
Commit 9e076fa

updated bicep resources
1 parent a9a4d63 commit 9e076fa

2 files changed

Lines changed: 531 additions & 3705 deletions


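--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -45,7 +45,7 @@ param secondaryLocation string = 'uksouth'
 ]
 }
 })
-param aiDeploymentsLocation string
+param azureAiServiceLocation string
 
 @minLength(1)
 @allowed([
@@ -402,7 +402,7 @@ var dnsZoneIndex = {
 @batchSize(5)
 module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
 for (zone, i) in privateDnsZones: if (enablePrivateNetworking) {
-name: 'avm.res.network.private-dns-zone.${contains(zone, 'azurecontainerapps.io') ? 'containerappenv' : split(zone, '.')[1]}'
+name: 'avm.res.network.private-dns-zone.${split(zone, '.')[1]}'
 params: {
 name: zone
 tags: tags
@@ -417,60 +417,6 @@ module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
 }
 ]
 
-// ==========Key Vault Module ========== //
-var keyVaultName = 'kv-${solutionSuffix}'
-module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
-name: take('avm.res.key-vault.vault.${keyVaultName}', 64)
-params: {
-name: keyVaultName
-location: solutionLocation
-tags: tags
-sku: 'standard'
-publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
-networkAcls: {
-defaultAction: 'Allow'
-}
-enableVaultForDeployment: true
-enableVaultForDiskEncryption: true
-enableVaultForTemplateDeployment: true
-enableRbacAuthorization: true
-enableSoftDelete: true
-enablePurgeProtection: enablePurgeProtection
-softDeleteRetentionInDays: 7
-diagnosticSettings: enableMonitoring
-? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }]
-: []
-// WAF aligned configuration for Private Networking
-privateEndpoints: enablePrivateNetworking
-? [
-{
-name: 'pep-${keyVaultName}'
-customNetworkInterfaceName: 'nic-${keyVaultName}'
-privateDnsZoneGroup: {
-privateDnsZoneGroupConfigs: [
-{ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId }
-]
-}
-service: 'vault'
-subnetResourceId: network!.outputs.subnetPrivateEndpointsResourceId
-}
-]
-: []
-// WAF aligned configuration for Role-based Access Control
-roleAssignments: [
-{
-principalId: userAssignedIdentity.outputs.principalId
-principalType: 'ServicePrincipal'
-roleDefinitionIdOrName: 'Key Vault Administrator'
-}
-]
-enableTelemetry: enableTelemetry
-}
-dependsOn:[
-avmPrivateDnsZones
-]
-}
-
 // ========== AI Foundry: AI Services ========== //
 resource existingAiFoundryAiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = if (useExistingAiFoundryAiProject) {
 name: aiFoundryAiServicesResourceName
@@ -521,7 +467,7 @@ module aiFoundryAiServices 'br:mcr.microsoft.com/bicep/avm/res/cognitive-service
 name: take('avm.res.cognitive-services.account.${aiFoundryAiServicesResourceName}', 64)
 params: {
 name: aiFoundryAiServicesResourceName
-location: aiDeploymentsLocation
+location: azureAiServiceLocation
 tags: tags
 sku: 'S0'
 kind: 'AIServices'
@@ -611,7 +557,7 @@ module aiFoundryAiServicesProject 'modules/ai-project.bicep' = if (!useExistingA
 name: take('module.ai-project.${aiFoundryAiProjectResourceName}', 64)
 params: {
 name: aiFoundryAiProjectResourceName
-location: aiDeploymentsLocation
+location: azureAiServiceLocation
 tags: tags
 desc: aiFoundryAiProjectDescription
 //Implicit dependencies below
@@ -651,7 +597,7 @@ module searchServiceToExistingAiServicesRoleAssignment 'modules/role-assignment.
 // ========== AI Foundry: AI Search ========== //
 var nenablePrivateNetworking = false
 module aiSearch 'br/public:avm/res/search/search-service:0.11.1' = {
-name: take('avm.res.cognitive-search-services.${aiSearchName}', 64)
+name: take('avm.res.search.search-service.${aiSearchName}', 64)
 params: {
 name: aiSearchName
 authOptions: {
@@ -815,7 +761,6 @@ module storageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
 ]
 : []
 }
-scope: resourceGroup(resourceGroup().name)
 }
 
 // ========== Cosmos DB module ========== //
@@ -903,20 +848,56 @@ module cosmosDB 'br/public:avm/res/document-db/database-account:0.15.0' = {
 }
 ]
 }
-scope: resourceGroup(resourceGroup().name)
 }
 
-// working version of saving storage account secrets in key vault using AVM module
-module saveSecretsInKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
-name: take('saveSecretsInKeyVault.${keyVaultName}', 64)
+// ==========Key Vault Module ========== //
+var keyVaultName = 'kv-${solutionSuffix}'
+module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+name: take('avm.res.key-vault.vault.${keyVaultName}', 64)
 params: {
 name: keyVaultName
+location: solutionLocation
+tags: tags
+sku: 'standard'
+publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+networkAcls: {
+defaultAction: 'Allow'
+}
 enableVaultForDeployment: true
 enableVaultForDiskEncryption: true
 enableVaultForTemplateDeployment: true
 enableRbacAuthorization: true
 enableSoftDelete: true
+enablePurgeProtection: enablePurgeProtection
 softDeleteRetentionInDays: 7
+diagnosticSettings: enableMonitoring
+? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }]
+: []
+// WAF aligned configuration for Private Networking
+privateEndpoints: enablePrivateNetworking
+? [
+{
+name: 'pep-${keyVaultName}'
+customNetworkInterfaceName: 'nic-${keyVaultName}'
+privateDnsZoneGroup: {
+privateDnsZoneGroupConfigs: [
+{ privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId }
+]
+}
+service: 'vault'
+subnetResourceId: network!.outputs.subnetPrivateEndpointsResourceId
+}
+]
+: []
+// WAF aligned configuration for Role-based Access Control
+roleAssignments: [
+{
+principalId: userAssignedIdentity.outputs.principalId
+principalType: 'ServicePrincipal'
+roleDefinitionIdOrName: 'Key Vault Administrator'
+}
+]
+enableTelemetry: enableTelemetry
 secrets: [
 {
 name: 'ADLS-ACCOUNT-NAME'
@@ -950,17 +931,13 @@ module saveSecretsInKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 name: 'AZURE-COSMOSDB-ENABLE-FEEDBACK'
 value: 'True'
 }
-{name: 'AZURE-LOCATION', value: aiDeploymentsLocation}
+{name: 'AZURE-LOCATION', value: azureAiServiceLocation }
 {name: 'AZURE-RESOURCE-GROUP', value: resourceGroup().name}
 {name: 'AZURE-SUBSCRIPTION-ID', value: subscription().subscriptionId}
 {
 name: 'COG-SERVICES-NAME'
 value: aiFoundryAiServicesResourceName
 }
-// {
-// name: 'COG-SERVICES-KEY'
-// value: !useExistingAiFoundryAiProject ? existingAiFoundryAiServices!.listKeys().key1 : aiFoundryAiServices!.listKeys().key1
-// }
 {
 name: 'COG-SERVICES-ENDPOINT'
 value: 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
@@ -984,6 +961,9 @@ module saveSecretsInKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 {name: 'TENANT-ID', value: subscription().tenantId}
 ]
 }
+dependsOn:[
+avmPrivateDnsZones
+]
 }
 
 // ========== Frontend server farm ========== //
@@ -1079,7 +1059,7 @@ module webSite 'modules/web-sites.bicep' = {
 AZURE_CLIENT_ID: userAssignedIdentity.outputs.clientId
 }
 // WAF aligned configuration for Monitoring
-applicationInsightResourceId: (enableMonitoring && !useExistingLogAnalytics) ? applicationInsights!.outputs.resourceId : null
+applicationInsightResourceId: enableMonitoring ? applicationInsights!.outputs.resourceId : null
 }
 ]
 diagnosticSettings: enableMonitoring ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }] : null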
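Review bot: The merged Key Vault module in the `@@ -903,20 +848,56 @@` hunk seeds the vault with the application's secrets and, in the same `roleAssignments` block, grants `userAssignedIdentity` the `'Key Vault Administrator'` role, which is broader than a workload identity that only reads those secrets appears to need; if the identity consumes them at runtime and does not manage the vault, `roleDefinitionIdOrName: 'Key Vault Secrets User'` is the least-privilege choice. The same block keeps `networkAcls: { defaultAction: 'Allow' }` beside `publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'`, so a deployment with private networking off exposes the vault with no firewall restriction; a comment such as `// non-private deployments intentionally leave the vault firewall open` would at least make that an explicit decision rather than an accident of the merge. The `module keyvault` definition begins in this hunk but its `secrets` list runs past it. Separately, the `@@ -1079,7 +1059,7 @@` hunk drops the `!useExistingLogAnalytics` guard in front of `applicationInsights!.outputs.resourceId`; if the applicationInsights module is itself conditional on that flag (not visible here), the non-null assertion will fail for deployments that reuse an existing workspace.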
