From 5021e92af4d3c3c6ce4f920b79d42c3e81cb7f31 Mon Sep 17 00:00:00 2001 From: brown9804 Date: Mon, 12 Jan 2026 10:53:36 -0600 Subject: [PATCH 1/4] Switched from API key authentication to managed identity authentication (Azure RBAC) --- src/a2a/status_automation.ps1 | 2 +- terraform-infrastructure/main.tf | 51 ++++++++++++++++---------------- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/src/a2a/status_automation.ps1 b/src/a2a/status_automation.ps1 index 9705164..55089e8 100644 --- a/src/a2a/status_automation.ps1 +++ b/src/a2a/status_automation.ps1 @@ -11,7 +11,7 @@ if () { # Check automation endpoint try { - = Invoke-RestMethod -Uri "https://zava-faf734f3-app.azurewebsites.net/a2a/automation/status" -TimeoutSec 5 + = Invoke-RestMethod -Uri "https://zava-4f64ebdc-app.azurewebsites.net/a2a/automation/status" -TimeoutSec 5 Write-Host "Automation Status: " } catch { Write-Host "Automation endpoint not accessible" diff --git a/terraform-infrastructure/main.tf b/terraform-infrastructure/main.tf index 4326941..106e1bc 100644 --- a/terraform-infrastructure/main.tf +++ b/terraform-infrastructure/main.tf @@ -105,8 +105,9 @@ resource "azapi_resource" "storage" { } # AI Foundry account (preview) using AzAPI provider. +# Using managed identity authentication (disableLocalAuth = true for better security) resource "azapi_resource" "ai_foundry" { - type = "Microsoft.CognitiveServices/accounts@2025-06-01" + type = "Microsoft.CognitiveServices/accounts@2024-10-01" name = local.ai_foundry_name location = var.location parent_id = azurerm_resource_group.rg.id @@ -118,7 +119,7 @@ resource "azapi_resource" "ai_foundry" { properties = { allowProjectManagement = true customSubDomainName = local.ai_foundry_name - disableLocalAuth = false + disableLocalAuth = true } }) } @@ -446,24 +447,21 @@ resource "azurerm_linux_web_app" "app" { DOCKER_ENABLE_CI = "true" WEBSITES_PORT = "8000" - # GPT Configuration (Key Vault referenced secrets) + # GPT Configuration (using managed identity) gpt_endpoint = "https://${local.ai_foundry_name}.cognitiveservices.azure.com/" gpt_deployment = "gpt-4o-mini" - gpt_api_key = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/ai-foundry-key)" gpt_api_version = "2024-12-01-preview" - # MSFT Foundry Configuration + # MSFT Foundry Configuration (using managed identity) AZURE_AI_FOUNDRY_ENDPOINT = "https://${local.ai_foundry_name}.cognitiveservices.azure.com/" AZURE_AI_PROJECT_NAME = local.ai_project_name AZURE_AI_PROJECT_ENDPOINT = "https://${local.ai_foundry_name}.cognitiveservices.azure.com/" AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME = "gpt-4o-mini" - AZURE_AI_FOUNDRY_API_KEY = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/ai-foundry-key)" - # MSFT Foundry OpenAI Configuration + # MSFT Foundry OpenAI Configuration (using managed identity) AZURE_OPENAI_CHAT_DEPLOYMENT = "gpt-4o-mini" AZURE_OPENAI_EMBEDDING_DEPLOYMENT = "text-embedding-3-small" AZURE_OPENAI_IMAGE_DEPLOYMENT = "dall-e-3" - AZURE_OPENAI_API_KEY = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv.vault_uri}secrets/ai-foundry-key)" AZURE_OPENAI_ENDPOINT = "https://${local.ai_foundry_name}.cognitiveservices.azure.com/" AZURE_OPENAI_API_VERSION = "2024-02-01" @@ -537,14 +535,9 @@ resource "azurerm_key_vault_access_policy" "app_policy" { depends_on = [azurerm_linux_web_app.app] } -# Populate Key Vault secrets (AI Foundry key, Cosmos key, Search key, Storage connection) +# Populate Key Vault secrets (Cosmos key, Search key, Storage connection) # Key Vault Secrets as Terraform resources (provides version for references) -resource "azurerm_key_vault_secret" "ai_foundry_key" { - name = "ai-foundry-key" - value = jsondecode(data.azapi_resource_action.ai_foundry_keys[0].output).key1 - key_vault_id = azurerm_key_vault.kv.id - depends_on = [azurerm_key_vault.kv] -} +# Note: AI Foundry now uses managed identity instead of keys resource "azurerm_key_vault_secret" "search_admin_key" { name = "search-admin-key" @@ -925,6 +918,23 @@ resource "azurerm_role_assignment" "search_project_contributor" { principal_type = "ServicePrincipal" } +# Role assignments for Web App managed identity to access AI Foundry +resource "azurerm_role_assignment" "webapp_foundry_openai_user" { + scope = azapi_resource.ai_foundry.id + role_definition_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/${local.cognitive_openai_user_role_id}" + principal_id = data.azurerm_linux_web_app.app_identity.identity[0].principal_id + principal_type = "ServicePrincipal" + depends_on = [azurerm_linux_web_app.app] +} + +resource "azurerm_role_assignment" "webapp_project_openai_user" { + scope = azapi_resource.ai_project.id + role_definition_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/${local.cognitive_openai_user_role_id}" + principal_id = data.azurerm_linux_web_app.app_identity.identity[0].principal_id + principal_type = "ServicePrincipal" + depends_on = [azurerm_linux_web_app.app] +} + # Storage account permissions for MSFT Foundry project resource "azurerm_role_assignment" "storage_blob_data_contributor_user" { scope = azapi_resource.storage.id @@ -1099,16 +1109,7 @@ data "azapi_resource_action" "cosmos_keys" { depends_on = [azurerm_cosmosdb_account.cosmos] } -# Get AI Foundry keys for Web App configuration -data "azapi_resource_action" "ai_foundry_keys" { - count = var.enable_ai_automation ? 1 : 0 - type = "Microsoft.CognitiveServices/accounts@2024-10-01" - resource_id = azapi_resource.ai_foundry.id - action = "listKeys" - response_export_values = ["key1"] - body = jsonencode({}) - depends_on = [azapi_resource.ai_foundry] -} +# AI Foundry now uses managed identity authentication - no keys needed # Connect resources to MSFT Foundry project using ARM templates resource "azapi_resource" "storage_connection" { From de2741f4887b819c90f32b9bc3a8028dd44534ef Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 12 Jan 2026 16:54:48 +0000 Subject: [PATCH 2/4] Update visitor count --- README.md | 4 ++-- TROUBLESHOOTING.md | 4 ++-- terraform-infrastructure/README.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 05b7547..11123f7 100644 --- a/README.md +++ b/README.md @@ -202,7 +202,7 @@ graph TD
- Total views -

