-
Notifications
You must be signed in to change notification settings - Fork 3.8k
/
main.bicep
562 lines (494 loc) · 19 KB
/
main.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
targetScope = 'subscription'
@minLength(1)
@maxLength(64)
@description('Name of the the environment which is used to generate a short unique hash used in all resources.')
param environmentName string
@minLength(1)
@description('Primary location for all resources')
param location string
param appServicePlanName string = ''
param backendServiceName string = ''
param resourceGroupName string = ''
param applicationInsightsDashboardName string = ''
param applicationInsightsName string = ''
param logAnalyticsName string = ''
param searchServiceName string = ''
param searchServiceResourceGroupName string = ''
param searchServiceLocation string = ''
// The free tier does not support managed identity (required) or semantic search (optional)
@allowed([ 'basic', 'standard', 'standard2', 'standard3', 'storage_optimized_l1', 'storage_optimized_l2' ])
param searchServiceSkuName string // Set in main.parameters.json
param searchIndexName string // Set in main.parameters.json
param searchQueryLanguage string // Set in main.parameters.json
param searchQuerySpeller string // Set in main.parameters.json
param storageAccountName string = ''
param keyVaultResourceGroupName string = ''
param storageResourceGroupName string = ''
param storageResourceGroupLocation string = location
param storageContainerName string = 'content'
param storageSkuName string // Set in main.parameters.json
@allowed([ 'azure', 'openai' ])
param openAiHost string // Set in main.parameters.json
param openAiServiceName string = ''
param openAiResourceGroupName string = ''
param useGPT4V bool = false
param keyVaultServiceName string = ''
param computerVisionSecretName string = 'computerVisionSecret'
@description('Location for the OpenAI resource group')
@allowed(['canadaeast', 'eastus', 'eastus2', 'francecentral', 'switzerlandnorth', 'uksouth', 'japaneast', 'northcentralus', 'australiaeast', 'swedencentral'])
@metadata({
azd: {
type: 'location'
}
})
param openAiResourceGroupLocation string
param openAiSkuName string = 'S0'
param openAiApiKey string = ''
param openAiApiOrganization string = ''
param formRecognizerServiceName string = ''
param formRecognizerResourceGroupName string = ''
param formRecognizerResourceGroupLocation string = location
param formRecognizerSkuName string = 'S0'
param computerVisionServiceName string = ''
param computerVisionResourceGroupName string = ''
param computerVisionResourceGroupLocation string = 'eastus' // Vision vectorize API is yet to be deployed globally
param computerVisionSkuName string = 'S1'
param chatGptDeploymentName string // Set in main.parameters.json
param chatGptDeploymentCapacity int = 30
param chatGpt4vDeploymentCapacity int = 10
param chatGptModelName string = (openAiHost == 'azure') ? 'gpt-35-turbo' : 'gpt-3.5-turbo'
param chatGptModelVersion string = '0613'
param embeddingDeploymentName string // Set in main.parameters.json
param embeddingDeploymentCapacity int = 30
param embeddingModelName string = 'text-embedding-ada-002'
param gpt4vModelName string = 'gpt-4'
param gpt4vDeploymentName string = 'gpt-4v'
param gpt4vModelVersion string = 'vision-preview'
param tenantId string = tenant().tenantId
param authTenantId string = ''
// Used for the optional login and document level access control system
param useAuthentication bool = false
param enforceAccessControl bool = false
param serverAppId string = ''
@secure()
param serverAppSecret string = ''
param clientAppId string = ''
@secure()
param clientAppSecret string = ''
// Used for optional CORS support for alternate frontends
param allowedOrigin string = '' // should start with https://, shouldn't end with a /
