Copyright (c) Microsoft Corporation. Licensed under the MIT license.

##  Automating Everything

In this lab, we will learn how to setup **LLMOps with Prompt Flow** template to deploy an end-to-end LLMOps solution using **Prompt Flow** and **Github Actions**.

## Steps
1. Check and set up prerequisites 
2. Create an Azure service principal to access AI project resources
3. Setup github repository
4. Create Azure OpenAI model deployment
5. Update Azure OpenAI connection name
6. Update template configuration parameters

### 1. Check and set up prerequisites

Check if you have the following resources to execute this hands-on steps.

- Azure subscription.
- Azure AI Project and AI Resource.
    - If you don't have an AI Project, follow the instructions in [this link](https://learn.microsoft.com/en-us/azure/ai-studio/how-to/create-projects) to create one.
    - If it's your first AI project, create an AI Resource during setup. Otherwise, use an existing one.
- GitHub account.
- Workstation with
    - [VS Code](https://code.visualstudio.com/download) Desktop (Optionaly use VS Code Web in an Azure ML compute).
    - [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
    - [Git](https://git-scm.com/downloads)

### 2. Create an Azure service principal to access AI project resources

#### 2.1. Create Service Principal

An Azure service principal (SP) is a special type of identity that can be used by automated tools to access Azure resources. 

We will use a service principal to grant GitHub Actions the permission to use the resources in our Azure subscription.

Run the following bash script after updating the **\<subscription Id\>** placeholder with your subscription id.

Note: SP name will be generated automatically with the following format, if you want a different name just add it to the spname variable.

In [None]:
%%bash

tenant_id="16b3c013-d300-468d-ac64-7eda0820b6d3"
az login --tenant $tenant_id

In [None]:
%%bash

# variables
subscriptionId="9788a92c-2f71-4629-8173-7ad449cb50e1"

spname="LLMOps-$(date +%s)"
roleName="Owner"
servicePrincipalName="Azure-ARM-${spname}"

echo "Using subscription ID $subscriptionID"
echo "> Setting subscription id"
az account set --subscription $subscriptionId

echo "Creating SP for RBAC with name $servicePrincipalName, with role $roleName and in scopes /subscriptions/$subscriptionId"
az ad sp create-for-rbac --name $servicePrincipalName --role $roleName --scopes /subscriptions/$subscriptionId --sdk-auth

echo "Please ensure that the information created here is properly saved for future use."


After running the script, you'll be presented with information related to the service principal. 

Save this information to a safe location, you'll use it later in the GitHub configuration.

#### 2.2. Managed Identity and Permissions Setup for Workspace and Keyvault Access

Run the following script to set up User-Assigned Managed Identity and Granting Permissions for ML Workspace and Keyvault Access.

In [None]:
%%bash

# variables
subscriptionId="<your azure subscription id>"
rgname="<your resource group name>"
workspace_name="<your Azure AI project>"
keyvault="<your Azure machine learning workspace associate key vault name>"
location="<your Azure machine learning workspace region>"
userAssignedId="<enter user assigned managed identifier name>"
sp_id="<your azure service principal or client id>"
sp_password="<your service principal password>"
tenant_id="<your azure tenant id>"

subscriptionId="9788a92c-2f71-4629-8173-7ad449cb50e1"
rgname="rg-paulolacerdaai7411"
workspace_name="paulolacerda-7411" 
keyvault="kv-paulolac329956538341"
location="eastus"
userAssignedId="Azure-ARM-LLMOps-1704032796"
sp_id="e0bbb6ad-9fb6-4aa5-8541-fd2958cb5659"
sp_password="ai68Q~nvhA4PHblkaulCPz-rZDea9LZUf-STnbWZ"
tenant_id="16b3c013-d300-468d-ac64-7eda0820b6d3"

echo "> Creating user-assigned managed identity"
az identity create -g $rgname -n $userAssignedId --query "id"

echo "> Getting id, principalId of user-assigned managed identity"
um_details=$(az identity show -g $rgname -n $userAssignedId --query "[id, clientId, principalId]")

echo "> Getting id of user-assigned managed identity"
# user_managed_id="$(echo $um_details | jq -r '.[0]')"
user_managed_id=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $2}')

echo "> Getting principal Id of user-assigned managed identity"
# principalId="$(echo $um_details | jq -r '.[2]')"
principalId=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $6}')

