Configure Application from AZD Up command (#548)

* Add Cosmos DB post-configuration script and update requirements - Initial POC

* post deploy configure services in cosmosdb

* refactor to prevent post deploy configuration + begin support of key based auth.

* Add additional parameter validation for creating entra app

* Refactor Bicep modules for improved authentication and key management

- Added keyVault-Secrets.bicep module for storing secrets in Key Vault.
- Modified keyVault.bicep to remove enterprise app client secret handling and commented out managed identity role assignments.
- Removed openAI-existing.bicep and refactored openAI.bicep to handle model deployments dynamically.
- Added setPermissions.bicep for managing role assignments for various resources.
- Updated postconfig.py to reflect changes in environment variable handling for authentication type.

* Refactor Bicep modules to conditionally add settings based on authentication type and enable resource declarations for services

* initial support for VideoIndexer service

* Refactor Bicep modules to enhance VideoIndexer service integration and update diagnostic settings configurations

* move from using chainguard-dev builder image to python slim image.

* Updates to support post deployment app config

* Add post-deployment permissions script for CosmosDB and update authentication type handling

* fix typo in enhanced citation deployment config

* Refactor Dockerfile to use Python 3.13-slim and streamline build process

* restart web application after deployment settings applied

* remove setting for disableLocalAuth

* update to latest version of bicep deployment

* remove dead code

* code cleanup / formatting

* removed unnecessary content from readme.md

* fix token scope for commericial search service

* set permission correctly for lookup of openAI models

* fixes required to configure search with managed identity

Author: SteveCInVA

application/single_app/Dockerfile

@@ -1,5 +1,6 @@
 # Builder stage: install dependencies in a virtualenv
-FROM cgr.dev/chainguard/python:latest-dev AS builder
+# FROM cgr.dev/chainguard/python:latest-dev AS builder
+FROM python:3.13-slim AS builder
 
 USER root
 
@@ -12,14 +13,19 @@ WORKDIR /app
 RUN python -m venv /app/venv
 
 # Create and permission the flask_session directory
-RUN mkdir -p /app/flask_session && chown -R nonroot:nonroot /app/flask_session
+#RUN mkdir -p /app/flask_session && chown -R nonroot:nonroot /app/flask_session
+RUN mkdir -p /app/flask_session 
 
 # Copy requirements and install them into the virtualenv
 COPY application/single_app/requirements.txt .
 ENV PATH="/app/venv/bin:$PATH"
 RUN pip install --no-cache-dir -r requirements.txt
 
-FROM cgr.dev/chainguard/python:latest
+#FROM cgr.dev/chainguard/python:latest
+FROM python:3.13-slim
+
+# Create nonroot user
+RUN useradd -m -u 1000 nonroot
 
 WORKDIR /app
 
@@ -40,4 +46,4 @@ EXPOSE 5000
 
 USER nonroot:nonroot
 
-ENTRYPOINT [ "python", "/app/app.py" ]
+ENTRYPOINT [ "python", "/app/app.py" ]

application/single_app/config.py

@@ -184,6 +184,7 @@
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = "https://cognitiveservices.azure.com/.default"
     video_indexer_endpoint = "https://api.videoindexer.ai"
+    search_resource_manager = "https://search.azure.com"
     KEY_VAULT_DOMAIN = ".vault.azure.net"
 
 def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:

application/single_app/route_backend_settings.py

@@ -694,8 +694,7 @@ def _test_azure_ai_search_connection(payload):
         url = f"{endpoint.rstrip('/')}/indexes?api-version=2023-11-01"
 
         if direct_data.get('auth_type') == 'managed_identity':
-            if AZURE_ENVIRONMENT in ("usgovernment", "custom"): # change credential scopes for US Gov or custom environments
-                credential_scopes=search_resource_manager + "/.default"
+            credential_scopes=search_resource_manager + "/.default"
             arm_scope = credential_scopes
             credential = DefaultAzureCredential()
             arm_token = credential.get_token(arm_scope).token

deployers/Initialize-EntraApplication.ps1

@@ -41,9 +41,13 @@
 [CmdletBinding()]
 param(
     [Parameter(Mandatory = $true)]
+    [ValidateLength(3, 12)]                # Length between 3 and 12
+    [ValidatePattern('^[a-zA-Z0-9]+$')]    # Only letters and numbers
     [string]$AppName,
 
