diff --git a/use-cases/infrastructure-as-code/00-basic/azuredeploy.json b/use-cases/infrastructure-as-code/00-basic/azuredeploy.json
deleted file mode 100644
index d74297770..000000000
--- a/use-cases/infrastructure-as-code/00-basic/azuredeploy.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "aiServicesName": {
- "type": "string",
- "defaultValue": "AIServices-viaARMtemplate",
- "metadata": {
- "description": "This is our AIServices resource template."
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "East US 2",
- "metadata": {
- "description": "Location for all resources."
- }
- },
- "sku": {
- "type": "string",
- "defaultValue": "S0",
- "allowedValues": [
- "S0"
- ]
- },
- "aiProjectName": {
- "type": "string",
- "defaultValue": "AIProject-viaARMtemplate",
- "metadata": {
- "description": "This will be the Project's name."
- }
- },
- "PNAflag": {
- "type": "string",
- "defaultValue": "Enabled",
- "metadata": {
- "description": "Public Network Access flag default is Enabled."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.CognitiveServices/accounts",
- "apiVersion": "2025-04-01-preview",
- "name": "[parameters('aiServicesName')]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "sku": {
- "name": "[parameters('sku')]"
- },
- "kind": "AIServices",
- "properties": {
- "publicNetworkAccess": "Enabled",
- "allowProjectManagement": true
- }
- },
- {
- "type": "Microsoft.CognitiveServices/accounts/projects",
- "apiVersion": "2025-04-01-preview",
- "name": "[format('{0}/{1}', parameters('aiServicesName'), parameters('aiProjectName'))]",
- "location": "[parameters('location')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "dependsOn": [
- "[resourceID('Microsoft.CognitiveServices/accounts', parameters('aiServicesName'))]"
- ],
- "properties": {
- "publicNetworkAccess": "Enabled",
- "allowProjectManagement": true
- }
- }
- ]
- }
\ No newline at end of file
diff --git a/use-cases/infrastructure-as-code/00-basic/main.bicep b/use-cases/infrastructure-as-code/00-basic/main.bicep
index 52a33e315..fad087fb2 100644
--- a/use-cases/infrastructure-as-code/00-basic/main.bicep +++ b/use-cases/infrastructure-as-code/00-basic/main.bicep @@ -1,28 +1,61 @@ -param aiServicesName string = 'myaiservices123' -param location string = 'East US 2' -param sku string = 'S0' -param aiProjectName string = 'myaiservices123-proj' +param aiFoundryName string = 'resourcename' +param aiProjectName string = '${aiFoundryName}-proj' +param location string = 'westus' -resource aiService 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { - name: aiServicesName +/* + An AI Foundry resources is a variant of a CognitiveServices/account resource type +*/ +resource aiFoundry 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { + name: aiFoundryName location: location identity: { type: 'SystemAssigned' } sku: { - name: sku + name: 'S0' } kind: 'AIServices' properties: { - allowProjectManagement: true + allowProjectManagement: true // required to work in AI Foundry + + // Defines developer API endpoint subdomain + customSubDomainName: aiFoundryName } } +/* + Developer APIs are exposed via a project, which groups in- and outputs that relate to one use case, including files. + Its advisable to create one project right away, so development teams can directly get started. + Projects may be granted individual RBAC permissions and identities on top of what account provides. +*/ resource aiProject 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = { name: aiProjectName - parent: aiService + parent: aiFoundry location: location identity: { type: 'SystemAssigned' } + properties: { + displayName: 'test' + description: 'test2' + isDefault: true + } +} + +/* + Optionally deploy a model to use in playground, agents and other tools. +*/ +resource modelDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024-10-01'= { + parent: aiFoundry + name: 'gpt-4o' + sku : { + capacity: 1 + name: 'GlobalStandard' + } + properties: { + model:{ + name: 'gpt-4o' + format: 'OpenAI' + } + } } 
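Review bot: The new `aiFoundry` account sets `customSubDomainName` but neither `publicNetworkAccess` nor `disableLocalAuth`, so the basic sample deploys with whatever the API defaults are for network exposure and key-based authentication, and a reader copying it cannot see that choice. Stating both explicitly in `properties`, for example `disableLocalAuth: true` and `publicNetworkAccess: 'Enabled'`, would make the posture deliberate. The project's `displayName: 'test'` and `description: 'test2'` look like leftover test values, and the `gpt-4o` deployment has no `version` under `model`, so the deployed model version is left to the service default.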
diff --git a/use-cases/infrastructure-as-code/01-connections/ai-search.bicep b/use-cases/infrastructure-as-code/01-connections/ai-search.bicep
new file mode 100644
index 000000000..42c8ed959
--- /dev/null
+++ b/use-cases/infrastructure-as-code/01-connections/ai-search.bicep
@@ -0,0 +1,50 @@
+/*
+This example demonstrates how to add an Azure AI Search connection.
+*/
+param aiFoundryName string = 'your-account'
+param aiSearchName string = 'ais-${aiFoundryName}'
+
+// whether ai Search is existing or new
+@allowed([
+ 'new'
+ 'existing'
+])
+param newOrExisting string = 'new'
+
+#disable-next-line BCP081
+resource aiFoundry 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' existing = {
+ name: aiFoundryName
+ scope: resourceGroup()
+}
+
+resource existingSearchService 'Microsoft.Search/searchServices@2025-02-01-preview' existing = if (newOrExisting == 'existing') {
+ name: aiSearchName
+}
+
+resource newSearchService 'Microsoft.Search/searchServices@2025-02-01-preview' = if (newOrExisting == 'new') {
+ name: aiSearchName
+ location: 'westus'
+ sku: {
+ name: 'basic'
+ }
+ properties: {}
+}
+
+resource project_connection_azureai_search 'Microsoft.CognitiveServices/accounts/connections@2025-04-01-preview' = {
+ name: aiSearchName
+ parent: aiFoundry
+ properties: {
+ category: 'CognitiveSearch'
+ target: ((newOrExisting == 'new') ? newSearchService.properties.endpoint : existingSearchService.properties.endpoint)
+ authType: 'ApiKey'
+ isSharedToAll: true
+ credentials: {
+ key: ((newOrExisting == 'new') ? listKeys(newSearchService.id, '2020-06-10').key1 : listKeys(existingSearchService.id, '2020-06-10').key1)
+ }
+ metadata: {
+ ApiType: 'Azure'
+ ResourceId: ((newOrExisting == 'new') ? newSearchService.id : existingSearchService.id)
+ location: ((newOrExisting == 'new') ? newSearchService.location : existingSearchService.location)
+ }
+ }
+}
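Review bot: The connection stores a search-service key as a long-lived credential: `credentials.key` is read with `listKeys(...)` under `authType: 'ApiKey'`, and `isSharedToAll: true` makes that credential usable from every project on the account. If this resolves to the service's admin key, it grants index and key management rights, which is far more than a retrieval connection needs. Prefer Entra ID authentication on the connection (`authType: 'AAD'` plus a role assignment for the account's managed identity on the search service), or at least set `isSharedToAll: false` and document the exposure. Separately, as far as I know Microsoft.Search exposes admin keys through `listAdminKeys` returning `primaryKey`, so `listKeys(..., '2020-06-10').key1` should be verified against a real deployment.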
diff --git a/use-cases/infrastructure-as-code/10-private-network/deploy.json b/use-cases/infrastructure-as-code/10-private-network/deploy.json
new file mode 100644
index 000000000..bcfcafb32
--- /dev/null
+++ b/use-cases/infrastructure-as-code/10-private-network/deploy.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_sansinhtest19871_name": {
+ "defaultValue": "sansinhtest199919",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2024-10-01",
+ "name": "[parameters('accounts_sansinhtest19871_name')]",
+ "location": "eastus",
+ "sku": {
+ "name": "S0"
+ },
+
+ "kind": "AIServices",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "allowProjectManagement": true,
+ "customSubDomainName": "[parameters('accounts_sansinhtest19871_name')]",
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "virtualNetworkRules": [],
+ "ipRules": []
+ },
+ "publicNetworkAccess": "Enabled",
+ "networkInjections":[
+ {
+ "scenario": "agent",
+ "subnetArmId" : "/subscriptions/a9216f37-b90e-4db2-b844-b171e5394fc1/resourceGroups/sansinhtest/providers/Microsoft.Network/virtualNetworks/sansinheert/subnets/default",
+ "useMicrosoftManagedNetwork": false
+ }
+ ]
+ }
+
+ }
+ ]
+}
\ No newline at end of file
diff --git a/use-cases/infrastructure-as-code/20-user-assigned-identity/main.bicep b/use-cases/infrastructure-as-code/20-user-assigned-identity/main.bicep
index 0453f55ee..f6350b07f 100644
--- a/use-cases/infrastructure-as-code/20-user-assigned-identity/main.bicep
+++ b/use-cases/infrastructure-as-code/20-user-assigned-identity/main.bicep
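Review bot: `subnetArmId` hard-codes a subscription ID, resource group and virtual network that look like someone's own test environment, and the parameter `accounts_sansinhtest19871_name` with default `sansinhtest199919` reads like an unedited portal export. The subnet ID should come from a parameter without a default, e.g. `"subnetArmId": "[parameters('agentSubnetId')]"`, and the account-name parameter should get a neutral name. For a sample filed under `10-private-network`, `"publicNetworkAccess": "Enabled"` together with `"defaultAction": "Allow"` leaves the account reachable from the public internet. If private access is the intent, set `"publicNetworkAccess": "Disabled"` and `"defaultAction": "Deny"`; if not, the template should say why it is left open.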
@@ -2,40 +2,41 @@ AI Foundry account and project - with your User-Assigned managed identity. Description: - - Create an AI Foundry (previously known as Azure AI Services) account and project with UAI. - - Create a gpt-4o model deployment - - When creating a project, the Identity is not updateable. Please select 'SystemAssigned', 'UserAssigned' or 'SystemAssigned,UserAssigned' during creation as this cannot be updated. . - - Creating your first project is needed to support more capabilities and is the default reoute for APIs if no paramter is provided. + - Creates an AI Foundry (previously known as Azure AI Services) account and project with UAI. + - Creates a gpt-4o model deployment + + Known limitations: + - When creating a project, managed identity cannot be updated. Please select 'SystemAssigned', 'UserAssigned' or 'SystemAssigned,UserAssigned' during creation. */ @description('That name is the name of our application. It has to be unique. Type a name followed by your resource group name. (-)') -param aiServicesName string = 'aiServices-${uniqueString(resourceGroup().id)}' +param aiFoundryName string = 'your-resource' @description('Location for all resources.') -param location string = resourceGroup().location +param location string = 'eastus' @description('Name of the first project') -param defaultProjectName string = '${aiServicesName}-proj' +param defaultProjectName string = '${aiFoundryName}-proj' param defaultProjectDisplayName string = 'Project' param defaultProjectDescription string = 'Describe what your project is about.' 
/* Step 1: Get your existing/previously created Managed Identity -*/ -@description('User Assigned Identity Name') -param userAssignedIdentityName string +*/ @description('User Assigned Identity Resource Group Name') param userIdentityResourceGroupName string = resourceGroup().name +@description('User Assigned Identity Name') +param userAssignedIdentityName string = 'aifoundry-test-uai' + var userAssignedIdentityId = extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, '${userIdentityResourceGroupName}'), 'Microsoft.ManagedIdentity/userAssignedIdentities', '${userAssignedIdentityName}') /* Step 2: Create a Cognitive Services Account - */ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { - name: aiServicesName + name: aiFoundryName location: location identity: { type: 'SystemAssigned,UserAssigned' // Select 'UserAssigned' or 'SystemAssigned,UserAssigned' during creation as this cannot be updated. @@ -51,19 +52,20 @@ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { // Networking publicNetworkAccess: 'Enabled' - // Specifies wheether this resource support project management as child resources, used as containers for access management, data isolation, and cost in AI Foundry. + // Specifies whether this resource support project management as child resources, used as containers for access management, data isolation, and cost in AI Foundry. allowProjectManagement: true + // Defines developer API endpoint subdomain + customSubDomainName: aiFoundryName + // Auth - disableLocalAuth: true + disableLocalAuth: false } } /* Step 3: Deploy gpt-4o model - */ - resource modelDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024-10-01'= { parent: account name: 'gpt-4o' 
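Review bot: `aiFoundryName` now defaults to the literal `'your-resource'` where the old default was derived from `uniqueString(resourceGroup().id)`, while the `@description` above it still says the name has to be unique. The next hunk feeds the same value into `customSubDomainName`, which forms part of the endpoint hostname and presumably has to be globally unique, so anyone deploying the sample unchanged will hit a name collision. Either keep a generated default such as `param aiFoundryName string = 'foundry-${uniqueString(resourceGroup().id)}'` or drop the default so the caller must supply one. The same applies to `userAssignedIdentityName`, which gained the environment-specific default `'aifoundry-test-uai'`. This hunk starts on the previous line of the page.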
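Review bot: `disableLocalAuth` flips from `true` to `false` under the `// Auth` comment in the second hunk, which re-enables API-key authentication on a sample whose stated purpose is managed-identity access. Nothing in the hunk explains why; if a dependent feature needs keys, say so in a comment next to the property, otherwise keep `disableLocalAuth: true` so that only Entra ID tokens are accepted. `publicNetworkAccess: 'Enabled'` is unchanged context a few lines above, so after this change the account is both publicly reachable and key-authenticated. The `account` resource body continues outside the hunk.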
@@ -82,7 +84,6 @@ resource modelDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024- /* Step 4: Create a Project - */ resource project 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = { name: defaultProjectName @@ -92,7 +93,7 @@ resource project 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-previ identity: { type: 'SystemAssigned,UserAssigned' // Select 'UserAssigned' or 'SystemAssigned,UserAssigned' during creation as this cannot be updated. userAssignedIdentities: { - '${userAssignedIdentityId}': {} + '${userAssignedIdentityId}': {} } } @@ -103,6 +104,10 @@ resource project 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-previ } } +/* Step 5: + Grant managed identity 'Azure AI Administrator' role on account +*/ + output accountId string = account.id output accountName string = account.name output project string = project.name diff --git a/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.json b/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.json deleted file mode 100644 index 48f9e689d..000000000 --- a/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.json +++ /dev/null 
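Review bot: The `/* Step 5: Grant managed identity 'Azure AI Administrator' role on account */` header added in the last hunk on this line is followed directly by the `output` statements, so no role assignment is actually created. A reader will assume the identity already holds the role after deployment. Either add the `Microsoft.Authorization/roleAssignments` resource scoped to `account`, or reword the comment to something like `// TODO: the role assignment for the managed identity is not part of this template`. If the assignment is added, it is worth checking whether a narrower role than an administrator role is enough for this identity.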
@@ -1,144 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "aiServicesName": {
- "defaultValue": "[format('aiServices-{0}', uniqueString(resourceGroup().id))]",
- "type": "string",
- "metadata": {
- "description": "That name is the name of our application. It has to be unique.Type a name followed by your resource group name. (-)"
- }
- },
- "location": {
- "defaultValue": "[resourceGroup().location]",
- "type": "string",
- "metadata": {
- "description": "Location for all resources."
- }
- },
- "defaultProjectName": {
- "defaultValue": "[format('{0}-proj', parameters('aiServicesName'))]",
- "type": "string",
- "metadata": {
- "description": "Name of the first project"
- }
- },
- "defaultProjectDisplayName": {
- "defaultValue": "Project",
- "type": "string"
- },
- "defaultProjectDescription": {
- "defaultValue": "Describe what your project is about.",
- "type": "string"
- },
- "azureKeyVaultName": {
- "type": "string",
- "metadata": {
- "description": "Name of the customers existing Azure Key Vault resource"
- }
- },
- "azureKeyVaultTarget": {
- "defaultValue": "[format('https://{0}.vault.azure.net/', parameters('azureKeyVaultName'))]",
- "type": "string",
- "metadata": {
- "description": "Name of the Azure Key Vault target"
- }
- },
- "azureKeyVaultResourceGroupName": {
- "defaultValue": "[resourceGroup().name]",
- "type": "string",
- "metadata": {
- "description": "Resource Group name of the Azure Key Vault resource"
- }
- },
- "azureKeyVaultSubscriptionId": {
- "defaultValue": "[subscription().subscriptionId]",
- "type": "string",
- "metadata": {
- "description": "Subscription ID of the Azure Key Vault resource"
- }
- },
- "azureKeyName": {
- "type": "string",
- "metadata": {
- "description": "Name of the Azure Key Vault key"
- }
- },
- "azureKeyVersion": {
- "type": "string",
- "metadata": {
- "description": "Version of the Azure Key Vault key"
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.CognitiveServices/accounts",
- "apiVersion": "2025-04-01-preview",
- "name": "[parameters('aiServicesName')]",
- "location": "[parameters('location')]",
- "sku": {
- "name": "S0"
- },
- "kind": "AIServices",
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "publicNetworkAccess": "Disabled",
- "allowProjectManagement": true,
- "disableLocalAuth": false
- }
- },
- {
- "type": "Microsoft.CognitiveServices/accounts/deployments",
- "apiVersion": "2024-10-01",
- "name": "[format('{0}/{1}', parameters('aiServicesName'), 'gpt-4o')]",
- "dependsOn": [
- "[resourceId('Microsoft.CognitiveServices/accounts', parameters('aiServicesName'))]"
- ],
- "sku": {
- "capacity": 1,
- "name": "GlobalStandard"
- },
- "properties": {
- "model": {
- "name": "gpt-4o",
- "format": "OpenAI",
- "version": "2024-08-06"
- }
- }
- },
- {
- "type": "Microsoft.CognitiveServices/accounts/projects",
- "apiVersion": "2025-04-01-preview",
- "name": "[format('{0}/{1}', parameters('aiServicesName'), parameters('defaultProjectName'))]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.CognitiveServices/accounts', parameters('aiServicesName'))]"
- ],
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "displayName": "[parameters('defaultProjectDisplayName')]",
- "description": "[parameters('defaultProjectDescription')]",
- "isDefault": true
- }
- }
- ],
- "outputs": {
- "accountId": {
- "type": "string",
- "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('aiServicesName'))]"
- },
- "accountName": {
- "type": "string",
- "value": "[parameters('aiServicesName')]"
- },
- "project": {
- "type": "string",
- "value": "[parameters('defaultProjectName')]"
- }
- }
-}
\ No newline at end of file
diff --git a/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.parameters.json b/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.parameters.json
deleted file mode 100644
index 3d8a74f5a..000000000
--- a/use-cases/infrastructure-as-code/30-customer-managed-keys/azuredeploy.parameters.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "aiServicesName": {
- "value": "aiServices"
- },
- "location": {
- "value": "eastus"
- },
- "defaultProjectName": {
- "value": "aiServices"
- },
- "defaultProjectDisplayName": {
- "value": "Project"
- },
- "defaultProjectDescription": {
- "value": "Describe what your project is about."
- },
- "azureKeyVaultName": {
- "value": ""
- },
- "azureKeyVaultTarget": {
- "value": ""
- },
- "azureKeyVaultResourceGroupName": {
- "value": ""
- },
- "azureKeyVaultSubscriptionId": {
- "value": ""
- },
- "azureKeyName": {
- "value": "key"
- },
- "azureKeyVersion": {
- "value": ""
- }
- }
- }
\ No newline at end of file
diff --git a/use-cases/infrastructure-as-code/30-customer-managed-keys/main.bicep b/use-cases/infrastructure-as-code/30-customer-managed-keys/main.bicep
index bc5f8a2ea..a75a2bee6 100644
--- a/use-cases/infrastructure-as-code/30-customer-managed-keys/main.bicep
+++ b/use-cases/infrastructure-as-code/30-customer-managed-keys/main.bicep
@@ -1,10 +1,12 @@ /* - Azure AI Fouondry accoutn and project - with Customer Managed Key (CMK) + AI Foundry using Customer Managed Keys (CMK) for data encryption Description: - - Create an Azure AI Foundry account and project with CMK + - Create an Azure AI Foundry account + - Create a project - Create a model deployment - + + Important: Agent APIs do not support customer-managed key encryption in basic setup. This requires 'standard' setup, where you bring your own storage resources. Refer to standard Agent setup examples. */ @description('That name is the name of our application. It has to be unique.Type a name followed by your resource group name. (-)') param aiServicesName string = 'aiServices-${uniqueString(resourceGroup().id)}' @@ -17,10 +19,11 @@ param defaultProjectName string = '${aiServicesName}-proj' param defaultProjectDisplayName string = 'Project' param defaultProjectDescription string = 'Describe what your project is about.' -// Azure Key Vault -// These parameters are used under the encryption section of the Cognitive Services Account resource +/* + Reference your encryption key from an Azure Key Vault resource +*/ @description('Name of the customers existing Azure Key Vault resource') -param azureKeyVaultName string +param azureKeyVaultName string = 'es2euapdeeik' @description('Name of the Azure Key Vault target') param azureKeyVaultTarget string = 'https://${azureKeyVaultName}.vault.azure.net/' @description('Resource Group name of the Azure Key Vault resource') 
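Review bot: `azureKeyVaultName` gains the default `'es2euapdeeik'` in the second hunk on this line, and the following hunk does the same for `azureKeyName` (`'es2euapdeeik'`) and `azureKeyVersion` (`'a1f7ef03275b48ad8612d279350607d7'`); these look like identifiers from a developer's own environment rather than sample values. They are not secrets, but they disclose internal resource names, and a deployment that forgets to override them will fail or, inside the same tenant, bind the account to a key the deployer did not choose. Restore the three parameters without defaults, e.g. `param azureKeyVaultName string`, so the caller has to supply the vault, key and version explicitly.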
@@ -28,13 +31,12 @@ param azureKeyVaultResourceGroupName string = resourceGroup().name @description('Subscription ID of the Azure Key Vault resource') param azureKeyVaultSubscriptionId string = subscription().subscriptionId @description('Name of the Azure Key Vault key') -param azureKeyName string +param azureKeyName string = 'es2euapdeeik' @description('Version of the Azure Key Vault key') -param azureKeyVersion string +param azureKeyVersion string = 'a1f7ef03275b48ad8612d279350607d7' /* - Step 2: Create a Cognitive Services Account - + An AI Foundry resources is a variant of a CognitiveServices/account resource type */ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { name: aiServicesName @@ -50,8 +52,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { // Networking publicNetworkAccess: 'Disabled' - // Encryption - /* + // Encryption properties may only be set at update, after creation, in case of system-assigned managed identity since the identity must be created first. encryption: { keySource: 'Microsoft.KeyVault' keyVaultProperties: { 
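Review bot: The `encryption` block becomes active in the second hunk on this line, but the comment that replaces `/*` says encryption properties may only be set on update when a system-assigned identity is used, because the identity must exist first. If `account` uses a system-assigned identity (its `identity` block is outside the hunk), a first-time deployment of this template would presumably be rejected, and nothing visible grants that identity access to the key in the vault. Either split the sample into a create step and an update step, or use a user-assigned identity that already holds the key permissions (get, wrap, unwrap), and state the required order in the comment. The `encryption` block continues into the next hunk.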
@@ -60,21 +61,40 @@ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = { keyVersion: azureKeyVersion } } - */ // When set, we provision hub virtual workspace on existing Account // Below property cannot be reversed once set allowProjectManagement: true + // temporarily needed + customSubDomainName: aiServicesName + // auth disableLocalAuth: false } } /* - Step 3: Deploy gpt-4o model - - - Agents will use the build-in model deployments + Developer APIs are exposed via a project, which groups in- and outputs that relate to one use case, including files. + Its advisable to create one project right away, so development teams can directly get started. + Projects may be granted individual RBAC permissions and identities on top of what account provides. +*/ +resource project 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = { + name: defaultProjectName + parent: account + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + displayName: defaultProjectDisplayName + description: defaultProjectDescription + isDefault: true //can't be updated after creation; can only be set by one project in the account + } +} + +/* + Optionally deploy a model to use in playground, agents and other tools. */ resource modelDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024-10-01'= { parent: account 
@@ -92,25 +112,6 @@ resource modelDeployment 'Microsoft.CognitiveServices/accounts/deployments@2024- } } -/* - Step 5: Create a Project. This resource maps to virtual Azure ML project - -*/ -resource project 'Microsoft.CognitiveServices/accounts/projects@2025-04-01-preview' = { - name: defaultProjectName - parent: account - location: location - identity: { - type: 'SystemAssigned' - } - properties: { - displayName: defaultProjectDisplayName - description: defaultProjectDescription - - isDefault: true //can't be updated after creation; can only be set by one project in the account - } -} - output accountId string = account.id output accountName string = account.name output project string = project.name