@@ -167,6 +167,52 @@ module processorAppOpenAIUserExisting './cross-scope-role-assignment.bicep' = if
167167 }
168168}
169169
170+ // Processor App Service → Foundry User on AI Foundry (new project, same RG)
171+ resource processorAppAiUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!useExistingAIProject && !empty (aiFoundryResourceId ) && !empty (processorAppServicePrincipalId )) {
172+ name : guid (solutionName , aiFoundryAccount .id , processorAppServicePrincipalId , roleDefinitions .azureAiUser )
173+ scope : aiFoundryAccount
174+ properties : {
175+ principalId : processorAppServicePrincipalId
176+ roleDefinitionId : subscriptionResourceId ('Microsoft.Authorization/roleDefinitions' , roleDefinitions .azureAiUser )
177+ principalType : 'ServicePrincipal'
178+ }
179+ }
180+
181+ // Processor App Service → Foundry User on existing AI Foundry (cross-scope)
182+ module processorAppAiUserExisting './cross-scope-role-assignment.bicep' = if (useExistingAIProject && !empty (processorAppServicePrincipalId )) {
183+ name : 'assignAiUserRoleToProcessorExisting'
184+ scope : resourceGroup (existingAIFoundrySubscription , existingAIFoundryResourceGroup )
185+ params : {
186+ principalId : processorAppServicePrincipalId
187+ roleDefinitionId : subscriptionResourceId ('Microsoft.Authorization/roleDefinitions' , roleDefinitions .azureAiUser )
188+ roleAssignmentName : guid (solutionName , existingAIFoundryName , processorAppServicePrincipalId , roleDefinitions .azureAiUser )
189+ aiFoundryName : existingAIFoundryName
190+ }
191+ }
192+
193+ // Processor App Service → Cognitive Services User on AI Foundry (new project, same RG)
194+ resource processorAppCognitiveServicesUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!useExistingAIProject && !empty (aiFoundryResourceId ) && !empty (processorAppServicePrincipalId )) {
195+ name : guid (solutionName , aiFoundryAccount .id , processorAppServicePrincipalId , roleDefinitions .cognitiveServicesUser )
196+ scope : aiFoundryAccount
197+ properties : {
198+ principalId : processorAppServicePrincipalId
199+ roleDefinitionId : subscriptionResourceId ('Microsoft.Authorization/roleDefinitions' , roleDefinitions .cognitiveServicesUser )
200+ principalType : 'ServicePrincipal'
201+ }
202+ }
203+
204+ // Processor App Service → Cognitive Services User on existing AI Foundry (cross-scope)
205+ module processorAppCognitiveServicesUserExisting './cross-scope-role-assignment.bicep' = if (useExistingAIProject && !empty (processorAppServicePrincipalId )) {
206+ name : 'assignCognitiveServicesUserRoleToProcessorExisting'
207+ scope : resourceGroup (existingAIFoundrySubscription , existingAIFoundryResourceGroup )
208+ params : {
209+ principalId : processorAppServicePrincipalId
210+ roleDefinitionId : subscriptionResourceId ('Microsoft.Authorization/roleDefinitions' , roleDefinitions .cognitiveServicesUser )
211+ roleAssignmentName : guid (solutionName , existingAIFoundryName , processorAppServicePrincipalId , roleDefinitions .cognitiveServicesUser )
212+ aiFoundryName : existingAIFoundryName
213+ }
214+ }
215+
170216// ============================================================================
171217// 2. SEARCH SERVICE ROLE ASSIGNMENTS
172218// AI Project and Backend identities → AI Search
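Review bot: The processor identity ends up with two overlapping data-plane roles on the same Foundry account (`roleDefinitions.azureAiUser` at new lines 171–191 and `roleDefinitions.cognitiveServicesUser` at 194–214), apparently on top of an OpenAI User grant in the module just above the hunk, and no comment says why each one is needed. If `cognitiveServicesUser` maps to the built-in Cognitive Services User role, it also carries the account `listkeys` action, which would let the app read the shared keys and weaken a keyless managed-identity design. Consider dropping that pair, or documenting the need with a comment such as `// Cognitive Services User needed for <operation>; Azure AI User does not cover it`. The two existing-resource modules also lack the emptiness guard that the same-RG resources have, so `if (useExistingAIProject && !empty(existingAIFoundryName) && !empty(processorAppServicePrincipalId))` would keep an unset name from reaching `resourceGroup(...)` and `guid(...)`. Whether `cross-scope-role-assignment.bicep` sets `principalType` to `'ServicePrincipal'` is not visible here and is worth confirming, since the inline resources set it explicitly.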