feat: replacing DefaultAzureCredential with ManagedIdentityCredential

[Vamshi-Microsoft]

Purpose

This pull request introduces several changes aimed at improving the handling of Azure credentials, adding environment-specific configurations, and addressing security concerns flagged by CodeQL. The most significant updates include introducing helper functions for Azure credential management, replacing direct usage of DefaultAzureCredential with these helpers, and adding a new environment variable to differentiate between development and production environments.

Azure Credential Management Enhancements:

• Added new helper functions get_azure_credential and get_azure_credential_async in src/backend/helpers/azure_credential_utils.py to dynamically select credentials based on the APP_ENV environment variable. These functions use DefaultAzureCredential in development and ManagedIdentityCredential in production.
• Replaced direct usage of DefaultAzureCredential with calls to the new helper functions across multiple files, including src/app.py, src/backend/api/agent/browse_agent_factory.py, src/backend/api/agent/section_agent_factory.py, and src/backend/api/agent/template_agent_factory.py. [1] [2] [3] [4] [5] [6]

Environment-Specific Configuration:

• Added a new environment variable APP_ENV with a value of Prod in the Azure App Service configuration in infra/deploy_app_service.bicep and infra/main.json. This variable is used to determine the application environment (development or production). [1] [2]

Security and CodeQL Compliance:

• Annotated instances of DefaultAzureCredential usage with CodeQL comments to clarify that its usage is limited to local or development environments, addressing potential security concerns. Changes were made in several scripts, including infra/scripts/index_scripts/01_create_search_index.py, infra/scripts/index_scripts/02_process_data.py, scripts/chunk_documents.py, and scripts/embed_documents.py. [1] [2] [3] [4] [5] [6]

These changes improve the maintainability, security, and configurability of the codebase, particularly in environments where Azure credentials are used.

Does this introduce a breaking change?

• Yes
• No

Golden Path Validation

• I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

• I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

• I have built and tested the code locally and in a deployed app
• For frontend changes, I have pulled the latest code from main, built the frontend, and committed all static files.
• This is a change for all users of this app. No code or asset is specific to my use case or my organization.

[github-actions]

🎉 This PR is included in version 1.6.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