Adding deployment script for frontend application (#128)

Co-authored-by: Josh Bradley <[email protected]>

Author: tushardhadiwal

frontend/README.md

@@ -1,20 +1,22 @@
 # Frontend Application Launch Instructions
-A small frontend application, a streamlit app, is provided to demonstrate how to build a UI on top of the solution accelerator API.
+A small frontend application (a streamlit app) is provided to demonstrate how to build and deploy a UI on top of the solution accelerator API.
+This application is optional and not required for the solution accelerator API to function properly.
 
 ### 1. Deploy the GraphRAG solution accelerator
 Follow instructions from the [deployment guide](../docs/DEPLOYMENT-GUIDE.md) to deploy a full instance of the solution accelerator.
 
 ### 2. (optional) Create a `.env` file:
+If a `.env` file is not provided, the UI will prompt the user for additional login information.
 
 | Variable Name | Required | Example | Description |
 | :--- | --- | :--- | ---: |
 DEPLOYMENT_URL        | No | https://<my_apim>.azure-api.net | Base url of the deployed graphrag API. Also referred to as the APIM Gateway URL.
 APIM_SUBSCRIPTION_KEY | No | <subscription_key> | A [subscription key](https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions) generated by APIM.
 DEPLOYER_EMAIL        | No | [email protected] | Email address of the person/organization that deployed the solution accelerator.
 
-### 3. Start UI
+## Run UI locally
 
-The frontend application can be run locally as a docker container. If a `.env` file is not provided, the UI will prompt the user for additional information.
+The frontend application can run locally as a docker container.
 
 ```
 # cd to the root directory of the repo
@@ -23,4 +25,59 @@ The frontend application can be run locally as a docker container. If a `.env` f
 ```
 To access the app , visit `localhost:8080` in your browser.
 
