Merge pull request #50 from greenie-msft/bicep-cleanup

dbarkol · web-flow · commit 5c9603bb6a0f · 2025-10-15T11:31:07.000-07:00
Add DTS bicep w/ roles and env vars in the function app. Also remove AI Foundry deps and only use Azure OpenAI
diff --git a/.gitignore b/.gitignore
@@ -42,6 +42,7 @@ appsettings.json
 .env
 .env.local
 .env.*.local
+.azure/
 
 __azurite_db_blob__.json
 
diff --git a/infra/abbreviations.json b/infra/abbreviations.json
@@ -131,5 +131,7 @@
     "webSitesAppService": "app-",
     "webSitesAppServiceEnvironment": "ase-",
     "webSitesFunctions": "func-",
-    "webStaticSites": "stapp-"
+    "webStaticSites": "stapp-",
+    "dts": "dts-",
+    "taskhub": "taskhub-"
 }
diff --git a/infra/app/ai/ai-project.bicep b/infra/app/ai/ai-project.bicep
diff --git a/infra/app/ai/cognitive-services.bicep b/infra/app/ai/cognitive-services.bicep
@@ -45,6 +45,7 @@ resource aiServices 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' =
   properties: {
     customSubDomainName: toLower(aiServicesName)
     publicNetworkAccess: 'Enabled'
+    disableLocalAuth: true
   }
 }
 
@@ -86,7 +87,4 @@ output aiServicesId string = aiServices.id
 output aiServicesEndpoint string = aiServices.properties.endpoint
 output azureOpenAIServiceEndpoint string = 'https://${aiServices.properties.customSubDomainName}.openai.azure.com/'
 output embeddingDeploymentName string = embeddingModelDeployment.name
-output chatDeploymentName string = chatModelDeployment.name 
-@description('Primary key for the AI Services account.')
-@secure()
-output primaryKey string = aiServices.listKeys().key1
+output chatDeploymentName string = chatModelDeployment.name
diff --git a/infra/app/api.bicep b/infra/app/api.bicep
@@ -11,7 +11,6 @@ param instanceMemoryMB int = 2048
 param maximumInstanceCount int = 100
 param identityId string = ''
 param identityClientId string = ''
-param aiServicesId string
 param resourceToken string
 
 param runtimeName string = 'python'
@@ -93,7 +92,6 @@ module api 'br/public:avm/res/web/site:0.15.1' = {
         APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString
         APPLICATIONINSIGHTS_AUTHENTICATION_STRING: applicationInsightsIdentity
         AzureWebJobsFeatureFlags: 'EnableWorkerIndexing'
-        AZURE_OPENAI_KEY: listKeys(aiServicesId, '2025-04-01-preview').key1
         PYTHON_ENABLE_WORKER_EXTENSIONS: '1'
       })
     virtualNetworkSubnetId: !empty(virtualNetworkSubnetId) ? virtualNetworkSubnetId : null
diff --git a/infra/app/cosmos-db.bicep b/infra/app/cosmos-db.bicep
@@ -22,6 +22,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
   kind: 'GlobalDocumentDB'
   properties: {
     databaseAccountOfferType: 'Standard'
+    disableLocalAuth: true
     capabilities: [
       { name: 'EnableServerless' }
       { name: 'EnableNoSQLVectorSearch' }
diff --git a/infra/app/dts.bicep b/infra/app/dts.bicep
@@ -0,0 +1,29 @@
+param ipAllowlist array
+param location string
+param tags object = {}
+param name string
+param taskhubname string
+param skuName string 
+param skuCapacity int
+
+resource dts 'Microsoft.DurableTask/schedulers@2025-11-01' = {
+  location: location
+  tags: tags
+  name: name
+  properties: {
+    ipAllowlist: ipAllowlist
+    sku: {
+      name: skuName
+      capacity: skuCapacity
+    }
+  }
+}
+
+resource taskhub 'Microsoft.DurableTask/schedulers/taskhubs@2025-11-01' = {
+  parent: dts
+  name: taskhubname
+}
+
+output dts_NAME string = dts.name
+output dts_URL string = dts.properties.endpoint
+output TASKHUB_NAME string = taskhub.name
diff --git a/infra/app/rbac/dts-access.bicep b/infra/app/rbac/dts-access.bicep
@@ -0,0 +1,18 @@
+param principalID string
+param roleDefinitionID string
+param dtsName string
+param principalType string
+
+resource dts 'Microsoft.DurableTask/schedulers@2024-10-01-preview' existing = {
+  name: dtsName
+}
+
+resource dtsRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(dts.id, principalID, roleDefinitionID )
+  scope: dts
+  properties: {
+   roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionID )
+   principalId: principalID
+   principalType: principalType
+  }
+}
diff --git a/infra/app/rbac/openai-access.bicep b/infra/app/rbac/openai-access.bicep
@@ -0,0 +1,22 @@
+@description('The name of the Azure OpenAI account')
+param openAIAccountName string
+
+@description('The role definition ID for the role assignment')
+param roleDefinitionId string
+
+@description('The principal ID to assign the role to')
+param principalId string
+
+resource openAIAccount 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = {
+  name: openAIAccountName
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(openAIAccount.id, principalId, roleDefinitionId)
+  scope: openAIAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
diff --git a/infra/main.bicep b/infra/main.bicep
diff --git a/infra/main.parameters.json b/infra/main.parameters.json

Original file line number	Diff line number	Diff line change
`@@ -131,5 +131,7 @@`
`131`	`131`	`"webSitesAppService": "app-",`
`132`	`132`	`"webSitesAppServiceEnvironment": "ase-",`
`133`	`133`	`"webSitesFunctions": "func-",`
`134`		`- "webStaticSites": "stapp-"`
	`134`	`+ "webStaticSites": "stapp-",`
	`135`	`+ "dts": "dts-",`
	`136`	`+ "taskhub": "taskhub-"`
`135`	`137`	`}`