/terraform-azurerm-openai-service

Highly flexible Terraform module to deploy Azure OpenAI and save account and model details to Azure Key Vault for consumption in other Azure-hosted services.

Primary language: HCL. License: MIT.


Module: Azure OpenAI Service

NOTE: Your Azure subscription will need to be whitelisted for Azure OpenAI. At the release time of this module (August 2023) you will need to request access via this form, and via a further form for GPT-4. Once you have access, deploy either GPT-35-Turbo or GPT-35-Turbo-16k, or, if you have access to GPT-4-32k, go forward with that model.


Description

Flexible Terraform Registry module for setting up an Azure-hosted OpenAI service, deploying models on a new or existing OpenAI service, and saving deployment and account details to Azure Key Vault, ready for consumption by other services hosted in Azure.

See Create OpenAI Service and Models:
For an example of how to create an OpenAI Service hosted on Azure, deploy models and save the details to an Azure Key Vault.

See Create Models on existing OpenAI Account:
For an example of how to create models hosted on an existing OpenAI Service and save the details to an Azure Key Vault.

See Create OpenAI Service Only:
For an example of how to create only an OpenAI Service hosted on Azure and save the details to an Azure Key Vault. (No models deployed.)

This module is published on the Public Terraform Registry - openai-service

Want more?

Want to host your own Private ChatGPT-like service on Azure?

Check out my other Terraform module to deploy your very own private ChatBot/ChatGPT-like container apps instance hosted on Azure OpenAI and fronted by Azure Front Door + WAF:

openai-private-chatgpt


Enjoy!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9.5 |
| azurerm | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 4.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| create_model_deployment | ./modules/model_deployment | n/a |
| create_openai_service | ./modules/openai_service | n/a |

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.openai_kv | resource |
| azurerm_key_vault_secret.openai_endpoint | resource |
| azurerm_key_vault_secret.openai_model | resource |
| azurerm_key_vault_secret.openai_model_deployment_id | resource |
| azurerm_key_vault_secret.openai_primary_key | resource |
| azurerm_role_assignment.kv_role_assigment | resource |
| azurerm_client_config.current | data source |
| azurerm_cognitive_account.openai | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_model_deployment | Create the model deployment. | `bool` | `false` | no |
| create_openai_service | Create the OpenAI service. | `bool` | `false` | no |
| keyvault_firewall_allowed_ips | Key Vault firewall allowed IP rules. | `list(string)` | `[]` | no |
| keyvault_firewall_bypass | List of Key Vault firewall rules to bypass. | `string` | `"AzureServices"` | no |
| keyvault_firewall_default_action | Default action for Key Vault firewall rules. | `string` | `"Deny"` | no |
| keyvault_firewall_virtual_network_subnet_ids | Key Vault firewall allowed virtual network subnet IDs. | `list(string)` | `[]` | no |
| keyvault_resource_group_name | Name of the resource group where the Key Vault will be hosted. | `string` | n/a | yes |
| kv_config | Key Vault configuration object to create the Azure Key Vault that stores the OpenAI account details. | `object({ name = string, sku = string })` | `{ "name": "openaikv9000", "sku": "standard" }` | no |
| location | Azure region to deploy resources to. | `string` | `"uksouth"` | no |
| model_deployment | type = list(object({<br>deployment_id = (Required) The name of the Cognitive Services Account Model Deployment. Changing this forces a new resource to be created.<br>model_name = {<br>model_format = (Required) The format of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created. Possible value is OpenAI.<br>model_name = (Required) The name of the Cognitive Services Account Deployment model. Changing this forces a new resource to be created.<br>model_version = (Required) The version of Cognitive Services Account Deployment model.<br>}<br>sku = {<br>sku_name = (Required) The name of the SKU. Possible values include Standard, GlobalBatch, GlobalStandard and ProvisionedManaged.<br>sku_tier = (Optional) Possible values are Free, Basic, Standard, Premium, Enterprise. Changing this forces a new resource to be created.<br>sku_size = (Optional) The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. Changing this forces a new resource to be created.<br>sku_family = (Optional) If the service has different generations of hardware, for the same SKU, then that can be captured here. Changing this forces a new resource to be created.<br>sku_capacity = (Optional) Tokens-per-Minute (TPM). If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. Default value is 1. Changing this forces a new resource to be created.<br>}<br>rai_policy_name = (Optional) The name of RAI policy. Changing this forces a new resource to be created.<br>})) | `list(object({ deployment_id = string, model_name = string, model_format = string, model_version = string, sku_name = string, sku_tier = optional(string), sku_size = optional(number), sku_family = optional(string), sku_capacity = optional(number), rai_policy_name = optional(string) }))` | `[]` | no |
| openai_account_name | Name of the OpenAI service. | `string` | `"demo-account"` | no |
| openai_custom_subdomain_name | The subdomain name used for token-based authentication. Changing this forces a new resource to be created (normally the same as variable openai_account_name). | `string` | `"demo-account"` | no |
| openai_customer_managed_key | type = object({<br>key_vault_key_id = (Required) The ID of the Key Vault Key which should be used to encrypt the data in this OpenAI Account.<br>identity_client_id = (Optional) The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when there are multiple identities attached to the OpenAI Account.<br>}) | `object({ key_vault_key_id = string, identity_client_id = optional(string) })` | `null` | no |
| openai_dynamic_throttling_enabled | Determines whether or not dynamic throttling is enabled. If set to true, dynamic throttling will be enabled. If set to false, dynamic throttling will not be enabled. | `bool` | `null` | no |
| openai_fqdns | List of FQDNs allowed for the Cognitive Account. | `list(string)` | `null` | no |
| openai_identity | type = object({<br>type = (Required) The type of the Identity. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.<br>identity_ids = (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this OpenAI Account.<br>}) | `object({ type = string, identity_ids = optional(list(string)) })` | `null` | no |
| openai_local_auth_enabled | Whether local authentication methods are enabled for the Cognitive Account. Defaults to true. | `bool` | `true` | no |
| openai_network_acls | type = set(object({<br>default_action = (Required) The Default Action to use when no rules match from ip_rules / virtual_network_rules. Possible values are Allow and Deny.<br>ip_rules = (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Cognitive Account.<br>virtual_network_rules = optional(set(object({<br>subnet_id = (Required) The ID of a Subnet which should be able to access the OpenAI Account.<br>ignore_missing_vnet_service_endpoint = (Optional) Whether to ignore a missing VNet service endpoint. Defaults to false.<br>})))<br>})) | `set(object({ default_action = string, ip_rules = optional(set(string)), virtual_network_rules = optional(set(object({ subnet_id = string, ignore_missing_vnet_service_endpoint = optional(bool, false) }))) }))` | `null` | no |
| openai_outbound_network_access_restricted | Whether or not outbound network access is restricted. | `bool` | `false` | no |
| openai_public_network_access_enabled | Whether or not public network access is enabled for the Cognitive Account. | `bool` | `true` | no |
| openai_resource_group_name | Name of the resource group where the cognitive account OpenAI service is hosted (if different from solution resource group). | `string` | n/a | yes |
| openai_sku_name | SKU name of the OpenAI service. | `string` | `"S0"` | no |
| openai_storage | type = list(object({<br>storage_account_id = (Required) Full resource id of a Microsoft.Storage resource.<br>identity_client_id = (Optional) The client ID of the managed identity associated with the storage resource.<br>})) | `list(object({ storage_account_id = string, identity_client_id = optional(string) }))` | `[]` | no |
| tags | A map of key value pairs that is used to tag resources created. | `map(string)` | `{ "Author": "Marcel Lupo", "Description": "Azure OpenAI service.", "GitHub": "https://github.com/Pwd9000-ML/terraform-azurerm-openai-service", "Terraform": "True" }` | no |
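
One way to set the inputs listed above so that the Key Vault and the OpenAI account share a single allow-list, as an added example rather than code from the module's repository. The registry source address, resource names, the subnet variable, the model version and the 203.0.113.0/24 range are assumptions or constructed values, and the resource group is assumed to exist already.

```hcl
# Added example, not from the module's repository. Names, the subnet variable and
# the 203.0.113.0/24 range are constructed; the source address is an assumption.
variable "app_subnet_id" {
  type        = string
  description = "Subnet with Microsoft.KeyVault and Microsoft.CognitiveServices service endpoints"
}

module "openai" {
  source = "Pwd9000-ML/openai-service/azurerm" # assumed registry address

  # Key Vault firewall: default Deny. The address Terraform runs from must be
  # allowed as well, or writing the secrets is rejected by the vault firewall.
  keyvault_resource_group_name                 = "rg-openai-example"
  kv_config                                    = { name = "openaikvexample01", sku = "standard" }
  keyvault_firewall_default_action             = "Deny"
  keyvault_firewall_bypass                     = "AzureServices"
  keyvault_firewall_allowed_ips                = ["203.0.113.0/24"]
  keyvault_firewall_virtual_network_subnet_ids = [var.app_subnet_id]

  # OpenAI account: the same allow-list instead of the default (null, no ACLs).
  create_openai_service        = true
  openai_resource_group_name   = "rg-openai-example"
  openai_account_name          = "example-openai"
  openai_custom_subdomain_name = "example-openai"
  openai_identity              = { type = "SystemAssigned" }
  openai_network_acls = [{
    default_action        = "Deny"
    ip_rules              = ["203.0.113.0/24"]
    virtual_network_rules = [{ subnet_id = var.app_subnet_id }]
  }]

  create_model_deployment = true
  model_deployment = [{
    deployment_id = "gpt35turbo16k"
    model_name    = "gpt-35-turbo-16k"
    model_format  = "OpenAI"
    model_version = "0613" # sample value; use a version offered in your region
    sku_name      = "Standard"
    sku_capacity  = 1
  }]
}

# Hand consumers the vault URI rather than the key outputs. The access keys are
# still stored in Terraform state, so the state backend needs the same protection.
output "key_vault_uri" {
  value = module.openai.key_vault_uri
}
```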

Outputs

| Name | Description |
|------|-------------|
| key_vault_id | The ID of the Key Vault. |
| key_vault_uri | The URI of the Key Vault. |
| openai_account_name | The name of the Cognitive Service Account. |
| openai_endpoint | The endpoint used to connect to the Cognitive Service Account. |
| openai_primary_key | The primary access key for the Cognitive Service Account. |
| openai_resource_group_name | The name of the Resource Group hosting the Cognitive Service Account. |
| openai_secondary_key | The secondary access key for the Cognitive Service Account. |
| openai_subdomain | The subdomain used to connect to the Cognitive Service Account. |