BYO Storage for Speech and Language in Foundry resources (#337)

* Included BYOS for Speech and Language BICEP

* allowProjectManagement changed to true

* updated bicep template to include storage account check

* allowing for template to take in storage accounts from another subscriptions, but not create one in another sub.

* updated README.md

* updated README.md for final check

Author: andyaviles121

samples/microsoft/infrastructure-setup/02-storage-speech-language/README.md

@@ -0,0 +1,11 @@
+# Bring Your Own Azure Storage for Speech and Language capabilities (Preview)
+
+Use this template to associate your Azure Storage account to a new Foundry resource. This template allows you to bring an existing Azure Storage account as the storage for your Speech and Language usecases. Learn more about this feature's restrictions via our public documentation. 
+
+## Advanced implementation details  
+### How is this setup different from an Azure Storage connection in Foundry?
+This template does not use the Foundry connections API. The [Foundry resource connections API](https://learn.microsoft.com/en-us/rest/api/aifoundry/accountmanagement/account-connections?view=rest-aifoundry-accountmanagement-2025-06-01) and [Foundry project connections API](https://learn.microsoft.com/en-us/rest/api/aifoundry/aiprojects/connections?view=rest-aifoundry-aiprojects-v1) use the Foundry endpoint to store authentication details like API keys and target. The Azure Storage association to a Foundry resource does not use that API. Instead, there is a field under `properties` in the Foundry resource creation step, that sets the Azure Storage resource ID. This field allows for backwards compatibility with how previous Speech Services and Language kinds do.  
+
+### What authentication methods are supported?
+This association does not support API key authentication, only RBAC authentication.
+

