provision key vault and use apikey for ai search

Harsh-Microsoft · Harsh-Microsoft · commit 35ce6e99e3e7 · 2025-09-05T15:01:42.000+05:30
diff --git a/azure.yaml b/azure.yaml
@@ -5,7 +5,7 @@ metadata:
 requiredVersions:
   azd: ">=1.15.0 !=1.17.1"
 hooks:
-  postprovision:
+  postdeploy:
     windows:
       run: |
         Write-Host "To upload Team Configurations to Cosmos. Run the following command in PowerShell:"
diff --git a/azure_custom.yaml b/azure_custom.yaml
@@ -41,7 +41,7 @@ services:
           continueOnError: false
 
 hooks:
-  postprovision:
+  postdeploy:
     windows:
       run: |
         Write-Host "To upload Team Configurations to Cosmos. Run the following command in PowerShell:"
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -919,13 +919,15 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.17.0' = if (e
 }
 
 // ========== Private DNS Zones ========== //
+var keyVaultPrivateDNSZone = 'privatelink.${toLower(environment().name) == 'azureusgovernment' ? 'vaultcore.usgovcloudapi.net' : 'vaultcore.azure.net'}'
 var privateDnsZones = [
   'privatelink.cognitiveservices.azure.com'
   'privatelink.openai.azure.com'
   'privatelink.services.ai.azure.com'
   'privatelink.documents.azure.com'
   'privatelink.blob.core.windows.net'
   'privatelink.search.windows.net'
+  keyVaultPrivateDNSZone
 ]
 
 // DNS Zone Index Constants
@@ -936,6 +938,7 @@ var dnsZoneIndex = {
   cosmosDb: 3
   blob: 4
   search: 5
+  keyVault: 6
 }
 
 // List of DNS zone indices that correspond to AI-related services.
@@ -1483,7 +1486,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
           } 
           {
             name: 'AZURE_AI_SEARCH_API_KEY'
-            value: ''
+            secretRef: 'azure-ai-search-api-key'
           } 
           {
             name: 'BING_CONNECTION_NAME'
@@ -1498,6 +1501,14 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             value: storageContainerName
           }
         ]
+        
+      }
+    ]
+    secrets: [
+      {
+        name: 'azure-ai-search-api-key'
+        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
+        identity: userAssignedIdentity.outputs.resourceId
       }
     ]
   }
@@ -1838,13 +1849,68 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
+    searchApiKey: searchService.outputs.primaryKey
   }
   dependsOn: [
     aiFoundryAiServices
   ]
 }
 
 
+// ========== KeyVault ========== //
+var keyVaultName = 'kv-${solutionSuffix}'
+module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+  name: take('avm.res.key-vault.vault.${keyVaultName}', 64)
+  params: {
+    name: keyVaultName
+    location: location
+    tags: tags
+    sku: enableScalability ? 'premium' : 'standard'
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    networkAcls: {
+      defaultAction: 'Allow'
+    }
+    enableVaultForDeployment: true
+    enableVaultForDiskEncryption: true
+    enableVaultForTemplateDeployment: true
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 7
+    diagnosticSettings: enableMonitoring 
+      ? [{ workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId }] 
+      : []
+    // WAF aligned configuration for Private Networking
+    privateEndpoints: enablePrivateNetworking
+      ? [
+          {
+            name: 'pep-${keyVaultName}'
+            customNetworkInterfaceName: 'nic-${keyVaultName}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [{ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId }]
+            }
+            service: 'vault'
+            subnetResourceId: virtualNetwork!.outputs.subnetResourceIds[0]
+          }
+        ]
+      : []
+    // WAF aligned configuration for Role-based Access Control
+    roleAssignments: [
+      {
+         principalId: userAssignedIdentity.outputs.principalId
+         principalType: 'ServicePrincipal'
+         roleDefinitionIdOrName: 'Key Vault Administrator'
+      }
+    ]
+    secrets: [
+      {
+        name: 'AzureAISearchAPIKey'
+        value: searchService.outputs.primaryKey
+      }
+    ]
+    enableTelemetry: enableTelemetry
+  }
+}
+
 // ============ //
 // Outputs      //
 // ============ //
@@ -1890,3 +1956,4 @@ output REASONING_MODEL_NAME string = 'o3'
 output MCP_SERVER_NAME string = 'MACAE MCP Server'
 output MCP_SERVER_DESCRIPTION string = 'MACAE MCP Server Description'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
+output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -919,13 +919,15 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.17.0' = if (e
 }
 
