
Commit 2d32420

committed
fix circular reference issue
1 parent ec5456d commit 2d32420

1 file changed

Lines changed: 137 additions & 47 deletions


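--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -251,14 +251,14 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
 principalId: avmManagedIdentity.outputs.principalId
 roleDefinitionIdOrName: 'Storage Blob Data Contributor'
 }
-{
-principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'Storage Blob Data Contributor'
-}
-{
-principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'Storage Queue Data Contributor'
-}
+// {
+// principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'Storage Blob Data Contributor'
+// }
+// {
+// principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'Storage Queue Data Contributor'
+// }
 ]
 networkAcls: {
 bypass: 'AzureServices'
@@ -270,6 +270,31 @@ module avmStorageAccount 'br/public:avm/res/storage/storage-account:0.20.0' = {
 }
 }
 
+module avmStorageAccount_RoleAssignment_avmContainerApp_blob 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-storage-data-contributor-container-app')
+params: {
+resourceId: avmContainerApp.outputs.resourceId
+principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+roleName: 'Storage Blob Data Contributor'
+roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' //'Storage Blob Data Contributor'
+principalType: 'ServicePrincipal'
+}
+}
+
+module avmStorageAccount_RoleAssignment_avmContainerApp_queue 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(
+deployment_param.resource_name_format_string,
+'role-assignment-storage-data-contributor-container-app-queue'
+)
+params: {
+resourceId: avmContainerApp.outputs.resourceId
+principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+roleName: 'Storage Queue Data Contributor'
+roleDefinitionId: '974c5e8b-45b9-4653-ba55-5f855dd0fb88' //'Storage Queue Data Contributor'
+principalType: 'ServicePrincipal'
+}
+}
+
 // module storage 'deploy_storage_account.bicep' = {
 // name: 'deploy_storage_account'
 // params: {
@@ -309,12 +334,12 @@ module avmAiServices 'br/public:avm/res/cognitive-services/account:0.10.2' = {
 customSubDomainName: '${abbrs.ai.aiServices}${deployment_param.solution_prefix}'
 disableLocalAuth: true
 publicNetworkAccess: 'Enabled'
-roleAssignments: [
-{
-principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'Cognitive Services OpenAI User'
-}
-]
+// roleAssignments: [
+// {
+// principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'Cognitive Services OpenAI User'
+// }
+// ]
 deployments: [
 {
 name: ai_deployment.gpt_model_name
@@ -333,6 +358,18 @@ module avmAiServices 'br/public:avm/res/cognitive-services/account:0.10.2' = {
 }
 }
 
+// Role Assignment
+module avmAiServices_roleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-ai-services')
+params: {
+resourceId: avmContainerApp.outputs.resourceId
+principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+roleName: 'Cognitive Services OpenAI User'
+roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' //'Cognitive Services OpenAI User'
+principalType: 'ServicePrincipal'
+}
+}
+
 module avmAiServices_cu 'br/public:avm/res/cognitive-services/account:0.10.2' = {
 name: format(deployment_param.resource_name_format_string, 'aicu-')
 
@@ -348,12 +385,22 @@ module avmAiServices_cu 'br/public:avm/res/cognitive-services/account:0.10.2' =
 }
 customSubDomainName: 'aicu-${deployment_param.solution_prefix}'
 disableLocalAuth: true
-roleAssignments: [
-{
-principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'Cognitive Services User'
-}
-]
+// roleAssignments: [
+// {
+// principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'Cognitive Services User'
+// }
+// ]
+}
+}
+
+module avmAiServices_cu_roleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-ai-services-cu')
+params: {
+resourceId: avmContainerApp.outputs.resourceId
+principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908' //'Cognitive Services User'
+principalType: 'ServicePrincipal'
 }
 }
 
@@ -510,18 +557,28 @@ module avmContainerRegistryReader 'br/public:avm/res/managed-identity/user-assig
 scope: resourceGroup(resourceGroup().name)
 }
 
-module bicepAcrPullRoleAssignment 'modules/role_assignment.bicep' = {
-name: format(deployment_param.resource_name_format_string, 'rbac-acr-pull')
+module bicepAcrPullRoleAssignment 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'rabc-acr-pull')
 params: {
-managedIdentityResourceId: avmContainerRegistryReader.outputs.resourceId
-managedIdentityPrincipalId: avmContainerRegistryReader.outputs.principalId
-roleDefinitionId: subscriptionResourceId(
-'Microsoft.Authorization/roleDefinitions',
-'7f951dda-4ed3-4680-a7ca-43fe172d538d'
-) // AcrPull role
+resourceId: avmContainerRegistry.outputs.resourceId
+principalId: avmContainerRegistryReader.outputs.principalId
+roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d' // AcrPull role
+principalType: 'ServicePrincipal'
 }
 }
 
+// module bicepAcrPullRoleAssignment_ 'modules/role_assignment.bicep' = {
+// name: format(deployment_param.resource_name_format_string, 'rbac-acr-pull')
+// params: {
+// managedIdentityResourceId: avmContainerRegistryReader.outputs.resourceId
+// managedIdentityPrincipalId: avmContainerRegistryReader.outputs.principalId
+// roleDefinitionId: subscriptionResourceId(
+// 'Microsoft.Authorization/roleDefinitions',
+// '7f951dda-4ed3-4680-a7ca-43fe172d538d'
+// ) // AcrPull role
+// }
+// }
+
 // module containerAppEnv './container_app/deploy_container_app_env.bicep' = {
 // name: 'deploy_container_app_env'
 // params: {
@@ -750,7 +807,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.16.0' = {
 env: [
 {
 name: 'APP_API_BASE_URL'
-value: 'avmContainerApp_API.outputs.fqdn'
+value: avmContainerApp_API.outputs.fqdn
 }
 {
 name: 'APP_WEB_CLIENT_ID'
@@ -850,15 +907,15 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
 keyValues: [
 {
 name: 'APP_AZURE_OPENAI_ENDPOINT'
-value: avmAiServices.outputs.endpoint
+value: avmAiServices.outputs.endpoint //TODO: replace with actual endpoint
 }
 {
 name: 'APP_AZURE_OPENAI_MODEL'
 value: gptModelName
 }
 {
 name: 'APP_CONTENT_UNDERSTANDING_ENDPOINT'
-value: avmAiServices_cu.outputs.endpoint
+value: avmAiServices_cu.outputs.endpoint //TODO: replace with actual endpoint
 }
 {
 name: 'APP_COSMOS_CONTAINER_PROCESS'
@@ -914,31 +971,64 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
 }
 {
 name: 'APP_STORAGE_BLOB_URL'
-value: avmStorageAccount.outputs.serviceEndpoints.blob
+value: avmStorageAccount.outputs.serviceEndpoints.blob //TODO: replace with actual blob URL
 }
 {
 name: 'APP_STORAGE_QUEUE_URL'
-value: avmStorageAccount.outputs.serviceEndpoints.queue
+value: avmStorageAccount.outputs.serviceEndpoints.queue //TODO: replace with actual queue URL
 }
 {
 name: 'APP_AI_PROJECT_CONN_STR'
 value: '${deployment_param.resource_group_location}.api.azureml.ms;${subscription().subscriptionId};${resourceGroup().name};${avmAiProject.name}'
+//TODO: replace with actual AI project connection string
 }
 ]
-roleAssignments: [
-{
-principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'App Configuration Data Reader'
-}
-{
-principalId: avmContainerApp_API.outputs.?systemAssignedMIPrincipalId
-roleDefinitionIdOrName: 'App Configuration Data Reader'
-}
-// {
-// principalId: avmContainerApp_Web.outputs.?systemAssignedMIPrincipalId
-// roleDefinitionIdOrName: 'App Configuration Data Reader'
-// }
-]
+// roleAssignments: [
+// {
+// principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'App Configuration Data Reader'
+// }
+// {
+// principalId: avmContainerApp_API.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'App Configuration Data Reader'
+// }
+// {
+// principalId: avmContainerApp_Web.outputs.?systemAssignedMIPrincipalId
+// roleDefinitionIdOrName: 'App Configuration Data Reader'
+// }
+// ]
+}
+}
+
+module avmRoleAssignment_container_app 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-app-config-data-reader')
+params: {
+resourceId: avmContainerApp.outputs.resourceId
+principalId: avmContainerApp.outputs.?systemAssignedMIPrincipalId
+roleDefinitionId: '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
+roleName: 'App Configuration Data Reader'
+principalType: 'ServicePrincipal'
+}
+}
+
+module avmRoleAssignment_container_app_api 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-app-config-data-reader-api')
+params: {
+resourceId: avmContainerApp_API.outputs.resourceId
+principalId: avmContainerApp_API.outputs.?systemAssignedMIPrincipalId
+roleDefinitionId: '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
+roleName: 'App Configuration Data Reader'
+principalType: 'ServicePrincipal'
+}
+}
+
+module avmRoleAssignment_container_app_web 'br/public:avm/ptn/authorization/resource-role-assignment:0.1.2' = {
+name: format(deployment_param.resource_name_format_string, 'role-assignment-app-config-data-reader-web')
+params: {
+resourceId: avmContainerApp_Web.outputs.resourceId
+principalId: avmContainerApp_Web.outputs.?systemAssignedMIPrincipalId
+roleDefinitionId: '516239f1-63e1-4d78-a4de-a74fb236a071' // Built-in
+roleName: 'App Configuration Data Reader'
+principalType: 'ServicePrincipal'
 }
 }
 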
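Review bot: The new storage, AI services, content-understanding and App Configuration role-assignment modules all pass the principal's own container app as `resourceId` (`avmContainerApp.outputs.resourceId`, and `_API`/`_Web` for the App Configuration readers), whereas the AcrPull module in the same commit passes the registry being accessed (`avmContainerRegistry.outputs.resourceId`); if `resourceId` is the scope of the assignment, as that usage implies, the Storage, Cognitive Services and App Configuration data roles land on the container app resources and the identities get no data-plane access to the services the roles name. Each affected module should point at its target, e.g. `resourceId: avmStorageAccount.outputs.resourceId` for the blob/queue pair, `resourceId: avmAiServices.outputs.resourceId` and `resourceId: avmAiServices_cu.outputs.resourceId` for the two Cognitive Services roles, and `resourceId: avmAppConfig.outputs.resourceId` for all three App Configuration Data Reader modules, which also keeps the grants at resource scope. The rewritten `bicepAcrPullRoleAssignment` deployment name changed from `'rbac-acr-pull'` to `'rabc-acr-pull'`, which reads as a typo rather than an intended rename. `avmAiServices_cu_roleAssignment` is the only new module without a `roleName`, and every new module combines `principalType: 'ServicePrincipal'` with the optional `?systemAssignedMIPrincipalId` output, so it is worth confirming that each container app module actually enables a system-assigned identity, since a null principal would surface only at deploy time.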