Add app config and related feature flag capabilities

.config/feature-flags.json

@@ -0,0 +1,7 @@
+{
+  "schemaVersion": "2.0.0",
+  "feature_management": {
+    "feature_flags": [
+    ]
+  }    
+}

.config/feature-flags.json.sample

@@ -0,0 +1,40 @@
+{
+    "schemaVersion": "2.0.0",
+    "feature_management": {
+      "feature_flags": [
+        {
+          "id": "my-agent",
+          "enabled": true,
+          "variants": [
+            {
+              "name": "agent_v1",
+              "configuration_value": "<agent-id-1-placeholder>"
+            },
+            {
+              "name": "agent_v2",
+              "configuration_value": "<agent-id-2-placeholder>"
+            }
+          ],
+          "allocation": {
+            "percentile": [
+              {
+                "variant": "agent_v1",
+                "from": 0,
+                "to": 50
+              },
+              {
+                "variant": "agent_v2",
+                "from": 50,
+                "to": 100
+              }
+            ],
+            "default_when_enabled": "agent_v1",
+            "default_when_disabled": "agent_v1"
+          },
+          "telemetry": {
+            "enabled": true
+          }
+        }
+      ]
+    }    
+}

.github/workflows/azure-dev.yml

@@ -18,7 +18,9 @@ permissions:
 
 jobs:
   build:
+    name: Deploy
     runs-on: ubuntu-latest
+    if: ${{ vars.AZURE_CLIENT_ID != '' }}
     env:
       AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
@@ -74,3 +76,28 @@ jobs:
 
       - name: Deploy Application
         run: azd deploy --no-prompt
+
+  update-experiments:
+        name: Update Experiments
+        needs: build
+        runs-on: ubuntu-latest
+        env:
+          APP_CONFIGURATION_FILE: .config/feature-flags.json 
+        steps:
+          - name: Checkout
+            uses: actions/checkout@v4
+
+          - name: Azure login using Federated Credentials
+            uses: azure/login@v2
+            with:
+                client-id: ${{ vars.AZURE_CLIENT_ID }}
+                tenant-id: ${{ vars.AZURE_TENANT_ID }}
+                subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+                enable-AzPSSession: true
+
+          - name: Deploy App Config feature flags
+            uses: azure/app-configuration-deploy-feature-flags@v1-beta
+            with:
+                path: ${{ env.APP_CONFIGURATION_FILE }}
+                app-configuration-endpoint: ${{ vars.APP_CONFIGURATION_ENDPOINT }}
+                strict: false

.github/workflows/experiment-validate.yml

@@ -0,0 +1,30 @@
+name: Validate Experiments
+on:
+    workflow_dispatch:
+
+# GitHub Actions workflow to deploy to Azure using azd
+# To configure required secrets for connecting to Azure, simply run `azd pipeline config`
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+    id-token: write
+    contents: read
+
+env:
+    APP_CONFIGURATION_FILE: .config/feature-flags.json
+
+jobs:         
+    validate-feature-flags:
+        name: Validate Feature Flags
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Validate App Config feature flags
+              uses: azure/app-configuration-deploy-feature-flags@v1-beta
+              with:
+                path: ${{ env.APP_CONFIGURATION_FILE }}
+                operation: validate
+

.github/workflows/template-validation.yml

@@ -52,5 +52,6 @@ jobs:
           AZURE_AI_EMBED_MODEL_FORMAT: ${{ vars.AZURE_AI_EMBED_MODEL_FORMAT }}
           AZURE_AI_EMBED_MODEL_VERSION: ${{ vars.AZURE_AI_EMBED_MODEL_VERSION }}
           AZURE_EXISTING_AIPROJECT_CONNECTION_STRING: ${{ vars.AZURE_EXISTING_AIPROJECT_CONNECTION_STRING }}
+          APP_CONFIGURATION_ENDPOINT: ${{ vars.APP_CONFIGURATION_ENDPOINT }}
       - name: print result
         run: cat ${{ steps.validation.outputs.resultFile }}

.gitignore

@@ -9,3 +9,4 @@ ENV/
 env.bak/
 venv.bak/
 .azure
+.vscode/

azure.yaml

@@ -50,4 +50,5 @@ pipeline:
     - AZURE_AI_EMBED_MODEL_VERSION
     - AZURE_AI_EMBED_DIMENSIONS
     - AZURE_AI_SEARCH_INDEX_NAME
-    - AZURE_EXISTING_AIPROJECT_CONNECTION_STRING
+    - AZURE_EXISTING_AIPROJECT_CONNECTION_STRING
+    - APP_CONFIGURATION_ENDPOINT

infra/api.bicep

@@ -14,6 +14,7 @@ param searchServiceEndpoint string
 param agentName string
 param agentID string
 param projectName string
+param appConfigurationEndpoint string
 
 resource apiIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
@@ -65,6 +66,10 @@ var env = [
     name: 'AZURE_AI_SEARCH_ENDPOINT'
     value: searchServiceEndpoint
   }
+  {
+    name: 'APP_CONFIGURATION_ENDPOINT'
+    value: appConfigurationEndpoint
+  }
 ]
 
