From 3a66e121b201b2687f1442acb29a1148ce2031ff Mon Sep 17 00:00:00 2001
From: Harry Young
Date: Mon, 19 Aug 2024 15:24:57 +0100
Subject: [PATCH] Fix private DNS links and add public access variable

---
 core/terraform/dns_zones_non_core.tf | 20 ++++++++++
 .../workspace_services/openai/parameters.json | 6 +++
 .../workspace_services/openai/porter.yaml | 6 +++
 .../openai/template_schema.json | 6 +++
 .../openai/terraform/main.tf | 2 +-
 .../openai/terraform/openai.tf | 37 ++++++++-----------
 .../openai/terraform/variables.tf | 14 +++++++
 .../workspaces/base/terraform/network/data.tf | 10 +++++
 .../base/terraform/network/zone_links.tf | 20 ++++++++++
 9 files changed, 98 insertions(+), 23 deletions(-)

diff --git a/core/terraform/dns_zones_non_core.tf b/core/terraform/dns_zones_non_core.tf
index d2b044b349..0f6ee7338e 100644
--- a/core/terraform/dns_zones_non_core.tf
+++ b/core/terraform/dns_zones_non_core.tf
@@ -32,6 +32,26 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azuresql" {
 lifecycle { ignore_changes = [tags] }
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "openai" {
+ resource_group_name = azurerm_resource_group.core.name
+ virtual_network_id = module.network.core_vnet_id
+ private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+ name = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+ registration_enabled = false
+ tags = local.tre_core_tags
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cognitivesearch" {
+ resource_group_name = azurerm_resource_group.core.name
+ virtual_network_id = module.network.core_vnet_id
+ private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+ name = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+ registration_enabled = false
+ tags = local.tre_core_tags
+ lifecycle { ignore_changes = [tags] }
+}
+
 # Once the deployment of the app gateway is complete, we can proceed to include the required DNS zone for Nexus, which is dependent on the FQDN of the app gateway.
 resource "azurerm_private_dns_zone" "nexus" {
 name = "nexus-${module.appgateway.app_gateway_fqdn}"
diff --git a/templates/workspace_services/openai/parameters.json b/templates/workspace_services/openai/parameters.json
index 64e656d635..61beaf7291 100644
--- a/templates/workspace_services/openai/parameters.json
+++ b/templates/workspace_services/openai/parameters.json
@@ -45,6 +45,12 @@
 "source": {
 "env": "ARM_ENVIRONMENT"
 }
+ },
+ {
+ "name": "is_exposed_externally",
+ "source": {
+ "env": "IS_EXPOSED_EXTERNALLY"
+ }
 }
 ]
 }
diff --git a/templates/workspace_services/openai/porter.yaml b/templates/workspace_services/openai/porter.yaml
index c38a4c11cf..d94cb45a0d 100644
--- a/templates/workspace_services/openai/porter.yaml
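Review bot: The second link is labelled `cognitivesearch` but binds the `privatelink.cognitiveservices.azure.com` zone, which is the Cognitive Services zone rather than a Search zone, so the Terraform address misdescribes which private DNS zone the core VNet can now resolve; the base-workspace side of this same commit calls it `cognitiveservices`. Renaming it now, `resource "azurerm_private_dns_zone_virtual_network_link" "cognitiveservices" {`, avoids a state move once the link exists. Both links index `azurerm_private_dns_zone.non_core[...]` by zone name, which presumably means those two zones are already declared in the `non_core` map elsewhere in core; a missing key would fail at plan time, so worth confirming. `registration_enabled = false` is the right choice for a privatelink zone, since auto-registration would add core VNet VM hostnames into a zone that should only hold private-endpoint records.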
+++ b/templates/workspace_services/openai/porter.yaml
@@ -45,6 +45,9 @@ parameters:
 env: ARM_ENVIRONMENT
 type: string
 default: "public"
+ - name: is_exposed_externally
+ env: IS_EXPOSED_EXTERNALLY
+ type: boolean
 
 mixins:
 - exec
@@ -65,6 +68,7 @@ install:
 tre_id: ${ bundle.parameters.tre_id }
 tre_resource_id: ${ bundle.parameters.id }
 arm_environment: ${ bundle.parameters.arm_environment }
+ is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
 backendConfig:
 resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
 storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -80,6 +84,7 @@ upgrade:
 tre_id: ${ bundle.parameters.tre_id }
 tre_resource_id: ${ bundle.parameters.id }
 arm_environment: ${ bundle.parameters.arm_environment }
+ is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
 backendConfig:
 resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
 storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
@@ -95,6 +100,7 @@ uninstall:
 tre_id: ${ bundle.parameters.tre_id }
 tre_resource_id: ${ bundle.parameters.id }
 arm_environment: ${ bundle.parameters.arm_environment }
+ is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
 backendConfig:
 resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
 storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
diff --git a/templates/workspace_services/openai/template_schema.json b/templates/workspace_services/openai/template_schema.json
index 2fa4fa5799..344a4e56bf 100644
--- a/templates/workspace_services/openai/template_schema.json
+++ b/templates/workspace_services/openai/template_schema.json
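Review bot: `is_exposed_externally` is declared without a `default`, unlike `arm_environment` directly above it, so the bundle now requires the value on every install, upgrade and uninstall, and an environment that does not set `IS_EXPOSED_EXTERNALLY` fails rather than falling back to private-only access; the `"default": false` added to template_schema.json lives in the template schema, not in the bundle's own parameter definition, so Porter does not see it. Adding `default: false` after `type: boolean` keeps the parameter fail-closed at the bundle boundary. The same gap exists in `variable "is_exposed_externally"` in variables.tf later in this commit, which has neither a `default` nor a `description`. The parameters.json mapping in the previous hunk is unaffected by this, though how it behaves when the env var is unset is worth checking.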
@@ -26,6 +26,12 @@
 "description": "Long form description of the workspace service, in markdown syntax",
 "default": "Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and Embeddings model series. For more information, see the [Azure OpenAI Service documentation](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview).",
 "updateable": true
+ },
+ "is_exposed_externally": {
+ "type": "boolean",
+ "title": "Expose externally",
+ "description": "Should the OpenAI instance be publicly accessible?",
+ "default": false
 }
 }
 }
diff --git a/templates/workspace_services/openai/terraform/main.tf b/templates/workspace_services/openai/terraform/main.tf
index bca1affbe3..d29e6ff36e 100644
--- a/templates/workspace_services/openai/terraform/main.tf
+++ b/templates/workspace_services/openai/terraform/main.tf
@@ -28,7 +28,7 @@ provider "azurerm" {
 }
 
 module "terraform_azurerm_environment_configuration" {
-# source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
+ # source = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.2.0"
 source = "github.com/hippo-digital/terraform-azurerm-environment-configuration"
 arm_environment = var.arm_environment
 }
diff --git a/templates/workspace_services/openai/terraform/openai.tf b/templates/workspace_services/openai/terraform/openai.tf
index 3797eff28c..ddfcce72c2 100644
--- a/templates/workspace_services/openai/terraform/openai.tf
+++ b/templates/workspace_services/openai/terraform/openai.tf
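Review bot: The description `Should the OpenAI instance be publicly accessible?` does not tell the person toggling it what actually changes: per openai.tf in this commit the flag sets `public_network_access_enabled` on the cognitive account, so `true` opens the service's public endpoint to any network with no IP allow-list. A description along the lines of `When true, the Azure OpenAI account's public network endpoint is enabled and reachable from any network (authentication is still required); when false it is reachable only through the workspace private endpoint.` makes the blast radius explicit to the workspace owner making the choice. The sibling property just above carries `"updateable": true` and this one does not; if that key gates whether a value can be changed after deployment, decide deliberately whether exposure should be switchable in place, and document that decision here.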
@@ -1,27 +1,25 @@ # openai cognitive services account resource "azurerm_cognitive_account" "openai" { - kind = "OpenAI" - name = "openai-${var.tre_id}-${local.short_workspace_id}" - resource_group_name = data.azurerm_resource_group.ws.name - location = data.azurerm_resource_group.ws.location - sku_name = "S0" -} - -locals { - openai_model_name = "gpt-35-turbo" - openai_model_version = "0301" + kind = "OpenAI" + name = "openai-${var.tre_id}-${local.short_workspace_id}" + resource_group_name = data.azurerm_resource_group.ws.name + location = data.azurerm_resource_group.ws.location + sku_name = "S0" + custom_subdomain_name = "openai-${var.tre_id}-${local.short_workspace_id}" + public_network_access_enabled = var.is_exposed_externally } resource "azurerm_cognitive_deployment" "openai" { - name = "openai-${local.openai_model_name}-${local.openai_model_version}-${var.tre_id}-${local.short_workspace_id}" + name = "openai-${var.openai_model_name}-${var.openai_model_version}-${local.service_resource_name_suffix}" cognitive_account_id = azurerm_cognitive_account.openai.id + model { - format = "OpenAI" -# name = "gpt-4-32k" - name = local.openai_model_name -# version = "0314" - version = local.openai_model_version + format = "OpenAI" + # name = "gpt-4-32k" + name = var.openai_model_name + # version = "0314" + version = var.openai_model_version } scale { @@ -29,11 +27,6 @@ resource "azurerm_cognitive_deployment" "openai" { } } -resource "azurerm_private_dns_zone" "openai" { - name = "privatelink.openai.azure.com" - resource_group_name = data.azurerm_resource_group.ws.name -} - resource "azurerm_private_endpoint" "openai_private_endpoint" { name = "pe-${azurerm_cognitive_account.openai.name}" location = data.azurerm_resource_group.ws.location 
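Review bot: `public_network_access_enabled = var.is_exposed_externally` is not paired with a `network_acls` block, so when the flag is true the account answers to any source address and the only remaining control is key or Entra ID authentication; for a template that otherwise keeps data-plane access behind a private endpoint that is a large step to take on a single boolean. Consider pairing the flag with an allow-list, e.g. `network_acls { default_action = "Deny" ip_rules = var.allowed_ip_ranges }` where `allowed_ip_ranges` is a new list variable, and consider `local_auth_enabled = false` so that exposure does not also mean shared-key access; at minimum a comment on the resource should state that `true` means internet-reachable. The deployment's `name` also changes from a `tre_id`/`short_workspace_id` suffix to `local.service_resource_name_suffix`, which is not defined anywhere in this diff; if that local does exist, note that the rename forces a destroy-and-recreate of the model deployment on upgrade. The `azurerm_cognitive_deployment` block continues past the end of this hunk.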
@@ -50,7 +43,7 @@ resource "azurerm_private_endpoint" "openai_private_endpoint" {
 
 private_dns_zone_group {
 name = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.azure.com"]
- private_dns_zone_ids = [azurerm_private_dns_zone.openai.id]
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.openai.id]
 }
 
 lifecycle { ignore_changes = [tags] }
diff --git a/templates/workspace_services/openai/terraform/variables.tf b/templates/workspace_services/openai/terraform/variables.tf
index c52405a68d..ce6103f4a4 100644
--- a/templates/workspace_services/openai/terraform/variables.tf
+++ b/templates/workspace_services/openai/terraform/variables.tf
@@ -11,3 +11,17 @@ variable "tre_resource_id" {
 variable "arm_environment" {
 type = string
 }
+
+variable "openai_model_name" {
+ type = string
+ default = "gpt-35-turbo"
+}
+
+variable "openai_model_version" {
+ type = string
+ default = "0301"
+}
+
+variable "is_exposed_externally" {
+ type = bool
+}
diff --git a/templates/workspaces/base/terraform/network/data.tf b/templates/workspaces/base/terraform/network/data.tf
index 48dee597b7..e05015f0e3 100644
--- a/templates/workspaces/base/terraform/network/data.tf
+++ b/templates/workspaces/base/terraform/network/data.tf
@@ -98,6 +98,16 @@ data "azurerm_private_dns_zone" "azuresql" {
 resource_group_name = local.core_resource_group_name
 }
 
+data "azurerm_private_dns_zone" "openai" {
+ name = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.azure.com"]
+ resource_group_name = local.core_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "cognitiveservices" {
+ name = module.terraform_azurerm_environment_configuration.private_links["privatelink.cognitiveservices.azure.com"]
+ resource_group_name = local.core_resource_group_name
+}
+
 data "azurerm_public_ip" "app_gateway_ip" {
 name = "pip-agw-${var.tre_id}"
 resource_group_name = local.core_resource_group_name
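Review bot: `data.azurerm_private_dns_zone.openai` is referenced on the new line but no such data source is added to the openai service template; the only `data "azurerm_private_dns_zone" "openai"` in this commit is in `templates/workspaces/base/terraform/network/data.tf`, which is a separate Terraform root. Unless the service template already declares one somewhere not shown here, `terraform plan` will fail with an undeclared-resource error now that the workspace-local `azurerm_private_dns_zone.openai` has been removed. The fix is a data block in this template that reads the core zone by the same `private_links["privatelink.openai.azure.com"]` name used on the line above, shown below with a placeholder for the core resource group reference. Moving the zone to core also means this private endpoint now writes its A record into a zone shared by every workspace rather than one local to this workspace, which is worth a comment on the `private_dns_zone_group`. The enclosing `azurerm_private_endpoint` resource starts before and ends after this hunk.
```hcl
data "azurerm_private_dns_zone" "openai" {
  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.openai.azure.com"]
  resource_group_name = "<CORE_RESOURCE_GROUP_NAME>" # PLACEHOLDER: use this template's reference to the core RG
}
```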
diff --git a/templates/workspaces/base/terraform/network/zone_links.tf b/templates/workspaces/base/terraform/network/zone_links.tf
index e5a0f60781..1b8bcc91dd 100644
--- a/templates/workspaces/base/terraform/network/zone_links.tf
+++ b/templates/workspaces/base/terraform/network/zone_links.tf
@@ -158,3 +158,23 @@ resource "azurerm_private_dns_zone_virtual_network_link" "databrickslink" {
 
 lifecycle { ignore_changes = [tags] }
 }
+
+resource "azurerm_private_dns_zone_virtual_network_link" "openailink" {
+ name = "openailink-${local.workspace_resource_name_suffix}"
+ resource_group_name = local.core_resource_group_name
+ private_dns_zone_name = data.azurerm_private_dns_zone.openai.name
+ virtual_network_id = azurerm_virtual_network.ws.id
+ tags = var.tre_workspace_tags
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cognitveserviceslink" {
+ name = "cognitiveserviceslink-${local.workspace_resource_name_suffix}"
+ resource_group_name = local.core_resource_group_name
+ private_dns_zone_name = data.azurerm_private_dns_zone.cognitiveservices.name
+ virtual_network_id = azurerm_virtual_network.ws.id
+ tags = var.tre_workspace_tags
+
+ lifecycle { ignore_changes = [tags] }
+}
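Review bot: The resource label `cognitveserviceslink` is misspelled (the `name` string beneath it reads `cognitiveserviceslink`), and because the label is part of the Terraform address, correcting it later needs a `moved` block or a destroy-and-recreate of the link; fix it before it lands in state: `resource "azurerm_private_dns_zone_virtual_network_link" "cognitiveserviceslink" {`. Both links attach every workspace VNet to zones that live in the core resource group, so each workspace's OpenAI private-endpoint record (see openai.tf in this commit) becomes resolvable from every other workspace; that is name resolution only and reachability still depends on peering and NSGs, but it is a change from the previous per-workspace zone that the design notes should record. Neither link sets `registration_enabled`, whereas the core links in this commit set it to `false` explicitly; doing the same here makes the intent auditable rather than relying on the provider default.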