# echo "> Granting the user managed identity permission to access the workspace (AzureML Data Scientist)"
# az role assignment create --assignee $principalId --role "AzureML Data Scientist" --scope "/subscriptions/$subscriptionId/resourcegroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name"

echo "> Granting the user managed identity permission to access the workspace (Azure AI Developer)"
az role assignment create --assignee $principalId --role "Azure AI Developer" --scope "/subscriptions/$subscriptionId/resourcegroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name"

echo "> Granting the user managed identity permission to access the workspace keyvault (get and list)"
az keyvault set-policy --name $keyvault --resource-group $rgname --object-id $principalId --secret-permissions get list


In [None]:
# %%bash

# # variables
# subscriptionId=<your azure subscription id>
# rgname=<your resource group name>
# workspace_name=<your Azure machine learning workspace name> 
# userAssignedId=<enter user assigned managed identifier name>
# keyvault=<your Azure machine learning workspace associate key vault name>
# compute_name=<enter compute name>
# location=<your Azure machine learning workspace region>
# runtimeName=<enter runtime name>
# sp_id=<your azure service principal or client id>
# sp_password=<your service principal password>
# tenant_id=<your azure tenant id>

# echo "> Creating user-assigned managed identity"
# az identity create -g $rgname -n $userAssignedId --query "id"

# echo "> Getting id, principalId of user-assigned managed identity"
# um_details=$(az identity show -g $rgname -n $userAssignedId --query "[id, clientId, principalId]")

# echo "> Getting id of user-assigned managed identity"
# # user_managed_id="$(echo $um_details | jq -r '.[0]')"
# user_managed_id=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $2}')

# echo "> Getting principal Id of user-assigned managed identity"
# # principalId="$(echo $um_details | jq -r '.[2]')"
# principalId=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $6}')

# echo "> Granting the user managed identity permission to access the workspace (AzureML Data Scientist)"
# az role assignment create --assignee $principalId --role "AzureML Data Scientist" --scope "/subscriptions/$subscriptionId/resourcegroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name"

# echo "> Granting the user managed identity permission to access the workspace keyvault (get and list)"
# az keyvault set-policy --name $keyvault --resource-group $rgname --object-id $principalId --secret-permissions get list

# echo "> Login with Service Principal"
# az login --service-principal -u $sp_id -p $sp_password --tenant $tenant_id
# az account set -s $subscriptionId

# echo "> Creating compute instance and assign user managed identity to it"
# az ml compute create --name $compute_name --size Standard_E4s_v3 --identity-type UserAssigned --type ComputeInstance --resource-group $rgname --workspace-name $workspace_name --user-assigned-identities $user_managed_id

# echo "> Getting Service Principal Azure Entra token for REST API"
# # access_token=$(az account get-access-token | jq -r ".accessToken")
# access_token=$(az account get-access-token | grep -oP '"accessToken": "\K[^"]*')

# echo "> Constructing POST url for runtime"
# runtime_url_post=$(echo "https://ml.azure.com/api/$location/flow/api/subscriptions/$subscriptionId/resourceGroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name/FlowRuntimes/$runtimeName?asyncCall=true")

# echo "> Constructing GET url for runtime"
# runtime_url_get=$(echo "https://ml.azure.com/api/$location/flow/api/subscriptions/$subscriptionId/resourceGroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name/FlowRuntimes/$runtimeName")

