Add custom subdomain support for OpenAI and Speech Service in Terraform #558
+317
−15
Overview
This update adds custom subdomain configuration for Azure OpenAI and Speech Service resources in the Terraform deployment template. Custom subdomains are required for managed identity (MI) authentication with Azure Cognitive Services data-plane operations.
Changes Made
1. Terraform Infrastructure Updates (main.tf)

Speech Service Resource
- Added speech_service_name to the locals block for consistent naming
- New resource: azurerm_cognitive_account.speech
  - Kind: SpeechServices
  - SKU: S0 (Standard tier)
  - Name: ${base_name}-${environment}-speech

OpenAI Resource Enhancement
- custom_subdomain_name = local.open_ai_name

RBAC Role Assignments
Added four new role assignments for Speech Service access:
Managed Identity:
App Service System Managed Identity:
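An added example (not the PR's own main.tf) of the Speech Service resource and one of the role assignments described above, written in HCL. The locals values, the azurerm_resource_group.main and azurerm_linux_web_app.app references, and the role name are assumptions, and the local_auth_enabled line is a hardening step that goes beyond what this PR describes.

```hcl
# Added example, not code from the PR. Sample names are constructed.
locals {
  base_name           = "contoso" # constructed sample value
  environment         = "dev"     # constructed sample value
  speech_service_name = "${local.base_name}-${local.environment}-speech"
}

resource "azurerm_cognitive_account" "speech" {
  name                = local.speech_service_name
  location            = azurerm_resource_group.main.location # assumed resource group
  resource_group_name = azurerm_resource_group.main.name
  kind                = "SpeechServices"
  sku_name            = "S0"

  # Required for managed identity auth: a bearer-token request must target
  # https://<name>.cognitiveservices.azure.com rather than the shared
  # regional endpoint, otherwise Azure cannot tell which resource's RBAC
  # to evaluate. Note: this is a one-way setting once applied.
  custom_subdomain_name = local.speech_service_name

  # Optional hardening beyond this PR: once RBAC access is verified,
  # turn off key-based (local) authentication so only Entra ID tokens work.
  local_auth_enabled = false
}

# Data-plane access for the App Service's system-assigned identity.
# The role name is an assumption; the page does not list the roles the
# PR assigns. Scope is the single account, not the resource group.
resource "azurerm_role_assignment" "app_speech_user" {
  scope                = azurerm_cognitive_account.speech.id
  role_definition_name = "Cognitive Services Speech User"
  principal_id         = azurerm_linux_web_app.app.identity[0].principal_id # assumed app resource
}

output "speech_endpoint" {
  # Resource-specific endpoint the application should call with its token.
  value = azurerm_cognitive_account.speech.endpoint
}
```

The same pattern applies to the OpenAI account: keep custom_subdomain_name equal to the account name so the endpoint resolves to https://{resource-name}.openai.azure.com.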
2. Documentation
docs/how-to/azure_speech_managed_identity_manul_setup.md

Why This Change is Needed
Problem
When using managed identity authentication with Azure Cognitive Services, the AAD bearer token doesn't identify which specific resource to access. This causes authentication failures when using regional (shared) endpoints like:
- https://eastus2.api.cognitive.microsoft.com (Speech)
- https://region.api.cognitive.microsoft.com (Generic)

Solution
Custom subdomains create unique, resource-specific endpoints:
- https://{resource-name}.cognitiveservices.azure.com (Speech)
- https://{resource-name}.openai.azure.com (OpenAI)

These endpoints allow Azure to identify the target resource and properly validate the managed identity's RBAC permissions.
Authentication Comparison
Bicep Template Compatibility
Good news: The Bicep templates in deployers/bicep/modules/ already include custom subdomain configuration:
- openai.bicep (line 34): customSubDomainName: toLower('${appName}-${environment}-openai')
- speechService.bicep (line 33): customSubDomainName: toLower('${appName}-${environment}-speech')

No Bicep changes needed for this feature.
Deployment Impact
New Deployments
Existing Deployments
If you have existing Speech or OpenAI resources without custom subdomains, you must manually enable them:
Important: Custom subdomain enablement is a one-way operation and cannot be disabled once set.
Testing Recommendations
1. New Deployment Test
2. Managed Identity Authentication Test
speech_service_authentication_type: managed_identity

3. Validate RBAC Assignments
Expected roles:
Breaking Changes
None. This is a backward-compatible enhancement: