Add second container for agent

Author: pamelafox

agents/Dockerfile

@@ -0,0 +1,39 @@
+# ------------------- Stage 1: Build Stage ------------------------------
+# We use Alpine for smaller image size (~329MB vs ~431MB for Debian slim).
+# Trade-off: We must install build tools to compile native extensions (cryptography, etc.)
+# since pre-built musl wheels aren't available. Debian -slim would skip compilation
+# but produces a larger final image due to glibc wheel sizes.
+FROM python:3.13-alpine AS build
+
+# Install build dependencies for packages with native extensions (cryptography, etc.)
+# https://cryptography.io/en/latest/installation/#building-cryptography-on-linux
+RUN apk add --no-cache gcc g++ musl-dev python3-dev libffi-dev openssl-dev cargo pkgconfig
+
+COPY --from=ghcr.io/astral-sh/uv:0.9.14 /uv /uvx /bin/
+
+WORKDIR /code
+
+# Install dependencies first (for layer caching)
+RUN --mount=type=cache,target=/root/.cache/uv \
+    --mount=type=bind,source=uv.lock,target=uv.lock \
+    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+    uv sync --locked --no-install-project
+
+# Copy the project and sync
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --locked
+
+# ------------------- Stage 2: Final Stage ------------------------------
+FROM python:3.13-alpine AS final
+
+RUN addgroup -S app && adduser -S app -G app
+
+COPY --from=build --chown=app:app /code /code
+
+WORKDIR /code/agents
+USER app
+
+ENV PATH="/code/.venv/bin:$PATH"
+
+ENTRYPOINT ["python", "agentframework_http.py"]

azure.yaml

@@ -5,13 +5,20 @@ metadata:
   template: [email protected]
 services:
   # Not using remoteBuild due to private endpoint usage
-  aca:
+  server:
     project: .
     language: docker
     host: containerapp
     docker:
       path: ./servers/Dockerfile
       context: .
+  agent:
+    project: .
+    language: docker
+    host: containerapp
+    docker:
+      path: ./agents/Dockerfile
+      context: .
 hooks:
   postprovision:
     posix:
@@ -21,4 +28,4 @@ hooks:
     windows:
       shell: pwsh
       run: ./infra/write_env.ps1
-      continueOnError: true
+      continueOnError: true

infra/agent.bicep

@@ -0,0 +1,59 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param identityName string
+param containerAppsEnvironmentName string
+param containerRegistryName string
+param serviceName string = 'agent'
+param exists bool
+param openAiDeploymentName string
+param openAiEndpoint string
+param mcpServerUrl string
+
+resource agentIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: identityName
+  location: location
+}
+
+module app 'core/host/container-app-upsert.bicep' = {
+  name: '${serviceName}-container-app-module'
+  params: {
+    name: name
+    location: location
+    tags: union(tags, { 'azd-service-name': serviceName })
+    identityName: agentIdentity.name
+    exists: exists
+    containerAppsEnvironmentName: containerAppsEnvironmentName
+    containerRegistryName: containerRegistryName
+    ingressEnabled: false
+    env: [
+      {
+        name: 'AZURE_OPENAI_CHAT_DEPLOYMENT'
+        value: openAiDeploymentName
+      }
+      {
+        name: 'AZURE_OPENAI_ENDPOINT'
+        value: openAiEndpoint
+      }
+      {
+        name: 'API_HOST'
+        value: 'azure'
+      }
+      {
+        name: 'AZURE_CLIENT_ID'
+        value: agentIdentity.properties.clientId
+      }
+      {
+        name: 'MCP_SERVER_URL'
+        value: mcpServerUrl
+      }
+    ]
+  }
+}
+
+output identityPrincipalId string = agentIdentity.properties.principalId
+output name string = app.outputs.name
+output hostName string = app.outputs.hostName
+output uri string = app.outputs.uri
+output imageName string = app.outputs.imageName

infra/core/host/container-app.bicep

@@ -124,5 +124,5 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
 output imageName string = imageName
 output name string = app.name
-output hostName string = app.properties.configuration.ingress.fqdn
+output hostName string = ingressEnabled ? app.properties.configuration.ingress.fqdn : ''
 output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''

infra/main.bicep

@@ -12,7 +12,9 @@ param location string
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
 
-param acaExists bool = false
+param serverExists bool = false
+
+param agentExists bool = false
 
 @description('Location for the OpenAI resource group')
 @allowed([
@@ -653,23 +655,41 @@ module cosmosDbPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.
   }
 }
 
-// Container app frontend
-module aca 'aca.bicep' = {
-  name: 'aca'
+// Container app for MCP server
+module server 'server.bicep' = {
+  name: 'server'
   scope: resourceGroup
   params: {
-    name: replace('${take(prefix,19)}-ca', '--', '-')
+    name: replace('${take(prefix,15)}-server', '--', '-')
     location: location
     tags: tags
-    identityName: '${prefix}-id-aca'
+    identityName: '${prefix}-id-server'
     containerAppsEnvironmentName: containerApps.outputs.environmentName
     containerRegistryName: containerApps.outputs.registryName
     openAiDeploymentName: openAiDeploymentName
     openAiEndpoint: openAi.outputs.endpoint
     cosmosDbAccount: cosmosDb.outputs.name
     cosmosDbDatabase: cosmosDbDatabaseName
     cosmosDbContainer: cosmosDbContainerName
-    exists: acaExists
+    exists: serverExists
+  }
+}
+
+// Container app for agent
+module agent 'agent.bicep' = {
+  name: 'agent'
+  scope: resourceGroup
+  params: {
+    name: replace('${take(prefix,15)}-agent', '--', '-')
+    location: location
+    tags: tags
+    identityName: '${prefix}-id-agent'
+    containerAppsEnvironmentName: containerApps.outputs.environmentName
+    containerRegistryName: containerApps.outputs.registryName
+    openAiDeploymentName: openAiDeploymentName
+    openAiEndpoint: openAi.outputs.endpoint
+    mcpServerUrl: '${server.outputs.uri}/mcp/'
+    exists: agentExists
   }
 }
 