-This UI application can also be hosted in Azure as a [Web App](https://azure.microsoft.com/en-us/products/app-service/web).
+## Host UI in Azure
+The frontend application can also be hosted in Azure as a Web App using the provided `frontend/deploy.sh` script.
+
+### 1. Create Azure App Registration
+
+To enable authentication and authorization for the frontend application, you need to create an Azure App Registration with ID tokens enabled. You may need Owner level permissions on the subscription for some steps.
+This app registration will be used for Authentication and Authorization to the frontend web app (not the backend). Follow the steps below:
+
+1. Go to the [Azure portal](https://portal.azure.com) and sign in with your Azure account.
+2. Navigate to the **Microsoft Entra ID** service.
+3. Select **App registrations** from the left-hand menu.
+4. Click on the **+ New registration** button.
+5. Provide a name for your app registration and select the appropriate account type.
+6. Under the **Redirect URIs** section, select the `Web` platform from dropdown menu. Add `http://localhost:8080/.auth/login/aad/callback` to the URL text field. The deployment script will update this field later with the actual URL of the webapp.
+7. Save the app registration.
+8. Under the **Manage** section select **Authentication**. Select **ID tokens** as the supported token type.
+9. In the **Overview** section of the registered app, take note of the **Application (client) ID**, **Object ID** and **Directory (tenant) ID**. This information will be used later.
+
+### 2. Populate the deploy parameters
+
+Please fill out `frontend/frontend_deploy.parameters.json` with the required values described below.
+
+1. Replace the placeholder values with actual values for the following required variables, you may also add optional variables in the json file if you wish to override the default values:
+
+| Variable Name        | Required | Example                                | Description                                                     |
+| :------------------- | :------- | :------------------------------------- | :-------------------------------------------------------------- |
+| LOCATION             | Yes      | eastus                                 | The Azure region where resources will be deployed. |
+| RESOURCE_GROUP       | Yes      | my-resource-group                      | The name of the Azure resource group where resources will be created. At this time, the name must follow [Azure Container Registry](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftcontainerregistry) naming guidelines. |
+| SUBSCRIPTION_ID      | Yes      | 12345678-1234-1234-1234-1234567890ab   | The ID of the Azure subscription where the resources will be deployed. |
+| AAD_CLIENT_ID        | Yes      | 12345678-1234-1234-1234-1234567890ab   | The client ID of the Microsoft Entra ID (AAD) app registration. |
+| AAD_OBJECT_ID        | Yes      | 12345678-1234-1234-1234-1234567890ab   | The object ID of the Microsoft Entra ID (AAD) app registration. |
+| AAD_TENANT_ID        | Yes      | 12345678-1234-1234-1234-1234567890ab   | The ID of the Microsoft Entra ID (AAD) tenant. |
+| AAD_TOKEN_ISSUER_URL | No       | https://login.microsoftonline.com/12345678-1234-1234-1234-1234567890ab/v2.0 | The URL of the Microsoft Entra ID (AAD) token issuer. Defaults to the tenant-specific issuer URL. |
+| IMAGE_NAME           | No       | graphrag:frontend                      | The name of the Docker image for the frontend application. Defaults to `graphrag:frontend`. |
+| REGISTRY_NAME        | No       | myresourcegroupreg                     | The name of the Azure Container Registry. Defaults to the resource group name with `reg` appended. |
+| APP_SERVICE_PLAN     | No       | myresourcegroup-asp                    | The name of the Azure App Service plan. Defaults to the resource group name with `asp` appended. |
+| WEB_APP              | No       | myresourcegroup-playground             | The name of the Azure Web App. Defaults to the resource group name with `playground` appended. |
+| WEB_APP_IDENTITY     | No       | myresourcegroup-playground-identity    | The name of the managed identity for the Azure Web App. Defaults to the web app name with `identity` appended. |
+
+Save the `frontend/frontend_deploy.parameters.json` file after populating the values. If you would like the webapp to automatically connect
+to the solution accelerator backend API, create and populate a `.env` file described in step 2, otherwise the webapp will ask for login credentials to the APIM service that was deployed as part of the backend API.
+
+### 3. Run the deploy script
+
+Prerequisite : Please install az-cli version >=2.61.0
+To deploy the frontend application:
+
+1. Open a terminal and navigate to the `<graphrag_repo>/frontend` directory.
+2. Run the deploy script:
+
+```
+# cd to graphrag-accelerator/frontend directory
+> bash deploy.sh -p frontend_deploy.parameters.json
+```
+
+One the frontend application has been deployed, please take note of the URL that is displayed at the end of the script. It will have the form `(https://PLACEHOLDER.azurewebsites.net)`. The Web App service will take 2-3 minutes initially to load the first time. This is expected behavior.

