##  Automating Everything

In this lab, we will learn how to setup **LLMOps with Prompt Flow** Solution Accelerator to deploy an end-to-end LLMOps solution using **Prompt Flow** and **Github Actions**.

## Steps

[1. Create Azure service principal](#1-create-azure-service-principal)


### TODO: Explicar melhor aqui o que será feito

### Github Workflows and Prompt Flow flows

The project template comes with a few Github workflows related to three Prompt Flow example flows for providing a jumpstart.

The Prompt Flow flows are **named_entity_recognition**, **web_classification** and **math_coding** each flow implementing a different use case.

Each flow has 2 primary GitHub workflows and 1 optional workflow. The GitHub workflows can be found in the project .github/workflows folder.

The first workflow is executed during pull request(PR) e.g. [named_entity_recognition_pr_dev_workflow.yml](../.github/workflows/named_entity_recognition_pr_dev_workflow.yml), and it helps to maintain code quality for all PRs. Usually, this pipeline uses a smaller dataset to make sure that the Prompt Flow job can be completed fast enough.

The second Github workflow [named_entity_recognition_ci_dev_workflow.yml](../.github/workflows/named_entity_recognition_ci_dev_workflow.yml) is executed automatically before a PR is merged into the *development* or *main* branch. The main idea of this pipeline is to execute bulk run and evaluation on the full dataset for all prompt variants. The workflow can be modified and extended based on the project's requirements.

The optional third Github workflow [named_entity_recognition_post_prod_eval.yml](../.github/workflows/named_entity_recognition_post_prod_eval.yml) need to be executed manually after the deployment of the Prompt Flow flow to production and collecting production logs (example log file - [production_log.jsonl](../named_entity_recognition/data/production_log.jsonl)). This workflow is used to evaluate the Prompt Flow flow performance in production.

More details about how to create a basic Github workflows in general can be found [here](https://docs.github.com/en/actions/using-workflows).

### 1. Create Azure service principal

An Azure service principal (SP) is a special type of identity that can be used by automated tools to access Azure resources. 

We will use a service principal to grant GitHub Actions the permission to use the resources in our Azure subscription.

Run the following bash script, updating the **spname** and **subscriptionId** variables with the values for your project to create the SP. 

In [None]:
%%bash

# variables
spname="LLMOps-$(date +%s)"
roleName="Owner"
subscriptionId="<subscription Id>"
servicePrincipalName="Azure-ARM-${spname}"

echo "Using subscription ID $subscriptionID"
echo "Creating SP for RBAC with name $servicePrincipalName, with role $roleName and in scopes /subscriptions/$subscriptionId"
az ad sp create-for-rbac --name $servicePrincipalName --role $roleName --scopes /subscriptions/$subscriptionId --sdk-auth 
echo "Please ensure that the information created here is properly save for future use."


> The previous ```az ad create-for-rbac ...``` command will also grant the *Contributor* role to the service principal in the subscription provided. <strong>Contributor or Owner?</strong>

After running the script, you'll be presented with information related to the service principal. 

Save this information to a safe location, you'll use it later in the GitHub configuration.

### 2. Create a Compute Instance and a Prompt Flow runtime

Prompt Flow 'flows' require runtime associated with compute instance in Azure Machine Learning workspace. 

Before we run any Prompt Flow, we need to create two things using the Service Principal: a Compute Instance and a Prompt Flow runtime. 

This ensures that Service Principal is the owner of these resources and Flows can be executed on them from Github workflows.

Update the variables with the values for your project and run the following bash script.

In [None]:
%%bash

# variables
subscriptionId=<your azure subscription id>
rgname=<your resource group name>
workspace_name=<your Azure machine learning workspace name> 
userAssignedId=<enter user assigned managed identifier name>
keyvault=<your Azure machine learning workspace associate key vault name>
compute_name=<enter compute name>
location=<your Azure machine learning workspace region>
runtimeName=<enter runtime name>
sp_id=<your azure service principal or client id>
sp_password=<your service principal password>
tenant_id=<your azure tenant id>

echo "> Creating user-assigned managed identity"
az identity create -g $rgname -n $userAssignedId --query "id"

echo "> Getting id, principalId of user-assigned managed identity"
um_details=$(az identity show -g $rgname -n $userAssignedId --query "[id, clientId, principalId]")

