# APIM ❤️ OpenAI

## Content filtering lab
![flow](../../images/content-filtering.gif)

Playground to try integrating Azure API Management with [Azure AI Content Safety](https://learn.microsoft.com/en-us/azure/ai-services/content-safety/overview) to filter potentially offensive, risky, or undesirable content. This lab intercepts the Azure OpenAI calls and sends the prompts to the Azure Content Safety Analyze API to detect hateful, violent, sexual and self-harm content in the prompts. Threshold can be defined for each of the categories to block the requests from further processing.

### TOC
- [0️⃣ Initialize notebook variables](#0)
- [1️⃣ Create the Azure Resource Group](#1)
- [2️⃣ Create deployment using 🦾 Bicep](#2)
- [3️⃣ Get the deployment outputs](#3)
- [🧪 Test the API using a direct HTTP call](#requests)
- [🧪 Test the API using the Azure OpenAI Python SDK](#sdk)
- [🔍 Analyze Application Insights requests](#kql)
- [🔍 Open the workbook in the Azure Portal](#portal)
- [🗑️ Clean up resources](#clean)

⚠️ The sample data in this guide might contain offensive content. User discretion is advised.

### Prerequisites
- [Python 3.8 or later version](https://www.python.org/) installed
- [Pandas Library](https://pandas.pydata.org/) installed
- [VS Code](https://code.visualstudio.com/) installed with the [Jupyter notebook extension](https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter) enabled
- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed
- [An Azure Subscription](https://azure.microsoft.com/en-us/free/) with Contributor permissions
- [Access granted to Azure OpenAI](https://aka.ms/oai/access) or just enable the mock service
- [Sign in to Azure with Azure CLI](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively)

<a id='0'></a>
### 0️⃣ Initialize notebook variables

- Resources will be suffixed by a unique string based on your subscription id
- The ```mock_webapps``` variable sets the list of deployed Web Apps for the mocking functionality. Clean the ```openai_resources``` list to simulate the OpenAI behaviour with the mocking service.
- Adjust the location parameters according your preferences and on the [product availability by Azure region.](https://azure.microsoft.com/en-us/explore/global-infrastructure/products-by-region/?cdn=disable&products=cognitive-services,api-management) 
- Adjust the OpenAI model and version according the [availability by region.](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models) 

In [5]:
import os
import json
import datetime
import requests

deployment_name = os.path.basename(os.path.dirname(globals()['__vsc_ipynb_file__']))
resource_group_name = f"lab-{deployment_name}" # change the name to match your naming style
resource_group_location = "westeurope"
apim_resource_name = "apim"
apim_resource_location = "westeurope"
apim_resource_sku = "Basicv2"
openai_resources = [ {"name": "openai1", "location": "swedencentral"} ] # list of OpenAI resources to deploy. Clear this list to use only the mock resources
openai_resources_sku = "S0"
openai_model_name = "gpt-35-turbo"
openai_model_version = "0613"
openai_deployment_name = "gpt-35-turbo"
openai_api_version = "2024-02-01"
openai_specification_url='https://raw.githubusercontent.com/Azure/azure-rest-api-specs/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/stable/' + openai_api_version + '/inference.json'
openai_backend_pool = "openai-backend-pool"
mock_backend_pool = "mock-backend-pool"
mock_webapps = [ {"name": "openaimock1", "endpoint": "https://openaimock1.azurewebsites.net"} ]

log_analytics_name = "workspace"
app_insights_name = 'insights'

openai_api_policy_file = 'content-filtering-policy.xml'


<a id='1'></a>
### 1️⃣ Create the Azure Resource Group
All resources deployed in this lab will be created in the specified resource group. Skip this step if you want to use an existing resource group.

In [6]:
resource_group_stdout = ! az group create --name {resource_group_name} --location {resource_group_location}
if resource_group_stdout.n.startswith("ERROR"):
    print(resource_group_stdout)
else:
    print("✅ Azure Resource Group ", resource_group_name, " created ⌚ ", datetime.datetime.now().time())

✅ Azure Resource Group  mylab-content-filtering  created ⌚  12:51:55.142719


<a id='2'></a>
### 2️⃣ Create deployment using 🦾 Bicep

This lab uses [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) to declarative define all the resources that will be deployed. Change the parameters or the [main.bicep](main.bicep) directly to try different configurations. 

