This Azure Verified Module (AVM) deploys Azure AI Foundry along with essential and optional supporting services to enable scalable AI application development. It provisions core resources such as the AI Foundry account, projects, agent service, RBACs, and resource locks, which are always deployed for baseline functionality. The module also supports supplemental infrastructure, like networking, compute, and monitoring, through dependent resources, and offers flexibility to either deploy or integrate existing services (BYOR) such as Key Vault, Storage Account, Cosmos DB, and AI Search. These BYOR resources can be provided externally or deployed via the module itself. Example deployment configurations range from minimal public setups to enterprise-grade private environments with VNet isolation and Bastion access, ensuring adaptability across different workload and security requirements.

The following diagram illustrates the key Azure services and components deployed by this pattern module:

graph TB
    subgraph "Azure Resource Group"
        subgraph "Core AI Foundry (Required)"
            AF[AI Foundry<br/>Account]
            AFP[AI Foundry<br/>Project]
            AFS[AI Agent<br/>Service]
            AFC[AI Foundry<br/>Connections]
        end
        
        subgraph "BYOR Services (Optional)"
            KV[Key Vault]
            SA[Storage Account]
            CDB[Cosmos DB]
            AIS[AI Search<br/>Service]
        end
        
        subgraph "Supporting Services"
            LAW[Log Analytics<br/>Workspace]
            RBAC[Role<br/>Assignments]
            LOCK[Resource<br/>Locks]
        end
        
        subgraph "Networking (Private Deployment)"
            VNET[Virtual Network]
            SNET[Subnets]
            DNS[Private DNS<br/>Zones]
            PE[Private<br/>Endpoints]
            BAS[Bastion Host]
            VM[Virtual Machine]
        end
    end
    
    %% Core relationships
    AF --> AFP
    AF --> AFC
    AFP --> AFS
    AFC --> KV
    AFC --> SA
    AFC --> CDB
    AFC --> AIS
    
    %% Private networking
    PE -.-> AF
    PE -.-> KV
    PE -.-> SA
    PE -.-> CDB
    PE -.-> AIS
    SNET --> PE
    VNET --> SNET
    DNS --> PE
    
    %% Management and monitoring
    RBAC -.-> AF
    RBAC -.-> KV
    RBAC -.-> SA
    RBAC -.-> CDB
    RBAC -.-> AIS
    LOCK -.-> AF
    LAW -.-> AF
    LAW -.-> AIS
    LAW -.-> CDB
    
    %% VM management
    BAS --> VM
    VNET --> BAS
    
    classDef required fill:#e1f5fe,stroke:#01579b,stroke-width:2px
    classDef byor fill:#f3e5f5,stroke:#4a148c,stroke-width:2px  
    classDef dependent fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px
    classDef support fill:#fff3e0,stroke:#e65100,stroke-width:2px
    
    class AF,AFP,AFS,AFC required
    class KV,SA,CDB,AIS byor
    class VNET,SNET,DNS,PE,BAS,VM dependent
    class LAW,RBAC,LOCK support

Legend:

• 🔷 Blue (Required): Core resources always deployed by this module
• 🔶 Purple (BYOR): Optional services that can be deployed by the module or brought from existing infrastructure
• 🔷 Green (Dependent): Infrastructure components typically deployed in example configurations
• 🔶 Orange (Support): Management and monitoring resources

• Required: Core resources that are always deployed by this module to ensure baseline functionality of Azure AI Foundry. These include the AI Foundry account, projects, agent service, RBACs, and resource locks.

• Dependent: Infrastructure components that support the AI Foundry environment, typically deployed in example configurations. These include networking (e.g., virtual networks, subnets, private DNS zones), compute (e.g., virtual machines, Bastion), and monitoring (e.g., Log Analytics Workspace). These resources are not part of the core module but are necessary for full functionality in specific deployment scenarios. This module is designed to work seamlessly with the AI Landing Zone Accelerator, which provides broader platform capabilities and complements the dependent infrastructure setup.

