From 6155fa225e4be78d07043b71d4e62596bae2b7db Mon Sep 17 00:00:00 2001
From: Zhijie Huang
Date: Tue, 23 Jul 2024 18:05:15 +0800
Subject: [PATCH] stop assigning roles to non-user principal
---
 infra/main.bicep | 4 +++-
 infra/main.parameters.json | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/infra/main.bicep b/infra/main.bicep
index b79c942..9490ff2 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -35,6 +35,8 @@ param openAiUrl string = '' // Set in main.parameters.json
 param openAiApiVersion string // Set in main.parameters.json
 param principalId string // Set in main.parameters.json
+@description('Flag to decide where to create OpenAI role for current user')
+param createRoleForUser bool = true
 var finalOpenAiUrl = empty(openAiUrl) ? 'https://${openAi.outputs.name}.openai.azure.com' : openAiUrl
 var abbrs = loadJsonContent('abbreviations.json')
@@ -148,7 +150,7 @@ module openAi 'core/ai/cognitiveservices.bicep' = if (empty(openAiUrl)) {
 // Roles
 // User roles
-module openAiRoleUser 'core/security/role.bicep' = {
+module openAiRoleUser 'core/security/role.bicep' = if (createRoleForUser) {
 scope: resourceGroup
 name: 'openai-role-user'
 params: {
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
index 71d8d77..7bc6d0c 100644
--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -14,6 +14,9 @@
 "principalId": {
 "value": "${AZURE_PRINCIPAL_ID}"
 },
+ "createRoleForUser": {
+ "value": "${CREATE_ROLE_FOR_USER=true}"
+ },
 "openAiLocation": {
 "value": "${AZURE_OPENAI_LOCATION=swedencentral}"
 },
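Review bot: The `@description` on `createRoleForUser` says "where to create", which looks like a typo for "whether", and it does not say when the flag should be turned off. Suggested text: `@description('Whether to assign the OpenAI role to principalId; set to false when the deploying principal is not a user')`. The neighbouring params each carry a `// Set in main.parameters.json` comment and this one is set there too, so adding the same comment would keep the block consistent.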
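Review bot: The new condition on `openAiRoleUser` tests only the flag, so with `createRoleForUser` left at its default of true and an empty `principalId` the role assignment is still attempted; `principalId` has no default in this file and is filled from `${AZURE_PRINCIPAL_ID}`. Consider `= if (createRoleForUser && !empty(principalId)) {`. When the flag is false the deploying identity gets no role from this module, so a comment above it such as `// Skipped for non-user principals; grant their access separately` would record that the gap is intentional. The module body continues past the end of the hunk, so its params (including any principal type it passes) are not visible here.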
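Review bot: The variable name `CREATE_ROLE_FOR_USER` does not follow the `AZURE_` prefix used by the neighbouring entries (`AZURE_PRINCIPAL_ID`, `AZURE_OPENAI_LOCATION`), which makes it easier to overlook when configuring a pipeline; `"value": "${AZURE_CREATE_ROLE_FOR_USER=true}"` would match them. Because the default is `true`, a deployment run by a non-user principal skips the role assignment only if this variable is explicitly set to `false`, and that requirement should be stated wherever the deployment variables are documented.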