sfi changes v1

Rafi-Microsoft · Rafi-Microsoft · commit c1d823062bb4 · 2025-07-30T20:01:23.000+05:30
diff --git a/infra/deploy_app_service.bicep b/infra/deploy_app_service.bicep
@@ -184,6 +184,10 @@ resource Website 'Microsoft.Web/sites@2020-06-01' = {
     serverFarmId: HostingPlanName
     siteConfig: {
       appSettings: [
+        {
+          name: 'APP_ENV'
+          value: 'Prod'
+        }
         {
           name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
           value: reference(applicationInsightsId, '2015-05-01').InstrumentationKey
diff --git a/infra/main.json b/infra/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.177.2456",
-      "templateHash": "2238194529646818649"
+      "templateHash": "3253509031453285119"
     }
   },
   "parameters": {
@@ -359,7 +359,7 @@
       }
     },
     "solutionLocation": "[if(empty(parameters('AZURE_LOCATION')), resourceGroup().location, parameters('AZURE_LOCATION'))]",
-    "uniqueId": "[toLower(uniqueString(parameters('environmentName'), subscription().id, variables('solutionLocation')))]",
+    "uniqueId": "[toLower(uniqueString(parameters('environmentName'), subscription().id, variables('solutionLocation'), resourceGroup().name))]",
     "solutionPrefix": "[format('ca{0}', padLeft(take(variables('uniqueId'), 12), 12, '0'))]",
     "abbrs": "[variables('$fxv#0')]",
     "functionAppSqlPrompt": "Generate a valid T-SQL query to find {query} for tables and columns provided below:\r\n   1. Table: Clients\r\n   Columns: ClientId, Client, Email, Occupation, MaritalStatus, Dependents\r\n   2. Table: InvestmentGoals\r\n   Columns: ClientId, InvestmentGoal\r\n   3. Table: Assets\r\n   Columns: ClientId, AssetDate, Investment, ROI, Revenue, AssetType\r\n   4. Table: ClientSummaries\r\n   Columns: ClientId, ClientSummary\r\n   5. Table: InvestmentGoalsDetails\r\n   Columns: ClientId, InvestmentGoal, TargetAmount, Contribution\r\n   6. Table: Retirement\r\n   Columns: ClientId, StatusDate, RetirementGoalProgress, EducationGoalProgress\r\n   7. Table: ClientMeetings\r\n   Columns: ClientId, ConversationId, Title, StartTime, EndTime, Advisor, ClientEmail\r\n   Always use the Investment column from the Assets table as the value.\r\n   Assets table has snapshots of values by date. Do not add numbers across different dates for total values.\r\n   Do not use client name in filters.\r\n   Do not include assets values unless asked for.\r\n   ALWAYS use ClientId = {clientid} in the query filter.\r\n   ALWAYS select Client Name (Column: Client) in the query.\r\n   Query filters are IMPORTANT. Add filters like AssetType, AssetDate, etc. if needed.\r\n   When answering scheduling or time-based meeting questions, always use the StartTime column from ClientMeetings table. Use correct logic to return the most recent past meeting (last/previous) or the nearest future meeting (next/upcoming), and ensure only StartTime column is used for meeting timing comparisons.\r\n   Only return the generated SQL query. Do not return anything else.",
@@ -744,7 +744,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "1124249040831466979"
+              "templateHash": "1343961496887433815"
             }
           },
           "parameters": {
@@ -1458,7 +1458,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "11899270249637077405"
+                      "templateHash": "10199364008784095733"
                     }
                   },
                   "parameters": {
@@ -2244,7 +2244,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "10507186896960913919"
+              "templateHash": "7899619253922538038"
             }
           },
           "parameters": {
@@ -2615,6 +2615,10 @@
                 "serverFarmId": "[parameters('HostingPlanName')]",
                 "siteConfig": {
                   "appSettings": [
+                    {
+                      "name": "APP_ENV",
+                      "value": "Prod"
+                    },
                     {
                       "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
                       "value": "[reference(parameters('applicationInsightsId'), '2015-05-01').InstrumentationKey]"
@@ -2894,7 +2898,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "11899270249637077405"
+                      "templateHash": "10199364008784095733"
                     }
                   },
                   "parameters": {
diff --git a/infra/scripts/fabric_scripts/create_fabric_items.py b/infra/scripts/fabric_scripts/create_fabric_items.py
@@ -1,4 +1,3 @@
-from azure.identity import DefaultAzureCredential
 import base64
 import json
 import requests
@@ -8,7 +7,6 @@
 import time
 
