Enhancements to managed identity updates

README.md

@@ -3,7 +3,7 @@
 A new year brings some much requested feature updates to one of our most popular AI chat repos!
 
 - **[Managed Identity-based security](/docs/9-managed-identities.md)**. This uses Azure's underlying RBAC and removes (almost) all keys/secrets.
-- `appreg_setup.ps1` helper script to **[create the App Registration for you](/docs/3-add-identity.md#entra-id-authentication-provider)** in Entra ID (if you have the permissions). Less copypasta means happier devs 🥰
+- `appreg_setup.ps1` and `appreg_setup.sh` helper scripts to **[create the App Registration for you](/docs/3-add-identity.md#entra-id-authentication-provider)** in Entra ID (if you have the permissions). Less copypasta means happier devs 🥰
 
 # Unleash the Power of Azure OpenAI
 

docs/2-run-locally.md

@@ -12,6 +12,10 @@ Clone this repository locally or fork to your GitHub account. Run all of the the
 
 1. Change directory to the `src` folder
 2. Rename/copy the file `.env.example` to `.env.local` and populate the environment variables based on the deployed resources in Azure.
+
+  > **NOTE**  
+  > If you have used the Azure Developer CLI to deploy the Azure infrastructure required for the solution ([using the directions here](./4-deploy-to-azure.md)), you can find the values for many the required environment variables in the `.env` file the `.azure\<azd env name>` directory. This generated file will not contain any keys, however it is recommended to use managed identities as described in "Setup your local development environment" on [this page](./10-managed-identities.md).
+
 3. Install npm packages by running `npm install`
 4. Start the app by running `npm run dev`
 5. Access the app on [http://localhost:3000](http://localhost:3000)

docs/4-deploy-to-azure.md

@@ -1,3 +1,25 @@
+# ☁️ Deploy to Azure - Azure Developer CLI (azd)
+
+To deploy the application to Azure using the Azure Developer CLI, follow the steps below.
+
+> [!IMPORTANT]
+> This section will create Azure resources and deploy the solution from your local environment using the Azure Developer CLI. Note that you do not need to clone this repo to complete these steps.
+
+1. Download the [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/overview)
+1. If you have not cloned this repo, run `azd init -t microsoft/azurechat`. If you have cloned this repo, just run 'azd init' from the repo root directory.
+1. Run `azd up` to provision and deploy the application
+
+```pwsh
+azd init -t microsoft/azurechat
+azd up
+
+# if you have already cloned the repo
+azd up
+
+# if you are wanting to see logs run with debug flag
+azd up --debug
+```
+
 # ☁️ Deploy to Azure - GitHub Actions
 
 The following steps describes how the application can be deployed to Azure App service using GitHub Actions.

docs/9-managed-identities.md

@@ -50,7 +50,12 @@ To deploy the application to Azure App Service with Managed Identities, follow t
    - Run this script to grant yourself RBAC permissions on the Azure resources so you can run AzureChat locally
    - In Powershell:
      ```powershell
-     PS> .\scripts\appreg_setup.ps1
+     PS> .\scripts\add_localdev_roles.ps1
+     ```
+   - In Bash:
+     ```bash
+     > chmod +x .\scripts\add_localdev_roles.sh
+     > .\scripts\add_localdev_roles.sh
      ```
    - You can now refer to the documentation to [run Azure Chat locally](2-run-locally.md).
 

infra/resources.bicep

@@ -106,6 +106,113 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
   kind: 'linux'
 }
 
