Open AI Workspace Service

.bak

@@ -0,0 +1,15 @@
+---
+default-storage: mydb
+default-secrets: mysecrets
+
+storage:
+  - name: mydb
+    plugin: mongodb
+    config:
+      url: ${secret.porter-db-connection-string}
+
+secrets:
+  - name: mysecrets
+    plugin: azure.keyvault
+    config:
+      vault-url: ${env.KEY_VAULT_URL}

core/terraform/locals.tf

@@ -32,7 +32,9 @@ locals {
     "privatelink.notebooks.azure.net",
     "privatelink.postgres.database.azure.com",
     "privatelink.mysql.database.azure.com",
-    "privatelink.azuredatabricks.net"
+    "privatelink.azuredatabricks.net",
+    "privatelink.openai.azure.com",
+    "privatelink.cognitiveservices.azure.com"
   ])
 
   # The followig regex extracts different parts of the service bus endpoint: scheme, fqdn, port, path, query and fragment. This allows us to extract the needed fqdn part.

templates/workspace_services/openai/.dockerignore

@@ -0,0 +1,7 @@
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Put files here that you don't want copied into your bundle's invocation image
+.gitignore
+Dockerfile.tmpl
+
+# Local .terraform directories
+**/.terraform/*

templates/workspace_services/openai/.env.sample

@@ -0,0 +1 @@
+ID="__CHANGE_ME__"

templates/workspace_services/openai/.gitignore

@@ -0,0 +1 @@
+.cnab/

templates/workspace_services/openai/Dockerfile.tmpl

@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM debian:bullseye-slim
+
+# PORTER_INIT
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+# Git is required for terraform_azurerm_environment_configuration
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y git --no-install-recommends
+
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/

templates/workspace_services/openai/parameters.json

@@ -0,0 +1,44 @@
+{
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.0",
+  "namespace": "",
+  "name": "tre-workspace-service-openai",
+  "parameters": [
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "arm_environment",
+      "source": {
+        "env": "ARM_ENVIRONMENT"
+      }
+    }
+  ]
+}

templates/workspace_services/openai/porter.yaml

@@ -0,0 +1,102 @@
+---
+schemaVersion: 1.0.0
+name: tre-workspace-service-openai
+version: 0.4.9
+description: "An OpenAI workspace service"
+registry: azuretre
+dockerfile: Dockerfile.tmpl
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+parameters:
+  - name: workspace_id
+    type: string
+  - name: tre_id
+    type: string
+
+  # the following are added automatically by the resource processor
+  - name: id
+    type: string
+    description: "Resource ID"
+    env: id
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    env: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    type: boolean
+    default: false
+  - name: arm_environment
+    env: ARM_ENVIRONMENT
+    type: string
+    default: "public"
+
+mixins:
+  - exec
+  - terraform:
+      clientVersion: 1.3.6
+
+outputs:
+  - name: openai_fqdn
+    type: string
+    applyTo:
+      - install
+
+install:
+  - terraform:
+      description: "Deploy OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }
+      outputs:
+        - name: openai_fqdn
+upgrade:
+  - terraform:
+      description: "Upgrade OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }
+      outputs:
+        - name: openai_fqdn
+uninstall:
+  - terraform:
+      description: "Tear down OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }

templates/workspace_services/openai/template_schema.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/sql/template_schema.json",
+  "type": "object",
+  "title": "OpenAI Workspace Service",
+  "description": "Provides OpenAI within the workspace",
+  "required": [],
+  "properties": {
+    "display_name": {
+      "type": "string",
+      "title": "Name for the workspace service",
+      "description": "The name of the workspace service to be displayed to users",
+      "default": "Azure OpenAI Service",
+      "updateable": true
+    },
+    "description": {
+      "type": "string",
+      "title": "Description of the workspace service",
+      "description": "Description of the workspace service",
+      "default": "Build your own copilot and generative AI applications",
+      "updateable": true
+    },
+    "overview": {
+      "type": "string",
+      "title": "Workspace Service Overview",
+      "description": "Long form description of the workspace service, in markdown syntax",
+      "default": "Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and Embeddings model series. For more information, see the [Azure OpenAI Service documentation](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview).",
+      "updateable": true
+    }
+  }
+}

