Keyvault for secrets

.github/copilot-instructions.md

@@ -1,3 +1,7 @@
+---
+applyTo: '**'
+---
+
 # REPO SPECIFIC INSTRUCTIONS
 
 ---

.github/instructions/python-lang.instructions.md

@@ -0,0 +1,13 @@
+---
+applyTo: '**'
+---
+
+# Python Language Guide
+
+- Files should start with a comment of the file name. Ex: `# functions_personal_agents.py`
+
+- Imports should be grouped at the top of the document after the module docstring, unless otherwise indicated by the user or for performance reasons in which case the import should be as close as possible to the usage with a documented note as to why the import is not at the top of the file.
+
+- Use 4 spaces per indentation level. No tabs.
+
+- Code and definitions should occur after the imports block.

.github/workflows/docker_image_publish_nadoyle.yml

@@ -5,6 +5,7 @@ on:
   push:
     branches:
     - nadoyle
+    - keyvaultForSecrets
 
   workflow_dispatch:
 
@@ -19,11 +20,11 @@ jobs:
       uses: Azure/docker-login@v2
       with:
         # Container registry username
-        username: ${{ secrets.ACR_USERNAME }}
+        username: ${{ secrets.ACR_USERNAME_NADOYLE }}
         # Container registry password
-        password: ${{ secrets.ACR_PASSWORD }}
+        password: ${{ secrets.ACR_PASSWORD_NADOYLE }}
         # Container registry server url
-        login-server: ${{ secrets.ACR_LOGIN_SERVER }}
+        login-server: ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}
 
     - uses: actions/checkout@v3
     - name: Set up Node.js
@@ -36,7 +37,7 @@ jobs:
       run: node scripts/generate-validators.mjs
     - name: Build the Docker image
       run:         
-        docker build . --file application/single_app/Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER;
-        docker tag ${{ secrets.ACR_LOGIN_SERVER }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER ${{ secrets.ACR_LOGIN_SERVER }}/simple-chat-dev:latest;
-        docker push ${{ secrets.ACR_LOGIN_SERVER }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER;
-        docker push ${{ secrets.ACR_LOGIN_SERVER }}/simple-chat-dev:latest;
+        docker build . --file application/single_app/Dockerfile --tag ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER;
+        docker tag ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}/simple-chat-dev:latest;
+        docker push ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}/simple-chat-dev:$(date +'%Y-%m-%d')_$GITHUB_RUN_NUMBER;
+        docker push ${{ secrets.ACR_LOGIN_SERVER_NADOYLE }}/simple-chat-dev:latest;

application/single_app/agent_logging_chat_completion.py

@@ -144,13 +144,6 @@ async def invoke(self, *args, **kwargs):
             }
         )
 
-        log_event("[Logging Agent Request] Agent invoke started", 
-                 extra={
-                     "agent": self.name,
-                     "prompt_preview": [m.content[:30] for m in args[0]] if args else None
-                 }, 
-                 level=logging.DEBUG)
-
         # Store user question context for better tool detection
         if args and args[0] and hasattr(args[0][-1], 'content'):
             self._user_question = args[0][-1].content
@@ -163,12 +156,14 @@ async def invoke(self, *args, **kwargs):
             initial_message_count = len(args[0]) if args and args[0] else 0
             result = super().invoke(*args, **kwargs)
 
-            log_event("[Logging Agent Request] Result received", 
-                     extra={
-                         "agent": self.name,
-                         "result_type": type(result).__name__
-                     }, 
-                     level=logging.DEBUG)
+            log_event(
+                "[Logging Agent Request] Result received", 
+                extra={
+                    "agent": self.name,
+                    "result_type": type(result).__name__
+                },
+                level=logging.DEBUG
+            )
 
             if hasattr(result, "__aiter__"):
                 # Streaming/async generator response
@@ -180,13 +175,15 @@ async def invoke(self, *args, **kwargs):
                 # Regular coroutine response
                 response = await result
 
