feat: Migrate to Azure AI Foundry with managed identity #48
Merged
Conversation
- Add LOG_LEVEL setting to config.py for environment-based log level control
- Create logging_config.py with setup_logging() for single-point configuration
- Call setup_logging() early in main.py before other imports
- Remove scattered basicConfig() calls from 8 modules
- Replace print() with logger.error() in gallery.py error handler
- Remove redundant function-level logging imports

This ensures consistent log format and predictable behavior regardless of module import order. Log level can be controlled via LOG_LEVEL env var.
- Replace color system with pure B/W + single red accent (#FF0000)
- Swap fonts to Bebas Neue (display) + Source Sans 3 (body)
- Set all border-radius to 0px for sharp, architectural edges
- Apply uppercase + wide letter-spacing to all headings/labels
- Increase whitespace and spacing throughout (8rem+ gaps)
- Oversized typography with clamp() and font-weight 900
- Dramatic 404 page with massive type
- Bold minimal login page
- Clean card overlays with no rounded corners
- Tighter grid gaps for gallery views
- Updated sidebar with bold section labels and border accents
- Dark mode: deep black (#0A0A0A) with white text

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Red Thread, a signature 2px red accent line (#E40010) that weaves through the entire interface as the single memorable element:
- Slides under active page headers and sidebar brand
- Draws across hover states on gallery cards (bottom edge)
- Climbs vertically on stat cards on hover
- Appears as a divider on login and empty states

Atmosphere & texture:
- Film grain overlay via SVG noise filter (body::after)
- Red text selection color across the entire app
- Red focus rings for keyboard navigation
- Refined color palette with warmer neutrals

Motion & reveals:
- Custom @keyframes: reveal-up, fade-in, line-draw
- Stagger delay classes (.stagger-1 through .stagger-6)
- Dramatic 404 page with layered animations
- Login page with sequenced entrance (title → red line → subtitle → form)
- Refined page transitions with cubic-bezier(0.22, 1, 0.36, 1)

Typography refinements:
- Tighter heading line-height (0.9) for dramatic stacking
- Wider letter-spacing on labels (0.2em+)
- 404 scaled up to clamp(10rem, 30vw, 24rem)
- Stat numbers at text-5xl with -0.05em tracking

Editorial details:
- Settings tabs restyled as underlined editorial navigation
- Theme toggle icon turns red on hover
- Gallery card hover: border goes foreground + red bottom line
- Login card border thickens on hover (2px → foreground)
- prefers-reduced-motion fully respected

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…dule Add IMAGEGEN_15_DEPLOYMENT and IMAGEGEN_1_MINI_DEPLOYMENT params to containerApp.bicep and pass them as env vars. Remove unnecessary dependsOn entries that Bicep infers from output references. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace RowBasedMasonryGrid with Aceternity UI's LayoutGrid component for the image gallery. Cards animate on click with Framer Motion layout transitions. Existing interactions (delete, move, detail view) preserved. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace 3 separate Azure OpenAI resources with a single AI Foundry resource (Microsoft.CognitiveServices/accounts kind AIServices). Migrate all service connections from API key/account key auth to managed identity (DefaultAzureCredential).

Infrastructure:
- New Bicep modules: aiFoundry, aiFoundryProject, aiFoundryModelDeployment, aiFoundryRoleAssignment, storageRoleAssignment
- 5 model deployments: gpt-4o, gpt-image-1, gpt-image-1.5, gpt-image-1-mini, sora (chained sequentially)
- RBAC: Cognitive Services OpenAI User, Storage Blob Data Contributor, Storage Blob Delegator, Cosmos DB Data Contributor
- Remove openAiDeployment.bicep, all API key parameters
- Remove storage account key output

Backend:
- All OpenAI clients use azure_ad_token_provider via get_bearer_token_provider
- Sora httpx client uses cached bearer token via token_provider
- Blob Storage uses DefaultAzureCredential (no account key)
- SAS tokens generated via User Delegation Keys
- Cosmos DB simplified to managed identity only
- GPTImageClient auto-creates credentials when not passed
- Remove all API key settings from config.py

Tests:
- Update unit and integration test fixtures for managed identity
- Remove stale API key environment variables

Docs:
- Update .env.example, DEPLOYMENT.md for Foundry deployment
- Document az login requirement for local development

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
gpt-image-1 not available in swedencentral. sora version: 2025-05-02. Make base image deployment conditional (same as 1.5/mini). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
sora 2025-05-02 deprecated since 2026-02-28, gpt-image-1 not in swedencentral. All model deployments now conditional (deploy if name non-empty). gpt-4o deploys as the base model. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
deployImageGenModels and deploySoraModel control whether Bicep creates model deployments. IMAGEGEN_DEPLOYMENT/SORA_DEPLOYMENT only set the env var for the container app, supporting models deployed via CLI (e.g., FLUX.1-Kontext-pro). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update DEFAULT_IMAGE_MODEL, all Field defaults, deployment params, Bicep defaults, .env.example, and docs to use gpt-image-1.5. gpt-image-1 kept as legacy alias in deployment mapping. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…UX Kontext Pro Remove gpt-image-1 from dropdown and all defaults. Three model options: gpt-image-1.5 (default), gpt-image-1-mini, FLUX Kontext Pro. Updated 6 frontend files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add FLUX_KONTEXT_DEPLOYMENT config setting + Bicep plumbing
- Add deployment mapping for flux-kontext-pro in GPTImageClient
- Strip gpt-image-specific params (background, quality, moderation, output_compression) when FLUX model is selected
- Frontend: hide Background/Format/Quality dropdowns for FLUX models
- Update model validator, env status, .env.example

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configure Microsoft tenant-restricted auth on the frontend Container App:
- authConfigs child resource with Entra ID provider
- Issuer locked to Microsoft tenant (72f988bf)
- Unauthenticated users redirected to login
- Auth params (CLIENT_ID, SECRET, ISSUER) in azd env
- Survives azd up reprovisioning

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
AUTH_ISSUER now defaults to empty string. Auth only activates when AUTH_CLIENT_ID is set in azd env. Fully parameterized: no tenant-specific values in the repo.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace gpt-image-1 with gpt-image-1.5 as primary model
- Add FLUX Kontext Pro and GPT-Image-1-Mini to feature list
- Remove all API key references and USE_MANAGED_IDENTITY
- Remove Cosmos DB key-based auth section
- Update architecture section with Foundry + MI
- Update env var table (AI_FOUNDRY_ENDPOINT, no keys)
- Update azd deployment instructions
- Add az login requirement for local dev

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…-identity

# Conflicts:
# .env.example
# backend/core/__init__.py
# backend/core/config.py
# backend/main.py
# frontend/components/RowBasedMasonryGrid.tsx
# infra/modules/containerApp.bicep
# pyproject.toml
# tests/conftest.py
Summary
Replaces 3 separate Azure OpenAI resources with a single Azure AI Foundry resource and migrates all service connections from API key auth to managed identity (DefaultAzureCredential).
Infrastructure
Backend
- azure_ad_token_provider via get_bearer_token_provider
- DefaultAzureCredential (User Delegation SAS tokens)
Frontend
Docs
Verified
vs-lab-foundry environment (Sweden Central)
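The commit above and this summary both describe replacing api-key headers with Entra bearer tokens obtained through get_bearer_token_provider, including a cached token for the raw httpx Sora client. The following is an added, self-contained example (not code from this PR or repository) of what that helper does for you: it wraps a credential's get_token(), caches the result, and refreshes it a few minutes before expiry so a long-running worker never sends a stale token. A constructed FakeCredential and FakeClock stand in for DefaultAzureCredential and wall-clock time so the example runs offline; the scope string is the one Azure OpenAI / AI Foundry endpoints accept for Entra auth, and the 300 s refresh skew, the provider class and the demo() driver are this example's own choices.

```python
"""Cached Entra bearer tokens for a raw HTTP client, with no API key anywhere.

azure.identity.get_bearer_token_provider(credential, scope) returns a
zero-argument callable that yields a current access-token string and caches
it until shortly before expiry.  This example re-implements that behaviour
with a fake credential so it can run offline.  In a real service the
credential is DefaultAzureCredential() and the scope is COGNITIVE_SERVICES_SCOPE.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Protocol

# Scope Azure OpenAI / AI Foundry endpoints accept for Entra ID bearer auth.
COGNITIVE_SERVICES_SCOPE = "https://cognitiveservices.azure.com/.default"
REFRESH_SKEW_SECONDS = 300  # refresh this long before expiry (example's choice)


@dataclass(frozen=True)
class AccessToken:
    """Same shape as azure.core.credentials.AccessToken: opaque token + POSIX expiry."""
    token: str
    expires_on: int


class TokenCredential(Protocol):
    """Minimal duck type satisfied by DefaultAzureCredential and by FakeCredential."""
    def get_token(self, *scopes: str) -> AccessToken: ...


class FakeClock:
    """Constructed clock so token expiry can be driven deterministically."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeCredential:
    """Constructed stand-in for DefaultAzureCredential (assumption: offline only).
    Mints a new opaque token on every call and counts calls so caching is observable."""
    def __init__(self, clock: Callable[[], float], lifetime: int = 3600):
        self._clock = clock
        self._lifetime = lifetime
        self.calls = 0

    def get_token(self, *scopes: str) -> AccessToken:
        assert scopes == (COGNITIVE_SERVICES_SCOPE,), "unexpected scope requested"
        self.calls += 1
        return AccessToken(f"tok-{self.calls}", int(self._clock()) + self._lifetime)


class CachedBearerTokenProvider:
    """Zero-argument callable returning a current bearer token, refreshed before expiry.
    This mirrors what get_bearer_token_provider() hands to an httpx-based client."""
    def __init__(self, credential: TokenCredential, scope: str,
                 clock: Callable[[], float] = time.time,
                 skew: int = REFRESH_SKEW_SECONDS):
        self._credential = credential
        self._scope = scope
        self._clock = clock
        self._skew = skew
        self._cached: Optional[AccessToken] = None

    def __call__(self) -> str:
        now = self._clock()
        # Refresh when there is no token yet or it expires within the skew window.
        if self._cached is None or self._cached.expires_on - now <= self._skew:
            self._cached = self._credential.get_token(self._scope)
        return self._cached.token

    def __repr__(self) -> str:
        # Keep the token out of repr()/log output of any client that holds the provider.
        return f"CachedBearerTokenProvider(scope={self._scope!r}, token=<redacted>)"


def auth_headers(token_provider: Callable[[], str]) -> Dict[str, str]:
    """Per-request headers for a raw HTTP call to the endpoint.
    Only Authorization is sent; there is no api-key header to store or leak."""
    return {"Authorization": f"Bearer {token_provider()}"}


def demo() -> Dict[str, object]:
    """Drive the provider through a cache hit, a pre-expiry refresh and a header build."""
    clock = FakeClock()
    cred = FakeCredential(clock, lifetime=3600)
    provider = CachedBearerTokenProvider(cred, COGNITIVE_SERVICES_SCOPE, clock=clock)

    first = provider()                 # fetches tok-1
    second = provider()                # cache hit, still tok-1
    clock.advance(3600 - 299)          # now inside the 300 s refresh window
    third = provider()                 # refreshed to tok-2
    headers = auth_headers(provider)   # still tok-2, no extra credential call
    return {
        "first": first, "second": second, "third": third,
        "credential_calls": cred.calls,
        "headers": headers,
        "repr_leaks_token": "tok-" in repr(provider),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the real client: build the Authorization header per request from the provider rather than copying the token string into a client constructed once, so a refreshed token is actually used, and make sure nothing that logs the client object can print the token.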