• BYOR (Bring Your Own Resource): Optional services that can either be provisioned by this module or integrated as existing resources. These include Key Vault, Storage Account, Cosmos DB, and AI Search. Users can choose to deploy these via the module or reference pre-existing infrastructure to align with organizational standards or reuse existing assets.

This module deploys resources in three categories:

The following requirements are needed by this module:

• terraform (>= 1.12, < 2.0)

• azapi (~> 2.5)

• azurerm (~> 4.38)

• modtm (~> 0.3)

• random (~> 3.7)

The following resources are used by this module:

• azapi_resource.ai_agent_capability_host (resource)
• azapi_resource.ai_foundry (resource)
• azapi_resource.ai_model_deployment (resource)
• azapi_resource.ai_search (resource)
• azurerm_monitor_diagnostic_setting.this_aisearch (resource)
• azurerm_private_endpoint.ai_foundry (resource)
• azurerm_private_endpoint.pe_aisearch (resource)
• azurerm_role_assignment.foundry_role_assignments (resource)
• azurerm_role_assignment.this_aisearch (resource)
• modtm_telemetry.telemetry (resource)
• random_string.resource_token (resource)
• random_uuid.telemetry (resource)
• azapi_client_config.telemetry (data source)
• azurerm_client_config.current (data source)
• modtm_module_source.telemetry (data source)

The following input variables are required:

Description: The name prefix for the AI Foundry resources.

Type: string

Description: Azure region where the resource should be deployed.

Type: string

Description: The resource group resource id where the module resources will be deployed.

Type: string

The following input variables are optional (have default values):

Description: Configuration object for the Azure AI Foundry service to be created for AI workloads and model management.

• name - (Optional) The name of the AI Foundry service. If not provided, a name will be generated.
• disable_local_auth - (Optional) Whether to disable local authentication for the AI Foundry service. Default is false.
• allow_project_management - (Optional) Whether to allow project management capabilities in the AI Foundry service. Default is true.
• create_ai_agent_service - (Optional) Whether to create an AI agent service as part of the AI Foundry deployment. Default is false.
• network_injections - (Optional) List of network injection configurations for the AI Foundry service.
  • scenario - (Optional) The scenario for the network injection. Default is "agent".
  • subnetArmId - The subnet ARM ID for the AI agent service.
  • useMicrosoftManagedNetwork - (Optional) Whether to use Microsoft managed network for the injection. Default is false.
• private_dns_zone_resource_ids - (Optional) The resource IDs of the existing private DNS zones for AI Foundry. Required when create_private_endpoints is true.
• sku - (Optional) The SKU of the AI Foundry service. Default is "S0".
• role_assignments - (Optional) Map of role assignments to create on the AI Foundry service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
  • role_definition_id_or_name - The role definition ID or name to assign.
  • principal_id - The principal ID to assign the role to.
  • description - (Optional) Description of the role assignment.
  • skip_service_principal_aad_check - (Optional) Whether to skip AAD check for service principal.
  • condition - (Optional) Condition for the role assignment.
  • condition_version - (Optional) Version of the condition.
  • delegated_managed_identity_resource_id - (Optional) Resource ID of the delegated managed identity.
  • principal_type - (Optional) Type of the principal (User, Group, ServicePrincipal).

Type:

object({
    name                     = optional(string, null)
    disable_local_auth       = optional(bool, false)
    allow_project_management = optional(bool, true)
    create_ai_agent_service  = optional(bool, false)
    network_injections = optional(list(object({
      scenario                   = optional(string, "agent")
      subnetArmId                = string
      useMicrosoftManagedNetwork = optional(bool, false)
    })), null)
    private_dns_zone_resource_ids = optional(list(string), [])
    sku                           = optional(string, "S0")
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
  })

Default: {}

Description: Configuration for AI model deployments (including OpenAI). Each deployment includes:

