From f5681139104da24fe4906ac7090f31f8c9a5112b Mon Sep 17 00:00:00 2001
From: Zhijie Huang
Date: Tue, 30 Jul 2024 16:12:22 +0800
Subject: [PATCH] Allow assigning role to service principal
---
 deploy/aca/infra/main.bicep | 34 ++++++++++---------
 deploy/aca/infra/main.parameters.json | 5 ++-
 deploy/aks/infra/main.bicep | 4 ++-
 deploy/aks/infra/main.parameters.json | 3 ++
 deploy/app-service/infra/main.bicep | 16 +++++----
 deploy/app-service/infra/main.parameters.json | 3 ++
 6 files changed, 40 insertions(+), 25 deletions(-)
diff --git a/deploy/aca/infra/main.bicep b/deploy/aca/infra/main.bicep
index ed1ff73..cab7402 100644
--- a/deploy/aca/infra/main.bicep
+++ b/deploy/aca/infra/main.bicep
@@ -83,8 +83,10 @@ param webAppExists bool = false
 param indexerAppExists bool = false
-@description('Id of the user to assign application roles for CLI to ingest documents')
-param userPrincipalId string = ''
+@description('Id of the user or app to assign application roles for CLI to ingest documents')
+param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -413,9 +415,9 @@ module openAiRoleUser '../../shared/security/role.bicep' = {
   scope: openAiResourceGroup
   name: 'openai-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -423,9 +425,9 @@ module formRecognizerRoleUser '../../shared/security/role.bicep' = {
   scope: formRecognizerResourceGroup
   name: 'formrecognizer-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
-    principalType: 'User'
+    principalType: principalType
   }
 }
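Review bot: `principalType` is declared as a free-form string whose description promises only `User` or `ServicePrincipal`, but nothing enforces that, so a typo or any other value reaches the role-assignment module unchecked in every `*RoleUser` module below (the same declaration appears in the aks and app-service `main.bicep` hunks). Bicep can reject bad values at parameter validation rather than as a failed role assignment by adding `@allowed(['User', 'ServicePrincipal'])` between the `@description` line and `param principalType string = 'User'`; widening to `Group` later is a one-line change. Because this one parameter now fans out to seven assignments, including the storage and search contributor roles, the description should also say that an automation identity receives exactly the roles the interactive user did, so reviewers of a CI deployment know what they are granting. The rename of `userPrincipalId` to `principalId` would also break any reference to the old name outside these hunks, which I cannot confirm from here.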
@@ -433,9 +435,9 @@ module storageRoleUser '../../shared/security/role.bicep' = {
   scope: storageResourceGroup
   name: 'storage-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -443,9 +445,9 @@ module storageContribRoleUser '../../shared/security/role.bicep' = {
   scope: storageResourceGroup
   name: 'storage-contribrole-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -453,9 +455,9 @@ module searchRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -463,9 +465,9 @@ module searchContribRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-contrib-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -473,9 +475,9 @@ module searchSvcContribRoleUser '../../shared/security/role.bicep' = {
   scope: searchServiceResourceGroup
   name: 'search-svccontrib-role-user'
   params: {
-    principalId: userPrincipalId
+    principalId: principalId
     roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
-    principalType: 'User'
+    principalType: principalType
   }
 }
diff --git a/deploy/aca/infra/main.parameters.json b/deploy/aca/infra/main.parameters.json
index bfcfcd1..4718c6f 100644
--- a/deploy/aca/infra/main.parameters.json
+++ b/deploy/aca/infra/main.parameters.json
@@ -11,9 +11,12 @@
     "location": {
       "value": "${AZURE_LOCATION}"
     },
-    "userPrincipalId": {
+    "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },
diff --git a/deploy/aks/infra/main.bicep b/deploy/aks/infra/main.bicep
index 0dd51da..43a55cc 100644
--- a/deploy/aks/infra/main.bicep
+++ b/deploy/aks/infra/main.bicep
@@ -82,6 +82,8 @@ param keyVaultName string = ''
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -363,7 +365,7 @@ module storageContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
diff --git a/deploy/aks/infra/main.parameters.json b/deploy/aks/infra/main.parameters.json
index 06cdb87..4fd911d 100644
--- a/deploy/aks/infra/main.parameters.json
+++ b/deploy/aks/infra/main.parameters.json
@@ -14,6 +14,9 @@
     "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },
diff --git a/deploy/app-service/infra/main.bicep b/deploy/app-service/infra/main.bicep
index f731569..a91ddbb 100644
--- a/deploy/app-service/infra/main.bicep
+++ b/deploy/app-service/infra/main.bicep
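Review bot: `"${AZURE_PRINCIPAL_TYPE}"` resolves to an empty string when the environment variable is not set, and as far as I can tell an explicit empty value is passed through and overrides the Bicep default `'User'` rather than falling back to it, so every existing environment that never defined the variable would hand `principalType: ''` to each role assignment (the same applies to the aks and app-service `main.parameters.json` hunks). If the project's azd version supports default substitution, `"value": "${AZURE_PRINCIPAL_TYPE=User}"` preserves the previous behaviour for those environments; otherwise the deployment README needs a line next to `AZURE_PRINCIPAL_ID` stating that `AZURE_PRINCIPAL_TYPE` must be set to `User` or `ServicePrincipal` before `azd up`. The parameter file has no comment syntax, so the requirement cannot be recorded here.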
@@ -80,6 +80,8 @@ param allowedOrigin string = '' // should start with https://, shouldn't end wit
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
+@description('Type of the principal. Valid values: User,ServicePrincipal')
+param principalType string = 'User'
 @description('Use Application Insights for monitoring and performance tracing')
 param useApplicationInsights bool = false
@@ -321,7 +323,7 @@ module openAiRoleUser '../../shared/security/role.bicep' = if (openAiHost == 'az
   params: {
     principalId: principalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -331,7 +333,7 @@ module formRecognizerRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -341,7 +343,7 @@ module storageRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -351,7 +353,7 @@ module storageContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -361,7 +363,7 @@ module searchRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -371,7 +373,7 @@ module searchContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
-    principalType: 'User'
+    principalType: principalType
   }
 }
@@ -381,7 +383,7 @@ module searchSvcContribRoleUser '../../shared/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
-    principalType: 'User'
+    principalType: principalType
   }
 }
diff --git a/deploy/app-service/infra/main.parameters.json b/deploy/app-service/infra/main.parameters.json
index 06cdb87..4fd911d 100644
--- a/deploy/app-service/infra/main.parameters.json
+++ b/deploy/app-service/infra/main.parameters.json
@@ -14,6 +14,9 @@
     "principalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
+    },
     "openAiServiceName": {
       "value": "${AZURE_OPENAI_SERVICE}"
     },