@@ -683,11 +703,21 @@ module openAiRoleUser 'core/security/role.bicep' = {
   }
 }
 
-module openAiRoleBackend 'core/security/role.bicep' = {
+module openAiRoleServer 'core/security/role.bicep' = {
+  scope: resourceGroup
+  name: 'openai-role-server'
+  params: {
+    principalId: server.outputs.identityPrincipalId
+    roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Cognitive Services OpenAI User
+    principalType: 'ServicePrincipal'
+  }
+}
+
+module openAiRoleAgent 'core/security/role.bicep' = {
   scope: resourceGroup
-  name: 'openai-role-backend'
+  name: 'openai-role-agent'
   params: {
-    principalId: aca.outputs.identityPrincipalId
+    principalId: agent.outputs.identityPrincipalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Cognitive Services OpenAI User
     principalType: 'ServicePrincipal'
   }
@@ -704,13 +734,13 @@ module cosmosDbRoleUser 'core/security/documentdb-sql-role.bicep' = {
   }
 }
 
-// Cosmos DB Data Contributor role for backend
-module cosmosDbRoleBackend 'core/security/documentdb-sql-role.bicep' = {
+// Cosmos DB Data Contributor role for server
+module cosmosDbRoleServer 'core/security/documentdb-sql-role.bicep' = {
   scope: resourceGroup
-  name: 'cosmosdb-role-backend'
+  name: 'cosmosdb-role-server'
   params: {
     databaseAccountName: cosmosDb.outputs.name
-    principalId: aca.outputs.identityPrincipalId
+    principalId: server.outputs.identityPrincipalId
     roleDefinitionId: '/${subscription().id}/resourceGroups/${resourceGroup.name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDb.outputs.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
   }
 }
@@ -725,10 +755,15 @@ output AZURE_OPENAI_ENDPOINT string = openAi.outputs.endpoint
 output AZURE_OPENAI_RESOURCE string = openAi.outputs.name
 output AZURE_OPENAI_RESOURCE_LOCATION string = openAi.outputs.location
 
-output SERVICE_ACA_IDENTITY_PRINCIPAL_ID string = aca.outputs.identityPrincipalId
-output SERVICE_ACA_NAME string = aca.outputs.name
-output SERVICE_ACA_URI string = aca.outputs.uri
-output SERVICE_ACA_IMAGE_NAME string = aca.outputs.imageName
+output SERVICE_SERVER_IDENTITY_PRINCIPAL_ID string = server.outputs.identityPrincipalId
+output SERVICE_SERVER_NAME string = server.outputs.name
+output SERVICE_SERVER_URI string = server.outputs.uri
+output SERVICE_SERVER_IMAGE_NAME string = server.outputs.imageName
+
+output SERVICE_AGENT_IDENTITY_PRINCIPAL_ID string = agent.outputs.identityPrincipalId
+output SERVICE_AGENT_NAME string = agent.outputs.name
+output SERVICE_AGENT_URI string = agent.outputs.uri
+output SERVICE_AGENT_IMAGE_NAME string = agent.outputs.imageName
 
 output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerApps.outputs.environmentName
 output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerApps.outputs.registryLoginServer

infra/aca.bicep infra/server.bicepinfra/aca.bicep renamed to infra/server.bicep

@@ -5,15 +5,15 @@ param tags object = {}
 param identityName string
 param containerAppsEnvironmentName string
 param containerRegistryName string
-param serviceName string = 'aca'
+param serviceName string = 'server'
 param exists bool
 param openAiDeploymentName string
 param openAiEndpoint string
 param cosmosDbAccount string
 param cosmosDbDatabase string
 param cosmosDbContainer string
 
-resource acaIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+resource serverIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
   location: location
 }
@@ -24,7 +24,7 @@ module app 'core/host/container-app-upsert.bicep' = {
     name: name
     location: location
     tags: union(tags, { 'azd-service-name': serviceName })
-    identityName: acaIdentity.name
+    identityName: serverIdentity.name
     exists: exists
     containerAppsEnvironmentName: containerAppsEnvironmentName
     containerRegistryName: containerRegistryName
@@ -44,7 +44,7 @@ module app 'core/host/container-app-upsert.bicep' = {
       }
       {
         name: 'AZURE_CLIENT_ID'
-        value: acaIdentity.properties.clientId
+        value: serverIdentity.properties.clientId
       }
       {
         name: 'AZURE_COSMOSDB_ACCOUNT'
@@ -63,7 +63,7 @@ module app 'core/host/container-app-upsert.bicep' = {
   }
 }
 
-output identityPrincipalId string = acaIdentity.properties.principalId
+output identityPrincipalId string = serverIdentity.properties.principalId
 output name string = app.outputs.name
 output hostName string = app.outputs.hostName
 output uri string = app.outputs.uri