpoint.?privateDnsZoneGroup
+      roleAssignments: privateEndpoint.?roleAssignments
+      tags: privateEndpoint.?tags ?? tags
+      customDnsConfigs: privateEndpoint.?customDnsConfigs
+      ipConfigurations: privateEndpoint.?ipConfigurations
+      applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
+      customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
+    }
+  }
+]
+
+resource cognitiveService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
+    name: roleAssignment.?name ?? guid(cognitiveService.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
+    properties: {
+      roleDefinitionId: roleAssignment.roleDefinitionId
+      principalId: roleAssignment.principalId
+      description: roleAssignment.?description
+      principalType: roleAssignment.?principalType
+      condition: roleAssignment.?condition
+      conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+      delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+    }
+    scope: cognitiveService
+  }
+]
