From cc5fda8e266e6fdf63023368240e2f52e08f8bcd Mon Sep 17 00:00:00 2001 From: bjakems <165402330+bjakems@users.noreply.github.com> Date: Fri, 2 Aug 2024 16:39:32 +0100 Subject: [PATCH] restore Vision to be key based access --- functions/ImageEnrichment/__init__.py | 4 +++- infra/core/ai/cogServices/cogServices.tf | 13 ++++++++++++- infra/core/host/functions/functions.tf | 1 + scripts/inf-import-state.sh | 3 +++ scripts/json-to-env.function.debug.sh | 19 ++++++++++++++++++- scripts/json-to-env.webapp.debug.sh | 6 +++--- 6 files changed, 40 insertions(+), 6 deletions(-) diff --git a/functions/ImageEnrichment/__init__.py b/functions/ImageEnrichment/__init__.py index 024783909..e51e85118 100644 --- a/functions/ImageEnrichment/__init__.py +++ b/functions/ImageEnrichment/__init__.py @@ -4,6 +4,7 @@ import azure.functions as func import requests +from azure.core.credentials import AzureKeyCredential from azure.ai.vision.imageanalysis import ImageAnalysisClient from azure.ai.vision.imageanalysis.models import VisualFeatures from azure.storage.blob import BlobServiceClient @@ -37,6 +38,7 @@ cosmosdb_log_container_name = os.environ["COSMOSDB_LOG_CONTAINER_NAME"] # Cognitive Services +azure_ai_key = os.environ["AZURE_AI_KEY"] azure_ai_endpoint = os.environ["AZURE_AI_ENDPOINT"] azure_ai_location = os.environ["AZURE_AI_LOCATION"] azure_ai_credential_domain = os.environ["AZURE_AI_CREDENTIAL_DOMAIN"] @@ -100,7 +102,7 @@ vision_client = ImageAnalysisClient( endpoint=azure_ai_endpoint, - credential=azure_credential + credential=AzureKeyCredential(azure_ai_key) ) FUNCTION_NAME = "ImageEnrichment" diff --git a/infra/core/ai/cogServices/cogServices.tf b/infra/core/ai/cogServices/cogServices.tf index 083913caf..0593e15e5 100644 --- a/infra/core/ai/cogServices/cogServices.tf +++ b/infra/core/ai/cogServices/cogServices.tf 
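Review bot: `azure_ai_key = os.environ["AZURE_AI_KEY"]` only guards against the variable being absent; in the function app this setting is a Key Vault reference (see the functions.tf hunk of this patch), and when the platform cannot resolve such a reference it is documented to leave the literal `@Microsoft.KeyVault(...)` string as the value, so the client would be built with that string as its key and only fail later with an opaque authentication error. Consider failing fast at import time, e.g. `if not azure_ai_key or azure_ai_key.startswith("@Microsoft.KeyVault"): raise RuntimeError("AZURE_AI_KEY is missing or its Key Vault reference was not resolved")`. A one-line comment recording why a shared key replaced the identity credential here (the commit title says "restore", so there is presumably a reason) would also help, since the rest of the module still reads as identity-based.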
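Review bot: The vision client now authenticates with `AzureKeyCredential(azure_ai_key)` while the module still builds `azure_credential` (dropped on the removed line of this hunk); whether that credential is still needed by other clients is outside this hunk, so a reader cannot tell if it is now dead code. Add a comment above the constructor, e.g. `# Image Analysis uses key auth (AZURE_AI_KEY, delivered as a Key Vault reference); the cognitive account must keep local_auth_enabled = true for this to work`, and if `azure_credential` has no remaining users, remove it so a token credential is not created for nothing.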
@@ -7,7 +7,18 @@ resource "azurerm_cognitive_account" "cognitiveService" { tags = var.tags custom_subdomain_name = var.name public_network_access_enabled = var.is_secure_mode ? false : true - local_auth_enabled = var.is_secure_mode ? false : true +} + +module "cog_service_key" { + source = "../../security/keyvaultSecret" + arm_template_schema_mgmt_api = var.arm_template_schema_mgmt_api + key_vault_name = var.key_vault_name + resourceGroupName = var.resourceGroupName + secret_name = "AZURE-AI-KEY" + secret_value = azurerm_cognitive_account.cognitiveService.primary_access_key + alias = "aisvckey" + tags = var.tags + kv_secret_expiration = var.kv_secret_expiration } data "azurerm_subnet" "subnet" { diff --git a/infra/core/host/functions/functions.tf b/infra/core/host/functions/functions.tf index d918456d1..3e425fb51 100644 --- a/infra/core/host/functions/functions.tf +++ b/infra/core/host/functions/functions.tf @@ -176,6 +176,7 @@ resource "azurerm_linux_function_app" "function_app" { SUBMIT_REQUEUE_HIDE_SECONDS = var.submitRequeueHideSeconds POLLING_BACKOFF = var.pollingBackoff MAX_READ_ATTEMPTS = var.maxReadAttempts + AZURE_AI_KEY = "@Microsoft.KeyVault(SecretUri=${var.keyVaultUri}secrets/AZURE-AI-KEY)" AZURE_AI_ENDPOINT = var.enrichmentEndpoint ENRICHMENT_NAME = var.enrichmentName AZURE_AI_LOCATION = var.enrichmentLocation diff --git a/scripts/inf-import-state.sh b/scripts/inf-import-state.sh index 7521cb119..231e8977c 100755 --- a/scripts/inf-import-state.sh +++ b/scripts/inf-import-state.sh @@ -365,6 +365,9 @@ name="infoasst-enrichment-cog-$random_text" providers="/providers/Microsoft.CognitiveServices/accounts/$name" module_path="module.cognitiveServices.azurerm_cognitive_account.cognitiveService" import_resource_if_needed "$module_path" "$resourceId$providers" +secret_id=$(get_secret "AZURE-AI-KEY") +module_path="module.cognitiveServices.azurerm_key_vault_secret.search_service_key" +import_resource_if_needed "$module_path" "$secret_id" # Key Vault echo 
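Review bot: Deleting `local_auth_enabled = var.is_secure_mode ? false : true` re-enables key authentication in secure mode by falling back to the provider default instead of stating it; since the rest of this patch now depends on key access, make that explicit with `local_auth_enabled = true # required: ImageEnrichment authenticates with AZURE-AI-KEY` so a later hardening pass does not silently turn it back off. The new `cog_service_key` module reads `var.key_vault_name`, `var.resourceGroupName`, `var.arm_template_schema_mgmt_api` and `var.kv_secret_expiration`, none of which are declared or passed in this patch (the diffstat lists no variables file for this module or its caller), so the plan will fail unless they already exist. `primary_access_key` is a sensitive attribute; the keyvaultSecret module appears to be template-based given its `arm_template_schema_mgmt_api` input, so confirm the value does not end up in plain text in deployment parameters, outputs or state beyond the secret resource itself.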
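Review bot: The new `AZURE_AI_KEY` setting concatenates `${var.keyVaultUri}` directly with `secrets/AZURE-AI-KEY`, so it only forms a valid SecretUri when `keyVaultUri` ends with a slash; the neighbouring Key Vault references in this block presumably rely on the same convention, but `"@Microsoft.KeyVault(SecretUri=${trimsuffix(var.keyVaultUri, "/")}/secrets/AZURE-AI-KEY)"` is correct either way. The reference is resolved at runtime by the function app's managed identity, so that identity needs secret-get access on the vault (and, in secure mode, network reachability to it); nothing in this patch grants that, so it must already be in place for the existing references. The `app_settings` block continues outside the hunk.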
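Review bot: The import address `module.cognitiveServices.azurerm_key_vault_secret.search_service_key` does not match what cogServices.tf in this patch creates: the secret is produced by a child module, `module "cog_service_key"`, so the address must start with `module.cognitiveServices.module.cog_service_key.` followed by whatever resource the keyvaultSecret module declares (not shown here), and the `search_service_key` name looks copied from the search-service block. As written, `import_resource_if_needed` will either fail or bind the secret to an address Terraform has no configuration for. Replace it with the child-module address, e.g. `module_path="module.cognitiveServices.module.cog_service_key.<RESOURCE_TYPE>.<RESOURCE_NAME>"`, filling the placeholders from `infra/core/security/keyvaultSecret`.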
diff --git a/scripts/json-to-env.function.debug.sh b/scripts/json-to-env.function.debug.sh index b81a1eb60..3ed938708 100755 --- a/scripts/json-to-env.function.debug.sh +++ b/scripts/json-to-env.function.debug.sh @@ -15,7 +15,24 @@ if [ -n "${IN_AUTOMATION}" ]; then az account set -s "$ARM_SUBSCRIPTION_ID" > /dev/null 2>&1 fi -jq -r ' +secrets="{" +# Name of your Key Vault +keyVaultName=$(cat inf_output.json | jq -r .AZURE_KEYVAULT_NAME.value) + +# Names of your secrets +secretNames=("AZURE-AI-KEY") + +# Retrieve and export each secret +for secretName in "${secretNames[@]}"; do + secretValue=$(az keyvault secret show --name $secretName --vault-name $keyVaultName --query value -o tsv) + envVarName=$(echo $secretName | tr '-' '_') + secrets+="\"$envVarName\": \"$secretValue\"," +done +secrets=${secrets%?} # Remove the trailing comma +secrets+="}" +secrets="${secrets%,}" + +jq -r --arg secrets "$secrets" ' [ { "path": "AZURE_STORAGE_ACCOUNT", diff --git a/scripts/json-to-env.webapp.debug.sh b/scripts/json-to-env.webapp.debug.sh index af8164c3b..4d585fab2 100755 --- a/scripts/json-to-env.webapp.debug.sh +++ b/scripts/json-to-env.webapp.debug.sh @@ -207,9 +207,9 @@ keyVaultName=$(cat inf_output.json | jq -r .AZURE_KEYVAULT_NAME.value) # Names of your secrets if [ -n "${SECURE_MODE}" ]; then - secretNames=() + secretNames=("AZURE-AI-KEY") else - secretNames=("BINGSEARCH-KEY") + secretNames=("BINGSEARCH-KEY" "AZURE-AI-KEY") fi @@ -218,4 +218,4 @@ for secretName in "${secretNames[@]}"; do secretValue=$(az keyvault secret show --name $secretName --vault-name $keyVaultName --query value -o tsv) envVarName=$(echo $secretName | tr '-' '_') echo $envVarName=\'$secretValue\' -done \ No newline at end of file +done
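Review bot: The loop assembles JSON by hand: `secrets+="\"$envVarName\": \"$secretValue\","` inserts the raw secret with no escaping, so a value containing `"` or `\` produces invalid JSON, and `secrets=${secrets%?}` strips the last character unconditionally, which for an empty `secretNames` array removes the opening `{` (the following `${secrets%,}` is then a no-op). The result is passed with `--arg`, which binds `$secrets` in jq as a JSON string rather than an object; the jq program that consumes it is outside this hunk, so confirm the two agree. Building the object with jq itself avoids all three problems, and quoting `$secretName` and `$keyVaultName` in the `az` call removes word-splitting as well; if you keep `--arg`, the program needs `($secrets | fromjson)` instead.
```shell
secrets='{}'
# … unchanged: keyVaultName and secretNames …
for secretName in "${secretNames[@]}"; do
  secretValue=$(az keyvault secret show --name "$secretName" --vault-name "$keyVaultName" --query value -o tsv)
  envVarName=${secretName//-/_}
  secrets=$(jq -n --argjson acc "$secrets" --arg k "$envVarName" --arg v "$secretValue" '$acc + {($k): $v}')
done

jq -r --argjson secrets "$secrets" '
```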
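Review bot: `secretNames=("AZURE-AI-KEY")` in the secure-mode branch, and its addition to the non-secure list, copy the Vision key into the web app's debug environment, yet nothing in this patch changes web app code to read `AZURE_AI_KEY`; only the ImageEnrichment function is switched to key auth. If the web app does not consume it, drop it from both branches so the shared key is not written into one more process and local env file than needed; if it does, a comment naming the consumer, e.g. `# AZURE-AI-KEY: read by <component> for Image Analysis`, would save the next reader the search. The `if` block is fully within the hunk; the loop that exports these values is in the following hunk.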