Merge pull request #10 from Azure-Samples/feature/keys

Feature/keys - enabling options to enable/disable JWT/Key-based authentication

Author: seiggy

infra/bicep/apimOaiApi.bicep

@@ -2,6 +2,12 @@ param apimInstanceName string
 param oaiApiName string
 param openAiServiceUrl string
 
+@description('Deploy the JWT-authenticated OpenAI API endpoint.')
+param enableJwt bool = true
+
+@description('Deploy the subscription-key-authenticated OpenAI API endpoint.')
+param enableKeys bool = true
+
 
 resource apimInstance 'Microsoft.ApiManagement/service@2021-08-01' existing = {
   name: apimInstanceName
@@ -18,12 +24,12 @@ resource openAiBackend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {
   }
 }
 
-resource apimOaiApi 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
+resource apimJwtOaiApi 'Microsoft.ApiManagement/service/apis@2021-08-01' = if (enableJwt) {
   parent: apimInstance
-  name: oaiApiName
+  name: '${oaiApiName}-jwt'
   properties: {
     displayName: 'Azure OpenAI Service API'
-    path: 'openai'
+    path: 'jwt/openai'
     serviceUrl: openAiServiceUrl
     protocols: [
       'https'
@@ -36,8 +42,8 @@ resource apimOaiApi 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
 var passthroughMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']
 
 @batchSize(1)
-resource apimOaiApiPassthrough 'Microsoft.ApiManagement/service/apis/operations@2021-08-01' = [for method in passthroughMethods: {
-  parent: apimOaiApi
+resource apimJwtOaiApiPassthrough 'Microsoft.ApiManagement/service/apis/operations@2021-08-01' = [for method in enableJwt ? passthroughMethods : []: {
+  parent: apimJwtOaiApi
   name: 'passthrough-${toLower(method)}'
   properties: {
     displayName: 'Passthrough ${method}'
@@ -46,3 +52,33 @@ resource apimOaiApiPassthrough 'Microsoft.ApiManagement/service/apis/operations@
   }
 }]
 
+// Key-based API – subscription-key authenticated passthrough
+resource apimKeyOaiApi 'Microsoft.ApiManagement/service/apis@2021-08-01' = if (enableKeys) {
+  parent: apimInstance
+  name: '${oaiApiName}-keys'
+  properties: {
+    displayName: 'Azure OpenAI Key-Based API'
+    path: 'keys/openai'
+    serviceUrl: openAiServiceUrl
+    protocols: [
+      'https'
+    ]
+    subscriptionRequired: true
+    subscriptionKeyParameterNames: {
+      header: 'api-key'
+      query: 'api-key'
+    }
+  }
+}
+
+@batchSize(1)
+resource apimKeyOaiApiPassthrough 'Microsoft.ApiManagement/service/apis/operations@2021-08-01' = [for method in enableKeys ? passthroughMethods : []: {
+  parent: apimKeyOaiApi
+  name: 'key-passthrough-${toLower(method)}'
+  properties: {
+    displayName: 'Key Passthrough ${method}'
+    method: method
+    urlTemplate: '/*'
+  }
+}]
+