frontend/deploy.sh

@@ -0,0 +1,277 @@
+#!/bin/bash
+
+set -eu # use set -eux for debugging
+
+function load_env_variables() {
+    set -a
+    source .env
+    set +a
+}
+
+function checkRequiredParams () {
+    requiredParams=(
+    LOCATION
+    RESOURCE_GROUP
+    SUBSCRIPTION_ID
+    AAD_CLIENT_ID
+    AAD_OBJECT_ID
+    AAD_TENANT_ID
+    )
+    local paramsFile=$1
+    for param in "${requiredParams[@]}"; do
+        local paramValue=$(jq -r .$param < $paramsFile)
+        if [ "null" == "$paramValue" ] || [ -z "$paramValue" ]; then
+            echo "Parameter $param is required, exiting..."
+            exit 1
+        fi
+    done
+}
+
+function populateRequiredParams () {
+    local paramsFile=$1
+    printf "Checking required parameters... "
+    checkRequiredParams $paramsFile
+    # The jq command below sets environment variables based on the key-value pairs in a JSON-formatted file
+    eval $(jq -r 'to_entries | .[] | "export \(.key)=\(.value)"' $paramsFile)
+    printf "Done.\n"
+}
+
+function set_variables() {
+    printf "Setting environment variables...\n"
+    SUBSCRIPTION_ID=${SUBSCRIPTION_ID:-""}
+    RESOURCE_GROUP=${RESOURCE_GROUP:-""}
+    LOCATION=${LOCATION:-""}
+    AAD_CLIENT_ID=${AAD_CLIENT_ID:-""}
+    AAD_OBJECT_ID=${AAD_OBJECT_ID:-""}
+    AAD_TENANT_ID=${AAD_TENANT_ID:-""}
+    AAD_TOKEN_ISSUER_URL=${AAD_TOKEN_ISSUER_URL:-"https://login.microsoftonline.com/$AAD_TENANT_ID/v2.0"}
+    IMAGE_NAME=${IMAGE_NAME:-"graphrag:frontend"}
+    REGISTRY_NAME=${REGISTRY_NAME:-"${RESOURCE_GROUP}reg"}
+    APP_SERVICE_PLAN=${APP_SERVICE_PLAN:-"${RESOURCE_GROUP}-asp"}
+    WEB_APP=${WEB_APP:-"${RESOURCE_GROUP}-playground"}
+    WEB_APP_IDENTITY=${WEB_APP_IDENTITY:-"${WEB_APP}-identity"}
+    #BACKEND_RESOURCE_GROUP=${BACKEND_RESOURCE_GROUP:-""} # needed for backend outbound vnet integration
+    printf "Done setting environment variables.\n"
+}
+
+function create_resource_group {
+    printf "Setting subsctiption to $SUBSCRIPTION_ID and Creating resource group...\n"
+    az account set --subscription $SUBSCRIPTION_ID > /dev/null
+    az group create --name $RESOURCE_GROUP --location $LOCATION > /dev/null
+    printf "Resource group created.\n"
+}
+
+function create_acr() {
+    printf "Creating Azure Container Registry...\n"
+    az acr create --resource-group $RESOURCE_GROUP \
+    --name $REGISTRY_NAME \
+    --sku Basic \
+    --admin-enabled true > /dev/null
+    printf "Azure Container Registry created.\n"
+}
+
+function build_and_push_image() {
+    printf "Building and pushing image...\n"
+    local SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]:-$0}"; )" &> /dev/null && pwd 2> /dev/null; )";
+    az acr build --registry $REGISTRY_NAME -f $SCRIPT_DIR/../docker/Dockerfile-frontend --image $IMAGE_NAME $SCRIPT_DIR/../
+    printf "Image built and pushed.\n"
+}
+
+function create_app_service_plan() {
+    printf "Creating app service plan...\n"
+    az appservice plan create --name $APP_SERVICE_PLAN \
+        --resource-group $RESOURCE_GROUP \
+        --sku B3 \
+        --is-linux > /dev/null
+    printf "App service plan created.\n"
+}
+
+function create_web_app() {
+    printf "Creating web app...\n"
+    az webapp create --resource-group $RESOURCE_GROUP \
+        --plan $APP_SERVICE_PLAN \
+        --name $WEB_APP \
+        --deployment-container-image-name $REGISTRY_NAME.azurecr.io/$IMAGE_NAME > /dev/null
+    printf "Web app created.\n"
+}
+
+function create_web_app_identity() {
+    printf "Creating web app identity...\n"
+    IDENTITY_RESULT=$(az identity create --resource-group $RESOURCE_GROUP --name $WEB_APP_IDENTITY --output json)
+    WEBAPP_IDENTITY_ID=$(jq -r .id <<< $IDENTITY_RESULT)
+    WEBAPP_IDENTITY_OBJECT_ID=$(jq -r .principalId <<< $IDENTITY_RESULT)
+    WEBAPP_IDENTITY_CLIENT_ID=$(jq -r .clientId <<< $IDENTITY_RESULT)
+    az webapp identity assign --name $WEB_APP \
+        --resource-group $RESOURCE_GROUP \
+        --identities $WEBAPP_IDENTITY_ID > /dev/null