+var appSettingsCommon = [
+    {
+      name: 'USE_MANAGED_IDENTITIES'
+      value: disableLocalAuth
+    }
+
+    { 
+      name: 'AZURE_KEY_VAULT_NAME'
+      value: keyVaultName
+    }
+    { 
+      name: 'SCM_DO_BUILD_DURING_DEPLOYMENT'
+      value: 'true'
+    }
+    {
+      name: 'AZURE_OPENAI_API_INSTANCE_NAME'
+      value: openai_name
+    }
+    {
+      name: 'AZURE_OPENAI_API_DEPLOYMENT_NAME'
+      value: chatGptDeploymentName
+    }
+    {
+      name: 'AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME'
+      value: embeddingDeploymentName
+    }
+    {
+      name: 'AZURE_OPENAI_API_VERSION'
+      value: openai_api_version
+    }
+    {
+      name: 'AZURE_OPENAI_DALLE_API_INSTANCE_NAME'
+      value: openai_dalle_name
+    }
+    {
+      name: 'AZURE_OPENAI_DALLE_API_DEPLOYMENT_NAME'
+      value: dalleDeploymentName
+    }
+    {
+      name: 'AZURE_OPENAI_DALLE_API_VERSION'
+      value: dalleApiVersion
+    }
+    {
+      name: 'NEXTAUTH_SECRET'
+      value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::NEXTAUTH_SECRET.name})'
+    }
+    {
+      name: 'NEXTAUTH_URL'
+      value: 'https://${webapp_name}.azurewebsites.net'
+    }
+    {
+      name: 'AZURE_COSMOSDB_URI'
+      value: cosmosDbAccount.properties.documentEndpoint
+    }
+    { 
+      name: 'AZURE_SEARCH_NAME'
+      value: search_name
+    }
+    { 
+      name: 'AZURE_SEARCH_INDEX_NAME'
+      value: searchServiceIndexName
+    }
+    { 
+      name: 'AZURE_DOCUMENT_INTELLIGENCE_ENDPOINT'
+      value: 'https://${form_recognizer_name}.cognitiveservices.azure.com/'
+    }        
+    {
+      name: 'AZURE_SPEECH_REGION'
+      value: location
+    }
+    {
+      name: 'AZURE_SPEECH_KEY'
+      value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_SPEECH_KEY.name})'
+    }
+    {
+      name: 'AZURE_STORAGE_ACCOUNT_NAME'
+      value: storage_name
+    }
+  ]
+
+var appSettingsWithLocalAuth = disableLocalAuth ? [] : [ 
+  {
+    name: 'AZURE_OPENAI_API_KEY'
+    value:  '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_OPENAI_API_KEY.name})'
+  }
+  {
+    name: 'AZURE_OPENAI_DALLE_API_KEY'
+    value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_OPENAI_DALLE_API_KEY.name})'
+  }
+  {
+    name: 'AZURE_COSMOSDB_KEY'
+    value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_COSMOSDB_KEY.name})'
+  }
+  {
+    name: 'AZURE_SEARCH_API_KEY'
+    value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_SEARCH_API_KEY.name})'
+  }    
+  {
+    name: 'AZURE_DOCUMENT_INTELLIGENCE_KEY'
+    value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_DOCUMENT_INTELLIGENCE_KEY.name})'
+  }
+  {
+    name: 'AZURE_STORAGE_ACCOUNT_KEY'
+    value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_STORAGE_ACCOUNT_KEY.name})'
+  }
+]
+
 resource webApp 'Microsoft.Web/sites@2020-06-01' = {
   name: webapp_name
   location: location
@@ -119,109 +226,7 @@ resource webApp 'Microsoft.Web/sites@2020-06-01' = {
       appCommandLine: 'next start'
       ftpsState: 'Disabled'
       minTlsVersion: '1.2'
-      appSettings: [ 
-        {
-          name: 'USE_MANAGED_IDENTITIES'
-          value: disableLocalAuth
-        }
-
-        { 
-          name: 'AZURE_KEY_VAULT_NAME'
-          value: keyVaultName
-        }
-        { 
-          name: 'SCM_DO_BUILD_DURING_DEPLOYMENT'
-          value: 'true'
-        }
-        {
-          name: 'AZURE_OPENAI_API_KEY'
-          value:  disableLocalAuth ? '' :'@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_OPENAI_API_KEY.name})'
-        }
-        {
-          name: 'AZURE_OPENAI_API_INSTANCE_NAME'
-          value: openai_name
-        }
-        {
-          name: 'AZURE_OPENAI_API_DEPLOYMENT_NAME'
-          value: chatGptDeploymentName
-        }
-        {
-          name: 'AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME'
-          value: embeddingDeploymentName
-        }
-        {
-          name: 'AZURE_OPENAI_API_VERSION'
-          value: openai_api_version
-        }
-        {
-          name: 'AZURE_OPENAI_DALLE_API_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_OPENAI_DALLE_API_KEY.name})'
-        }
-        {
-          name: 'AZURE_OPENAI_DALLE_API_INSTANCE_NAME'
-          value: openai_dalle_name
-        }
-        {
-          name: 'AZURE_OPENAI_DALLE_API_DEPLOYMENT_NAME'
-          value: dalleDeploymentName
-        }
-        {
-          name: 'AZURE_OPENAI_DALLE_API_VERSION'
-          value: dalleApiVersion
-        }
-        {
-          name: 'NEXTAUTH_SECRET'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::NEXTAUTH_SECRET.name})'
-        }
-        {
-          name: 'NEXTAUTH_URL'
-          value: 'https://${webapp_name}.azurewebsites.net'
-        }
-        {
-          name: 'AZURE_COSMOSDB_URI'
-          value: cosmosDbAccount.properties.documentEndpoint
-        }
-        {
-          name: 'AZURE_COSMOSDB_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_COSMOSDB_KEY.name})'
-        }
-        {
-          name: 'AZURE_SEARCH_API_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_SEARCH_API_KEY.name})'
-        }
-        { 
-          name: 'AZURE_SEARCH_NAME'
-          value: search_name
-        }
-        { 
-          name: 'AZURE_SEARCH_INDEX_NAME'
-          value: searchServiceIndexName
-        }
-        { 
-          name: 'AZURE_DOCUMENT_INTELLIGENCE_ENDPOINT'
-          value: 'https://${form_recognizer_name}.cognitiveservices.azure.com/'
-        }        
-        {
-          name: 'AZURE_DOCUMENT_INTELLIGENCE_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_DOCUMENT_INTELLIGENCE_KEY.name})'
-        }
-        {
-          name: 'AZURE_SPEECH_REGION'
-          value: location
-        }
-        {
-          name: 'AZURE_SPEECH_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_SPEECH_KEY.name})'
-        }
-        {
-          name: 'AZURE_STORAGE_ACCOUNT_NAME'
-          value: storage_name
-        }
-        {
-          name: 'AZURE_STORAGE_ACCOUNT_KEY'
-          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=${kv::AZURE_STORAGE_ACCOUNT_KEY.name})'
-        }
-      ]
+      appSettings: concat(appSettingsCommon, appSettingsWithLocalAuth)
     }
   }
   identity: { type: 'SystemAssigned'}
@@ -282,15 +287,15 @@ resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
     enabledForTemplateDeployment: false
   }
 