 

infra/core/config/configstore.bicep

@@ -6,6 +6,9 @@ param name string
 @description('The Azure region/location for the Azure App Configuration store')
 param location string = resourceGroup().location
 
+@description('The SKU for the Azure App Configuration store')
+param sku string
+
 @description('Custom tags to apply to the Azure App Configuration store')
 param tags object = {}
 
@@ -15,16 +18,29 @@ param keyValueNames array = []
 @description('Specifies the values of the key-value resources.')
 param keyValueValues array = []
 
-@description('The principal ID to grant access to the Azure App Configuration store')
-param principalId string
+@description('The Application Insights ID linked to the Azure App Configuration store')
+param appInsightsName string
 
-resource configStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
+resource configStore 'Microsoft.AppConfiguration/configurationStores@2023-09-01-preview' = {
   name: name
   location: location
   sku: {
-    name: 'standard'
+    name: sku
   }
   tags: tags
+  properties: {
+    encryption: {}
+    disableLocalAuth: true
+    enablePurgeProtection: false
+    experimentation:{}
+    dataPlaneProxy:{
+      authenticationMode: 'Pass-through'
+      privateLinkDelegation: 'Disabled'
+    }
+    telemetry: {
+      resourceId: appInsights.id
+    }
+  }
 }
 
 resource configStoreKeyValue 'Microsoft.AppConfiguration/configurationStores/keyValues@2023-03-01' = [for (item, i) in keyValueNames: {
@@ -36,13 +52,9 @@ resource configStoreKeyValue 'Microsoft.AppConfiguration/configurationStores/key
   }
 }]
 
-module configStoreAccess '../security/configstore-access.bicep' = {
-  name: 'app-configuration-access'
-  params: {
-    configStoreName: name
-    principalId: principalId
-  }
-  dependsOn: [configStore]
+resource appInsights  'Microsoft.Insights/components@2020-02-02-preview'  existing = {
+  name: appInsightsName
 }
 
 output endpoint string = configStore.properties.endpoint
+output name string = configStore.name

infra/main.bicep

@@ -104,12 +104,25 @@ param embedDeploymentSku string = 'Standard'
 // https://learn.microsoft.com/azure/ai-services/openai/quotas-limits
 param embedDeploymentCapacity int = 30
 
+@description('Whether to use Azure Application Insights')
 param useApplicationInsights bool = true
+
+@description('Whether to use Azure App Configuration')
+param useAppConfiguration bool = true
+
+@description('Sku for the App Configuration')
+// Recommend to upgrade for production use. See pricing plan:
+// https://azure.microsoft.com/en-us/pricing/details/app-configuration/
+param appConfigurationSku string = 'free' 
+
 @description('Do we want to use the Azure AI Search')
 param useSearchService bool = false
 
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
 @description('Random seed to be used during generation of new resources suffixes.')
-param seed string = newGuid()
+param seed string = '' //newGuid() // why do we need this?
 
 var abbrs = loadJsonContent('./abbreviations.json')
 var resourceToken = toLower(uniqueString(subscription().id, environmentName, location, seed))
@@ -257,6 +270,19 @@ module containerApps 'core/host/container-apps.bicep' = {
   }
 }
 
+// App Configuration
+module configStore 'core/config/configstore.bicep' = if (useApplicationInsights && useAppConfiguration) {
+  name: 'config-store'
+  scope: rg
+  params: {
+    location: location
+    sku: appConfigurationSku
+    name: '${abbrs.appConfigurationStores}${resourceToken}'
+    tags: tags
+    appInsightsName: ai.outputs.applicationInsightsName
+  }
+}
+
 // API app
 module api 'api.bicep' = {
   name: 'api'
@@ -277,6 +303,7 @@ module api 'api.bicep' = {
     agentName: agentName
     agentID: agentID
     projectName: projectName
+    appConfigurationEndpoint: configStore.outputs.endpoint
   }
 }
 
@@ -388,6 +415,24 @@ module backendRoleAzureAIDeveloperRG 'core/security/role.bicep' = {
   }
 }
 
