feat: Implement SFI cred change

Author: Avijit-Microsoft

infra/main.bicep

@@ -530,6 +530,10 @@ module containerAppBackend 'br/public:avm/res/app/container-app:0.17.0' = {
               name: 'AZURE_CLIENT_ID'
               value: appIdentity.outputs.clientId // NOTE: This is the client ID of the managed identity, not the Entra application, and is needed for the App Service to access the Cosmos DB account.
             }
+            {
+              name: 'APP_ENV'
+              value: 'prod'
+            }
           ],
           enableMonitoring
             ? [
@@ -604,6 +608,10 @@ module containerAppFrontend 'br/public:avm/res/app/container-app:0.17.0' = {
             name: 'API_URL'
             value: 'https://${containerAppBackend.outputs.fqdn}'
           }
+          {
+            name: 'APP_ENV'
+            value: 'prod'
+          }
         ]
         image: 'cmsacontainerreg.azurecr.io/cmsafrontend:${imageVersion}'
         name: 'cmsafrontend'

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.177.2456",
-      "templateHash": "9967677186411813072"
+      "templateHash": "12716753818171697569"
     },
     "name": "Modernize Your Code Solution Accelerator",
     "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n"
@@ -41832,7 +41832,7 @@
               {
                 "name": "cmsabackend",
                 "image": "[format('cmsacontainerreg.azurecr.io/cmsabackend:{0}', parameters('imageVersion'))]",
-                "env": "[concat(createArray(createObject('name', 'COSMOSDB_ENDPOINT', 'value', reference('cosmosDb').outputs.endpoint.value), createObject('name', 'COSMOSDB_DATABASE', 'value', reference('cosmosDb').outputs.databaseName.value), createObject('name', 'COSMOSDB_BATCH_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.batch), createObject('name', 'COSMOSDB_FILE_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.file), createObject('name', 'COSMOSDB_LOG_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.log), createObject('name', 'AZURE_BLOB_ACCOUNT_NAME', 'value', reference('storageAccount').outputs.name.value), createObject('name', 'AZURE_BLOB_CONTAINER_NAME', 'value', variables('appStorageContainerName')), createObject('name', 'AZURE_OPENAI_ENDPOINT', 'value', format('https://{0}.openai.azure.com/', reference('aiServices').outputs.name.value)), createObject('name', 'MIGRATOR_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'PICKER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'FIXER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SEMANTIC_VERIFIER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SYNTAX_CHECKER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SELECTION_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'TERMINATION_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME', 'value', variables('modelDeployment').name), createObject('name', 'AI_PROJECT_ENDPOINT', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_AI_AGENT_PROJECT_CONNECTION_STRING', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_AI_AGENT_PROJECT_NAME', 'value', reference('aiServices').outputs.aiProjectInfo.value.name), createObject('name', 'AZURE_AI_AGENT_RESOURCE_GROUP_NAME', 'value', resourceGroup().name), createObject('name', 'AZURE_AI_AGENT_SUBSCRIPTION_ID', 'value', subscription().subscriptionId), createObject('name', 'AZURE_AI_AGENT_ENDPOINT', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_CLIENT_ID', 'value', reference('appIdentity').outputs.clientId.value)), if(parameters('enableMonitoring'), createArray(createObject('name', 'APPLICATIONINSIGHTS_INSTRUMENTATION_KEY', 'value', reference('applicationInsights').outputs.instrumentationKey.value), createObject('name', 'APPLICATIONINSIGHTS_CONNECTION_STRING', 'value', reference('applicationInsights').outputs.connectionString.value)), createArray()))]",
+                "env": "[concat(createArray(createObject('name', 'COSMOSDB_ENDPOINT', 'value', reference('cosmosDb').outputs.endpoint.value), createObject('name', 'COSMOSDB_DATABASE', 'value', reference('cosmosDb').outputs.databaseName.value), createObject('name', 'COSMOSDB_BATCH_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.batch), createObject('name', 'COSMOSDB_FILE_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.file), createObject('name', 'COSMOSDB_LOG_CONTAINER', 'value', reference('cosmosDb').outputs.containerNames.value.log), createObject('name', 'AZURE_BLOB_ACCOUNT_NAME', 'value', reference('storageAccount').outputs.name.value), createObject('name', 'AZURE_BLOB_CONTAINER_NAME', 'value', variables('appStorageContainerName')), createObject('name', 'AZURE_OPENAI_ENDPOINT', 'value', format('https://{0}.openai.azure.com/', reference('aiServices').outputs.name.value)), createObject('name', 'MIGRATOR_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'PICKER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'FIXER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SEMANTIC_VERIFIER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SYNTAX_CHECKER_AGENT_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'SELECTION_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'TERMINATION_MODEL_DEPLOY', 'value', variables('modelDeployment').name), createObject('name', 'AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME', 'value', variables('modelDeployment').name), createObject('name', 'AI_PROJECT_ENDPOINT', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_AI_AGENT_PROJECT_CONNECTION_STRING', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_AI_AGENT_PROJECT_NAME', 'value', reference('aiServices').outputs.aiProjectInfo.value.name), createObject('name', 'AZURE_AI_AGENT_RESOURCE_GROUP_NAME', 'value', resourceGroup().name), createObject('name', 'AZURE_AI_AGENT_SUBSCRIPTION_ID', 'value', subscription().subscriptionId), createObject('name', 'AZURE_AI_AGENT_ENDPOINT', 'value', reference('aiServices').outputs.aiProjectInfo.value.apiEndpoint), createObject('name', 'AZURE_CLIENT_ID', 'value', reference('appIdentity').outputs.clientId.value), createObject('name', 'APP_ENV', 'value', 'prod')), if(parameters('enableMonitoring'), createArray(createObject('name', 'APPLICATIONINSIGHTS_INSTRUMENTATION_KEY', 'value', reference('applicationInsights').outputs.instrumentationKey.value), createObject('name', 'APPLICATIONINSIGHTS_CONNECTION_STRING', 'value', reference('applicationInsights').outputs.connectionString.value)), createArray()))]",
                 "resources": {
                   "cpu": 1,
                   "memory": "2.0Gi"
@@ -43334,6 +43334,10 @@
                   {
                     "name": "API_URL",
                     "value": "[format('https://{0}', reference('containerAppBackend').outputs.fqdn.value)]"
+                  },
+                  {
+                    "name": "APP_ENV",
+                    "value": "prod"
                   }
                 ],
                 "image": "[format('cmsacontainerreg.azurecr.io/cmsafrontend:{0}', parameters('imageVersion'))]",