• name - The name of the deployment
• rai_policy_name - (Optional) The name of the RAI policy
• version_upgrade_option - (Optional) How to handle version upgrades (default: "OnceNewDefaultVersionAvailable")
• model - The model configuration:
  • format - The format of the model (e.g., "OpenAI")
  • name - The name of the model to deploy
  • version - The version of the model
• scale - The scaling configuration:
  • type - The scaling type (e.g., "Standard")
  • capacity - (Optional) The capacity of the deployment
  • family - (Optional) The family of the deployment
  • size - (Optional) The size of the deployment
  • tier - (Optional) The pricing tier for the deployment

Type:

map(object({
    name                   = string
    rai_policy_name        = optional(string)
    version_upgrade_option = optional(string, "OnceNewDefaultVersionAvailable")
    model = object({
      format  = string
      name    = string
      version = string
    })
    scale = object({
      capacity = optional(number)
      family   = optional(string)
      size     = optional(string)
      tier     = optional(string)
      type     = string
    })
  }))

Default: {}

Description: Configuration map for AI Foundry projects to be created. Each project can have its own settings and connections to dependent resources.

• map key - The key for the map entry. This key should match the dependent resources keys when creating connections.
  • name - The name of the AI Foundry project.
  • sku - (Optional) The SKU of the AI Foundry project. Default is "S0".
  • display_name - The display name of the AI Foundry project.
  • description - The description of the AI Foundry project.
  • create_project_connections - (Optional) Whether to create connections to dependent resources. Default is false.
  • cosmos_db_connection - (Optional) Configuration for Cosmos DB connection.
    • existing_resource_id - (Optional) The resource ID of an existing Cosmos DB account to connect to.
    • new_resource_map_key - (Optional) The map key of a new Cosmos DB account to be created and connected.
  • ai_search_connection - (Optional) Configuration for AI Search connection.
    • existing_resource_id - (Optional) The resource ID of an existing AI Search service to connect to.
    • new_resource_map_key - (Optional) The map key of a new AI Search service to be created and connected.
  • key_vault_connection - (Optional) Configuration for Key Vault connection.
    • existing_resource_id - (Optional) The resource ID of an existing Key Vault to connect to.
    • new_resource_map_key - (Optional) The map key of a new Key Vault to be created and connected.
  • storage_account_connection - (Optional) Configuration for Storage Account connection.
    • existing_resource_id - (Optional) The resource ID of an existing Storage Account to connect to.
    • new_resource_map_key - (Optional) The map key of a new Storage Account to be created and connected.

Type:

map(object({
    name                       = string
    sku                        = optional(string, "S0")
    display_name               = string
    description                = string
    create_project_connections = optional(bool, false)
    cosmos_db_connection = optional(object({
      existing_resource_id = optional(string, null)
      new_resource_map_key = optional(string, null)
    }), {})
    ai_search_connection = optional(object({
      existing_resource_id = optional(string, null)
      new_resource_map_key = optional(string, null)
    }), {})
    key_vault_connection = optional(object({
      existing_resource_id = optional(string, null)
      new_resource_map_key = optional(string, null)
    }), {})
    storage_account_connection = optional(object({
      existing_resource_id = optional(string, null)
      new_resource_map_key = optional(string, null)
    }), {})
  }))

Default: {}

Description: Configuration object for the Azure AI Search service to be created as part of the enterprise and public knowledge services.

