chore: fix role assignments

manekinekko · manekinekko · commit feff606595ef · 2024-07-10T14:05:17.000Z
diff --git a/infra/app/llama-index-nextjs.bicep b/infra/app/llama-index-nextjs.bicep
@@ -33,10 +33,6 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31'
   location: location
 }
 
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
-  name: containerRegistryName
-}
-
 resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
   name: containerAppsEnvironmentName
 }
@@ -45,22 +41,10 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
   name: applicationInsightsName
 }
 
-resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  scope: containerRegistry
-  name: guid(subscription().id, resourceGroup().id, identity.id, 'acrPullRole')
-  properties: {
-    principalId: identity.properties.principalId
-    roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
-    principalType: 'ServicePrincipal'
-  }
-}
-
-
 // Roles
 
 // User roles
 module openAiRoleUser '../shared/role.bicep' = if (empty(runningOnGh)) {
-  scope: resourceGroup()
   name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiUserRole')
   params: {
     principalId: principalId
@@ -72,7 +56,6 @@ module openAiRoleUser '../shared/role.bicep' = if (empty(runningOnGh)) {
 
 // System roles
 module openAiRoleBackend '../shared/role.bicep' = {
-  scope: resourceGroup()
   name: guid(subscription().id, resourceGroup().id, identity.id, 'openaiServicePrincipalRole')
   params: {
     principalId: app.identity.principalId
@@ -81,6 +64,14 @@ module openAiRoleBackend '../shared/role.bicep' = {
     principalType: 'ServicePrincipal'
   }
 }
+module acrPullRole '../shared/role.bicep' = {
+  name: guid(subscription().id, resourceGroup().id, identity.id, 'acrPullRole')
+  params: {
+    principalId: identity.properties.principalId
+    roleDefinitionId: '7f951dda-4ed3-4680-a7ca-43fe172d538d'
+    principalType: 'ServicePrincipal'
+  }
+}
 
 module fetchLatestImage '../modules/fetch-container-image.bicep' = {
   name: '${name}-fetch-image'
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -169,6 +169,7 @@ module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {
     containerAppsEnvironmentName: appsEnv.outputs.name
     containerRegistryName: registry.outputs.name
     exists: llamaIndexNextjsExists
+    principalId: principalId
     appDefinition: union(llamaIndexNextjsDefinition, {
       settings: [
         {

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,7 @@ module llamaIndexNextjs './app/llama-index-nextjs.bicep' = {`
`169`	`169`	`containerAppsEnvironmentName: appsEnv.outputs.name`
`170`	`170`	`containerRegistryName: registry.outputs.name`
`171`	`171`	`exists: llamaIndexNextjsExists`
	`172`	`+ principalId: principalId`
`172`	`173`	`appDefinition: union(llamaIndexNextjsDefinition, {`
`173`	`174`	`settings: [`
`174`	`175`	`{`