diff --git a/.github/workflows/standalone-scenarios-additional.json b/.github/workflows/standalone-scenarios-additional.json index 5c141c24bd..61d601e344 100644 --- a/.github/workflows/standalone-scenarios-additional.json +++ b/.github/workflows/standalone-scenarios-additional.json @@ -1,6 +1,7 @@ { "config_files": [ "cognitive_services/100-cognitive-services-account", + "cognitive_services/101-cognitive-services-account-managed-identity", "compute/batch/batch_certificate/100-batch-certificate - path", "compute/batch/batch_job/100-batch-job - quotas", "compute/batch/batch_pool/100-batch-pool - quotas", diff --git a/cognitive_service.tf b/cognitive_service.tf index 04659f9f28..1eebac5c8c 100644 --- a/cognitive_service.tf +++ b/cognitive_service.tf @@ -4,9 +4,13 @@ module "cognitive_services_account" { client_config = local.client_config global_settings = local.global_settings + base_tags = local.global_settings.inherit_tags + resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)] resource_group_name = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name location = lookup(each.value, "region", null) == null ? local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location : local.global_settings.regions[each.value.region] settings = each.value + + managed_identities = local.combined_objects_managed_identities } output "cognitive_services_account" { 
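Review bot: The added `resource_group` line resolves the key as `try(each.value.resource_group_key, each.value.resource_group.key)`, the reverse of the order the neighbouring `resource_group_name` and `location` lines use (`try(each.value.resource_group.key, each.value.resource_group_key)`), so a configuration that sets both would hand the module a resource-group object (and therefore inherited tags) that does not match the group the account is created in. Align the new line with its siblings: `resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)]`. The new `base_tags = local.global_settings.inherit_tags` will error if that attribute is not guaranteed to exist in `local.global_settings` (cannot be verified from here); `try(local.global_settings.inherit_tags, false)` would make it fail safe. The module block begins before the hunk.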
diff --git a/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars
new file mode 100644
index 0000000000..79f8ab921a
--- /dev/null
+++ b/examples/cognitive_services/101-cognitive-services-account-managed-identity/configuration.tfvars
@@ -0,0 +1,71 @@
+global_settings = {
+ default_region = "region1"
+ regions = {
+ region1 = "westus"
+ }
+ random_length = 5
+}
+
+resource_groups = {
+ test-rg = {
+ name = "rg-cognitive-test"
+ }
+}
+
+managed_identities = {
+ cognitive_msi = {
+ name = "cognitive-msi"
+ resource_group_key = "test-rg"
+ }
+}
+
+cognitive_services_account = {
+ test_account-1 = {
+ resource_group = {
+ # accepts either id or key to get resource group id
+ # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1"
+ # lz_key = "examples"
+ key = "test-rg"
+ }
+ name = "cs-test-1"
+ kind = "OpenAI"
+ sku_name = "S0"
+ public_network_access_enabled = true
+
+ identity = {
+ type = "SystemAssigned, UserAssigned" // Can be "SystemAssigned, UserAssigned" or "SystemAssigned" or "UserAssigned"
+ key = "cognitive_msi" // A must with "SystemAssigned, UserAssigned" and "UserAssigned"
+ }
+
+ tags = {
+ env = "test"
+ }
+ # custom_subdomain_name = "cs-test-1"
+ # network_acls = {
+ # default_action = "Allow"
+ # ip_rules = ["10.10.10.0/16"]
+ # }
+ }
+ test_account-2 = {
+ resource_group = {
+ # accepts either id or key to get resource group id
+ # id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1"
+ # lz_key = "examples"
+ key = "test-rg"
+ }
+ name = "cs-test-2"
+ kind = "QnAMaker"
+ sku_name = "F0"
+
+ identity = {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ env = "test"
+ }
+ qna_runtime_endpoint = "https://cs-alz-caf-test-2.azurewebsites.net"
+
+ }
+}
+
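Review bot: The comment on `key` inside `identity` says it is required for the user-assigned types, but the module this example exercises also accepts `ids` (a list of identity resource ids, which takes precedence over `key`) and an `lz_key` for identities declared in another landing zone, so the example under-documents the contract. Extend the comment to `// A must with "SystemAssigned, UserAssigned" and "UserAssigned" unless ids = [...] is given; lz_key selects the landing zone the identity was declared in`. `public_network_access_enabled = true` on `test_account-1` is the value the module already defaults to, so an inline comment stating that this open posture is for the test scenario, and that the commented-out `network_acls`/`custom_subdomain_name` are the restrictive options, would stop the next reader from copying it as a hardening setting.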
diff --git a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf index c61ddf1707..2f3a24ff40 100644 --- a/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf +++ b/modules/cognitive_services/cognitive_services_account/cognitive_service_account.tf @@ -9,13 +9,23 @@ resource "azurecaf_name" "service" { } resource "azurerm_cognitive_account" "service" { - name = azurecaf_name.service.result - location = var.location - resource_group_name = var.resource_group_name - kind = var.settings.kind - sku_name = var.settings.sku_name - - qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + name = azurecaf_name.service.result + location = var.location + resource_group_name = var.resource_group_name + kind = var.settings.kind + sku_name = var.settings.sku_name + public_network_access_enabled = try(var.settings.public_network_access_enabled, true) + custom_subdomain_name = try(var.settings.custom_subdomain_name, null) + tags = merge(local.tags, try(var.settings.tags, null)) + qna_runtime_endpoint = var.settings.kind == "QnAMaker" ? var.settings.qna_runtime_endpoint : try(var.settings.qna_runtime_endpoint, null) + + dynamic "identity" { + for_each = lookup(var.settings, "identity", {}) != {} ? [1] : [] + content { + type = lookup(var.settings.identity, "type", null) + identity_ids = can(var.settings.identity.ids) ? var.settings.identity.ids : can(var.settings.identity.key) ? [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.key].id] : null + } + } dynamic "network_acls" { for_each = can(var.settings.network_acls) ? [var.settings.network_acls] : [] 
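Review bot: The new `identity` block guards itself with `for_each = lookup(var.settings, "identity", {}) != {} ? [1] : []`, whereas the `network_acls` block directly below uses `for_each = can(var.settings.network_acls) ? [var.settings.network_acls] : []`; the inequality against an empty object depends on how HCL compares values of differing object types, while `can()` is the idiom the rest of this resource already relies on. Rewrite the guard as `for_each = can(var.settings.identity) ? [var.settings.identity] : []` and read `type = identity.value.type` inside `content`, which also drops the `lookup(..., "type", null)` fallback, since a null `type` is unlikely to be accepted by the provider (confirm against the provider schema). Separately, `public_network_access_enabled = try(var.settings.public_network_access_enabled, true)` makes the internet-reachable posture the silent default for every account that does not set the attribute; a comment on that line saying so, and pointing to `network_acls` for a restricted account, would make the default a deliberate choice rather than an accident. The resource block continues past the hunk.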
@@ -42,8 +52,4 @@ resource "azurerm_cognitive_account" "service" {
 }
 }
 }
-
- custom_subdomain_name = try(var.settings.custom_subdomain_name, null)
-
- tags = try(var.settings.tags, {})
 }
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_services_account/main.tf b/modules/cognitive_services/cognitive_services_account/main.tf
index b34ed51903..b58d11de39 100644
--- a/modules/cognitive_services/cognitive_services_account/main.tf
+++ b/modules/cognitive_services/cognitive_services_account/main.tf
@@ -4,4 +4,12 @@ terraform {
 source = "aztfmod/azurecaf"
 }
 }
+}
+
+locals {
+ tags = var.base_tags ? merge(
+ var.global_settings.tags,
+ try(var.resource_group.tags, null),
+ try(var.settings.tags, null)
+ ) : try(var.settings.tags, null)
 }
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_services_account/output.tf b/modules/cognitive_services/cognitive_services_account/output.tf
index fd2a6239a4..4e37bd9072 100644
--- a/modules/cognitive_services/cognitive_services_account/output.tf
+++ b/modules/cognitive_services/cognitive_services_account/output.tf
@@ -6,4 +6,13 @@ output "id" {
 output "endpoint" {
 description = "The endpoint used to connect to the Cognitive Service Account."
 value = azurerm_cognitive_account.service.endpoint
+}
+
+output "rbac_id" {
+ description = "The Principal ID of the Cognetive Services for Role Mapping"
+ value = try(azurerm_cognitive_account.service.identity[0].principal_id, null)
+}
+
+output "identity" {
+ value = try(azurerm_cognitive_account.service.identity, null)
 }
\ No newline at end of file
diff --git a/modules/cognitive_services/cognitive_services_account/variables.tf b/modules/cognitive_services/cognitive_services_account/variables.tf
index 6a1d64e03b..5c70771326 100644
--- a/modules/cognitive_services/cognitive_services_account/variables.tf
+++ b/modules/cognitive_services/cognitive_services_account/variables.tf
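Review bot: `local.tags` already folds `try(var.settings.tags, null)` into both branches of the conditional, yet the resource in cognitive_service_account.tf applies `merge(local.tags, try(var.settings.tags, null))` on top of it, so the settings tags are merged twice; `tags = local.tags` there is enough and keeps the precedence order (global, resource group, settings) in one place. The `merge()` call receives `null` arguments whenever a tag map is absent and relies on the function skipping them; that appears to hold for current Terraform, but a one-line comment such as `# merge() ignores null arguments, so absent tag maps are safe here` would record the assumption next to the code that depends on it.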
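Review bot: The `rbac_id` description misspells the service name (`Cognetive`), and the new `identity` output has no description while every other output in this file carries one. Change the line to `description = "The Principal ID of the Cognitive Services Account, for role assignments"` and add `description = "The identity block of the Cognitive Services Account, null when no identity is configured."` to `identity`. Both new outputs wrap the attribute in `try(..., null)`, which is the right shape for accounts created without an identity block.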
@@ -9,10 +9,22 @@ variable "location" { type = string } +variable "resource_group" { + description = "Resource group object to deploy the resource" +} + variable "resource_group_name" { - description = "Name of the existing resource group to deploy the virtual machine" + description = "Name of the existing resource group to deploy the resource" type = string } variable "settings" {} +variable "managed_identities" { + default = {} +} + +variable "base_tags" { + description = "Base tags for the resource to be inherited from the resource group." + type = bool +} \ No newline at end of file
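Review bot: `variable "managed_identities"` is the only variable in this hunk without a `description`, and `variable "base_tags"` is declared `type = bool` with no default, so any caller that does not pass it fails validation after this change. Add `description = "Map of managed identities, keyed by landing zone key and then identity key, used to resolve identity.key in settings."` to `managed_identities`; for `base_tags`, either give it `default = false` (opt-in inheritance) or document in the module README that the argument is mandatory, depending on whether every root module supplies it (the caller in cognitive_service.tf does). `variable "resource_group"` has no type constraint, which is consistent with `settings`, so nothing to raise there.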