templates/workspace_services/openai/terraform/locals.tf

@@ -0,0 +1,13 @@
+locals {
+  short_service_id               = substr(var.tre_resource_id, -4, -1)
+  short_workspace_id             = substr(var.workspace_id, -4, -1)
+  workspace_resource_name_suffix = "${var.tre_id}-ws-${local.short_workspace_id}"
+  service_resource_name_suffix   = "${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_service_id}"
+  keyvault_name                  = lower("kv-${substr(local.workspace_resource_name_suffix, -20, -1)}")
+  core_resource_group_name       = "rg-${var.tre_id}"
+  workspace_service_tags = {
+    tre_id                   = var.tre_id
+    tre_workspace_id         = var.workspace_id
+    tre_workspace_service_id = var.tre_resource_id
+  }
+}

templates/workspace_services/openai/terraform/main.tf

@@ -0,0 +1,59 @@
+# Azure Provider source and version being used
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.84.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
+      purge_soft_delete_on_destroy               = false
+      purge_soft_deleted_secrets_on_destroy      = false
+      purge_soft_deleted_certificates_on_destroy = false
+      purge_soft_deleted_keys_on_destroy         = false
+      # When recreating an environment, recover any previously soft deleted secrets - set to true by default
+      recover_soft_deleted_key_vaults   = true
+      recover_soft_deleted_secrets      = true
+      recover_soft_deleted_certificates = true
+      recover_soft_deleted_keys         = true
+    }
+  }
+}
+
+module "terraform_azurerm_environment_configuration" {
+  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+  arm_environment = var.arm_environment
+}
+
+
+data "azurerm_resource_group" "ws" {
+  name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+}
+
+data "azurerm_virtual_network" "ws" {
+  name                = "vnet-${var.tre_id}-ws-${local.short_workspace_id}"
+  resource_group_name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+}
+
+data "azurerm_key_vault" "ws" {
+  name                = local.keyvault_name
+  resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_subnet" "services" {
+  name                 = "ServicesSubnet"
+  virtual_network_name = data.azurerm_virtual_network.ws.name
+  resource_group_name  = data.azurerm_resource_group.ws.name
+}
+
+# data "azurerm_private_dns_zone" "openai" {
+#   name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.database.azure.com"]
+#   resource_group_name = local.core_resource_group_name
+# }

templates/workspace_services/openai/terraform/openai.tf

@@ -0,0 +1,51 @@
+# openai cognitive services account
+
+resource "azurerm_cognitive_account" "openai" {
+  kind                = "OpenAI"
+  name                = "openai-${var.tre_id}-${local.short_workspace_id}"
+  resource_group_name = data.azurerm_resource_group.ws.name
+  location            = data.azurerm_resource_group.ws.location
+  sku_name            = "S0"
+}
+
+resource "azurerm_cognitive_deployment" "openai" {
+  name                 = "openai-gpt-4-32k-0314"
+  cognitive_account_id = azurerm_cognitive_account.openai.id
+  model {
+    format  = "OpenAI"
+    name    = "gpt-4-32k"
+    version = "0314"
+  }
+
+  scale {
+    type = "Standard"
+  }
+}
+
+resource "azurerm_private_dns_zone" "openai" {
+  name                = "privatelink.openai.azure.com"
+  resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+resource "azurerm_private_endpoint" "openai_private_endpoint" {
+  name                = "pe-${azurerm_cognitive_account.openai.name}"
+  location            = data.azurerm_resource_group.ws.location
+  resource_group_name = data.azurerm_resource_group.ws.name
+  subnet_id           = data.azurerm_subnet.services.id
+  tags                = local.workspace_service_tags
+
+  private_service_connection {
+    private_connection_resource_id = azurerm_cognitive_account.openai.id
+    name                           = "psc-${azurerm_cognitive_account.openai.name}"
+    subresource_names              = ["account"]
+    is_manual_connection           = false
+  }
+
+  private_dns_zone_group {
+    # name                 = module.terraform_azurerm_environment_configuration.private_links["privatelink.mysql.database.azure.com"]
+    name                 = "privatelink.openai.azure.com"
+    private_dns_zone_ids = [azurerm_private_dns_zone.openai.id]
+  }
+
+  lifecycle { ignore_changes = [tags] }
+}

templates/workspace_services/openai/terraform/outputs.tf

@@ -0,0 +1,3 @@
+output "openai_fqdn" {
+  value = azurerm_cognitive_account.openai.endpoint
+}