Merge pull request #679 from solliancenet/jdh-update-release-0-4-1

Update Azure identity auth, configuration defaults, enable hierarchical namespace, remove availability zone requirements from quick-start Event Grid

deploy/starter/infra/shared/eventgrid.bicep

@@ -20,7 +20,7 @@ resource namespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' = {
     type: 'SystemAssigned'
   }
   properties: {
-    isZoneRedundant: true
+    isZoneRedundant: false
     publicNetworkAccess: 'Enabled'
     inboundIpRules: []
   }

deploy/starter/infra/shared/storage.bicep

@@ -30,18 +30,39 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
     name: 'Standard_LRS'
   }
   tags: tags
+
+  properties: {
+    accessTier: 'Hot'
+    allowBlobPublicAccess: false
+    isHnsEnabled: true
+    minimumTlsVersion: 'TLS1_2'
+    supportsHttpsTrafficOnly: true
+  }
 }
 
 resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
   parent: storage
   name: 'default'
+
+  properties: {
+    containerDeleteRetentionPolicy: {
+      days: 30
+      enabled: true
+    }
+
+    deleteRetentionPolicy: {
+      allowPermanentDelete: false
+      days: 30
+      enabled: true
+    }
+  }
 }
 
 resource blobContainers 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = [
-  for container in containers: {
-    parent: blobService
-    name: container.name
-  }
+for container in containers: {
+  parent: blobService
+  name: container.name
+}
 ]
 
 resource queueService 'Microsoft.Storage/storageAccounts/queueServices@2023-01-01' = {
@@ -50,50 +71,50 @@ resource queueService 'Microsoft.Storage/storageAccounts/queueServices@2023-01-0
 }
 
 resource storageQueues 'Microsoft.Storage/storageAccounts/queueServices/queues@2023-01-01' = [
-  for queue in queues: {
-    parent: queueService
-    name: queue.name
-  }
+for queue in queues: {
+  parent: queueService
+  name: queue.name
+}
 ]
 
 resource blobFiles 'Microsoft.Resources/deploymentScripts@2020-10-01' = [
-  for file in files: {
-    name: file.file
-    location: location
-    kind: 'AzureCLI'
-    properties: {
-      azCliVersion: '2.26.1'
-      timeout: 'PT5M'
-      retentionInterval: 'PT1H'
-      environmentVariables: [
-        {
-          name: 'AZURE_STORAGE_ACCOUNT'
-          value: storage.name
-        }
-        {
-          name: 'AZURE_STORAGE_KEY'
-          secureValue: storage.listKeys().keys[0].value
-        }
-      ]
-      scriptContent: 'echo "${file.content}" > ${file.file} && az storage blob upload -f ${file.file} -c ${file.container} -n ${file.path}'
-    }
-    dependsOn: [ blobContainers ]
+for file in files: {
+  name: file.file
+  location: location
+  kind: 'AzureCLI'
+  properties: {
+    azCliVersion: '2.26.1'
+    timeout: 'PT5M'
+    retentionInterval: 'PT1H'
+    environmentVariables: [
+      {
+        name: 'AZURE_STORAGE_ACCOUNT'
+        value: storage.name
+      }
+      {
+        name: 'AZURE_STORAGE_KEY'
+        secureValue: storage.listKeys().keys[0].value
+      }
+    ]
+    scriptContent: 'echo "${file.content}" > ${file.file} && az storage blob upload -f ${file.file} -c ${file.container} -n ${file.path}'
   }
+  dependsOn: [ blobContainers ]
+}
 ]
 
 resource keyvault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
   name: keyvaultName
 }
 
 resource storageConnectionString 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = [
-  for secretName in secretNames: {
-    name: secretName
-    parent: keyvault
-    tags: tags
-    properties: {
-      value: 'DefaultEndpointsProtocol=https;AccountName=${name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=core.windows.net'
-    }
+for secretName in secretNames: {
+  name: secretName
+  parent: keyvault
+  tags: tags
+  properties: {
+    value: 'DefaultEndpointsProtocol=https;AccountName=${name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=core.windows.net'
   }
+}
 ]
 
 output connectionSecretName string = storageConnectionString[0].name

src/dotnet/AgentFactoryAPI/Program.cs

@@ -51,7 +51,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_AgentFactory);
@@ -61,6 +61,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             // Add the OpenTelemetry telemetry service and send telemetry data to Azure Monitor.
             builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>

src/dotnet/Common/Authentication/DefaultAuthentication.cs

@@ -1,5 +1,6 @@
 using Azure.Core;
 using Azure.Identity;
+using FoundationaLLM.Common.Constants;
 
