Add custom subdomain support for OpenAI and Speech Service in Terraform #558
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Added custom_subdomain_name to OpenAI resource for managed identity authentication - Created Speech Service resource with custom subdomain configuration - Added RBAC role assignments for Speech Service (Managed Identity and App Service MI) - Includes Cognitive Services Speech User and Speech Contributor roles - Documentation: Azure Speech managed identity setup guide
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds custom subdomain support for Azure OpenAI and Speech Service resources in the Terraform deployment template, enabling managed identity authentication for Azure Cognitive Services data-plane operations. The changes create a new Speech Service resource with proper RBAC assignments and update the OpenAI resource configuration to support managed identity authentication.
Key changes:
- Added Speech Service resource to Terraform with custom subdomain configuration
- Enhanced OpenAI resource with custom subdomain for managed identity support
- Created RBAC role assignments for both user-assigned and system-assigned managed identities on Speech Service
- Added comprehensive documentation explaining the technical requirements and setup process
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
deployers/terraform/main.tf |
Added Speech Service resource definition with custom subdomain, updated OpenAI resource with custom subdomain configuration, and added four RBAC role assignments for Speech Service access (Speech User and Speech Contributor roles for both managed identity and App Service system identity) |
docs/how-to/azure_speech_managed_identity_manul_setup.md |
Created detailed setup guide explaining regional vs resource-specific endpoints, why managed identity requires custom subdomains, and includes step-by-step configuration instructions with troubleshooting guidance |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This update adds custom subdomain configuration for Azure OpenAI and Speech Service resources in the Terraform deployment template. Custom subdomains are required for managed identity (MI) authentication with Azure Cognitive Services data-plane operations.
Changes Made
1. Terraform Infrastructure Updates (
main.tf)Speech Service Resource
speech_service_nameto locals block for consistent namingazurerm_cognitive_account.speech)SpeechServicesS0(Standard tier)${base_name}-${environment}-speechOpenAI Resource Enhancement
custom_subdomain_name = local.open_ai_nameRBAC Role Assignments
Added four new role assignments for Speech Service access:
Managed Identity:
App Service System Managed Identity:
2. Documentation
docs/how-to/azure_speech_managed_identity_manul_setup.mdWhy This Change is Needed
Problem
When using managed identity authentication with Azure Cognitive Services, the AAD bearer token doesn't identify which specific resource to access. This causes authentication failures when using regional (shared) endpoints like:
https://eastus2.api.cognitive.microsoft.com(Speech)https://region.api.cognitive.microsoft.com(Generic)Solution
Custom subdomains create unique, resource-specific endpoints:
https://{resource-name}.cognitiveservices.azure.com(Speech)https://{resource-name}.openai.azure.com(OpenAI)These endpoints allow Azure to identify the target resource and properly validate the managed identity's RBAC permissions.
Authentication Comparison
Bicep Template Compatibility
Good news: The Bicep templates in
deployers/bicep/modules/already include custom subdomain configuration:openai.bicep(line 34):customSubDomainName: toLower('${appName}-${environment}-openai')speechService.bicep(line 33):customSubDomainName: toLower('${appName}-${environment}-speech')No Bicep changes needed for this feature.
Deployment Impact
New Deployments
Existing Deployments
If you have existing Speech or OpenAI resources without custom subdomains, you must manually enable them:
Important: Custom subdomain enablement is a one-way operation and cannot be disabled once set.
Testing Recommendations
1. New Deployment Test
2. Managed Identity Authentication Test
speech_service_authentication_type: managed_identity3. Validate RBAC Assignments
Expected roles:
Breaking Changes
None. This is a backward-compatible enhancement: