Merge pull request #236 from microsoft/dev

feat: Use ManagedIdentityCredential fir Prod Workloads and DefaultAzureCredential for dev

Author: Vinay-Microsoft

infra/main.bicep

@@ -810,6 +810,10 @@ module avmContainerApp 'br/public:avm/res/app/container-app:0.17.0' = {
             name: 'APP_CONFIG_ENDPOINT'
             value: ''
           }
+          {
+            name: 'APP_ENV'
+            value: 'prod'
+          }
         ]
       }
     ]
@@ -854,6 +858,10 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.17.0' = {
             name: 'APP_CONFIG_ENDPOINT'
             value: ''
           }
+          {
+            name: 'APP_ENV'
+            value: 'prod'
+          }
         ]
         probes: [
           // Liveness Probe - Checks if the app is still running
@@ -1272,6 +1280,10 @@ module avmContainerApp_update 'br/public:avm/res/app/container-app:0.17.0' = {
             name: 'APP_CONFIG_ENDPOINT'
             value: avmAppConfig.outputs.endpoint
           }
+          {
+            name: 'APP_ENV'
+            value: 'prod'
+          }
         ]
       }
     ]
@@ -1327,6 +1339,10 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.17.0' =
             name: 'APP_CONFIG_ENDPOINT'
             value: avmAppConfig.outputs.endpoint
           }
+          {
+            name: 'APP_ENV'
+            value: 'prod'
+          }
         ]
         probes: [
           // Liveness Probe - Checks if the app is still running

src/ContentProcessor/conftest.py

@@ -0,0 +1,34 @@
+"""
+Global test configuration and fixtures for ContentProcessor tests.
+"""
+import sys
+import os
+import pytest
+from unittest.mock import patch, MagicMock
+
+# Add src directory to Python path for imports
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'src'))
+
+pytest_plugins = ["pytest_mock"]
+
+
+@pytest.fixture(autouse=True, scope="function")
+def mock_azure_credentials_for_helpers(request):
+    """
+    Mock Azure credentials for azure_helper classes only.
+    Skip this for credential utility tests that need to test the actual logic.
+    """
+    # Skip mocking for credential utility tests
+    if "test_azure_credential_utils" in str(request.fspath):
+        yield
+        return
+
+    with patch("helpers.azure_credential_utils.get_azure_credential") as mock_get_cred, \
+         patch("helpers.azure_credential_utils.get_azure_credential_async") as mock_get_cred_async:
+
+        # Create mock credential objects
+        mock_credential = MagicMock()
+        mock_get_cred.return_value = mock_credential
+        mock_get_cred_async.return_value = mock_credential
+
+        yield mock_credential

src/ContentProcessor/pytest.ini

@@ -0,0 +1,6 @@
+[tool:pytest]
+addopts = -v --strict-markers --disable-warnings
+python_files = tests.py test_*.py *_tests.py
+testpaths = src/tests
+markers =
+    asyncio: marks tests as async

src/ContentProcessor/src/helpers/azure_credential_utils.py

@@ -0,0 +1,44 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+import os
+from azure.identity import ManagedIdentityCredential, DefaultAzureCredential
+from azure.identity.aio import ManagedIdentityCredential as AioManagedIdentityCredential, DefaultAzureCredential as AioDefaultAzureCredential
+
+
+async def get_azure_credential_async(client_id=None):
+    """
+    Returns an Azure credential asynchronously based on the application environment.
+
+    If the environment is 'dev', it uses AioDefaultAzureCredential.
+    Otherwise, it uses AioManagedIdentityCredential.
+
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+
+    Returns:
+        Credential object: Either AioDefaultAzureCredential or AioManagedIdentityCredential.
+    """
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return AioDefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return AioManagedIdentityCredential(client_id=client_id)
+
+
+def get_azure_credential(client_id=None):
+    """
+    Returns an Azure credential based on the application environment.
+
+    If the environment is 'dev', it uses DefaultAzureCredential.
+    Otherwise, it uses ManagedIdentityCredential.
+
+    Args:
+        client_id (str, optional): The client ID for the Managed Identity Credential.
+
+    Returns:
+        Credential object: Either DefaultAzureCredential or ManagedIdentityCredential.
+    """
+    if os.getenv("APP_ENV", "prod").lower() == 'dev':
+        return DefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+    else:
+        return ManagedIdentityCredential(client_id=client_id)

src/ContentProcessor/src/libs/application/application_context.py

@@ -1,4 +1,6 @@
-from azure.identity import DefaultAzureCredential
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+from typing import Any
 
 from libs.application.application_configuration import AppConfiguration
 from libs.base.application_models import AppModelBase
@@ -11,10 +13,10 @@ class AppContext(AppModelBase):
     """
 
     configuration: AppConfiguration = None
-    credential: DefaultAzureCredential = None
+    credential: Any = None  # Azure credential object
 
     def set_configuration(self, configuration: AppConfiguration):
         self.configuration = configuration
 
