Infra - refactor of modules. moved private dns to each module. various cleanup

Author: Seth

infra/main.bicep

@@ -0,0 +1,127 @@
+@description('Name of the Storage Account.')
+param name string
+
+@description('Specifies the location for all the Azure resources.')
+param location string
+
+@description('Optional. Tags to be applied to the resources.')
+param tags object = {}
+
+@description('Resource ID of the virtual network to link the private DNS zones.')
+param virtualNetworkResourceId string
+
+@description('Resource ID of the subnet for the private endpoint.')
+param virtualNetworkSubnetResourceId string
+
+@description('Resource ID of the Log Analytics workspace to use for diagnostic settings.')
+param logAnalyticsWorkspaceResourceId string
+
+@description('Resource ID of the Application Insights resource for the Hub.')
+param appInsightsResourceId string
+
+@description('Resource ID of the Key Vault for the Hub.')
+param keyVaultResourceId string
+
+@description('Resource ID of the Storage Account for the Hub.')
+param storageAccountResourceId string
+
+@description('Resource ID of the Container Registry for the Hub.')
+param containerRegistryResourceId string?
+
+@description('Specifies whether network isolation is enabled. This will create a private endpoint for the Storage Account and link the private DNS zone.')
+param networkIsolation bool = true
+
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
+@description('List of connections to apply to the workspace.')
+param connections connectionType[]?
+
+module mlApiPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (networkIsolation) {
+  name: 'private-dns-mlapi-deployment'
+  params: {
+    name: 'privatelink.api.${toLower(environment().name) == 'azureusgovernment' ? 'ml.azure.us' : 'azureml.ms'}'
+    virtualNetworkLinks: [
+      {
+        virtualNetworkResourceId: virtualNetworkResourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+module mlNotebooksPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (networkIsolation) {
+  name: 'private-dns-mlnotebook-deployment'
+  params: {
+    name: 'privatelink.notebooks.${toLower(environment().name) == 'azureusgovernment' ? 'azureml.us' : 'azureml.net'}'
+    virtualNetworkLinks: [
+      {
+        virtualNetworkResourceId: virtualNetworkResourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+var nameFormatted = toLower(name)
+
+module hub 'br/public:avm/res/machine-learning-services/workspace:0.10.1' = {
+  name: take('${nameFormatted}-ai-hub-deployment', 64)
+  dependsOn: [mlApiPrivateDnsZone, mlNotebooksPrivateDnsZone] // required due to optional flags that could change dependency
+  params: {
+    name: nameFormatted
+    sku: 'Standard'
+    kind: 'Hub'
+    description: nameFormatted
+    associatedApplicationInsightsResourceId: appInsightsResourceId
+    associatedContainerRegistryResourceId: containerRegistryResourceId
+    associatedKeyVaultResourceId: keyVaultResourceId
+    associatedStorageAccountResourceId: storageAccountResourceId
+    publicNetworkAccess: networkIsolation ? 'Disabled' : 'Enabled'
+    managedNetworkSettings: {
+      isolationMode: networkIsolation ? 'AllowInternetOutbound' : 'Disabled'
+    }
+    connections: connections
+    roleAssignments: roleAssignments
+    diagnosticSettings: [
+      {
+        workspaceResourceId: logAnalyticsWorkspaceResourceId
+        metricCategories: [
+          {
+            category: 'AllMetrics'
+          }
+        ]
+        logCategoriesAndGroups: [
+          {
+            category: 'ComputeInstanceEvent'
+          }
+        ]
+      }
+    ]
+    privateEndpoints: networkIsolation ? [
+      {
+        privateDnsZoneGroup: {
+          privateDnsZoneGroupConfigs: [
+            {
+              privateDnsZoneResourceId: mlNotebooksPrivateDnsZone.outputs.resourceId
+            }
+            {
+              privateDnsZoneResourceId: mlApiPrivateDnsZone.outputs.resourceId
+            }
+          ]
+        }
+        service: 'amlworkspace'
+        subnetResourceId: virtualNetworkSubnetResourceId
+      }
+    ] : []
+    location: location
+    systemDatastoresAuthMode: 'identity'
+    tags: tags
+  }
+}
+
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+import { connectionType } from 'br/public:avm/res/machine-learning-services/workspace:0.10.1'
+
+output resourceId string = hub.outputs.resourceId
+output name string = hub.outputs.name

