WAF - network role update and param cleanup

Author: Seth

infra/main.bicep

@@ -39,19 +39,19 @@ param azureAiServiceLocation string = location
 param capacity int = 5
 
 @description('Enable monitoring for the resources. This will enable Application Insights and Log Analytics. Defaults to false.')
-param enableMonitoring bool = true
+param enableMonitoring bool = false
 
 @description('Enable scaling for the container apps. Defaults to false.')
-param enableScaling bool = true
+param enableScaling bool = false
 
 @description('Enable redundancy for applicable resources. Defaults to false.')
-param enableRedundancy bool = true
+param enableRedundancy bool = false
 
-@description('Optional. The secondary location for the Cosmos DB account if redundancy is enabled.')
+@description('Optional. The secondary location for the Cosmos DB account if redundancy is enabled. Defaults to false.')
 param secondaryLocation string?
 
-@description('Optional. Enable private networking for the resources. Set to true to enable private networking.')
-param enablePrivateNetworking bool = true
+@description('Optional. Enable private networking for the resources. Set to true to enable private networking. Defaults to false.')
+param enablePrivateNetworking bool = false
 
 @description('Optional. Specifies the resource tags for all the resources. Tag "azd-env-name" is automatically added to all resources.')
 param tags object = {}
@@ -89,7 +89,7 @@ module appIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.
   }
 }
 
-module aiFoundryProjectIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+module aiFoundryIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
   name: take('identity-proj-${resourcesName}-deployment', 64)
   params: {
     name: 'id-proj-${resourcesName}'
@@ -98,12 +98,20 @@ module aiFoundryProjectIdentity 'br/public:avm/res/managed-identity/user-assigne
   }
 }
 
+// used for foundry to create and approve managed virtual network and approve private endpoint connections
+// Ref: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/configure-managed-network?tabs=portal#approval-of-private-endpoints
+var foundryNetworkConnectionApproverRoleAssignment = {
+  principalId: aiFoundryIdentity.outputs.principalId
+  principalType: 'ServicePrincipal'
+  roleDefinitionIdOrName: 'b556d68e-0be0-4f35-a333-ad7ee1ce17ea' // Azure AI Enterprise Network Connection Approver
+}
+
 module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0.11.2' = if (enableMonitoring || enablePrivateNetworking) {
   name: take('log-analytics-${resourcesName}-deployment', 64)
   params: {
     name: 'log-${resourcesName}'
     location: location
-    skuName: 'PerGB2018'
+    skuName: 'PerGB2018' 
     dataRetention: 30
     diagnosticSettings: [{ useThisWorkspace: true }]
     tags: allTags
@@ -159,6 +167,7 @@ module storageAccount 'modules/storageAccount.bicep' = {
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Storage Blob Data Contributor'
       }
+      foundryNetworkConnectionApproverRoleAssignment
     ]
   }
 }
@@ -191,10 +200,11 @@ module azureAiServices 'modules/aiServices.bicep' = {
         roleDefinitionIdOrName: 'Cognitive Services OpenAI Contributor'
       }
       {
-        principalId: aiFoundryProjectIdentity.outputs.principalId
+        principalId: aiFoundryIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Cognitive Services OpenAI Contributor'
       }
+      foundryNetworkConnectionApproverRoleAssignment
     ]
     tags: allTags
   }
@@ -215,10 +225,11 @@ module keyVault 'modules/keyVault.bicep' = {
     } : null 
     roleAssignments: [
       {
-        principalId: aiFoundryProjectIdentity.outputs.principalId
+        principalId: aiFoundryIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Key Vault Reader'
       }
+      foundryNetworkConnectionApproverRoleAssignment
     ]
     tags: allTags
   }
@@ -235,7 +246,7 @@ module azureAifoundry 'modules/aiFoundry.bicep' = {
     projectName: 'proj-${resourcesName}'
     storageAccountResourceId: storageAccount.outputs.resourceId
     keyVaultResourceId: keyVault.outputs.resourceId
-    userAssignedIdentityResourceId: aiFoundryProjectIdentity.outputs.resourceId
+    userAssignedIdentityResourceId: aiFoundryIdentity.outputs.resourceId
     logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
     aiServicesName: azureAiServices.outputs.name
     privateNetworking: enablePrivateNetworking ? {
@@ -260,19 +271,22 @@ module cosmosDb 'modules/cosmosDb.bicep' = {
   params: {
     name: 'cosmos-${uniqueResourcesName}'
     location: location
-    managedIdentityPrincipalId: appIdentity.outputs.principalId
+    dataAccessIdentityPrincipalId: appIdentity.outputs.principalId
     logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspace.outputs.resourceId : ''
     zoneRedundant: enableRedundancy
     secondaryLocation: enableRedundancy && !empty(secondaryLocation) ? secondaryLocation : ''
     privateNetworking: enablePrivateNetworking ? {
       virtualNetworkResourceId: network.outputs.vnetResourceId
       subnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'data')).resourceId
     } : null
+    roleAssignments: [
+      foundryNetworkConnectionApproverRoleAssignment
+    ]
     tags: allTags
   }
 }
 
-var containerAppsEnvironmentName = 'cae-${resourcesName}${enablePrivateNetworking ? '-frontend' : ''}'
+var containerAppsEnvironmentName = 'cae-${resourcesName}'
 
 module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.2' = {
   name: take('container-env-${resourcesName}-deployment', 64)
@@ -283,7 +297,7 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
     infrastructureResourceGroupName: '${resourceGroup().name}-ME-${containerAppsEnvironmentName}'
     location: location
     zoneRedundant: enableRedundancy && enablePrivateNetworking
-    publicNetworkAccess: 'Enabled' // public access required for frontend (and backend if private networking is not enabled)
+    publicNetworkAccess: 'Enabled' // public access required for frontend
     infrastructureSubnetResourceId: enablePrivateNetworking ? first(filter(network.outputs.subnets, s => s.name == 'web')).resourceId : null
     managedIdentities: {
       userAssignedResourceIds: [
@@ -308,7 +322,7 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
   }
 }
 
-module containerAppFrontend 'br/public:avm/res/app/container-app:0.16.0' = {
+module containerAppFrontend 'br/public:avm/res/app/container-app:0.17.0' = {
   name: take('container-app-frontend-${resourcesName}-deployment', 64)
   params: {
     name: take('ca-${uniqueResourcesName}frontend', 32)
@@ -336,7 +350,7 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.16.0' = {
       }
     ]
     ingressTargetPort: 3000
-    ingressExternal: true // public access required for frontend
+    ingressExternal: true
     scaleSettings: {
       maxReplicas: enableScaling ? 3 : 1
       minReplicas: 1
@@ -355,52 +369,14 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.16.0' = {
   }
 }
 
-var containerAppsEnvironmentBackendName = 'cae-${resourcesName}-backend'
-
-module containerAppsEnvironmentBackend 'br/public:avm/res/app/managed-environment:0.11.2' = if (enablePrivateNetworking) {
-  name: take('container-env-backend-${resourcesName}-deployment', 64)
-  #disable-next-line no-unnecessary-dependson
-  dependsOn: [applicationInsights, logAnalyticsWorkspace] // required due to optional flags that could change dependency
-  params: {
-    name: containerAppsEnvironmentBackendName
-    infrastructureResourceGroupName: '${resourceGroup().name}-ME-${containerAppsEnvironmentBackendName}'
-    location: location
-    zoneRedundant: enableRedundancy
-    publicNetworkAccess: 'Disabled' // public access denied for backend
-    infrastructureSubnetResourceId: first(filter(network.outputs.subnets, s => s.name == 'app')).resourceId
-    managedIdentities: {
-      userAssignedResourceIds: [
-        appIdentity.outputs.resourceId
-      ]
-    }
-    appInsightsConnectionString: enableMonitoring ? applicationInsights.outputs.connectionString : null
-    appLogsConfiguration: enableMonitoring ? {
-      destination: 'log-analytics'
-      logAnalyticsConfiguration: {
-        customerId: logAnalyticsWorkspace.outputs.logAnalyticsWorkspaceId
-        sharedKey: logAnalyticsWorkspace.outputs.primarySharedKey
-      }
-    } : {}
-    workloadProfiles: [ // NOTE: workload profiles are required for private networking
-      {
-        name: 'Consumption'
-        workloadProfileType: 'Consumption'
-      }
-    ]
-    tags: allTags
-  }
-}
-
-var containerAppsEnvironmentResourceId = enablePrivateNetworking ? containerAppsEnvironmentBackend.outputs.resourceId : containerAppsEnvironment.outputs.resourceId
-
-module containerAppBackend 'br/public:avm/res/app/container-app:0.16.0' = {
+module containerAppBackend 'br/public:avm/res/app/container-app:0.17.0' = {
   name: take('container-app-backend-${resourcesName}-deployment', 64)
   #disable-next-line no-unnecessary-dependson
-  dependsOn: [applicationInsights, containerAppsEnvironmentBackend] // required due to optional flags that could change dependency
+  dependsOn: [applicationInsights] // required due to optional flags that could change dependency
   params: {
     name: take('ca-${uniqueResourcesName}backend', 32)
     location: location
-    environmentResourceId: containerAppsEnvironmentResourceId
+    environmentResourceId: containerAppsEnvironment.outputs.resourceId
     managedIdentities: {
       userAssignedResourceIds: [
         appIdentity.outputs.resourceId
@@ -523,7 +499,13 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.16.0' = {
       }
     ]
     ingressTargetPort: 8000
-    ingressExternal: false // set to false to prevent public access
+    ingressExternal: true
+    // TODO - need way to set this CORS policy after frontend container app is deployed (issue is circular dependency since frontend needs backend to be deployed first)
+    // corsPolicy: {
+    //   allowedOrigins: [
+    //     'https://${containerAppFrontend.outputs.fqdn}'
+    //   ]
+    // }
     scaleSettings: {
       maxReplicas: enableScaling ? 3 : 1
       minReplicas: 1
@@ -541,3 +523,4 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.16.0' = {
     tags: allTags
   }
 }
+

