Enhance Azure Rambi services with new guidelines, storage queue integration, and improved Docker configurations

- Updated coding instructions with Azure best practices and architecture patterns.
- Added storage queue binding for movie posters events.
- Modified Bicep modules to include storage account and queue configurations.
- Adjusted Dockerfile to expose port 80 for FastAPI service.
- Implemented CloudEvent handling for Azure Storage Queue messages in the movie gallery service.
- Enhanced movie entity to include internal poster URL.
- Updated requirements to include necessary packages for new features.

Author: bmoussaud

.github/copilot-instructions.md

@@ -1 +1,44 @@
-- @azure Rule - Use Azure Best Practices: When generating code for Azure, running terminal commands for Azure, or performing operations related to Azure, invoke your `get_azure_best_practices` tool if available.
+# Azure Rambi Coding Instructions
+
+## Azure Guidelines
+- @azure Rule - Use Azure Best Practices: When generating code for Azure, running terminal commands for Azure, or performing operations related to Azure, invoke your `get_azure_best_practices` tool if available.
+- Use Infrastructure as Code (IaC) with Bicep for all Azure deployments
+- Prefer Azure Container Apps for microservices deployment
+- Use Managed Identity for authentication when possible
+- Configure proper RBAC permissions with least privilege
+
+## Architecture Patterns
+- Follow microservices architecture principles
+- Implement the DAPR sidecars pattern for service-to-service communication
+- Use API Management for API exposure and governance
+- Implement proper error handling and retry logic
+
+## Service-Specific Guidelines
+- **Movie Generator Service**: Use Azure OpenAI with gpt-4o model
+- **Movie Poster Service**: Use Azure OpenAI with dall-e-3 model
+- **Movie Gallery Service**": Use DAPR components.
+- **GUI Service**: Follow Flask best practices with proper templating
+
+## Security Requirements
+- Never hardcode credentials; use Key Vault references
+- Implement proper error handling that doesn't leak sensitive information
+- Follow secure networking practices
+- Enable encryption for data at rest and in transit
+
+## Performance Guidelines
+- Implement caching where appropriate (especially for movie data)
+- Use connection pooling for database operations
+- Configure proper timeouts and circuit breakers
+- Consider Redis cache for frequent operations
+
+## Development Workflow
+- Use Docker containers for local development
+- Follow GitOps principles for deployments
+- Implement proper CI/CD patterns
+- Use `azd` commands for deployment when possible
+
+## Code Quality Standards
+- Follow language-specific conventions (Python PEP8, JavaScript ESLint)
+- Use proper documentation and comments
+- Implement comprehensive logging
+- Write unit tests for critical functionality

dapr/local/components/storage-queue-binding.yaml

@@ -0,0 +1,26 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: movieposters-events-queue
+spec:
+  type: bindings.azure.storagequeues
+  version: v1
+  metadata:
+  - name: accountName
+    secretKeyRef:
+      name: AZURE_STORAGE_ACCOUNT_NAME
+      key: AZURE_STORAGE_ACCOUNT_NAME
+  - name: accountKey
+    secretKeyRef:
+      name: AZURE_STORAGE_ACCOUNT_KEY
+      key: AZURE_STORAGE_ACCOUNT_KEY
+  - name: queueName
+    value: "movieposters-events-queue"
+  - name: decodeBase64
+    value: "true"
+  - name: direction
+    value: "input"
+auth:
+  secretStore: kubernetes
+scopes:
+  - movie-gallery-svc

infra/main.bicep

@@ -476,11 +476,12 @@ module containerMovieGallerySvcApp 'modules/apps/movie-gallery-svc.bicep' = {
   params: {
     location: location
     containerName: 'movie-gallery-svc'
-    containerPort: 5000
+    containerPort: 80
     containerRegistryName: containerRegistry.name
     acrPullRoleName: uaiAzureRambiAcrPull.name
     shared_secrets: shared_secrets
     containerAppsEnvironment: containerAppsEnv.name
+    storageAccountName: storageAccountAzureRambi.name
   }
 }
 
@@ -577,6 +578,14 @@ module systemTopic 'br/public:avm/res/event-grid/system-topic:0.6.0' = {
   }
 }
 
+module userPortalAccess 'modules/user_portal_role.bicep' = {
+  name: 'user-portal-access'
+  params: {
+    kvName: kv.name
+    storageAccountName: storageAccountAzureRambi.name
+  }
+}
+
 output AZURE_LOCATION string = location
 output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerAppsEnv.name
 output AZURE_CONTAINER_REGISTRY_NAME string = containerRegistry.name

infra/modules/apps/gui-svc.bicep

@@ -109,6 +109,10 @@ resource guirSvcApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
                 name: 'OTEL_RESOURCE_ATTRIBUTES'
                 value: 'service.namespace=azure-rambi,service.instance.id=${containerName}'
               }
+              {
+                name: 'PORT'
+                value: '${containerPort}'
+              }
             ],
             additionalProperties
           )

infra/modules/apps/movie-gallery-svc.bicep

@@ -18,6 +18,9 @@ param containerRegistryName string
 param containerName string = 'movie-gallery-svc'
 param containerPort int = 5000
 
+@description('Storage account name.')
+param storageAccountName string
+
 param location string = resourceGroup().location
 
 resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
@@ -28,6 +31,10 @@ resource uaiAzureRambiAcrPull 'Microsoft.ManagedIdentity/userAssignedIdentities@
   name: acrPullRoleName
 }
 
