Merge pull request #23 from PerfectThymeTech/marvinbuss/fix_issues

Resolve Issues in the current setup
PerfectThymeTech · Feb 11, 2024 · 049b9fa · 049b9fa
2 parents 9d9fb4e + 0a51a2d
commit 049b9fa
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 53 deletions.
diff --git a/code/infra/locals.tf b/code/infra/locals.tf
@@ -288,12 +288,12 @@ locals {
     }
   }
   open_ai_machine_learning_workspace_outbound_rules = {
-    "${var.open_ai_enabled ? azurerm_cognitive_account.cognitive_account[0].name : ""}-account" = {
+    "${var.open_ai_enabled ? azurerm_cognitive_account.cognitive_account_openai[0].name : ""}-account" = {
       type     = "PrivateEndpoint"
       category = "UserDefined"
       status   = "Active"
       destination = {
-        serviceResourceId = var.open_ai_enabled ? azurerm_cognitive_account.cognitive_account[0].id : ""
+        serviceResourceId = var.open_ai_enabled ? azurerm_cognitive_account.cognitive_account_openai[0].id : ""
         subresourceTarget = "account"
         sparkEnabled      = true
         sparkStatus       = "Active"

diff --git a/code/infra/machinelearningconnections.tf b/code/infra/machinelearningconnections.tf
@@ -20,25 +20,25 @@ resource "azapi_resource" "machine_learning_workspace_connection_search" {
   })
 }
 
-resource "azapi_resource" "machine_learning_workspace_connection_open_ai" {
+resource "azapi_resource" "machine_learning_workspace_connection_openai" {
   count = var.open_ai_enabled ? 1 : 0
 
   type      = "Microsoft.MachineLearningServices/workspaces/connections@2023-06-01-preview"
-  name      = azurerm_cognitive_account.cognitive_account[0].name
+  name      = azurerm_cognitive_account.cognitive_account_openai[0].name
   parent_id = azurerm_machine_learning_workspace.machine_learning_workspace.id
 
   body = jsonencode({
     properties = {
       authType = "ApiKey"
       category = "AzureOpenAI"
       credentials = {
-        key = azurerm_cognitive_account.cognitive_account[0].primary_access_key
+        key = azurerm_cognitive_account.cognitive_account_openai[0].primary_access_key
       }
       metadata = {
         ApiVersion = "2023-07-01-preview"
         ApiType    = "azure"
       }
-      target = "https://${azurerm_cognitive_account.cognitive_account[0].name}.openai.azure.com/"
+      target = "https://${azurerm_cognitive_account.cognitive_account_openai[0].name}.openai.azure.com/"
     }
   })
 }
diff --git a/code/infra/openai.tf b/code/infra/openai.tf
@@ -1,7 +1,7 @@
-resource "azurerm_cognitive_account" "cognitive_account" {
+resource "azurerm_cognitive_account" "cognitive_account_openai" {
   count = var.open_ai_enabled ? 1 : 0
 
-  name                = "${local.prefix}-cog001"
+  name                = "${local.prefix}-aoai001"
   location            = var.location
   resource_group_name = data.azurerm_resource_group.resource_group.name
   tags                = var.tags
@@ -11,8 +11,11 @@ resource "azurerm_cognitive_account" "cognitive_account" {
 
   custom_subdomain_name      = "${local.prefix}-cog001"
   dynamic_throttling_enabled = false
-  fqdns = [
-    trimsuffix(replace(azurerm_storage_account.storage.primary_blob_endpoint, "https://", ""), "/")
+  fqdns = var.search_service_enabled ? [
+    trimsuffix(replace(azurerm_storage_account.storage.primary_blob_endpoint, "https://", ""), "/"),
+    "${azurerm_search_service.search_service[0].name}.search.windows.net"
+    ] : [
+    trimsuffix(replace(azurerm_storage_account.storage.primary_blob_endpoint, "https://", ""), "/"),
   ]
   kind               = "OpenAI"
   local_auth_enabled = true
@@ -21,40 +24,31 @@ resource "azurerm_cognitive_account" "cognitive_account" {
     ip_rules       = []
   }
   outbound_network_access_restricted = true
-  public_network_access_enabled      = false
+  public_network_access_enabled      = true
   sku_name                           = "S0"
 }
 
-resource "azapi_resource" "cognitive_service_open_ai_model_ada" {
+resource "azapi_update_resource" "cognitive_account_update" {
   count = var.open_ai_enabled ? 1 : 0
 
