Open AI Workspace Service (#4075)

* Port over draft PR for OpenAI * Fixes to get OpenAI to install * Temporary hack fix for the privatelink URLS for openai * Use forked repo instead of the hack * Re-add private DNS to list * Change github URL temporarily in openai terraform as well * Parameterise OpenAI model name and version (locals for now but should be vars) * Fix private DNS links and add public access variable * Fix template schema * Open AI Model and version configurable * Terraform format * Revert back to microsoft environment configuration with new version * Remove commented code * Make parameters updateable and output the deployment id * Update porter file * Bump core version * More version bumps and documentation * Some fixes based on linting results * Remove tag lifecycle from the OpenAI deployment as it is not supported * Add tags to OpenAI instance
microsoft · Sep 16, 2024 · 4040e72 · 4040e72
1 parent c3e4c8d
commit 4040e72
Show file tree

Hide file tree

Showing 25 changed files with 531 additions and 6 deletions.
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
@@ -401,6 +401,8 @@ jobs:
              BUNDLE_DIR: "./templates/workspace_services/ohdsi"}
           - {BUNDLE_TYPE: "workspace_service",
              BUNDLE_DIR: "./templates/workspace_services/azuresql"}
+          - {BUNDLE_TYPE: "workspace_service",
+             BUNDLE_DIR: "./templates/workspace_services/openai"}
           - {BUNDLE_TYPE: "user_resource",
              BUNDLE_DIR: "./templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm"}
           - {BUNDLE_TYPE: "user_resource",

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ COMPONENTS:
 
 FEATURES:
 * Azure SQL Workspace Service ([#3969](https://github.com/microsoft/AzureTRE/issues/3969))
+* OpenAI Workspace Service ([#3810](https://github.com/microsoft/AzureTRE/issues/3810))
 
 ENHANCEMENTS:
 * Add Case Study Docs ([#1366](https://github.com/microsoft/AzureTRE/issues/1366))

diff --git a/core/terraform/dns_zones_non_core.tf b/core/terraform/dns_zones_non_core.tf
@@ -32,6 +32,26 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azuresql" {
   lifecycle { ignore_changes = [tags] }
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "openai" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+  name                  = azurerm_private_dns_zone.non_core["privatelink.openai.azure.com"].name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "cognitivesearch" {
+  resource_group_name   = azurerm_resource_group.core.name
+  virtual_network_id    = module.network.core_vnet_id
+  private_dns_zone_name = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+  name                  = azurerm_private_dns_zone.non_core["privatelink.cognitiveservices.azure.com"].name
+  registration_enabled  = false
+  tags                  = local.tre_core_tags
+  lifecycle { ignore_changes = [tags] }
+}
+
 # Once the deployment of the app gateway is complete, we can proceed to include the required DNS zone for Nexus, which is dependent on the FQDN of the app gateway.
 resource "azurerm_private_dns_zone" "nexus" {
   name                = "nexus-${module.appgateway.app_gateway_fqdn}"

diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf
@@ -33,7 +33,9 @@ locals {
     "privatelink.postgres.database.azure.com",
     "privatelink.mysql.database.azure.com",
     "privatelink.database.windows.net",
-    "privatelink.azuredatabricks.net"
+    "privatelink.azuredatabricks.net",
+    "privatelink.openai.azure.com",
+    "privatelink.cognitiveservices.azure.com"
   ])
 
   # The followig regex extracts different parts of the service bus endpoint: scheme, fqdn, port, path, query and fragment. This allows us to extract the needed fqdn part.

diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -179,6 +179,6 @@ module "resource_processor_vmss_porter" {
 }
 
 module "terraform_azurerm_environment_configuration" {
-  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.5.0"
+  source          = "git::https://github.com/microsoft/terraform-azurerm-environment-configuration.git?ref=0.6.0"
   arm_environment = var.arm_environment
 }
diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.10.6"
+__version__ = "0.10.7"
diff --git a/docs/tre-templates/workspace-services/openai.md b/docs/tre-templates/workspace-services/openai.md
@@ -0,0 +1,22 @@
+# OpenAI Workspace Service
+
+See: [Azure OpenAI Service](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview)
+
+## Prerequisites
+
+- [A base workspace deployed](../workspaces/base.md)
+
+- The OpenAI workspace service container image needs building and pushing:
+
+  `make workspace_service_bundle BUNDLE=openai`
+
+## Authenticating
+
+1. The open AI domain and deployment id can be found from the details tab.
+2. When communicating with the API, an "api_key" is required. This can be found in the Key Vault.
+
+## Properties
+- `is_exposed_externally` - If `True`, the OpenAI workspace is accessible from outside of the workspace virtual network.
+- `openai_model` - The model to use for the OpenAI deployment `<model name> | <model version>`. The default is `gpt-35-turbo | 0301`.
+- Important note: Models are subject to different quota and region availability and the deployment may fail if you don't have the correct quota.
+Please review this link on current limits and how to request increases: [Open AI Quotas](https://learn.microsoft.com/en-us/azure/ai-services/openai/quotas-limits)
diff --git a/e2e_tests/resources/strings.py b/e2e_tests/resources/strings.py
@@ -20,6 +20,7 @@
 MYSQL_SERVICE = "tre-workspace-service-mysql"
 HEALTH_SERVICE = "tre-workspace-service-health"
 AZURESQL_SERVICE = "tre-workspace-service-azuresql"
+OPENAI_SERVICE = "tre-workspace-service-openai"
 
