ci: fix role assignements

Author: manekinekko

infra/app/llama-index-nextjs.bicep

@@ -7,6 +7,13 @@ param containerRegistryName string
 param containerAppsEnvironmentName string
 param applicationInsightsName string
 param exists bool
+
+@description('Whether the deployment is running on GitHub Actions')
+param runningOnGh string = ''
+
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
 @secure()
 param appDefinition object
 
@@ -42,17 +49,31 @@ resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   scope: containerRegistry
   name: guid(subscription().id, resourceGroup().id, identity.id, 'acrPullRole')
   properties: {
-    roleDefinitionId:  subscriptionResourceId(
-      'Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
-    principalType: 'ServicePrincipal'
     principalId: identity.properties.principalId
+    roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
+    principalType: 'ServicePrincipal'
   }
 }
 
-// System roles
-module openAiRole '../shared/role.bicep' = {
+
+// Roles
+
+// User roles
+module openAiRoleUser '../shared/role.bicep' = if (empty(runningOnGh)) {
   scope: resourceGroup()
   name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiUserRole')
+  params: {
+    principalId: principalId
+    // Cognitive Services OpenAI User
+    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
+    principalType: 'User'
+  }
+}
+
+// System roles
+module openAiRoleBackend '../shared/role.bicep' = {
+  scope: resourceGroup()
+  name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiServicePrincipalRole')
   params: {
     principalId: app.identity.principalId
     // Cognitive Services OpenAI User

infra/main.bicep

@@ -9,6 +9,9 @@ param environmentName string
 @description('Primary location for all resources')
 param location string
 
+@description('Whether the deployment is running on GitHub Actions')
+param runningOnGh string = ''
+
 param llamaIndexNextjsExists bool
 @secure()
 param llamaIndexNextjsDefinition object
@@ -154,26 +157,13 @@ module openAi './shared/cognitiveservices.bicep' = if (empty(openAiUrl)) {
   }
 }
 
-// Roles
-
-// User roles
-module openAiRoleUser './shared/role.bicep' = {
-  scope: rg
-  name: 'openai-role-user'
-  params: {
-    principalId: principalId
-    // Cognitive Services OpenAI User
-    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
-  }
-}
-
 module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {
   name: 'llama-index-nextjs'
   params: {
     name: '${abbrs.appContainerApps}llama-index-${resourceToken}'
     location: location
     tags: tags
+    runningOnGh: runningOnGh
     identityName: '${abbrs.managedIdentityUserAssignedIdentities}llama-index-${resourceToken}'
     applicationInsightsName: monitoring.outputs.applicationInsightsName
     containerAppsEnvironmentName: appsEnv.outputs.name
@@ -237,6 +227,10 @@ module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {
           name: 'SYSTEM_PROMPT' 
           value: llamaIndexConfig.system_prompt
         }
+        {
+          name: 'OPENAI_API_TYPE'
+          value: 'AzureOpenAI'
+        }
       ]
     })
   }

infra/main.parameters.json

@@ -25,8 +25,8 @@
     "openAiApiVersion": {
       "value": "${AZURE_OPENAI_API_VERSION=2024-02-15-preview}"
     },
-    "isContinuousDeployment": {
-      "value": "${CI=false}"
+    "runningOnGh": {
+      "value": "${GITHUB_ACTIONS}"
     },
     "azureDeploymentName": {
       "value": "${AZURE_DEPLOYMENT_NAME=gpt-35-turbo}"