restore Vision to be key based access

microsoft · Aug 2, 2024 · cc5fda8 · cc5fda8
1 parent 761020b
commit cc5fda8
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 6 deletions.
diff --git a/functions/ImageEnrichment/__init__.py b/functions/ImageEnrichment/__init__.py
@@ -4,6 +4,7 @@
 
 import azure.functions as func
 import requests
+from azure.core.credentials import AzureKeyCredential
 from azure.ai.vision.imageanalysis import ImageAnalysisClient
 from azure.ai.vision.imageanalysis.models import VisualFeatures
 from azure.storage.blob import BlobServiceClient
@@ -37,6 +38,7 @@
 cosmosdb_log_container_name = os.environ["COSMOSDB_LOG_CONTAINER_NAME"]
 
 # Cognitive Services
+azure_ai_key = os.environ["AZURE_AI_KEY"]
 azure_ai_endpoint = os.environ["AZURE_AI_ENDPOINT"]
 azure_ai_location = os.environ["AZURE_AI_LOCATION"]
 azure_ai_credential_domain = os.environ["AZURE_AI_CREDENTIAL_DOMAIN"]
@@ -100,7 +102,7 @@
 
 vision_client = ImageAnalysisClient(
         endpoint=azure_ai_endpoint,
-        credential=azure_credential
+        credential=AzureKeyCredential(azure_ai_key)
     )
 
 FUNCTION_NAME = "ImageEnrichment"

diff --git a/infra/core/ai/cogServices/cogServices.tf b/infra/core/ai/cogServices/cogServices.tf
@@ -7,7 +7,18 @@ resource "azurerm_cognitive_account" "cognitiveService" {
   tags                          = var.tags
   custom_subdomain_name         = var.name
   public_network_access_enabled = var.is_secure_mode ? false : true
-  local_auth_enabled            = var.is_secure_mode ? false : true
+}
+
+module "cog_service_key" {
+  source                        = "../../security/keyvaultSecret"
+  arm_template_schema_mgmt_api  = var.arm_template_schema_mgmt_api
+  key_vault_name                = var.key_vault_name
+  resourceGroupName             = var.resourceGroupName
+  secret_name                   = "AZURE-AI-KEY"
+  secret_value                  = azurerm_cognitive_account.cognitiveService.primary_access_key
+  alias                         = "aisvckey"
+  tags                          = var.tags
+  kv_secret_expiration          = var.kv_secret_expiration
 }
 
 data "azurerm_subnet" "subnet" {

diff --git a/infra/core/host/functions/functions.tf b/infra/core/host/functions/functions.tf
@@ -176,6 +176,7 @@ resource "azurerm_linux_function_app" "function_app" {
     SUBMIT_REQUEUE_HIDE_SECONDS                 = var.submitRequeueHideSeconds
     POLLING_BACKOFF                             = var.pollingBackoff
     MAX_READ_ATTEMPTS                           = var.maxReadAttempts
+    AZURE_AI_KEY                                = "@Microsoft.KeyVault(SecretUri=${var.keyVaultUri}secrets/AZURE-AI-KEY)"
     AZURE_AI_ENDPOINT                           = var.enrichmentEndpoint
     ENRICHMENT_NAME                             = var.enrichmentName
     AZURE_AI_LOCATION                           = var.enrichmentLocation

diff --git a/scripts/inf-import-state.sh b/scripts/inf-import-state.sh
@@ -365,6 +365,9 @@ name="infoasst-enrichment-cog-$random_text"
 providers="/providers/Microsoft.CognitiveServices/accounts/$name"
 module_path="module.cognitiveServices.azurerm_cognitive_account.cognitiveService"
 import_resource_if_needed "$module_path" "$resourceId$providers"
+secret_id=$(get_secret "AZURE-AI-KEY")
+module_path="module.cognitiveServices.azurerm_key_vault_secret.search_service_key"
+import_resource_if_needed "$module_path" "$secret_id"
 
 # Key Vault
 echo

diff --git a/scripts/json-to-env.function.debug.sh b/scripts/json-to-env.function.debug.sh
@@ -15,7 +15,24 @@ if [ -n "${IN_AUTOMATION}" ]; then
     az account set -s "$ARM_SUBSCRIPTION_ID" > /dev/null 2>&1
 fi
 
-jq -r  '
+secrets="{"
+# Name of your Key Vault
+keyVaultName=$(cat inf_output.json | jq -r .AZURE_KEYVAULT_NAME.value)
+
+# Names of your secrets
+secretNames=("AZURE-AI-KEY")
+
+# Retrieve and export each secret
+for secretName in "${secretNames[@]}"; do
+  secretValue=$(az keyvault secret show --name $secretName --vault-name $keyVaultName --query value -o tsv)
+  envVarName=$(echo $secretName | tr '-' '_')
+  secrets+="\"$envVarName\": \"$secretValue\","
+done 
+secrets=${secrets%?} # Remove the trailing comma
+secrets+="}"
+secrets="${secrets%,}"
+
+jq -r --arg secrets "$secrets" '
     [
         {
             "path": "AZURE_STORAGE_ACCOUNT",

diff --git a/scripts/json-to-env.webapp.debug.sh b/scripts/json-to-env.webapp.debug.sh
@@ -207,9 +207,9 @@ keyVaultName=$(cat inf_output.json | jq -r .AZURE_KEYVAULT_NAME.value)
 
 # Names of your secrets
 if [ -n "${SECURE_MODE}" ]; then
-    secretNames=()
+    secretNames=("AZURE-AI-KEY")
 else
-    secretNames=("BINGSEARCH-KEY")    
+    secretNames=("BINGSEARCH-KEY" "AZURE-AI-KEY")    
 fi
 
 
@@ -218,4 +218,4 @@ for secretName in "${secretNames[@]}"; do
   secretValue=$(az keyvault secret show --name $secretName --vault-name $keyVaultName --query value -o tsv)
   envVarName=$(echo $secretName | tr '-' '_')
   echo $envVarName=\'$secretValue\'
-done        
+done