Summary

Extract the APIM Consumption instance and the cross-service role assignments from `infra/terraform/main.tf` into `infra/terraform/stacks/gateway-rbac/`.

Parent epic: #119

Business Context

APIM Consumption SKU provisioning takes ~2 min but competes with other heavy resources in the current monolith. More importantly, the Cognitive Services RBAC and agent role assignments require both the ACA app principal IDs (from `stacks/aca-apps/`) and the Foundry ID (from `stacks/data-ai/`). This stack runs after both parallel stacks complete, making it the natural join-point in the DAG.
Scope

Resources to extract

| Current address | Notes |
| --- | --- |
| `azurerm_api_management.main` | Consumption SKU |
| `azurerm_role_assignment.container_app_cognitive_services` (`for_each`, 8 instances) | Scoped to `module.ai_foundry.ai_foundry_id` |
| `azurerm_role_assignment.agent_permissions` (`for_each`) | Multi-scope role assignments |

Resources to remove (already migrated to per-service stacks)

| Current address | Status |
| --- | --- |
| `azurerm_api_management_api.backend_services` | Managed by `stacks/services/{svc}/`; remove with a `removed` block |
| `azurerm_api_management_api_operation.backend_catch_all` | Same |
| `azurerm_api_management_api_policy.backend_services_hardening` | Same |
Cross-stack inputs
| Input |
Source stack |
Output key |
aca_principal_ids |
aca-apps |
principal_ids (map[service]→principal_id) |
ai_foundry_id |
data-ai |
ai_foundry_id |
resource_group_name |
foundation |
resource_group_name |
acr_id |
foundation |
acr_id |
storage_account_id |
foundation |
storage_account_id |
cosmos_account_id |
data-ai |
cosmos_account_id |
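As an added illustration (not code from this repository or the issue), the shape of the new `stacks/gateway-rbac/` root module together with the `removed` blocks that the "Resources to remove" section calls for in `infra/terraform/main.tf`. It takes the cross-stack inputs as plain variables because the issue does not say how outputs flow between stacks (remote state, pipeline-injected tfvars, or otherwise). The `import` blocks assume Terraform 1.7 or later and that the existing Azure resource IDs are read from the monolith state with `terraform state show`; `var.role_assignment_ids`, `var.apim_name`, `var.location` and the publisher values are placeholders that do not appear in the issue.

```hcl
# --- infra/terraform/stacks/gateway-rbac/main.tf (illustrative, not the repo's file) ---

terraform {
  required_version = ">= 1.7" # import blocks with for_each need 1.7+; removed blocks too
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Cross-stack inputs from the table above. Passing them as variables is an
# assumption of this example; terraform_remote_state would work the same way.
variable "resource_group_name" { type = string }      # foundation.resource_group_name
variable "ai_foundry_id"       { type = string }      # data-ai.ai_foundry_id
variable "aca_principal_ids"   { type = map(string) } # aca-apps.principal_ids: service -> principal_id

# Placeholders the issue does not define.
variable "location"        { type = string }
variable "apim_name"       { type = string }
variable "publisher_name"  { type = string }
variable "publisher_email" { type = string }

# Existing role-assignment resource IDs, keyed like aca_principal_ids. Used only
# to adopt them into this stack's state (placeholder; collect them with
# `terraform state show` in the monolith before migrating).
variable "role_assignment_ids" { type = map(string) }

resource "azurerm_api_management" "main" {
  name                = var.apim_name
  location            = var.location
  resource_group_name = var.resource_group_name
  publisher_name      = var.publisher_name
  publisher_email     = var.publisher_email
  sku_name            = "Consumption_0" # Consumption SKU has no capacity units
}

# One assignment per container app, scoped to the Foundry resource itself
# rather than to the resource group or subscription (least privilege).
resource "azurerm_role_assignment" "container_app_cognitive_services" {
  for_each             = var.aca_principal_ids
  scope                = var.ai_foundry_id
  role_definition_name = "Cognitive Services User"
  principal_id         = each.value
  principal_type       = "ServicePrincipal" # managed identities are service principals
}

# Adopt the objects that already exist so the first plan is a no-op.
# Subscription, resource group and APIM name below are placeholders.
import {
  to = azurerm_api_management.main
  id = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<apim-name>"
}

import {
  for_each = var.role_assignment_ids
  to       = azurerm_role_assignment.container_app_cognitive_services[each.key]
  id       = each.value
}

# --- infra/terraform/main.tf (foundation), after deleting the resource blocks ---

# destroy = false tells Terraform to forget the object, not delete it. With
# destroy = true the foundation apply would tear down the live APIM instance
# and the API definitions that the per-service stacks now own.
removed {
  from = azurerm_api_management.main
  lifecycle { destroy = false }
}

removed {
  from = azurerm_role_assignment.container_app_cognitive_services # whole resource, no instance key
  lifecycle { destroy = false }
}

removed {
  from = azurerm_api_management_api.backend_services
  lifecycle { destroy = false }
}
```

Order matters: plan and apply the new stack first and check that the plan lists only the imports with no attribute changes (any diff means the extracted config drifted from what the monolith created); only then delete the resource blocks from the foundation and apply its `removed` blocks. Moving state with `terraform state mv` (after `terraform state pull`/`push` against the remote backend) is the alternative that needs no import IDs; the issue does not prescribe either route.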
Acceptance Criteria

- `terraform plan` on `stacks/gateway-rbac/` shows 0 changes after migration
- The extracted `container_app_cognitive_services` assignments grant the `Cognitive Services User` role on the Foundry endpoint
- Per-service stacks (`stacks/services/`) continue to work with the APIM created by this stack

Risk

| Risk | Likelihood | Mitigation |
| --- | --- | --- |
| APIM loses API definitions during stack migration | Low | Per-service stacks own the APIs; the foundation copies are already stale and are gated behind `manage_apim_service_edge_in_foundation`. The `removed` blocks must use `lifecycle { destroy = false }` so the foundation apply forgets the APIs rather than deleting them from the live instance. |
| Role assignments duplicated | Low | Terraform state is the source of truth; the `removed` block prevents the foundation stack from recreating them. Azure also rejects a second assignment with the same scope, role and principal (`RoleAssignmentExists`), so a duplicate would surface as an apply error rather than as an extra grant. |