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
+  name: storageAccountName
+}
+
 resource containerAppsEnv 'Microsoft.App/managedEnvironments@2024-10-02-preview' existing = {
   name: containerAppsEnvironment
   resource statestoreComponent 'daprComponents@2022-03-01' = {
@@ -61,6 +68,33 @@ resource containerAppsEnv 'Microsoft.App/managedEnvironments@2024-10-02-preview'
       ]
     }
   }
+
+  resource queueComponent 'daprComponents@2022-03-01' = {
+    name: 'movieposters-events-queue'
+    properties: {
+      componentType: 'bindings.azure.storagequeues'
+      version: 'v1'
+      initTimeout: '5m'
+      secrets: []
+      metadata: [
+        {
+          name: 'storageAccount'
+          value: storageAccount.name
+        }
+        {
+          name: 'queue'
+          value: 'movieposters-events'
+        }
+        {
+          name: 'azureClientId'
+          value: managedIdentity.properties.clientId
+        }
+      ]
+      scopes: [
+        containerName
+      ]
+    }
+  }
 }
 
 resource containerMovieGallerySvcApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
@@ -131,6 +165,18 @@ resource containerMovieGallerySvcApp 'Microsoft.App/containerApps@2024-10-02-pre
               name: 'OTEL_RESOURCE_ATTRIBUTES'
               value: 'service.namespace=azure-rambi,service.instance.id=${containerName}'
             }
+            {
+              name: 'STORAGE_ACCOUNT_NAME'
+              value: 'azrambi4vcyb7vq3byju'
+            }
+            {
+              name: 'STORAGE_QUEUE_NAME'
+              value: 'movieposters-events'
+            }
+            {
+              name: 'PORT'
+              value: '${containerPort}'
+            }
           ]
           probes: [
             {
@@ -159,7 +205,7 @@ resource containerMovieGallerySvcApp 'Microsoft.App/containerApps@2024-10-02-pre
 }
 
 resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' = {
-  name: 'azrambi-cosmos-account'
+  name: 'azrambi-cosmos-dbaccount'
   location: location
   kind: 'GlobalDocumentDB'
   properties: {
@@ -233,5 +279,16 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-
   location: location
 }
 
+// Role assignment for Storage Queue Data Contributor to the managed identity
+resource storageQueueDataContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, storageAccount.name, managedIdentity.id)
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88') // Storage Queue Data Contributor role
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 output name string = containerMovieGallerySvcApp.name
 output fqdn string = containerMovieGallerySvcApp.properties.configuration.ingress.fqdn

infra/modules/apps/movie-generator-svc.bicep

@@ -99,6 +99,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
                 name: 'OTEL_RESOURCE_ATTRIBUTES'
                 value: 'service.namespace=azure-rambi,service.instance.id=${containerName}'
               }
+              {
+                name: 'PORT'
+                value: '${containerPort}'
+              }
             ],
             additionalProperties
           )

infra/modules/apps/movie-poster-svc.bicep

@@ -98,6 +98,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
               name: 'OTEL_RESOURCE_ATTRIBUTES'
               value: 'service.namespace=azure-rambi,service.instance.id=${containerName}'
             }
+            {
+              name: 'PORT'
+              value: '${containerPort}'
+            }
           ])
           probes: [
             {

infra/user_portal_role.bicep infra/modules/user_portal_role.bicepinfra/user_portal_role.bicep renamed to infra/modules/user_portal_role.bicep

@@ -1,9 +1,10 @@
-var kvName = 'rambikv${uniqueString(resourceGroup().id)}'
-var storageAccountName = 'azrambi${uniqueString(resourceGroup().id)}'
+param kvName string
+param storageAccountName string
 
 resource kv 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
   name: kvName
 }
+
 @description('This is the built-in Key Vault Secrets Officer role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-user')
 resource keyVaultSecretsUserRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
   scope: subscription()

src/movie_gallery_svc/Dockerfile

@@ -14,6 +14,6 @@ RUN pip install --no-cache-dir --upgrade -r requirements.txt
 COPY . .
 
 # Expose the default FastAPI port
-EXPOSE 5000
+EXPOSE 80
 # Command to run the FastAPI service
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "5000"]
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"]

src/movie_gallery_svc/cloudevent_sample.json

@@ -0,0 +1,23 @@
+{
+    "id": "576df06a-101e-006e-1d2d-ad9840069ee4",
+    "source": "/subscriptions/9479b396-5d3e-467a-b89f-ba8400aeb7dd/resourceGroups/rg-azr-dev/providers/Microsoft.Storage/storageAccounts/azrambirpolpzd22ykfo",
+    "specversion": "1.0",
+    "type": "Microsoft.Storage.BlobCreated",
+    "subject": "/blobServices/default/containers/movieposters/blobs/313369_194_Romance_11844.png",
+    "time": "2025-04-14T11:06:12.5258854Z",
+    "data": {
+        "api": "PutBlob",
+        "clientRequestId": "79d3c724-1920-11f0-ad17-96f9d8066883",
+        "requestId": "576df06a-101e-006e-1d2d-ad9840000000",
+        "eTag": "0x8DD7B445E38E866",
+        "contentType": "application/octet-stream",
+        "contentLength": 5526153,
+        "blobType": "BlockBlob",
+        "accessTier": "Default",
+        "url": "https://azrambirpolpzd22ykfo.blob.core.windows.net/movieposters/313369_194_Romance_11844.png",
+        "sequencer": "00000000000000000000000000015BA60000000002ce278f",
+        "storageDiagnostics": {
+            "batchId": "e169facb-c006-0042-002d-ad74ef000000"
+        }
+    }
+}²