echo "> Getting id of user-assigned managed identity"
# user_managed_id="$(echo $um_details | jq -r '.[0]')"
user_managed_id=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $2}')

echo "> Getting principal Id of user-assigned managed identity"
# principalId="$(echo $um_details | jq -r '.[2]')"
principalId=$(echo $um_details | sed 's/[][]//g' | awk -F'"' '{print $6}')

echo "> Granting the user managed identity permission to access the workspace (AzureML Data Scientist)"
az role assignment create --assignee $principalId --role "AzureML Data Scientist" --scope "/subscriptions/$subscriptionId/resourcegroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name"

echo "> Granting the user managed identity permission to access the workspace keyvault (get and list)"
az keyvault set-policy --name $keyvault --resource-group $rgname --object-id $principalId --secret-permissions get list

echo "> Login with Service Principal"
az login --service-principal -u $sp_id -p $sp_password --tenant $tenant_id
az account set -s $subscriptionId

echo "> Creating compute instance and assign user managed identity to it"
az ml compute create --name $compute_name --size Standard_E4s_v3 --identity-type UserAssigned --type ComputeInstance --resource-group $rgname --workspace-name $workspace_name --user-assigned-identities $user_managed_id

echo "> Getting Service Principal Azure Entra token for REST API"
# access_token=$(az account get-access-token | jq -r ".accessToken")
access_token=$(az account get-access-token | grep -oP '"accessToken": "\K[^"]*')

echo "> Constructing POST url for runtime"
runtime_url_post=$(echo "https://ml.azure.com/api/$location/flow/api/subscriptions/$subscriptionId/resourceGroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name/FlowRuntimes/$runtimeName?asyncCall=true")

echo "> Constructing GET url for runtime"
runtime_url_get=$(echo "https://ml.azure.com/api/$location/flow/api/subscriptions/$subscriptionId/resourceGroups/$rgname/providers/Microsoft.MachineLearningServices/workspaces/$workspace_name/FlowRuntimes/$runtimeName")

echo "> Creating runtime using REST API"
curl --request POST \
  --url "$runtime_url_post" \
  --header "Authorization: Bearer $access_token" \
  --header 'Content-Type: application/json' \
  --data "{
    \"runtimeType\": \"ComputeInstance\",
    \"computeInstanceName\": \"$compute_name\",
}"

echo "\n> Getting runtime creation status using REST API"
curl --request GET \
  --url "$runtime_url_get" \
  --header "Authorization: Bearer $access_token"

# Use this command multiple times unless either you get output that shows createdOn with a valid date and time value or failure. 
# In case of failure, troubleshoot the issue before moving forward.
echo -e "curl --request GET --url ${runtime_url_get} --header Authorization: Bearer ${access_token}"

### 3. Set up GitHub Repository

#### 3.1. Create the repo for your project

Go to GitHub and create a new repository

*Github.com* > *New*

<p align="">
  <img src="images/new_github_repo.png" alt="New Github" width="1024">
</p><BR>


For this workshop I will use **llmops-project** as the repo name, if you chose a different repo name, you can replace llmops-project with the name you have chosen whenever you see it in the lab commands.

#### 3.2. Create a GitHub personal access token

Now you will create a Github **personal access token** to work with your repository from this notebook.

Go to your GitHub account settings by clicking on your profile photo and then clicking on Settings and execute the following steps:

1. In the left sidebar, click on Developer settings.
2. In the left sidebar, click on Personal access tokens.
3. Click on Generate new token (Fine-grained tokens).
4. Choose the repo you just created in the Repository access section.

<p align="">
  <img src="images/repository_access_token.png" alt="Access token" width="640">
</p>

5. In the Permissions session add **Read and write** to the following items: **Administation**, **Contents** and **Workflows** (Metadata is mandatory).

<p align="">
  <img src="images/repository_access_token2.png" alt="Access token" width="640">
</p><BR>

6. Click on Generate token.


Copy the token to use it in the cell bellow.

#### 3.3. Populate your repo with the LLMOps project template

Now you will populate your new repo with the [LLMOps Prompt Flow Template Repo](https://github.com/microsoft/llmops-promptflow-template.git).

In order to do that, run the following bash script, updating the variables with the values for your project.

