Skip to content

Support new container role assignment for agent thread-storage bicep #249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fosteramanda merged 3 commits into from
May 6, 2025
Merged

Support new container role assignment for agent thread-storage bicep #249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
24bf4f1
support new container role assignment for agent threadstorage bicep
ShobithNandakumar May 5, 2025
2f9e3d0
Apply fix to container role assignment name and re-build ARM template
ShobithNandakumar May 5, 2025
258f23e
Modify cosmos role assignment resource name
ShobithNandakumar May 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions scenarios/Agents/setup/network-secured-agent-thread-storage/azuredeploy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.33.93.31351",
"templateHash": "12425839983447429475"
"templateHash": "9204291102583499292"
}
},
"parameters": {
Expand Down Expand Up @@ -2562,7 +2562,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('cosmos-container-role-assignments-{0}-{1}-deployment', toLower(format('{0}', parameters('defaultAiProjectName'))), parameters('uniqueSuffix'))]",
"name": "[format('cosmos-ra-{0}-{1}-deployment', toLower(format('{0}', parameters('defaultAiProjectName'))), parameters('uniqueSuffix'))]",
"subscriptionId": "[variables('cosmosDBSubscriptionId')]",
"resourceGroup": "[variables('cosmosDBResourceGroupName')]",
"properties": {
Expand Down Expand Up @@ -2591,7 +2591,7 @@
"_generator": {
"name": "bicep",
"version": "0.33.93.31351",
"templateHash": "3236725067655686559"
"templateHash": "2433285251744228821"
}
},
"parameters": {
Expand Down Expand Up @@ -2620,9 +2620,11 @@
"variables": {
"userThreadName": "[format('{0}-thread-message-store', parameters('projectWorkspaceId'))]",
"systemThreadName": "[format('{0}-system-thread-message-store', parameters('projectWorkspaceId'))]",
"agentEntityStoreName": "[format('{0}-agent-entity-store', parameters('projectWorkspaceId'))]",
"roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosAccountName'), '00000000-0000-0000-0000-000000000002')]",
"scopeSystemContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('systemThreadName'))]",
"scopeUserContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('userThreadName'))]"
"scopeUserContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('userThreadName'))]",
"scopeAgentEntityContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('agentEntityStoreName'))]"
},
"resources": [
{
Expand All @@ -2644,6 +2646,16 @@
"roleDefinitionId": "[variables('roleDefinitionId')]",
"scope": "[variables('scopeSystemContainer')]"
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
"apiVersion": "2022-05-15",
"name": "[format('{0}/{1}', parameters('cosmosAccountName'), guid(parameters('aiProjectId'), resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('cosmosAccountName'), 'enterprise_memory', variables('agentEntityStoreName')), variables('roleDefinitionId')))]",
"properties": {
"principalId": "[parameters('aiProjectPrincipalId')]",
"roleDefinitionId": "[variables('roleDefinitionId')]",
"scope": "[variables('scopeAgentEntityContainer')]"
}
}
]
}
Expand Down
2 changes: 1 addition & 1 deletion scenarios/Agents/setup/network-secured-agent-thread-storage/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -375,7 +375,7 @@ module addCapabilityHost 'modules-network-secured/network-capability-host.bicep'
}

module cosmosContainerRoleAssignments 'modules-network-secured/database/cosmos-container-role-assignment.bicep' = {
name: 'cosmos-container-role-assignments-${toLower('${defaultAiProjectName}')}-${uniqueSuffix}-deployment'
name: 'cosmos-ra-${toLower('${defaultAiProjectName}')}-${uniqueSuffix}-deployment'
scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
params: {
cosmosAccountName: aiDependencies.outputs.cosmosDBName
Expand Down
17 changes: 17 additions & 0 deletions ...nt-thread-storage/modules-network-secured/database/cosmos-container-role-assignment.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ param projectWorkspaceId string

var userThreadName = '${projectWorkspaceId}-thread-message-store'
var systemThreadName = '${projectWorkspaceId}-system-thread-message-store'
var agentEntityStoreName = '${projectWorkspaceId}-agent-entity-store'


#disable-next-line BCP081
Expand Down Expand Up @@ -41,6 +42,11 @@ resource containerSystemMessageStore 'Microsoft.DocumentDB/databaseAccounts/sqlD
name: systemThreadName
}

#disable-next-line BCP081
resource containerAgentEntityStore 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-12-01-preview' existing = {
parent: database
name: agentEntityStoreName
}

var roleDefinitionId = resourceId(
'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',
Expand All @@ -50,6 +56,7 @@ var roleDefinitionId = resourceId(

var scopeSystemContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${systemThreadName}'
var scopeUserContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${userThreadName}'
var scopeAgentEntityContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${agentEntityStoreName}'

resource containerRoleAssignmentUserContainer 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
parent: cosmosAccount
Expand All @@ -70,3 +77,13 @@ resource containerRoleAssignmentSystemContainer 'Microsoft.DocumentDB/databaseAc
scope: scopeSystemContainer
}
}