# echo "> Creating runtime using REST API"
# curl --request POST \
#   --url "$runtime_url_post" \
#   --header "Authorization: Bearer $access_token" \
#   --header 'Content-Type: application/json' \
#   --data "{
#     \"runtimeType\": \"ComputeInstance\",
#     \"computeInstanceName\": \"$compute_name\",
# }"

# echo "\n> Getting runtime creation status using REST API"
# curl --request GET \
#   --url "$runtime_url_get" \
#   --header "Authorization: Bearer $access_token"

# # Use this command multiple times unless either you get output that shows createdOn with a valid date and time value or failure. 
# # In case of failure, troubleshoot the issue before moving forward.
# echo -e "curl --request GET --url ${runtime_url_get} --header Authorization: Bearer ${access_token}"

### 3. Set up GitHub Repository

#### 3.1. Create the repo for your project

Go to GitHub and create a new repository

*Github.com* > *New*

![llmops workshop](images/31.12.2023_13.19.23_REC.png)

For this workshop I will use **llmops-project** as the repo name, if you chose a different repo name, you can replace llmops-project with the name you have chosen whenever you see it in the lab commands.

![llmops workshop](images/31.12.2023_13.23.18_REC.png)


#### 3.2. Create a GitHub personal access token

Now you will create a Github **personal access token** to work with your repository from this notebook.

Go to your GitHub account settings by clicking on your profile photo and then clicking on Settings and execute the following steps:

1. In the left sidebar, click on Developer settings.
2. In the left sidebar, click on Personal access tokens (Fine-grained tokens).
3. Click on Generate new token.

![llmops workshop](images/31.12.2023_13.27.45_REC.png)

4. Choose the repo you just created in the Repository access section.

![llmops workshop](images/31.12.2023_13.30.59_REC.png)

5. In the Permissions session add **Read and write** to the following items: **Administation**, **Contents** and **Workflows** (Metadata is mandatory).

![llmops workshop](images/31.12.2023_13.32.17_REC.png)

6. Click on Generate token.

Copy the token to use it in the cell bellow.

#### 3.3. Populate your repo with the LLMOps project template

Now you will populate your new repo with the [LLMOps Prompt Flow Template Repo](https://github.com/microsoft/llmops-promptflow-template.git).

In order to do that, run the following bash script, updating the variables with the values for your project.

In [None]:
%%bash
# github_org=<your github organization>
# github_repo=<your github repository>
# your-personal-access-token=<the access token you generated>
github_org=placerda
github_repo=llmops-project
your_personal_access_token=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

echo "> Cloning your project repository"
git clone https://${your_personal_access_token}@github.com/${github_org}/${github_repo}.git

cd $github_repo

echo "> Adding a new remote named 'original'"
git remote add original https://github.com/microsoft/llmops-promptflow-template.git

echo "> Fetching from 'original'"
git fetch original main

echo "> Merging with 'original/main'"
git merge original/main

echo "> Pushing to 'origin main'"
git push origin main --repo https://${your_personal_access_token}@github.com/${github_org}/${github_repo}.git

#### 3.4. Create a development branch and make it as default

The project template assumes that the team utilizes the *development* branch as the primary source for coding and enhancing the prompt quality.  

Create a *development* branch by branching off from the main branch and designate it as the default branch to ensure that all pull requests are directed towards it.  
     
To generate the *development* branch and set it as the default in the **local repository**, execute the following bash cell after modifying the variables with the appropriate values for your project.

In [None]:
%%bash
# github_repo=<your github repository>
github_repo=llmops-project

# Change directory to the cloned repository
cd ${github_repo}

echo "> Creating a development branch"
git checkout -b development

echo "> Pushing the development branch to the remote repository"
git push origin development

echo "> Setting the development branch as the default branch in the local repository"
git remote set-head origin development

To make *development* branch as default in the GitHub **remote repo**, go to your GitHub repository on the web and execute the following steps:

1. Click on the "Settings" tab.
2. In the left side menu, click on "Branches".
3. In the "Default branch" section, click the pencil icon to edit.
4. Select the branch you want to set as default from the dropdown menu.
5. Click "Update" to save your changes.