 
-# credential = DefaultAzureCredential()
 from azure.identity import AzureCliCredential
 credential = AzureCliCredential()
 
diff --git a/infra/scripts/index_scripts/create_search_index.py b/infra/scripts/index_scripts/create_search_index.py
@@ -44,9 +44,7 @@
     "clienttranscripts/meeting_transcripts_metadata/transcripts_metadata.csv"
 )
 
-credential = DefaultAzureCredential(
-    managed_identity_client_id=managed_identity_client_id
-)
+credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
 token_provider = get_bearer_token_provider(
     credential,
     "https://cognitiveservices.azure.com/.default"
diff --git a/infra/scripts/index_scripts/create_sql_tables.py b/infra/scripts/index_scripts/create_sql_tables.py
@@ -13,9 +13,7 @@
 
 def get_secrets_from_kv(kv_name, secret_name):
     key_vault_name = kv_name  # Set the name of the Azure Key Vault
-    credential = DefaultAzureCredential(
-        managed_identity_client_id=managed_identity_client_id
-    )
+    credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
     secret_client = SecretClient(
         vault_url=f"https://{key_vault_name}.vault.azure.net/", credential=credential
     )  # Create a secret client object using the credential and Key Vault name
@@ -27,9 +25,7 @@ def get_secrets_from_kv(kv_name, secret_name):
 driver = "{ODBC Driver 18 for SQL Server}"
 
 
-credential = DefaultAzureCredential(
-    managed_identity_client_id=managed_identity_client_id
-)
+credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
 
 token_bytes = credential.get_token(
     "https://database.windows.net/.default"
@@ -49,9 +45,7 @@ def get_secrets_from_kv(kv_name, secret_name):
 from azure.storage.filedatalake import DataLakeServiceClient
 
 account_name = get_secrets_from_kv(key_vault_name, "ADLS-ACCOUNT-NAME")
-credential = DefaultAzureCredential(
-    managed_identity_client_id=managed_identity_client_id
-)
+credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
 
 account_url = f"https://{account_name}.dfs.core.windows.net"
 
diff --git a/infra/scripts/index_scripts/create_update_sql_dates.py b/infra/scripts/index_scripts/create_update_sql_dates.py
@@ -12,9 +12,7 @@
 
 def get_secrets_from_kv(kv_name, secret_name):
     key_vault_name = kv_name  # Set the name of the Azure Key Vault
-    credential = DefaultAzureCredential(
-        managed_identity_client_id=managed_identity_client_id
-    )
+    credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
     secret_client = SecretClient(
         vault_url=f"https://{key_vault_name}.vault.azure.net/", credential=credential
     )  # Create a secret client object using the credential and Key Vault name
@@ -32,9 +30,7 @@ def get_secrets_from_kv(kv_name, secret_name):
 from azure.storage.filedatalake import DataLakeServiceClient
 
 account_name = get_secrets_from_kv(key_vault_name, "ADLS-ACCOUNT-NAME")
-credential = DefaultAzureCredential(
-    managed_identity_client_id=managed_identity_client_id
-)
+credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id) # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in local environment.
 
 account_url = f"https://{account_name}.dfs.core.windows.net"
 
diff --git a/src/App/.env.sample b/src/App/.env.sample
@@ -67,4 +67,5 @@ AZURE_SQL_SYSTEM_PROMPT="Generate a valid T-SQL query to find {query} for tables
 # Misc
 APPINSIGHTS_INSTRUMENTATIONKEY=
 AUTH_ENABLED="false"
-USE_INTERNAL_STREAM="True"
+USE_INTERNAL_STREAM="True"
+APP_ENV="dev"
diff --git a/src/App/app.py b/src/App/app.py
@@ -6,7 +6,9 @@
 import uuid
 from types import SimpleNamespace
 
-from azure.identity import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity import get_bearer_token_provider
+from backend.helpers.azure_credential_utils import get_azure_credential
+from backend.helpers.azure_credential_utils import get_azure_credential_async
 from azure.monitor.opentelemetry import configure_azure_monitor
 
 # from quart.sessions import SecureCookieSessionInterface
@@ -185,7 +187,7 @@ def init_openai_client(use_data=SHOULD_USE_DATA):
         if not aoai_api_key:
             logging.debug("No AZURE_OPENAI_KEY found, using Azure AD auth")
             ad_token_provider = get_bearer_token_provider(
-                DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
+                get_azure_credential(), "https://cognitiveservices.azure.com/.default"
             )
 
