Bicep Module Documentation
← Back to Overview
Module openai-services
openaiService
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identityType | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' |
The Azure Active Directory identity of the server. The identity type. Set this to SystemAssigned in order to automatically create and assign an Azure Active Directory principal for the resource. (default: none) |
| managedIdentityId | string | User assigned managed identity id to access other resources |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| encryption | encryption | Properties of BYOK Encryption description |
| networkAcls | networkAcls | Set firewall rules |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Allow public access to the keyvault (default: Enabled) |
| restrictOutboundNetworkAccess | bool | Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be Enabled or Disabled |
| userOwnedStorage | userOwnedStorage[] | The storage accounts for this resource. |
| allowedFqdnList | string[] | |
| amlWorkspace | amlWorkspace | The user owned AML workspace properties |
| apiProperties | apiProperties | The api properties for special APIs. |
| customSubDomainName | string | Optional subdomain name used for token-based authentication. |
| disableLocalAuth | bool | |
| dynamicThrottlingEnabled | bool | The flag to enable dynamic throttling. |
| locations | locations | The multiregion settings of Cognitive Services account. |
| migrationToken | string | Resource migration token. |
| RaiMonitorConfig | RaiMonitorConfig | Cognitive Services Rai Monitor Config. |
| sku (required) | sku | |
| kind (required) | string | The Kind of the resource. |
keyVaultProperties
| Property | Value | Description |
|---|---|---|
| identityClientId | string | |
| keyName | string | Name of the Key from KeyVault |
| keyVaultUri | string | Uri of KeyVault |
| keyVersion | string | Version of KeyVault |
encryption
| Property | Value | Description |
|---|---|---|
| keySource | 'Microsoft.CognitiveServices' 'Microsoft.KeyVault' |
Enumerates the possible value of keySource for Encryption |
| keyVaultProperties | keyVaultProperties | Properties of KeyVault |
networkAcls
| Property | Value | Description |
|---|---|---|
| bypass | 'AzureServices' 'None' |
(default: None) |
| defaultAction | 'Allow' 'Deny' |
(default: deny) |
| ipRules | openaiServiceIpRule[] | Add allowed rules to keyvault [Array of IP rules] |
| virtualNetworkRules | openaiServiceVirtualNetworkRule[] | Add allowed virtual networks to keyvault [ResourceIds] |
userOwnedStorage
| Property | Value | Description |
|---|---|---|
| identityClientId | string | |
| resourceId | string | Full resource id of a Microsoft.Storage resource. |
amlWorkspace
| Property | Value | Description |
|---|---|---|
| identityClientId | 'string' | Identity Client id of a AML workspace resource. |
| resourceId | 'string' | Full resource id of a AML workspace resource. |
apiProperties
| Property | Value | Description |
|---|---|---|
| aadClientId | string | (Metrics Advisor Only) The Azure AD Client Id (Application Id). |
| aadTenantId | string | (Metrics Advisor Only) The Azure AD Tenant Id. |
| eventHubConnectionString | string | (Personalization Only) The flag to enable statistics of Bing Search. Pattern = ^( )Endpoint=sb://(.);( )SharedAccessKeyName=(.);( )SharedAccessKey=(.)$ |
| qnaAzureSearchEndpointId | string | (QnAMaker Only) The Azure Search endpoint id of QnAMaker. |
| qnaAzureSearchEndpointKey | string | (QnAMaker Only) The Azure Search endpoint key of QnAMaker. |
| qnaRuntimeEndpoint | string | (QnAMaker Only) The runtime endpoint of QnAMaker. |
| statisticsEnabled (required) | bool | (Bing Search Only) The flag to enable statistics of Bing Search. |
| storageAccountConnectionString | string | (Personalization Only) The storage account connection string. Pattern = ^(( *)DefaultEndpointsProtocol=(http |
| superUser | string | (Metrics Advisor Only) The super user of Metrics Advisor. |
| websiteName | string | (Metrics Advisor Only) The website name of Metrics Advisor. |
regions
| Property | Value | Description |
|---|---|---|
| customsubdomain | string | Maps the region to the regional custom subdomain. |
| name | string | Name of the region. |
| value | int | A value for priority or weighted routing methods. |
locations
| Property | Value | Description |
|---|---|---|
| regions | regions[] | |
| routingMethod (required) | 'Performance' 'Priority' 'Weighted' |
Multiregion routing methods. |
RaiMonitorConfig
| Property | Value | Description |
|---|---|---|
| adxStorageResourceId | string | The storage resource Id. |
| identityClientId | string | The identity client Id to access the storage. |
sku
| Property | Value | Description |
|---|---|---|
| capacity | int | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. |
| family | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. |
| name (required) | string | The name of the SKU. Ex - P3. It is typically a letter+number code |
| size | string | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. |
| tier | 'Basic' 'Enterprise' 'Free' 'Premium' 'Standard' |
This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. |
openaiServiceIpRule
| Property | Value | Description |
|---|---|---|
| value (required) | string | [[CIDR notation or IP address only IPv4] |
openaiServiceVirtualNetworkRule
| Property | Value | Description |
|---|---|---|
| id (required) | string | The virtual network Id which should be allowed |
| ignoreMissingVnetServiceEndpoint (required) | bool | Ignore the fact that there is no service endpoint for keyvault in the virtual network. |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Cant end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they cant modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
| principalType (required) | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
The principal type of the assigned principal ID |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
5.5.0 (2025-10-08)
Features
- update resource api versions
5.4.2 (2025-09-25)
Bug Fixes
- conditional output primarysharedkey for disableLocalAuth
5.4.1 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
5.4.0 (2025-09-23)
Features
- add secure output accessKey
5.3.2 (2025-08-06)
Bug Fixes
- make bypass optional in networkAcls (not possible when used as translator service)
5.3.1 (2025-06-13)
Bug Fixes
- add dependency deployment to raiPolicy
5.3.0 (2025-06-12)
Features
- add raiPolicies
5.2.0 (2025-05-12)
Features
- add principalId output
5.1.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
5.1.0 (2025-03-26)
Features
- add resourceName output
5.0.0 (2025-03-20)
⚠ BREAKING CHANGES
- revise descriptions and default public network access to disabled
Bug Fixes
- revise descriptions and default public network access to disabled
4.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
3.0.1 (2025-01-16)
Bug Fixes
- correct the open-ai service output name
3.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
2.0.0 (2025-01-02)
⚠ BREAKING CHANGES
- add possibility to assign multiple userAssignedManagedIdentities
Features
- add possibility to assign multiple userAssignedManagedIdentities
1.0.0 (2024-12-19)
Features
- add initial version
- add initial version