manage terraform scripts for Azure staging environment (#17)

* Create DEPLOYMENT.md

* Update DEPLOYMENT.md

* copy over scripts from infra-modules into deploy/terraform

* update instructions

* remove copied readme

Author: kelsey-wong

DEPLOYMENT.md

@@ -0,0 +1,62 @@
+# TLM Deployment Guide
+
+## Requirements
+
+- Terraform CLI
+    ```
+    brew install terraform
+    ```
+- Azure CLI
+    ```
+    brew install azure-cli
+    ```
+- Helm
+    ```
+    brew install helm
+    ```
+- Azure account in Cleanlab's tenant 
+    - ask Kelsey if you need to be invited
+- Minimum required Azure role assignments:
+    - `Reader` on the OpenAI service resource group `tlm-staging-rg`
+    - `Storage Blob Data Reader` on the `tlmtfstate` storage account
+    
+Below are optional Azure roles to request on the `Production` subscription. Ask Kelsey if you want permissions.
+* `Reader` for global read access
+* `Azure Kubernetes Service Contributor` for access to live/historical container logs, `kubectl` usage, and more
+
+## Initial Setup
+
+Import the existing resources to Terraform:
+```
+terraform import -var-file="staging.tfvars" 'module.app.azurerm_role_assignment.openai_identity_sa' "/subscriptions/a47bf188-5236-4db5-bde5-16655f9d07ec/resourceGroups/tlm-staging-rg/providers/Microsoft.CognitiveServices/accounts/tlm-openai/providers/Microsoft.Authorization/roleAssignments/5c088622-3f50-84c7-e52e-09d253ed0325"
+
+terraform import -var-file="staging.tfvars" 'module.app.helm_release.this' tlm/tlm
+```
+
+## Deploying to Azure staging environment
+
+Follow these instructions to deploy TLM app changes through CLI. Note that after merging to main, you must wait for the `Release TLM App / build-push-chat-backend-acr` step to finish before starting the deployment process.
+
+1. Run `az login` and select the `Production` subscription
+2. Change your working directory: `cd deploy/terraform/app`
+3. Set up your Terraform variables:
+
+    * If this is your first time deploying, `cp staging.tfvars.example staging.tfvars`
+    * Modify the `.tfvars` file by setting `app_image_tag` to the Git commit SHA that you want to deploy
+
+4. `terraform init`
+5. `terraform plan -var-file="staging.tfvars" -out=tfplan.plan`
+   
+    The plan should be `0 to add, 1 to change, 0 to destroy`. It will only include modifying the Helm release resource `module.app.helm_release.this` to update the `chat_backend.image.tag`, plus modifying some metadata. If anything else is included in the plan, check that your branch has the latest version of the Terraform script, or reach out in [#azure](https://cleanlabinc.slack.com/archives/C093X788A6L).
+
+6. If the plan looks good, apply the changes by running `terraform apply tfplan.plan`. 
+
+   Note that this will **NOT** prompt you to confirm the changes because they were already saved by the planning step, so be careful!
+
+## Debugging
+
+If you encounter permission issues (4xx status codes) when running any of the `terraform` commands, try unsetting the `ARM_*` environment variables. These can interfere with Azure-related authentication when managing resources.
+
+```
+unset ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
+```

deploy/terraform/app/main.tf

@@ -11,7 +11,7 @@ locals {
   environment = "staging"
   resource_group_name = "tlm-staging-rg"
   subscription_id = "a47bf188-5236-4db5-bde5-16655f9d07ec"
-  location = "eastus"
+  location = "eastus2"
   tags = {
     environment = local.environment
     project = "tlm"
@@ -32,8 +32,6 @@ resource "azurerm_resource_group" "this" {
 
 provider "azurerm" {
   features {}
-  use_cli = false
-  use_msi = false
 
   subscription_id = local.subscription_id
 }
@@ -70,8 +68,11 @@ module "app" {
     image_pull_username = data.terraform_remote_state.infra.outputs.acr_image_pull_app_client_id
     image_pull_password = data.terraform_remote_state.infra.outputs.acr_image_pull_app_password
 