         # Deployment
@@ -233,7 +235,7 @@ def init_cosmosdb_client():
             )
 
             if not config.AZURE_COSMOSDB_ACCOUNT_KEY:
-                credential = DefaultAzureCredential()
+                credential = get_azure_credential()
             else:
                 credential = config.AZURE_COSMOSDB_ACCOUNT_KEY
 
diff --git a/src/App/backend/agents/agent_factory.py b/src/App/backend/agents/agent_factory.py
@@ -10,8 +10,8 @@
 from typing import Optional
 
 from azure.ai.projects import AIProjectClient
-from azure.identity import DefaultAzureCredential as DefaultAzureCredentialSync
-from azure.identity.aio import DefaultAzureCredential
+from backend.helpers.azure_credential_utils import get_azure_credential
+from backend.helpers.azure_credential_utils import get_azure_credential_async
 from semantic_kernel.agents import AzureAIAgent, AzureAIAgentSettings
 
 from backend.common.config import config
@@ -35,7 +35,7 @@ async def get_wealth_advisor_agent(cls):
         async with cls._lock:
             if cls._wealth_advisor_agent is None:
                 ai_agent_settings = AzureAIAgentSettings()
-                creds = DefaultAzureCredential()
+                creds = await get_azure_credential_async()
                 client = AzureAIAgent.create_client(
                     credential=creds, endpoint=ai_agent_settings.endpoint
                 )
@@ -76,7 +76,7 @@ async def get_search_agent(cls):
 
                 project_client = AIProjectClient(
                     endpoint=config.AI_PROJECT_ENDPOINT,
-                    credential=DefaultAzureCredentialSync(),
+                    credential=get_azure_credential(),
                     api_version="2025-05-01",
                 )
 
@@ -137,7 +137,7 @@ async def get_sql_agent(cls) -> dict:
 
                 project_client = AIProjectClient(
                     endpoint=config.AI_PROJECT_ENDPOINT,
-                    credential=DefaultAzureCredentialSync(),
+                    credential=get_azure_credential(),
                     api_version="2025-05-01",
                 )
 
diff --git a/src/App/backend/helpers/azure_credential_utils.py b/src/App/backend/helpers/azure_credential_utils.py
@@ -0,0 +1,41 @@
+import os
+from azure.identity import ManagedIdentityCredential, DefaultAzureCredential
+from azure.identity.aio import ManagedIdentityCredential as AioManagedIdentityCredential, DefaultAzureCredential as AioDefaultAzureCredential
+
+
+async def get_azure_credential_async(client_id=None):
+    """
+    Returns an Azure credential asynchronously based on the application environment.
+
+    If the environment is 'dev', it uses AioDefaultAzureCredential.
+    Otherwise, it uses AioManagedIdentityCredential.
+
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+
+    Returns:
+        Credential object: Either AioDefaultAzureCredential or AioManagedIdentityCredential.
+    """
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return AioDefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return AioManagedIdentityCredential(client_id=client_id)
+
+
+def get_azure_credential(client_id=None):
+    """
+    Returns an Azure credential based on the application environment.
+
+    If the environment is 'dev', it uses DefaultAzureCredential.
+    Otherwise, it uses ManagedIdentityCredential.
+
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+
+    Returns:
+        Credential object: Either DefaultAzureCredential or ManagedIdentityCredential.
+    """
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return DefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return ManagedIdentityCredential(client_id=client_id)
diff --git a/src/App/backend/plugins/chat_with_data_plugin.py b/src/App/backend/plugins/chat_with_data_plugin.py
@@ -9,7 +9,8 @@
     MessageRole,
 )
 from azure.ai.projects import AIProjectClient
-from azure.identity import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity import get_bearer_token_provider
+from backend.helpers.azure_credential_utils import get_azure_credential
 from semantic_kernel.functions.kernel_function_decorator import kernel_function
 
 from backend.common.config import config
@@ -202,7 +203,7 @@ async def get_answers_from_calltranscripts(
 
     def get_openai_client(self):
         token_provider = get_bearer_token_provider(
-            DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
+            get_azure_credential(), "https://cognitiveservices.azure.com/.default"
         )
         openai_client = openai.AzureOpenAI(
             azure_endpoint=config.AZURE_OPENAI_ENDPOINT,
@@ -213,7 +214,7 @@ def get_openai_client(self):
 
