Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/Azure/terraform-azurerm-openai

Terraform module for deploying Azure OpenAI Service.
https://github.com/Azure/terraform-azurerm-openai

Last synced: 5 months ago
JSON representation

Terraform module for deploying Azure OpenAI Service.

Awesome Lists containing this project

README 

        
# [DEPRECATED] terraform-azurerm-openai



> **NOTE:** This terraform-azurerm-openai module is now deprecated. The module will no longer receive updates or support. Users are encouraged to transition to the [avm-res-cognitiveservices-account](https://registry.terraform.io/modules/Azure/avm-res-cognitiveservices-account/azurerm/latest) module for future deployments.



Azure OpenAI Terraform Module and Samples.



## Requirements



| Name | Version |

|------|---------|

|  [terraform](#requirement\_terraform) | >= 1.3.0 |

|  [azurerm](#requirement\_azurerm) | ~> 3.80 |

|  [modtm](#requirement\_modtm) | ~> 0.3 |

|  [random](#requirement\_random) | >= 3.0 |



## Providers



| Name | Version |

|------|---------|

|  [azurerm](#provider\_azurerm) | ~> 3.80 |

|  [modtm](#provider\_modtm) | ~> 0.3 |

|  [random](#provider\_random) | >= 3.0 |



## Modules



No modules.



## Resources



| Name | Type |

|------|------|

| [azurerm_cognitive_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_account) | resource |

| [azurerm_cognitive_deployment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_deployment) | resource |

| [azurerm_monitor_diagnostic_setting.setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |

| [azurerm_private_dns_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |

| [azurerm_private_dns_zone_virtual_network_link.dns_zone_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |

| [azurerm_private_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |

| [modtm_telemetry.this](https://registry.terraform.io/providers/Azure/modtm/latest/docs/resources/telemetry) | resource |

| [random_integer.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |

| [azurerm_client_config.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |

| [azurerm_private_dns_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |

| [azurerm_resource_group.pe_vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |

| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |

| [azurerm_subnet.pe_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |

| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |

| [modtm_module_source.telemetry](https://registry.terraform.io/providers/Azure/modtm/latest/docs/data-sources/module_source) | data source |



## Inputs



| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [account\_name](#input\_account\_name) | Specifies the name of the Cognitive Service Account. Changing this forces a new resource to be created. Leave this variable as default would use a default name with random suffix. | `string` | `""` | no |

|  [application\_name](#input\_application\_name) | Name of the application. A corresponding tag would be created on the created resources if `var.default_tags_enabled` is `true`. | `string` | `""` | no |

|  [custom\_subdomain\_name](#input\_custom\_subdomain\_name) | The subdomain name used for token-based authentication. Changing this forces a new resource to be created. Leave this variable as default would use a default name with random suffix. | `string` | `""` | no |

|  [customer\_managed\_key](#input\_customer\_managed\_key) | type = object({
  key\_vault\_key\_id   = (Required) The ID of the Key Vault Key which should be used to Encrypt the data in this OpenAI Account.
  identity\_client\_id = (Optional) The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there're multiple identities attached to the OpenAI Account.
}) | 
object({
    key_vault_key_id   = string
    identity_client_id = optional(string)
  })
 | `null` | no |

|  [default\_tags\_enabled](#input\_default\_tags\_enabled) | Determines whether or not default tags are applied to resources. If set to true, tags will be applied. If set to false, tags will not be applied. | `bool` | `false` | no |

|  [deployment](#input\_deployment) | type = map(object({
  name                 = (Required) The name of the Cognitive Services Account Deployment. Changing this forces a new resource to be created.
  cognitive\_account\_id = (Required) The ID of the Cognitive Services Account. Changing this forces a new resource to be created.
  model = {
    model\_format  = (Required) The format of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. Possible value is OpenAI.
    model\_name    = (Required) The name of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created.
    model\_version = (Required) The version of Cognitive Services Account Deployment model.
  }
  scale = {
    scale\_type = (Required) Deployment scale type. Possible value is Standard. Changing this forces a new resource to be created.
  }
  rai\_policy\_name = (Optional) The name of RAI policy. Changing this forces a new resource to be created.
  capacity = (Optional) Tokens-per-Minute (TPM). The unit of measure for this field is in the thousands of Tokens-per-Minute. Defaults to 1 which means that the limitation is 1000 tokens per minute.
  version\_upgrade\_option = (Optional) Deployment model version upgrade option. Possible values are `OnceNewDefaultVersionAvailable`, `OnceCurrentVersionExpired`, and `NoAutoUpgrade`. Defaults to `OnceNewDefaultVersionAvailable`. Changing this forces a new resource to be created.
})) | 
map(object({
    name                   = string
    model_format           = string
    model_name             = string
    model_version          = string
    scale_type             = string
    rai_policy_name        = optional(string)
    capacity               = optional(number)
    version_upgrade_option = optional(string)
  }))
 | `{}` | no |

