App - added secrets to keyvault. doc updates

Author: Seth

docs/sample_app_setup.md

@@ -20,6 +20,8 @@ The client ID and client secret are required for authenticating your application
 
 ## Deployment Steps
 
+### Setup Environment Variables
+
 In order to have the sample application infrastructure deployed, certain parameter requirements must be met. Set specific environment variables listed in the below AZD command block prior to running `azd up` to properly deploy the sample application. 
 
 ```sh
@@ -33,6 +35,15 @@ azd env set AZURE_AUTH_CLIENT_SECRET <your-client-secret>
 
 Replace `<your-app-id>`, `<your-client-id>`, and `<your-client-secret>` with your actual Azure credentials.
 
+### AI Models Parameter Requirements
+
+Also, the `aiModelDeployments` parameter in the [main.parameters.json](/infra/main.parameters.json) must contain two AI model deployments in this specific order (Note: the default setup meets these requirements):
+
+1. Text Embedding model (e.g., `text-embedding-ada-002`, `text-embedding-3-small`, `text-embedding-3-large`)
+2. Chat Completion model (e.g., `gpt-4`, `gpt-4o`, `gpt-4o-mini`)
+
+### Deploy
+
 Follow the [standard deployment guide](./local_environment_steps.md).
 
 ## Post-Deployment Steps

infra/main.bicep

@@ -100,7 +100,8 @@ var allTags = union(defaultTags, tags)
 var resourceToken = substring(uniqueString(subscription().id, location, name), 0, 5)
 var servicesUsername = take(replace(vmAdminUsername,'.', ''), 20)
 
-var deploySampleApp = appSampleEnabled && cosmosDbEnabled && searchEnabled && !empty(authClientId) && !empty(authClientSecret) && !empty(cosmosDatabases) && !empty(aiModelDeployments)
+var deploySampleApp = appSampleEnabled && cosmosDbEnabled && searchEnabled && !empty(authClientId) && !empty(authClientSecret) && !empty(cosmosDatabases) && !empty(aiModelDeployments) && length(aiModelDeployments) >= 2
+var authClientSecretName = 'auth-client-secret'
 
 module appIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = if (deploySampleApp) {
   name: take('${name}-identity-deployment', 64)
@@ -152,7 +153,25 @@ module keyvault 'modules/keyvault.bicep' = {
     virtualNetworkResourceId: networkIsolation ? network.outputs.resourceId : ''
     virtualNetworkSubnetResourceId: networkIsolation ? network.outputs.defaultSubnetResourceId : ''
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
-    userObjectId: userObjectId
+    roleAssignments: concat(empty(userObjectId) ? [] : [
+      {
+        principalId: userObjectId
+        principalType: 'User'
+        roleDefinitionIdOrName: 'Key Vault Secrets User'
+      }
+    ], deploySampleApp ? [
+      {
+        principalId: appIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Key Vault Secrets User'
+      }
+    ] : [])
+    secrets: deploySampleApp ? [
+      {
+        name: authClientSecretName
+        value: authClientSecret ?? ''
+      }
+    ] : []
     tags: allTags
   }
 }
@@ -286,37 +305,6 @@ module virtualMachine './modules/virtualMachine.bicep' = if (networkIsolation)
   dependsOn: networkIsolation ? [storageAccount] : []
 }
 
-var hubOutputRules = searchEnabled ? {
-  cog_services_pep: {
-    category: 'UserDefined'
-    destination: {
-      serviceResourceId: cognitiveServices.outputs.aiServicesResourceId
-      sparkEnabled: true
-      subresourceTarget: 'account'
-    }
-    type: 'PrivateEndpoint'
-  }
-  search_pep: {
-    category: 'UserDefined'
-    destination: {
-      serviceResourceId: aiSearch.outputs.resourceId
-      sparkEnabled: true
-      subresourceTarget: 'searchService'
-    }
-    type: 'PrivateEndpoint'
-  }
-} : {
-  cog_services_pep: {
-    category: 'UserDefined'
-    destination: {
-      serviceResourceId: cognitiveServices.outputs.aiServicesResourceId
-      sparkEnabled: true
