diff --git a/infra/main.bicep b/infra/main.bicep index 621564b07..d4f544261 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -697,7 +697,9 @@ module privateDnsZonesAiServices 'br/public:avm/res/network/private-dns-zone:0.7 ] // NOTE: Required version 'Microsoft.CognitiveServices/accounts@2024-04-01-preview' not available in AVM -var aiFoundryAiServicesResourceName = aiFoundryAiServicesConfiguration.?name ?? 'aisa-${solutionPrefix}' +var useExistingFoundryProject = !empty(existingFoundryProjectResourceId) +var existingAiFoundryName = useExistingFoundryProject?split( existingFoundryProjectResourceId,'/')[8]:'' +var aiFoundryAiServicesResourceName = useExistingFoundryProject? existingAiFoundryName : aiFoundryAiServicesConfiguration.?name ?? 'aisa-${solutionPrefix}' var aiFoundryAIservicesEnabled = aiFoundryAiServicesConfiguration.?enabled ?? true var aiFoundryAiServicesModelDeployment = { format: 'OpenAI' @@ -738,9 +740,7 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice bypass: 'AzureServices' defaultAction: (virtualNetworkEnabled) ? 'Deny' : 'Allow' } - - - privateEndpoints: virtualNetworkEnabled + privateEndpoints: virtualNetworkEnabled && !useExistingFoundryProject ? ([ { name: 'pep-${aiFoundryAiServicesResourceName}' @@ -754,7 +754,7 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice } } ]) - : [] + : [] deployments: aiFoundryAiServicesConfiguration.?deployments ?? [ { name: aiFoundryAiServicesModelDeployment.name 
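Review bot: `split(existingFoundryProjectResourceId,'/')[8]` assumes the parameter is a full project resource ID of the form `/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<account>/projects/<project>`, but nothing in this hunk checks that shape; a shorter ID fails with an index error at deployment time, and an ID of a different resource type silently yields the wrong account name, which then flows into the account module and the role assignments. At minimum record the expected form next to the new variables, e.g. `// existingFoundryProjectResourceId must be a Foundry *project* ID: segment [8] is the account name, the last segment the project name; [2]/[4] are reused below as the cross-RG role-assignment scope`. The ternaries are also written without spaces (`useExistingFoundryProject?split(`), unlike the rest of the file. The parameter declaration is outside the hunk, so whether it already carries a description or validation cannot be seen here.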
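Review bot: Private endpoints are now skipped when an existing Foundry project is reused, but the `defaultAction: (virtualNetworkEnabled) ? 'Deny' : 'Allow'` line just above the change still keys off `virtualNetworkEnabled` alone, so in the reuse-plus-VNet case the module is handed network ACLs of Deny for an account this template does not own while creating no private endpoint for it. If `modules/account/main.bicep` applies those ACLs to the existing account (not visible here), that can cut off other clients of the account or leave the container app without a path to it; if it ignores them for existing accounts, the prerequisite should still be stated. Suggest a comment at the `privateEndpoints` line such as `// reused Foundry accounts get no private endpoint from this template: with virtualNetworkEnabled the account must already be reachable from the VNet, and its networkAcls are the owner's responsibility`, and confirming what the account module does with `networkAcls` in the reuse path.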
@@ -775,31 +775,24 @@ module aiFoundryAiServices 'modules/account/main.bicep' = if (aiFoundryAIservice // AI Foundry: AI Project // WAF best practices for Open AI: https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-openai -var aiFoundryAiProjectName = aiFoundryAiProjectConfiguration.?name ?? 'aifp-${solutionPrefix}' - -resource aiUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { - name: '53ca6127-db72-4b80-b1b0-d745d6d5456d' -} +var existingAiFounryProjectName = useExistingFoundryProject ? last(split( existingFoundryProjectResourceId,'/')) : '' +var aiFoundryAiProjectName = useExistingFoundryProject ? existingAiFounryProjectName : aiFoundryAiProjectConfiguration.?name ?? 'aifp-${solutionPrefix}' var useExistingResourceId = !empty(existingFoundryProjectResourceId) -module Newroles './modules/role.bicep' = if(!useExistingResourceId){ +module cogServiceRoleAssignmentsNew './modules/role.bicep' = if(!useExistingResourceId) { params: { - name: 'new-${guid(containerApp.name, aiFoundryAiServices.outputs.resourceId, aiUser.id)}' - roleDefinitionId: aiUser.id + name: 'new-${guid(containerApp.name, aiFoundryAiServices.outputs.resourceId)}' principalId: containerApp.outputs.?systemAssignedMIPrincipalId! - aiUserid: aiUser.id aiServiceName: aiFoundryAiServices.outputs.name } scope: resourceGroup(subscription().subscriptionId, resourceGroup().name) } -module Existingroles './modules/role.bicep' = if(useExistingResourceId){ +module cogServiceRoleAssignmentsExisting './modules/role.bicep' = if(useExistingResourceId) { params: { - name: 'reuse-${guid(containerApp.name, aiFoundryAiServices.outputs.aiProjectInfo.resourceId, aiUser.id)}' - roleDefinitionId: aiUser.id + name: 'reuse-${guid(containerApp.name, aiFoundryAiServices.outputs.aiProjectInfo.resourceId)}' principalId: containerApp.outputs.?systemAssignedMIPrincipalId! 
- aiUserid: aiUser.id aiServiceName: aiFoundryAiServices.outputs.name } scope: resourceGroup( split(existingFoundryProjectResourceId, '/')[2], split(existingFoundryProjectResourceId, '/')[4]) diff --git a/infra/modules/role.bicep b/infra/modules/role.bicep index 70fec14c4..f700f092f 100644 --- a/infra/modules/role.bicep +++ b/infra/modules/role.bicep @@ -1,15 +1,9 @@ @description('The name of the role assignment resource. Typically generated using `guid()` for uniqueness.') param name string -@description('The ID of the role definition to assign. For example, a built-in role like "Cognitive Services User".') -param roleDefinitionId string - @description('The object ID of the principal (user, group, or service principal) to whom the role will be assigned.') param principalId string -@description('The object ID of the user to be granted AI access (can be used for assigning multiple roles).') -param aiUserid string - @description('The name of the existing Azure Cognitive Services account.') param aiServiceName string 
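Review bot: The deployment-name seed dropped `aiUser.id` (`guid(containerApp.name, aiFoundryAiServices.outputs.resourceId)`), and `role.bicep` derives every role-assignment name from that seed, so all three assignments get new names on the next deployment; Azure rejects a second assignment for the same principal, role and scope under a different name (RoleAssignmentExists), so an environment deployed with the previous version would, as far as I can tell, fail to upgrade unless the old assignments are deleted first, and the now-removed `aiUserAccessProj` assignment is left behind as an orphan either way — worth a migration note or keeping the seed stable. `useExistingResourceId` is a second variable for exactly the expression `useExistingFoundryProject` introduced earlier in this file; use one of them. `existingAiFounryProjectName` has a typo (`Founry`). `principalId: containerApp.outputs.?systemAssignedMIPrincipalId!` silences the null check with `!`, so a container app deployed without a system-assigned identity fails at deployment time rather than at validation. The reuse module is deployed into the existing project's subscription and resource group (`resourceGroup(split(...)[2], split(...)[4])`), which requires the deploying principal to hold role-assignment write rights there; that prerequisite deserves a comment at the module.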
@@ -17,29 +11,27 @@ resource cognitiveServiceExisting 'Microsoft.CognitiveServices/accounts@2025-04- name: aiServiceName } +resource aiUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { + name: '53ca6127-db72-4b80-b1b0-d745d6d5456d' +} -resource aiUserAccessProj 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(name, 'aiUserAccessProj') - scope: cognitiveServiceExisting - properties: { - roleDefinitionId: roleDefinitionId - principalId: principalId - } +resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { + name: '64702f94-c441-49e6-a78b-ef80e0188fee' +} + +resource cognitiveServiceOpenAIUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { + name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' } resource aiUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid(name, 'aiUserAccessFoundry') scope: cognitiveServiceExisting properties: { - roleDefinitionId: aiUserid + roleDefinitionId: aiUser.id principalId: principalId } } -resource aiDeveloper 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { - name: '64702f94-c441-49e6-a78b-ef80e0188fee' -} - resource aiDeveloperAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid(name, 'aiDeveloperAccessFoundry') scope: cognitiveServiceExisting @@ -49,10 +41,6 @@ resource aiDeveloperAccessFoundry 'Microsoft.Authorization/roleAssignments@2022- } } -resource cognitiveServiceOpenAIUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { - name: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' -} - resource cognitiveServiceOpenAIUserAccessFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid(name, 'cognitiveServiceOpenAIUserAccessFoundry') scope: cognitiveServiceExisting
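Review bot: All three role assignments in this module are scoped to `cognitiveServiceExisting`, i.e. the whole Cognitive Services/Foundry account, and the module takes only `aiServiceName`, so in the reuse path (`cogServiceRoleAssignmentsExisting` in main.bicep) the container app's identity receives Azure AI User, Azure AI Developer and Cognitive Services OpenAI User on every project in the existing account, not only on the project whose ID was supplied. Azure AI Developer is, going by its name, a management-capable role rather than a pure invoke role, and Azure AI User together with Cognitive Services OpenAI User overlap for model calls; whether the app needs all three at runtime is not visible here, so please record the reason for each or drop the ones not required. If project-scoped assignments are supported for the reuse case, passing the project name and scoping to it would keep the grant to one project — worth confirming against the provider. A header comment would also help, e.g. `// Grants the principal the built-in Azure AI User, Azure AI Developer and Cognitive Services OpenAI User roles on the whole account (all projects), not per project.`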