|  [diagnostic\_setting](#input\_diagnostic\_setting) | A map of objects that represent the configuration for a diagnostic setting."
type = map(object({
  name                                  = (Required) Specifies the name of the diagnostic setting. Changing this forces a new resource to be created.
  log\_analytics\_workspace\_id            = (Optional) (Optional) Specifies the resource id of an Azure Log Analytics workspace where diagnostics data should be sent.
  log\_analytics\_destination\_type        = (Optional) Possible values are `AzureDiagnostics` and `Dedicated`. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy `AzureDiagnostics` table.
  eventhub\_name                         = (Optional) Specifies the name of the Event Hub where diagnostics data should be sent.
  eventhub\_authorization\_rule\_id        = (Optional) Specifies the resource id of an Event Hub Namespace Authorization Rule used to send diagnostics data.
  storage\_account\_id                    = (Optional) Specifies the resource id of an Azure storage account where diagnostics data should be sent.
  partner\_solution\_id                   = (Optional) The resource id of the market partner solution where diagnostics data should be sent. For potential partner integrations, click to learn more about partner integration.
  audit\_log\_retention\_policy            = (Optional) Specifies the retention policy for the audit log. This is a block with the following properties:
    enabled                             = (Optional) Specifies whether the retention policy is enabled. If enabled, `days` must be a positive number.
    days                                = (Optional) Specifies the number of days to retain trace logs. If `enabled` is set to `true`, this value must be set to a positive number.
  request\_response\_log\_retention\_policy = (Optional) Specifies the retention policy for the request response log. This is a block with the following properties:
    enabled                             = (Optional) Specifies whether the retention policy is enabled. If enabled, `days` must be a positive number.
    days                                = (Optional) Specifies the number of days to retain trace logs. If `enabled` is set to `true`, this value must be set to a positive number.
  trace\_log\_retention\_policy            = (Optional) Specifies the retention policy for the trace log. This is a block with the following properties:
    enabled                             = (Optional) Specifies whether the retention policy is enabled. If enabled, `days` must be a positive number.
    days                                = (Optional) Specifies the number of days to retain trace logs. If `enabled` is set to `true`, this value must be set to a positive number.
  metric\_retention\_policy               = (Optional) Specifies the retention policy for the metric. This is a block with the following properties:
    enabled                             = (Optional) Specifies whether the retention policy is enabled. If enabled, `days` must be a positive number.
    days                                = (Optional) Specifies the number of days to retain trace logs. If `enabled` is set to `true`, this value must be set to a positive number.
})) | 
map(object({
    name                           = string
    log_analytics_workspace_id     = optional(string)
    log_analytics_destination_type = optional(string)
    eventhub_name                  = optional(string)
    eventhub_authorization_rule_id = optional(string)
    storage_account_id             = optional(string)
    partner_solution_id            = optional(string)
    audit_log_retention_policy = optional(object({
      enabled = optional(bool, true)
      days    = optional(number, 7)
    }))
    request_response_log_retention_policy = optional(object({
      enabled = optional(bool, true)
      days    = optional(number, 7)
    }))
    trace_log_retention_policy = optional(object({
      enabled = optional(bool, true)
      days    = optional(number, 7)
    }))
    metric_retention_policy = optional(object({
      enabled = optional(bool, true)
      days    = optional(number, 7)
    }))
  }))
 | `{}` | no |

|  [dynamic\_throttling\_enabled](#input\_dynamic\_throttling\_enabled) | Determines whether or not dynamic throttling is enabled. If set to `true`, dynamic throttling will be enabled. If set to `false`, dynamic throttling will not be enabled. | `bool` | `null` | no |

|  [environment](#input\_environment) | Environment of the application. A corresponding tag would be created on the created resources if `var.default_tags_enabled` is `true`. | `string` | `""` | no |

|  [fqdns](#input\_fqdns) | List of FQDNs allowed for the Cognitive Account. | `list(string)` | `null` | no |

|  [identity](#input\_identity) | type = object({
  type         = (Required) The type of the Identity. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.
  identity\_ids = (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this OpenAI Account.
}) | 
object({
    type         = string
    identity_ids = optional(list(string))
  })
 | `null` | no |

|  [local\_auth\_enabled](#input\_local\_auth\_enabled) | Whether local authentication methods is enabled for the Cognitive Account. Defaults to `true`. | `bool` | `true` | no |

|  [location](#input\_location) | Azure OpenAI deployment region. Set this variable to `null` would use resource group's location. | `string` | n/a | yes |