• map key - The key for the map entry. This key should match the AI project key when creating multiple projects with multiple AI search services.
  • existing_resource_id - (Optional) The resource ID of an existing AI Search service to use. If provided, the service will not be created and the other inputs will be ignored.
  • name - (Optional) The name of the AI Search service. If not provided, a name will be generated.
  • private_dns_zone_resource_id - (Optional) The resource ID of the existing private DNS zone for AI Search. If not provided, a private endpoint will not be created.
  • enable_diagnostic_settings - (Optional) Whether diagnostic settings are enabled. Default is true.
  • sku - (Optional) The SKU of the AI Search service. Default is "standard".
  • local_authentication_enabled - (Optional) Whether local authentication is enabled. Default is true.
  • partition_count - (Optional) The number of partitions for the search service. Default is 1.
  • replica_count - (Optional) The number of replicas for the search service. Default is 2.
  • semantic_search_sku - (Optional) The SKU for semantic search capabilities. Default is "standard".
  • semantic_search_enabled - (Optional) Whether semantic search is enabled. Default is false.
  • hosting_mode - (Optional) The hosting mode for the search service. Default is "default".
  • tags - (Optional) Map of tags to assign to the AI Search service.
  • role_assignments - (Optional) Map of role assignments to create on the AI Search service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
    • role_definition_id_or_name - The role definition ID or name to assign.
    • principal_id - The principal ID to assign the role to.
    • description - (Optional) Description of the role assignment.
    • skip_service_principal_aad_check - (Optional) Whether to skip AAD check for service principal.
    • condition - (Optional) Condition for the role assignment.
    • condition_version - (Optional) Version of the condition.
    • delegated_managed_identity_resource_id - (Optional) Resource ID of the delegated managed identity.
    • principal_type - (Optional) Type of the principal (User, Group, ServicePrincipal).
  • enable_telemetry - (Optional) Whether telemetry is enabled for the AI Search module. Default is true.

Type:

map(object({
    existing_resource_id         = optional(string, null)
    name                         = optional(string)
    private_dns_zone_resource_id = optional(string, null)
    enable_diagnostic_settings   = optional(bool, true)
    sku                          = optional(string, "standard")
    local_authentication_enabled = optional(bool, true)
    partition_count              = optional(number, 1)
    replica_count                = optional(number, 2)
    semantic_search_sku          = optional(string, "standard")
    semantic_search_enabled      = optional(bool, false)
    hosting_mode                 = optional(string, "default")
    tags                         = optional(map(string), {})
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    enable_telemetry = optional(bool, true)
  }))

Default: {}

Description: Configuration object for the Azure Cosmos DB account to be created for GenAI services.

• map key - The key for the map entry. This key should match the AI project key when creating multiple projects and multiple CosmosDB accounts.
  • existing_resource_id - (Optional) The resource ID of an existing Cosmos DB account to use. If provided, the account will not be created and the other inputs will be ignored.
  • private_dns_zone_resource_id - (Optional) The resource ID of the existing private DNS zone for Cosmos DB. If one is not provided a private endpoint will not be created.
  • enable_diagnostic_settings - (Optional) Whether diagnostic settings are enabled. Default is true.
  • name - (Optional) The name of the Cosmos DB account. If not provided, a name will be generated.
  • secondary_regions - (Optional) List of secondary regions for geo-replication.
    • location - The Azure region for the secondary location.
    • zone_redundant - (Optional) Whether zone redundancy is enabled for the secondary region. Default is true.
    • failover_priority - (Optional) The failover priority for the secondary region. Default is 0.
  • public_network_access_enabled - (Optional) Whether public network access is enabled. Default is false.
  • analytical_storage_enabled - (Optional) Whether analytical storage is enabled. Default is true.
  • automatic_failover_enabled - (Optional) Whether automatic failover is enabled. Default is false.
  • local_authentication_disabled - (Optional) Whether local authentication is disabled. Default is true.
  • partition_merge_enabled - (Optional) Whether partition merge is enabled. Default is false.
  • multiple_write_locations_enabled - (Optional) Whether multiple write locations are enabled. Default is false.
  • analytical_storage_config - (Optional) Analytical storage configuration.
    • schema_type - The schema type for analytical storage.
  • consistency_policy - (Optional) Consistency policy configuration.
    • max_interval_in_seconds - (Optional) Maximum staleness interval in seconds. Default is 300.
    • max_staleness_prefix - (Optional) Maximum staleness prefix. Default is 100001.
    • consistency_level - (Optional) The consistency level. Default is "Session".
  • backup - (Optional) Backup configuration.
    • retention_in_hours - (Optional) Backup retention in hours.
    • interval_in_minutes - (Optional) Backup interval in minutes.
    • storage_redundancy - (Optional) Storage redundancy for backups.
    • type - (Optional) The backup type.
    • tier - (Optional) The backup tier.
  • capabilities - (Optional) Set of capabilities to enable on the Cosmos DB account.
    • name - The name of the capability.
  • capacity - (Optional) Capacity configuration.
    • total_throughput_limit - (Optional) Total throughput limit. Default is -1 (unlimited).
  • cors_rule - (Optional) CORS rule configuration.
    • allowed_headers - Set of allowed headers.
    • allowed_methods - Set of allowed HTTP methods.
    • allowed_origins - Set of allowed origins.
    • exposed_headers - Set of exposed headers.
    • max_age_in_seconds - (Optional) Maximum age in seconds for CORS.
  • role_assignments - (Optional) Map of role assignments to create on the Cosmos DB account. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
    • role_definition_id_or_name - The role definition ID or name to assign.
    • principal_id - The principal ID to assign the role to.
    • description - (Optional) Description of the role assignment.
    • skip_service_principal_aad_check - (Optional) Whether to skip AAD check for service principal.
    • condition - (Optional) Condition for the role assignment.
    • condition_version - (Optional) Version of the condition.
    • delegated_managed_identity_resource_id - (Optional) Resource ID of the delegated managed identity.
    • principal_type - (Optional) Type of the principal (User, Group, ServicePrincipal).
  • tags - (Optional) Map of tags to assign to the Cosmos DB account.