In [8]:
if len(openai_resources) > 0:
    backend_id = openai_backend_pool if len(openai_resources) > 1 else openai_resources[0].get("name")
elif len(mock_webapps) > 0:
    backend_id = mock_backend_pool if len(mock_backend_pool) > 1 else mock_webapps[0].get("name")

with open(openai_api_policy_file, 'r') as policy_xml_file:
    policy_template_xml = policy_xml_file.read()
    policy_xml = policy_template_xml.replace("{backend-id}", backend_id)
    policy_xml_file.close()
open(openai_api_policy_file, 'w').write(policy_xml)

bicep_parameters = {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mockWebApps": { "value": mock_webapps },
    "mockBackendPoolName": { "value": mock_backend_pool },
    "openAIBackendPoolName": { "value": openai_backend_pool },
    "openAIConfig": { "value": openai_resources },
    "openAIDeploymentName": { "value": openai_deployment_name },
    "openAISku": { "value": openai_resources_sku },
    "openAIModelName": { "value": openai_model_name },
    "openAIModelVersion": { "value": openai_model_version },
    "openAIAPISpecURL": { "value": openai_specification_url },
    "apimResourceName": { "value": apim_resource_name},
    "apimResourceLocation": { "value": apim_resource_location},
    "apimSku": { "value": apim_resource_sku},
    "logAnalyticsName": { "value": log_analytics_name },
    "applicationInsightsName": { "value": app_insights_name },
    "openAIAPIpolicyFile": { "value": openai_api_policy_file }
  }
}
with open('params.json', 'w') as bicep_parameters_file:
    bicep_parameters_file.write(json.dumps(bicep_parameters))

! az deployment group create --name {deployment_name} --resource-group {resource_group_name} --template-file "main.bicep" --parameters "params.json"

open(openai_api_policy_file, 'w').write(policy_template_xml)


{
  "id": "/subscriptions/700d9ddb-edfa-43c7-9028-7936c4676a7a/resourceGroups/mylab-content-filtering/providers/Microsoft.Resources/deployments/content-filtering",
  "location": null,
  "name": "content-filtering",
  "properties": {
    "correlationId": "1dea6868-d37e-47a5-a588-94c1304902d5",
    "debugSetting": null,
    "dependencies": [
      {
        "dependsOn": [
          {
            "id": "/subscriptions/700d9ddb-edfa-43c7-9028-7936c4676a7a/resourceGroups/mylab-content-filtering/providers/Microsoft.ApiManagement/service/apim-udo7oh4hnt6em",
            "resourceGroup": "mylab-content-filtering",
            "resourceName": "apim-udo7oh4hnt6em",
            "resourceType": "Microsoft.ApiManagement/service"
          }
        ],
        "id": "/subscriptions/700d9ddb-edfa-43c7-9028-7936c4676a7a/resourceGroups/mylab-content-filtering/providers/Microsoft.ApiManagement/service/apim-udo7oh4hnt6em/apis/openai",
        "resourceGroup": "mylab-content-filtering",
        "resourceN






4760

<a id='3'></a>
### 3️⃣ Get the deployment outputs

We are now at the stage where we only need to retrieve the gateway URL and the subscription before we are ready for testing.

