main.bicep
// Subscription-scoped template: it declares its own resource group further
// down and deploys every module into that group.
targetScope = 'subscription'

// ---------------------------------------------------------------------------
// Environment parameters
// ---------------------------------------------------------------------------

@minLength(1)
@maxLength(64)
@description('Name which is used to generate a short unique hash for each resource')
param name string

@minLength(1)
@description('Primary location for all resources')
param location string

// Principal that receives the 'Cognitive Services User' role on the AI
// Services account. The default is an empty string, and the template passes
// the value to the role assignment as-is.
@description('Id of the user or app to assign application roles')
param principalId string = ''

// Forwarded to aca.bicep as `exists`.
param acaExists bool = false

// ---------------------------------------------------------------------------
// Azure AI parameters
// ---------------------------------------------------------------------------

// Region list source:
// https://learn.microsoft.com/azure/ai-studio/how-to/deploy-models-serverless-availability#deepseek-models-from-microsoft
@minLength(1)
@description('Location for the Azure AI resource')
@allowed([
  'eastus'
  'eastus2'
  'northcentralus'
  'southcentralus'
  'westus'
  'westus3'
])
@metadata({
  azd: {
    type: 'location'
  }
})
param aiServicesResourceLocation string

// Forwarded to the account's `disableLocalAuth`. With the default of true,
// API-key authentication is turned off and callers must present Entra ID
// tokens; setting it to false re-enables shared keys.
param disableKeyBasedAuth bool = true

// Parameters for the specific Azure AI deployment:
param aiServicesDeploymentName string = 'DeepSeek-R1'

@description('Service Management Reference for the Entra app registration')
param serviceManagementReference string = ''
// Naming helpers. uniqueString() is a deterministic hash of its inputs, not a
// random value: the same subscription, name and location always produce the
// same token, so the derived resource names are stable and predictable.
var resourceToken = toLower(uniqueString(subscription().id, name, location))
var prefix = '${name}-${resourceToken}'
// Used as both the account name and its custom subdomain.
var aiServicesNameAndSubdomain = '${resourceToken}-aiservices'

// Tag that ties every resource back to the azd environment name.
var tags = { 'azd-env-name': name }

// Single resource group that all modules below are scoped to.
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: '${name}-rg'
  location: location
  tags: tags
}
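// Azure AI Services account (Azure Verified Module) with a single DeepSeek-R1
// model deployment.
module aiServices 'br/public:avm/res/cognitive-services/account:0.7.2' = {
  name: 'deepseek'
  scope: resourceGroup
  params: {
    name: aiServicesNameAndSubdomain
    location: aiServicesResourceLocation
    tags: tags
    kind: 'AIServices'
    customSubDomainName: aiServicesNameAndSubdomain
    sku: 'S0'
    // The account accepts traffic from any network. With key-based auth
    // disabled (see disableLocalAuth below) access control rests entirely on
    // Entra ID role assignments.
    // NOTE(review): for non-demo use, consider restricting network access
    // (network ACLs or a private endpoint) instead of 'Enabled'.
    publicNetworkAccess: 'Enabled'
    deployments: [
      {
        name: aiServicesDeploymentName
        model: {
          format: 'DeepSeek'
          name: 'DeepSeek-R1'
          version: '1'
        }
        sku: {
          name: 'GlobalStandard'
          capacity: 1
        }
      }
    ]
    // true (the parameter default) turns off API-key authentication.
    disableLocalAuth: disableKeyBasedAuth
    // principalId defaults to ''. A role assignment with an empty principal
    // cannot be created, so skip the assignment in that case rather than
    // failing the whole deployment.
    // principalType is fixed to 'User'; a deployment run by a service
    // principal (for example a CI pipeline) would need a different value.
    roleAssignments: empty(principalId) ? [] : [
      {
        principalId: principalId
        principalType: 'User'
        roleDefinitionIdOrName: 'Cognitive Services User'
      }
    ]
  }
}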
// Log Analytics workspace; its name output is passed to the Container Apps
// host module.
module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
  scope: resourceGroup
  name: 'loganalytics'
  params: {
    name: '${prefix}-loganalytics'
    tags: tags
    location: location
  }
}
// Container apps host (including container registry).
// The registry name is the prefix with hyphens stripped, followed by
// 'registry'.
module containerApps 'core/host/container-apps.bicep' = {
  scope: resourceGroup
  name: 'container-apps'
  params: {
    name: 'app'
    tags: tags
    location: location
    logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
    containerAppsEnvironmentName: '${prefix}-containerapps-env'
    containerRegistryName: '${replace(prefix, '-', '')}registry'
  }
}
// Container app frontend.
// Receives the inference endpoint and deployment name, but no API key: the
// app is given an identity name (identityName) and the role module in this
// file grants that identity's principal access to the AI account.
module aca 'aca.bicep' = {
  scope: resourceGroup
  name: 'aca'
  params: {
    // First 19 characters of the prefix plus '-ca'; a resulting '--' is
    // collapsed to a single '-'.
    name: replace('${take(prefix,19)}-ca', '--', '-')
    tags: tags
    location: location
    exists: acaExists
    identityName: '${prefix}-id-aca'
    containerRegistryName: containerApps.outputs.registryName
    containerAppsEnvironmentName: containerApps.outputs.environmentName
    aiServicesEndpoint: 'https://${aiServices.outputs.name}.services.ai.azure.com/models'
    aiServicesDeploymentName: aiServicesDeploymentName
  }
}
// OpenID Connect issuer for the current tenant: the cloud's login endpoint
// followed by the tenant id and the v2.0 suffix. Shared by the app
// registration and the container app auth update so both use the same value.
var issuer = '${environment().authentication.loginEndpoint}${tenant().tenantId}/v2.0'

// Entra app registration for the web frontend.
// NOTE(review): appregistration.bicep is not shown here; confirm that it uses
// webAppIdentityId to trust the container app's managed identity (for example
// via a federated credential) rather than issuing a client secret.
module registration 'appregistration.bicep' = {
  scope: resourceGroup
  name: 'reg'
  params: {
    clientAppDisplayName: 'DeepSeek Entra Client App'
    clientAppName: '${prefix}-entra-client-app'
    issuer: issuer
    webAppIdentityId: aca.outputs.identityPrincipalId
    webAppEndpoint: aca.outputs.uri
    serviceManagementReference: serviceManagementReference
  }
}
// Second pass over the container app, run after the app registration exists
// so its client id can be supplied together with the issuer.
// NOTE(review): appupdate.bicep is not shown here; presumably it configures
// the container app's built-in authentication, and includeTokenStore: false
// presumably keeps tokens from being persisted by the platform. Confirm
// against that module.
module appupdate 'appupdate.bicep' = {
  scope: resourceGroup
  name: 'appupdate'
  params: {
    containerAppName: aca.outputs.name
    openIdIssuer: issuer
    clientId: registration.outputs.clientAppId
    includeTokenStore: false
  }
}
// Grants the container app's managed identity the built-in
// 'Cognitive Services User' role (a97b65f3-24c7-4388-baec-2e87135dc908),
// the same role the AI Services module assigns to principalId by name.
// NOTE(review): this module is scoped to the resource group and
// core/security/role.bicep is not shown here; if the assignment is created at
// resource-group scope, it covers every Cognitive Services account in the
// group, which is broader than the single AI Services account the app calls.
module aiServicesRoleBackend 'core/security/role.bicep' = {
  name: 'aiservices-role-backend'
  scope: resourceGroup
  params: {
    roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
    principalType: 'ServicePrincipal'
    principalId: aca.outputs.identityPrincipalId
  }
}
// Deployment outputs. Every value below is an identifier, name or endpoint;
// no keys or other credentials are emitted. Outputs are recorded with the
// deployment, so keep it that way when adding new ones.

// Tenant and region
output AZURE_LOCATION string = location
output AZURE_TENANT_ID string = tenant().tenantId

// Azure AI model deployment
output AZURE_DEEPSEEK_DEPLOYMENT string = aiServicesDeploymentName
output AZURE_INFERENCE_ENDPOINT string = 'https://${aiServices.outputs.name}.services.ai.azure.com/models'

// Container app frontend
output SERVICE_ACA_IDENTITY_PRINCIPAL_ID string = aca.outputs.identityPrincipalId
output SERVICE_ACA_NAME string = aca.outputs.name
output SERVICE_ACA_URI string = aca.outputs.uri
output SERVICE_ACA_IMAGE_NAME string = aca.outputs.imageName

// Container Apps environment and registry
output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerApps.outputs.environmentName
output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerApps.outputs.registryLoginServer
output AZURE_CONTAINER_REGISTRY_NAME string = containerApps.outputs.registryName