Refresh Date: 2025-12-04

+ Total views +

Refresh Date: 2026-01-12

diff --git a/TROUBLESHOOTING.md b/TROUBLESHOOTING.md index 28557dc..4f349b9 100644 --- a/TROUBLESHOOTING.md +++ b/TROUBLESHOOTING.md @@ -347,7 +347,7 @@ terraform apply
- Total views -

Refresh Date: 2025-12-04

+ Total views +

Refresh Date: 2026-01-12

diff --git a/terraform-infrastructure/README.md b/terraform-infrastructure/README.md index 2ebba4e..54585ed 100644 --- a/terraform-infrastructure/README.md +++ b/terraform-infrastructure/README.md @@ -119,7 +119,7 @@ graph TD;
- Total views -

Refresh Date: 2025-12-04

+ Total views +

Refresh Date: 2026-01-12

From b5c4ff795d9332140288bb75f6b9533c8d70504e Mon Sep 17 00:00:00 2001 From: brown9804 Date: Mon, 12 Jan 2026 10:56:52 -0600 Subject: [PATCH 3/4] Updated the workflow to use Node.js 20 --- .github/workflows/validate_and_fix_markdown.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate_and_fix_markdown.yml b/.github/workflows/validate_and_fix_markdown.yml index 4cef7ef..67746b3 100644 --- a/.github/workflows/validate_and_fix_markdown.yml +++ b/.github/workflows/validate_and_fix_markdown.yml @@ -20,9 +20,9 @@ jobs: fetch-depth: 0 - name: Set up Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: '16' + node-version: '20' - name: Install Markdown Linter run: npm install -g markdownlint-cli From e547c2920deb07e38adb5591e73341cbb80ac609 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 12 Jan 2026 16:57:58 +0000 Subject: [PATCH 4/4] Update last modified date in Markdown files --- README.md | 2 +- TROUBLESHOOTING.md | 2 +- terraform-infrastructure/README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 11123f7..9bfd89a 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Costa Rica [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/) [brown9804](https://github.com/brown9804) -Last updated: 2025-12-04 +Last updated: 2026-01-12 ---------- diff --git a/TROUBLESHOOTING.md b/TROUBLESHOOTING.md index 4f349b9..8b4fcc4 100644 --- a/TROUBLESHOOTING.md +++ b/TROUBLESHOOTING.md @@ -5,7 +5,7 @@ Costa Rica [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/) [brown9804](https://github.com/brown9804) -Last updated: 2025-11-24 +Last updated: 2026-01-12 ---------- diff --git a/terraform-infrastructure/README.md b/terraform-infrastructure/README.md index 54585ed..d4eda35 100644 --- a/terraform-infrastructure/README.md +++ b/terraform-infrastructure/README.md @@ -5,7 +5,7 @@ Costa Rica [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/) [brown9804](https://github.com/brown9804) -Last updated: 2025-12-03 +Last updated: 2026-01-12 ----------