infra/main.bicepparam

@@ -1,6 +1,4 @@
 using './main.bicep'
 
-param location = readEnvironmentVariable('AZURE_LOCATION','japaneast')
-param azureAiServiceLocation = location
-param environmentName = readEnvironmentVariable('AZURE_ENV_NAME','azdtemp')
-
+param environmentName = readEnvironmentVariable('AZURE_ENV_NAME')
+param location = readEnvironmentVariable('AZURE_LOCATION')

infra/modules/aiFoundry.bicep

@@ -84,9 +84,24 @@ module hub 'br/public:avm/res/machine-learning-services/workspace:0.12.1' = {
     associatedStorageAccountResourceId: storageAccountResourceId
     associatedApplicationInsightsResourceId: applicationInsightsResourceId
     publicNetworkAccess: privateNetworking != null ? 'Disabled' : 'Enabled'
+    managedNetworkSettings: {
+      isolationMode: privateNetworking != null ? 'AllowInternetOutbound' : 'Disabled'
+      outboundRules: {
+        cog_services_pep: {
+          category: 'UserDefined'
+          destination: {
+            serviceResourceId: aiServices.id
+            sparkEnabled: true
+            subresourceTarget: 'account'
+          }
+          type: 'PrivateEndpoint'
+        }
+      }
+    }
     managedIdentities: {
       systemAssigned: true
     }
+    systemDatastoresAuthMode: 'Identity'
     diagnosticSettings: !empty(logAnalyticsWorkspaceResourceId) ? [{workspaceResourceId: logAnalyticsWorkspaceResourceId}] : []
     privateEndpoints: privateNetworking != null ? [
       {
@@ -133,6 +148,8 @@ module project 'br/public:avm/res/machine-learning-services/workspace:0.12.1' =
     sku: 'Standard'
     location: location
     hubResourceId: hub.outputs.resourceId
+    hbiWorkspace: false
+    systemDatastoresAuthMode: 'Identity'
     publicNetworkAccess: privateNetworking != null ? 'Disabled' : 'Enabled'
     managedIdentities: {
       userAssignedResourceIds: [userAssignedIdentityResourceId]

infra/modules/cosmosDb.bicep

@@ -8,7 +8,7 @@ param location string
 param tags object = {}
 
 @description('Managed Identity princpial to assign data plane roles for the Cosmos DB Account.')
-param managedIdentityPrincipalId string
+param dataAccessIdentityPrincipalId string
 
 @description('Optional. The resource ID of an existing Log Analytics workspace to associate with AI Foundry for monitoring.')
 param logAnalyticsWorkspaceResourceId string?
@@ -22,6 +22,9 @@ param secondaryLocation string?
 @description('Optional. Values to establish private networking for the Cosmos DB resource.')
 param privateNetworking resourcePrivateNetworkingType?
 
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
 module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.1' = if (privateNetworking != null && empty(privateNetworking.?privateDnsZoneResourceId)) {
   name: take('${name}-documents-pdns-deployment', 64)
   params: {
@@ -131,15 +134,17 @@ module cosmosAccount 'br/public:avm/res/document-db/database-account:0.15.0' = {
     ]
     dataPlaneRoleAssignments: [
       {
-        principalId: managedIdentityPrincipalId
+        principalId: dataAccessIdentityPrincipalId
         roleDefinitionId: sqlContributorRoleDefinition.id
       }
     ]
+    roleAssignments: roleAssignments
     tags: tags
   }
 }
 
 import { resourcePrivateNetworkingType } from 'customTypes.bicep'
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 
 output resourceId string = cosmosAccount.outputs.resourceId
 output name string = cosmosAccount.outputs.name