samples/microsoft/infrastructure-setup/02-storage-speech-language/main.bicep

@@ -0,0 +1,143 @@
+// Run command examples:
+// For existing storage account: az deployment group create --name AzDeploy --resource-group {RESOURCE_GROUP} --template-file main.bicep --parameters aiFoundryName={AI_FOUNDRY_NAME} userOwnedStorageResourceId={STORAGE_ACCOUNT_RESOURCE_ID} location={LOCATION}
+// For new storage account: az deployment group create --name AzDeploy --resource-group {RESOURCE_GROUP} --template-file main.bicep --parameters aiFoundryName={AI_FOUNDRY_NAME} location={LOCATION}
+
+@description('Name of the Azure AI Foundry account')
+param aiFoundryName string
+
+@description('Location for the resource')
+param location string = resourceGroup().location
+
+// Storage Account Parameters
+@description('Azure storage resource ID (leave empty to create a new storage account)')
+param userOwnedStorageResourceId string = ''
+
+@description('Name of the Storage Account derived from the resource ID or provided for new account')
+param storageAccountName string = userOwnedStorageResourceId != '' ? last(split(userOwnedStorageResourceId, '/')) : 'st${uniqueString(subscription().subscriptionId, resourceGroup().name)}aaviles' // no '-' allowed
+
+@description('Resource group name of the Storage Account derived from the resource ID or same as AI Foundry for new accounts')
+param storageResourceGroupName string = userOwnedStorageResourceId != '' ? split(userOwnedStorageResourceId, '/')[4] : resourceGroup().name
+
+// Derived values for cross-subscription support
+var targetStorageSubscriptionId = userOwnedStorageResourceId != '' ? split(userOwnedStorageResourceId, '/')[2] : subscription().subscriptionId
+// --------------------------------
+
+// ====================================================================
+// DEPLOYMENT STEPS OVERVIEW:
+// 1. Storage Account Configuration (existing vs new)
+// 2. Create Storage Account (if new - always in same RG as AI Foundry)
+// 3. Create AI Foundry with User Owned Storage 
+// 4. Create Role Assignment for AI Foundry's managed identity on the Storage Account
+// ====================================================================
+
+// ====================================================================
+// STEP 1: STORAGE ACCOUNT CONFIGURATION
+// ====================================================================
+@description('Automatically determined based on whether userOwnedStorageResourceId is provided')
+var useExistingStorageAccount bool = userOwnedStorageResourceId != ''
+
+// ====================================================================
+// STEP 2: CREATE STORAGE ACCOUNT (IF NOT USING EXISTING ONE)
+// ====================================================================
+// New storage accounts are always created in the same resource group as AI Foundry
+// For cross-subscription existing storage, we use the target subscription for role assignment
+
+// For cross-subscription storage account creation (not recommended, but supported)
+module storageAccountModule './modules/storageAccount.bicep' = if (!useExistingStorageAccount && targetStorageSubscriptionId != subscription().subscriptionId) {
+  name: 'crossSubStorageAccount'
+  scope: resourceGroup(targetStorageSubscriptionId, resourceGroup().name)
+  params: {
+    storageAccountName: storageAccountName
+    location: location
+  }
+}
+
+// For same-subscription storage account creation (recommended)
+resource storageAccount 'Microsoft.Storage/storageAccounts@2025-01-01' = if (!useExistingStorageAccount && targetStorageSubscriptionId == subscription().subscriptionId) {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_RAGRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    // For Azure AI Foundry BYOS, these settings are required
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: true  // Must be true for AI Foundry to access
+    minimumTlsVersion: 'TLS1_2'
+    supportsHttpsTrafficOnly: true
+    encryption: {
+      services: {
+        blob: {
+          enabled: true
+        }
+        file: {
+          enabled: true
+        }
+      }
+      keySource: 'Microsoft.Storage'
+    }
+    // Required for AI Foundry BYOS
+    allowCrossTenantReplication: false
+    defaultToOAuthAuthentication: false
+  }
+}
+
+// ====================================================================
+// STEP 3: CREATE AI FOUNDRY WITH USER OWNED STORAGE
+// ====================================================================
+resource aiFoundry 'Microsoft.CognitiveServices/accounts@2025-07-01-preview' = {
+  name: aiFoundryName
+  location: location
+  sku: {
+    name: 'S0'
+  }
+  kind: 'AIServices'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    allowProjectManagement: true
+    publicNetworkAccess: 'Enabled' // or 'Disabled' 
+    disableLocalAuth: false
+    customSubDomainName: toLower(replace(aiFoundryName, '_', '-'))
+    userOwnedStorage: [{
+        resourceId: useExistingStorageAccount ? userOwnedStorageResourceId : '/subscriptions/${targetStorageSubscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Storage/storageAccounts/${storageAccountName}'
+    }]
+  }
+}
+
+// ====================================================================
+// STEP 4: CREATE ROLE ASSIGNMENT FOR AI FOUNDRY'S MANAGED IDENTITY
+// ====================================================================
+// Role assignment deployed to the correct subscription/resource group based on storage location
+module roleAssignmentModule './modules/roleAssignment.bicep' = {
+  name: 'storageRoleAssignment'
+  scope: resourceGroup(targetStorageSubscriptionId, storageResourceGroupName)
+  params: {
+    storageAccountName: storageAccountName
+    principalId: aiFoundry.identity.principalId
+    aiFoundryResourceId: aiFoundry.id
+  }
+}
+
+// ====================================================================
+// OUTPUTS
+// ====================================================================
+@description('The resource ID of the AI Foundry account')
+output aiFoundryId string = aiFoundry.id
+
+@description('The name of the AI Foundry account')
+output aiFoundryName string = aiFoundry.name
+
+@description('The resource ID of the storage account being used')
+output storageAccountId string = useExistingStorageAccount ? userOwnedStorageResourceId : '/subscriptions/${targetStorageSubscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Storage/storageAccounts/${storageAccountName}'
+
+@description('The managed identity principal ID of the AI Foundry account')
+output aiFoundryPrincipalId string = aiFoundry.identity.principalId
+
+@description('The subscription ID where the storage account is located')
+output storageSubscriptionId string = targetStorageSubscriptionId
+
+@description('Status of role assignment')
+output roleAssignmentStatus string = 'Storage Blob Data Contributor role assigned automatically via module'

samples/microsoft/infrastructure-setup/02-storage-speech-language/modules/roleAssignment.bicep

@@ -0,0 +1,23 @@
+@description('Name of the Storage Account')
+param storageAccountName string
+
+@description('Principal ID of the AI Foundry managed identity')
+param principalId string
+
+@description('AI Foundry resource ID for generating unique role assignment name')
+param aiFoundryResourceId string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
+  name: storageAccountName
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(aiFoundryResourceId, 'Storage Blob Data Contributor')
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') // Storage Blob Data Contributor
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+ 

samples/microsoft/infrastructure-setup/02-storage-speech-language/modules/storageAccount.bicep

@@ -0,0 +1,41 @@
+@description('Name of the Storage Account')
+param storageAccountName string
+
+@description('Location for the storage account')
+param location string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2025-01-01' = {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_RAGRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    // For Azure AI Foundry BYOS, these settings are required
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: true  // Must be true for AI Foundry to access
+    minimumTlsVersion: 'TLS1_2'
+    supportsHttpsTrafficOnly: true
+    encryption: {
+      services: {
+        blob: {
+          enabled: true
+        }
+        file: {
+          enabled: true
+        }
+      }
+      keySource: 'Microsoft.Storage'
+    }
+    // Required for AI Foundry BYOS
+    allowCrossTenantReplication: false
+    defaultToOAuthAuthentication: false
+  }
+}
+
+@description('Resource ID of the created storage account')
+output storageAccountId string = storageAccount.id
+
+@description('Name of the created storage account')
+output storageAccountName string = storageAccount.name