infra/modules/ai-foundry/hub.bicep

@@ -0,0 +1,80 @@
+@description('Name of the Storage Account.')
+param name string
+
+@description('Specifies the location for all the Azure resources.')
+param location string
+
+@description('Optional. Tags to be applied to the resources.')
+param tags object = {}
+
+@description('Resource ID of the parent AI Hub.')
+param hubResourceId string
+
+@description('Resource ID of the Log Analytics workspace to use for diagnostic settings.')
+param logAnalyticsWorkspaceResourceId string
+
+@description('Specifies whether network isolation is enabled. This will create a private endpoint for the Storage Account and link the private DNS zone.')
+param networkIsolation bool = true
+
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
+var nameFormatted = toLower(name)
+
+module aiProject 'br/public:avm/res/machine-learning-services/workspace:0.10.1' = {
+  name: take('${nameFormatted}-ai-project-deployment', 64)
+  params: {
+    name: nameFormatted
+    sku: 'Standard'
+    kind: 'Project'
+    location: location
+    hubResourceId: hubResourceId
+    managedIdentities: {
+      systemAssigned: true
+    }
+    publicNetworkAccess: networkIsolation ? 'Disabled' : 'Enabled'
+    hbiWorkspace: false
+    systemDatastoresAuthMode: 'identity'
+    roleAssignments: roleAssignments
+    diagnosticSettings: [
+      {
+        workspaceResourceId: logAnalyticsWorkspaceResourceId
+        metricCategories: [
+          {
+            category: 'AllMetrics'
+          }
+        ]
+        logCategoriesAndGroups: [for log in [
+          'AmlComputeClusterEvent'
+          'AmlComputeClusterNodeEvent'
+          'AmlComputeJobEvent'
+          'AmlComputeCpuGpuUtilization'
+          'AmlRunStatusChangedEvent'
+          'ModelsChangeEvent'
+          'ModelsReadEvent'
+          'ModelsActionEvent'
+          'DeploymentReadEvent'
+          'DeploymentEventACI'
+          'DeploymentEventAKS'
+          'InferencingOperationAKS'
+          'InferencingOperationACI'
+          'EnvironmentChangeEvent'
+          'EnvironmentReadEvent'
+          'DataLabelChangeEvent'
+          'DataLabelReadEvent'
+          'DataSetChangeEvent'
+          'DataSetReadEvent'
+          'PipelineChangeEvent'
+          'PipelineReadEvent'
+          'RunEvent'
+          'RunReadEvent'
+        ]: {
+          category: log
+        }]
+      }
+    ]
+    tags: tags
+  }
+}
+
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'