resource containerRoleAssignmentAgentEntityContainer 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
parent: cosmosAccount
name: guid(aiProjectId, containerAgentEntityStore.id, roleDefinitionId)
properties: {
principalId: aiProjectPrincipalId
roleDefinitionId: roleDefinitionId
scope: scopeAgentEntityContainer
}
}
20 changes: 16 additions & 4 deletions scenarios/Agents/setup/standard-agent-with-threadstorage/azuredeploy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.33.93.31351",
"templateHash": "17154956640074748586"
"templateHash": "11260517981500011816"
}
},
"parameters": {
Expand Down Expand Up @@ -1594,7 +1594,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('cosmos-container-role-assignments-{0}-{1}-deployment', variables('projectName'), variables('uniqueSuffix'))]",
"name": "[format('cosmos-ra-{0}-{1}-deployment', toLower(format('{0}', variables('projectName'))), variables('uniqueSuffix'))]",
"subscriptionId": "[variables('cosmosDBSubscriptionId')]",
"resourceGroup": "[variables('cosmosDBResourceGroupName')]",
"properties": {
Expand Down Expand Up @@ -1623,7 +1623,7 @@
"_generator": {
"name": "bicep",
"version": "0.33.93.31351",
"templateHash": "4005997312279995865"
"templateHash": "580164018367721578"
}
},
"parameters": {
Expand Down Expand Up @@ -1652,9 +1652,11 @@
"variables": {
"userThreadName": "[format('{0}-thread-message-store', parameters('projectWorkspaceId'))]",
"systemThreadName": "[format('{0}-system-thread-message-store', parameters('projectWorkspaceId'))]",
"agentEntityStoreName": "[format('{0}-agent-entity-store', parameters('projectWorkspaceId'))]",
"roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosAccountName'), '00000000-0000-0000-0000-000000000002')]",
"scopeSystemContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('systemThreadName'))]",
"scopeUserContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('userThreadName'))]"
"scopeUserContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('userThreadName'))]",
"scopeAgentEntityContainer": "[format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.DocumentDB/databaseAccounts/{2}/dbs/enterprise_memory/colls/{3}', subscription().subscriptionId, resourceGroup().name, parameters('cosmosAccountName'), variables('agentEntityStoreName'))]"
},
"resources": [
{
Expand All @@ -1676,6 +1678,16 @@
"roleDefinitionId": "[variables('roleDefinitionId')]",
"scope": "[variables('scopeSystemContainer')]"
}
},
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
"apiVersion": "2022-05-15",
"name": "[format('{0}/{1}', parameters('cosmosAccountName'), guid(parameters('aiProjectId'), resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('cosmosAccountName'), 'enterprise_memory', variables('agentEntityStoreName')), variables('roleDefinitionId')))]",
"properties": {
"principalId": "[parameters('aiProjectPrincipalId')]",
"roleDefinitionId": "[variables('roleDefinitionId')]",
"scope": "[variables('scopeAgentEntityContainer')]"
}
}
]
}
Expand Down
2 changes: 1 addition & 1 deletion scenarios/Agents/setup/standard-agent-with-threadstorage/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,7 +242,7 @@ module addCapabilityHost 'modules-standard/add-capability-host.bicep' = {


module cosmosContainerRoleAssignments 'modules-standard/cosmos-container-role-assignment.bicep' = {
name: 'cosmos-container-role-assignments-${projectName}-${uniqueSuffix}-deployment'
name: 'cosmos-ra-${toLower('${projectName}')}-${uniqueSuffix}-deployment'
scope: resourceGroup(cosmosDBSubscriptionId, cosmosDBResourceGroupName)
params: {
cosmosAccountName: aiDependencies.outputs.cosmosDBName
Expand Down
16 changes: 16 additions & 0 deletions ...standard-agent-with-threadstorage/modules-standard/cosmos-container-role-assignment.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ param projectWorkspaceId string

var userThreadName = '${projectWorkspaceId}-thread-message-store'
var systemThreadName = '${projectWorkspaceId}-system-thread-message-store'
var agentEntityStoreName = '${projectWorkspaceId}-agent-entity-store'


resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2024-12-01-preview' existing = {
Expand All @@ -36,6 +37,10 @@ resource containerSystemMessageStore 'Microsoft.DocumentDB/databaseAccounts/sqlD
name: systemThreadName
}

resource containerAgentEntityStore 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-12-01-preview' existing = {
parent: database
name: agentEntityStoreName
}

var roleDefinitionId = resourceId(
'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',
Expand All @@ -45,6 +50,7 @@ var roleDefinitionId = resourceId(

var scopeSystemContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${systemThreadName}'
var scopeUserContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${userThreadName}'
var scopeAgentEntityContainer = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory/colls/${agentEntityStoreName}'

resource containerRoleAssignmentUserContainer 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
parent: cosmosAccount
Expand All @@ -65,3 +71,13 @@ resource containerRoleAssignmentSystemContainer 'Microsoft.DocumentDB/databaseAc
scope: scopeSystemContainer
}
}

resource containerRoleAssignmentAgentEntityContainer 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
parent: cosmosAccount
name: guid(aiProjectId, containerAgentEntityStore.id, roleDefinitionId)
properties: {
principalId: aiProjectPrincipalId
roleDefinitionId: roleDefinitionId
scope: scopeAgentEntityContainer
}
}
Loading