Adding Projects to Vnet Injected Foundry (#324)

* Add Bicep file for private network agent project setup

creating additional projects for account

* Add parameters for second project setup

Added parameters for a new project setup including details for existing AI services and shared resources.

* Add script to get existing Azure resources

This script retrieves the names of existing Azure resources such as AI Services, Storage Account, AI Search Service, and Cosmos DB Account from a specified Resource Group to be used on add-project.bicepparam

* Add Bicep file for AI project identity setup

This Bicep file defines parameters and resources for setting up a project with unique connection names for CosmosDB, Azure Storage, and Azure Cognitive Search, utilizing system-assigned identity.

* Add role assignments for blob storage container

adds roles for projects in add-project.bicep

* Enhance README with multi-project deployment guide

Added a guide for adding multiple projects to AI Foundry deployment, including prerequisites and steps

Author: geabdluca

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/README.md

@@ -165,7 +165,7 @@ Click the deploy to Azure button above to open the Azure portal and deploy the t
 
 > **Note:** To access your Foundry resource securely, use either a VM, VPN, or ExpressRoute.
 
----
+---  
 
 ## Network Secured Agent Project Architecture Deep Dive
 
@@ -349,6 +349,167 @@ modules-network-secured/
 4. Review network security groups
 
 ---
+---
+# (Optional) Adding Multiple Projects to AI Foundry Deployment
+
+This guide explains how to add additional projects to your existing AI Foundry deployment with network security and capability hosts.
+
+## Overview
+
+After deploying your initial AI Foundry setup using `main.bicep`, you can add additional projects using the modular approach provided in this repository. Each new project will:
+
+- ✅ **Reuse existing shared infrastructure** (AI Services account, Storage, Cosmos DB, AI Search, VNet)
+- ✅ **Create independent projects** with unique identities and connections
+- ✅ **Set up proper role assignments** and capability hosts for each project
+- ✅ **Maintain network security** configurations from your original deployment
+- ✅ **Deploy independently** without affecting existing projects
+
+## Files Added
+
+### Core Deployment Files
+
+| File | Purpose |
+|------|---------|
+| `add-project.bicep` | Main Bicep template for adding new projects |
+| `add-project.bicepparam` | Parameters file template for new projects |
+| `modules-network-secured/ai-project-identity-unique.bicep` | Modified project module with unique connection names |
+| `modules-network-secured/blob-storage-container-role-assignments-unique.bicep` | Modified storage role assignment module |
+
+### Helper Files
+
+| File | Purpose |
+|------|---------|
+| `get-existing-resources.ps1` | PowerShell script to discover existing resource names |
+
+## Prerequisites
+
+1. ✅ **Existing AI Foundry deployment** completed using `main.bicep`
+2. ✅ **Azure CLI** installed and logged in
+3. ✅ **Proper permissions** on the resource group and existing resources
+4. ✅ **Resource names** from your existing deployment
+
+## Step-by-Step Guide
+
+### Step 1: Discover Existing Resource Names
+
+Run the PowerShell script to automatically discover your existing resource names:
+
+```powershell
+# Navigate to your repository folder
+cd "path\to\your\AgentRepro\folder"
+
+# Run the discovery script
+.\get-existing-resources.ps1 -ResourceGroupName "your-resource-group-name"
+
+# Optional: Include subscription ID if needed
+.\get-existing-resources.ps1 -ResourceGroupName "your-resource-group-name" -SubscriptionId "your-subscription-id"
+```
+
+**Example output:**
+```
+=== Summary for add-project.bicepparam ===
+param existingAccountName = 'aiservicesytlz'
+param existingAiSearchName = 'aiservicesytlzsearch'
+param existingStorageName = 'aiservicesytlzstorage'
+param existingCosmosDBName = 'aiservicesytlzcosmosdb'
+param accountResourceGroupName = 'agenticvnet'
+param aiSearchResourceGroupName = 'agenticvnet'
+param storageResourceGroupName = 'agenticvnet'
+param cosmosDBResourceGroupName = 'agenticvnet'
+```
+
+### Step 2: Configure Parameters File
+
+Copy the output from Step 1 and update your `add-project.bicepparam` file:
+
+### Step 3: Deploy the New Project
+
+Deploy using Azure CLI:
+
+```powershell
+az deployment group create `
+  --resource-group "your-resource-group" `
+  --template-file "add-project.bicep" `
+  --parameters "add-project.bicepparam"
+```
+
+## Adding Multiple Projects
+
+To add additional projects, repeat the process with different parameter values:
+
+### For a Third Project:
+
+1. **Update project-specific parameters:**
+   ```bicep
+   param projectName = 'thirdproject'  // Must be unique
+   param displayName = 'Third Project'
+   param projectCapHost = 'caphostthird'  // Must be unique
+   ```
+
+3. **Deploy using the new parameters file:**
+   ```powershell
+   az deployment group create `
+     --resource-group "your-resource-group" `
+     --template-file "add-project.bicep" `
+     --parameters "add-project.bicepparam"
+   ```
+
+## What Gets Created
+
+Each new project deployment creates:
+
+| Resource | Description |
+|----------|-------------|
+| **AI Foundry Project** | New project under your existing AI Services account |
+| **Managed Identity** | Project-specific system-assigned identity |
+| **Unique Connections** | Project-specific connections to shared resources |
+| **Capability Host** | Configured for Agents with proper connections |
+| **RBAC Assignments** | Proper permissions on shared resources |
+
+### Role Assignments Created:
+
+- ✅ **Storage Blob Data Contributor** on Storage Account
+- ✅ **Storage Blob Data Owner** on project-specific containers
+- ✅ **Cosmos DB Operator** on Cosmos DB Account
+- ✅ **Cosmos Built-In Data Contributor** on project-specific containers
+- ✅ **Search Index Data Contributor** on AI Search Service
+- ✅ **Search Service Contributor** on AI Search Service
+
+## Configuration Reference
+
+### Required Parameters (Must Customize for Each Project)
+
+| Parameter | Description | Example |
+|-----------|-------------|---------|
+| `projectName` | Unique name for the project | `'secondproject'` |
+| `displayName` | Display name in Azure portal | `'Second Project'` |
+| `projectCapHost` | Unique capability host name | `'caphostsecond'` |
+| `projectDescription` | Description of the project | `'My second AI project'` |
+
+### Existing Resource Parameters (From Script)
+
+| Parameter | Description | Source |
+|-----------|-------------|---------|
+| `existingAccountName` | AI Services account name | Output from `get-existing-resources.ps1` |
+| `existingAiSearchName` | AI Search service name | Output from `get-existing-resources.ps1` |
+| `existingStorageName` | Storage account name | Output from `get-existing-resources.ps1` |
+| `existingCosmosDBName` | Cosmos DB account name | Output from `get-existing-resources.ps1` |
+| `*ResourceGroupName` | Resource group names | Usually same as deployment RG |
+| `*SubscriptionId` | Subscription IDs | Usually same subscription |
+
+
+## Security Considerations
+
+- ✅ **Least Privilege**: Each project gets only the permissions it needs
+- ✅ **Isolated Containers**: Projects get separate storage containers
+- ✅ **Network Security**: Inherits network security from original deployment
+- ✅ **Unique Identities**: Each project has its own managed identity
+
+## Limitations
+
+- 📝 All projects share the same model deployments
+- 📝 Projects must be in the same region as the original deployment
+- 📝 Network configuration is inherited from original deployment
 