Remember, changing the default branch will change the base branch for new pull requests and code reviews.

![llmops workshop](images/01.01.2024_10.57.37_REC.png)

#### 3.5 Set up authentication with Azure and GitHub

To start, go to the **Settings** tab of your GitHub project. Then, navigate to **Secrets and variables** followed by **Actions** and select **New repository secret**. Now, create a repository secret on GitHub called 'AZURE_CREDENTIALS' and provide the necessary Azure Service Principal details as its content. For assistance, you can refer to [this document](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-a-service-principal-secret).

![llmops workshop](images/01.01.2024_11.05.21_REC.png)

![llmops workshop](images/01.01.2024_11.19.43_REC.png)


### 4. Create Azure OpenAI model deployment


The example flows of the LLMOps template use a deployment of the Azure OpenAI model `gpt-35-turbo`. 

Please use Azure OpenAI Studio [https://ai.azure.com/](https://ai.azure.com/) to create a deployment with the same name in the AI Project you created for this workshop in step 1.

![llmops workshop](images/01.01.2024_11.25.08_REC.png)

![llmops workshop](images/01.01.2024_11.26.33_REC.png)

![llmops workshop](images/01.01.2024_11.27.15_REC.png)



### 5. Update Azure OpenAI connection name

To utilize the default connection with the Azure OpenAI resource in the project, modify the flow definition (flow.dag.yaml) of both standard and post-production-evaluation flows for the `named_entity_recognition` example. 

The flow definition file for both flows can be found in:

- named_entity_recognition\flows\standard\flow.dag.yaml
- named_entity_recognition\flows\post-production-evaluation\flow.dag.yaml

Replace the current connection name `aoai` with `Default_AzureOpenAI`.

Example:

![llmops workshop](images/01.01.2024_16.58.05_REC.png)


### 6: Update Template Configuration Parameters  
   
The purpose of this step is to modify the configuration files so that we can create a pull request for the named_entity_recognition example.

Complete the following two steps for each desired environment. For this lab, we will focus only on the pull request (pr) environment for simplicity.

#### 6.1. Update named_entity_recognization flow configuration in `llmops_config.json` file

Navigate to `named_entity_recognization` folder and update the `llmops_config.json` file. 

Update the `KEYVAULT_NAME`, `RESOURCE_GROUP_NAME` and `WORKSPACE_NAME` parameters.

**llmops_config.json**

Modify the configuration values in the `llmops_config.json`.

Example configuration (using the same resources for all environments):

![llmops workshop](images/01.01.2024_16.37.50_REC.png)

These are required for building and evaluating Prompt flows flows.

For the optional post production evaluation workflow, the above configuration will be same only `ENV_NAME` will be *postprodeval* and the respective flow path need to be mentioned in `STANDARD_FLOW_PATH` configuration.

#### 6.2. Update named_entity_recognization flow deployment configuration in `deployment_config.json` file

Navigate to `named_entity_recognization/configs` folder and update the `deployment_config.json` file. 

Update the `ENDPOINT_NAME` and `CURRENT_DEPLOYMENT_NAME` parameters. 

For more information about the deployment_config.json parameters look at [deployment_config.json](deployment_config.md)

**deployment_config.json**

Modify the configuration values in the `deployment_config.json` file in the azure_managed_endpoint section. 

These are required for deploying Prompt flows flows.

Example configuration:

![llmops workshop](images/01.01.2024_16.33.50_REC.png)

#### 6.3. Push updates to remote repo

To update the remote repository with the newly modified configurations, simply push to the development branch by executing the next cell.



In [None]:
%%bash
cd llmops-project
git add .
git commit -m "configuration update"
git push origin development