infra/bicep/apimOaiApi.json

@@ -0,0 +1,128 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.38.33.27573",
+      "templateHash": "16240781146342215937"
+    }
+  },
+  "parameters": {
+    "apimInstanceName": {
+      "type": "string"
+    },
+    "oaiApiName": {
+      "type": "string"
+    },
+    "openAiServiceUrl": {
+      "type": "string"
+    },
+    "enableJwt": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Deploy the JWT-authenticated OpenAI API endpoint."
+      }
+    },
+    "enableKeys": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Deploy the subscription-key-authenticated OpenAI API endpoint."
+      }
+    }
+  },
+  "variables": {
+    "passthroughMethods": [
+      "GET",
+      "POST",
+      "PUT",
+      "PATCH",
+      "DELETE",
+      "HEAD",
+      "OPTIONS"
+    ]
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ApiManagement/service/backends",
+      "apiVersion": "2021-08-01",
+      "name": "[format('{0}/{1}', parameters('apimInstanceName'), 'openAiBackend')]",
+      "properties": {
+        "url": "[parameters('openAiServiceUrl')]",
+        "protocol": "http",
+        "title": "OpenAI Backend",
+        "description": "Backend for Azure OpenAI APIs"
+      }
+    },
+    {
+      "condition": "[parameters('enableJwt')]",
+      "type": "Microsoft.ApiManagement/service/apis",
+      "apiVersion": "2021-08-01",
+      "name": "[format('{0}/{1}', parameters('apimInstanceName'), format('{0}-jwt', parameters('oaiApiName')))]",
+      "properties": {
+        "displayName": "Azure OpenAI Service API",
+        "path": "jwt/openai",
+        "serviceUrl": "[parameters('openAiServiceUrl')]",
+        "protocols": [
+          "https"
+        ],
+        "subscriptionRequired": false
+      }
+    },
+    {
+      "copy": {
+        "name": "apimJwtOaiApiPassthrough",
+        "count": "[length(if(parameters('enableJwt'), variables('passthroughMethods'), createArray()))]",
+        "mode": "serial",
+        "batchSize": 1
+      },
+      "type": "Microsoft.ApiManagement/service/apis/operations",
+      "apiVersion": "2021-08-01",
+      "name": "[format('{0}/{1}/{2}', parameters('apimInstanceName'), format('{0}-jwt', parameters('oaiApiName')), format('passthrough-{0}', toLower(if(parameters('enableJwt'), variables('passthroughMethods'), createArray())[copyIndex()])))]",
+      "properties": {
+        "displayName": "[format('Passthrough {0}', if(parameters('enableJwt'), variables('passthroughMethods'), createArray())[copyIndex()])]",
+        "method": "[if(parameters('enableJwt'), variables('passthroughMethods'), createArray())[copyIndex()]]",
+        "urlTemplate": "/*"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apimInstanceName'), format('{0}-jwt', parameters('oaiApiName')))]"
+      ]
+    },
+    {
+      "condition": "[parameters('enableKeys')]",
+      "type": "Microsoft.ApiManagement/service/apis",
+      "apiVersion": "2021-08-01",
+      "name": "[format('{0}/{1}', parameters('apimInstanceName'), format('{0}-keys', parameters('oaiApiName')))]",
+      "properties": {
+        "displayName": "Azure OpenAI Key-Based API",
+        "path": "keys/openai",
+        "serviceUrl": "[parameters('openAiServiceUrl')]",
+        "protocols": [
+          "https"
+        ],
+        "subscriptionRequired": true
+      }
+    },
+    {
+      "copy": {
+        "name": "apimKeyOaiApiPassthrough",
+        "count": "[length(if(parameters('enableKeys'), variables('passthroughMethods'), createArray()))]",
+        "mode": "serial",
+        "batchSize": 1
+      },
+      "type": "Microsoft.ApiManagement/service/apis/operations",
+      "apiVersion": "2021-08-01",
+      "name": "[format('{0}/{1}/{2}', parameters('apimInstanceName'), format('{0}-keys', parameters('oaiApiName')), format('key-passthrough-{0}', toLower(if(parameters('enableKeys'), variables('passthroughMethods'), createArray())[copyIndex()])))]",
+      "properties": {
+        "displayName": "[format('Key Passthrough {0}', if(parameters('enableKeys'), variables('passthroughMethods'), createArray())[copyIndex()])]",
+        "method": "[if(parameters('enableKeys'), variables('passthroughMethods'), createArray())[copyIndex()]]",
+        "urlTemplate": "/*"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ApiManagement/service/apis', parameters('apimInstanceName'), format('{0}-keys', parameters('oaiApiName')))]"
+      ]
+    }
+  ]
+}

infra/bicep/main.bicep

@@ -60,6 +60,12 @@ param tags object = {
   Environment: 'Dev'
 }
 
+@description('Deploy the JWT-authenticated OpenAI API endpoint.')
+param enableJwt bool = true
+
+@description('Deploy the subscription-key-authenticated OpenAI API endpoint.')
+param enableKeys bool = true
+
 var abbrs = loadJsonContent('./abbrs.json')
 var roles = loadJsonContent('./roles.json')
 var resourceToken = toLower(uniqueString(subscription().id, workloadName, location))
@@ -340,6 +346,8 @@ module apimOaiApi './apimOaiApi.bicep' = {
     apimInstanceName: apimInstanceName
     oaiApiName: oaiApiName
     openAiServiceUrl: openAiServiceUrl
+    enableJwt: enableJwt
+    enableKeys: enableKeys
   }
 }