Add custom subdomain support for OpenAI and Speech Service in Terraform #558
Conversation
- Added custom_subdomain_name to OpenAI resource for managed identity authentication
- Created Speech Service resource with custom subdomain configuration
- Added RBAC role assignments for Speech Service (Managed Identity and App Service MI)
- Includes Cognitive Services Speech User and Speech Contributor roles
- Documentation: Azure Speech managed identity setup guide
Pull request overview
This PR adds custom subdomain support for Azure OpenAI and Speech Service resources in the Terraform deployment template, enabling managed identity authentication for Azure Cognitive Services data-plane operations. The changes create a new Speech Service resource with proper RBAC assignments and update the OpenAI resource configuration to support managed identity authentication.
Key changes:
- Added Speech Service resource to Terraform with custom subdomain configuration
- Enhanced OpenAI resource with custom subdomain for managed identity support
- Created RBAC role assignments for both user-assigned and system-assigned managed identities on Speech Service
- Added comprehensive documentation explaining the technical requirements and setup process
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| deployers/terraform/main.tf | Added Speech Service resource definition with custom subdomain, updated OpenAI resource with custom subdomain configuration, and added four RBAC role assignments for Speech Service access (Speech User and Speech Contributor roles for both managed identity and App Service system identity) |
| docs/how-to/azure_speech_managed_identity_manul_setup.md | Created detailed setup guide explaining regional vs resource-specific endpoints, why managed identity requires custom subdomains, and includes step-by-step configuration instructions with troubleshooting guidance |
Co-authored-by: Copilot <[email protected]>
The merge-base changed after approval.
* Add custom subdomain support for OpenAI and Speech Service in Terraform
  - Added custom_subdomain_name to OpenAI resource for managed identity authentication
  - Created Speech Service resource with custom subdomain configuration
  - Added RBAC role assignments for Speech Service (Managed Identity and App Service MI)
  - Includes Cognitive Services Speech User and Speech Contributor roles
  - Documentation: Azure Speech managed identity setup guide
* Fix Azure AI Search test connection with managed identity
  Replaced REST API approach with SearchIndexClient SDK to properly handle managed identity authentication in Azure public cloud. The SDK automatically handles token acquisition and endpoint construction, eliminating the 'search_resource_manager is not defined' error that occurred with the REST API approach.
* Fix Azure AI Search test connection with managed identity
  Replaced REST API approach with SearchIndexClient SDK to properly handle managed identity authentication in Azure public cloud. The SDK automatically handles token acquisition and endpoint construction, eliminating the 'search_resource_manager is not defined' error that occurred with the REST API approach.
* Corrected file folder name
* Corrected the version number to reference 0.236.012
* Removed unneeded folder and document
* Revert terraform main.tf to upstream/Development version
* updated the logging logic when running retention delete with archiving enabled (#642)
* Corrected version to 0.236.011 (#645)
* v0.237.001 (#649)
* Use Microsoft python base image
* Add python ENV vars
* Add python ENV vars
* Install deps to system
* Add temp dir to image and pip conf support
* Add custom-ca-certificates dir
* Logo bug fix (#654)
* release note updating for github copilot
* fixed logo bug issue
* added 2,3,4,5,6,14 days to retention policy
* added retention policy time updates
* Retention policy (#657)
* Critical Retention Policy Deletion Fix
* Create RETENTION_POLICY_NULL_LAST_ACTIVITY_FIX.md
* fixed retention policy runtime bug and sidebar bug (#672)
* Fix: Windows Unicode encoding issue for video uploads (#662)
  - Added explicit UTF-8 encoding when reading file content on Windows
  - Prevents UnicodeDecodeError when processing non-ASCII filenames
  - Ensures consistent file handling across different operating systems
  Co-authored-by: Chen, Vivien <[email protected]>
* Update docs/how-to/azure_speech_managed_identity_manul_setup.md (#675)
  Co-authored-by: vivche <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* Add custom subdomain support for OpenAI and Speech Service in Terraform (#558)
  * Add custom subdomain support for OpenAI and Speech Service in Terraform
    - Added custom_subdomain_name to OpenAI resource for managed identity authentication
    - Created Speech Service resource with custom subdomain configuration
    - Added RBAC role assignments for Speech Service (Managed Identity and App Service MI)
    - Includes Cognitive Services Speech User and Speech Contributor roles
    - Documentation: Azure Speech managed identity setup guide
  * Update docs/how-to/azure_speech_managed_identity_manul_setup.md
    Co-authored-by: Copilot <[email protected]>
  ---------
  Co-authored-by: Chen, Vivien <[email protected]>
  Co-authored-by: Copilot <[email protected]>
* 0.237.006 (#676)
  * Update chat-sidebar-conversations.js
  * 0.237.006
  * Update release_notes.md
---------
Co-authored-by: Chen, Vivien <[email protected]>
Co-authored-by: Ed Clark <[email protected]>
Co-authored-by: Bionic711 <[email protected]>
Co-authored-by: vivche <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Chen, Vivien <[email protected]>
Co-authored-by: Copilot <[email protected]>
* 0.237.006 (#676)
  * Update chat-sidebar-conversations.js
  * 0.237.006
  * Update release_notes.md
* fixed sidebar race condition (#679)
---------
Co-authored-by: Chen, Vivien <[email protected]>
Co-authored-by: Ed Clark <[email protected]>
Co-authored-by: Bionic711 <[email protected]>
Co-authored-by: vivche <[email protected]>
Co-authored-by: Copilot <[email protected]>
Overview
This update adds custom subdomain configuration for Azure OpenAI and Speech Service resources in the Terraform deployment template. Custom subdomains are required for managed identity (MI) authentication with Azure Cognitive Services data-plane operations.
Changes Made
1. Terraform Infrastructure Updates (`main.tf`)

Speech Service Resource
- Added `speech_service_name` to locals block for consistent naming
- New resource: `azurerm_cognitive_account.speech`
- Kind: `SpeechServices`
- SKU: `S0` (Standard tier)
- Custom subdomain: `${base_name}-${environment}-speech`

OpenAI Resource Enhancement
- `custom_subdomain_name = local.open_ai_name`

RBAC Role Assignments
Added four new role assignments for Speech Service access:

Managed Identity:
- Cognitive Services Speech User
- Cognitive Services Speech Contributor

App Service System Managed Identity:
- Cognitive Services Speech User
- Cognitive Services Speech Contributor
2. Documentation
- `docs/how-to/azure_speech_managed_identity_manul_setup.md`

Why This Change is Needed
Problem
When using managed identity authentication with Azure Cognitive Services, the AAD bearer token doesn't identify which specific resource to access. This causes authentication failures when using regional (shared) endpoints like:
- `https://eastus2.api.cognitive.microsoft.com` (Speech)
- `https://region.api.cognitive.microsoft.com` (Generic)

Solution
Custom subdomains create unique, resource-specific endpoints:
- `https://{resource-name}.cognitiveservices.azure.com` (Speech)
- `https://{resource-name}.openai.azure.com` (OpenAI)

These endpoints allow Azure to identify the target resource and properly validate the managed identity's RBAC permissions.
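To make the Speech Service resource and the four RBAC assignments described above concrete, here is an added Terraform example; it is not the PR's own `main.tf`, and the resource group, identity and web app references (`azurerm_resource_group.main`, `azurerm_user_assigned_identity.app`, `azurerm_linux_web_app.app`) and the `var.base_name` / `var.environment` inputs are assumed. The `local_auth_enabled = false` line is a hardening step beyond what the PR description lists.

```hcl
# Added example, not the PR's main.tf. Assumed names: var.base_name,
# var.environment, azurerm_resource_group.main,
# azurerm_user_assigned_identity.app, azurerm_linux_web_app.app.
locals {
  speech_service_name = "${var.base_name}-${var.environment}-speech"

  # Speech User + Speech Contributor for both identities = four assignments.
  speech_roles = ["Cognitive Services Speech User", "Cognitive Services Speech Contributor"]
  speech_principals = {
    managed_identity = azurerm_user_assigned_identity.app.principal_id
    app_service_mi   = azurerm_linux_web_app.app.identity[0].principal_id
  }
  speech_assignments = {
    for pair in setproduct(keys(local.speech_principals), local.speech_roles) :
    "${pair[0]}-${pair[1]}" => {
      principal_id = local.speech_principals[pair[0]]
      role         = pair[1]
    }
  }
}

resource "azurerm_cognitive_account" "speech" {
  name                = local.speech_service_name
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  kind                = "SpeechServices"
  sku_name            = "S0"

  # Without a custom subdomain the account is only reachable on the shared
  # regional endpoint, where an AAD bearer token cannot be tied to this
  # resource and MI calls fail. With it, the data plane answers at
  # https://<name>.cognitiveservices.azure.com and RBAC is checked against
  # this account. One-way: the subdomain cannot be removed once set.
  custom_subdomain_name = local.speech_service_name

  # Hardening beyond the PR description: with MI in place, turn off key auth.
  local_auth_enabled = false
}

resource "azurerm_role_assignment" "speech" {
  for_each = local.speech_assignments

  # Scope to this account only, not the resource group or subscription.
  scope                = azurerm_cognitive_account.speech.id
  role_definition_name = each.value.role
  principal_id         = each.value.principal_id
}
```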
Authentication Comparison
Bicep Template Compatibility
Good news: The Bicep templates in `deployers/bicep/modules/` already include custom subdomain configuration:
- `openai.bicep` (line 34): `customSubDomainName: toLower('${appName}-${environment}-openai')`
- `speechService.bicep` (line 33): `customSubDomainName: toLower('${appName}-${environment}-speech')`

No Bicep changes needed for this feature.
Deployment Impact
New Deployments
Existing Deployments
If you have existing Speech or OpenAI resources without custom subdomains, you must manually enable them:
Important: Custom subdomain enablement is a one-way operation and cannot be disabled once set.
Testing Recommendations
1. New Deployment Test
2. Managed Identity Authentication Test
- `speech_service_authentication_type: managed_identity`

3. Validate RBAC Assignments
Expected roles:
Breaking Changes
None. This is a backward-compatible enhancement: