Merge pull request #48 from ks6088ts-labs/feature/issue-47_support-bicep

add bicep codes for deployment

Author: ks6088ts

apps/8_streamlit_azure_openai_batch/main.py

@@ -17,8 +17,6 @@
     )
     azure_openai_api_key = st.text_input(
         label="AZURE_OPENAI_API_KEY",
-        # DEBUG
-        value=getenv("AZURE_OPENAI_API_KEY"),
         key="AZURE_OPENAI_API_KEY",
         type="password",
     )

docs/README.dev.md

@@ -1,3 +1,5 @@
+# Developer Guide
+
 ## Development instructions
 
 ### Local development
@@ -31,16 +33,22 @@ make docker-run
 make ci-test-docker
 ```
 
-To publish the docker image to Docker Hub, you need to set the following secrets in the repository settings.
+## Deployment
+
+### Infrastructure
 
 ```shell
-gh secret set DOCKERHUB_USERNAME --body $DOCKERHUB_USERNAME
-gh secret set DOCKERHUB_TOKEN --body $DOCKERHUB_TOKEN
+cd infra
+az login
+
+make deploy
 ```
 
-## Deployment
+- ref. [Azure-Samples/azure-ai-studio-secure-bicep](https://github.com/Azure-Samples/azure-ai-studio-secure-bicep)
+
+### Application
 
-### From Docker Hub
+#### From Docker Hub
 
 You can run the docker image from Docker Hub.
 
@@ -54,7 +62,7 @@ docker run -p 8501:8501 ks6088ts/workshop-azure-openai:latest \
     python -m streamlit run apps/99_streamlit_llm_examples/main.py
 ```
 
-### App Service
+#### App Service
 
 For deploying the Streamlit application to Azure App Service, you need to set the following two configurations.
 
@@ -66,8 +74,17 @@ Notes:
 - Update the startup command as needed. App Service listens on port 8000 by default, so `--server.port 8000` is required.
 - The default port of App Service is 8000, so `--server.port 8000` is required.
 
-#### References
+##### References
 
 - [Streamlit を Azure App Service で動かす！](https://qiita.com/takashiuesaka/items/491b21e9afb34bbb6e6d)
 - [WARNING: Could not find virtual environment directory /home/site/wwwroot/antenv](https://stackoverflow.com/a/61720957)
 - [How to deploy a streamlit application on Azure App Service (WebApp)](https://learn.microsoft.com/en-us/answers/questions/1470782/how-to-deploy-a-streamlit-application-on-azure-app)
+
+### GitHub Actions
+
+To publish the docker image to Docker Hub, you need to set the following secrets in the repository settings.
+
+```shell
+gh secret set DOCKERHUB_USERNAME --body $DOCKERHUB_USERNAME
+gh secret set DOCKERHUB_TOKEN --body $DOCKERHUB_TOKEN
+```

