
Commit 01282f5

Role assignment done correctly
1 parent 65126ac commit 01282f5

2 files changed

Lines changed: 37 additions & 16 deletions


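--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -27,7 +27,7 @@
 "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}"
 },
 "azureExistingAIProjectResourceId": {
-"value": "AZURE_EXISTING_AI_PROJECT_RESOURCE_ID"
+"value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}"
 },
 "secondaryLocation": {
 "value": "${AZURE_ENV_COSMOS_SECONDARY_LOCATION}"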

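--- a/infra/modules/ai-foundry/project.bicep
+++ b/infra/modules/ai-foundry/project.bicep
@@ -20,14 +20,16 @@ param tags object = {}
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-@description('Optional. Use this parameter to use an existing AI project resource ID')
-param azureExistingAIProjectResourceId string?
+@description('Optional. Use this parameter to use an existing AI project resource ID from different resource group')
+param azureExistingAIProjectResourceId string = ''
 
-// Endpoint from existing AI Project Resource ID if provided
-var existingProjEndpoint = !empty(azureExistingAIProjectResourceId) ?
-format('https://{0}.services.ai.azure.com/api/projects/{1}',
-split(azureExistingAIProjectResourceId, '/')[8], split(azureExistingAIProjectResourceId, '/')
-[10]) : ''
+// Extract components from existing AI Project Resource ID if provided
+var useExistingProject = !empty(azureExistingAIProjectResourceId)
+var existingProjName = useExistingProject ? last(split(azureExistingAIProjectResourceId, '/')) : ''
+var existingCogServiceName = useExistingProject ? split(azureExistingAIProjectResourceId, '/')[8] : ''
+var existingRgName = useExistingProject ? split(azureExistingAIProjectResourceId, '/')[4] : ''
+var existingSubscriptionId = useExistingProject ? split(azureExistingAIProjectResourceId, '/')[2] : ''
+var existingProjEndpoint = useExistingProject ? format('https://{0}.services.ai.azure.com/api/projects/{0}', existingProjName) : ''
 
 // using a few built-in roles here that makes sense for Foundry projects only
 var builtInRoleNames = {
@@ -60,11 +62,13 @@ var formattedRoleAssignments = [
 })
 ]
 
-resource cogServiceReference 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = {
+// Reference to cognitive service in current resource group for new projects
+resource cogServiceReference 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = if (!useExistingProject) {
 name: aiServicesName
 }
 
-resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (empty(azureExistingAIProjectResourceId)) {
+// Create new AI project only if not reusing existing one
+resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = if (!useExistingProject) {
 parent: cogServiceReference
 name: name
 tags: tags
@@ -78,9 +82,10 @@ resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-pre
 }
 }
 
-module aiProjectRoleAssignement 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = [
-for (roleAssignment, i) in formattedRoleAssignments: {
-name: 'avm.ptn.authorization.resource-role-assignment.${uniqueString(name, roleAssignment.roleDefinitionId, roleAssignment.principalId)}'
+// Role assignments for new project
+module newProjectRoleAssignments 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = [
+for (roleAssignment, i) in (useExistingProject ? [] : formattedRoleAssignments): {
+name: 'new-role-${i}-${take(uniqueString(name, roleAssignment.roleDefinitionId, roleAssignment.principalId), 8)}'
 params: {
 roleDefinitionId: roleAssignment.roleDefinitionId
 principalId: roleAssignment.principalId
@@ -91,14 +96,30 @@ module aiProjectRoleAssignement 'br/public:avm/ptn/authorization/resource-role-a
 }
 ]
 
+// Role assignments for existing project from different resource group
+// Deploy to the same subscription but different resource group where the AI project exists
+module existingProjectRoleAssignments 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = [
+for (roleAssignment, i) in (useExistingProject ? formattedRoleAssignments : []): {
+name: 'existing-role-${i}-${take(uniqueString(azureExistingAIProjectResourceId, roleAssignment.roleDefinitionId, roleAssignment.principalId), 8)}'
+scope: resourceGroup(existingSubscriptionId, existingRgName)
+params: {
+roleDefinitionId: roleAssignment.roleDefinitionId
+principalId: roleAssignment.principalId
+principalType: 'ServicePrincipal'
+resourceId: azureExistingAIProjectResourceId // Use the full resource ID directly
+enableTelemetry: enableTelemetry
+}
+}
+]
+
 @description('Name of the AI Foundry project.')
-output name string = aiProject.name
+output name string = useExistingProject ? existingProjName : aiProject.name
 
 @description('Resource ID of the AI Foundry project.')
-output resourceId string = aiProject.id
+output resourceId string = useExistingProject ? azureExistingAIProjectResourceId : aiProject.id
 
 @description('API endpoint for the AI Foundry project.')
-output apiEndpoint string = !empty(existingProjEndpoint) ? existingProjEndpoint : aiProject.properties.endpoints['AI Foundry API']
+output apiEndpoint string = useExistingProject ? existingProjEndpoint : aiProject.properties.endpoints['AI Foundry API']
 
 @export()
 @description('Output type representing AI project information.')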
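Review bot: The new `existingProjEndpoint` on new line 32 fills both the host and the project segment from `existingProjName`, because `{0}` appears twice in the format string; the removed expression took the host from segment 8 of the resource ID, which is the AI Services account name. Unless the account and the project share a name, the `apiEndpoint` output will name a host that belongs to a different account or to none, and consumers of the output would send their tokens and requests there. `existingCogServiceName` is already computed on new line 29 and is not used in the visible hunks, so the line presumably should read `format('https://{0}.services.ai.azure.com/api/projects/{1}', existingCogServiceName, existingProjName)`. The role-assignment scope on new line 104 comes from fixed segments of the same string, so a comment above the `split` lines stating the expected shape (`/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<account>/projects/<project>`) would help. The comment on new line 100 says "same subscription", but the scope uses whatever subscription the ID names.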
