diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep index 317aa90fe..8efb10ac4 100644 --- a/infra/core/ai/cognitiveservices.bicep +++ b/infra/core/ai/cognitiveservices.bicep @@ -39,5 +39,3 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01 output endpoint string = account.properties.endpoint output id string = account.id output name string = account.name -#disable-next-line outputs-should-not-contain-secrets -output key string = account.listKeys().key1 diff --git a/infra/core/ai/enrichment.bicep b/infra/core/ai/enrichment.bicep index 885f53296..fac65c773 100644 --- a/infra/core/ai/enrichment.bicep +++ b/infra/core/ai/enrichment.bicep @@ -3,6 +3,7 @@ param location string = resourceGroup().location param tags object = {} param sku string = '' param isGovCloudDeployment bool +param keyVaultName string = '' resource cognitiveService 'Microsoft.CognitiveServices/accounts@2023-05-01' = if (!isGovCloudDeployment) { name: name 
@@ -35,9 +36,19 @@ resource cognitiveServiceGov 'Microsoft.CognitiveServices/accounts@2022-12-01' = } } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { + name: keyVaultName +} + +resource enrichmentKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { + parent: keyVault + name: 'ENRICHMENT-KEY' + properties: { + value: (isGovCloudDeployment) ? cognitiveServiceGov.listKeys().key1 : cognitiveService.listKeys().key1 + } +} + output cognitiveServicerAccountName string = (isGovCloudDeployment) ? cognitiveServiceGov.name : cognitiveService.name output cognitiveServiceID string = (isGovCloudDeployment) ? cognitiveServiceGov.id : cognitiveService.id output cognitiveServiceEndpoint string = (isGovCloudDeployment) ? cognitiveServiceGov.properties.endpoint : cognitiveService.properties.endpoint -#disable-next-line outputs-should-not-contain-secrets -output cognitiveServiceAccountKey string = (isGovCloudDeployment) ? cognitiveServiceGov.listKeys().key1 : cognitiveService.listKeys().key1 diff --git a/infra/core/ai/formrecognizer.bicep b/infra/core/ai/formrecognizer.bicep index 4de2b7459..9175418a6 100644 --- a/infra/core/ai/formrecognizer.bicep +++ b/infra/core/ai/formrecognizer.bicep @@ -1,6 +1,7 @@ param name string param location string = resourceGroup().location param tags object = {} +param keyVaultName string = '' param customSubDomainName string = name param publicNetworkAccess string = 'Enabled' 
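Review bot: `enrichmentKeySecret` is deployed unconditionally while its parent `keyVault` is declared `existing = if (!(empty(keyVaultName)))` and `keyVaultName` defaults to `''`, so a caller that omits the parameter gets a deployment error on the missing parent instead of simply skipping the secret. Either drop the default and make the parameter required, or put the same condition on the secret: `resource enrichmentKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (!empty(keyVaultName)) {`. The stored value is `key1` read once by `listKeys()` at deployment and the secret carries no `attributes.exp` or `contentType`, so nothing in the vault signals when the key should be rotated or that a redeploy is needed after rotation; consider adding both.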
@@ -36,8 +37,18 @@ resource formRecognizerAccountGov 'Microsoft.CognitiveServices/accounts@2022-12- } } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { + name: keyVaultName +} + +resource formRecognizerKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { + parent: keyVault + name: 'AZURE-FORM-RECOGNIZER-KEY' + properties: { + value: (isGovCloudDeployment) ? formRecognizerAccountGov.listKeys().key1 : formRecognizerAccount.listKeys().key1 + } +} + output formRecognizerAccountName string = (isGovCloudDeployment) ? formRecognizerAccountGov.name : formRecognizerAccount.name output formRecognizerAccountEndpoint string = (isGovCloudDeployment) ? formRecognizerAccountGov.properties.endpoint : formRecognizerAccount.properties.endpoint -#disable-next-line outputs-should-not-contain-secrets -output formRecognizerAccountKey string = (isGovCloudDeployment) ? formRecognizerAccountGov.listKeys().key1 : formRecognizerAccount.listKeys().key1 diff --git a/infra/core/db/cosmosdb.bicep b/infra/core/db/cosmosdb.bicep index a9881814e..0f2732728 100644 --- a/infra/core/db/cosmosdb.bicep +++ b/infra/core/db/cosmosdb.bicep @@ -1,6 +1,7 @@ param name string param location string = resourceGroup().location param tags object = {} +param keyVaultName string = '' @description('The default consistency level of the Cosmos DB account.') 
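Review bot: `formRecognizerKeySecret` has no deployment condition although its parent `keyVault` is only declared when `keyVaultName` is non-empty and the parameter defaults to `''`, so the default value is not actually a deployable configuration; add `= if (!empty(keyVaultName))` to the secret or make the parameter required. The secret is a snapshot of `key1` taken by `listKeys()` at deploy time: regenerating the key in the portal will break every Key Vault reference to `AZURE-FORM-RECOGNIZER-KEY` until this template is redeployed. A comment on the resource saying so, e.g. `// Snapshot of key1 at deploy time; redeploy (or update the secret) after rotating the account key`, would save the next operator a debugging session.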
@@ -164,9 +165,19 @@ resource tagContainer 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/contai } } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { + name: keyVaultName +} + +resource cosmosdbKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { + parent: keyVault + name: 'COSMOSDB-KEY' + properties: { + value: cosmosDBAccount.listKeys().primaryMasterKey + } +} + output CosmosDBEndpointURL string = cosmosDBAccount.properties.documentEndpoint -#disable-next-line outputs-should-not-contain-secrets -output CosmosDBKey string = cosmosDBAccount.listKeys().primaryMasterKey output CosmosDBLogDatabaseName string = logDatabase.name output CosmosDBLogContainerName string = logContainer.name output CosmosDBTagsDatabaseName string = tagDatabase.name diff --git a/infra/core/function/function.bicep b/infra/core/function/function.bicep index ad4acd68e..6a4714d8c 100644 --- a/infra/core/function/function.bicep +++ b/infra/core/function/function.bicep @@ -36,14 +36,6 @@ param blobStorageAccountOutputContainerName string @description('Azure Blob Storage Account Log Container Name') param blobStorageAccountLogContainerName string -@description('Azure Blob Storage Account Key') -@secure() -param blobStorageAccountKey string - -@description('Azure Blob Storage Account Connection String') -@secure() -param blobStorageAccountConnectionString string - @description('Chunk Target Size ') param chunkTargetSize string @@ -56,17 +48,9 @@ param formRecognizerApiVersion string @description('Form Recognizer Endpoint') param formRecognizerEndpoint string -@description('Form Recognizer API Key') -@secure() -param formRecognizerApiKey string - @description('CosmosDB Endpoint') param CosmosDBEndpointURL string -@description('CosmosDB Key') -@secure() -param CosmosDBKey string - @description('CosmosDB Log Database Name') param CosmosDBLogDatabaseName string 
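Review bot: The secret written here is `primaryMasterKey`, the full read/write key for the whole account, and it is handed to every consumer of `COSMOSDB-KEY` — the function app, the backend and the enrichment app all reference that one secret elsewhere in this diff. Where a consumer only reads (the backend presumably only reads status and tags, which this diff cannot confirm), `listKeys().primaryReadonlyMasterKey` stored as a second secret would limit blast radius, and with Cosmos DB RBAC on the managed identities these apps already have the key could be removed entirely. As in the other modules, `cosmosdbKeySecret` is unconditional while `keyVault` is conditional on `keyVaultName`, so the `''` default cannot deploy; add `= if (!empty(keyVaultName))` to the secret.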
@@ -121,9 +105,6 @@ param pollingBackoff string @description('The maximum number of times we will retry to read a full processed document from FR. Failures in read may be due to network issues downloading the large response') param maxReadAttempts string -@description('Key to access the enrichment service') -param enrichmentKey string - @description('Endpoint of the enrichment service') param enrichmentEndpoint string @@ -154,8 +135,8 @@ param azureSearchIndex string @description('Endpoint of the Azure Search Service to post data to for ingestion') param azureSearchServiceEndpoint string -@description('Used to connect and authenticate to Azure Search Service') -param azureSearchServiceKey string +@description('Name of the Azure KeyVault to pull Secret values and create Access Policy') +param keyVaultName string = '' // Create function app resource resource functionApp 'Microsoft.Web/sites@2022-09-01' = { 
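Review bot: `param keyVaultName string = ''` offers an empty default, but the new code in this file dereferences `keyVault.properties.vaultUri` in the app settings and uses `keyVault` as the parent of an access policy with no guard, while the `existing` declaration is skipped whenever the name is empty; the default therefore cannot deploy and only hides a missing argument until deployment time. Make it required — `@minLength(1)` followed by `param keyVaultName string` — or guard every reference consistently. The `functionApp` resource that starts on the last line of this hunk continues outside it.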
@@ -177,17 +158,17 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { connectionStrings: [ { name: 'BLOB_CONNECTION_STRING' - connectionString: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}' + connectionString: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}' } ] appSettings: [ { name: 'AzureWebJobsStorage' - value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}' + value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}' } { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' - value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${blobStorageAccountKey}' + value: 'DefaultEndpointsProtocol=https;AccountName=${blobStorageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${existingStorageAccount.listKeys().keys[0].value}' } { name: 'WEBSITE_CONTENTSHARE' @@ -235,7 +216,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } { name: 'AZURE_BLOB_STORAGE_KEY' - value: blobStorageAccountKey + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)' } { name: 'CHUNK_TARGET_SIZE' 
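Review bot: The `connectionStrings` entry `BLOB_CONNECTION_STRING` and the `AzureWebJobsStorage` / `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` settings still embed the raw account key inline via `existingStorageAccount.listKeys().keys[0].value`, so the key remains in plaintext site configuration readable by anyone who can list the app's settings, and the Key Vault reference added later for the `BLOB_CONNECTION_STRING` app setting protects nothing. The connection-string entry can take the same reference: `connectionString: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/BLOB-CONNECTION-STRING)'`. For the two Functions-runtime settings, Key Vault references are supported as well (the content-share one with documented caveats), and the identity-based form `AzureWebJobsStorage__accountName` removes the key altogether; if neither is adopted, a comment should state that these two settings intentionally carry the key. The `functionApp` resource enclosing this hunk starts and ends outside it.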
@@ -255,11 +236,11 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } { name: 'AZURE_FORM_RECOGNIZER_KEY' - value: formRecognizerApiKey + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-FORM-RECOGNIZER-KEY)' } { name: 'BLOB_CONNECTION_STRING' - value: blobStorageAccountConnectionString + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/BLOB-CONNECTION-STRING)' } { name: 'COSMOSDB_URL' @@ -267,7 +248,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } { name: 'COSMOSDB_KEY' - value: CosmosDBKey + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)' } { name: 'COSMOSDB_LOG_DATABASE_NAME' @@ -343,7 +324,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } { name: 'ENRICHMENT_KEY' - value: enrichmentKey + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/ENRICHMENT-KEY)' } { name: 'ENRICHMENT_ENDPOINT' @@ -379,7 +360,7 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } { name: 'AZURE_SEARCH_SERVICE_KEY' - value: azureSearchServiceKey + value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)' } { name: 'AZURE_SEARCH_SERVICE_ENDPOINT' 
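Review bot: Each reference added in these hunks resolves to the secret's value only once the function app's identity can read the vault; on a failed resolution the platform passes the literal `@Microsoft.KeyVault(...)` string to the code, which then surfaces as an opaque 401 from Cosmos DB, Form Recognizer or Search rather than as a configuration error. Because the access policy later in this file is created after the site (it needs `functionApp.identity`), the first start is likely to hit that state until the platform re-resolves or the app is restarted; a post-deployment restart step, or a startup check that rejects any setting beginning with `@Microsoft.KeyVault(`, would make the failure explicit. The enclosing `functionApp` resource starts and ends outside these hunks.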
@@ -395,5 +376,32 @@ resource functionApp 'Microsoft.Web/sites@2022-09-01' = { } } +resource existingStorageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' existing = { + name: blobStorageAccountName +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { + name: keyVaultName +} + +resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { + parent: keyVault + name: 'add' + properties: { + accessPolicies: [ + { + tenantId: functionApp.identity.tenantId + objectId: functionApp.identity.principalId + permissions: { + secrets: [ + 'get' + 'list' + ] + } + } + ] + } +} + output name string = functionApp.name output identityPrincipalId string = functionApp.identity.principalId diff --git a/infra/core/host/appservice.bicep b/infra/core/host/appservice.bicep index 7ae59a001..d0f738e18 100644 --- a/infra/core/host/appservice.bicep +++ b/infra/core/host/appservice.bicep @@ -77,6 +77,11 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = { { SCM_DO_BUILD_DURING_DEPLOYMENT: toLower(string(scmDoBuildDuringDeployment)) ENABLE_ORYX_BUILD: string(enableOryxBuild) + AZURE_SEARCH_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)' + AZURE_OPENAI_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-OPENAI-SERVICE-KEY)' + AZURE_BLOB_STORAGE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)' + COSMOSDB_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)' + AZURE_CLIENT_SECRET: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-CLIENT-SECRET)' }, !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {}, !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {}) 
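Review bot: The access policy grants `list` in addition to `get`, but Key Vault references only need `get`; `list` lets the function's identity enumerate every secret name in the vault, including `AZURE-CLIENT-SECRET`, which nothing in these hunks references, so trim it to `secrets: [ 'get' ]`. The policy is also deployed unconditionally with `parent: keyVault` while `keyVault` is conditional, the same mismatch as the `keyVaultName` default. Consider the vault's RBAC model (`enableRbacAuthorization`) with a `Key Vault Secrets User` role assignment for the function's principal instead of an access policy; role assignments can be scoped to individual secrets and are standalone resources, which avoids several modules writing the vault's single policy list.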
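Review bot: The five settings added here dereference `keyVault.properties.vaultUri` unconditionally, while on the same line the existing `AZURE_KEY_VAULT_ENDPOINT` setting is wrapped in `!empty(keyVaultName) ? { … } : {}` because `keyVault` is an `existing` resource declared only when the name is non-empty. With an empty `keyVaultName` the template now fails where it used to deploy; move the five new lines into that guarded object next to `AZURE_KEY_VAULT_ENDPOINT` so the two stay consistent, or make the parameter required. The `appService` resource enclosing this hunk starts and ends outside it.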
@@ -128,6 +133,25 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty( name: keyVaultName } +resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { + parent: keyVault + name: 'add' + properties: { + accessPolicies: [ + { + tenantId: appService.identity.tenantId + objectId: appService.identity.principalId + permissions: { + secrets: [ + 'get' + 'list' + ] + } + } + ] + } +} + resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) { name: applicationInsightsName } diff --git a/infra/core/host/enrichmentappservice.bicep b/infra/core/host/enrichmentappservice.bicep index 9638a7288..496e58a44 100644 --- a/infra/core/host/enrichmentappservice.bicep +++ b/infra/core/host/enrichmentappservice.bicep @@ -68,6 +68,11 @@ properties: { { SCM_DO_BUILD_DURING_DEPLOYMENT: toLower(string(scmDoBuildDuringDeployment)) ENABLE_ORYX_BUILD: string(enableOryxBuild) + COSMOSDB_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/COSMOSDB-KEY)' + AZURE_SEARCH_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-SEARCH-SERVICE-KEY)' + BLOB_CONNECTION_STRING: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/BLOB-CONNECTION-STRING)' + AZURE_OPENAI_SERVICE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-OPENAI-SERVICE-KEY)' + AZURE_BLOB_STORAGE_KEY: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/AZURE-BLOB-STORAGE-KEY)' }, !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {}, !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {}) 
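Review bot: This is one of three `Microsoft.KeyVault/vaults/accessPolicies` resources named `add` that this diff deploys against the same vault (function.bicep and enrichmentappservice.bicep add the others), and nothing orders them relative to each other. An access-policy `add` is a read-modify-write of the vault's single policy array, and concurrent writes from parallel module deployments have been reported to drop entries, so either serialize the three modules with `dependsOn` or, preferably, switch the vault to RBAC and create one `Microsoft.Authorization/roleAssignments` per identity, which are independent resources. `get` alone is sufficient for Key Vault references; `list` is not needed here either.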
@@ -91,6 +96,25 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty( name: keyVaultName } +resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { + parent: keyVault + name: 'add' + properties: { + accessPolicies: [ + { + tenantId: appService.identity.tenantId + objectId: appService.identity.principalId + permissions: { + secrets: [ + 'get' + 'list' + ] + } + } + ] + } +} + resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) { name: applicationInsightsName } diff --git a/infra/core/logging/logging.bicep b/infra/core/logging/logging.bicep index ad40feb73..667bab64d 100644 --- a/infra/core/logging/logging.bicep +++ b/infra/core/logging/logging.bicep @@ -28,6 +28,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02-preview' } } + output applicationInsightsId string = applicationInsights.id output logAnalyticsId string = logAnalytics.id output applicationInsightsName string = applicationInsights.name diff --git a/infra/core/search/search-services.bicep b/infra/core/search/search-services.bicep index b959ab23d..d624f6a70 100644 --- a/infra/core/search/search-services.bicep +++ b/infra/core/search/search-services.bicep @@ -9,6 +9,7 @@ param sku object = { param authOptions object = {} param semanticSearch string = 'disabled' param isGovCloudDeployment bool +param keyVaultName string = '' resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = { name: name 
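Review bot: The policy gives the enrichment app's identity `get`/`list` on every secret in the vault, although the settings added for it reference only the Cosmos DB, Search, storage and OpenAI secrets; it can therefore also read `AZURE-CLIENT-SECRET`, the service-principal secret seeded for the backend, which it has no reason to hold. Access policies cannot be scoped below the vault, so the only ways to enforce that boundary are a separate vault or the RBAC model with a `Key Vault Secrets User` assignment scoped to the individual secrets. At minimum remove `'list'`, which Key Vault references do not use, and add a comment naming the secrets this identity is expected to read.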
@@ -37,9 +38,22 @@ resource search 'Microsoft.Search/searchServices@2021-04-01-preview' = { sku: sku } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) { + name: keyVaultName +} + +resource searchServiceKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { + parent: keyVault + name: 'AZURE-SEARCH-SERVICE-KEY' + properties: { + value: search.listAdminKeys().primaryKey + attributes: { + enabled: true + } + } +} + output id string = search.id output endpoint string = (isGovCloudDeployment) ? 'https://${name}.search.azure.us/' : 'https://${name}.search.windows.net/' output name string = search.name -#disable-next-line outputs-should-not-contain-secrets -output searchServiceKey string = search.listAdminKeys().primaryKey diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep index b2a4f03a2..88195e15a 100644 --- a/infra/core/security/keyvault.bicep +++ b/infra/core/security/keyvault.bicep @@ -2,21 +2,9 @@ param name string param location string = resourceGroup().location param kvAccessObjectId string @secure() -param searchServiceKey string -@secure() param openaiServiceKey string @secure() -param cosmosdbKey string -@secure() -param formRecognizerKey string -@secure() -param blobConnectionString string -@secure() -param enrichmentKey string -@secure() -param spClientSecret string -@secure() -param blobStorageKey string +param spClientSecret string @@ -45,17 +33,6 @@ resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = { } } -resource searchServiceKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'AZURE-SEARCH-SERVICE-KEY' - properties: { - value: searchServiceKey - attributes: { - enabled: true - } - } -} - resource openaiServiceKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { parent: kv name: 'AZURE-OPENAI-SERVICE-KEY' 
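Review bot: The secret stores `listAdminKeys().primaryKey`, the admin key that can create and delete indexes, and the same `AZURE-SEARCH-SERVICE-KEY` is handed to the backend web app, the enrichment app and the function app alike. If the backend only queries, which the `AZURE_SEARCH_INDEX`/endpoint settings suggest but this diff cannot confirm, a query key from `listQueryKeys()` stored as a second secret would stop a compromised front end from rewriting the index; with `authOptions` already parameterised in this module, RBAC roles for the apps' managed identities would remove the shared admin key entirely. The secret sets `enabled: true` but no expiry, so nothing flags when the key should be rotated.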
@@ -64,38 +41,6 @@ resource openaiServiceKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = } } -resource cosmosdbKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'COSMOSDB-KEY' - properties: { - value: cosmosdbKey - } -} - -resource formRecognizerKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'AZURE-FORM-RECOGNIZER-KEY' - properties: { - value: formRecognizerKey - } -} - -resource blobConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'BLOB-CONNECTION-STRING' - properties: { - value: blobConnectionString - } -} - -resource enrichmentKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'ENRICHMENT-KEY' - properties: { - value: enrichmentKey - } -} - resource spClientKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { parent: kv name: 'AZURE-CLIENT-SECRET' @@ -104,12 +49,5 @@ resource spClientKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { } } -resource blobStorageKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { - parent: kv - name: 'AZURE-BLOB-STORAGE-KEY' - properties: { - value: blobStorageKey - } -} - output keyVaultName string = kv.name +output keyVaultUri string = kv.properties.vaultUri diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep index f4f3e3eaa..ae0fc2cfd 100644 --- a/infra/core/storage/storage-account.bicep +++ b/infra/core/storage/storage-account.bicep @@ -19,6 +19,8 @@ param sku object = { name: 'Standard_LRS' } param containers array = [] param queueNames array = [] +param keyVaultName string = '' +param storeSecretsInKeyVault bool = false resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = { name: name 
@@ -75,10 +77,26 @@ resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' = { } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName)) && storeSecretsInKeyVault) { + name: keyVaultName +} + +resource blobStorageKeySecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (storeSecretsInKeyVault) { + parent: keyVault + name: 'AZURE-BLOB-STORAGE-KEY' + properties: { + value: storage.listKeys().keys[0].value + } +} + +resource blobConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (storeSecretsInKeyVault) { + parent: keyVault + name: 'BLOB-CONNECTION-STRING' + properties: { + value: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}' + } +} + output name string = storage.name output primaryEndpoints object = storage.properties.primaryEndpoints -#disable-next-line outputs-should-not-contain-secrets -output key string = storage.listKeys().keys[0].value -#disable-next-line outputs-should-not-contain-secrets -output connectionString string = 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}' output id string = storage.id diff --git a/infra/main.bicep b/infra/main.bicep index fafd99fcc..1b92fff57 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -199,8 +199,8 @@ module enrichmentApp 'core/host/enrichmentappservice.bicep' = { applicationInsightsName: logging.outputs.applicationInsightsName healthCheckPath: '/health' appCommandLine: 'gunicorn -w 4 -k uvicorn.workers.UvicornWorker app:app' + keyVaultName: kvModule.outputs.keyVaultName appSettings: { - AZURE_BLOB_STORAGE_KEY: storage.outputs.key EMBEDDINGS_QUEUE: embeddingsQueue LOG_LEVEL: 'DEBUG' DEQUEUE_MESSAGE_BATCH_SIZE: 3 
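Review bot: `keyVault` is declared only when both `keyVaultName` is non-empty and `storeSecretsInKeyVault` is true, but the two secrets are guarded on `storeSecretsInKeyVault` alone, so `storeSecretsInKeyVault: true` with the default empty name fails on the missing parent rather than on a clear validation error. Use one expression for all three conditions, e.g. `var writeSecrets = storeSecretsInKeyVault && !empty(keyVaultName)`, or decorate the parameter so an empty name is rejected when secrets are requested. Both secrets hold `keys[0].value`, the account's full shared key; a comment noting that the storage key and the connection string are the same credential in two shapes, and that rotating `key1` requires a redeploy, would be useful here.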
@@ -209,7 +209,6 @@ module enrichmentApp 'core/host/enrichmentappservice.bicep' = { AZURE_BLOB_STORAGE_UPLOAD_CONTAINER: uploadContainerName AZURE_BLOB_STORAGE_ENDPOINT: storage.outputs.primaryEndpoints.blob COSMOSDB_URL: cosmosdb.outputs.CosmosDBEndpointURL - COSMOSDB_KEY: cosmosdb.outputs.CosmosDBKey COSMOSDB_LOG_DATABASE_NAME: cosmosdb.outputs.CosmosDBLogDatabaseName COSMOSDB_LOG_CONTAINER_NAME: cosmosdb.outputs.CosmosDBLogContainerName COSMOSDB_TAGS_DATABASE_NAME: cosmosdb.outputs.CosmosDBTagsDatabaseName @@ -217,19 +216,18 @@ module enrichmentApp 'core/host/enrichmentappservice.bicep' = { MAX_EMBEDDING_REQUEUE_COUNT: 5 EMBEDDING_REQUEUE_BACKOFF: 60 AZURE_OPENAI_SERVICE: useExistingAOAIService ? azureOpenAIServiceName : cognitiveServices.outputs.name - AZURE_OPENAI_SERVICE_KEY: useExistingAOAIService ? azureOpenAIServiceKey : cognitiveServices.outputs.key AZURE_OPENAI_EMBEDDING_DEPLOYMENT_NAME: azureOpenAIEmbeddingDeploymentName AZURE_SEARCH_INDEX: searchIndexName - AZURE_SEARCH_SERVICE_KEY: searchServices.outputs.searchServiceKey AZURE_SEARCH_SERVICE: searchServices.outputs.name - BLOB_CONNECTION_STRING: storage.outputs.connectionString - AZURE_STORAGE_CONNECTION_STRING: storage.outputs.connectionString TARGET_EMBEDDINGS_MODEL: useAzureOpenAIEmbeddings ? '${abbrs.openAIEmbeddingModel}${azureOpenAIEmbeddingDeploymentName}' : sentenceTransformersModelName EMBEDDING_VECTOR_SIZE: useAzureOpenAIEmbeddings ? 1536 : sentenceTransformerEmbeddingVectorSize AZURE_SEARCH_SERVICE_ENDPOINT: searchServices.outputs.endpoint WEBSITES_CONTAINER_START_TIME_LIMIT: 600 } } + dependsOn: [ + kvModule + ] } // The application frontend 
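Review bot: `AZURE_STORAGE_CONNECTION_STRING: storage.outputs.connectionString` is removed along with the key settings, but enrichmentappservice.bicep adds Key Vault references only for `COSMOSDB_KEY`, `AZURE_SEARCH_SERVICE_KEY`, `BLOB_CONNECTION_STRING`, `AZURE_OPENAI_SERVICE_KEY` and `AZURE_BLOB_STORAGE_KEY`; if the enrichment service reads `AZURE_STORAGE_CONNECTION_STRING` (this diff does not show its code), that setting is now simply gone. Either add the matching reference in the module or confirm the variable is unused and say so in the commit message. The explicit `dependsOn: [ kvModule ]` is redundant because `keyVaultName: kvModule.outputs.keyVaultName` already creates that dependency.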
@@ -248,18 +246,17 @@ module backend 'core/host/appservice.bicep' = { applicationInsightsName: logging.outputs.applicationInsightsName logAnalyticsWorkspaceName: logging.outputs.logAnalyticsName isGovCloudDeployment: isGovCloudDeployment + keyVaultName: kvModule.outputs.keyVaultName appSettings: { AZURE_BLOB_STORAGE_ACCOUNT: storage.outputs.name AZURE_BLOB_STORAGE_ENDPOINT: storage.outputs.primaryEndpoints.blob AZURE_BLOB_STORAGE_CONTAINER: containerName AZURE_BLOB_STORAGE_UPLOAD_CONTAINER: uploadContainerName - AZURE_BLOB_STORAGE_KEY: storage.outputs.key AZURE_OPENAI_SERVICE: useExistingAOAIService ? azureOpenAIServiceName : cognitiveServices.outputs.name AZURE_OPENAI_RESOURCE_GROUP: useExistingAOAIService ? azureOpenAIResourceGroup : rg.name AZURE_SEARCH_INDEX: searchIndexName AZURE_SEARCH_SERVICE: searchServices.outputs.name AZURE_SEARCH_SERVICE_ENDPOINT: searchServices.outputs.endpoint - AZURE_SEARCH_SERVICE_KEY: searchServices.outputs.searchServiceKey AZURE_OPENAI_CHATGPT_DEPLOYMENT: !empty(chatGptDeploymentName) ? chatGptDeploymentName : !empty(chatGptModelName) ? chatGptModelName : 'gpt-35-turbo-16k' AZURE_OPENAI_CHATGPT_MODEL_NAME: chatGptModelName AZURE_OPENAI_CHATGPT_MODEL_VERSION: chatGptModelVersion 
@@ -267,17 +264,14 @@ module backend 'core/host/appservice.bicep' = { EMBEDDING_DEPLOYMENT_NAME: useAzureOpenAIEmbeddings ? azureOpenAIEmbeddingDeploymentName : sentenceTransformersModelName AZURE_OPENAI_EMBEDDINGS_MODEL_NAME: azureOpenAIEmbeddingsModelName AZURE_OPENAI_EMBEDDINGS_MODEL_VERSION: azureOpenAIEmbeddingsModelVersion - AZURE_OPENAI_SERVICE_KEY: useExistingAOAIService ? azureOpenAIServiceKey : cognitiveServices.outputs.key APPINSIGHTS_INSTRUMENTATIONKEY: logging.outputs.applicationInsightsInstrumentationKey COSMOSDB_URL: cosmosdb.outputs.CosmosDBEndpointURL - COSMOSDB_KEY: cosmosdb.outputs.CosmosDBKey COSMOSDB_LOG_DATABASE_NAME: cosmosdb.outputs.CosmosDBLogDatabaseName COSMOSDB_LOG_CONTAINER_NAME: cosmosdb.outputs.CosmosDBLogContainerName COSMOSDB_TAGS_DATABASE_NAME: cosmosdb.outputs.CosmosDBTagsDatabaseName COSMOSDB_TAGS_CONTAINER_NAME: cosmosdb.outputs.CosmosDBTagsContainerName QUERY_TERM_LANGUAGE: queryTermLanguage AZURE_CLIENT_ID: aadMgmtClientId - AZURE_CLIENT_SECRET: aadMgmtClientSecret AZURE_TENANT_ID: tenantId AZURE_SUBSCRIPTION_ID: subscriptionId IS_GOV_CLOUD_DEPLOYMENT: isGovCloudDeployment @@ -286,10 +280,11 @@ module backend 'core/host/appservice.bicep' = { ENRICHMENT_APPSERVICE_NAME: enrichmentApp.outputs.name APPLICATION_TITLE: applicationtitle } - - aadClientId: aadWebClientId } + dependsOn: [ + kvModule + ] } module cognitiveServices 'core/ai/cognitiveservices.bicep' = if (!useExistingAOAIService) { @@ -344,6 +339,7 @@ module formrecognizer 'core/ai/formrecognizer.bicep' = { name: formRecognizerSkuName } isGovCloudDeployment: isGovCloudDeployment + keyVaultName: kvModule.outputs.keyVaultName } } @@ -356,6 +352,7 @@ module enrichment 'core/ai/enrichment.bicep' = { tags: tags sku: enrichmentSkuName isGovCloudDeployment: isGovCloudDeployment + keyVaultName: kvModule.outputs.keyVaultName } } 
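Review bot: `aadClientId: aadWebClientId` is deleted from the backend module call with nothing replacing it, and the change is unrelated to moving secrets into Key Vault. If appservice.bicep uses that parameter to configure the web app's authentication (this diff does not show the parameter's definition), the deployment either fails on a missing required argument or, if it has a default, silently deploys the front end with a different auth configuration; please confirm which and state it in the commit message. The `backend` module enclosing this hunk starts outside it.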
@@ -364,6 +361,7 @@ module searchServices 'core/search/search-services.bicep' = { name: 'search-services' params: { name: !empty(searchServicesName) ? searchServicesName : '${prefix}-${abbrs.searchSearchServices}${randomString}' + keyVaultName: kvModule.outputs.keyVaultName location: location tags: tags authOptions: { @@ -386,6 +384,8 @@ module storage 'core/storage/storage-account.bicep' = { name: !empty(storageAccountName) ? storageAccountName : '${prefix}${abbrs.storageStorageAccounts}${randomString}' location: location tags: tags + keyVaultName: kvModule.outputs.keyVaultName + storeSecretsInKeyVault: true publicNetworkAccess: 'Enabled' sku: { name: 'Standard_LRS' @@ -447,6 +447,8 @@ module storageMedia 'core/storage/storage-account.bicep' = { scope: rg params: { name: !empty(storageAccountName) ? storageAccountName : '${prefix}${abbrs.storageStorageAccounts}media${randomString}' + keyVaultName: kvModule.outputs.keyVaultName + storeSecretsInKeyVault: false //Not needed for media service location: location tags: tags publicNetworkAccess: 'Enabled' @@ -458,6 +460,9 @@ module storageMedia 'core/storage/storage-account.bicep' = { days: 7 } } + dependsOn: [ + kvModule + ] } module cosmosdb 'core/db/cosmosdb.bicep' = { @@ -467,11 +472,15 @@ module cosmosdb 'core/db/cosmosdb.bicep' = { name: !empty(cosmosdbName) ? cosmosdbName : '${prefix}-${abbrs.cosmosDBAccounts}${randomString}' location: location tags: tags + keyVaultName: kvModule.outputs.keyVaultName logDatabaseName: 'statusdb' logContainerName: 'statuscontainer' tagDatabaseName: 'tagdb' tagContainerName: 'tagcontainer' } + dependsOn: [ + kvModule + ] } 
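Review bot: `storageMedia` is given `keyVaultName` and an explicit `dependsOn: [ kvModule ]` even though `storeSecretsInKeyVault: false` means the module never touches the vault, while the sibling `storage` call, which does write secrets, gets no `dependsOn` and needs none. Bicep derives the dependency from `kvModule.outputs.keyVaultName`, so the `dependsOn` blocks added to the module calls in this diff are redundant, and for the media account the parameter itself can be omitted since its default is `''`. Keeping it reads as if media secrets were intended to be stored, which the comment `//Not needed for media service` then has to contradict.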
@@ -485,19 +494,16 @@ module functions 'core/function/function.bicep' = { tags: tags appServicePlanId: funcServicePlan.outputs.id runtime: 'python' + keyVaultName: kvModule.outputs.keyVaultName appInsightsConnectionString: logging.outputs.applicationInsightsConnectionString appInsightsInstrumentationKey: logging.outputs.applicationInsightsInstrumentationKey - blobStorageAccountKey: storage.outputs.key blobStorageAccountName: storage.outputs.name blobStorageAccountEndpoint: storage.outputs.primaryEndpoints.blob - blobStorageAccountConnectionString: storage.outputs.connectionString blobStorageAccountOutputContainerName: containerName blobStorageAccountUploadContainerName: uploadContainerName blobStorageAccountLogContainerName: functionLogsContainerName formRecognizerEndpoint: formrecognizer.outputs.formRecognizerAccountEndpoint - formRecognizerApiKey: formrecognizer.outputs.formRecognizerAccountKey CosmosDBEndpointURL: cosmosdb.outputs.CosmosDBEndpointURL - CosmosDBKey: cosmosdb.outputs.CosmosDBKey CosmosDBLogDatabaseName: cosmosdb.outputs.CosmosDBLogDatabaseName CosmosDBLogContainerName: cosmosdb.outputs.CosmosDBLogContainerName CosmosDBTagsDatabaseName: cosmosdb.outputs.CosmosDBTagsDatabaseName @@ -519,7 +525,6 @@ module functions 'core/function/function.bicep' = { submitRequeueHideSeconds: submitRequeueHideSeconds pollingBackoff: pollingBackoff maxReadAttempts: maxReadAttempts - enrichmentKey: enrichment.outputs.cognitiveServiceAccountKey enrichmentEndpoint: enrichment.outputs.cognitiveServiceEndpoint enrichmentName: enrichment.outputs.cognitiveServicerAccountName enrichmentLocation: location @@ -530,13 +535,13 @@ module functions 'core/function/function.bicep' = { EMBEDDINGS_QUEUE: embeddingsQueue azureSearchIndex: searchIndexName azureSearchServiceEndpoint: searchServices.outputs.endpoint - azureSearchServiceKey: searchServices.outputs.searchServiceKey } dependsOn: [ appServicePlan storage cosmosdb + kvModule ] } 
@@ -704,14 +709,8 @@ module kvModule 'core/security/keyvault.bicep' = { name: '${prefix}-${abbrs.keyvault}${randomString}' location: location kvAccessObjectId: kvAccessObjectId - searchServiceKey: searchServices.outputs.searchServiceKey openaiServiceKey: azureOpenAIServiceKey - cosmosdbKey: cosmosdb.outputs.CosmosDBKey - formRecognizerKey: formrecognizer.outputs.formRecognizerAccountKey - blobConnectionString: storage.outputs.connectionString - enrichmentKey: enrichment.outputs.cognitiveServiceAccountKey spClientSecret: aadMgmtClientSecret - blobStorageKey: storage.outputs.key } } @@ -756,7 +755,6 @@ output AZURE_BLOB_LOG_STORAGE_CONTAINER string = functionLogsContainerName output CHUNK_TARGET_SIZE string = chunkTargetSize output FR_API_VERSION string = formRecognizerApiVersion output TARGET_PAGES string = targetPages -output AzureWebJobsStorage string = storage.outputs.connectionString output ENRICHMENT_ENDPOINT string = enrichment.outputs.cognitiveServiceEndpoint output ENRICHMENT_NAME string = enrichment.outputs.cognitiveServicerAccountName output TARGET_TRANSLATION_LANGUAGE string = targetTranslationLanguage
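Review bot: `openaiServiceKey: azureOpenAIServiceKey` is now the only source of the `AZURE-OPENAI-SERVICE-KEY` secret, yet the removed backend setting selected `cognitiveServices.outputs.key` whenever `useExistingAOAIService` was false, and cognitiveservices.bicep's `key` output is deleted in this diff without that module gaining the `keyVaultName`/secret pattern the other modules received. In a deployment that creates its own OpenAI account the vault therefore receives whatever the `azureOpenAIServiceKey` parameter held (presumably empty), and every `AZURE_OPENAI_SERVICE_KEY` reference in the apps resolves to it. Give cognitiveservices.bicep the same `existing` vault plus `vaults/secrets` resource writing `account.listKeys().key1` to `AZURE-OPENAI-SERVICE-KEY`, and make the seeding here conditional on `useExistingAOAIService` so the two writers never target the same secret name in one deployment.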