 // ========== Private DNS Zones ========== //
+var keyVaultPrivateDNSZone = 'privatelink.${toLower(environment().name) == 'azureusgovernment' ? 'vaultcore.usgovcloudapi.net' : 'vaultcore.azure.net'}'
 var privateDnsZones = [
   'privatelink.cognitiveservices.azure.com'
   'privatelink.openai.azure.com'
   'privatelink.services.ai.azure.com'
   'privatelink.documents.azure.com'
   'privatelink.blob.core.windows.net'
   'privatelink.search.windows.net'
+  keyVaultPrivateDNSZone
 ]
 
 // DNS Zone Index Constants
@@ -936,6 +938,7 @@ var dnsZoneIndex = {
   cosmosDb: 3
   blob: 4
   search: 5
+  keyVault: 6
 }
 
 // List of DNS zone indices that correspond to AI-related services.
@@ -1516,7 +1519,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
           } 
           {
             name: 'AZURE_AI_SEARCH_API_KEY'
-            value: ''
+            value: 'azure-ai-search-api-key'
           } 
           {
             name: 'BING_CONNECTION_NAME'
@@ -1533,6 +1536,13 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
         ]
       }
     ]
+    secrets: [
+      {
+        name: 'azure-ai-search-api-key'
+        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
+        identity: userAssignedIdentity.outputs.resourceId
+      }
+    ]
   }
 }
 
@@ -1880,13 +1890,68 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
+    searchApiKey: searchService.outputs.primaryKey
   }
   dependsOn: [
     aiFoundryAiServices
   ]
 }
 
 
+// ========== KeyVault ========== //
+var keyVaultName = 'kv-${solutionSuffix}'
+module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+  name: take('avm.res.key-vault.vault.${keyVaultName}', 64)
+  params: {
+    name: keyVaultName
+    location: location
+    tags: tags
+    sku: enableScalability ? 'premium' : 'standard'
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    networkAcls: {
+      defaultAction: 'Allow'
+    }
+    enableVaultForDeployment: true
+    enableVaultForDiskEncryption: true
+    enableVaultForTemplateDeployment: true
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 7
+    diagnosticSettings: enableMonitoring 
+      ? [{ workspaceResourceId: logAnalyticsWorkspace!.outputs.resourceId }] 
+      : []
+    // WAF aligned configuration for Private Networking
+    privateEndpoints: enablePrivateNetworking
+      ? [
+          {
+            name: 'pep-${keyVaultName}'
+            customNetworkInterfaceName: 'nic-${keyVaultName}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [{ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId }]
+            }
+            service: 'vault'
+            subnetResourceId: virtualNetwork!.outputs.subnetResourceIds[0]
+          }
+        ]
+      : []
+    // WAF aligned configuration for Role-based Access Control
+    roleAssignments: [
+      {
+         principalId: userAssignedIdentity.outputs.principalId
+         principalType: 'ServicePrincipal'
+         roleDefinitionIdOrName: 'Key Vault Administrator'
+      }
+    ]
+    secrets: [
+      {
+        name: 'AzureAISearchAPIKey'
+        value: searchService.outputs.primaryKey
+      }
+    ]
+    enableTelemetry: enableTelemetry
+  }
+}
+
 // ============ //
 // Outputs      //
 // ============ //
@@ -1948,3 +2013,4 @@ output REASONING_MODEL_NAME string = 'o3'
 output MCP_SERVER_NAME string = 'MACAE MCP Server'
 output MCP_SERVER_DESCRIPTION string = 'MACAE MCP Server Description'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
+output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
diff --git a/infra/modules/aifp-connections.bicep b/infra/modules/aifp-connections.bicep
@@ -4,13 +4,18 @@ param searchServiceResourceId string
 param searchServiceLocation string
 param aiFoundryName string
 param aiFoundryProjectName string
+@secure()
+param searchApiKey string
 
 resource aiSearchFoundryConnection 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = {
   name: '${aiFoundryName}/${aiFoundryProjectName}/${aifSearchConnectionName}'
   properties: {
     category: 'CognitiveSearch'
     target: 'https://${searchServiceName}.search.windows.net'
-    authType: 'AAD'
+    authType: 'ApiKey'
+    credentials: {
+      key: searchApiKey
+    }
     isSharedToAll: true
     metadata: {
       ApiType: 'Azure'