     [Parameter(Mandatory = $true)]
+    [ValidateLength(2, 10)]                # Length between 2 and 10
+    [ValidatePattern('^[a-zA-Z0-9]+$')]    # Only letters and numbers
     [string]$Environment,
 
     [Parameter(Mandatory = $false)]

deployers/azure.yaml

@@ -5,6 +5,48 @@ infra:
   provider: bicep
   path: bicep
 hooks:
+  postprovision:
+    posix:
+      shell: sh
+      run: |
+        # Set up variables
+
+        export var_configureApplication=${var_configureApplication}
+        export var_cosmosDb_uri=${var_cosmosDb_uri}
+        export var_subscriptionId=${AZURE_SUBSCRIPTION_ID}
+        export var_rgName=${var_rgName}
+        export var_keyVaultUri=${var_keyVaultUri}
+
+        export var_authenticationType=${var_authenticationType}
+
+        export var_openAIEndpoint=${var_openAIEndpoint}
+        export var_openAIResourceGroup=${var_openAIResourceGroup}
+        export var_openAIGPTModel=${var_openAIGPTModel}
+        export var_openAITextEmbeddingModel=${var_openAITextEmbeddingModel}
+        export var_blobStorageEndpoint=${var_blobStorageEndpoint}
+        export var_contentSafetyEndpoint=${var_contentSafetyEndpoint}
+        export var_searchServiceEndpoint=${var_searchServiceEndpoint}
+        export var_documentIntelligenceServiceEndpoint=${var_documentIntelligenceServiceEndpoint}
+        export var_videoIndexerName=${var_videoIndexerName}
+        export var_deploymentLocation=${var_deploymentLocation}
+        export var_videoIndexerAccountId=${var_videoIndexerAccountId}
+        export var_speechServiceEndpoint=${var_speechServiceEndpoint}
+
+        # Execute post-configuration script if enabled
+        if [ "${var_configureApplication}" = "true" ]; then
+            echo "Grant permissions to CosmosDB for post deployment steps..."
+            bash ./bicep/cosmosDb-postDeployPerms.sh
+            echo "Running post-deployment configuration..."
+            python3 -m pip install --user -r ./bicep/requirements.txt
+            python3 ./bicep/postconfig.py
+            echo "Post-deployment configuration completed."
+            echo "Restarting web service to apply new settings..."
+            az webapp restart --name ${var_webService} --resource-group ${var_rgName}
+            echo "Web service restarted."
+        else
+            echo "Skipping post-deployment configuration (var_configureApplication is not true)"
+        fi
+
   predeploy:
     posix:
       shell: sh

deployers/bicep/README.md

@@ -25,16 +25,6 @@ The folloiwng variables will be used within this document:
 - *\<imageName\>* - Should be presented in the form *imageName:label* **Example:** *simple-chat:latest*
 
 
-The following variables may be entered with a blank depending on the response to other parameters:
-
-If *\<useExistingAcr\>* = *true* then the following variables need to be set with applicable values, if *false* a blank is permitted
-- *\<existingACRResourceGroup\>* - Resource group name for the existing Azure Container Registry.
-- *\<existingACRResourceName\>* - Azure Container Registry name
-
-if *\<useExistingOpenAISvc\>* = *true* then the following variables need to be set with applicable values, if *false* a blank is permitted.
-- *\<existingOpenAIResourceGroupName\>* - Resource group name for the existing Azure OpenAI service.
-- *\<existingOpenAIResourceName\>* - Azure OpenAI service name.
-
 ## Deployment Process
 
 The below steps cover the process to deploy the Simple Chat application to an Azure Subscription.  It is assumed the user has administrative rights to the subscription for deployment.  If the user does not also have permissions to create an Application Registration in Entra, a stand-alone script can be provided to an administrator with the correct permissions.
@@ -113,26 +103,19 @@ Using the bash terminal in Visual Studio Code
 