Type:

map(object({
    existing_resource_id         = optional(string, null)
    private_dns_zone_resource_id = optional(string, null)
    enable_diagnostic_settings   = optional(bool, true)
    name                         = optional(string)
    secondary_regions = optional(list(object({
      location          = string
      zone_redundant    = optional(bool, true)
      failover_priority = optional(number, 0)
    })), [])
    public_network_access_enabled    = optional(bool, false)
    analytical_storage_enabled       = optional(bool, true)
    automatic_failover_enabled       = optional(bool, true)
    local_authentication_disabled    = optional(bool, true)
    partition_merge_enabled          = optional(bool, false)
    multiple_write_locations_enabled = optional(bool, false)
    analytical_storage_config = optional(object({
      schema_type = string
    }), null)
    consistency_policy = optional(object({
      max_interval_in_seconds = optional(number, 300)
      max_staleness_prefix    = optional(number, 100001)
      consistency_level       = optional(string, "Session")
    }), {})
    backup = optional(object({
      retention_in_hours  = optional(number)
      interval_in_minutes = optional(number)
      storage_redundancy  = optional(string)
      type                = optional(string)
      tier                = optional(string)
    }), {})
    capabilities = optional(set(object({
      name = string
    })), [])
    capacity = optional(object({
      total_throughput_limit = optional(number, -1)
    }), {})
    cors_rule = optional(object({
      allowed_headers    = set(string)
      allowed_methods    = set(string)
      allowed_origins    = set(string)
      exposed_headers    = set(string)
      max_age_in_seconds = optional(number, null)
    }), null)
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    tags = optional(map(string), {})
  }))

Default: {}

Description: Whether to create resources such as AI Search, Cosmos DB, Key Vault, and Storage Account in this deployment. If set to false, these resources will not be created or linked, and the module will only create the AI Foundry account and project.

Type: bool

Default: false

Description: Whether to create private endpoints for AI Foundry, Cosmos DB, Key Vault, and AI Search. If set to false, private endpoints will not be created.

Type: bool

Default: false

Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.

Type: bool

Default: true

Description: Configuration object for the Azure Key Vault to be created for GenAI services.

• map key - The key for the map entry. This key should match the AI project key when creating multiple projects with multiple Key Vaults. This can be used in naming, so short alphanumeric keys are required to avoid hitting naming length limits for the Key Vault when using the base name naming option.
  • existing_resource_id - (Optional) The resource ID of an existing Key Vault to use. If provided, the vault will not be created and the other inputs will be ignored.
  • name - (Optional) The name of the Key Vault. If not provided, a name will be generated.
  • private_dns_zone_resource_id - (Optional) The resource ID of the existing private DNS zone for Key Vault. If one is not provided a private endpoint will not be created.
  • enable_diagnostic_settings - (Optional) Whether diagnostic settings are enabled. Default is true.
  • sku - (Optional) The SKU of the Key Vault. Default is "standard".
  • tenant_id - (Optional) The tenant ID for the Key Vault. If not provided, the current tenant will be used.
  • role_assignments - (Optional) Map of role assignments to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
    • role_definition_id_or_name - The role definition ID or name to assign.
    • principal_id - The principal ID to assign the role to.
    • description - (Optional) Description of the role assignment.
    • skip_service_principal_aad_check - (Optional) Whether to skip AAD check for service principal.
    • condition - (Optional) Condition for the role assignment.
    • condition_version - (Optional) Version of the condition.
    • delegated_managed_identity_resource_id - (Optional) Resource ID of the delegated managed identity.
    • principal_type - (Optional) Type of the principal (User, Group, ServicePrincipal).
  • tags - (Optional) Map of tags to assign to the Key Vault.

Type:

map(object({
    existing_resource_id         = optional(string, null)
    name                         = optional(string)
    private_dns_zone_resource_id = optional(string, null)
    enable_diagnostic_settings   = optional(bool, true)
    sku                          = optional(string, "standard")
    tenant_id                    = optional(string)
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    tags = optional(map(string), {})
  }))

Default: {}

Description: Configuration object for the Log Analytics Workspace to be created for monitoring and logging.

• map key - The key for the map entry. This key should match the AI project key when creating multiple projects with multiple Log Analytics Workspaces.
  • existing_resource_id - (Optional) The resource ID of an existing Log Analytics Workspace to use. If provided, the workspace will not be created and the other inputs will be ignored.
  • name - (Optional) The name of the Log Analytics Workspace. If not provided, a name will be generated.
  • retention - (Optional) The data retention period in days for the workspace. Default is 30.
  • sku - (Optional) The SKU of the Log Analytics Workspace. Default is "PerGB2018".
  • tags - (Optional) Map of tags to assign to the Log Analytics Workspace.

Type:

map(object({
    existing_resource_id = optional(string, null)
    name                 = optional(string)
    retention            = optional(number, 30)
    sku                  = optional(string, "PerGB2018")
    tags                 = optional(map(string), {})
  }))

Default: {}

Description: (Optional) The subnet ID for private endpoints.

Type: string

Default: null

Description: Custom names for each resource. If not provided, names will be generated using base_name or name.

Type:

object({
    ai_agent_host                   = optional(string)
    ai_foundry                      = optional(string)
    ai_foundry_project              = optional(string)
    ai_foundry_project_display_name = optional(string)
  })

Default: {}

Description: Configuration object for the Azure Storage Account to be created for GenAI services.