In [None]:
%%bash
# github_org=<your github organization>
# github_repo=<your github repository>
# your-personal-access-token=<the access token you generated>
github_org=placerda
github_repo=llmops-project
your_personal_access_token=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

echo "> Cloning your project repository"
git clone https://${your_personal_access_token}@github.com/${github_org}/${github_repo}.git

cd $github_repo

echo "> Adding a new remote named 'original'"
git remote add original https://github.com/microsoft/llmops-promptflow-template.git

echo "> Fetching from 'original'"
git fetch original main

echo "> Merging with 'original/main'"
git merge original/main

echo "> Pushing to 'origin main'"
git push origin main --repo https://${your_personal_access_token}@github.com/${github_org}/${github_repo}.git

#### 3.4. Create a development branch and make it as default

Create a *development* branch from main branch and also make it as default one to make sure that all PRs should go towards it. 

The project template assumes that the team works at a *development* branch as a primary source for coding and improving the prompt quality. 

Later, you can implement Github workflows that move code from the *development* branch into qa/main or execute a release process right away. 

Release management is not in part of the project template.

To create the *development* branch and set it as the default in the local repo, run the following bash cell after updating the variables with the values for your project.

In [None]:
%%bash
# github_repo=<your github repository>
github_repo=llmops-project

# Change directory to the cloned repository
cd ${github_repo}

echo "> Creating a development branch"
git checkout -b development

echo "> Pushing the development branch to the remote repository"
git push origin development

echo "> Setting the development branch as the default branch in the local repository"
git remote set-head origin development

Make *development* branch as default in the GitHub remote repo to make sure that all PRs should go towards it. 

Go to your GitHub repository on the web and execute the following steps:

1. Click on the "Settings" tab.
2. In the left side menu, click on "Branches".
3. In the "Default branch" section, click the pencil icon to edit.
4. Select the branch you want to set as default from the dropdown menu.
5. Click "Update" to save your changes.

Remember, changing the default branch will change the base branch for new pull requests and code reviews.

<p align="">
  <img src="images/default_branch.png" alt="Defaut branch" width="1024">
</p>


#### 3.5 Set up authentication with Azure and GitHub

From your GitHub project, select **Settings** -> **Secrets and  variables**,  **Actions** and **New repository secret**. Create a Github repository secret named 'AZURE_CREDENTIALS' with information related to Azure Service Principal. You can paste the service principal output as the content of the secret and use [this document](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#use-the-azure-login-action-with-a-service-principal-secret) as a 

<p align="">
  <img src="images/github-secrets.png" alt="Screenshot of GitHub Secrets" width="640">
</p>



### 5. Create Azure OpenAI deployment

The template project has 3 examples, all the examples use Azure OpenAI model `gpt-35-turbo` deployed with the same name `gpt-35-turbo`. 

Please use Azure portal [https://portal.azure.com](https://portal.azure.com) to create an Azure OpenAI resource and then to Azure OpenAI Studio [https://oai.azure.com](https://oai.azure.com) to create an Azure OpenAI gpt-35-turbo model deployment as in this example.

<p align="">
  <img src="images/azure_oai_deployment.png" alt="aoai deployment" width="1024">
</p>

### 6. Create Prompt Flow Connection

Prompt Flow Connections helps securely store and manage secret keys or other sensitive credentials required for interacting with LLM and other external tools, for example Azure OpenAI.

All three template project examples use a connection named `aoai` inside, we need to set up a connection with this name if we haven’t created it before.

Please go to Azure Machine Learning workspace portal, click `Prompt flow` -> `Connections` -> `Create` -> `Azure OpenAI`, then follow the instructions to create your own connections called `aoai`. Learn more on [connections](https://learn.microsoft.com/en-us/azure/machine-learning/prompt-flow/concept-connections?view=azureml-api-2). 

<p align="">
  <img src="images/connection.png" alt="aoai connection in Prompt Flow" width="1024">
</p>

The samples use a connection named "aoai" connecting to a gpt-35-turbo model deployed with the same name in Azure OpenAI. This connection should be created before executing the out-of-box flows provided with the template.