 namespace FoundationaLLM.Common.Authentication
 {
@@ -9,21 +10,16 @@ namespace FoundationaLLM.Common.Authentication
     public static class DefaultAuthentication
     {
         /// <summary>
-        /// The default Azure credential to use for authentication.
+        /// Indicates whether the environment we run in is production or not.
         /// </summary>
-        public static TokenCredential GetAzureCredential(bool development = false) => new DefaultAzureCredential(new DefaultAzureCredentialOptions
-        {
-            ExcludeAzureDeveloperCliCredential = true,
-            ExcludeAzurePowerShellCredential = true,
-            ExcludeEnvironmentCredential = true,
-            ExcludeInteractiveBrowserCredential = true,
-            ExcludeSharedTokenCacheCredential = true,
-            ExcludeVisualStudioCodeCredential = true,
-            ExcludeVisualStudioCredential = true,
-            ExcludeWorkloadIdentityCredential = true,
+        public static bool Production {  get; set; }
 
-            ExcludeAzureCliCredential = !development,
-            ExcludeManagedIdentityCredential = development
-        });
+        /// <summary>
+        /// The default Azure credential to use for authentication.
+        /// </summary>
+        public static TokenCredential GetAzureCredential() =>
+            Production
+            ? new ManagedIdentityCredential(Environment.GetEnvironmentVariable(EnvironmentVariables.AzureClientId))
+            : new AzureCliCredential();
     }
 }

src/dotnet/Common/Constants/EnvironmentVariables.cs

@@ -11,6 +11,11 @@ namespace FoundationaLLM.Common.Constants
     /// </summary>
     public static class EnvironmentVariables
     {
+        /// <summary>
+        /// The client id of the user assigned managed identity.
+        /// </summary>
+        public const string AzureClientId = "AZURE_CLIENT_ID";
+
         /// <summary>
         /// The Azure Container App or Azure Kubernetes Service hostname.
         /// </summary>

src/dotnet/Common/Services/Azure/AzureResourceManagerService.cs

@@ -17,14 +17,11 @@ namespace FoundationaLLM.Common.Services.Azure
     /// <summary>
     /// Provides services to interact with the Azure Resource Manager (ARM) infrastructure.
     /// </summary>
-    /// <param name="environment">The <see cref="IHostEnvironment"/> providing details about the environment.</param>
     /// <param name="logger">The logger used for logging.</param>
     public class AzureResourceManagerService(
-        IHostEnvironment environment,
         ILogger<AzureResourceManagerService> logger) : IAzureResourceManagerService
     {
-        private readonly ArmClient _armClient = new(DefaultAuthentication.GetAzureCredential(
-            environment.IsDevelopment()));
+        private readonly ArmClient _armClient = new(DefaultAuthentication.GetAzureCredential());
         private readonly ILogger<AzureResourceManagerService> _logger = logger;
 
         /// <inheritdoc/>

src/dotnet/Common/Services/Events/AzureEventGridEventService.cs

@@ -1,6 +1,7 @@
 using Azure;
 using Azure.Identity;
 using Azure.Messaging.EventGrid.Namespaces;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Constants;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
@@ -331,7 +332,7 @@ private void ValidateAPIKey(string? value)
             try
             {
                 ValidateEndpoint(_settings.Endpoint);
-                client = new EventGridClient(new Uri(_settings.Endpoint!), new DefaultAzureCredential());
+                client = new EventGridClient(new Uri(_settings.Endpoint!), DefaultAuthentication.GetAzureCredential());
             }
             catch (Exception ex)
             {

src/dotnet/Common/Services/Storage/BlobStorageService.cs

@@ -4,6 +4,7 @@
 using Azure.Storage.Blobs;
 using Azure.Storage.Blobs.Models;
 using Azure.Storage.Blobs.Specialized;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Extensions;
 using FoundationaLLM.Common.Interfaces;
@@ -169,6 +170,6 @@ protected override void CreateClientFromConnectionString(string connectionString
         protected override void CreateClientFromIdentity(string accountName) =>
             _blobServiceClient = new BlobServiceClient(
                 new Uri($"https://{accountName}.dfs.core.windows.net"),
-                new DefaultAzureCredential());
+                DefaultAuthentication.GetAzureCredential());
     }
 }

src/dotnet/Common/Services/Storage/DataLakeStorageService.cs

@@ -2,6 +2,7 @@
 using Azure.Identity;
 using Azure.Storage;
 using Azure.Storage.Files.DataLake;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.Configuration.Storage;
@@ -112,6 +113,6 @@ protected override void CreateClientFromConnectionString(string connectionString
         protected override void CreateClientFromIdentity(string accountName) =>
             _dataLakeClient = new DataLakeServiceClient(
                 new Uri($"https://{accountName}.dfs.core.windows.net"),
-                new DefaultAzureCredential());
+                DefaultAuthentication.GetAzureCredential());
     }
 }