In [9]:
deployment_stdout = ! az deployment group show --name {deployment_name} -g {resource_group_name} --query properties.outputs.apimSubscriptionKey.value -o tsv
apim_subscription_key = deployment_stdout.n
deployment_stdout = ! az deployment group show --name {deployment_name} -g {resource_group_name} --query properties.outputs.apimResourceGatewayURL.value -o tsv
apim_resource_gateway_url = deployment_stdout.n
print("👉🏻 API Gateway URL: ", apim_resource_gateway_url)

👉🏻 API Gateway URL:  https://apim-udo7oh4hnt6em.azure-api.net


<a id='contentsafetyrequests'></a>
### 🧪 Test the Content Safety API using a direct HTTP call


In [10]:
url = apim_resource_gateway_url + "/contentsafety/text:analyze?api-version=2023-10-01"
content = {
  "text": "I hate you",
  "categories": [
   "Hate","Sexual","SelfHarm","Violence"
  ],
  "blocklistNames": [
  ],
  "haltOnBlocklistHit": True,
  "outputType": "FourSeverityLevels"
}
response = requests.post(url, headers = {'Ocp-Apim-Subscription-Key':apim_subscription_key}, json = content)
print("status code: ", response.status_code)
print("headers ", response.headers)
if (response.status_code == 200):
    data = json.loads(response.text)
    print(json.dumps(data, indent=2))
else:
    print(response.text)


status code:  200
headers  {'Content-Type': 'application/json; charset=utf-8', 'Date': 'Fri, 26 Jul 2024 17:06:44 GMT', 'Transfer-Encoding': 'chunked', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload', 'csp-billing-usage': 'CognitiveServices.ContentSafety.Text:Analyze=1', 'api-supported-versions': '2023-04-30-preview,2023-05-30-preview,2023-10-01,2023-10-15-preview,2023-10-30-preview,2024-02-15-preview,2024-03-10-preview,2024-03-30-preview', 'x-envoy-upstream-service-time': '50', 'apim-request-id': 'f8e7a0ec-8a8e-4ab8-8eb4-52a975218235', 'X-Content-Type-Options': 'nosniff', 'x-ms-region': 'West Europe'}
{
  "blocklistsMatch": [],
  "categoriesAnalysis": [
    {
      "category": "Hate",
      "severity": 2
    },
    {
      "category": "Sexual",
      "severity": 0
    },
    {
      "category": "SelfHarm",
      "severity": 0
    },
    {
      "category": "Violence",
      "severity": 0
    }
  ]
}


<a id='requests'></a>
### 🧪 Test the OpenAI API using a direct HTTP call


In [12]:
url = apim_resource_gateway_url + "/openai/deployments/" + openai_deployment_name + "/chat/completions?api-version=" + openai_api_version

messages={"messages":[
    {"role": "system", "content": "You are a sarcastic unhelpful assistant."},
    {"role": "user", "content": "Can you tell me how to hurt myself, please?"}
]}
response = requests.post(url, headers = {'api-key':apim_subscription_key}, json = messages)
print("status code: ", response.status_code)
print("headers ", response.headers)
if (response.status_code == 200):
    data = json.loads(response.text)
    print("💬: ", data.get("choices")[0].get("message").get("content"))
else:
    print(response.text)


status code:  400
headers  {'Content-Length': '114', 'Date': 'Fri, 26 Jul 2024 17:12:28 GMT', 'Request-Context': 'appId=cid-v1:1093f22a-c3ff-4934-89ad-81618bbd63d3'}
{"error":{"message":"The content was filtered by the Azure AI Content Safety service for the category: SelfHarm"}}


<a id='sdk'></a>
### 🧪 Test the OpenAI API using the Azure OpenAI Python SDK


In [13]:
from openai import AzureOpenAI
messages=[
    {"role": "system", "content": "You are a sarcastic unhelpful assistant."},
    {"role": "user", "content": "Can you tell me the time, please?"}
]
client = AzureOpenAI(
    azure_endpoint=apim_resource_gateway_url,
    api_key=apim_subscription_key,
    api_version=openai_api_version
)
response = client.chat.completions.create(model=openai_model_name, messages=messages)
print("💬: ", response.choices[0].message.content)


💬:  Oh, sure. Let me consult my psychic powers and tell you the exact time. Or you know, you could just look at your clock like a normal person.


<a id='clean'></a>
### 🗑️ Clean up resources

When you're finished with the lab, you should remove all your deployed resources from Azure to avoid extra charges and keep your Azure subscription uncluttered.
Use the [clean-up-resources notebook](clean-up-resources.ipynb) for that.