src/backend/.env.sample

@@ -23,4 +23,6 @@ AZURE_AI_AGENT_PROJECT_CONNECTION_STRING = ""
 AZURE_AI_AGENT_SUBSCRIPTION_ID = ""
 AZURE_AI_AGENT_RESOURCE_GROUP_NAME = ""
 AZURE_AI_AGENT_PROJECT_NAME = ""
-AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME = ""
+AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME = ""
+
+APP_ENV = "dev"

src/backend/app.py

@@ -3,8 +3,6 @@
 
 from api.api_routes import router as backend_router
 
-from azure.identity.aio import DefaultAzureCredential
-
 from common.config.config import app_config
 from common.logger.app_logger import AppLogger
 
@@ -13,6 +11,8 @@
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
+from helper.azure_credential_utils import get_azure_credential
+
 from semantic_kernel.agents.azure_ai.azure_ai_agent import AzureAIAgent  # pylint: disable=E0611
 
 from sql_agents.agent_manager import clear_sql_agents, set_sql_agents
@@ -43,7 +43,7 @@ async def lifespan(app: FastAPI):
         logger.logger.info("Initializing SQL agents...")
 
         # Create Azure credentials and client
-        creds = DefaultAzureCredential()
+        creds = get_azure_credential(app_config.azure_client_id)
         azure_client = AzureAIAgent.create_client(
             credential=creds,
             endpoint=app_config.ai_project_endpoint

src/backend/common/config/config.py

@@ -14,7 +14,9 @@
 
 import os
 
-from azure.identity.aio import ClientSecretCredential, DefaultAzureCredential
+from azure.identity.aio import ClientSecretCredential
+
+from helper.azure_credential_utils import get_azure_credential
 
 
 class Config:
@@ -49,7 +51,7 @@ def __init__(self):
             "SYNTAX_CHECKER_AGENT_MODEL_DEPLOY"
         )
 
-        self.__azure_credentials = DefaultAzureCredential()
+        self.__azure_credentials = get_azure_credential(self.azure_client_id)
 
     def get_azure_credentials(self):
         """Retrieve Azure credentials, either from environment variables or managed identity."""

src/backend/common/storage/blob_azure.py

@@ -1,11 +1,13 @@
 from typing import Any, BinaryIO, Dict, Optional
 
-from azure.identity import DefaultAzureCredential
 from azure.storage.blob import BlobServiceClient
 
+from common.config.config import app_config
 from common.logger.app_logger import AppLogger
 from common.storage.blob_base import BlobStorageBase
 
+from helper.azure_credential_utils import get_azure_credential
+
 
 class AzureBlobStorage(BlobStorageBase):
     def __init__(self, account_name: str, container_name: Optional[str] = None):
@@ -15,7 +17,7 @@ def __init__(self, account_name: str, container_name: Optional[str] = None):
             self.container_name = container_name
             self.service_client = None
             self.container_client = None
-            credential = DefaultAzureCredential()  # Using Entra Authentication
+            credential = get_azure_credential(app_config.azure_client_id)  # Using Entra Authentication
             self.service_client = BlobServiceClient(
                 account_url=f"https://{self.account_name}.blob.core.windows.net/",
                 credential=credential,

src/backend/helper/azure_credential_utils.py

@@ -0,0 +1,37 @@
+import os
+
+from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
+from azure.identity.aio import DefaultAzureCredential as AioDefaultAzureCredential, ManagedIdentityCredential as AioManagedIdentityCredential
+
+
+async def get_azure_credential_async(client_id=None):
+    """
+    Returns an Azure credential asynchronously based on the application environment.
+    If the environment is 'dev', it uses AioDefaultAzureCredential.
+    Otherwise, it uses AioManagedIdentityCredential.
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+    Returns:
+        Credential object: Either AioDefaultAzureCredential or AioManagedIdentityCredential.
+    """
+    print(os.getenv("APP_ENV"))
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return AioDefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return AioManagedIdentityCredential(client_id=client_id)
+
+
+def get_azure_credential(client_id=None):
+    """
+    Returns an Azure credential based on the application environment.
+    If the environment is 'dev', it uses DefaultAzureCredential.
+    Otherwise, it uses ManagedIdentityCredential.
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+    Returns:
+        Credential object: Either DefaultAzureCredential or ManagedIdentityCredential.
+    """
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return DefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return ManagedIdentityCredential(client_id=client_id)

src/frontend/.env.sample

@@ -11,3 +11,4 @@ ENABLE_AUTH=false
 # REACT_APP_MSAL_REDIRECT_URL="/"
 # REACT_APP_MSAL_POST_REDIRECT_URL="/"
 
+APP_ENV = "dev"