@description('Id of the user or app to assign application roles')
param principalId string = ''
@description('Use Application Insights for monitoring and performance tracing')
param useApplicationInsights bool = false
var abbrs = loadJsonContent('abbreviations.json')
var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
var tags = { 'azd-env-name': environmentName }
var computerVisionName = !empty(computerVisionServiceName) ? computerVisionServiceName : '${abbrs.cognitiveServicesComputerVision}${resourceToken}'
var keyVaultName = !empty(keyVaultServiceName) ? keyVaultServiceName : '${abbrs.keyVaultVaults}${resourceToken}'
var tenantIdForAuth = !empty(authTenantId) ? authTenantId : tenantId
var authenticationIssuerUri = '${environment().authentication.loginEndpoint}${tenantIdForAuth}/v2.0'
// Organize resources in a resource group
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: !empty(resourceGroupName) ? resourceGroupName : '${abbrs.resourcesResourceGroups}${environmentName}'
location: location
tags: tags
}
resource openAiResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(openAiResourceGroupName)) {
name: !empty(openAiResourceGroupName) ? openAiResourceGroupName : resourceGroup.name
}
resource formRecognizerResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(formRecognizerResourceGroupName)) {
name: !empty(formRecognizerResourceGroupName) ? formRecognizerResourceGroupName : resourceGroup.name
}
resource computerVisionResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(computerVisionResourceGroupName)) {
name: !empty(computerVisionResourceGroupName) ? computerVisionResourceGroupName : resourceGroup.name
}
resource searchServiceResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(searchServiceResourceGroupName)) {
name: !empty(searchServiceResourceGroupName) ? searchServiceResourceGroupName : resourceGroup.name
}
resource storageResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(storageResourceGroupName)) {
name: !empty(storageResourceGroupName) ? storageResourceGroupName : resourceGroup.name
}
resource keyVaultResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = if (!empty(keyVaultResourceGroupName)) {
name: !empty(keyVaultResourceGroupName) ? keyVaultResourceGroupName : resourceGroup.name
}
// Monitor application with Azure Monitor
module monitoring 'core/monitor/monitoring.bicep' = if (useApplicationInsights) {
name: 'monitoring'
scope: resourceGroup
params: {
location: location
tags: tags
applicationInsightsName: !empty(applicationInsightsName) ? applicationInsightsName : '${abbrs.insightsComponents}${resourceToken}'
logAnalyticsName: !empty(logAnalyticsName) ? logAnalyticsName : '${abbrs.operationalInsightsWorkspaces}${resourceToken}'
}
}
module applicationInsightsDashboard 'backend-dashboard.bicep' = if (useApplicationInsights) {
name: 'application-insights-dashboard'
scope: resourceGroup
params: {
name: !empty(applicationInsightsDashboardName) ? applicationInsightsDashboardName : '${abbrs.portalDashboards}${resourceToken}'
location: location
applicationInsightsName: monitoring.outputs.applicationInsightsName
}
}
// Create an App Service Plan to group applications under the same payment plan and SKU
module appServicePlan 'core/host/appserviceplan.bicep' = {
name: 'appserviceplan'
scope: resourceGroup
params: {
name: !empty(appServicePlanName) ? appServicePlanName : '${abbrs.webServerFarms}${resourceToken}'
location: location
tags: tags
sku: {
name: 'B1'
capacity: 1
}
kind: 'linux'
}
}
// The application frontend
module backend 'core/host/appservice.bicep' = {
name: 'web'
scope: resourceGroup
params: {
name: !empty(backendServiceName) ? backendServiceName : '${abbrs.webSitesAppService}backend-${resourceToken}'
location: location
tags: union(tags, { 'azd-service-name': 'backend' })
