Bicep Module Documentation
← Back to Overview
Module openai-services
openaiService
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| encryption | encryption | Properties of BYOK Encryption description |
| networkAcls | networkAcls | A collection of rules governing the accessibility from specific network locations. |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Whether or not public endpoint access is allowed for this account. (default: Disabled) |
| restrictOutboundNetworkAccess | bool | Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be Enabled or Disabled |
| userOwnedStorage | userOwnedStorage[] | The storage accounts for this resource. |
| allowedFqdnList | string[] | |
| amlWorkspace | amlWorkspace | The user owned AML workspace properties |
| apiProperties | apiProperties | The api properties for special APIs. |
| customSubDomainName | string | Optional subdomain name used for token-based authentication. |
| disableLocalAuth | bool | |
| dynamicThrottlingEnabled | bool | The flag to enable dynamic throttling. |
| locations | locations | The multiregion settings of Cognitive Services account. |
| migrationToken | string | Resource migration token. |
| RaiMonitorConfig | RaiMonitorConfig | Cognitive Services Rai Monitor Config. |
| sku (required) | sku | |
| kind | string | The Kind of the resource. Default: OpenAI |
| deployments | deployment[] | Deployments of OpenAI models |
| raiPolicies | raiPolicy[] | Rai policies to deploy (used for content filters and custom block lists) |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The identity type. (default: None) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
keyVaultProperties
| Property | Value | Description |
|---|---|---|
| identityClientId | string | |
| keyName | string | Name of the Key from KeyVault |
| keyVaultUri | string | Uri of KeyVault |
| keyVersion | string | Version of KeyVault |
encryption
| Property | Value | Description |
|---|---|---|
| keySource | 'Microsoft.CognitiveServices' 'Microsoft.KeyVault' |
Enumerates the possible value of keySource for Encryption |
| keyVaultProperties | keyVaultProperties | Properties of KeyVault |
ipRules
| Property | Value | Description |
|---|---|---|
| value (required) | string | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). |
virtualNetworkRules
| Property | Value | Description |
|---|---|---|
| id (required) | string | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. |
| ignoreMissingVnetServiceEndpoint (required) | bool | Ignore missing vnet service endpoint or not. |
networkAcls
| Property | Value | Description |
|---|---|---|
| bypass | 'AzureServices' 'None' |
Setting for trusted services. |
| defaultAction | 'Allow' 'Deny' |
The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. (default: Deny) |
| ipRules | ipRules[] | The list of IP address rules. |
| virtualNetworkRules | virtualNetworkRules[] | The list of virtual network rules. |
userOwnedStorage
| Property | Value | Description |
|---|---|---|
| identityClientId | string | |
| resourceId | string | Full resource id of a Microsoft.Storage resource. |
amlWorkspace
| Property | Value | Description |
|---|---|---|
| identityClientId | 'string' | Identity Client id of a AML workspace resource. |
| resourceId | 'string' | Full resource id of a AML workspace resource. |
apiProperties
| Property | Value | Description |
|---|---|---|
| aadClientId | string | (Metrics Advisor Only) The Azure AD Client Id (Application Id). |
| aadTenantId | string | (Metrics Advisor Only) The Azure AD Tenant Id. |
| eventHubConnectionString | string | (Personalization Only) The flag to enable statistics of Bing Search. Pattern = ^( )Endpoint=sb://(.);( )SharedAccessKeyName=(.);( )SharedAccessKey=(.)$ |
| qnaAzureSearchEndpointId | string | (QnAMaker Only) The Azure Search endpoint id of QnAMaker. |
| qnaAzureSearchEndpointKey | string | (QnAMaker Only) The Azure Search endpoint key of QnAMaker. |
| qnaRuntimeEndpoint | string | (QnAMaker Only) The runtime endpoint of QnAMaker. |
| statisticsEnabled (required) | bool | (Bing Search Only) The flag to enable statistics of Bing Search. |
| storageAccountConnectionString | string | (Personalization Only) The storage account connection string. Pattern = ^(( *)DefaultEndpointsProtocol=(http |
| superUser | string | (Metrics Advisor Only) The super user of Metrics Advisor. |
| websiteName | string | (Metrics Advisor Only) The website name of Metrics Advisor. |
regions
| Property | Value | Description |
|---|---|---|
| customsubdomain | string | Maps the region to the regional custom subdomain. |
| name | string | Name of the region. |
| value | int | A value for priority or weighted routing methods. |
locations
| Property | Value | Description |
|---|---|---|
| regions | regions[] | |
| routingMethod (required) | 'Performance' 'Priority' 'Weighted' |
Multiregion routing methods. |
RaiMonitorConfig
| Property | Value | Description |
|---|---|---|
| adxStorageResourceId | string | The storage resource Id. |