infra/Makefile

@@ -0,0 +1,113 @@
+# Parameters
+SOURCE_FILES ?= $(shell find . -type f -name '*.bicep' -print)
+OUT_DIR ?= ./artifacts
+BICEP_MAIN ?= ./main.bicep
+BICEP_PARAMETERS ?= ./main.bicepparam
+
+# Git
+GIT_REVISION ?= $(shell git rev-parse --short HEAD)
+GIT_TAG ?= $(shell git describe --tags --abbrev=0 --always | sed -e s/v//g)
+
+# Azure
+SUBSCRIPTION_ID ?= $(shell az account show --query id --output tsv)
+SUBSCRIPTION_NAME ?= $(shell az account show --query name --output tsv)
+TENANT_ID ?= $(shell az account show --query tenantId --output tsv)
+OBJECT_ID ?= $(shell az account show --query user.name --output tsv)
+USER_ID ?= $(shell az ad user show --id $(OBJECT_ID) --query id --output tsv)
+RESOURCE_GROUP_NAME ?= rg-workshop-azure-openai
+LOCATION ?= japaneast
+DEPLOYMENT_NAME ?= main
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+.DEFAULT_GOAL := help
+
+.PHONY: info
+info: ## show information
+	@echo "GIT_REVISION: $(GIT_REVISION)"
+	@echo "GIT_TAG: $(GIT_TAG)"
+	@echo "SUBSCRIPTION_ID: $(SUBSCRIPTION_ID)"
+	@echo "SUBSCRIPTION_NAME: $(SUBSCRIPTION_NAME)"
+	@echo "TENANT_ID: $(TENANT_ID)"
+	@echo "OBJECT_ID: $(OBJECT_ID)"
+	@echo "USER_ID: $(USER_ID)"
+
+.PHONY: install-deps-dev
+install-deps-dev: ## install dependencies for development
+	@which az || echo "Please install Azure CLI: https://github.com/Azure/azure-cli#installation"
+	@az bicep upgrade
+
+.PHONY: format
+format: ## format codes
+	@$(foreach file,$(SOURCE_FILES),az bicep format --file $(file) --insert-final-newline;)
+
+.PHONY: lint
+lint: ## lint codes
+	@echo "lint: Skip since not implemented yet"
+
+.PHONY: build
+build: ## build a bicep file
+	@mkdir -p $(OUT_DIR)
+	@az bicep build \
+		--file $(BICEP_MAIN) \
+		--outfile $(OUT_DIR)/$(GIT_REVISION).json
+
+.PHONY: test
+test: deployment-what-if ## test codes
+
+.PHONY: ci-test
+ci-test: install-deps-dev lint build test ## ci test
+
+.PHONY: create-resource-group
+create-resource-group: ## create resource group
+	az group create \
+		--name $(RESOURCE_GROUP_NAME) \
+		--location $(LOCATION)
+
+.PHONY: delete-resource-group
+delete-resource-group: ## delete resource group
+	az group delete --name $(RESOURCE_GROUP_NAME) --yes --no-wait
+
+.PHONY: deployment-what-if
+deployment-what-if: ## execute a deployment What-If operation at resource group scope
+	az deployment group what-if \
+		--resource-group $(RESOURCE_GROUP_NAME) \
+		--template-file $(BICEP_MAIN) \
+		--parameters $(BICEP_PARAMETERS)
+
+.PHONY: deployment-create
+deployment-create: ## start a deployment at resource group
+	az deployment group create \
+		--resource-group $(RESOURCE_GROUP_NAME) \
+		--template-file $(BICEP_MAIN) \
+		--parameters $(BICEP_PARAMETERS)
+
+.PHONY: deployment-output
+deployment-output: ## show deployment output
+	az deployment group show \
+		--resource-group $(RESOURCE_GROUP_NAME) \
+		--name $(DEPLOYMENT_NAME) \
+		--query properties.outputs.deploymentInfo.value
+
+.PHONY: deploy
+deploy: create-resource-group deployment-what-if deployment-create ## deploy resources
+
+.PHONY: destroy
+destroy: delete-resource-group ## destroy resources
+
+# Generate deployment credentials: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=userlevel%2CCLI#generate-deployment-credentials
+.PHONY: create-for-rbac
+create-for-rbac: ## create service principal for RBAC
+	az ad sp create-for-rbac \
+		--name test-baseline-environment-on-azure-bicep \
+		--role contributor \
+		--scopes /subscriptions/$(SUBSCRIPTION_ID)/resourceGroups/$(RESOURCE_GROUP_NAME) \
+		--sdk-auth > $(OUT_DIR)/azure-credentials.json
+
+# Configure the GitHub secrets: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=userlevel%2CCLI#configure-the-github-secrets
+.PHONY: configure-github-secrets
+configure-github-secrets: ## configure GitHub secrets
+	gh secret set AZURE_CREDENTIALS < $(OUT_DIR)/azure-credentials.json
+	gh secret set AZURE_SUBSCRIPTION --body $(SUBSCRIPTION_ID)
+	gh secret set AZURE_RG --body $(RESOURCE_GROUP_NAME)