appServicePlanId: appServicePlan.outputs.id
runtimeName: 'python'
runtimeVersion: '3.11'
appCommandLine: 'python3 -m gunicorn main:app'
scmDoBuildDuringDeployment: true
managedIdentity: true
allowedOrigins: [allowedOrigin]
clientAppId: clientAppId
serverAppId: serverAppId
clientSecretSettingName: !empty(clientAppSecret) ? 'AZURE_CLIENT_APP_SECRET' : ''
authenticationIssuerUri: authenticationIssuerUri
appSettings: {
AZURE_STORAGE_ACCOUNT: storage.outputs.name
AZURE_STORAGE_CONTAINER: storageContainerName
AZURE_SEARCH_INDEX: searchIndexName
AZURE_SEARCH_SERVICE: searchService.outputs.name
AZURE_VISION_ENDPOINT: useGPT4V ? computerVision.outputs.endpoint : ''
VISION_SECRET_NAME: useGPT4V ? computerVisionSecretName: ''
AZURE_KEY_VAULT_NAME: useGPT4V ? keyVaultName: ''
AZURE_SEARCH_QUERY_LANGUAGE: searchQueryLanguage
AZURE_SEARCH_QUERY_SPELLER: searchQuerySpeller
APPLICATIONINSIGHTS_CONNECTION_STRING: useApplicationInsights ? monitoring.outputs.applicationInsightsConnectionString : ''
// Shared by all OpenAI deployments
OPENAI_HOST: openAiHost
AZURE_OPENAI_EMB_MODEL_NAME: embeddingModelName
AZURE_OPENAI_CHATGPT_MODEL: chatGptModelName
AZURE_OPENAI_GPT4V_MODEL: gpt4vModelName
// Specific to Azure OpenAI
AZURE_OPENAI_SERVICE: openAiHost == 'azure' ? openAi.outputs.name : ''
AZURE_OPENAI_CHATGPT_DEPLOYMENT: chatGptDeploymentName
AZURE_OPENAI_EMB_DEPLOYMENT: embeddingDeploymentName
AZURE_OPENAI_GPT4V_DEPLOYMENT: useGPT4V ? gpt4vDeploymentName : ''
// Used only with non-Azure OpenAI deployments
OPENAI_API_KEY: openAiApiKey
OPENAI_ORGANIZATION: openAiApiOrganization
// Optional login and document level access control system
AZURE_USE_AUTHENTICATION: useAuthentication
AZURE_ENFORCE_ACCESS_CONTROL: enforceAccessControl
AZURE_SERVER_APP_ID: serverAppId
AZURE_SERVER_APP_SECRET: serverAppSecret
AZURE_CLIENT_APP_ID: clientAppId
AZURE_CLIENT_APP_SECRET: clientAppSecret
AZURE_TENANT_ID: tenantId
AZURE_AUTH_TENANT_ID: tenantIdForAuth
AZURE_AUTHENTICATION_ISSUER_URI: authenticationIssuerUri
// CORS support, for frontends on other hosts
ALLOWED_ORIGIN: allowedOrigin
USE_GPT4V: useGPT4V
}
}
}
var defaultOpenAiDeployments = [
{
name: chatGptDeploymentName
model: {
format: 'OpenAI'
name: chatGptModelName
version: chatGptModelVersion
}
sku: {
name: 'Standard'
capacity: chatGptDeploymentCapacity
}
}
{
name: embeddingDeploymentName
model: {
format: 'OpenAI'
name: embeddingModelName
version: '2'
}
sku: {
name: 'Standard'
capacity: embeddingDeploymentCapacity
}
}
]
var openAiDeployments = concat(defaultOpenAiDeployments, useGPT4V ? [
{
name: gpt4vDeploymentName
model: {
format: 'OpenAI'
name: gpt4vModelName
version: gpt4vModelVersion
}
sku: {
name: 'Standard'
capacity: chatGpt4vDeploymentCapacity
}
}
] : [])
module openAi 'core/ai/cognitiveservices.bicep' = {
name: 'openai'
scope: openAiResourceGroup
params: {
name: !empty(openAiServiceName) ? openAiServiceName : '${abbrs.cognitiveServicesAccounts}${resourceToken}'
location: openAiResourceGroupLocation
tags: tags
sku: {
name: openAiSkuName
}
deployments: openAiDeployments
}
}
module formRecognizer 'core/ai/cognitiveservices.bicep' = {
name: 'formrecognizer'
scope: formRecognizerResourceGroup
params: {
name: !empty(formRecognizerServiceName) ? formRecognizerServiceName : '${abbrs.cognitiveServicesFormRecognizer}${resourceToken}'
kind: 'FormRecognizer'
location: formRecognizerResourceGroupLocation
tags: tags
sku: {
name: formRecognizerSkuName
}
}
}
module computerVision 'core/ai/cognitiveservices.bicep' = if (useGPT4V) {
name: 'computerVision'
scope: computerVisionResourceGroup
params: {
name: computerVisionName
kind: 'ComputerVision'
location: computerVisionResourceGroupLocation
tags: tags
sku: {
name: computerVisionSkuName
}
}
}
// Currently, we only need Key Vault for storing Computer Vision key,
// which is only used for GPT-4V.
