
Commit 3e71489

sarajagmeerakurup
andauthored
Add UMI support for private network-secured setup for agents (#341)
* added aca env bicep * add umi pvt setup * remove principalId output * update azuredeploy json and readme * Revert "added aca env bicep" This reverts commit d1b08be. * Update samples/microsoft/infrastructure-setup/17-private-network-standard-user-assigned-identity-agent-setup/README.md Co-authored-by: Meera Kurup <[email protected]> * update readme for classA support --------- Co-authored-by: Meera Kurup <[email protected]>
1 parent 9ca69e4 commit 3e71489

29 files changed

+5866
-0
lines changed

samples/microsoft/infrastructure-setup/17-private-network-standard-user-assigned-identity-agent-setup/README.md

Lines changed: 518 additions & 0 deletions
Lines changed: 215 additions & 0 deletions
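--- /dev/null
+++ b/<directory not shown on page>/add-project.bicep
@@ -0,0 +1,215 @@
+@description('Location for the project resources.')
+param location string = 'westus'
+
+@description('Name of the existing AI Services account')
+param existingAccountName string
+
+@description('Resource group containing the AI Services account')
+param accountResourceGroupName string = resourceGroup().name
+
+@description('Subscription ID containing the AI Services account')
+param accountSubscriptionId string = subscription().subscriptionId
+
+@description('Name for the new project')
+param projectName string
+
+@description('Description for the new project')
+param projectDescription string = 'Additional AI Foundry project with network secured deployed Agent'
+
+@description('Display name for the new project')
+param displayName string
+
+@description('Name for the project capability host')
+param projectCapHost string = 'caphostproj'
+
+// Existing shared resources (from your original deployment)
+@description('Name of the existing AI Search service')
+param existingAiSearchName string
+
+@description('Resource group containing the AI Search service')
+param aiSearchResourceGroupName string
+
+@description('Subscription ID containing the AI Search service')
+param aiSearchSubscriptionId string
+
+@description('Name of the existing Storage Account')
+param existingStorageName string
+
+@description('Resource group containing the Storage Account')
+param storageResourceGroupName string
+
+@description('Subscription ID containing the Storage Account')
+param storageSubscriptionId string
+
+@description('Name of the existing Cosmos DB account')
+param existingCosmosDBName string
+
+@description('Resource group containing the Cosmos DB account')
+param cosmosDBResourceGroupName string
+
+@description('Subscription ID containing the Cosmos DB account')
+param cosmosDBSubscriptionId string
+
+@description('Name of the existing User Assigned Identity')
+param existingUserAssignedIdentityName string
+
+@description('Resource group containing the User Assigned Identity')
+param userAssignedIdentityResourceGroupName string
+
+@description('Subscription ID containing the User Assigned Identity')
+param userAssignedIdentitySubscriptionId string
+
+
+// Create a short, unique suffix for this project
+param deploymentTimestamp string = utcNow('yyyyMMddHHmmss')
+var uniqueSuffix = substring(uniqueString('${resourceGroup().id}-${deploymentTimestamp}'), 0, 4)
+var finalProjectName = toLower('${projectName}${uniqueSuffix}')
+
+// Reference existing AI Services account
+resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
+name: existingAccountName
+scope: resourceGroup(accountSubscriptionId, accountResourceGroupName)
+}
+
+// Reference existing shared resources
+resource aiSearch 'Microsoft.Search/searchServices@2023-11-01' existing = {
+name: existingAiSearchName
+scope: resourceGroup(aiSearchSubscriptionId, aiSearchResourceGroupName)
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' existing = {
+name: existingStorageName
+scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+}
+
+resource cosmosDB 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' existing = {
+name: existingCosmosDBName
+scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+}
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
+name: existingUserAssignedIdentityName
+scope: resourceGroup(userAssignedIdentitySubscriptionId, userAssignedIdentityResourceGroupName)
+}
+
+// Create the new project using the unique connection module
+module aiProject 'modules-network-secured/ai-project-identity-unique.bicep' = {
+name: 'ai-${finalProjectName}-${uniqueSuffix}-deployment'
+params: {
+projectName: finalProjectName
+projectDescription: projectDescription
+displayName: displayName
+location: location
+
+aiSearchName: existingAiSearchName
+aiSearchServiceResourceGroupName: aiSearchResourceGroupName
+aiSearchServiceSubscriptionId: aiSearchSubscriptionId
+
+cosmosDBName: existingCosmosDBName
+cosmosDBSubscriptionId: cosmosDBSubscriptionId
+cosmosDBResourceGroupName: cosmosDBResourceGroupName
+
+azureStorageName: existingStorageName
+azureStorageSubscriptionId: storageSubscriptionId
+azureStorageResourceGroupName: storageResourceGroupName
+
+userAssignedIdentityName: existingUserAssignedIdentityName
+userAssignedIdentitySubscriptionId: userAssignedIdentitySubscriptionId
+userAssignedIdentityResourceGroupName: userAssignedIdentityResourceGroupName
+
+accountName: existingAccountName
+
+// Pass unique suffix for connection names
+uniqueConnectionSuffix: '-${finalProjectName}'
+}
+}
+
+module formatProjectWorkspaceId 'modules-network-secured/format-project-workspace-id.bicep' = {
+name: 'format-project-workspace-id-${uniqueSuffix}-deployment'
+params: {
+projectWorkspaceId: aiProject.outputs.projectWorkspaceId
+}
+}
+
+// Assign storage account role
+module storageAccountRoleAssignment 'modules-network-secured/azure-storage-account-role-assignment.bicep' = {
+name: 'storage-${existingStorageName}-${uniqueSuffix}-deployment'
+scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+params: {
+azureStorageName: existingStorageName
+projectPrincipalId: userAssignedIdentity.properties.principalId
+}
+}
+
+// Assign Cosmos DB account role
+module cosmosAccountRoleAssignments 'modules-network-secured/cosmosdb-account-role-assignment.bicep' = {
+name: 'cosmos-account-ra-${finalProjectName}-${uniqueSuffix}-deployment'
+scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+params: {
+cosmosDBName: existingCosmosDBName
+projectPrincipalId: userAssignedIdentity.properties.principalId
+}
+}
+
+// Assign AI Search role
+module aiSearchRoleAssignments 'modules-network-secured/ai-search-role-assignments.bicep' = {
+name: 'ai-search-ra-${finalProjectName}-${uniqueSuffix}-deployment'
+scope: resourceGroup(aiSearchSubscriptionId, aiSearchResourceGroupName)
+params: {
+aiSearchName: existingAiSearchName
+projectPrincipalId: userAssignedIdentity.properties.principalId
+}
+}
+
+// Create capability host for the new project
+module addProjectCapabilityHost 'modules-network-secured/add-project-capability-host.bicep' = {
+name: 'capabilityHost-configuration-${uniqueSuffix}-deployment'
+params: {
+accountName: existingAccountName
+projectName: aiProject.outputs.projectName
+cosmosDBConnection: aiProject.outputs.cosmosDBConnection
+azureStorageConnection: aiProject.outputs.azureStorageConnection
+aiSearchConnection: aiProject.outputs.aiSearchConnection
+projectCapHost: projectCapHost
+}
+dependsOn: [
+cosmosAccountRoleAssignments
+storageAccountRoleAssignment
+aiSearchRoleAssignments
+]
+}
+
+// Assign storage container roles after capability host creation
+module storageContainersRoleAssignment 'modules-network-secured/blob-storage-container-role-assignments-unique.bicep' = {
+name: 'storage-containers-${uniqueSuffix}-deployment'
+scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+params: {
+aiProjectPrincipalId: userAssignedIdentity.properties.principalId
+storageName: existingStorageName
+workspaceId: formatProjectWorkspaceId.outputs.projectWorkspaceIdGuid
+uniqueSuffix: uniqueSuffix // Add this line
+}
+dependsOn: [
+addProjectCapabilityHost
+]
+}
+
+// Assign Cosmos container roles after capability host creation
+module cosmosContainerRoleAssignments 'modules-network-secured/cosmos-container-role-assignments.bicep' = {
+name: 'cosmos-ra-${uniqueSuffix}-deployment'
+scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+params: {
+cosmosAccountName: existingCosmosDBName
+projectWorkspaceId: formatProjectWorkspaceId.outputs.projectWorkspaceIdGuid
+projectPrincipalId: userAssignedIdentity.properties.principalId
+}
+dependsOn: [
+addProjectCapabilityHost
+storageContainersRoleAssignment
+]
+}
+
+// Outputs
+output projectName string = aiProject.outputs.projectName
+output projectWorkspaceId string = aiProject.outputs.projectWorkspaceId
+output capabilityHostName string = addProjectCapabilityHost.outputs.projectCapHost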
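Review bot: Every role-assignment module in this file — the account-scoped storage, Cosmos DB and AI Search ones as well as the container-scoped ones at the end — grants its role to `userAssignedIdentity.properties.principalId`, the same pre-existing identity the original deployment is expected to use, so agents in this additional project run as exactly the same principal as the first project and RBAC alone does not separate the two projects' data (the original deployment's template is not in this commit view, so treat that as an assumption to confirm). A header comment making that explicit would spare operators a wrong assumption, e.g. `// NOTE: the shared user-assigned identity receives data-plane roles on every project's resources; per-project isolation is not enforced by RBAC`. The trailing marker on `uniqueSuffix: uniqueSuffix // Add this line` reads as a leftover editing note and should be removed. `param deploymentTimestamp` is the only parameter without an `@description`; since `utcNow()` yields a new value on every run, its description should state that each deployment creates a new `finalProjectName` (and a new set of role assignments) rather than updating the previous one.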
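--- /dev/null
+++ b/<bicepparam file path not shown on page>
@@ -0,0 +1,35 @@
+using './add-project.bicep'
+
+param location = 'westus'
+
+// New project details
+param projectName = 'secondproject'
+param projectDescription = 'Second AI Foundry project with network secured deployed Agent'
+param displayName = 'Second Project'
+param projectCapHost = 'caphostsecond'
+
+// Existing AI Services account details (from your original deployment)
+// You'll need to get these from your existing deployment
+param existingAccountName = '' // Replace with your actual account name
+param accountResourceGroupName = '' // Your resource group
+param accountSubscriptionId = ''
+
+// Existing shared resources (from your original deployment)
+// You'll need to get these from your existing deployment outputs
+param existingAiSearchName = '' // Replace with your actual search service name
+param aiSearchResourceGroupName = '' // Your resource group
+param aiSearchSubscriptionId = ''
+
+param existingStorageName = '' // Replace with your actual storage account name
+param storageResourceGroupName = '' // Your resource group
+param storageSubscriptionId = ''
+
+param existingCosmosDBName = '' // Replace with your actual Cosmos DB name
+param cosmosDBResourceGroupName = '' // Your resource group
+param cosmosDBSubscriptionId = ''
+
+// Existing User Assigned Identity details (from your original deployment)
+// You'll need to get these from your existing deployment outputs
+param existingUserAssignedIdentityName = '' // Replace with your actual user assigned identity name
+param userAssignedIdentityResourceGroupName = '' // Your resource group
+param userAssignedIdentitySubscriptionId = '' // Your subscription ID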
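Review bot: `param accountResourceGroupName = ''` and `param accountSubscriptionId = ''` override the defaults that add-project.bicep gives these two parameters (`resourceGroup().name` and `subscription().subscriptionId`) with empty strings, so a user who fills in only the account name ends up with an empty `resourceGroup(accountSubscriptionId, accountResourceGroupName)` scope and a failed deployment instead of the current resource group. Either delete those two lines so the template defaults apply, or change their trailing comments to say they only need a value when the account lives in a different resource group or subscription. The remaining `''` placeholders have no early validation on the template side, so the comment block at the top should state plainly that every empty value must be replaced before deploying.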