-  resource AZURE_OPENAI_API_KEY 'secrets' = {
+  resource AZURE_OPENAI_API_KEY 'secrets' = if (!disableLocalAuth) {
     name: 'AZURE-OPENAI-API-KEY'
     properties: {
       contentType: 'text/plain'
       value: azureopenai.listKeys().key1
     }
   }
 
-  resource AZURE_OPENAI_DALLE_API_KEY 'secrets' = {
+  resource AZURE_OPENAI_DALLE_API_KEY 'secrets' = if (!disableLocalAuth){
     name: 'AZURE-OPENAI-DALLE-API-KEY'
     properties: {
       contentType: 'text/plain'
@@ -306,15 +311,15 @@ resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
     }
   }
 
-  resource AZURE_COSMOSDB_KEY 'secrets' = {
+  resource AZURE_COSMOSDB_KEY 'secrets' = if (!disableLocalAuth){
     name: 'AZURE-COSMOSDB-KEY'
     properties: {
       contentType: 'text/plain'
       value: cosmosDbAccount.listKeys().secondaryMasterKey
     }
   }
 
-  resource AZURE_DOCUMENT_INTELLIGENCE_KEY 'secrets' = {
+  resource AZURE_DOCUMENT_INTELLIGENCE_KEY 'secrets' = if (!disableLocalAuth){
     name: 'AZURE-DOCUMENT-INTELLIGENCE-KEY'
     properties: {
       contentType: 'text/plain'
@@ -330,15 +335,15 @@ resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
     }
   }
 
-  resource AZURE_SEARCH_API_KEY 'secrets' = {
+  resource AZURE_SEARCH_API_KEY 'secrets' = if (!disableLocalAuth){
     name: 'AZURE-SEARCH-API-KEY'
     properties: {
       contentType: 'text/plain'
       value: searchService.listAdminKeys().secondaryKey
     }
   }
 
-  resource AZURE_STORAGE_ACCOUNT_KEY 'secrets' = {
+  resource AZURE_STORAGE_ACCOUNT_KEY 'secrets' = if (!disableLocalAuth){
     name: 'AZURE-STORAGE-ACCOUNT-KEY'
     properties: {
       contentType: 'text/plain'