-    default_completion_model = "azure/gpt-4o-mini"
-    default_embedding_model = "azure/text-embedding-3-small"
+    default_completion_model = "azure/gpt-4.1-mini"
+    lowest_latency_model = "azure/gpt-4.1-nano"
+
+    enable_external_access = true
+    model_config_file_path = "models.json"
 
     tags = local.tags
 }

deploy/terraform/app/models.json

@@ -0,0 +1,18 @@
+{
+    "gpt-4o": {
+        "api_base": "https://azure-cognitive-fegxs.openai.azure.com/",
+        "api_version": "2024-11-20"
+    },
+    "gpt-4o-mini": {
+        "api_base": "https://azure-cognitive-fegxs.openai.azure.com/",
+        "api_version": "2024-07-18"
+    },
+    "gpt-4.1-mini": {
+        "api_base": "https://azure-cognitive-fegxs.openai.azure.com/",
+        "api_version": "2025-04-14"
+    },
+    "gpt-4.1-nano": {
+        "api_base": "https://azure-cognitive-fegxs.openai.azure.com/",
+        "api_version": "2025-04-14"
+    }
+}

deploy/terraform/app/staging.tfvars.example

@@ -0,0 +1,2 @@
+environment = "staging"
+app_image_tag = ""

deploy/terraform/infra/backend.tf

@@ -0,0 +1,8 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "tfstate-rg"
+    storage_account_name = "tlmtfstate"
+    container_name       = "tfstate"
+    key                  = "tlm/infra/terraform.tfstate"
+  }
+}

deploy/terraform/infra/main.tf

@@ -0,0 +1,69 @@
+provider "azurerm" {
+  features {}
+  subscription_id = "a47bf188-5236-4db5-bde5-16655f9d07ec"
+}
+
+locals {
+    environment = "staging"
+}
+
+module "infra" {
+    source = "git::https://github.com/cleanlab/infra-modules.git//tlm/infra"
+    # source = "../../../tlm/infra"
+
+    environment = local.environment
+    entity = "your-company-name"
+    location = "eastus2"
+
+    create_openai_service = true
+    openai_deployments = {
+        "gpt-4o-mini" = {
+            name = "gpt-4o-mini"
+            model = "gpt-4o-mini"
+            version = "2024-07-18"
+            format = "OpenAI"
+            scale = "GlobalStandard"
+            capacity = 200
+        }
+        "gpt-4o" = {
+            name = "gpt-4o"
+            model = "gpt-4o"
+            version = "2024-11-20"
+            format = "OpenAI"
+            scale = "GlobalStandard"
+            capacity = 50
+        }
+        "gpt-4.1-mini" = {
+            name = "gpt-4.1-mini"
+            model = "gpt-4.1-mini"
+            version = "2025-04-14"
+            format = "OpenAI"
+            scale = "GlobalStandard"
+            capacity = 200
+        }
+        "gpt-4.1-nano" = {
+            name = "gpt-4.1-nano"
+            model = "gpt-4.1-nano"
+            version = "2025-04-14"
+            format = "OpenAI"
+            scale = "GlobalStandard"
+            capacity = 200
+        }
+        "text-embedding-3-small" = {
+            name = "text-embedding-3-small"
+            model = "text-embedding-3-small"
+            version = "1"
+            format = "OpenAI"
+            scale = "Standard"
+            capacity = 50
+        }
+    }
+    
+    create_imagepull_app_registration = true
+
+    tags = {
+        environment = local.environment
+        project = "tlm"
+        terraform = "true"
+    }
+}

deploy/terraform/infra/outputs.tf

@@ -0,0 +1,40 @@
+output "kube_host" {
+    value = module.infra.kube_host
+    sensitive = true
+}
+
+output "kube_client_certificate" {
+    value = module.infra.kube_client_certificate
+    sensitive = true
+}
+
+output "kube_client_key" {
+    value = module.infra.kube_client_key
+    sensitive = true
+}
+
+output "kube_cluster_ca_certificate" {
+    value = module.infra.kube_cluster_ca_certificate
+    sensitive = true
+}
+
+output "cluster_oidc_issuer_url" {
+    value = module.infra.cluster_oidc_issuer_url
+}
+
+output "acr_image_pull_app_client_id" {
+    value = module.infra.acr_image_pull_app_client_id
+}
+
+output "acr_image_pull_app_password" {
+    value = module.infra.acr_image_pull_app_password
+    sensitive = true
+}
+
+output "openai_service_name" {
+    value = module.infra.openai_service_name
+}
+
+output "openai_service_resource_group_name" {
+    value = module.infra.openai_service_resource_group_name
+}