Use keyvault for secrets

Author: Pavan-Microsoft

.github/workflows/docker-build.yml

@@ -49,7 +49,7 @@ jobs:
         id: determine_tag
         run: |
          if [[ "${{ github.ref_name }}" == "main" ]]; then
-          echo "tagname=latest" >> $GITHUB_OUTPUT
+          echo "tagname=latest_migra" >> $GITHUB_OUTPUT
          elif [[ "${{ github.ref_name }}" == "dev" ]]; then
           echo "tagname=dev" >> $GITHUB_OUTPUT
          elif [[ "${{ github.ref_name }}" == "demo" ]]; then
@@ -70,22 +70,12 @@ jobs:
             ${{ secrets.ACR_LOGIN_SERVER }}/km-app:${{ steps.determine_tag.outputs.tagname }}
             ${{ secrets.ACR_LOGIN_SERVER }}/km-app:${{ steps.determine_tag.outputs.tagname }}_${{ steps.date.outputs.date }}_${{ github.run_number }}
 
-      - name: Build and Push Docker Image for km-rag-function
+      - name: Build and Push Docker Image for api
         uses: docker/build-push-action@v6
         with:
-          context: ./src/api/km-rag-function
-          file: ./src/api/km-rag-function/Dockerfile
+          context: ./src/api
+          file: ./src/api/ApiApp.Dockerfile
           push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo'  || github.ref_name == 'dependabotchanges' }}
           tags: |
-            ${{ secrets.ACR_LOGIN_SERVER }}/km-rag-function:${{ steps.determine_tag.outputs.tagname }}
-            ${{ secrets.ACR_LOGIN_SERVER }}/km-rag-function:${{ steps.determine_tag.outputs.tagname }}_${{ steps.date.outputs.date }}_${{ github.run_number }}
-
-      - name: Build and Push Docker Image for km-charts-function
-        uses: docker/build-push-action@v6
-        with:
-          context: ./src/api/km-charts-function
-          file: ./src/api/km-charts-function/Dockerfile
-          push: ${{ github.ref_name == 'main' || github.ref_name == 'dev' || github.ref_name == 'demo'  || github.ref_name == 'dependabotchanges' }}
-          tags: |
-            ${{ secrets.ACR_LOGIN_SERVER }}/km-charts-function:${{ steps.determine_tag.outputs.tagname }}
-            ${{ secrets.ACR_LOGIN_SERVER }}/km-charts-function:${{ steps.determine_tag.outputs.tagname }}_${{ steps.date.outputs.date }}_${{ github.run_number }}
+            ${{ secrets.ACR_LOGIN_SERVER }}/km-api:${{ steps.determine_tag.outputs.tagname }}
+            ${{ secrets.ACR_LOGIN_SERVER }}/km-api:${{ steps.determine_tag.outputs.tagname }}_${{ steps.date.outputs.date }}_${{ github.run_number }}

infra/deploy_backend_docker.bicep

@@ -4,15 +4,8 @@ param solutionName string
 @secure()
 param appSettings object = {}
 param appServicePlanId string
-@secure()
-param azureOpenAIKey string
-@secure()
-param azureAiProjectConnString string
-@secure()
-param azureSearchAdminKey string
-// param azureOpenAIKeyName string
-// param keyVaultName string
 param userassignedIdentityId string
+param keyVaultName string
 
 var imageName = 'DOCKER|kmcontainerreg.azurecr.io/km-api:${imageTag}'
 var name = '${solutionName}-api'
@@ -91,10 +84,7 @@ module appService 'deploy_app_service.bicep' = {
     appSettings: union(
       appSettings,
       {
-        AZURE_OPENAI_API_KEY: azureOpenAIKey
         APPINSIGHTS_INSTRUMENTATIONKEY: reference(applicationInsightsId, '2015-05-01').InstrumentationKey
-        AZURE_AI_SEARCH_API_KEY: azureSearchAdminKey
-        AZURE_AI_PROJECT_CONN_STRING:azureAiProjectConnString
         REACT_APP_LAYOUT_CONFIG: reactAppLayoutConfig
       }
     )
@@ -120,4 +110,25 @@ resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+var keyVaultSecretsOfficerId='b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
+@description('The built-in role for Key Vault Secrets Officer.')
+resource keyVaultSecretsOfficerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: keyVaultSecretsOfficerId
+}
+
+resource keyVaultSecretsOfficerRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: keyVault
+  name: guid(keyVault.id, keyVaultSecretsOfficerRoleDefinition.id)
+  properties: {
+    roleDefinitionId: keyVaultSecretsOfficerRoleDefinition.id
+    principalId: appService.outputs.identityPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 output appUrl string = appService.outputs.appUrl