infra/main.bicep

@@ -0,0 +1,130 @@
+// Parameters
+@description('Specifies the name prefix for all the Azure resources.')
+@minLength(4)
+@maxLength(10)
+param prefix string = substring(uniqueString(resourceGroup().id, location), 0, 4)
+
+@description('Specifies the location for all the Azure resources.')
+param location string = resourceGroup().location
+
+@description('Specifies the name of the Azure Log Analytics resource.')
+param logAnalyticsName string = ''
+
+@description('Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB.')
+@allowed([
+  'Free'
+  'Standalone'
+  'PerNode'
+  'PerGB2018'
+])
+param logAnalyticsSku string = 'PerNode'
+
+@description('Specifies the workspace data retention in days. -1 means Unlimited retention for the Unlimited Sku. 730 days is the maximum allowed for all other Skus.')
+param logAnalyticsRetentionInDays int = 60
+
+@description('Specifies the name of the Azure AI Services resource.')
+param aiServicesName string = ''
+
+@description('Specifies the resource model definition representing SKU.')
+param aiServicesSku object = {
+  name: 'S0'
+}
+
+@description('Specifies the identity of the Azure AI Services resource.')
+param aiServicesIdentity object = {
+  type: 'SystemAssigned'
+}
+
+@description('Specifies an optional subdomain name used for token-based authentication.')
+param aiServicesCustomSubDomainName string = ''
+
+@description('Specifies whether disable the local authentication via API key.')
+param aiServicesDisableLocalAuth bool = false
+
+@description('Specifies whether or not public endpoint access is allowed for this account..')
+@allowed([
+  'Enabled'
+  'Disabled'
+])
+param aiServicesPublicNetworkAccess string = 'Enabled'
+
+@description('Specifies the OpenAI deployments to create.')
+param openAiDeployments array = []
+
+@description('Specifies the resource tags for all the resoources.')
+param tags object = {}
+
+@description('Specifies the object id of a Microsoft Entra ID user. In general, this the object id of the system administrator who deploys the Azure resources.')
+param userObjectId string = ''
+
+@description('Specifies the name of the Azure AI Search resource.')
+param aiSearchName string = '${prefix}aisearch'
+
+@description('Specifies the name of the Azure Cosmos DB resource.')
+param cosmosDbName string = '${prefix}cosmosdb'
+
+// Resources
+module workspace 'modules/logAnalytics.bicep' = {
+  name: 'workspace'
+  params: {
+    // properties
+    name: empty(logAnalyticsName) ? toLower('${prefix}-log-analytics') : logAnalyticsName
+    location: location
+    tags: tags
+    sku: logAnalyticsSku
+    retentionInDays: logAnalyticsRetentionInDays
+  }
+}
+
+module aiServices 'modules/aiServices.bicep' = {
+  name: 'aiServices'
+  params: {
+    // properties
+    name: empty(aiServicesName) ? toLower('${prefix}-ai-services') : aiServicesName
+    location: location
+    tags: tags
+    sku: aiServicesSku
+    identity: aiServicesIdentity
+    customSubDomainName: empty(aiServicesCustomSubDomainName)
+      ? toLower('${prefix}-ai-services')
+      : aiServicesCustomSubDomainName
+    disableLocalAuth: aiServicesDisableLocalAuth
+    publicNetworkAccess: aiServicesPublicNetworkAccess
+    deployments: openAiDeployments
+    workspaceId: workspace.outputs.id
+
+    // role assignments
+    userObjectId: userObjectId
+  }
+}
+
+module aiSearch './modules/aiSearch.bicep' = {
+  name: 'aiSearch'
+  params: {
+    name: aiSearchName
+    location: location
+    tags: tags
+  }
+}
+
+module cosmosDb './modules/cosmosDb.bicep' = {
+  name: 'cosmosDb'
+  params: {
+    name: cosmosDbName
+    location: location
+    tags: tags
+    primaryRegion: location
+    secondaryRegion: 'japanwest'
+  }
+}
+
+output deploymentInfo object = {
+  subscriptionId: subscription().subscriptionId
+  resourceGroupName: resourceGroup().name
+  location: location
+  aiServicesName: aiServices.outputs.name
+  aiServicesEndpoint: aiServices.outputs.endpoint
+  aiSearchName: aiSearch.outputs.name
+  cosmosDbAccountName: cosmosDb.outputs.accountName
+  cosmosDbAccountEndpoint: cosmosDb.outputs.accountEndpoint
+}

infra/main.bicepparam

@@ -0,0 +1,32 @@
+using './main.bicep'
+
+// param prefix = 'secure'
+// param suffix = 'test'
+// param userObjectId = '<user-object-id>'
+// param logAnalyticsName = '${prefix}loganalytics'
+param openAiDeployments = [
+  {
+    model: {
+      name: 'text-embedding-3-large'
+      version: '1'
+    }
+    sku: {
+      name: 'Standard'
+      capacity: 10
+    }
+  }
+  {
+    model: {
+      name: 'gpt-4o'
+      version: '2024-05-13'
+    }
+    sku: {
+      name: 'GlobalStandard'
+      capacity: 10
+    }
+  }
+]
+param tags = {
+  environment: 'development'
+  iac: 'bicep'
+}