• map key - The key for the map entry. This key should match the AI project key when creating multiple projects with multiple Storage Accounts. This can be used in naming, so short alphanumeric keys are required to avoid hitting naming length limits for the Storage Account when using the base name naming option.
  • existing_resource_id - (Optional) The resource ID of an existing Storage Account to use. If provided, the account will not be created and the other inputs will be ignored.
  • enable_diagnostic_settings - (Optional) Whether diagnostic settings are enabled. Default is true.
  • name - (Optional) The name of the Storage Account. If not provided, a name will be generated.
  • account_kind - (Optional) The kind of storage account. Default is "StorageV2".
  • account_tier - (Optional) The performance tier of the storage account. Default is "Standard".
  • account_replication_type - (Optional) The replication type for the storage account. Default is "ZRS".
  • endpoints - (Optional) Map of endpoint configurations to enable. Default includes blob endpoint.
    • type - The type of endpoint (e.g., "blob", "file", "queue", "table").
    • private_dns_zone_resource_id - (Optional) The resource ID of the existing private DNS zone for the endpoint. If not provided, a private endpoint will not be created.
  • access_tier - (Optional) The access tier for the storage account. Default is "Hot".
  • shared_access_key_enabled - (Optional) Whether shared access keys are enabled. Default is false.
  • role_assignments - (Optional) Map of role assignments to create on the Storage Account. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
    • role_definition_id_or_name - The role definition ID or name to assign.
    • principal_id - The principal ID to assign the role to.
    • description - (Optional) Description of the role assignment.
    • skip_service_principal_aad_check - (Optional) Whether to skip AAD check for service principal.
    • condition - (Optional) Condition for the role assignment.
    • condition_version - (Optional) Version of the condition.
    • delegated_managed_identity_resource_id - (Optional) Resource ID of the delegated managed identity.
    • principal_type - (Optional) Type of the principal (User, Group, ServicePrincipal).
  • tags - (Optional) Map of tags to assign to the Storage Account.

Type:

map(object({
    existing_resource_id       = optional(string, null)
    enable_diagnostic_settings = optional(bool, true)
    name                       = optional(string, null)
    account_kind               = optional(string, "StorageV2")
    account_tier               = optional(string, "Standard")
    account_replication_type   = optional(string, "ZRS")
    endpoints = optional(map(object({
      type                         = string
      private_dns_zone_resource_id = optional(string, null)
      })), {
      blob = {
        type = "blob"
      }
    })
    access_tier               = optional(string, "Hot")
    shared_access_key_enabled = optional(bool, false)
    role_assignments = optional(map(object({
      role_definition_id_or_name             = string
      principal_id                           = string
      description                            = optional(string, null)
      skip_service_principal_aad_check       = optional(bool, false)
      condition                              = optional(string, null)
      condition_version                      = optional(string, null)
      delegated_managed_identity_resource_id = optional(string, null)
      principal_type                         = optional(string, null)
    })), {})
    tags = optional(map(string), {})

    #TODO:
    # Implement subservice passthrough here
  }))

Default: {}

Description: (Optional) Tags to be applied to all resources.

Type: map(string)

Default: null

The following outputs are exported:

Description: The resource ID of the account-level AI agent capability host.

Description: The resource ID of the AI agent capability host.

Description: The resource ID of the AI Foundry account.

Description: The name of the AI Foundry account.

Description: The resource ID of the AI Foundry Project.

Description: The internal ID of the AI Foundry project used for container naming.

Description: The name of the AI Foundry Project.

Description: The principal ID of the AI Foundry project's system-assigned managed identity.

Description: The resource IDs of all AI model deployments.

Description: The resource ID of the AI Search service.

Description: The name of the AI Search service.

Description: The resource ID of the Cosmos DB account.

Description: The name of the Cosmos DB account.

Description: The resource ID of the Key Vault.

Description: The name of the Key Vault.

Description: The project ID formatted as GUID for container naming (only available when AI agent service is enabled).

Description: The resource ID of the resource group.

Description: The name of the resource group.

Description: The resource IDs of the AI Foundry resource.

Description: The resource ID of the storage account.

Description: The name of the storage account.

The following Modules are called:

Source: ./modules/ai-foundry-project

Version:

Source: Azure/avm-utl-regions/azurerm

Version: 0.5.2

Source: Azure/avm-res-documentdb-databaseaccount/azurerm

Version: 0.10.0

Source: Azure/avm-res-keyvault-vault/azurerm

Version: 0.10.0

Source: Azure/avm-res-operationalinsights-workspace/azurerm

Version: 0.4.2

Source: Azure/avm-res-storage-storageaccount/azurerm

Version: 0.6.4

The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.