module keyVault 'core/security/keyvault.bicep' = if (useGPT4V) {
name: 'keyvault'
scope: keyVaultResourceGroup
params: {
name: keyVaultName
location: location
principalId: principalId
}
}
module webKVAccess 'core/security/keyvault-access.bicep' = if (useGPT4V) {
name: 'web-keyvault-access'
scope: keyVaultResourceGroup
params: {
keyVaultName: keyVaultName
principalId: backend.outputs.identityPrincipalId
}
}
module secrets 'secrets.bicep' = if (useGPT4V) {
name: 'secrets'
scope: keyVaultResourceGroup
params: {
keyVaultName: keyVaultName
storeComputerVisionSecret: useGPT4V
computerVisionId: useGPT4V ? computerVision.outputs.id : ''
computerVisionSecretName: computerVisionSecretName
}
}
module searchService 'core/search/search-services.bicep' = {
name: 'search-service'
scope: searchServiceResourceGroup
params: {
name: !empty(searchServiceName) ? searchServiceName : 'gptkb-${resourceToken}'
location: !empty(searchServiceLocation) ? searchServiceLocation : location
tags: tags
authOptions: {
aadOrApiKey: {
aadAuthFailureMode: 'http401WithBearerChallenge'
}
}
sku: {
name: searchServiceSkuName
}
semanticSearch: 'free'
}
}
module storage 'core/storage/storage-account.bicep' = {
name: 'storage'
scope: storageResourceGroup
params: {
name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${resourceToken}'
location: storageResourceGroupLocation
tags: tags
allowBlobPublicAccess: false
publicNetworkAccess: 'Enabled'
sku: {
name: storageSkuName
}
deleteRetentionPolicy: {
enabled: true
days: 2
}
containers: [
{
name: storageContainerName
publicAccess: 'None'
}
]
}
}
// USER ROLES
module openAiRoleUser 'core/security/role.bicep' = if (openAiHost == 'azure') {
scope: openAiResourceGroup
name: 'openai-role-user'
params: {
principalId: principalId
roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
principalType: 'User'
}
}
module formRecognizerRoleUser 'core/security/role.bicep' = {
scope: formRecognizerResourceGroup
name: 'formrecognizer-role-user'
params: {
principalId: principalId
roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
principalType: 'User'
}
}
module storageRoleUser 'core/security/role.bicep' = {
scope: storageResourceGroup
name: 'storage-role-user'
params: {
principalId: principalId
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
principalType: 'User'
}
}
module storageContribRoleUser 'core/security/role.bicep' = {
scope: storageResourceGroup
name: 'storage-contribrole-user'
params: {
principalId: principalId
roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
principalType: 'User'
}
}
module searchRoleUser 'core/security/role.bicep' = {
scope: searchServiceResourceGroup
name: 'search-role-user'
params: {
principalId: principalId
roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
principalType: 'User'
}
}
module searchContribRoleUser 'core/security/role.bicep' = {
scope: searchServiceResourceGroup
name: 'search-contrib-role-user'
params: {
principalId: principalId
roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
principalType: 'User'
}
}
module searchSvcContribRoleUser 'core/security/role.bicep' = {
scope: searchServiceResourceGroup
name: 'search-svccontrib-role-user'
params: {
principalId: principalId
roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
principalType: 'User'
}
}
// SYSTEM IDENTITIES
module openAiRoleBackend 'core/security/role.bicep' = if (openAiHost == 'azure') {