-            log_event("[Logging Agent Request] Response received", 
-                     extra={
-                         "agent": self.name,
-                         "response_type": type(response).__name__,
-                         "response_preview": str(response)[:100] if response else None
-                     }, 
-                     level=logging.DEBUG)
+            log_event(
+                "[Logging Agent Request] Response received",
+                extra={
+                    "agent": self.name,
+                    "response_type": type(response).__name__,
+                    "response_preview": str(response)[:100] if response else None
+                },
+                level=logging.DEBUG
+            )
 
             # Store the response for analysis
             self._last_response = response

application/single_app/app.py

@@ -105,6 +105,7 @@
 
 from route_external_health import *
 
+#TODO: Remove this after speaking with Paul
 configure_azure_monitor()
 
 # =================== Session Configuration ===================

application/single_app/config.py

@@ -158,9 +158,6 @@
 else:
     AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
 
-# Commercial Azure Video Indexer Endpoint
-video_indexer_endpoint = "https://api.videoindexer.ai"
-
 WORD_CHUNK_SIZE = 400
 
 if AZURE_ENVIRONMENT == "usgovernment":
@@ -171,20 +168,23 @@
     cognitive_services_scope = "https://cognitiveservices.azure.us/.default"
     video_indexer_endpoint = "https://api.videoindexer.ai.azure.us"
     search_resource_manager = "https://search.azure.us"
+    KEY_VAULT_DOMAIN = ".vault.usgovcloudapi.net"
 
 elif AZURE_ENVIRONMENT == "custom":
     resource_manager = CUSTOM_RESOURCE_MANAGER_URL_VALUE
     authority = CUSTOM_IDENTITY_URL_VALUE
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = CUSTOM_COGNITIVE_SERVICES_URL_VALUE  
     search_resource_manager = CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE
+    KEY_VAULT_DOMAIN = os.getenv("KEY_VAULT_DOMAIN", ".vault.azure.net")
 else:
     OIDC_METADATA_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
     resource_manager = "https://management.azure.com"
     authority = AzureAuthorityHosts.AZURE_PUBLIC_CLOUD
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = "https://cognitiveservices.azure.com/.default"
     video_indexer_endpoint = "https://api.videoindexer.ai"
+    KEY_VAULT_DOMAIN = ".vault.azure.net"
 
 def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:
     """
@@ -205,6 +205,7 @@ def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:
     else:
         # Default to Azure Public Cloud
         return f"https://{redis_hostname}.cacheinfra.windows.net:10225/appid"
+
 
 storage_account_user_documents_container_name = "user-documents"
 storage_account_group_documents_container_name = "group-documents"

application/single_app/functions_appinsights.py

@@ -44,29 +44,36 @@ def log_event(
         exceptionTraceback (Any, optional): If set to True, includes exception traceback.
     """
     try:
+        # Limit message to 32767 characters
+        if message and isinstance(message, str) and len(message) > 32767:
+            message = message[:32767]
+
         # Get logger - use Azure Monitor logger if configured, otherwise standard logger
         logger = get_appinsights_logger()
         if not logger:
+            print(f"[Log] {message} -- {extra}")
             logger = logging.getLogger('standard')
             if not logger.handlers:
                 logger.addHandler(logging.StreamHandler())
                 logger.setLevel(logging.INFO)
-        
+
         # Enhanced exception handling for Application Insights
         # When exceptionTraceback=True, ensure we capture full exception context
         exc_info_to_use = exceptionTraceback
-        
+
         # For ERROR level logs with exceptionTraceback=True, always log as exception
         if level >= logging.ERROR and exceptionTraceback:
             if logger and hasattr(logger, 'exception'):
                 # Use logger.exception() for better exception capture in Application Insights
-                logger.exception(message, extra=extra, stacklevel=stacklevel)
+                logger.exception(message, extra=extra, stacklevel=stacklevel, stack_info=includeStack, exc_info=True)
                 return
             else:
                 # Fallback to standard logging with exc_info
                 exc_info_to_use = True
-        
+
         # Format message with extra properties for structured logging
+
+        print(f"[Log] {message} -- {extra}")  # Debug print to console
         if extra:
             # For modern Azure Monitor, extra properties are automatically captured
             logger.log(
@@ -85,24 +92,24 @@ def log_event(
                 stack_info=includeStack,
                 exc_info=exc_info_to_use
             )
-            
+
         # For Azure Monitor, ensure exception-level logs are properly categorized
         if level >= logging.ERROR and _azure_monitor_configured:
             # Add a debug print to verify exception logging is working
             print(f"[Azure Monitor] Exception logged: {message[:100]}...")
-            
+
     except Exception as e:
         # Fallback to basic logging if anything fails
         try:
             fallback_logger = logging.getLogger('fallback')
             if not fallback_logger.handlers:
                 fallback_logger.addHandler(logging.StreamHandler())
                 fallback_logger.setLevel(logging.INFO)
-            
+
             fallback_message = f"{message} | Original error: {str(e)}"
             if extra:
                 fallback_message += f" | Extra: {extra}"
-            
+
             fallback_logger.log(level, fallback_message)
         except:
             # If even basic logging fails, print to console