-  type      = "Microsoft.CognitiveServices/accounts/deployments@2023-05-01"
-  name      = "text-embedding-ada-002"
-  parent_id = azurerm_cognitive_account.cognitive_account[0].id
+  type        = "Microsoft.CognitiveServices/accounts@2023-10-01-preview"
+  resource_id = azurerm_cognitive_account.cognitive_account_openai[0].id
 
   body = jsonencode({
-    sku = {
-      name     = "Standard"
-      capacity = 60
-    }
     properties = {
-      model = {
-        format  = "OpenAI"
-        name    = "text-embedding-ada-002"
-        version = "2"
+      networkAcls = {
+        bypass = "AzureServices"
       }
-      raiPolicyName        = "Microsoft.Default"
-      versionUpgradeOption = "OnceNewDefaultVersionAvailable"
     }
   })
 }
 
-resource "azapi_resource" "cognitive_service_open_ai_model_gtt_35" {
+resource "azapi_resource" "cognitive_service_open_ai_model_ada" {
   count = var.open_ai_enabled ? 1 : 0
 
-  type      = "Microsoft.CognitiveServices/accounts/deployments@2023-05-01"
-  name      = "gpt-35-turbo"
-  parent_id = azurerm_cognitive_account.cognitive_account[0].id
+  type      = "Microsoft.CognitiveServices/accounts/deployments@2023-10-01-preview"
+  name      = "text-embedding-ada-002"
+  parent_id = azurerm_cognitive_account.cognitive_account_openai[0].id
 
   body = jsonencode({
     sku = {
@@ -64,30 +58,26 @@ resource "azapi_resource" "cognitive_service_open_ai_model_gtt_35" {
     properties = {
       model = {
         format  = "OpenAI"
-        name    = "gpt-35-turbo"
-        version = "0301"
+        name    = "text-embedding-ada-002"
+        version = "2"
       }
       raiPolicyName        = "Microsoft.Default"
       versionUpgradeOption = "OnceNewDefaultVersionAvailable"
     }
   })
-
-  depends_on = [
-    azapi_resource.cognitive_service_open_ai_model_ada
-  ]
 }
 
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_cognitive_service" {
   count = var.open_ai_enabled ? 1 : 0
 
-  resource_id = azurerm_cognitive_account.cognitive_account[0].id
+  resource_id = azurerm_cognitive_account.cognitive_account_openai[0].id
 }
 
 resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_cognitive_service" {
   count = var.open_ai_enabled ? 1 : 0
 
   name                       = "logAnalytics"
-  target_resource_id         = azurerm_cognitive_account.cognitive_account[0].id
+  target_resource_id         = azurerm_cognitive_account.cognitive_account_openai[0].id
   log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
 
   dynamic "enabled_log" {
@@ -111,23 +101,23 @@ resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_cognitive_serv
 resource "azurerm_private_endpoint" "cognitive_service_private_endpoint" {
   count = var.open_ai_enabled ? 1 : 0
 
-  name                = "${azurerm_cognitive_account.cognitive_account[0].name}-pe"
+  name                = "${azurerm_cognitive_account.cognitive_account_openai[0].name}-pe"
   location            = var.location
-  resource_group_name = azurerm_cognitive_account.cognitive_account[0].resource_group_name
+  resource_group_name = azurerm_cognitive_account.cognitive_account_openai[0].resource_group_name
   tags                = var.tags
 
-  custom_network_interface_name = "${azurerm_cognitive_account.cognitive_account[0].name}-nic"
+  custom_network_interface_name = "${azurerm_cognitive_account.cognitive_account_openai[0].name}-nic"
   private_service_connection {
-    name                           = "${azurerm_cognitive_account.cognitive_account[0].name}-pe"
+    name                           = "${azurerm_cognitive_account.cognitive_account_openai[0].name}-pe"
     is_manual_connection           = false
-    private_connection_resource_id = azurerm_cognitive_account.cognitive_account[0].id
+    private_connection_resource_id = azurerm_cognitive_account.cognitive_account_openai[0].id
     subresource_names              = ["account"]
   }
   subnet_id = var.subnet_id
   dynamic "private_dns_zone_group" {
     for_each = var.private_dns_zone_id_open_ai == "" ? [] : [1]
     content {
-      name = "${azurerm_cognitive_account.cognitive_account[0].name}-arecord"
+      name = "${azurerm_cognitive_account.cognitive_account_openai[0].name}-arecord"
       private_dns_zone_ids = [
         var.private_dns_zone_id_open_ai
       ]