infra/modules/ai-foundry/project.bicep

@@ -0,0 +1,80 @@
+@description('Name of the AI Search resource.')
+param name string
+
+@description('Specifies the location for all the Azure resources.')
+param location string
+
+@description('Optional. Tags to be applied to the resources.')
+param tags object = {}
+
+@description('Resource ID of the virtual network to link the private DNS zones.')
+param virtualNetworkResourceId string
+
+@description('Resource ID of the subnet for the private endpoint.')
+param virtualNetworkSubnetResourceId string
+
+@description('Resource ID of the Log Analytics workspace to use for diagnostic settings.')
+param logAnalyticsWorkspaceResourceId string
+
+@description('Specifies whether network isolation is enabled. This will create a private endpoint for the AI Search resource and link the private DNS zone.')
+param networkIsolation bool = true
+
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
+module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (networkIsolation)  {
+  name: 'private-dns-search-deployment'
+  params: {
+    name: 'privatelink.search.windows.net'
+    virtualNetworkLinks: [
+      {
+        virtualNetworkResourceId: virtualNetworkResourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+var nameFormatted = take(toLower(name), 60)
+
+module aiSearch 'br/public:avm/res/search/search-service:0.9.2' = {
+  name: take('${nameFormatted}-search-services-deployment', 64)
+  dependsOn: [privateDnsZone] // required due to optional flags that could change dependency
+  params: {
+      name: nameFormatted
+      location: location
+      cmkEnforcement: 'Enabled'
+      managedIdentities: {
+        systemAssigned: true
+      }
+      publicNetworkAccess: networkIsolation ? 'Disabled' : 'Enabled'
+      disableLocalAuth: true
+      sku: 'standard'
+      partitionCount:1
+      replicaCount:3
+      roleAssignments: roleAssignments
+      diagnosticSettings: [
+        {
+          workspaceResourceId: logAnalyticsWorkspaceResourceId
+        }
+      ]
+      privateEndpoints: networkIsolation ? [
+        {
+          privateDnsZoneGroup: {
+            privateDnsZoneGroupConfigs: [
+              {
+                privateDnsZoneResourceId: privateDnsZone.outputs.resourceId
+              }
+            ]
+          }
+          subnetResourceId: virtualNetworkSubnetResourceId
+        }
+      ] : []
+      tags: tags
+  }
+}
+
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+
+output resourceId string = aiSearch.outputs.resourceId
+output name string = aiSearch.outputs.name

infra/modules/aisearch.bicep

@@ -28,12 +28,16 @@ param networkIsolation bool = false
 @description('The resource ID of the Log Analytics workspace to use for diagnostic settings.')
 param logAnalyticsWorkspaceResourceId string
 
-@description('Private DNS zone and Subnet information for the API Management service.')
-param privateEndpoint privateEndpointType?
+@description('Resource ID of the virtual network to link the private DNS zones.')
+param virtualNetworkResourceId string
+
+@description('Resource ID of the subnet for the private endpoint.')
+param virtualNetworkSubnetResourceId string
 
 @description('Optional tags to be applied to the resources.')
 param tags object = {}
 
+
 module apiManagementService 'br/public:avm/res/api-management/service:0.9.1' = {
   name: take('${name}-apim-deployment', 64)
   params: {
@@ -119,15 +123,29 @@ module apiManagementService 'br/public:avm/res/api-management/service:0.9.1' = {
   }
 }
 
-module apimPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' = if (networkIsolation && privateEndpoint != null) {
+module apiManagementPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (networkIsolation)  {
+  name: 'private-dns-apim-deployment'
+  params: {
+    name: 'privatelink.apim.windows.net'
+    virtualNetworkLinks: [
+      {
+        virtualNetworkResourceId: virtualNetworkResourceId
+      }
+    ]
+    tags: tags
+  }
+}
+
+
+module apimPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' = if (networkIsolation) {
   name: take('${name}-apim-private-endpoint-deployment', 64)
   params: {
     name: toLower('pep-${apiManagementService.outputs.name}')
-    subnetResourceId: privateEndpoint.?subnetResourceId ?? ''
+    subnetResourceId: virtualNetworkSubnetResourceId
     privateDnsZoneGroup: {
       privateDnsZoneGroupConfigs: [
         {
-          privateDnsZoneResourceId: privateEndpoint.?privateDnsZoneResourceId ?? ''
+          privateDnsZoneResourceId: apiManagementPrivateDnsZone.outputs.resourceId
         }
       ]
     }
@@ -145,11 +163,6 @@ module apimPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' =
   }
 }
 
-type privateEndpointType = {
- subnetResourceId: string
-  privateDnsZoneResourceId: string
-}
-
 output resourceId string = apiManagementService.outputs.resourceId
 output name string = apiManagementService.outputs.name
 output privateEndpointId string = apimPrivateEndpoint.outputs.resourceId