Add Azure Container Apps as a host option (#1952)

* Update bicep for ACA

* First working version

* Support workload profile

* Add support for CORS and fix identity for openai

* Add aca-host

* Make acr unique

* Add doc for aca host

* Update ACA docs

* Remove unneeded bicep files

* Revert chanes to infra/main.parameters.json

* Fix markdown lint issues

* Run frontend build before building docker image

* remove symlinks and update scripts with paths relative to its own folder instead of cwd

* Merge with main.bicep

* output AZURE_CONTAINER_REGISTRY_ENDPOINT

* Fix deployment with app service

* Improve naming and README

* Fix identity name and cost esitmation for aca

* Share env vars in bicep and update docs

* Revert "remove symlinks and update scripts with paths relative to its own folder instead of cwd"

This reverts commit 40287f2.

* Add containerapps as a commented out host option

* Update app/backend/.dockerignore

* Apply suggestions from code review

* More steps for deployment guide

* Update azure.yaml

* Update comment

* cleanup bicep files and improve docs

* Update condition for running in production for credential

* Update ManagedIdentityCredential to use UAMI for containerapps

---------

Co-authored-by: Pamela Fox <[email protected]>
Co-authored-by: Pamela Fox <[email protected]>

Author: 1yefuwang1

.azdo/pipelines/azure-dev.yml

@@ -109,6 +109,8 @@ steps:
       AZURE_ADLS_GEN2_STORAGE_ACCOUNT: $(AZURE_ADLS_GEN2_STORAGE_ACCOUNT)
       AZURE_ADLS_GEN2_FILESYSTEM_PATH: $(AZURE_ADLS_GEN2_FILESYSTEM_PATH)
       AZURE_ADLS_GEN2_FILESYSTEM: $(AZURE_ADLS_GEN2_FILESYSTEM)
+      DEPLOYMENT_TARGET: $(DEPLOYMENT_TARGET)
+      AZURE_CONTAINER_APPS_WORKLOAD_PROFILE: $(AZURE_CONTAINER_APPS_WORKLOAD_PROFILE)
 
   - task: AzureCLI@2
     displayName: Deploy Application

.github/workflows/azure-dev.yml

@@ -93,6 +93,8 @@ jobs:
       AZURE_ADLS_GEN2_STORAGE_ACCOUNT: ${{ vars.AZURE_ADLS_GEN2_STORAGE_ACCOUNT }}
       AZURE_ADLS_GEN2_FILESYSTEM_PATH: ${{ vars.AZURE_ADLS_GEN2_FILESYSTEM_PATH }}
       AZURE_ADLS_GEN2_FILESYSTEM: ${{ vars.AZURE_ADLS_GEN2_FILESYSTEM }}
+      DEPLOYMENT_TARGET: ${{ vars.DEPLOYMENT_TARGET }}
+      AZURE_CONTAINER_APPS_WORKLOAD_PROFILE: ${{ vars.AZURE_CONTAINER_APPS_WORKLOAD_PROFILE }}
 
     steps:
       - name: Checkout

CONTRIBUTING.md

@@ -22,6 +22,7 @@ contact [[email protected]](mailto:[email protected]) with any additio
 - [Running unit tests](#running-unit-tests)
 - [Running E2E tests](#running-e2e-tests)
 - [Code Style](#code-style)
+- [Adding new azd environment variables](#add-new-azd-environment-variables)
 
