NOTE: Your Azure subscription will need to be whitelisted for Azure OpenAI. At the release time of this module (August 2023) you need to request access via this form, and via a further form for GPT-4. Once you have access, deploy either GPT-35-Turbo or GPT-35-Turbo-16k or, if you have access to GPT-4-32k, go forward with that model.
Flexible Terraform Registry module for setting up an Azure-hosted OpenAI service, deploying models on a new or existing OpenAI service, and saving deployment and account details to Azure Key Vault, ready for consumption by other services hosted in Azure.
See Create OpenAI Service and Models:
For an example of how to create an OpenAI Service hosted on Azure, deploy models and save the details to an Azure Key Vault.
See Create Models on existing OpenAI Account:
For an example of how to create models hosted on an existing OpenAI Service and save the details to an Azure Key Vault.
See Create OpenAI Service Only:
For an example of how to create only an OpenAI Service hosted on Azure and save the details to an Azure Key Vault (no models deployed).
This module is published on the Public Terraform Registry - openai-service
Want to host your own Private ChatGPT-like service on Azure?
Check out my other Terraform module to deploy your very own private ChatBot/ChatGPT-like container apps instance hosted on Azure OpenAI and fronted by Azure Front Door + WAF:
Enjoy!
Name | Version |
---|---|
terraform | >= 1.9.5 |
azurerm | ~> 4.0 |
Name | Version |
---|---|
azurerm | ~> 4.0 |
Name | Source | Version |
---|---|---|
create_model_deployment | ./modules/model_deployment | n/a |
create_openai_service | ./modules/openai_service | n/a |
Name | Type |
---|---|
azurerm_key_vault.openai_kv | resource |
azurerm_key_vault_secret.openai_endpoint | resource |
azurerm_key_vault_secret.openai_model | resource |
azurerm_key_vault_secret.openai_model_deployment_id | resource |
azurerm_key_vault_secret.openai_primary_key | resource |
azurerm_role_assignment.kv_role_assigment | resource |
azurerm_client_config.current | data source |
azurerm_cognitive_account.openai | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
create_model_deployment | Create the model deployment. | bool | false | no |
create_openai_service | Create the OpenAI service. | bool | false | no |
keyvault_firewall_allowed_ips | Value of Key Vault firewall allowed IP rules. | list(string) | [] | no |
keyvault_firewall_bypass | List of Key Vault firewall rules to bypass. | string | "AzureServices" | no |
keyvault_firewall_default_action | Default action for Key Vault firewall rules. | string | "Deny" | no |
keyvault_firewall_virtual_network_subnet_ids | Value of Key Vault firewall allowed virtual network subnet IDs. | list(string) | [] | no |
keyvault_resource_group_name | Name of the resource group where the Key Vault will be hosted. | string | n/a | yes |
kv_config | Key Vault configuration object used to create the Azure Key Vault that stores the OpenAI account details. | object({ | { | no |
location | Azure region to deploy resources to. | string | "uksouth" | no |
model_deployment | type = list(object({ deployment_id = (Required) The name of the Cognitive Services Account Model Deployment. Changing this forces a new resource to be created. model_name = { model_format = (Required) The format of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. Possible value is OpenAI. model_name = (Required) The name of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. model_version = (Required) The version of Cognitive Services Account Deployment model. } sku = { sku_name = (Required) The name of the SKU. Possible values include Standard, GlobalBatch, GlobalStandard and ProvisionedManaged. sku_tier = (Optional) Possible values are Free, Basic, Standard, Premium, Enterprise. Changing this forces a new resource to be created. sku_size = (Optional) The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. Changing this forces a new resource to be created. sku_family = (Optional) If the service has different generations of hardware, for the same SKU, then that can be captured here. Changing this forces a new resource to be created. sku_capacity = (Optional) Tokens-per-Minute (TPM). If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. Default value is 1. Changing this forces a new resource to be created. } rai_policy_name = (Optional) The name of RAI policy. Changing this forces a new resource to be created. })) | list(object({ | [] | no |
openai_account_name | Name of the OpenAI service. | string | "demo-account" | no |
openai_custom_subdomain_name | The subdomain name used for token-based authentication. Changing this forces a new resource to be created (normally the same as variable `openai_account_name`). | string | "demo-account" | no |
openai_customer_managed_key | type = object({ key_vault_key_id = (Required) The ID of the Key Vault Key which should be used to encrypt the data in this OpenAI Account. identity_client_id = (Optional) The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there are multiple identities attached to the OpenAI Account. }) | object({ | null | no |
openai_dynamic_throttling_enabled | Determines whether or not dynamic throttling is enabled. If set to `true`, dynamic throttling will be enabled. If set to `false`, dynamic throttling will not be enabled. | bool | null | no |
openai_fqdns | List of FQDNs allowed for the Cognitive Account. | list(string) | null | no |
openai_identity | type = object({ type = (Required) The type of the Identity. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`. identity_ids = (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this OpenAI Account. }) | object({ | null | no |
openai_local_auth_enabled | Whether local authentication methods are enabled for the Cognitive Account. Defaults to `true`. | bool | true | no |
openai_network_acls | type = set(object({ default_action = (Required) The Default Action to use when no rules match from ip_rules / virtual_network_rules. Possible values are `Allow` and `Deny`. ip_rules = (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Cognitive Account. virtual_network_rules = optional(set(object({ subnet_id = (Required) The ID of a Subnet which should be able to access the OpenAI Account. ignore_missing_vnet_service_endpoint = (Optional) Whether to ignore a missing vnet service endpoint or not. Defaults to `false`. }))) })) | set(object({ | null | no |
openai_outbound_network_access_restricted | Whether or not outbound network access is restricted. | bool | false | no |
openai_public_network_access_enabled | Whether or not public network access is enabled for the Cognitive Account. | bool | true | no |
openai_resource_group_name | Name of the resource group where the cognitive account OpenAI service is hosted (if different from solution resource group). | string | n/a | yes |
openai_sku_name | SKU name of the OpenAI service. | string | "S0" | no |
openai_storage | type = list(object({ storage_account_id = (Required) Full resource id of a Microsoft.Storage resource. identity_client_id = (Optional) The client ID of the managed identity associated with the storage resource. })) | list(object({ | [] | no |
tags | A map of key value pairs that is used to tag resources created. | map(string) | { | no |
Name | Description |
---|---|
key_vault_id | The ID of the Key Vault. |
key_vault_uri | The URI of the Key Vault. |
openai_account_name | The name of the Cognitive Service Account. |
openai_endpoint | The endpoint used to connect to the Cognitive Service Account. |
openai_primary_key | The primary access key for the Cognitive Service Account. |
openai_resource_group_name | The name of the Resource Group hosting the Cognitive Service Account. |
openai_secondary_key | The secondary access key for the Cognitive Service Account. |
openai_subdomain | The subdomain used to connect to the Cognitive Service Account. |
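
A network-restricted call of the module built only from the inputs and outputs listed above, added here as an illustration and not one of the module's own examples. The registry namespace in `source`, the resource group name, the IP address and the subnet ID are placeholders or constructed values, and `kv_config` is left at its default because its object shape is not shown on this page.

```hcl
locals {
  # Constructed subnet ID for the application that will call the service.
  app_subnet_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-openai-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app"
  # Constructed address (documentation range) standing in for the Terraform runner.
  runner_ip = "203.0.113.10"
}

module "openai" {
  # Placeholder: the registry namespace is not given on this page.
  source = "REPLACE_ME/openai-service/azurerm"

  # Required inputs (constructed resource group name).
  keyvault_resource_group_name = "rg-openai-demo"
  openai_resource_group_name   = "rg-openai-demo"
  location                     = "uksouth"

  create_openai_service        = true
  openai_account_name          = "demo-account"
  openai_custom_subdomain_name = "demo-account"

  # Default is null: no ACLs, so with public network access enabled (also the
  # default) the endpoint accepts traffic from any network.
  # Deny by default and allow one subnet plus the runner address.
  openai_network_acls = [{
    default_action = "Deny"
    ip_rules       = [local.runner_ip]
    virtual_network_rules = [{
      subnet_id                            = local.app_subnet_id
      ignore_missing_vnet_service_endpoint = false
    }]
  }]

  # Key Vault firewall: "Deny" and "AzureServices" are already the defaults.
  # The allow-lists default to [], so a runner that is not listed here cannot
  # reach the vault's data plane to write the endpoint and key secrets.
  keyvault_firewall_default_action             = "Deny"
  keyvault_firewall_bypass                     = "AzureServices"
  keyvault_firewall_allowed_ips                = [local.runner_ip]
  keyvault_firewall_virtual_network_subnet_ids = [local.app_subnet_id]
}

# Hand consumers the vault location rather than the key. The module also
# outputs openai_primary_key and openai_secondary_key; both are held in
# Terraform state whether or not they are re-exported from the root module.
output "openai_key_vault_uri" {
  value = module.openai.key_vault_uri
}
```

Because the access keys are written to state as well as to Key Vault, the state backend needs the same access restrictions as the vault.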