diff --git a/infra/app/llama-index-nextjs.bicep b/infra/app/llama-index-nextjs.bicep index 84db5c0..bf82407 100644 --- a/infra/app/llama-index-nextjs.bicep +++ b/infra/app/llama-index-nextjs.bicep @@ -7,6 +7,13 @@ param containerRegistryName string param containerAppsEnvironmentName string param applicationInsightsName string param exists bool + +@description('Whether the deployment is running on GitHub Actions') +param runningOnGh string = '' + +@description('Id of the user or app to assign application roles') +param principalId string = '' + @secure() param appDefinition object @@ -42,17 +49,31 @@ resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { scope: containerRegistry name: guid(subscription().id, resourceGroup().id, identity.id, 'acrPullRole') properties: { - roleDefinitionId: subscriptionResourceId( - 'Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d') - principalType: 'ServicePrincipal' principalId: identity.properties.principalId + roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d' + principalType: 'ServicePrincipal' } } -// System roles -module openAiRole '../shared/role.bicep' = { + +// Roles + +// User roles +module openAiRoleUser '../shared/role.bicep' = if (empty(runningOnGh)) { scope: resourceGroup() name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiUserRole') + params: { + principalId: principalId + // Cognitive Services OpenAI User + roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' + principalType: 'User' + } +} + +// System roles +module openAiRoleBackend '../shared/role.bicep' = { + scope: resourceGroup() + name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiServicePrincipalRole') params: { principalId: app.identity.principalId // Cognitive Services OpenAI User diff --git a/infra/main.bicep b/infra/main.bicep index d8e1b33..0875039 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
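Review bot: `runningOnGh` is a boolean decision carried as a string, and the first hunk does not document that it decides whether a role is granted. The later condition `if (empty(runningOnGh))` treats any non-empty value, including `'false'`, as "skip the user role assignment". An unset value on any other CI system would attempt the `'User'` assignment. Say so in the description, for example `@description('Non-empty (GITHUB_ACTIONS=true) skips the user role assignment; empty means an interactive user deployment')`. The same applies to the copy of the parameter added in infra/main.bicep and to the `"${GITHUB_ACTIONS}"` mapping in infra/main.parameters.json, which replaced a value that had an explicit `false` default.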
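Review bot: The new `roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d'` on `acrPullRole` is a bare GUID, whereas a `Microsoft.Authorization/roleAssignments` resource expects the full role-definition resource ID that the removed `subscriptionResourceId(...)` call produced. This resource is declared directly rather than through `../shared/role.bicep`, so nothing visible here expands the GUID. The assignment is therefore likely to be rejected at deployment, leaving the app identity without pull rights on the registry. Keep `roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')`. A `// AcrPull` comment beside it, like the one on the OpenAI role, would also help.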
@@ -9,6 +9,9 @@ param environmentName string @description('Primary location for all resources') param location string +@description('Whether the deployment is running on GitHub Actions') +param runningOnGh string = '' + param llamaIndexNextjsExists bool @secure() param llamaIndexNextjsDefinition object @@ -154,26 +157,13 @@ module openAi './shared/cognitiveservices.bicep' = if (empty(openAiUrl)) { } } -// Roles - -// User roles -module openAiRoleUser './shared/role.bicep' = { - scope: rg - name: 'openai-role-user' - params: { - principalId: principalId - // Cognitive Services OpenAI User - roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' - principalType: 'User' - } -} - module llamaIndexNextjs './app/llama-index-nextjs.bicep' = { name: 'llama-index-nextjs' params: { name: '${abbrs.appContainerApps}llama-index-${resourceToken}' location: location tags: tags + runningOnGh: runningOnGh identityName: '${abbrs.managedIdentityUserAssignedIdentities}llama-index-${resourceToken}' applicationInsightsName: monitoring.outputs.applicationInsightsName containerAppsEnvironmentName: appsEnv.outputs.name @@ -237,6 +227,10 @@ module llamaIndexNextjs './app/llama-index-nextjs.bicep' = { name: 'SYSTEM_PROMPT' value: llamaIndexConfig.system_prompt } + { + name: 'OPENAI_API_TYPE' + value: 'AzureOpenAI' + } ] }) } diff --git a/infra/main.parameters.json b/infra/main.parameters.json index a9b93fd..b543649 100644 --- a/infra/main.parameters.json +++ b/infra/main.parameters.json @@ -25,8 +25,8 @@ "openAiApiVersion": { "value": "${AZURE_OPENAI_API_VERSION=2024-02-15-preview}" }, - "isContinuousDeployment": { - "value": "${CI=false}" + "runningOnGh": { + "value": "${GITHUB_ACTIONS}" }, "azureDeploymentName": { "value": "${AZURE_DEPLOYMENT_NAME=gpt-35-turbo}" diff --git a/infra/shared/role.bicep b/infra/shared/role.bicep index 0b30cfd..ce79dbf 100644 --- a/infra/shared/role.bicep +++ b/infra/shared/role.bicep 
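Review bot: The `llamaIndexNextjs` module call forwards `runningOnGh` but not `principalId`, so the relocated `openAiRoleUser` assignment in infra/app/llama-index-nextjs.bicep falls back to that parameter's default `''`. On a local deployment `empty(runningOnGh)` is true, and the role assignment would be submitted with an empty principal, which is likely to fail the deployment. Add `principalId: principalId` next to `runningOnGh: runningOnGh`, and consider gating the module on `empty(runningOnGh) && !empty(principalId)`. The params block continues outside this hunk, so this is based only on the lines the diff shows.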
@@ -8,7 +8,7 @@ param principalId string 'ServicePrincipal' 'User' ]) -param principalType string = 'ServicePrincipal' +param principalType string = 'User' param roleDefinitionId string resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
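Review bot: Changing the default of `principalType` to `'User'` silently changes every caller of this module that omits the parameter. `openAiRoleBackend` in infra/app/llama-index-nextjs.bicep assigns the app's managed identity, and its `principalType` line is not visible in that hunk. If it relies on the default, the assignment is now declared as a user for a service principal and would likely be rejected. It is safer to drop the default so each caller states the type, `param principalType string`, or to keep `'ServicePrincipal'`, since `openAiRoleUser` already passes `'User'` explicitly. The `role` resource body continues outside this hunk.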