The configuration for connection used while authoring the repo:

<p align="">
  <img src="images/connection-details.png" alt="connection details" width="640">
</p>



### 7. Update project configurations for Prompt flow and GitHub Actions

Update code so that we can create a pull request. Update the `llmops_config.json` file for any one of the examples (e.g. `named_entity_recognization`). Update configuration so that we can create a pull request for any one of the example scenarios (e.g. named_entity_recognition). Navigate to scenario folder and update the `llmops_config.json` file. Update the KEYVAULT_NAME, RESOURCE_GROUP_NAME, RUNTIME_NAME and WORKSPACE_NAME. Update the `ENDPOINT_NAME` and `CURRENT_DEPLOYMENT_NAME` in `configs/deployment_config.json` file. Update the `ENDPOINT_NAME` and `CURRENT_DEPLOYMENT_NAME` in `configs/deployment_config.json` file.

### Update llmops_config.json

Modify the configuration values in the `llmops_config.json` file available for each example based on description.

- `ENV_NAME`:  This represents the environment type. (The template supports *pr* and *dev* environments.)
- `RUNTIME_NAME`:  This is the name of a Prompt Flow runtime environment, used for executing the prompt flows. Add values to this field only when you are using dedicated runtime and compute. The template uses automatic runtime by default.
- `KEYVAULT_NAME`:  This points to an Azure Key Vault related to the Azure ML service, a service for securely storing and managing secrets, keys, and certificates.
- `RESOURCE_GROUP_NAME`:  Name of the Azure resource group related to Azure ML workspace.
- `WORKSPACE_NAME`:  This is name of Azure ML workspace.
- `STANDARD_FLOW_PATH`:  This is the relative folder path to files related to a standard flow. e.g.  e.g. "flows/standard_flow.yml"
- `EVALUATION_FLOW_PATH`:  This is a string value referring to relative evaluation flow paths. It can have multiple comma separated values- one for each evaluation flow. e.g. "flows/eval_flow_1.yml,flows/eval_flow_2.yml"

For the optional post production evaluation workflow, the above configuration will be same only `ENV_NAME` will be *postprodeval* and the respective flow path need to be mentioned in `STANDARD_FLOW_PATH` configuration.

### Update deployment_config.json in config folder

Modify the configuration values in the `deployment_config.json` file for each environment. These are required for deploying Prompt flows in Azure ML. Ensure the values for `ENDPOINT_NAME` and `CURRENT_DEPLOYMENT_NAME` are changed before pushing the changes to remote repository.

- `ENV_NAME`: This indicates the environment name, referring to the "development" or "production" or any other environment where the prompt will be deployed and used in real-world scenarios.
- `TEST_FILE_PATH`: The value represents the file path containing sample input used for testing the deployed model.
- `ENDPOINT_NAME`: The value represents the name or identifier of the deployed endpoint for the prompt flow.
- `ENDPOINT_DESC`: It provides a description of the endpoint. It describes the purpose of the endpoint, which is to serve a prompt flow online.
- `DEPLOYMENT_DESC`: It provides a description of the deployment itself.
- `PRIOR_DEPLOYMENT_NAME`: The name of prior deployment. Used during A/B deployment. The value is "" if there is only a single deployment. Refer to CURRENT_DEPLOYMENT_NAME property for the first deployment.
- `PRIOR_DEPLOYMENT_TRAFFIC_ALLOCATION`:  The traffic allocation of prior deployment. Used during A/B deployment. The value is "" if there is only a single deployment. Refer to CURRENT_DEPLOYMENT_TRAFFIC_ALLOCATION property for the first deployment.
- `CURRENT_DEPLOYMENT_NAME`: The name of current deployment.
- `CURRENT_DEPLOYMENT_TRAFFIC_ALLOCATION`: The traffic allocation of current deployment. A value of 100 indicates that all traffic is directed to this deployment.
- `DEPLOYMENT_VM_SIZE`: This parameter specifies the size or configuration of the virtual machine instances used for the deployment.
- `DEPLOYMENT_BASE_IMAGE_NAME`: This parameter represents the name of the base image used for creating the Prompt Flow runtime.
-  `DEPLOYMENT_CONDA_PATH`: This parameter specifies the path to a Conda environment configuration file (usually named conda.yml), which is used to set up the deployment environment.
- `DEPLOYMENT_INSTANCE_COUNT`:This parameter specifies the number of instances (virtual machines) that should be deployed for this particular configuration.
- `ENVIRONMENT_VARIABLES`: This parameter represents a set of environment variables that can be passed to the deployment.