+module userRoleConfigStoreDataOwner 'core/security/role.bicep' = {
+  name: 'user-role-config-store-data-owner'
+  scope: rg
+  params: {
+    principalId: principalId
+    roleDefinitionId: '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' 
+  }
+}
+
+module backendRoleConfigStoreDataOwner 'core/security/role.bicep' = {
+  name: 'backend-role-config-store-data-reader'
+  scope: rg
+  params: {
+    principalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
+    roleDefinitionId: '516239f1-63e1-4d78-a4de-a74fb236a071' 
+  }
+}
+
 output AZURE_RESOURCE_GROUP string = rg.name
 
 // Outputs required for local development server
@@ -401,6 +446,7 @@ output AZURE_AI_SEARCH_ENDPOINT string = searchServiceEndpoint
 output AZURE_AI_EMBED_DIMENSIONS string = embeddingDeploymentDimensions
 output AZURE_AI_AGENT_NAME string = agentName
 output AZURE_AI_AGENT_ID string = agentID
+output APP_CONFIGURATION_ENDPOINT string = configStore.outputs.endpoint
 
 // Outputs required by azd for ACA
 output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerApps.outputs.environmentName

infra/main.parameters.json

@@ -50,6 +50,12 @@
     "useSearchService": {
       "value": "${USE_AZURE_AI_SEARCH_SERVICE=false}"
     },
+    "useAppConfiguration": {
+      "value": "${USE_APP_CONFIGURATION=true}"
+    },
+    "appConfigurationSku": {
+      "value": "${APP_CONFIGURATION_SKU=free}"
+    },
     "agentName": {
       "value": "${AZURE_AI_AGENT_NAME=agent-template-assistant}"
     },

scripts/write_env.ps1

@@ -16,6 +16,7 @@ $azureAIEmbedDimensions = azd env get-value AZURE_AI_EMBED_DIMENSIONS
 $azureAISearchIndexName = azd env get-value AZURE_AI_SEARCH_INDEX_NAME
 $azureAISearchEndpoint = azd env get-value AZURE_AI_SEARCH_ENDPOINT
 $serviceAPIUri = azd env get-value SERVICE_API_URI
+$appConfigurationEndpoint = azd env get-value APP_CONFIGURATION_ENDPOINT
 
 Add-Content -Path $envFilePath -Value "AZURE_AIPROJECT_CONNECTION_STRING=$azureAiProjectConnectionString"
 Add-Content -Path $envFilePath -Value "AZURE_AI_AGENT_DEPLOYMENT_NAME=$azureAiagentDeploymentName"
@@ -28,6 +29,7 @@ Add-Content -Path $envFilePath -Value "AZURE_AI_SEARCH_INDEX_NAME=$azureAISearch
 Add-Content -Path $envFilePath -Value "AZURE_AI_SEARCH_ENDPOINT=$azureAISearchEndpoint"
 Add-Content -Path $envFilePath -Value "AZURE_AI_AGENT_NAME=$azureAiAgentName"
 Add-Content -Path $envFilePath -Value "AZURE_TENANT_ID=$azureTenantId"
+Add-Content -Path $envFilePath -Value "APP_CONFIGURATION_ENDPOINT=$appConfigurationEndpoint"
 
 Write-Host "Web app URL:"
 Write-Host $serviceAPIUri -ForegroundColor Cyan

scripts/write_env.sh

@@ -17,6 +17,7 @@ echo "AZURE_AI_SEARCH_INDEX_NAME=$(azd env get-value AZURE_AI_SEARCH_INDEX_NAME)
 echo "AZURE_AI_SEARCH_ENDPOINT=$(azd env get-value AZURE_AI_SEARCH_ENDPOINT)" >> $ENV_FILE_PATH
 echo "AZURE_AI_AGENT_NAME=$(azd env get-value AZURE_AI_AGENT_NAME)" >> $ENV_FILE_PATH
 echo "AZURE_TENANT_ID=$(azd env get-value AZURE_TENANT_ID)" >> $ENV_FILE_PATH
+echo "APP_CONFIGURATION_ENDPOINT=$(azd env get-value APP_CONFIGURATION_ENDPOINT)" >> $ENV_FILE_PATH
 
 echo "Web app URL:"
 echo -e "\033[0;36m $(azd env get-value SERVICE_API_URI)"

src/.env.sample

@@ -12,3 +12,6 @@ AZURE_AI_SEARCH_INDEX_NAME="" # required for index search.  Example: "index_samp
 # Highly recommended.  Example: "asst_AbCdEfGhIjKlMnOpQrStUvWxYz".  If not specified, the agent name will be used to find the agent ID.  Agent ID can be found by following https://learn.microsoft.com/en-us/azure/ai-services/agents/quickstart?pivots=ai-foundry-portal
 AZURE_AI_AGENT_ID="" 
 
+# Recommended. Enable tracing for debugging and testing feature flag capabilities.
+ENABLE_AZURE_MONITOR_TRACING=false
+AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED=false