 - Select an Azure Subscription to use: *\<select from available list\>*
 - Enter a value for the 'appName' infrastructure parameter: *\<appName\>*
+- Enter a value for the 'authenticationType' infrastructure parameter: *\<authType\>*
+- Enter a vaule for the 'cloudEnvironment' infrastructure parameter: *\<AzureCloud | AzureUSGovernment\>*
+- Enter a value for the 'configureApplicationPermissions' infrastructure parameter: \<true | false\>*
 - Enter a value for the 'deployContentSafety' infrastructure parameter: *\<true | false\>*
 - Enter a value for the 'deployRedisCache' infrastructure parameter: *\<true | false\>*
 - Enter a value for the 'deploySpeechService' infrastructure parameter: *\<true | false\>*
+- Enter a value for the 'deployVideoIndexerService' infrastructure parameter: *\<true | false\>*
 - Enter a value for the 'enableDiagLogging' infrastructure parameter: *\<true | false\>*
 - Enter a value for the 'enterpriseAppClientId' infrastructure parameter: *\<clientID\>*
 - Enter a value for the 'enterpriseAppClientSecret' infrastructure secured parameter: *\<clientSecret\>*
 - Enter a value for the 'environment' infrastructure parameter: *\<environment\>*
-
->Note:  The following variables may be blank depending on other parameter settings
-
-- Enter a value for the 'existingAcrResourceGroup' infrastructure parameter:
-- Enter a value for the 'existingAcrResourceName' infrastructure parameter:
-- Enter a value for the 'existingOpenAIResourceGroupName' infrastructure parameter:
-- Enter a value for the 'existingOpenAIResourceName' infrastructure parameter:
-
->Remaining parameters 
 - Enter a value for the 'imageName' infrastructure parameter: *\<imageName\>*
 - Enter a value for the 'location' infrastructure parameter: *\<select from the list provided\>*
-- Enter a value for the 'useExistingAcr' infrastructure parameter: *\<true | false\>*
-- Enter a value for the 'useExistingOpenAISvc' infrastructure parameter: *\<true | false\>*
 
 Provisioning may take between 10-40 minutes depending on the options selected.
 
@@ -142,31 +125,24 @@ On the completion of the deployment, a URL will be presented, the user may use t
 
 ### Post Deployment Tasks:
 
-Once logged in to the newly deployed application with admin credentials, the application will need to be configured with several configurations:
+Once logged in to the newly deployed application with admin credentials, the application will need to be set up with several configurations:
 
-1. Admin Settings > Health Check > "Enable External Health Check Endpoint" - Set to "ON"
-1. AI Models > GPT Configuration & Embeddings Configuration.  Use managed Identity.  Configure the subscription and resource group.  Click Save
+1. AI Models > GPT Configuration & Embeddings Configuration.  Application is pre-configured with the chosen security model (key / managed identity).  Select "Test GPT Connection" and "Test Embedding Connection" to verify connection.
 
     > Known Bug:  User will be unable to Fetch GPT or Embedding models. </br>
 Workaround:  Set configurations in CosmosDB.  For details see [Workarounds](##Workarounds) below.
 
-1. Agents and Actions > Agents Configuration > "Enable Agents" - Set to "ON"
 1. Logging > Application Insights Logging  > "Enable Application Insights Global Logging - Set to "ON"
 1. Citations > Ehnahced Citations > "Enable Enhanced Citations" - Set to "ON"
     -  Configure "All Filetypes"
         - "Storage Account Authentication Type" = Managed Identity
         - "Storage Account Blob Endpoint" = "https://\<appName\>\<environment\>sa.blob.core.windows.net" (or appropiate domain if in Azure Gov.)
-1. Workflow > Workflow Settings > "Enable Workflow" - Set to "ON"
-    > Note if the deployment option for "deployContentSafety" was set to true follow the next step.
-1. Safety > Content Safety > "Enable Content Safety" - Set to "ON"
-    - "Content Safety Endpoint" - "https://\<appName\>-\<environment\>-contentsafety.cognitiveservices.azure.com/" (or appropiate domain if in Azure Gov.)
 1. Safety > Conversation Archiving > "Enable Conversation Archiving" - Set to "ON"
-1. PII Analysis > PII Analysis > "Enable PII Analysis" - Set to "ON"
 1. Search & Extract > Azure AI Search 
     - "Search Endpoint" = "https://\<appName\>-\<environment\>-search.search.windows.net" (or appropiate domain if in Azure Gov.)
     > Known Bug:  Unable to configure "Managed Identity" authentication type.  Must use "Key"
     - "Authentication Type" - Key
-    - "Search Key" - Retreive from the deployed search service.
+    - "Search Key" - *Pre-populated from key vault value*.
     - At the top of the Admin Page you'll see warning boxes indicating Index Schema Mismatch.
         - Click "Create user Index"
         - Click "Create group Index"