     def get_project_openai_client(self):
         project = AIProjectClient(
-            endpoint=config.AI_PROJECT_ENDPOINT, credential=DefaultAzureCredential()
+            endpoint=config.AI_PROJECT_ENDPOINT, credential=get_azure_credential()
         )
         openai_client = project.inference.get_azure_openai_client(
             api_version=config.AZURE_OPENAI_PREVIEW_API_VERSION
diff --git a/src/App/backend/services/sqldb_service.py b/src/App/backend/services/sqldb_service.py
@@ -3,7 +3,7 @@
 import struct
 
 import pyodbc
-from azure.identity import DefaultAzureCredential
+from backend.helpers.azure_credential_utils import get_azure_credential
 from dotenv import load_dotenv
 
 from backend.common.config import config
@@ -40,7 +40,7 @@ def get_connection():
 
     for attempt in range(max_retries):
         try:
-            credential = DefaultAzureCredential(managed_identity_client_id=mid_id)
+            credential = get_azure_credential(client_id=mid_id)
 
             token_bytes = credential.get_token(
                 "https://database.windows.net/.default"
diff --git a/src/App/tests/backend/agents/test_agent_factory.py b/src/App/tests/backend/agents/test_agent_factory.py
@@ -21,7 +21,7 @@ def reset_singleton(self):
 
     @pytest.mark.asyncio
     @patch("backend.agents.agent_factory.AzureAIAgent")
-    @patch("backend.agents.agent_factory.DefaultAzureCredential")
+    @patch("backend.agents.agent_factory.get_azure_credential_async")
     @patch("backend.agents.agent_factory.AzureAIAgentSettings")
     @patch("backend.agents.agent_factory.ChatWithDataPlugin")
     async def test_get_wealth_advisor_agent_creates_agent_when_none_exists(
@@ -74,7 +74,7 @@ async def test_get_wealth_advisor_agent_returns_existing_agent(
     @pytest.mark.asyncio
     @patch("backend.agents.agent_factory.config")
     @patch("backend.agents.agent_factory.AIProjectClient")
-    @patch("backend.agents.agent_factory.DefaultAzureCredentialSync")
+    @patch("backend.agents.agent_factory.get_azure_credential")
     async def test_get_search_agent_creates_agent_when_none_exists(
         self, mock_credential_sync, mock_ai_project_client, mock_config, reset_singleton
     ):
@@ -112,7 +112,7 @@ async def test_get_search_agent_creates_agent_when_none_exists(
     @pytest.mark.asyncio
     @patch("backend.agents.agent_factory.config")
     @patch("backend.agents.agent_factory.AIProjectClient")
-    @patch("backend.agents.agent_factory.DefaultAzureCredentialSync")
+    @patch("backend.agents.agent_factory.get_azure_credential")
     async def test_get_search_agent_with_default_instructions(
         self, mock_credential_sync, mock_ai_project_client, mock_config, reset_singleton
     ):
@@ -174,7 +174,7 @@ async def test_multiple_calls_return_same_wealth_advisor_instance(
             )
             mock_agent_class.return_value = mock_agent_instance
 
-            with patch("backend.agents.agent_factory.DefaultAzureCredential"):
+            with patch("backend.agents.agent_factory.get_azure_credential_async"):
                 with patch("backend.agents.agent_factory.AzureAIAgentSettings"):
                     with patch("backend.agents.agent_factory.ChatWithDataPlugin"):
                         # Act
@@ -193,7 +193,7 @@ async def test_multiple_calls_return_same_search_agent_instance(
             with patch(
                 "backend.agents.agent_factory.AIProjectClient"
             ) as mock_ai_project_client:
-                with patch("backend.agents.agent_factory.DefaultAzureCredentialSync"):
+                with patch("backend.agents.agent_factory.get_azure_credential"):
                     mock_config.CALL_TRANSCRIPT_SYSTEM_PROMPT = "Test instructions"
                     mock_config.AI_PROJECT_ENDPOINT = "https://test.endpoint.com"
                     mock_config.AZURE_OPENAI_MODEL = "test-model"
diff --git a/src/App/tests/backend/helpers/test_azure_credential_utils.py b/src/App/tests/backend/helpers/test_azure_credential_utils.py
diff --git a/src/App/tests/backend/plugins/test_chat_with_data_plugin.py b/src/App/tests/backend/plugins/test_chat_with_data_plugin.py
diff --git a/src/App/tests/backend/services/test_sqldb_service.py b/src/App/tests/backend/services/test_sqldb_service.py
