Merge pull request #304 from microsoft/psl-bug-20357

Prajwal-Microsoft · web-flow · commit 678d77e01eaf · 2025-07-09T10:54:19.000+05:30
fix: Fix to avoid task creation for violent and meaning less prompts when deployment reuse existing AI Foundry Project.
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -697,7 +697,9 @@ module privateDnsZonesAiServices 'br/public:avm/res/network/private-dns-zone:0.7
 ]
 
 // NOTE: Required version 'Microsoft.CognitiveServices/accounts@2024-04-01-preview' not available in AVM
-var aiFoundryAiServicesResourceName = aiFoundryAiServicesConfiguration.?name ?? 'aisa-${solutionPrefix}'
+var useExistingFoundryProject = !empty(existingFoundryProjectResourceId)
+var existingAiFoundryName = useExistingFoundryProject?split( existingFoundryProjectResourceId,'/')[8]:''
+var aiFoundryAiServicesResourceName = useExistingFoundryProject? existingAiFoundryName : aiFoundryAiServicesConfiguration.?name ?? 'aisa-${solutionPrefix}'
 var aiFoundryAIservicesEnabled = aiFoundryAiServicesConfiguration.?enabled ?? true
 var aiFoundryAiServicesModelDeployment = {
   format: 'OpenAI'
@@ -738,9 +740,7 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice
       bypass: 'AzureServices'
       defaultAction: (virtualNetworkEnabled) ? 'Deny' : 'Allow' 
     }
-    
- 
-    privateEndpoints: virtualNetworkEnabled
+    privateEndpoints: virtualNetworkEnabled && !useExistingFoundryProject
       ? ([
           {
             name: 'pep-${aiFoundryAiServicesResourceName}'
@@ -754,7 +754,7 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice
             }
           }
         ])
-      : []
+      : [] 
     deployments: aiFoundryAiServicesConfiguration.?deployments ?? [
       {
         name: aiFoundryAiServicesModelDeployment.name
@@ -775,31 +775,24 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice
 
 // AI Foundry: AI Project
 // WAF best practices for Open AI: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-openai
-var aiFoundryAiProjectName = aiFoundryAiProjectConfiguration.?name ?? 'aifp-${solutionPrefix}'
-
-resource aiUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
-  name: '53ca6127-db72-4b80-b1b0-d745d6d5456d'
-}
+var existingAiFounryProjectName = useExistingFoundryProject ? last(split( existingFoundryProjectResourceId,'/')) : ''
+var aiFoundryAiProjectName =  useExistingFoundryProject ? existingAiFounryProjectName : aiFoundryAiProjectConfiguration.?name ?? 'aifp-${solutionPrefix}'
 
 var useExistingResourceId = !empty(existingFoundryProjectResourceId)
 
-module Newroles './modules/role.bicep' = if(!useExistingResourceId){
+module cogServiceRoleAssignmentsNew './modules/role.bicep' = if(!useExistingResourceId) {
   params: {
-    name: 'new-${guid(containerApp.name, aiFoundryAiServices.outputs.resourceId, aiUser.id)}'
-    roleDefinitionId: aiUser.id
+    name: 'new-${guid(containerApp.name, aiFoundryAiServices.outputs.resourceId)}'
     principalId: containerApp.outputs.?systemAssignedMIPrincipalId!
-    aiUserid: aiUser.id
     aiServiceName: aiFoundryAiServices.outputs.name
   }
   scope: resourceGroup(subscription().subscriptionId, resourceGroup().name)
 }
 
-module Existingroles './modules/role.bicep' = if(useExistingResourceId){
+module cogServiceRoleAssignmentsExisting './modules/role.bicep' = if(useExistingResourceId) {
   params: {
-    name: 'reuse-${guid(containerApp.name, aiFoundryAiServices.outputs.aiProjectInfo.resourceId, aiUser.id)}'
-    roleDefinitionId: aiUser.id
+    name: 'reuse-${guid(containerApp.name, aiFoundryAiServices.outputs.aiProjectInfo.resourceId)}'
     principalId: containerApp.outputs.?systemAssignedMIPrincipalId!
-    aiUserid: aiUser.id
     aiServiceName: aiFoundryAiServices.outputs.name
   }
   scope: resourceGroup( split(existingFoundryProjectResourceId, '/')[2], split(existingFoundryProjectResourceId, '/')[4])
diff --git a/infra/modules/role.bicep b/infra/modules/role.bicep
@@ -1,45 +1,37 @@
 @description('The name of the role assignment resource. Typically generated using `guid()` for uniqueness.')
 param name string
 
-@description('The ID of the role definition to assign. For example, a built-in role like "Cognitive Services User".')
-param roleDefinitionId string
-
 @description('The object ID of the principal (user, group, or service principal) to whom the role will be assigned.')
 param principalId string
 
-@description('The object ID of the user to be granted AI access (can be used for assigning multiple roles).')
-param aiUserid string
-
 @description('The name of the existing Azure Cognitive Services account.')
 param aiServiceName string
 
 resource cognitiveServiceExisting 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing =  {
   name: aiServiceName
 }
 
+resource aiUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  name: '53ca6127-db72-4b80-b1b0-d745d6d5456d'
+}
 
-resource aiUserAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(name, 'aiUserAccessProj')
-  scope: cognitiveServiceExisting
-  properties: {
-    roleDefinitionId: roleDefinitionId
-    principalId: principalId
-  }
+resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  name: '64702f94-c441-49e6-a78b-ef80e0188fee'
+}
+
+resource cognitiveServiceOpenAIUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
 }
 
 resource aiUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(name, 'aiUserAccessFoundry')
   scope: cognitiveServiceExisting
   properties: {
-    roleDefinitionId: aiUserid
+    roleDefinitionId: aiUser.id
     principalId: principalId
   }
 }
 
-resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
-  name: '64702f94-c441-49e6-a78b-ef80e0188fee'
-}
-
 resource aiDeveloperAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(name, 'aiDeveloperAccessFoundry')
   scope: cognitiveServiceExisting
@@ -49,10 +41,6 @@ resource aiDeveloperAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-
   }
 }
 
-resource cognitiveServiceOpenAIUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
-  name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-}
-
 resource cognitiveServiceOpenAIUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(name, 'cognitiveServiceOpenAIUserAccessFoundry')
   scope: cognitiveServiceExisting