|  [network\_acls](#input\_network\_acls) | type = set(object({
  default\_action = (Required) The Default Action to use when no rules match from ip\_rules / virtual\_network\_rules. Possible values are `Allow` and `Deny`.
  ip\_rules                    = (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Cognitive Account.
  virtual\_network\_rules = optional(set(object({
    subnet\_id                            = (Required) The ID of a Subnet which should be able to access the OpenAI Account.
    ignore\_missing\_vnet\_service\_endpoint = (Optional) Whether ignore missing vnet service endpoint or not. Default to `false`.
  })))
})) | 
set(object({
    default_action = string
    ip_rules       = optional(set(string))
    virtual_network_rules = optional(set(object({
      subnet_id                            = string
      ignore_missing_vnet_service_endpoint = optional(bool, false)
    })))
  }))
 | `null` | no |

|  [outbound\_network\_access\_restricted](#input\_outbound\_network\_access\_restricted) | Whether outbound network access is restricted for the Cognitive Account. Defaults to `false`. | `bool` | `false` | no |

|  [pe\_subresource](#input\_pe\_subresource) | A list of subresource names which the Private Endpoint is able to connect to. `subresource_names` corresponds to `group_id`. Possible values are detailed in the product [documentation](https://docs.microsoft.com/azure/private-link/private-endpoint-overview#private-link-resource) in the `Subresources` column. Changing this forces a new resource to be created. | `list(string)` | 
[
  "account"
]
 | no |

|  [private\_dns\_zone](#input\_private\_dns\_zone) | A map of object that represents the existing Private DNS Zone you'd like to use. Leave this variable as default would create a new Private DNS Zone.
type = object({
  name                = "(Required) The name of the Private DNS Zone."
  resource\_group\_name = "(Optional) The Name of the Resource Group where the Private DNS Zone exists. If the Name of the Resource Group is not provided, the first Private DNS Zone from the list of Private DNS Zones in your subscription that matches `name` will be returned."
} | 
object({
    name                = string
    resource_group_name = optional(string)
  })
 | `null` | no |

|  [private\_endpoint](#input\_private\_endpoint) | A map of objects that represent the configuration for a private endpoint."
type = map(object({
  name                               = (Required) Specifies the Name of the Private Endpoint. Changing this forces a new resource to be created.
  vnet\_rg\_name                       = (Required) Specifies the name of the Resource Group where the Private Endpoint's Virtual Network Subnet exists. Changing this forces a new resource to be created.
  vnet\_name                          = (Required) Specifies the name of the Virtual Network where the Private Endpoint's Subnet exists. Changing this forces a new resource to be created.
  subnet\_name                        = (Required) Specifies the name of the Subnet which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created.
  dns\_zone\_virtual\_network\_link\_name = (Optional) The name of the Private DNS Zone Virtual Network Link. Changing this forces a new resource to be created. Default to `dns_zone_link`.
  private\_dns\_entry\_enabled          = (Optional) Whether or not to create a `private_dns_zone_group` block for the Private Endpoint. Default to `false`.
  private\_service\_connection\_name    = (Optional) Specifies the Name of the Private Service Connection. Changing this forces a new resource to be created. Default to `privateserviceconnection`.
  is\_manual\_connection               = (Optional) Does the Private Endpoint require Manual Approval from the remote resource owner? Changing this forces a new resource to be created. Default to `false`.
})) | 
map(object({
    name                               = string
    vnet_rg_name                       = string
    vnet_name                          = string
    subnet_name                        = string
    location                           = optional(string, null)
    dns_zone_virtual_network_link_name = optional(string, "dns_zone_link")
    private_dns_entry_enabled          = optional(bool, false)
    private_service_connection_name    = optional(string, "privateserviceconnection")
    is_manual_connection               = optional(bool, false)
  }))
 | `{}` | no |

|  [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | Whether public network access is allowed for the Cognitive Account. Defaults to `false`. | `bool` | `false` | no |

|  [resource\_group\_name](#input\_resource\_group\_name) | Name of the azure resource group to use. The resource group must exist. | `string` | n/a | yes |

|  [sku\_name](#input\_sku\_name) | Specifies the SKU Name for this Cognitive Service Account. Possible values are `F0`, `F1`, `S0`, `S`, `S1`, `S2`, `S3`, `S4`, `S5`, `S6`, `P0`, `P1`, `P2`, `E0` and `DC0`. Default to `S0`. | `string` | `"S0"` | no |

|  [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(string)` | `{}` | no |

|  [tracing\_tags\_enabled](#input\_tracing\_tags\_enabled) | Whether enable tracing tags that generated by BridgeCrew Yor. | `bool` | `false` | no |

|  [tracing\_tags\_prefix](#input\_tracing\_tags\_prefix) | Default prefix for generated tracing tags | `string` | `"avm_"` | no |