scope: openAiResourceGroup
name: 'openai-role-backend'
params: {
principalId: backend.outputs.identityPrincipalId
roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
principalType: 'ServicePrincipal'
}
}
module storageRoleBackend 'core/security/role.bicep' = {
scope: storageResourceGroup
name: 'storage-role-backend'
params: {
principalId: backend.outputs.identityPrincipalId
roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
principalType: 'ServicePrincipal'
}
}
// Used to issue search queries
// https://learn.microsoft.com/azure/search/search-security-rbac
module searchRoleBackend 'core/security/role.bicep' = {
scope: searchServiceResourceGroup
name: 'search-role-backend'
params: {
principalId: backend.outputs.identityPrincipalId
roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
principalType: 'ServicePrincipal'
}
}
// Used to read index definitions (required when using authentication)
// https://learn.microsoft.com/azure/search/search-security-rbac
module searchReaderRoleBackend 'core/security/role.bicep' = if (useAuthentication) {
scope: searchServiceResourceGroup
name: 'search-reader-role-backend'
params: {
principalId: backend.outputs.identityPrincipalId
roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
principalType: 'ServicePrincipal'
}
}
output AZURE_LOCATION string = location
output AZURE_TENANT_ID string = tenantId
output AZURE_AUTH_TENANT_ID string = authTenantId
output AZURE_RESOURCE_GROUP string = resourceGroup.name
// Shared by all OpenAI deployments
output OPENAI_HOST string = openAiHost
output AZURE_OPENAI_EMB_MODEL_NAME string = embeddingModelName
output AZURE_OPENAI_CHATGPT_MODEL string = chatGptModelName
output AZURE_OPENAI_GPT4V_MODEL string = gpt4vModelName
// Specific to Azure OpenAI
output AZURE_OPENAI_SERVICE string = (openAiHost == 'azure') ? openAi.outputs.name : ''
output AZURE_OPENAI_RESOURCE_GROUP string = (openAiHost == 'azure') ? openAiResourceGroup.name : ''
output AZURE_OPENAI_CHATGPT_DEPLOYMENT string = (openAiHost == 'azure') ? chatGptDeploymentName : ''
output AZURE_OPENAI_EMB_DEPLOYMENT string = (openAiHost == 'azure') ? embeddingDeploymentName : ''
output AZURE_OPENAI_GPT4V_DEPLOYMENT string = (openAiHost == 'azure') ? gpt4vDeploymentName : ''
// Used only with non-Azure OpenAI deployments
output OPENAI_API_KEY string = (openAiHost == 'openai') ? openAiApiKey : ''
output OPENAI_ORGANIZATION string = (openAiHost == 'openai') ? openAiApiOrganization : ''
output AZURE_VISION_ENDPOINT string = useGPT4V ? computerVision.outputs.endpoint : ''
output VISION_SECRET_NAME string = useGPT4V ? computerVisionSecretName : ''
output AZURE_KEY_VAULT_NAME string = useGPT4V ? keyVault.outputs.name : ''
output AZURE_FORMRECOGNIZER_SERVICE string = formRecognizer.outputs.name
output AZURE_FORMRECOGNIZER_RESOURCE_GROUP string = formRecognizerResourceGroup.name
output AZURE_SEARCH_INDEX string = searchIndexName
output AZURE_SEARCH_SERVICE string = searchService.outputs.name
output AZURE_SEARCH_SERVICE_RESOURCE_GROUP string = searchServiceResourceGroup.name
output AZURE_STORAGE_ACCOUNT string = storage.outputs.name
output AZURE_STORAGE_CONTAINER string = storageContainerName
output AZURE_STORAGE_RESOURCE_GROUP string = storageResourceGroup.name
output AZURE_USE_AUTHENTICATION bool = useAuthentication
output BACKEND_URI string = backend.outputs.uri