infra/deploy_keyvault.bicep

@@ -68,3 +68,4 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 
 output keyvaultName string = keyvaultName
 output keyvaultId string = keyVault.id
+output keyvaultUri string = keyVault.properties.vaultUri

infra/main.bicep

@@ -63,15 +63,15 @@ param embeddingModel string = 'text-embedding-ada-002'
 @description('Capacity of the Embedding Model deployment')
 param embeddingDeploymentCapacity int = 80
 
-param imageTag string = 'migra'
+param imageTag string = 'latest_migra'
 
 var uniqueId = toLower(uniqueString(subscription().id, environmentName, resourceGroup().location))
 var solutionPrefix = 'km${padLeft(take(uniqueId, 12), 12, '0')}'
 var resourceGroupLocation = resourceGroup().location
 // var resourceGroupName = resourceGroup().name
 
 var solutionLocation = resourceGroupLocation
-var baseUrl = 'https://raw.githubusercontent.com/microsoft/Conversation-Knowledge-Mining-Solution-Accelerator/psl-pk-dev-api-migration/'
+var baseUrl = 'https://raw.githubusercontent.com/microsoft/Conversation-Knowledge-Mining-Solution-Accelerator/main/'
 
 
 // ========== Managed Identity ========== //
@@ -195,17 +195,15 @@ module backend_docker 'deploy_backend_docker.bicep'= {
     appServicePlanId: hostingplan.outputs.name
     applicationInsightsId: aifoundry.outputs.applicationInsightsId
     solutionName: solutionPrefix
-    azureOpenAIKey:keyVault.getSecret('AZURE-OPENAI-KEY')
-    azureAiProjectConnString:keyVault.getSecret('AZURE-AI-PROJECT-CONN-STRING')
-    azureSearchAdminKey:keyVault.getSecret('AZURE-SEARCH-KEY')
     userassignedIdentityId: managedIdentityModule.outputs.managedIdentityBackendAppOutput.id
-    // azureOpenAIKeyName:aifoundry.outputs.azureOpenAIKeyName
-    // keyVaultName: kvault.outputs.keyvaultName
+    keyVaultName:aifoundry.outputs.keyvaultName
     appSettings:{
         AZURE_OPEN_AI_DEPLOYMENT_MODEL:gptModelName
         AZURE_OPEN_AI_ENDPOINT:aifoundry.outputs.aiServicesTarget
         AZURE_OPENAI_API_VERSION: azureOpenAIApiVersion
         AZURE_OPENAI_RESOURCE:aifoundry.outputs.aiServicesName
+        AZURE_OPENAI_API_KEY:'AZURE-OPENAI-KEY'
+        AZURE_KEY_VAULT_URL: kvault.outputs.keyvaultUri
         USE_CHAT_HISTORY_ENABLED:'True'
         AZURE_COSMOSDB_ACCOUNT: cosmosDBModule.outputs.cosmosAccountName
         AZURE_COSMOSDB_CONVERSATIONS_CONTAINER: cosmosDBModule.outputs.cosmosContainerName
@@ -214,11 +212,14 @@ module backend_docker 'deploy_backend_docker.bicep'= {
         SQLDB_DATABASE:sqlDBModule.outputs.sqlDbName
         SQLDB_SERVER: sqlDBModule.outputs.sqlServerName
         SQLDB_USERNAME: sqlDBModule.outputs.sqlDbUser
+        SQLDB_USER_MID: managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
+
         OPENAI_API_VERSION: azureOpenAIApiVersion
         AZURE_AI_SEARCH_ENDPOINT: aifoundry.outputs.aiSearchTarget
         AZURE_AI_SEARCH_INDEX: 'call_transcripts_index'
-        SQLDB_USER_MID: managedIdentityModule.outputs.managedIdentityBackendAppOutput.clientId
+        AZURE_AI_SEARCH_API_KEY:'AZURE-SEARCH-KEY'
         USE_AI_PROJECT_CLIENT:'False'
+        AZURE_AI_PROJECT_CONN_STRING:'AZURE-AI-PROJECT-CONN-STRING'
         DISPLAY_CHART_DEFAULT:'True'
       }
   }