src/dotnet/Configuration/Services/DependencyInjection.cs

@@ -33,8 +33,7 @@ public static void AddConfigurationResourceProvider(this IHostApplicationBuilder
             {
                 var keyVaultUri = builder.Configuration[AppConfigurationKeys.FoundationaLLM_Configuration_KeyVaultURI];
                 clientBuilder.AddSecretClient(new Uri(keyVaultUri!))
-                    .WithCredential(DefaultAuthentication.GetAzureCredential(
-                        builder.Environment.IsDevelopment()));
+                    .WithCredential(DefaultAuthentication.GetAzureCredential());
                 clientBuilder.AddConfigurationClient(
                     builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
             });

src/dotnet/CoreAPI/Program.cs

@@ -47,7 +47,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);
@@ -58,7 +58,9 @@ public static void Main(string[] args)
             });
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
-
+
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             var allowAllCorsOrigins = "AllowAllOrigins";
             builder.Services.AddCors(policyBuilder =>
             {

src/dotnet/CoreWorker/Program.cs

@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Constants;
 using FoundationaLLM.Core.Interfaces;
 using FoundationaLLM.Core.Models.Configuration;
@@ -16,7 +17,7 @@
 
     options.ConfigureKeyVault(options =>
     {
-        options.SetCredential(new DefaultAzureCredential());
+        options.SetCredential(DefaultAuthentication.GetAzureCredential());
     });
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_CoreWorker);
     options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);

src/dotnet/GatekeeperAPI/Program.cs

@@ -46,7 +46,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_Refinement);
@@ -55,6 +55,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             // Add the OpenTelemetry telemetry service and send telemetry data to Azure Monitor.
             builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>

src/dotnet/ManagementAPI/Program.cs

@@ -51,7 +51,7 @@ public static async Task Main(string[] args)
             builder.Configuration.AddAzureAppConfiguration(options =>
             {
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
-                options.ConfigureKeyVault(options => { options.SetCredential(new DefaultAzureCredential()); });
+                options.ConfigureKeyVault(options => { options.SetCredential(DefaultAuthentication.GetAzureCredential()); });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_Instance);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_CosmosDB);
@@ -67,6 +67,8 @@ public static async Task Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add the Configuration resource provider
             builder.AddConfigurationResourceProvider();
 

src/dotnet/SemanticKernel/Services/AzureAISearchIndexingService.cs

@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.TextEmbedding;
@@ -77,7 +78,7 @@ private AzureAISearchMemoryStore CreateMemoryStoreFromAPIKey(string endpoint, st
         /// <param name="endpoint">The endpoint of the Azure AI Search deployment.</param>
         /// <returns>The <see cref="Kernel"/> instance.</returns>
         private AzureAISearchMemoryStore CreateMemoryStoreFromIdentity(string endpoint) =>
-            new(endpoint, new DefaultAzureCredential());
+            new(endpoint, DefaultAuthentication.GetAzureCredential());
 
         private void ValidateEndpoint(string? value)
         {

src/dotnet/SemanticKernel/Services/SemanticKernelTextEmbeddingService.cs

@@ -1,4 +1,5 @@
 using Azure.Identity;
+using FoundationaLLM.Common.Authentication;
 using FoundationaLLM.Common.Exceptions;
 using FoundationaLLM.Common.Interfaces;
 using FoundationaLLM.Common.Models.TextEmbedding;
@@ -76,7 +77,7 @@ private Kernel CreateKernelFromAPIKey(string deploymentName, string endpoint, st
         private Kernel CreateKernelFromIdentity(string deploymentName, string endpoint)
         {
             var builder = Kernel.CreateBuilder();
-            builder.AddAzureOpenAITextEmbeddingGeneration(deploymentName, endpoint, new DefaultAzureCredential());
+            builder.AddAzureOpenAITextEmbeddingGeneration(deploymentName, endpoint, DefaultAuthentication.GetAzureCredential());
             return builder.Build();
         }
 

src/dotnet/SemanticKernelAPI/Program.cs

@@ -38,7 +38,7 @@ public static void Main(string[] args)
                 options.Connect(builder.Configuration[EnvironmentVariables.FoundationaLLM_AppConfig_ConnectionString]);
                 options.ConfigureKeyVault(options =>
                 {
-                    options.SetCredential(new DefaultAzureCredential());
+                    options.SetCredential(DefaultAuthentication.GetAzureCredential());
                 });
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_APIs);
                 options.Select(AppConfigurationKeyFilters.FoundationaLLM_DurableSystemPrompt);
@@ -53,6 +53,8 @@ public static void Main(string[] args)
             if (builder.Environment.IsDevelopment())
                 builder.Configuration.AddJsonFile("appsettings.development.json", true, true);
 
+            DefaultAuthentication.Production = builder.Environment.IsProduction();
+
             // Add services to the container.
             //builder.Services.AddApplicationInsightsTelemetry();
             builder.Services.AddAuthorization();