+    printf "Web app identity created.\n"
+}
+function configure_registry_credentials() {
+    printf "Configuring registry credentials...\n"
+    ACR_ID=$(az acr show --name $REGISTRY_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)
+    az role assignment create --assignee $WEBAPP_IDENTITY_CLIENT_ID \
+        --role AcrPull \
+        --scope $ACR_ID > /dev/null
+    az webapp config container set --name $WEB_APP \
+        --resource-group $RESOURCE_GROUP \
+        --container-image-name $REGISTRY_NAME.azurecr.io/$IMAGE_NAME > /dev/null
+    printf "Registry credentials configured.\n"
+}
+
+function configure_app_settings() {
+    printf "Configuring app settings...\n"
+    APP_SETTINGS=""
+    while IFS='=' read -r name value
+    do
+        value="${value%\"}"   # Remove opening quote
+        value="${value#\"}"   # Remove closing quote
+        APP_SETTINGS="$APP_SETTINGS $name=$value"
+    done < .env
+    # echo $APP_SETTINGS
+    az webapp config appsettings set --name $WEB_APP \
+        --resource-group $RESOURCE_GROUP \
+        --settings $APP_SETTINGS > /dev/null
+    printf "App settings configured.\n"
+}
+
+function create_federated_identity_credentials() {
+    printf "Creating federated identity credentials...\n"
+    EXISTING_CREDENTIAL_SUBJECTS=$(az rest --method GET --uri "https://graph.microsoft.com/beta/applications/$AAD_OBJECT_ID/federatedIdentityCredentials" -o json | jq -r '.value[].subject')
+    if [[ "$EXISTING_CREDENTIAL_SUBJECTS" == *"$WEBAPP_IDENTITY_OBJECT_ID"* ]]; then
+        echo "Federated identity credential already exists for the subject: $WEBAPP_IDENTITY_OBJECT_ID"
+    else
+        az webapp auth update \
+            --name $WEB_APP \
+            --resource-group $RESOURCE_GROUP \
+            --enabled true \
+            --action LoginWithAzureActiveDirectory \
+            --aad-client-id $AAD_CLIENT_ID \
+            --aad-token-issuer-url $AAD_TOKEN_ISSUER_URL > /dev/null
+        az rest --method POST \
+            --uri "https://graph.microsoft.com/beta/applications/$AAD_OBJECT_ID/federatedIdentityCredentials" \
+            --body "{'name': '$WEB_APP', 'issuer': '$AAD_TOKEN_ISSUER_URL', 'subject': '$WEBAPP_IDENTITY_OBJECT_ID', 'audiences': [ 'api://AzureADTokenExchange' ]}" > /dev/null
+    fi
+    printf "Federated identity credentials created.\n"
+}
+
+function configure_auth_settings() {
+    printf "Configuring auth settings...\n"
+    az webapp config appsettings set --resource-group $RESOURCE_GROUP \
+        --name $WEB_APP \
+        --slot-settings OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID=$WEBAPP_IDENTITY_CLIENT_ID \
+        --verbose > /dev/null
+    az webapp config appsettings list --resource-group $RESOURCE_GROUP \
+        --name $WEB_APP > /dev/null
+
+    authSettings=$(az rest --method GET --url "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$WEB_APP/config/authsettingsV2/list?api-version=2020-12-01" --output json)
+    echo $authSettings > auth.json
+    jq '.properties.identityProviders.azureActiveDirectory.registration.clientSecretSettingName = "OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID"' auth.json > tmp.json && mv tmp.json auth.json
+    az rest --method PUT \
+        --url "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$WEB_APP/config/authsettingsV2?api-version=2020-12-01" \
+        --body @auth.json \
+        --headers "Content-Type=application/json" > /dev/null
+    rm auth.json
+    printf "Auth settings configured.\n"
+}
+
+function enable_https() {
+    printf "Enabling HTTPS...\n"
+    az webapp update --name $WEB_APP \
+        --resource-group $RESOURCE_GROUP \
+        --set httpsOnly=true > /dev/null
+    printf "HTTPS enabled.\n"
+}
+
+function update_appreg_redirect_uris() {
+    printf "Updating app registration redirect URIs...\n"
+    WEB_APP_URL=$(az webapp show --name $WEB_APP --resource-group $RESOURCE_GROUP --query defaultHostName --output tsv)
+    NEW_REDIRECT_URI=https://$WEB_APP_URL/.auth/login/aad/callback