 ## References
 

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/add-project.bicep

@@ -0,0 +1,197 @@
+@description('Location for the project resources.')
+param location string = 'westus'
+
+@description('Name of the existing AI Services account')
+param existingAccountName string
+
+@description('Resource group containing the AI Services account')
+param accountResourceGroupName string = resourceGroup().name
+
+@description('Subscription ID containing the AI Services account')
+param accountSubscriptionId string = subscription().subscriptionId
+
+@description('Name for the new project')
+param projectName string
+
+@description('Description for the new project')
+param projectDescription string = 'Additional AI Foundry project with network secured deployed Agent'
+
+@description('Display name for the new project')
+param displayName string
+
+@description('Name for the project capability host')
+param projectCapHost string = 'caphostproj'
+
+// Existing shared resources (from your original deployment)
+@description('Name of the existing AI Search service')
+param existingAiSearchName string
+
+@description('Resource group containing the AI Search service')
+param aiSearchResourceGroupName string
+
+@description('Subscription ID containing the AI Search service')
+param aiSearchSubscriptionId string
+
+@description('Name of the existing Storage Account')
+param existingStorageName string
+
+@description('Resource group containing the Storage Account')
+param storageResourceGroupName string
+
+@description('Subscription ID containing the Storage Account')
+param storageSubscriptionId string
+
+@description('Name of the existing Cosmos DB account')
+param existingCosmosDBName string
+
+@description('Resource group containing the Cosmos DB account')
+param cosmosDBResourceGroupName string
+
+@description('Subscription ID containing the Cosmos DB account')
+param cosmosDBSubscriptionId string
+
+// Create a short, unique suffix for this project
+param deploymentTimestamp string = utcNow('yyyyMMddHHmmss')
+var uniqueSuffix = substring(uniqueString('${resourceGroup().id}-${deploymentTimestamp}'), 0, 4)
+var finalProjectName = toLower('${projectName}${uniqueSuffix}')
+
+// Reference existing AI Services account
+resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
+  name: existingAccountName
+  scope: resourceGroup(accountSubscriptionId, accountResourceGroupName)
+}
+
+// Reference existing shared resources
+resource aiSearch 'Microsoft.Search/searchServices@2023-11-01' existing = {
+  name: existingAiSearchName
+  scope: resourceGroup(aiSearchSubscriptionId, aiSearchResourceGroupName)
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' existing = {
+  name: existingStorageName
+  scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+}
+
+resource cosmosDB 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' existing = {
+  name: existingCosmosDBName
+  scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+}
+
+// Create the new project using the unique connection module
+module aiProject 'modules-network-secured/ai-project-identity-unique.bicep' = {
+  name: 'ai-${finalProjectName}-${uniqueSuffix}-deployment'
+  params: {
+    projectName: finalProjectName
+    projectDescription: projectDescription
+    displayName: displayName
+    location: location
+    
+    aiSearchName: existingAiSearchName
+    aiSearchServiceResourceGroupName: aiSearchResourceGroupName
+    aiSearchServiceSubscriptionId: aiSearchSubscriptionId
+    
+    cosmosDBName: existingCosmosDBName
+    cosmosDBSubscriptionId: cosmosDBSubscriptionId
+    cosmosDBResourceGroupName: cosmosDBResourceGroupName
+    
+    azureStorageName: existingStorageName
+    azureStorageSubscriptionId: storageSubscriptionId
+    azureStorageResourceGroupName: storageResourceGroupName