## Outputs



| Name | Description |

|------|-------------|

|  [cognitive\_account\_identity](#output\_cognitive\_account\_identity) | The identity block exports the Principal ID and the Tenant ID associated with this Managed Service Identity. |

|  [openai\_endpoint](#output\_openai\_endpoint) | The endpoint used to connect to the Cognitive Service Account. |

|  [openai\_id](#output\_openai\_id) | The ID of the Cognitive Service Account. |

|  [openai\_primary\_key](#output\_openai\_primary\_key) | The primary access key for the Cognitive Service Account. |

|  [openai\_secondary\_key](#output\_openai\_secondary\_key) | The secondary access key for the Cognitive Service Account. |

|  [openai\_subdomain](#output\_openai\_subdomain) | The subdomain used to connect to the Cognitive Service Account. |

|  [private\_ip\_addresses](#output\_private\_ip\_addresses) | A map dictionary of the private IP addresses for each private endpoint. |



# Contributing



Before submitting a pull request, please make sure the following is done:



We provide a docker image to run the pre-commit checks and tests for you: `mcr.microsoft.com/azterraform:latest`



To run the pre-commit task, we can run the following command:



```shell

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

```



On Windows Powershell:



```shell

docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

```



In pre-commit task, we will:



1. Run `terraform fmt -recursive` command for your Terraform code.

2. Run `terrafmt fmt -f` command for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted.

3. Run `go mod tidy` and `go mod vendor` for test folder to ensure that all the dependencies have been synced.

4. Run `gofmt` for all go code files.

5. Run `gofumpt` for all go code files.

6. Run `terraform-docs` on `README.md` file, then run `markdown-table-formatter` to format markdown tables in `README.md`.



Then we can run the pr-check task to check whether our code meets our pipeline's requirement (We strongly recommend you run the following command before you commit):



```shell

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

```



On Windows Powershell:



```shell

docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

```



To run the e2e-test, we can run the following command:



```text

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

```



On Windows Powershell:



```text

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

```



## Enable or disable tracing tags



We're using [BridgeCrew Yor](https://github.com/bridgecrewio/yor) and [yorbox](https://github.com/lonegunmanb/yorbox) to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:



```hcl

resource "azurerm_resource_group" "rg" {

  location = "eastus"

  name     = random_pet.name

  tags = merge(var.tags, (/**/ (var.tracing_tags_enabled ? { for k, v in /**/ {

    avm_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"

    avm_git_file             = "main.tf"

    avm_git_last_modified_at = "2023-05-05 08:57:54"

    avm_git_org              = "lonegunmanb"

    avm_git_repo             = "terraform-yor-tag-test-module"

    avm_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"

  } /**/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /**/))

}

```



To enable tracing tags, set the variable to true:



```hcl

module "example" {

  source               = "{module_source}"

  ...

  tracing_tags_enabled = true

}

```



The `tracing_tags_enabled` is default to `false`.



To customize the prefix for your tracing tags, set the `tracing_tags_prefix` variable value in your Terraform configuration:



```hcl

module "example" {

  source              = "{module_source}"

  ...

  tracing_tags_prefix = "custom_prefix_"

}

```



The actual applied tags would be:



```text

{

  custom_prefix_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"

  custom_prefix_git_file             = "main.tf"

  custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"

  custom_prefix_git_org              = "lonegunmanb"

  custom_prefix_git_repo             = "terraform-yor-tag-test-module"

  custom_prefix_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"

}

```



## Telemetry Collection



This module uses [terraform-provider-modtm](https://registry.terraform.io/providers/Azure/modtm/latest) to collect telemetry data. This provider is designed to assist with tracking the usage of Terraform modules. It creates a custom `modtm_telemetry` resource that gathers and sends telemetry data to a specified endpoint. The aim is to provide visibility into the lifecycle of your Terraform modules - whether they are being created, updated, or deleted. This data can be invaluable in understanding the usage patterns of your modules, identifying popular modules, and recognizing those that are no longer in use.



The ModTM provider is designed with respect for data privacy and control. The only data collected and transmitted are the tags you define in module's `modtm_telemetry` resource, an uuid which represents a module instance's identifier, and the operation the module's caller is executing (Create/Update/Delete/Read). No other data from your Terraform modules or your environment is collected or transmitted.



One of the primary design principles of the ModTM provider is its non-blocking nature. The provider is designed to work in a way that any network disconnectedness or errors during the telemetry data sending process will not cause a Terraform error or interrupt your Terraform operations. This makes the ModTM provider safe to use even in network-restricted or air-gaped environments.



If the telemetry data cannot be sent due to network issues, the failure will be logged, but it will not affect the Terraform operation in progress(it might delay your operations for no more than 5 seconds). This ensures that your Terraform operations always run smoothly and without interruptions, regardless of the network conditions.



You can turn off the telemetry collection by declaring the following `provider` block in your root module:



```hcl

provider "modtm" {

  enabled = false

}

```