Merge pull request #60 from microsoft/fix/ai-search-role-assign

Prajwal-Microsoft · web-flow · commit be3f3cb26b27 · 2025-07-04T00:22:13.000+05:30
Search - fix role assignments
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -281,13 +281,17 @@ module aiSearch 'modules/aisearch.bicep' = if (searchEnabled) {
     virtualNetworkResourceId: networkIsolation ? network.outputs.virtualNetworkId : ''
     virtualNetworkSubnetResourceId: networkIsolation ? network.outputs.vmSubnetId : ''
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
-    userObjectId: userObjectId
     roleAssignments: union(empty(userObjectId) ? [] : [
       {
         principalId: userObjectId
         principalType: 'User'
         roleDefinitionIdOrName: 'Search Index Data Contributor'
       }
+      {
+        principalId: userObjectId
+        principalType: 'User'
+        roleDefinitionIdOrName: 'Search Index Data Reader'
+      }
     ], [
       {
         principalId: cognitiveServices.outputs.aiServicesSystemAssignedMIPrincipalId
diff --git a/infra/main.json b/infra/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.1.42791",
-      "templateHash": "1266095135796943159"
+      "templateHash": "4273186265838174664"
     }
   },
   "definitions": {
@@ -55937,11 +55937,8 @@
           "logAnalyticsWorkspaceResourceId": {
             "value": "[reference('logAnalyticsWorkspace').outputs.resourceId.value]"
           },
-          "userObjectId": {
-            "value": "[parameters('userObjectId')]"
-          },
           "roleAssignments": {
-            "value": "[union(if(empty(parameters('userObjectId')), createArray(), createArray(createObject('principalId', parameters('userObjectId'), 'principalType', 'User', 'roleDefinitionIdOrName', 'Search Index Data Contributor'))), createArray(createObject('principalId', reference('cognitiveServices').outputs.aiServicesSystemAssignedMIPrincipalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', 'Search Index Data Contributor'), createObject('principalId', reference('cognitiveServices').outputs.aiServicesSystemAssignedMIPrincipalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', 'Search Service Contributor')))]"
+            "value": "[union(if(empty(parameters('userObjectId')), createArray(), createArray(createObject('principalId', parameters('userObjectId'), 'principalType', 'User', 'roleDefinitionIdOrName', 'Search Index Data Contributor'), createObject('principalId', parameters('userObjectId'), 'principalType', 'User', 'roleDefinitionIdOrName', 'Search Index Data Reader'))), createArray(createObject('principalId', reference('cognitiveServices').outputs.aiServicesSystemAssignedMIPrincipalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', 'Search Index Data Contributor'), createObject('principalId', reference('cognitiveServices').outputs.aiServicesSystemAssignedMIPrincipalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', 'Search Service Contributor')))]"
           },
           "tags": {
             "value": "[variables('allTags')]"
@@ -55955,7 +55952,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.1.42791",
-              "templateHash": "10624928188153796868"
+              "templateHash": "7886886176219744151"
             }
           },
           "definitions": {
@@ -56080,12 +56077,6 @@
                 "description": "Specifies whether network isolation is enabled. This will create a private endpoint for the AI Search resource and link the private DNS zone."
               }
             },
-            "userObjectId": {
-              "type": "string",
-              "metadata": {
-                "description": "Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources. This defaults to the deploying user."
-              }
-            },
             "roleAssignments": {
               "type": "array",
               "items": {
@@ -59181,7 +59172,9 @@
                   "replicaCount": {
                     "value": 3
                   },
-                  "roleAssignments": "[if(empty(parameters('userObjectId')), createObject('value', createArray()), createObject('value', createArray(createObject('principalId', parameters('userObjectId'), 'principalType', 'User', 'roleDefinitionIdOrName', 'Search Index Data Contributor'), createObject('principalId', parameters('userObjectId'), 'principalType', 'User', 'roleDefinitionIdOrName', 'Search Index Data Reader'))))]",
+                  "roleAssignments": {
+                    "value": "[parameters('roleAssignments')]"
+                  },
                   "diagnosticSettings": {
                     "value": [
                       {
diff --git a/infra/modules/aisearch.bicep b/infra/modules/aisearch.bicep
@@ -19,9 +19,7 @@ param logAnalyticsWorkspaceResourceId string
 @description('Specifies whether network isolation is enabled. This will create a private endpoint for the AI Search resource and link the private DNS zone.')
 param networkIsolation bool = true
 
-@description('Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources. This defaults to the deploying user.')
-param userObjectId string
-
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
@@ -54,20 +52,9 @@ module aiSearch 'br/public:avm/res/search/search-service:0.9.2' = {
       publicNetworkAccess: networkIsolation ? 'Disabled' : 'Enabled'
       disableLocalAuth: true
       sku: 'standard'
-      partitionCount:1
-      replicaCount:3
-      roleAssignments: empty(userObjectId) ? [] : [
-        {
-          principalId: userObjectId
-          principalType: 'User'
-          roleDefinitionIdOrName: 'Search Index Data Contributor'
-        }
-        {
-          principalId: userObjectId
-          principalType: 'User'
-          roleDefinitionIdOrName: 'Search Index Data Reader'
-        }
-      ]
+      partitionCount: 1
+      replicaCount: 3
+      roleAssignments: roleAssignments
       diagnosticSettings: [
         {
           workspaceResourceId: logAnalyticsWorkspaceResourceId
@@ -89,7 +76,7 @@ module aiSearch 'br/public:avm/res/search/search-service:0.9.2' = {
   }
 }
 
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+
 
 output resourceId string = aiSearch.outputs.resourceId
 output name string = aiSearch.outputs.name

Original file line number	Diff line number	Diff line change
`@@ -281,13 +281,17 @@ module aiSearch 'modules/aisearch.bicep' = if (searchEnabled) {`
`281`	`281`	`virtualNetworkResourceId: networkIsolation ? network.outputs.virtualNetworkId : ''`
`282`	`282`	`virtualNetworkSubnetResourceId: networkIsolation ? network.outputs.vmSubnetId : ''`
`283`	`283`	`logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.resourceId`
`284`		`- userObjectId: userObjectId`
`285`	`284`	`roleAssignments: union(empty(userObjectId) ? [] : [`
`286`	`285`	`{`
`287`	`286`	`principalId: userObjectId`
`288`	`287`	`principalType: 'User'`
`289`	`288`	`roleDefinitionIdOrName: 'Search Index Data Contributor'`
`290`	`289`	`}`
	`290`	`+ {`
	`291`	`+ principalId: userObjectId`
	`292`	`+ principalType: 'User'`
	`293`	`+ roleDefinitionIdOrName: 'Search Index Data Reader'`
	`294`	`+ }`
`291`	`295`	`], [`
`292`	`296`	`{`
`293`	`297`	`principalId: cognitiveServices.outputs.aiServicesSystemAssignedMIPrincipalId`