-      subresourceTarget: 'account'
-    }
-    type: 'PrivateEndpoint'
-  }
-}
-
 module aiHub 'modules/ai-foundry/hub.bicep' = {
   name: take('${name}-ai-hub-deployment', 64)
   params: {
@@ -332,7 +320,36 @@ module aiHub 'modules/ai-foundry/hub.bicep' = {
     storageAccountResourceId: storageAccount.outputs.resourceId
     managedNetworkSettings: {
       isolationMode: networkIsolation ? 'AllowInternetOutbound' : 'Disabled'
-      outboundRules: hubOutputRules
+      outboundRules: searchEnabled ? {
+        cog_services_pep: {
+          category: 'UserDefined'
+          destination: {
+            serviceResourceId: cognitiveServices.outputs.aiServicesResourceId
+            sparkEnabled: true
+            subresourceTarget: 'account'
+          }
+          type: 'PrivateEndpoint'
+        }
+        search_pep: {
+          category: 'UserDefined'
+          destination: {
+            serviceResourceId: aiSearch.outputs.resourceId
+            sparkEnabled: true
+            subresourceTarget: 'searchService'
+          }
+          type: 'PrivateEndpoint'
+        }
+      } : {
+        cog_services_pep: {
+          category: 'UserDefined'
+          destination: {
+            serviceResourceId: cognitiveServices.outputs.aiServicesResourceId
+            sparkEnabled: true
+            subresourceTarget: 'account'
+          }
+          type: 'PrivateEndpoint'
+        }
+      }
     }
     roleAssignments:empty(userObjectId) ? [] : [
       {
@@ -442,6 +459,7 @@ module appService 'modules/appservice.bicep' = if (deploySampleApp) {
     location: location
     userAssignedIdentityName: appIdentity.outputs.name
     appInsightsName: applicationInsights.outputs.name
+    keyVaultName: keyvault.outputs.name
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspace.outputs.resourceId
     skuName: 'B3'
     skuCapacity: 1
@@ -450,7 +468,7 @@ module appService 'modules/appservice.bicep' = if (deploySampleApp) {
     virtualNetworkSubnetId: network.outputs.appSubnetResourceId
     authProvider: {
       clientId: authClientId ?? ''
-      clientSecret: authClientSecret ?? ''
+      clientSecretName: authClientSecretName
       openIdIssuer: '${environment().authentication.loginEndpoint}${tenant().tenantId}/v2.0'
     }
     searchServiceConfiguration: {
@@ -465,9 +483,9 @@ module appService 'modules/appservice.bicep' = if (deploySampleApp) {
     openAIConfiguration: {
       name: cognitiveServices.outputs.aiServicesName
       endpoint: cognitiveServices.outputs.aiServicesEndpoint
-      gptModelName: aiModelDeployments[1].model.name
-      gptModelDeploymentName: aiModelDeployments[1].?name ?? aiModelDeployments[1].model.name
-      embeddingModelDeploymentName: aiModelDeployments[0].?name ?? aiModelDeployments[0].model.name
+      gptModelName: aiModelDeployments[1].model.name // GPT model is second item in array from parameters
+      gptModelDeploymentName: aiModelDeployments[1].?name ?? aiModelDeployments[1].model.name // GPT model is second item in array from parameters
+      embeddingModelDeploymentName: aiModelDeployments[0].?name ?? aiModelDeployments[0].model.name // Embedding model is first item in array from parameters
     }
   }
 }

infra/modules/appservice.bicep

@@ -27,6 +27,9 @@ param logAnalyticsWorkspaceResourceId string
 @description('Name of an existing Application Insights resource for the App Service.')
 param appInsightsName string
 
+@description('Name of existing Key Vault to read secrets.')
+param keyVaultName string
+
 @description('Full path to container image.')
 param imagePath string
 
@@ -53,6 +56,10 @@ resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@
   name: userAssignedIdentityName
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2024-11-01' existing = {