+    
+    accountName: existingAccountName
+    
+    // Pass unique suffix for connection names
+    uniqueConnectionSuffix: '-${finalProjectName}'
+  }
+}
+
+module formatProjectWorkspaceId 'modules-network-secured/format-project-workspace-id.bicep' = {
+  name: 'format-project-workspace-id-${uniqueSuffix}-deployment'
+  params: {
+    projectWorkspaceId: aiProject.outputs.projectWorkspaceId
+  }
+}
+
+// Assign storage account role
+module storageAccountRoleAssignment 'modules-network-secured/azure-storage-account-role-assignment.bicep' = {
+  name: 'storage-${existingStorageName}-${uniqueSuffix}-deployment'
+  scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+  params: {
+    azureStorageName: existingStorageName
+    projectPrincipalId: aiProject.outputs.projectPrincipalId
+  }
+}
+
+// Assign Cosmos DB account role
+module cosmosAccountRoleAssignments 'modules-network-secured/cosmosdb-account-role-assignment.bicep' = {
+  name: 'cosmos-account-ra-${finalProjectName}-${uniqueSuffix}-deployment'
+  scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+  params: {
+    cosmosDBName: existingCosmosDBName
+    projectPrincipalId: aiProject.outputs.projectPrincipalId
+  }
+}
+
+// Assign AI Search role
+module aiSearchRoleAssignments 'modules-network-secured/ai-search-role-assignments.bicep' = {
+  name: 'ai-search-ra-${finalProjectName}-${uniqueSuffix}-deployment'
+  scope: resourceGroup(aiSearchSubscriptionId, aiSearchResourceGroupName)
+  params: {
+    aiSearchName: existingAiSearchName
+    projectPrincipalId: aiProject.outputs.projectPrincipalId
+  }
+}
+
+// Create capability host for the new project
+module addProjectCapabilityHost 'modules-network-secured/add-project-capability-host.bicep' = {
+  name: 'capabilityHost-configuration-${uniqueSuffix}-deployment'
+  params: {
+    accountName: existingAccountName
+    projectName: aiProject.outputs.projectName
+    cosmosDBConnection: aiProject.outputs.cosmosDBConnection
+    azureStorageConnection: aiProject.outputs.azureStorageConnection
+    aiSearchConnection: aiProject.outputs.aiSearchConnection
+    projectCapHost: projectCapHost
+  }
+  dependsOn: [
+    cosmosAccountRoleAssignments
+    storageAccountRoleAssignment
+    aiSearchRoleAssignments
+  ]
+}
+
+// Assign storage container roles after capability host creation
+module storageContainersRoleAssignment 'modules-network-secured/blob-storage-container-role-assignments-unique.bicep' = {
+  name: 'storage-containers-${uniqueSuffix}-deployment'
+  scope: resourceGroup(storageSubscriptionId, storageResourceGroupName)
+  params: {
+    aiProjectPrincipalId: aiProject.outputs.projectPrincipalId
+    storageName: existingStorageName
+    workspaceId: formatProjectWorkspaceId.outputs.projectWorkspaceIdGuid
+    uniqueSuffix: uniqueSuffix  // Add this line
+  }
+  dependsOn: [
+    addProjectCapabilityHost
+  ]
+}
+
+// Assign Cosmos container roles after capability host creation
+module cosmosContainerRoleAssignments 'modules-network-secured/cosmos-container-role-assignments.bicep' = {
+  name: 'cosmos-ra-${uniqueSuffix}-deployment'
+  scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
+  params: {
+    cosmosAccountName: existingCosmosDBName
+    projectWorkspaceId: formatProjectWorkspaceId.outputs.projectWorkspaceIdGuid
+    projectPrincipalId: aiProject.outputs.projectPrincipalId
+  }
+  dependsOn: [
+    addProjectCapabilityHost
+    storageContainersRoleAssignment
+  ]
+}
+
+// Outputs
+output projectName string = aiProject.outputs.projectName
+output projectPrincipalId string = aiProject.outputs.projectPrincipalId
+output projectWorkspaceId string = aiProject.outputs.projectWorkspaceId
+output capabilityHostName string = addProjectCapabilityHost.outputs.projectCapHost