@@ -114,6 +114,7 @@ module avmRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignme
114114 roleDefinitionId : '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
115115 principalType : 'ServicePrincipal'
116116 }
117+ scope : resourceGroup (resourceGroup ().name )
117118}
118119
119120// Assign Owner role to the managed identity in the resource group
@@ -174,6 +175,17 @@ module avmKeyVault './modules/key-vault.bicep' = {
174175 scope : resourceGroup (resourceGroup ().name )
175176}
176177
178+ module avmKeyVault_RoleAssignment_appConfig 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
179+ name : format (deployment_param .resource_name_format_string , 'role-assignment-keyvault-app-config' )
180+ params : {
181+ resourceId : avmKeyVault .outputs .resourceId
182+ principalId : avmAppConfig .outputs .systemAssignedMIPrincipalId
183+ roleDefinitionId : 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7' // 'Key Vault Secrets User'
184+ roleName : 'Key Vault Secret User'
185+ principalType : 'ServicePrincipal'
186+ }
187+ }
188+
177189// module kvault 'deploy_keyvault.bicep' = {
178190// name: 'deploy_keyvault'
179191// params: {
@@ -273,7 +285,7 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
273285module avmStorageAccount_RoleAssignment_avmContainerApp_blob 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
274286 name : format (deployment_param .resource_name_format_string , 'role-assignment-storage-data-contributor-container-app' )
275287 params : {
276- resourceId : avmContainerApp .outputs .resourceId
288+ resourceId : avmStorageAccount .outputs .resourceId
277289 principalId : avmContainerApp .outputs .?systemAssignedMIPrincipalId
278290 roleName : 'Storage Blob Data Contributor'
279291 roleDefinitionId : 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' //'Storage Blob Data Contributor'
@@ -284,7 +296,7 @@ module avmStorageAccount_RoleAssignment_avmContainerApp_blob 'br/public:avm/ptn/
284296module avmStorageAccount_RoleAssignment_avmContainerApp_queue 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
285297 name : format (deployment_param .resource_name_format_string , 'role-assignment-storage-contributor-container-app-queue' )
286298 params : {
287- resourceId : avmContainerApp .outputs .resourceId
299+ resourceId : avmStorageAccount .outputs .resourceId
288300 principalId : avmContainerApp .outputs .?systemAssignedMIPrincipalId
289301 roleName : 'Storage Queue Data Contributor'
290302 roleDefinitionId : '974c5e8b-45b9-4653-ba55-5f855dd0fb88' //'Storage Queue Data Contributor'
@@ -359,7 +371,7 @@ module avmAiServices 'br/public:avm/res/cognitive-services/account:0.10.2' = {
359371module avmAiServices_roleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
360372 name : format (deployment_param .resource_name_format_string , 'role-assignment-ai-services' )
361373 params : {
362- resourceId : avmContainerApp .outputs .resourceId
374+ resourceId : avmAiServices .outputs .resourceId
363375 principalId : avmContainerApp .outputs .?systemAssignedMIPrincipalId
364376 roleName : 'Cognitive Services OpenAI User'
365377 roleDefinitionId : '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' //'Cognitive Services OpenAI User'
@@ -394,7 +406,7 @@ module avmAiServices_cu 'br/public:avm/res/cognitive-services/account:0.10.2' =
394406module avmAiServices_cu_roleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
395407 name : format (deployment_param .resource_name_format_string , 'role-assignment-ai-services-cu' )
396408 params : {
397- resourceId : avmContainerApp .outputs .resourceId
409+ resourceId : avmAiServices_cu .outputs .resourceId
398410 principalId : avmContainerApp .outputs .?systemAssignedMIPrincipalId
399411 roleDefinitionId : 'a97b65f3-24c7-4388-baec-2e87135dc908' //'Cognitive Services User'
400412 principalType : 'ServicePrincipal'
@@ -562,6 +574,7 @@ module bicepAcrPullRoleAssignment 'br/public:avm/ptn/authorization/resource-role
562574 roleDefinitionId : '7f951dda-4ed3-4680-a7ca-43fe172d538d' // AcrPull role
563575 principalType : 'ServicePrincipal'
564576 }
577+ scope : resourceGroup (resourceGroup ().name )
565578}
566579
567580// module bicepAcrPullRoleAssignment_ 'modules/role_assignment.bicep' = {
@@ -979,6 +992,10 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
979992 value : '${deployment_param .resource_group_location }.api.azureml.ms;${subscription ().subscriptionId };${resourceGroup ().name };${avmAiProject .name }'
980993 //TODO: replace with actual AI project connection string
981994 }
995+ {
996+ name : 'APP_COSMOS_CONNSTR'
997+ value : avmCosmosDB .outputs .primaryReadWriteConnectionString
998+ }
982999 ]
9831000 // roleAssignments: [
9841001 // {
@@ -1000,7 +1017,7 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
10001017module avmRoleAssignment_container_app 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
10011018 name : format (deployment_param .resource_name_format_string , 'role-assignment-app-config-data-reader' )
10021019 params : {
1003- resourceId : avmContainerApp .outputs .resourceId
1020+ resourceId : avmAppConfig .outputs .resourceId
10041021 principalId : avmContainerApp .outputs .?systemAssignedMIPrincipalId
10051022 roleDefinitionId : '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
10061023 roleName : 'App Configuration Data Reader'
@@ -1011,7 +1028,7 @@ module avmRoleAssignment_container_app 'br/public:avm/ptn/authorization/resource
10111028module avmRoleAssignment_container_app_api 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
10121029 name : format (deployment_param .resource_name_format_string , 'role-assignment-app-config-data-reader-api' )
10131030 params : {
1014- resourceId : avmContainerApp_API .outputs .resourceId
1031+ resourceId : avmAppConfig .outputs .resourceId
10151032 principalId : avmContainerApp_API .outputs .?systemAssignedMIPrincipalId
10161033 roleDefinitionId : '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
10171034 roleName : 'App Configuration Data Reader'
@@ -1021,7 +1038,7 @@ module avmRoleAssignment_container_app_api 'br/public:avm/ptn/authorization/reso
10211038module avmRoleAssignment_container_app_web 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
10221039 name : format (deployment_param .resource_name_format_string , 'role-assignment-app-config-data-reader-web' )
10231040 params : {
1024- resourceId : avmContainerApp_Web .outputs .resourceId
1041+ resourceId : avmAppConfig .outputs .resourceId
10251042 principalId : avmContainerApp_Web .outputs .?systemAssignedMIPrincipalId
10261043 roleDefinitionId : '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
10271044 roleName : 'App Configuration Data Reader'
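Review bot: The `APP_COSMOS_CONNSTR` entry added to avmAppConfig stores the Cosmos DB primary read-write connection string as a plain key-value, so every principal holding App Configuration Data Reader on the store (the three container-app identities assigned in the later hunks) can read an account key with full data-plane access. The value may also surface in deployment records if the module output is not marked secure, which cannot be confirmed from this page. Prefer publishing only the account endpoint and granting the apps a Cosmos DB data-plane role through their managed identities, or keep the secret in avmKeyVault and store a Key Vault reference here. Separately, in avmKeyVault_RoleAssignment_appConfig the comment says 'Key Vault Secrets User', but `b86a8fe4-44ce-4948-aee5-eccb2c155cd7` is the built-in Key Vault Secrets Officer role, which also allows writing and deleting secrets. If read-only access is intended, use `roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6'` and correct the `roleName` spelling to match.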