+  name: keyVaultName
+}
+
 var nameFormatted = take(toLower(name), 55)
 
 module appServicePlan 'br/public:avm/res/web/serverfarm:0.4.1' = {
@@ -90,6 +97,7 @@ module appService 'br/public:avm/res/web/site:0.15.1' = {
     serverFarmResourceId: appServicePlan.outputs.resourceId
     appInsightResourceId: appInsights.id
     virtualNetworkSubnetId: virtualNetworkSubnetId
+    keyVaultAccessIdentityResourceId: userAssignedIdentity.id
     managedIdentities: {
       userAssignedResourceIds: [userAssignedIdentity.id]
     }
@@ -159,7 +167,7 @@ module appService 'br/public:avm/res/web/site:0.15.1' = {
       APPLICATIONINSIGHTS_CONFIGURATION_CONTENT: ''
       APPLICATIONINSIGHTS_CONNECTION_STRING: appInsights.properties.ConnectionString
       ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
-      AUTH_CLIENT_SECRET: authProvider.clientSecret 
+      AUTH_CLIENT_SECRET: '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=${authProvider.clientSecretName})' // NOTE: This secret should be created in Key Vault with the name provided in authProvider.clientSecretName.
       AZURE_CLIENT_ID: userAssignedIdentity.properties.clientId // NOTE: This is the client ID of the managed identity, not the Entra application, and is needed for the App Service to access the Cosmos DB account.
       AZURE_COSMOSDB_ACCOUNT: cosmosDbConfiguration.account
       AZURE_COSMOSDB_CONVERSATIONS_CONTAINER: cosmosDbConfiguration.container
@@ -258,9 +266,8 @@ type authIdentityProvider = {
   @description('Required. The client/application ID of the Entra application.')
   clientId: string
 
-  @description('Required. The resource ID of the Azure Active Directory application secret.')
-  @secure()
-  clientSecret: string
+  @description('Required. The secret name of the Azure Active Directory application secret stored in Key Vault.')
+  clientSecretName: string
 
   @description('Required. The OpenID issuer of the Entra application.')
   openIdIssuer: string

infra/modules/keyvault.bicep

@@ -19,8 +19,11 @@ param logAnalyticsWorkspaceResourceId string
 @description('Specifies whether network isolation is enabled. This will create a private endpoint for the Key Vault and link the private DNS zone.')
 param networkIsolation bool = true
 
-@description('Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources. This defaults to the deploying user.')
-param userObjectId string
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
+@description('Optional. Array of secrets to create in the Key Vault.')
+param secrets secretType[]?
 
 module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (networkIsolation) {
   name: 'private-dns-keyvault-deployment'
@@ -37,7 +40,7 @@ module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.7.0' = if (n
 
 var nameFormatted = take(toLower(name), 24)
 
-module keyvault 'br/public:avm/res/key-vault/vault:0.11.0' = {
+module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
   name: take('${nameFormatted}-keyvault-deployment', 64)
   dependsOn: [privateDnsZone] // required due to optional flags that could change dependency
   params: {
@@ -73,15 +76,13 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.11.0' = {
         subnetResourceId: virtualNetworkSubnetResourceId
       }
     ] : []
-    roleAssignments: empty(userObjectId) ? [] : [
-      {
-        principalId: userObjectId
-        principalType: 'User'
-        roleDefinitionIdOrName: 'Key Vault Secrets User'
-      }
-    ]
+    roleAssignments: roleAssignments
+    secrets: secrets
   }
 }
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
+import { secretType } from 'br/public:avm/res/key-vault/vault:0.12.1'
+
 output resourceId string = keyvault.outputs.resourceId
 output name string = keyvault.outputs.name