 FIREWALL_SHARED_SERVICE = "tre-shared-service-firewall"
 GITEA_SHARED_SERVICE = "tre-shared-service-gitea"

diff --git a/e2e_tests/test_workspace_services.py b/e2e_tests/test_workspace_services.py
@@ -13,7 +13,8 @@
     strings.MLFLOW_SERVICE,
     strings.MYSQL_SERVICE,
     strings.HEALTH_SERVICE,
-    strings.AZURESQL_SERVICE
+    strings.AZURESQL_SERVICE,
+    strings.OPENAI_SERVICE
 ]
 
 

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -104,6 +104,7 @@ nav:
           - OHDSI: tre-templates/workspace-services/ohdsi.md
           - MySQL: tre-templates/workspace-services/mysql.md
           - Azure SQL: tre-templates/workspace-services/azuresql.md
+          - Open AI: tre-templates/workspace-services/openai.md
       - Shared Services:
           - Gitea (Source Mirror): tre-templates/shared-services/gitea.md
           - Nexus (Package Mirror): tre-templates/shared-services/nexus.md

diff --git a/templates/workspace_services/openai/.env.sample b/templates/workspace_services/openai/.env.sample
@@ -0,0 +1,4 @@
+ID="__CHANGE_ME__"
+WORKSPACE_ID="__CHANGE_ME__"
+IS_EXPOSED_EXTERNALLY="__CHANGE_ME__"
+OPENAI_MODEL="__CHANGE_ME__"
diff --git a/templates/workspace_services/openai/Dockerfile.tmpl b/templates/workspace_services/openai/Dockerfile.tmpl
@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile-upstream:1.4.0
+FROM --platform=linux/amd64 debian:bullseye-slim
+
+# PORTER_INIT
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+# Git is required for terraform_azurerm_environment_configuration
+RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt \
+    apt-get update && apt-get install -y git --no-install-recommends
+
+# PORTER_MIXINS
+
+# Use the BUNDLE_DIR build argument to copy files into the bundle
+COPY --link . ${BUNDLE_DIR}/
diff --git a/templates/workspace_services/openai/parameters.json b/templates/workspace_services/openai/parameters.json
@@ -0,0 +1,62 @@
+{
+  "schemaType": "ParameterSet",
+  "schemaVersion": "1.0.0",
+  "namespace": "",
+  "name": "tre-workspace-service-openai",
+  "parameters": [
+    {
+      "name": "tre_id",
+      "source": {
+        "env": "TRE_ID"
+      }
+    },
+    {
+      "name": "id",
+      "source": {
+        "env": "ID"
+      }
+    },
+    {
+      "name": "tfstate_container_name",
+      "source": {
+        "env": "TERRAFORM_STATE_CONTAINER_NAME"
+      }
+    },
+    {
+      "name": "tfstate_resource_group_name",
+      "source": {
+        "env": "MGMT_RESOURCE_GROUP_NAME"
+      }
+    },
+    {
+      "name": "tfstate_storage_account_name",
+      "source": {
+        "env": "MGMT_STORAGE_ACCOUNT_NAME"
+      }
+    },
+    {
+      "name": "workspace_id",
+      "source": {
+        "env": "WORKSPACE_ID"
+      }
+    },
+    {
+      "name": "arm_environment",
+      "source": {
+        "env": "ARM_ENVIRONMENT"
+      }
+    },
+    {
+      "name": "is_exposed_externally",
+      "source": {
+        "env": "IS_EXPOSED_EXTERNALLY"
+      }
+    },
+    {
+      "name": "openai_model",
+      "source": {
+        "env": "OPENAI_MODEL"
+      }
+    }
+  ]
+}
diff --git a/templates/workspace_services/openai/porter.yaml b/templates/workspace_services/openai/porter.yaml
@@ -0,0 +1,122 @@
+---
+schemaVersion: 1.0.0
+name: tre-workspace-service-openai
+version: 1.0.0
+description: "An OpenAI workspace service"
+registry: azuretre
+dockerfile: Dockerfile.tmpl
+
+credentials:
+  - name: azure_tenant_id
+    env: ARM_TENANT_ID
+  - name: azure_subscription_id
+    env: ARM_SUBSCRIPTION_ID
+  - name: azure_client_id
+    env: ARM_CLIENT_ID
+  - name: azure_client_secret
+    env: ARM_CLIENT_SECRET
+parameters:
+  - name: workspace_id
+    type: string
+  - name: tre_id
+    type: string
+
+  # the following are added automatically by the resource processor
+  - name: id
+    type: string
+    description: "Resource ID"
+    env: id
+  - name: tfstate_resource_group_name
+    type: string
+    description: "Resource group containing the Terraform state storage account"
+  - name: tfstate_storage_account_name
+    type: string
+    description: "The name of the Terraform state storage account"
+  - name: tfstate_container_name
+    env: tfstate_container_name
