ci: fix role assignements

manekinekko · manekinekko · commit 03807489185b · 2024-06-28T23:55:40.000+02:00
diff --git a/infra/app/llama-index-nextjs.bicep b/infra/app/llama-index-nextjs.bicep
@@ -7,6 +7,10 @@ param containerRegistryName string
 param containerAppsEnvironmentName string
 param applicationInsightsName string
 param exists bool
+
+@description('Whether the deployment is running on GitHub Actions')
+param runningOnGh string = ''
+
 @secure()
 param appDefinition object
 
@@ -42,17 +46,31 @@ resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   scope: containerRegistry
   name: guid(subscription().id, resourceGroup().id, identity.id, 'acrPullRole')
   properties: {
-    roleDefinitionId:  subscriptionResourceId(
-      'Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+    roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
     principalType: 'ServicePrincipal'
     principalId: identity.properties.principalId
   }
 }
 
+
+// Roles
+
+// User roles
+module openAiRoleUser '../shared/role.bicep' = if (empty(runningOnGh)) {
+  scope: resourceGroup()
+  name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiUserRole')
+  params: {
+    principalId: app.identity.principalId
+    // Cognitive Services OpenAI User
+    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
+    principalType: 'User'
+  }
+}
+
 // System roles
 module openAiRole '../shared/role.bicep' = {
   scope: resourceGroup()
-  name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiUserRole')
+  name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiServicePrincipalRole')
   params: {
     principalId: app.identity.principalId
     // Cognitive Services OpenAI User
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -9,6 +9,9 @@ param environmentName string
 @description('Primary location for all resources')
 param location string
 
+@description('Whether the deployment is running on GitHub Actions')
+param runningOnGh string = ''
+
 param llamaIndexNextjsExists bool
 @secure()
 param llamaIndexNextjsDefinition object
@@ -154,26 +157,13 @@ module openAi './shared/cognitiveservices.bicep' = if (empty(openAiUrl)) {
   }
 }
 
-// Roles
-
-// User roles
-module openAiRoleUser './shared/role.bicep' = {
-  scope: rg
-  name: 'openai-role-user'
-  params: {
-    principalId: principalId
-    // Cognitive Services OpenAI User
-    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
-  }
-}
-
 module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {
   name: 'llama-index-nextjs'
   params: {
     name: '${abbrs.appContainerApps}llama-index-${resourceToken}'
     location: location
     tags: tags
+    runningOnGh: runningOnGh
     identityName: '${abbrs.managedIdentityUserAssignedIdentities}llama-index-${resourceToken}'
     applicationInsightsName: monitoring.outputs.applicationInsightsName
     containerAppsEnvironmentName: appsEnv.outputs.name
@@ -237,6 +227,10 @@ module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {
           name: 'SYSTEM_PROMPT' 
           value: llamaIndexConfig.system_prompt
         }
+        {
+          name: 'OPENAI_API_TYPE'
+          value: 'AzureOpenAI'
+        }
       ]
     })
   }
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
@@ -25,8 +25,8 @@
     "openAiApiVersion": {
       "value": "${AZURE_OPENAI_API_VERSION=2024-02-15-preview}"
     },
-    "isContinuousDeployment": {
-      "value": "${CI=false}"
+    "runningOnGh": {
+      "value": "${GITHUB_ACTIONS}"
     },
     "azureDeploymentName": {
       "value": "${AZURE_DEPLOYMENT_NAME=gpt-35-turbo}"