+    # Fetch the current list of web redirect URIs
+    CURRENT_URIS=$(az ad app show --id $AAD_CLIENT_ID --query "web.redirectUris" --output tsv)
+    if ! echo "${CURRENT_URIS}" | grep -q "${NEW_REDIRECT_URI}"; then
+        az ad app update --id $AAD_CLIENT_ID --web-redirect-uris ${CURRENT_URIS[@]} "$NEW_REDIRECT_URI" > /dev/null
+    fi
+    printf "App registration redirect URIs updated.\n"
+}
+
+function restart_web_app() {
+    printf "Restarting web app...\n"
+    az webapp restart --name $WEB_APP --resource-group $RESOURCE_GROUP > /dev/null
+    printf "Waiting for webapp to restart, webapp might take a few minutes to load.....\n"
+    sleep 180
+    printf "Web app restarted. \n"
+}
+
+## The following function adds outbound vnet integration on the webapp so that the frontend container can access resources in the AKS cluster directly.
+## This will create a new subnet named "frontend" in the backend resource group's vnet if it does not exist.
+## This may not be needed in simplified backend architecture but useful for folks using a prior version of the accelerator that had a different network architecture.
+# function add_vnet_integration() {
+#     VNET_NAME=$(az network vnet list --resource-group $BACKEND_RESOURCE_GROUP --query "[0].name" --output tsv)
+#     VNET_ID=$(az network vnet list --resource-group $BACKEND_RESOURCE_GROUP --query "[0].id" --output tsv)
+#     SUBNET_NAMES=$(az network vnet subnet list --resource-group $BACKEND_RESOURCE_GROUP --vnet-name $VNET_NAME --query "[].name" --output tsv)
+#     SUBNET_NAME="frontend"
+#     if [[ $SUBNET_NAMES == *$SUBNET_NAME* ]]; then
+#         echo "Subnet with name $SUBNET_NAME already exists"
+#     else
+#         echo "Subnet with name $SUBNET_NAME does not exist, creating one now."
+#         az network vnet subnet create --resource-group $BACKEND_RESOURCE_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --address-prefixes 10.0.10.0/24
+#     fi
+#     az webapp vnet-integration add --name $WEB_APP --resource-group $RESOURCE_GROUP --vnet $VNET_ID --subnet $SUBNET_NAME
+# }
+
+function usage() {
+   echo
+   echo "Usage: bash $0 [-h] -p <frontend_deploy.parameters.json>"
+   echo "Description: Deployment script for the Frontend App for GraphRAG Solution Accelerator."
+   echo "options:"
+   echo "  -h     Print this help menu."
+   echo "  -p     A JSON file containing the deployment parameters (frontend_deploy.parameters.json)."
+   echo
+}
+
+function main() {
+    load_env_variables
+    populateRequiredParams $PARAMS_FILE
+    set_variables
+    create_resource_group
+    create_acr
+    build_and_push_image
+    create_app_service_plan
+    create_web_app
+    create_web_app_identity
+    configure_registry_credentials
+    configure_app_settings
+    create_federated_identity_credentials
+    configure_auth_settings
+    enable_https
+    # add_vnet_integration
+    update_appreg_redirect_uris
+    restart_web_app
+    echo "**********Graphrag Frontend Web app deployment successful!**********"
+    echo "Please visit the webapp at https://$WEB_APP_URL"
+    echo "*******************************************************************"
+}
+
+# print usage if no arguments are supplied
+[ $# -eq 0 ] && usage && exit 0
+PARAMS_FILE=""
+while getopts ":p:h" option; do
+    case "${option}" in
+        p)
+            PARAMS_FILE=${OPTARG}
+            ;;
+        h | *)
+            usage
+            exit 0
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+# check if required arguments are supplied
+if [ ! -f $PARAMS_FILE ]; then
+    echo "Error: invalid required argument."
+    usage
+    exit 1
+fi
+
+main

frontend/frontend_deploy.parameters.json

@@ -0,0 +1,8 @@
+{
+  "SUBSCRIPTION_ID": "<your_subscription_id>",
+  "RESOURCE_GROUP": "<your_resource_group>",
+  "LOCATION": "<your_location>",
+  "AAD_CLIENT_ID": "<your_aad_client_id>",
+  "AAD_OBJECT_ID": "<your_aad_object_id>",
+  "AAD_TENANT_ID": "<your_aad_tenant_id>"
+}