 ## Code of Conduct
 
@@ -160,3 +161,10 @@ python -m black <path-to-file>
 ```
 
 If you followed the steps above to install the pre-commit hooks, then you can just wait for those hooks to run `ruff` and `black` for you.
+
+## Adding new azd environment variables
+
+When adding new azd environment variables, please remember to update:
+1. App Service's [azure.yaml](./azure.yaml)
+1. [ADO pipeline](.azdo/pipelines/azure-dev.yml).
+1. [Github workflows](.github/workflows/azure-dev.yml)

README.md

@@ -66,6 +66,7 @@ Pricing varies per region and usage, so it isn't possible to predict exact costs
 However, you can try the [Azure pricing calculator](https://azure.com/e/a87a169b256e43c089015fda8182ca87) for the resources below.
 
 - Azure App Service: Basic Tier with 1 CPU core, 1.75 GB RAM. Pricing per hour. [Pricing](https://azure.microsoft.com/pricing/details/app-service/linux/)
+- Azure Container Apps: Only provisioned if you deploy to Azure Container Apps following [the ACA deployment guide](docs/azure_container_apps.md). Consumption plan with 1 CPU core, 2.0 GB RAM. Pricing with Pay-as-You-Go. [Pricing](https://azure.microsoft.com/pricing/details/container-apps/)
 - Azure OpenAI: Standard tier, GPT and Ada models. Pricing per 1K tokens used, and at least 1K tokens are used per question. [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/)
 - Azure AI Document Intelligence: SO (Standard) tier using pre-built layout. Pricing per document page, sample documents have 261 pages total. [Pricing](https://azure.microsoft.com/pricing/details/form-recognizer/)
 - Azure AI Search: Basic tier, 1 replica, free level of semantic search. Pricing per hour. [Pricing](https://azure.microsoft.com/pricing/details/search/)
@@ -126,17 +127,17 @@ A related option is VS Code Dev Containers, which will open the project in your
 
 ## Deploying
 
-Follow these steps to provision Azure resources and deploy the application code:
+The steps below will provision Azure resources and deploy the application code to Azure App Service. To deploy to Azure Container Apps instead, follow [the container apps deployment guide](docs/azure_container_apps.md).
 
 1. Login to your Azure account:
 
     ```shell
     azd auth login
     ```
 
-    For GitHub Codespaces users, if the previous command fails, try: 
+    For GitHub Codespaces users, if the previous command fails, try:
    ```shell
-    azd auth login --use-device-code 
+    azd auth login --use-device-code
     ```
 
 1. Create a new azd environment:

app/backend/.dockerignore

@@ -0,0 +1,7 @@
+.git
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+env

app/backend/Dockerfile

@@ -0,0 +1,11 @@
+FROM python:3.11-bullseye
+
+WORKDIR /app
+
+COPY ./ /app
+
+RUN python -m pip install -r requirements.txt
+
+RUN python -m pip install gunicorn
+
+CMD ["python3", "-m", "gunicorn", "-b", "0.0.0.0:8000", "main:app"]

app/backend/app.py

@@ -440,13 +440,25 @@ async def setup_clients():
     USE_SPEECH_OUTPUT_BROWSER = os.getenv("USE_SPEECH_OUTPUT_BROWSER", "").lower() == "true"
     USE_SPEECH_OUTPUT_AZURE = os.getenv("USE_SPEECH_OUTPUT_AZURE", "").lower() == "true"
 
+    # WEBSITE_HOSTNAME is always set by App Service, RUNNING_IN_PRODUCTION is set in main.bicep
+    RUNNING_ON_AZURE = os.getenv("WEBSITE_HOSTNAME") is not None or os.getenv("RUNNING_IN_PRODUCTION") is not None
+
     # Use the current user identity for keyless authentication to Azure services.
     # This assumes you use 'azd auth login' locally, and managed identity when deployed on Azure.
     # The managed identity is setup in the infra/ folder.
     azure_credential: Union[AzureDeveloperCliCredential, ManagedIdentityCredential]
-    if os.getenv("WEBSITE_HOSTNAME"):  # Environment variable set on Azure Web Apps
+    if RUNNING_ON_AZURE:
         current_app.logger.info("Setting up Azure credential using ManagedIdentityCredential")
-        azure_credential = ManagedIdentityCredential()
+        if AZURE_CLIENT_ID := os.getenv("AZURE_CLIENT_ID"):
+            # ManagedIdentityCredential should use AZURE_CLIENT_ID if set in env, but its not working for some reason,
+            # so we explicitly pass it in as the client ID here. This is necessary for user-assigned managed identities.
+            current_app.logger.info(
+                "Setting up Azure credential using ManagedIdentityCredential with client_id %s", AZURE_CLIENT_ID
+            )
+            azure_credential = ManagedIdentityCredential(client_id=AZURE_CLIENT_ID)
+        else:
+            current_app.logger.info("Setting up Azure credential using ManagedIdentityCredential")
+            azure_credential = ManagedIdentityCredential()
     elif AZURE_TENANT_ID:
         current_app.logger.info(
             "Setting up Azure credential using AzureDeveloperCliCredential with tenant_id %s", AZURE_TENANT_ID

azure.yaml

@@ -7,9 +7,11 @@ services:
   backend:
     project: ./app/backend
     language: py
+    # Please check docs/azure_container_apps.md for more information on how to deploy to Azure Container Apps
+    # host: containerapp
     host: appservice
     hooks:
-      prepackage:
+      prebuild:
         windows:
           shell: pwsh
           run:  cd ../frontend;npm install;npm run build
@@ -86,6 +88,8 @@ pipeline:
       - AZURE_ADLS_GEN2_STORAGE_ACCOUNT
       - AZURE_ADLS_GEN2_FILESYSTEM_PATH
       - AZURE_ADLS_GEN2_FILESYSTEM
+      - DEPLOYMENT_TARGET
+      - AZURE_CONTAINER_APPS_WORKLOAD_PROFILE
   secrets:
       - AZURE_SERVER_APP_SECRET
       - AZURE_CLIENT_APP_SECRET

docs/appservice.md

@@ -631,15 +631,17 @@ To see any exceptions and server errors, navigate to the _Investigate -> Failure
 
 ## Configuring log levels
 
-By default, the deployed app only logs messages with a level of `WARNING` or higher.
+By default, the deployed app only logs messages from packages with a level of `WARNING` or higher,
+but logs all messages from the app with a level of `INFO` or higher.
 
 These lines of code in `app/backend/app.py` configure the logging level:
 