diff --git a/code/infra/roleassignments_openai.tf b/code/infra/roleassignments_openai.tf
@@ -1,7 +1,23 @@
-resource "azurerm_role_assignment" "uai_role_assignment_storage_blob_reader" {
+resource "azurerm_role_assignment" "cognitive_account_openai_role_assignment_storage_blob_contributor" {
   count = var.open_ai_enabled ? 1 : 0
 
   scope                = azurerm_storage_account.storage.id
-  role_definition_name = "Storage Blob Data Reader"
-  principal_id         = azurerm_cognitive_account.cognitive_account[0].identity[0].principal_id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_cognitive_account.cognitive_account_openai[0].identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "cognitive_account_openai_role_assignment_search_index_data_reader" {
+  count = var.open_ai_enabled && var.search_service_enabled ? 1 : 0
+
+  scope                = azurerm_search_service.search_service[0].id
+  role_definition_name = "Search Index Data Reader"
+  principal_id         = azurerm_cognitive_account.cognitive_account_openai[0].identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "cognitive_account_openai_role_assignment_search_service_contributor" {
+  count = var.open_ai_enabled && var.search_service_enabled ? 1 : 0
+
+  scope                = azurerm_search_service.search_service[0].id
+  role_definition_name = "Search Service Contributor"
+  principal_id         = azurerm_cognitive_account.cognitive_account_openai[0].identity[0].principal_id
 }
diff --git a/code/infra/roleassignments_search.tf b/code/infra/roleassignments_search.tf
@@ -0,0 +1,23 @@
+resource "azurerm_role_assignment" "search_role_assignment_storage_blob_contributor" {
+  count = var.search_service_enabled ? 1 : 0
+
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_search_service.search_service[0].identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "search_role_assignment_storage_reader_and_data_access" {
+  count = var.search_service_enabled ? 1 : 0
+
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Reader and Data Access"
+  principal_id         = azurerm_search_service.search_service[0].identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "search_role_assignment_openai_contributor" {
+  count = var.open_ai_enabled && var.search_service_enabled ? 1 : 0
+
+  scope                = azurerm_cognitive_account.cognitive_account_openai[0].id
+  role_definition_name = "Cognitive Services OpenAI Contributor"
+  principal_id         = azurerm_search_service.search_service[0].identity[0].principal_id
+}
diff --git a/code/infra/roleassignments_uai.tf b/code/infra/roleassignments_uai.tf
@@ -77,9 +77,9 @@ resource "azurerm_role_assignment" "uai_role_assignment_search_service_contribut
   principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
 }
 
-resource "azurerm_role_assignment" "uai_role_assignment_cognitive_account_contributor" {
+resource "azurerm_role_assignment" "uai_role_assignment_cognitive_account_openai_contributor" {
   count                = var.open_ai_enabled ? 1 : 0
-  scope                = azurerm_cognitive_account.cognitive_account[0].id
+  scope                = azurerm_cognitive_account.cognitive_account_openai[0].id
   role_definition_name = "Contributor"
   principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
 }

diff --git a/code/infra/search.tf b/code/infra/search.tf
@@ -10,14 +10,14 @@ resource "azurerm_search_service" "search_service" {
   }
 
   allowed_ips                              = []
-  authentication_failure_mode              = "http403"
+  authentication_failure_mode              = "http401WithBearerChallenge"
   customer_managed_key_enforcement_enabled = false
   hosting_mode                             = "default"
   local_authentication_enabled             = true
   partition_count                          = 1
-  public_network_access_enabled            = false
+  public_network_access_enabled            = false # Can be disabled in production if users don't use the Azure Open AI studio
   replica_count                            = 1
-  sku                                      = "standard"
+  sku                                      = "basic"
 }
 
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_search_service" {

diff --git a/config/PerfectThymeTech/vars.tfvars b/config/PerfectThymeTech/vars.tfvars
@@ -25,8 +25,8 @@ machine_learning_compute_instances = {
 }
 
 // Service enablement variables
-open_ai_enabled        = false
-search_service_enabled = false
+open_ai_enabled        = true
+search_service_enabled = true
 cognitive_services = {
   # "frmrcg" = {
   #   kind     = "FormRecognizer"