+    type: string
+    default: "tfstate"
+    description: "The name of the Terraform state storage container"
+  - name: arm_use_msi
+    env: ARM_USE_MSI
+    type: boolean
+    default: false
+  - name: arm_environment
+    env: ARM_ENVIRONMENT
+    type: string
+    default: "public"
+  - name: is_exposed_externally
+    env: IS_EXPOSED_EXTERNALLY
+    type: boolean
+  - name: openai_model
+    env: OPENAI_MODEL
+    type: string
+
+mixins:
+  - exec
+  - terraform:
+      clientVersion: 1.3.6
+
+outputs:
+  - name: openai_fqdn
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: openai_deployment_id
+    type: string
+    applyTo:
+      - install
+      - upgrade
+
+install:
+  - terraform:
+      description: "Deploy OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        openai_model: ${ bundle.parameters.openai_model }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }
+      outputs:
+        - name: openai_fqdn
+        - name: openai_deployment_id
+upgrade:
+  - terraform:
+      description: "Upgrade OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        openai_model: ${ bundle.parameters.openai_model }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }
+      outputs:
+        - name: openai_fqdn
+        - name: openai_deployment_id
+uninstall:
+  - terraform:
+      description: "Tear down OpenAI workspace service"
+      vars:
+        workspace_id: ${ bundle.parameters.workspace_id }
+        tre_id: ${ bundle.parameters.tre_id }
+        tre_resource_id: ${ bundle.parameters.id }
+        arm_environment: ${ bundle.parameters.arm_environment }
+        is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
+        openai_model: ${ bundle.parameters.openai_model }
+      backendConfig:
+        resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
+        storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
+        container_name: ${ bundle.parameters.tfstate_container_name }
+        key: tre-workspace-service-openai-${ bundle.parameters.id }
diff --git a/templates/workspace_services/openai/template_schema.json b/templates/workspace_services/openai/template_schema.json
@@ -0,0 +1,56 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/sql/template_schema.json",
+  "type": "object",
+  "title": "OpenAI Workspace Service",
+  "description": "Provides OpenAI within the workspace",
+  "required": [],
+  "properties": {
+    "display_name": {
+      "type": "string",
+      "title": "Name for the workspace service",
+      "description": "The name of the workspace service to be displayed to users",
+      "default": "Azure OpenAI Service",
+      "updateable": true
+    },
+    "description": {
+      "type": "string",
+      "title": "Description of the workspace service",
+      "description": "Description of the workspace service",
+      "default": "Build your own copilot and generative AI applications",
+      "updateable": true
+    },
+    "overview": {
+      "type": "string",
+      "title": "Workspace Service Overview",
+      "description": "Long form description of the workspace service, in markdown syntax",
+      "default": "Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and Embeddings model series. For more information, see the [Azure OpenAI Service documentation](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview).",
+      "updateable": true
+    },
+    "is_exposed_externally": {
+      "$id": "#/properties/is_exposed_externally",
+      "type": "boolean",
+      "title": "Expose externally",
+      "description": "Should the OpenAI instance be publicly accessible?",
+      "default": false,
+      "updateable": true
+    },
+    "openai_model": {
+      "$id": "#/properties/openai_model",
+      "type": "string",
+      "title": "OpenAI Model",
+      "description": "Which OpenAI Model should be used? (be mindful of subscription limits)",
+      "enum": [
+        "gpt-35-turbo | 0301",
+        "gpt-35-turbo | 1106",
+        "gpt-35-turbo | 0163",
+        "gpt-35-turbo | 0125",
+        "gpt-4 | 0613",
+        "gpt-4 | turbo-2024-04-09",
+        "gpt-4o | 2024-05-13"
+      ],
+      "default": "gpt-35-turbo | 0301",
+      "updateable": true
+    }
+  }
+}