-    def set_credential(self, credential: DefaultAzureCredential):
+    def set_credential(self, credential: Any):
         self.credential = credential

src/ContentProcessor/src/libs/azure_helper/app_configuration.py

@@ -1,16 +1,18 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 import os
 
 from azure.appconfiguration import AzureAppConfigurationClient
-from azure.identity import DefaultAzureCredential
+from helpers.azure_credential_utils import get_azure_credential
 
 
 class AppConfigurationHelper:
-    credential: DefaultAzureCredential = None
     app_config_endpoint: str = None
     app_config_client: AzureAppConfigurationClient = None
 
     def __init__(self, app_config_endpoint: str):
-        self.credential = DefaultAzureCredential()
+        self.credential = get_azure_credential()
         self.app_config_endpoint = app_config_endpoint
         self._initialize_client()
 

src/ContentProcessor/src/libs/azure_helper/azure_openai.py

@@ -1,9 +1,13 @@
-from azure.identity import DefaultAzureCredential, get_bearer_token_provider
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+from azure.identity import get_bearer_token_provider
+from helpers.azure_credential_utils import get_azure_credential
 from openai import AzureOpenAI
 
 
 def get_openai_client(azure_openai_endpoint: str) -> AzureOpenAI:
-    credential = DefaultAzureCredential()
+    credential = get_azure_credential()
     token_provider = get_bearer_token_provider(
         credential, "https://cognitiveservices.azure.com/.default"
     )

src/ContentProcessor/src/libs/azure_helper/content_understanding.py

@@ -7,22 +7,21 @@
 from pathlib import Path
 
 import requests
-from azure.identity import DefaultAzureCredential
+from helpers.azure_credential_utils import get_azure_credential
 from requests.models import Response
 
 COGNITIVE_SERVICES_SCOPE = "https://cognitiveservices.azure.com/.default"
 
 
 class AzureContentUnderstandingHelper:
-    credential: DefaultAzureCredential = None
 
     def __init__(
         self,
         endpoint: str,
         api_version: str = "2024-12-01-preview",
         x_ms_useragent: str = "cps-contentunderstanding/client",
     ):
-        self.credential = DefaultAzureCredential()
+        self.credential = get_azure_credential()
 
         if not api_version:
             raise ValueError("API version must be provided.")

src/ContentProcessor/src/libs/azure_helper/storage_blob.py

@@ -3,20 +3,19 @@
 
 from typing import IO, Union
 
-from azure.identity import DefaultAzureCredential
+from helpers.azure_credential_utils import get_azure_credential
 from azure.storage.blob import BlobServiceClient
 
 
 class StorageBlobHelper:
-    credential: DefaultAzureCredential = None
     blob_service_client: BlobServiceClient = None
 
     @staticmethod
     def get(account_url: str, container_name: str = None):
         return StorageBlobHelper(account_url=account_url, container_name=container_name)
 
     def __init__(self, account_url: str, container_name=None):
-        self.credential = DefaultAzureCredential()
+        self.credential = get_azure_credential()
         self.blob_service_client = BlobServiceClient(
             account_url=account_url, credential=self.credential
         )

src/ContentProcessor/src/libs/pipeline/pipeline_queue_helper.py

@@ -4,7 +4,7 @@
 import logging
 
 from azure.core.exceptions import ResourceNotFoundError
-from azure.identity import DefaultAzureCredential
+from helpers.azure_credential_utils import get_azure_credential
 from azure.storage.queue import QueueClient, QueueMessage
 
 from libs.pipeline import pipeline_step_helper
@@ -28,7 +28,7 @@ def invalidate_queue(queue_client: QueueClient):
 
 
 def create_or_get_queue_client(
-    queue_name: str, accouont_url: str, credential: DefaultAzureCredential
+    queue_name: str, accouont_url: str, credential: get_azure_credential
 ) -> QueueClient:
     queue_client = QueueClient(
         account_url=accouont_url, queue_name=queue_name, credential=credential
@@ -55,7 +55,7 @@ def has_messages(queue_client: QueueClient) -> bool:
 
 
 def pass_data_pipeline_to_next_step(
-    data_pipeline: DataPipeline, account_url: str, credential: DefaultAzureCredential
+    data_pipeline: DataPipeline, account_url: str, credential: get_azure_credential
 ):
     next_step_name = pipeline_step_helper.get_next_step_name(
         data_pipeline.pipeline_status, data_pipeline.pipeline_status.active_step
@@ -70,7 +70,7 @@ def pass_data_pipeline_to_next_step(
 
 
 def _create_queue_client(
-    account_url: str, queue_name: str, credential: DefaultAzureCredential
+    account_url: str, queue_name: str, credential: get_azure_credential
 ) -> QueueClient:
     queue_client = QueueClient(
         account_url=account_url, queue_name=queue_name, credential=credential