Modernizing Bicep for FlexConsumption, updated AI resources, and MI

Signed-off-by: Paul Yuknewicz <[email protected]>

Author: paulyuk

infra/app/ai-Cog-Service-Access.bicep

@@ -0,0 +1,21 @@
+param principalID string
+param principalType string = 'ServicePrincipal' // Workaround for https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
+param roleDefinitionID string
+param aiResourceName string
+
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = {
+  name: aiResourceName
+}
+
+// Allow access from API to this resource using a managed identity and least priv role grants
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(cognitiveService.id, principalID, roleDefinitionID)
+  scope: cognitiveService
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionID)
+    principalId: principalID
+    principalType: principalType 
+  }
+}
+
+output ROLE_ASSIGNMENT_NAME string = roleAssignment.name

infra/app/ai.bicep

@@ -1,47 +1,50 @@
 param name string
 param location string = resourceGroup().location
 param tags object = {}
-
-param allowedOrigins array = []
 param applicationInsightsName string = ''
 param appServicePlanId string
 param appSettings object = {}
-param keyVaultName string
+param runtimeName string 
+param runtimeVersion string 
 param serviceName string = 'api'
 param storageAccountName string
-param openAiAccountName string
-param openAiResourceGroupName string
+param deploymentStorageContainerName string
+param virtualNetworkSubnetId string = ''
+param instanceMemoryMB int = 2048
+param maximumInstanceCount int = 100
+param identityId string = ''
+param identityClientId string = ''
+param aiServiceUrl string = ''
+
+var applicationInsightsIdentity = 'ClientId=${identityClientId};Authorization=AAD'
 
-module api '../core/host/functions.bicep' = {
-  name: '${serviceName}-functions-python-module'
+module api '../core/host/functions-flexconsumption.bicep' = {
+  name: '${serviceName}-functions-module'
   params: {
     name: name
     location: location
     tags: union(tags, { 'azd-service-name': serviceName })
-    allowedOrigins: allowedOrigins
-    alwaysOn: false
-    appSettings: union(appSettings, {
-        AZURE_OPENAI_KEY: openai.listKeys().key1
+    identityType: 'UserAssigned'
+    identityId: identityId
+    appSettings: union(appSettings,
+      {
+        AzureWebJobsStorage__clientId : identityClientId
+        APPLICATIONINSIGHTS_AUTHENTICATION_STRING: applicationInsightsIdentity
+        AZURE_OPENAI_ENDPOINT: aiServiceUrl
+        AZURE_CLIENT_ID: identityClientId
       })
     applicationInsightsName: applicationInsightsName
     appServicePlanId: appServicePlanId
-    keyVaultName: keyVaultName
-    //py
-    numberOfWorkers: 1
-    minimumElasticInstanceCount: 0
-    //--py
-    runtimeName: 'python'
-    runtimeVersion: '3.9'
+    runtimeName: runtimeName
+    runtimeVersion: runtimeVersion
     storageAccountName: storageAccountName
-    scmDoBuildDuringDeployment: false
+    deploymentStorageContainerName: deploymentStorageContainerName
+    virtualNetworkSubnetId: virtualNetworkSubnetId
+    instanceMemoryMB: instanceMemoryMB 
+    maximumInstanceCount: maximumInstanceCount
   }
 }
 
-resource openai 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = {
-  name: openAiAccountName
-  scope: resourceGroup(openAiResourceGroupName)
-}
-
-output SERVICE_API_IDENTITY_PRINCIPAL_ID string = api.outputs.identityPrincipalId
 output SERVICE_API_NAME string = api.outputs.name
 output SERVICE_API_URI string = api.outputs.uri
+output SERVICE_API_IDENTITY_PRINCIPAL_ID string = api.outputs.identityPrincipalId

infra/app/api.bicep

@@ -0,0 +1,38 @@
+param location string = resourceGroup().location
+param tags object = {}
+param storageAccountId string
+
+resource unprocessedPdfSystemTopic 'Microsoft.EventGrid/systemTopics@2024-06-01-preview' = {
+  name: 'unprocessed-pdf-topic'
+  location: location
+  tags: tags
+  properties: {
+    source: storageAccountId
+    topicType: 'Microsoft.Storage.StorageAccounts'
+  }
+}
+
+// The actual event grid subscription will be created in the post deployment script as it needs the function to be deployed first
+
+// resource unprocessedPdfSystemTopicSubscription 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2024-06-01-preview' = {
+//   parent: unprocessedPdfSystemTopic
+//   name: 'unprocessed-pdf-topic-subscription'
+//   properties: {
+//     destination: {
+//       endpointType: 'WebHook'
+//       properties: {
+//         //Will be set on post-deployment script once the function is created and the blobs extension code is available
+//         //endpointUrl: 'https://${function_app_blob_event_grid_name}.azurewebsites.net/runtime/webhooks/blobs?functionName=Host.Functions.Trigger_BlobEventGrid&code=${blobs_extension}'
+//       }
+//     }
+//     filter: {
+//       includedEventTypes: [
+//         'Microsoft.Storage.BlobCreated'
+//       ]
+//       subjectBeginsWith: '/blobServices/default/containers/${unprocessedPdfContainerName}/'
+//     }
+//   }
+// }
+
+output unprocessedPdfSystemTopicId string = unprocessedPdfSystemTopic.id
+output unprocessedPdfSystemTopicName string = unprocessedPdfSystemTopic.name 