application/single_app/functions_global_actions.py

@@ -10,10 +10,10 @@
 import json
 import traceback
 from datetime import datetime
-
 from config import cosmos_global_actions_container
+from functions_keyvault import keyvault_plugin_save_helper, keyvault_plugin_get_helper, keyvault_plugin_delete_helper, SecretReturnType
 
-def get_global_actions():
+def get_global_actions(return_type=SecretReturnType.TRIGGER):
     """
     Get all global actions.
 
@@ -25,7 +25,8 @@ def get_global_actions():
             query="SELECT * FROM c",
             enable_cross_partition_query=True
         ))
-
+        # Resolve Key Vault references for each action
+        actions = [keyvault_plugin_get_helper(a, scope_value=a.get('id'), scope="global", return_type=return_type) for a in actions]
         return actions
 
     except Exception as e:
@@ -34,7 +35,7 @@ def get_global_actions():
         return []
 
 
-def get_global_action(action_id):
+def get_global_action(action_id, return_type=SecretReturnType.TRIGGER):
     """
     Get a specific global action by ID.
 
@@ -45,13 +46,12 @@ def get_global_action(action_id):
         dict: Action data or None if not found
     """
     try:
-        from config import cosmos_global_actions_container
-
         action = cosmos_global_actions_container.read_item(
             item=action_id,
             partition_key=action_id
         )
-
+        # Resolve Key Vault references
+        action = keyvault_plugin_get_helper(action, scope_value=action_id, scope="global", return_type=return_type)
         print(f"✅ Found global action: {action_id}")
         return action
 
@@ -71,21 +71,17 @@ def save_global_action(action_data):
         dict: Saved action data or None if failed
     """
     try:
-        from config import cosmos_global_actions_container
-
         # Ensure required fields
         if 'id' not in action_data:
             action_data['id'] = str(uuid.uuid4())
-
         # Add metadata
         action_data['is_global'] = True
         action_data['created_at'] = datetime.utcnow().isoformat()
         action_data['updated_at'] = datetime.utcnow().isoformat()
-
         print(f"💾 Saving global action: {action_data.get('name', 'Unknown')}")
-
+        # Store secrets in Key Vault before upsert
+        action_data = keyvault_plugin_save_helper(action_data, scope_value=action_data.get('id'), scope="global")
         result = cosmos_global_actions_container.upsert_item(body=action_data)
-
         print(f"✅ Global action saved successfully: {result['id']}")
         return result
 
@@ -106,15 +102,15 @@ def delete_global_action(action_id):
         bool: True if successful, False otherwise
     """
     try:
-        from config import cosmos_global_actions_container
-
         print(f"🗑️ Deleting global action: {action_id}")
-
+        # Delete secrets from Key Vault before deleting the action
+        action = get_global_action(action_id)
+        if action:
+            keyvault_plugin_delete_helper(action, scope_value=action_id, scope="global")
         cosmos_global_actions_container.delete_item(
             item=action_id,
             partition_key=action_id
         )
-
         print(f"✅ Global action deleted successfully: {action_id}")
         return True