Add Azure AI Foundry workspace service

CHANGELOG.md

@@ -4,7 +4,7 @@
 * _No changes yet_
 
 ENHANCEMENTS:
-* _No changes yet_
+* Add Azure AI Foundry workspace service with support for AI Hub, AI Search, Cosmos DB, and VNet injection for Standard Agents ([#4509](https://github.com/microsoft/AzureTRE/issues/4509))
 
 BUG FIXES:
 * _No changes yet_

core/terraform/dns_zones_non_core.tf

@@ -52,6 +52,44 @@ resource "azurerm_private_dns_zone_virtual_network_link" "cognitivesearch" {
   lifecycle { ignore_changes = [tags] }
 }
 
+# AI Foundry service DNS zones - these are not yet in the environment configuration module,
+# so we define them directly rather than via the for_each non_core pattern.
+resource "azurerm_private_dns_zone" "ai_services" {
+  name                = "privatelink.services.ai.azure.com"
+  resource_group_name = azurerm_resource_group.core.name
+  tags                = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "ai_services" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.ai_services.name
+  name                  = azurerm_private_dns_zone.ai_services.name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone" "ai_search" {
+  name                = "privatelink.search.windows.net"
+  resource_group_name = azurerm_resource_group.core.name
+  tags                = local.tre_core_tags
+
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "ai_search" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.ai_search.name
+  name                  = azurerm_private_dns_zone.ai_search.name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
 # Once the deployment of the app gateway is complete, we can proceed to include the required DNS zone for Nexus, which is dependent on the FQDN of the app gateway.
 resource "azurerm_private_dns_zone" "nexus" {
   name                = "nexus-${module.appgateway.app_gateway_fqdn}"

templates/workspace_services/ai-foundry/Dockerfile.tmpl

@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM --platform=linux/amd64 debian:bookworm-slim
+
+# PORTER_INIT
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+# Git is required for terraform init
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y git jq --no-install-recommends
+
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/

templates/workspace_services/ai-foundry/porter.yaml

@@ -0,0 +1,203 @@
+---
+schemaVersion: 1.0.0
+name: tre-workspace-service-ai-foundry
+version: 0.2.28
+description: "Azure AI Foundry workspace service - provides AI/ML capabilities with private endpoint access"
+registry: azuretre
+dockerfile: Dockerfile.tmpl
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+
+parameters:
+  - name: workspace_id
+    type: string
+  - name: tre_id
+    type: string
+
+  # the following are added automatically by the resource processor
+  - name: id
+    type: string
+    description: "Resource ID"
+    env: id
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    env: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    type: boolean
+    default: false
+  - name: arm_environment
+    env: ARM_ENVIRONMENT
+    type: string
+    default: "public"
+
+  # AI Foundry specific parameters
+  - name: display_name
+    type: string
+    default: "Azure AI Foundry"
+    description: "Display name for the AI Foundry service"
+  - name: openai_model
+    type: string
+    default: "gpt-4o | 2024-05-13"
+    description: "OpenAI model to deploy"
+  - name: openai_model_capacity
+    type: integer
+    default: 10
+    description: "Capacity for the OpenAI model deployment"
+  - name: is_exposed_externally
+    type: boolean
+    default: false
+    description: "Determines if the AI Foundry resources are accessible from outside the workspace network"
+    env: IS_EXPOSED_EXTERNALLY
+  - name: enable_ai_search
+    type: boolean
+    default: false
+    description: "Enable Azure AI Search for RAG and knowledge retrieval scenarios"
+  - name: enable_cosmos_db
+    type: boolean
+    default: false
+    description: "Enable Azure Cosmos DB for agent state persistence and conversation history"
+  - name: enable_agent_networking
+    type: boolean
+    default: false
+    description: "Enable VNet injection for Standard Agents (can take 30-60+ min). Deploy without this first, then upgrade to enable."
+  - name: address_space
+    type: string
+    description: "Address space for the AI Foundry agent subnet"
+  - name: workspace_owners_group_id
+    type: string
+    description: "Object ID of the workspace owners AAD group"
+  - name: workspace_researchers_group_id
+    type: string
+    description: "Object ID of the workspace researchers AAD group"
+
+mixins:
+  - exec
+  - terraform:
+      clientVersion: 1.14.3
+
+outputs:
+  - name: ai_foundry_id
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: ai_foundry_name
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: connection_uri
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: workspace_address_spaces
+    type: string
+    applyTo:
+      - install
+      - upgrade
+
+install:
+  - terraform:
+      description: "Deploy AI Foundry workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        display_name: ${ bundle.parameters.display_name }
+        openai_model: ${ bundle.parameters.openai_model }
+        openai_model_capacity: ${ bundle.parameters.openai_model_capacity }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        enable_ai_search: ${ bundle.parameters.enable_ai_search }
+        enable_cosmos_db: ${ bundle.parameters.enable_cosmos_db }
+        enable_agent_networking: ${ bundle.parameters.enable_agent_networking }
+        address_space: ${ bundle.parameters.address_space }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-ai-foundry-${ bundle.parameters.id }
+      outputs:
+        - name: ai_foundry_id
+        - name: ai_foundry_name
+        - name: connection_uri
+        - name: workspace_address_spaces
+
+upgrade:
+  - terraform:
+      description: "Upgrade AI Foundry workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        display_name: ${ bundle.parameters.display_name }
+        openai_model: ${ bundle.parameters.openai_model }
+        openai_model_capacity: ${ bundle.parameters.openai_model_capacity }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        enable_ai_search: ${ bundle.parameters.enable_ai_search }
+        enable_cosmos_db: ${ bundle.parameters.enable_cosmos_db }
+        enable_agent_networking: ${ bundle.parameters.enable_agent_networking }
+        address_space: ${ bundle.parameters.address_space }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-ai-foundry-${ bundle.parameters.id }
+      outputs:
+        - name: ai_foundry_id
+        - name: ai_foundry_name
+        - name: connection_uri
+        - name: workspace_address_spaces
+
+uninstall:
+  - terraform:
+      description: "Tear down AI Foundry workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        display_name: ${ bundle.parameters.display_name }
+        openai_model: ${ bundle.parameters.openai_model }
+        openai_model_capacity: ${ bundle.parameters.openai_model_capacity }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        enable_ai_search: ${ bundle.parameters.enable_ai_search }
+        enable_cosmos_db: ${ bundle.parameters.enable_cosmos_db }
+        enable_agent_networking: ${ bundle.parameters.enable_agent_networking }
+        address_space: ${ bundle.parameters.address_space }
+        workspace_owners_group_id: ${ bundle.parameters.workspace_owners_group_id }
+        workspace_researchers_group_id: ${ bundle.parameters.workspace_researchers_group_id }
+      backendConfig:
+        use_azuread_auth: "true"
+        use_oidc: "true"
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-ai-foundry-${ bundle.parameters.id }