infra/app/db.bicep

@@ -0,0 +1,21 @@
+param principalID string
+param principalType string = 'ServicePrincipal' // Workaround for https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
+param roleDefinitionID string
+param storageAccountName string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
+  name: storageAccountName
+}
+
+// Allow access from API to storage account using a managed identity and least priv Storage roles
+resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(storageAccount.id, principalID, roleDefinitionID)
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionID)
+    principalId: principalID
+    principalType: principalType
+  }
+}
+
+output ROLE_ASSIGNMENT_NAME string = storageRoleAssignment.name

infra/app/eventgrid.bicep

@@ -0,0 +1,89 @@
+// Parameters
+@description('Specifies the name of the virtual network.')
+param virtualNetworkName string
+
+@description('Specifies the name of the subnet which contains the virtual machine.')
+param subnetName string
+
+@description('Specifies the resource name of the Storage resource with an endpoint.')
+param resourceName string
+
+@description('Specifies the location.')
+param location string = resourceGroup().location
+
+param tags object = {}
+
+// Virtual Network
+resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' existing = {
+  name: virtualNetworkName
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
+  name: resourceName
+}
+
+var blobPrivateDNSZoneName = format('privatelink.blob.{0}', environment().suffixes.storage)
+var blobPrivateDnsZoneVirtualNetworkLinkName = format('{0}-link-{1}', resourceName, take(toLower(uniqueString(resourceName, virtualNetworkName)), 4))
+
+// Private DNS Zones
+resource blobPrivateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: blobPrivateDNSZoneName
+  location: 'global'
+  tags: tags
+  properties: {}
+  dependsOn: [
+    vnet
+  ]
+}
+
+// Virtual Network Links
+resource blobPrivateDnsZoneVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
+  parent: blobPrivateDnsZone
+  name: blobPrivateDnsZoneVirtualNetworkLinkName
+  location: 'global'
+  tags: tags
+  properties: {
+    registrationEnabled: false
+    virtualNetwork: {
+      id: vnet.id
+    }
+  }
+}
+
+// Private Endpoints
+resource blobPrivateEndpoint 'Microsoft.Network/privateEndpoints@2021-08-01' = {
+  name: 'blob-private-endpoint'
+  location: location
+  tags: tags
+  properties: {
+    privateLinkServiceConnections: [
+      {
+        name: 'blobPrivateLinkConnection'
+        properties: {
+          privateLinkServiceId: storageAccount.id
+          groupIds: [
+            'blob'
+          ]
+        }
+      }
+    ]
+    subnet: {
+      id: '${vnet.id}/subnets/${subnetName}'
+    }
+  }
+}
+
+resource blobPrivateDnsZoneGroupName 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-01-01' = {
+  parent: blobPrivateEndpoint
+  name: 'blobPrivateDnsZoneGroup'
+  properties: {
+    privateDnsZoneConfigs: [
+      {
+        name: 'storageBlobARecord'
+        properties: {
+          privateDnsZoneId: blobPrivateDnsZone.id
+        }
+      }
+    ]
+  }
+}

infra/app/storage-Access.bicep

@@ -0,0 +1,75 @@
+@description('Specifies the name of the virtual network.')
+param vNetName string
+
+@description('Specifies the location.')
+param location string = resourceGroup().location
+
+@description('Specifies the name of the subnet for the Service Bus private endpoint.')
+param peSubnetName string = 'private-endpoints-subnet'
+
+@description('Specifies the name of the subnet for Function App virtual network integration.')
+param appSubnetName string = 'app'
+
+param tags object = {}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-05-01' = {
+  name: vNetName
+  location: location
+  tags: tags
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+    encryption: {
+      enabled: false
+      enforcement: 'AllowUnencrypted'
+    }
+    subnets: [
+      {
+        name: peSubnetName
+        id: resourceId('Microsoft.Network/virtualNetworks/subnets', vNetName, 'private-endpoints-subnet')
+        properties: {
+          addressPrefixes: [
+            '10.0.1.0/24'
+          ]
+          delegations: []
+          privateEndpointNetworkPolicies: 'Disabled'
+          privateLinkServiceNetworkPolicies: 'Enabled'
+        }
+        type: 'Microsoft.Network/virtualNetworks/subnets'
+      }
+      {
+        name: appSubnetName
+        id: resourceId('Microsoft.Network/virtualNetworks/subnets', vNetName, 'app')
+        properties: {
+          addressPrefixes: [
+            '10.0.2.0/24'
+          ]
+          delegations: [
+            {
+              name: 'delegation'
+              id: resourceId('Microsoft.Network/virtualNetworks/subnets/delegations', vNetName, 'app', 'delegation')
+              properties: {
+                //Microsoft.App/environments is the correct delegation for Flex Consumption VNet integration
+                serviceName: 'Microsoft.App/environments'
+              }
+              type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
+            }
+          ]
+          privateEndpointNetworkPolicies: 'Disabled'
+          privateLinkServiceNetworkPolicies: 'Enabled'
+        }
+        type: 'Microsoft.Network/virtualNetworks/subnets'
+      }
+    ]
+    virtualNetworkPeerings: []
+    enableDdosProtection: false
+  }
+}
+
+output peSubnetName string = virtualNetwork.properties.subnets[0].name
+output peSubnetID string = virtualNetwork.properties.subnets[0].id
+output appSubnetName string = virtualNetwork.properties.subnets[1].name
+output appSubnetID string = virtualNetwork.properties.subnets[1].id