 ```python
+# Set root level to WARNING to avoid seeing overly verbose logs from SDKS
+logging.basicConfig(level=logging.WARNING)
+# Set the app logger level to INFO by default
 default_level = "INFO"
-if os.getenv("WEBSITE_HOSTNAME"):  # In production, don't log as heavily
-    default_level = "WARNING"
-logging.basicConfig(level=os.getenv("APP_LOG_LEVEL", default_level))
+app.logger.setLevel(os.getenv("APP_LOG_LEVEL", default_level))
 ```
 
 To change the default level, either change `default_level` or set the `APP_LOG_LEVEL` environment variable

docs/azure_container_apps.md

@@ -0,0 +1,55 @@
+# Deploying on Azure Container Apps
+
+Due to [a limitation](https://github.com/Azure/azure-dev/issues/2736) of the Azure Developer CLI (`azd`), there can be only one host option in the [azure.yaml](../azure.yaml) file.
+By default, `host: appservice` is used and `host: containerapp` is commented out.
+
+To deploy to Azure Container Apps, please follow the following steps:
+
+1. Comment out `host: appservice` and uncomment `host: containerapp` in the [azure.yaml](../azure.yaml) file.
+
+2. Login to your Azure account:
+
+    ```bash
+    azd auth login
+    ```
+
+3. Create a new `azd` environment to store the deployment parameters:
+
+    ```bash
+    azd env new
+    ```
+
+    Enter a name that will be used for the resource group.
+    This will create a new folder in the `.azure` folder, and set it as the active environment for any calls to `azd` going forward.
+
+4. Set the deployment target to `containerapps`:
+
+    ```bash
+    azd env set DEPLOYMENT_TARGET containerapps
+    ```
+
+5. (Optional) This is the point where you can customize the deployment by setting other `azd1 environment variables, in order to [use existing resources](docs/deploy_existing.md), [enable optional features (such as auth or vision)](docs/deploy_features.md), or [deploy to free tiers](docs/deploy_lowcost.md).
+6. Provision the resources and deploy the code:
+
+    ```bash
+    azd up
+    ```
+
+    This will provision Azure resources and deploy this sample to those resources, including building the search index based on the files found in the `./data` folder.
+
+    **Important**: Beware that the resources created by this command will incur immediate costs, primarily from the AI Search resource. These resources may accrue costs even if you interrupt the command before it is fully executed. You can run `azd down` or delete the resources manually to avoid unnecessary spending.
+
+## Customizing Workload Profile
+
+The default workload profile is Consumption. If you want to use a dedicated workload profile like D4, please run:
+
+```bash
+azd env AZURE_CONTAINER_APPS_WORKLOAD_PROFILE D4
+```
+
+For a full list of workload profiles, please check [here](https://learn.microsoft.com/azure/container-apps/workload-profiles-overview#profile-types).
+Please note dedicated workload profiles have a different billing model than Consumption plan. Please check [here](https://learn.microsoft.com/azure/container-apps/billing) for details.
+
+## Private endpoints
+
+Private endpoints is still in private preview for Azure Conainer Apps and not supported for now.