Fix private DNS links and add public access variable

core/terraform/dns_zones_non_core.tf

@@ -32,6 +32,26 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azuresql" {
   lifecycle { ignore_changes = [tags] }
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "openai" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+  name                  = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cognitivesearch" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+  name                  = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
 # Once the deployment of the app gateway is complete, we can proceed to include the required DNS zone for Nexus, which is dependent on the FQDN of the app gateway.
 resource "azurerm_private_dns_zone" "nexus" {
   name                = "nexus-${module.appgateway.app_gateway_fqdn}"

templates/workspace_services/openai/parameters.json

@@ -45,6 +45,12 @@
       "source": {
         "env": "ARM_ENVIRONMENT"
       }
+    },
+    {
+      "name": "is_exposed_externally",
+      "source": {
+        "env": "IS_EXPOSED_EXTERNALLY"
+      }
     }
   ]
 }

templates/workspace_services/openai/porter.yaml

@@ -45,6 +45,9 @@ parameters:
     env: ARM_ENVIRONMENT
     type: string
     default: "public"
+  - name: is_exposed_externally
+    env: IS_EXPOSED_EXTERNALLY
+    type: boolean
 
 mixins:
   - exec
@@ -65,6 +68,7 @@ install:
         tre_id: ${ bundle.parameters.tre_id }
         tre_resource_id: ${ bundle.parameters.id }
         arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -80,6 +84,7 @@ upgrade:
         tre_id: ${ bundle.parameters.tre_id }
         tre_resource_id: ${ bundle.parameters.id }
         arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -95,6 +100,7 @@ uninstall:
         tre_id: ${ bundle.parameters.tre_id }
         tre_resource_id: ${ bundle.parameters.id }
         arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
       backendConfig:
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }

templates/workspace_services/openai/template_schema.json

@@ -26,6 +26,12 @@
       "description": "Long form description of the workspace service, in markdown syntax",
       "default": "Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and Embeddings model series. For more information, see the [Azure OpenAI Service documentation](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview).",
       "updateable": true
+    },
+    "is_exposed_externally": {
+      "type": "boolean",
+      "title": "Expose externally",
+      "description": "Should the OpenAI instance be publicly accessible?",
+      "default": false
     }
   }
 }

templates/workspace_services/openai/terraform/main.tf

@@ -28,7 +28,7 @@ provider "azurerm" {
 }
 
 module "terraform_azurerm_environment_configuration" {
-#  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+  #  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
   source          = "github.com/hippo-digital/terraform-azurerm-environment-configuration"
   arm_environment = var.arm_environment
 }

templates/workspace_services/openai/terraform/openai.tf

@@ -1,39 +1,32 @@
 # openai cognitive services account
 
 resource "azurerm_cognitive_account" "openai" {
-  kind                = "OpenAI"
-  name                = "openai-${var.tre_id}-${local.short_workspace_id}"
-  resource_group_name = data.azurerm_resource_group.ws.name
-  location            = data.azurerm_resource_group.ws.location
-  sku_name            = "S0"
-}
-
-locals {
-  openai_model_name = "gpt-35-turbo"
-  openai_model_version = "0301"
+  kind                  = "OpenAI"
+  name                  = "openai-${var.tre_id}-${local.short_workspace_id}"
+  resource_group_name   = data.azurerm_resource_group.ws.name
+  location              = data.azurerm_resource_group.ws.location
+  sku_name              = "S0"
+  custom_subdomain_name = "openai-${var.tre_id}-${local.short_workspace_id}"
+  public_network_access_enabled = var.is_exposed_externally
 }
 
 resource "azurerm_cognitive_deployment" "openai" {
-  name                 = "openai-${local.openai_model_name}-${local.openai_model_version}-${var.tre_id}-${local.short_workspace_id}"
+  name                 = "openai-${var.openai_model_name}-${var.openai_model_version}-${local.service_resource_name_suffix}"
   cognitive_account_id = azurerm_cognitive_account.openai.id
+
   model {
-    format  = "OpenAI"
-#    name    = "gpt-4-32k"
-    name    = local.openai_model_name
-#    version = "0314"
-    version = local.openai_model_version
+    format = "OpenAI"
+    #    name    = "gpt-4-32k"
+    name = var.openai_model_name
+    #    version = "0314"
+    version = var.openai_model_version
   }
 
   scale {
     type = "Standard"
   }
 }
 
-resource "azurerm_private_dns_zone" "openai" {
-  name                = "privatelink.openai.azure.com"
-  resource_group_name = data.azurerm_resource_group.ws.name
-}
-
 resource "azurerm_private_endpoint" "openai_private_endpoint" {
   name                = "pe-${azurerm_cognitive_account.openai.name}"
   location            = data.azurerm_resource_group.ws.location
@@ -50,7 +43,7 @@ resource "azurerm_private_endpoint" "openai_private_endpoint" {
 
   private_dns_zone_group {
     name                 = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.azure.com"]
-    private_dns_zone_ids = [azurerm_private_dns_zone.openai.id]
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.openai.id]
   }
 
   lifecycle { ignore_changes = [tags] }

templates/workspace_services/openai/terraform/variables.tf

@@ -11,3 +11,17 @@ variable "tre_resource_id" {
 variable "arm_environment" {
   type = string
 }
+
+variable "openai_model_name" {
+  type = string
+  default = "gpt-35-turbo"
+}
+
+variable "openai_model_version" {
+  type = string
+  default = "0301"
+}
+
+variable "is_exposed_externally" {
+  type = bool
+}

templates/workspaces/base/terraform/network/data.tf

@@ -98,6 +98,16 @@ data "azurerm_private_dns_zone" "azuresql" {
   resource_group_name = local.core_resource_group_name
 }
 
+data "azurerm_private_dns_zone" "openai" {
+  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.azure.com"]
+  resource_group_name = local.core_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "cognitiveservices" {
+  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.cognitiveservices.azure.com"]
+  resource_group_name = local.core_resource_group_name
+}
+
 data "azurerm_public_ip" "app_gateway_ip" {
   name                = "pip-agw-${var.tre_id}"
   resource_group_name = local.core_resource_group_name

templates/workspaces/base/terraform/network/zone_links.tf

@@ -158,3 +158,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "databrickslink" {
 
   lifecycle { ignore_changes = [tags] }
 }
+
+resource "azurerm_private_dns_zone_virtual_network_link" "openailink" {
+  name                  = "openailink-${local.workspace_resource_name_suffix}"
+  resource_group_name   = local.core_resource_group_name
+  private_dns_zone_name = data.azurerm_private_dns_zone.openai.name
+  virtual_network_id    = azurerm_virtual_network.ws.id
+  tags                  = var.tre_workspace_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cognitveserviceslink" {
+  name                  = "cognitiveserviceslink-${local.workspace_resource_name_suffix}"
+  resource_group_name   = local.core_resource_group_name
+  private_dns_zone_name = data.azurerm_private_dns_zone.cognitiveservices.name
+  virtual_network_id    = azurerm_virtual_network.ws.id
+  tags                  = var.tre_workspace_tags
+
+  lifecycle { ignore_changes = [tags] }
+}