Merge branch 'main' into yefu/aca

.github/workflows/azure-dev-validation.yaml

@@ -22,7 +22,9 @@ jobs:
  - name: Build Bicep for linting
  uses: azure/CLI@v2
  with:
- inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+ inlineScript: |
+ export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
+ az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
 
  psrule:
  runs-on: ubuntu-latest
@@ -42,7 +44,7 @@ jobs:
  outputPath: reports/ps-rule-results.sarif
  summary: true
  continue-on-error: true
- 
+
  env:
  PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
  PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'

README.md

@@ -135,6 +135,11 @@ The steps below will provision Azure resources and deploy the application code t
  azd auth login
  ```
 
+ For GitHub Codespaces users, if the previous command fails, try: 
+ ```shell
+ azd auth login --use-device-code 
+ ```
+
 1. Create a new azd environment:
 
  ```shell

app/backend/app.py

@@ -16,7 +16,11 @@
  SpeechSynthesizer,
 )
 from azure.core.exceptions import ResourceNotFoundError
-from azure.identity.aio import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity.aio import (
+ AzureDeveloperCliCredential,
+ ManagedIdentityCredential,
+ get_bearer_token_provider,
+)
 from azure.monitor.opentelemetry import configure_azure_monitor
 from azure.search.documents.aio import SearchClient
 from azure.search.documents.indexes.aio import SearchIndexClient
@@ -436,11 +440,21 @@ async def setup_clients():
  USE_SPEECH_OUTPUT_BROWSER = os.getenv("USE_SPEECH_OUTPUT_BROWSER", "").lower() == "true"
  USE_SPEECH_OUTPUT_AZURE = os.getenv("USE_SPEECH_OUTPUT_AZURE", "").lower() == "true"
 
- # Use the current user identity to authenticate with Azure OpenAI, AI Search and Blob Storage (no secrets needed,
- # just use 'az login' locally, and managed identity when deployed on Azure). If you need to use keys, use separate AzureKeyCredential instances with the
- # keys for each service
- # If you encounter a blocking error during a DefaultAzureCredential resolution, you can exclude the problematic credential by using a parameter (ex. exclude_shared_token_cache_credential=True)
- azure_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)
+ # Use the current user identity for keyless authentication to Azure services.
+ # This assumes you use 'azd auth login' locally, and managed identity when deployed on Azure.
+ # The managed identity is setup in the infra/ folder.
+ azure_credential: Union[AzureDeveloperCliCredential, ManagedIdentityCredential]
+ if os.getenv("WEBSITE_HOSTNAME"): # Environment variable set on Azure Web Apps
+ current_app.logger.info("Setting up Azure credential using ManagedIdentityCredential")
+ azure_credential = ManagedIdentityCredential()
+ elif AZURE_TENANT_ID:
+ current_app.logger.info(
+ "Setting up Azure credential using AzureDeveloperCliCredential with tenant_id %s", AZURE_TENANT_ID
+ )
+ azure_credential = AzureDeveloperCliCredential(tenant_id=AZURE_TENANT_ID, process_timeout=60)
+ else:
+ current_app.logger.info("Setting up Azure credential using AzureDeveloperCliCredential for home tenant")
+ azure_credential = AzureDeveloperCliCredential(process_timeout=60)
 
  # Set up clients for AI Search and Storage
  search_client = SearchClient(

app/backend/prepdocs.py

@@ -381,11 +381,12 @@ async def main(strategy: Strategy, setup_index: bool = True):
  use_int_vectorization = args.useintvectorization and args.useintvectorization.lower() == "true"
 
  # Use the current user identity to connect to Azure services unless a key is explicitly set for any of them
- azd_credential = (
- AzureDeveloperCliCredential()
- if args.tenantid is None
- else AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
- )
+ if args.tenantid:
+ logger.info("Connecting to Azure services using the azd credential for tenant %s", args.tenantid)
+ azd_credential = AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
+ else:
+ logger.info("Connecting to Azure services using the azd credential for home tenant")
+ azd_credential = AzureDeveloperCliCredential(process_timeout=60)
 
  if args.removeall:
  document_action = DocumentAction.RemoveAll

infra/main.parameters.json

@@ -191,9 +191,6 @@
  "enableUnauthenticatedAccess": {
  "value": "${AZURE_ENABLE_UNAUTHENTICATED_ACCESS=false}"
  },
- "tenantId": {
- "value": "${AZURE_TENANT_ID}"
- },
  "authTenantId": {
  "value": "${AZURE_AUTH_TENANT_ID}"
  },

ps-rule.yaml

@@ -1,3 +1,6 @@
 # YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
 configuration:
  AZURE_BICEP_FILE_EXPANSION: true
+ AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES:
+ - resourceToken
+ - migrationToken

tests/conftest.py

@@ -314,7 +314,7 @@ def mock_env(monkeypatch, request):
  if os.getenv("AZURE_USE_AUTHENTICATION") is not None:
  monkeypatch.delenv("AZURE_USE_AUTHENTICATION")
 
- with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+ with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
  mock_default_azure_credential.return_value = MockAzureCredential()
  yield
 
@@ -383,7 +383,7 @@ async def auth_client(
  for key, value in request.param.items():
  monkeypatch.setenv(key, value)
 
- with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+ with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
  mock_default_azure_credential.return_value = MockAzureCredential()
  quart_app = app.create_app()
 
@@ -422,7 +422,7 @@ async def auth_public_documents_client(
  for key, value in request.param.items():
  monkeypatch.setenv(key, value)
 
- with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+ with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
  mock_default_azure_credential.return_value = MockAzureCredential()
  quart_app = app.create_app()