| identityClientId | string | The identity client Id to access the storage. |
sku
| Property | Value | Description |
|---|---|---|
| capacity | int | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. |
| family | string | If the service has different generations of hardware, for the same SKU, then that can be captured here. |
| name (required) | string | The name of the SKU. Ex - P3. It is typically a letter+number code |
| size | string | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. |
| tier | 'Basic' 'Enterprise' 'Free' 'Premium' 'Standard' |
This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. |
deployment
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| capacitySettings | capacitySettings | Capacity settings (internal use only). |
| currentCapacity | int | The current capacity. |
| model (required) | model | Properties of Cognitive Services account deployment model. |
| parentDeploymentName | string | The name of parent deployment. |
| raiPolicyName | string | The name of RAI policy. |
| scaleSettings | scaleSettings | Properties of Cognitive Services account deployment model. (Deprecated, please use Deployment.sku instead.) |
| versionUpgradeOption | 'NoAutoUpgrade' 'OnceCurrentVersionExpired' 'OnceNewDefaultVersionAvailable' |
Deployment model version upgrade option. |
| sku (required) | sku | The resource model definition representing SKU |
capacitySettings
| Property | Value | Description |
|---|---|---|
| designatedCapacity (required) | int | The designated capacity. |
| priority (required) | int | The priority of this capacity setting. |
model
| Property | Value | Description |
|---|---|---|
| format (required) | string | Deployment model format. |
| name (required) | string | Deployment model name. |
| publisher | string | Deployment model publisher. |
| source | string | Deployment model source ARM resource ID. |
| sourceAccount | string | Source of the model, another Microsoft.CognitiveServices accounts ARM resource ID. |
| version | string | Deployment model version. If version is not specified, a default version will be assigned. The default version is different for different models and might change when there is new version available for a model. Default version for a model could be found from list models API. |
scaleSettings
| Property | Value | Description |
|---|---|---|
| capacity (required) | int | Deployment capacity. |
| scaleType (required) | 'Manual' 'Standard' |
Deployment scale type. |
raiPolicy
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_.-]*$ |
| basePolicyName (required) | string | Name of Rai policy. |
| contentFilters | contentFilters[] | The list of Content Filters. |
| customBlocklists | customBlocklists[] | The list of custom Blocklist. |
| mode (required) | 'Asynchronous_filter' 'Blocking' 'Default' 'Deferred' |
Rai policy mode. The enum value mapping is as below: Default = 0, Deferred=1, Blocking=2, Asynchronous_filter =3. Please use 'Asynchronous_filter' after 2025-04-01-preview. It is the same as 'Deferred' in previous version. |
contentFilters
| Property | Value | Description |
|---|---|---|
| blocking (required) | bool | If blocking would occur. |
| enabled (required) | bool | If the ContentFilter is enabled. |
| name (required) | string | Name of ContentFilter. |
| severityThreshold | 'High' 'Low' 'Medium' |
Level at which content is filtered. |
| source (required) | 'Completion' 'Prompt' |
Content source to apply the Content Filters. |
customBlocklists
| Property | Value | Description |
|---|---|---|
| blocking (required) | bool | If blocking would occur. |
| blocklistName (required) | string | Name of ContentFilter. |
| source (required) | 'Completion' 'Prompt' |
Content source to apply the Content Filters. |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
5.5.0 (2025-10-08)
Features
- update resource api versions
5.4.2 (2025-09-25)
Bug Fixes
- conditional output primarysharedkey for disableLocalAuth
5.4.1 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
5.4.0 (2025-09-23)
Features
- add secure output accessKey
5.3.2 (2025-08-06)
Bug Fixes
- make bypass optional in networkAcls (not possible when used as translator service)
5.3.1 (2025-06-13)
Bug Fixes
- add dependency deployment to raiPolicy
5.3.0 (2025-06-12)
Features
- add raiPolicies
5.2.0 (2025-05-12)
Features
- add principalId output
5.1.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
5.1.0 (2025-03-26)
Features
- add resourceName output
5.0.0 (2025-03-20)
⚠ BREAKING CHANGES
- revise descriptions and default public network access to disabled
Bug Fixes
- revise descriptions and default public network access to disabled
4.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
3.0.1 (2025-01-16)
Bug Fixes
- correct the open-ai service output name
3.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
2.0.0 (2025-01-02)
⚠ BREAKING CHANGES
- add possibility to assign multiple userAssignedManagedIdentities
Features
- add possibility to assign multiple userAssignedManagedIdentities
1.0.0 (2024-12-19)
Features
- add initial version
- add initial version