Enterprise Security Infrastructure for Azure OpenAI Workshop

.devcontainer/devcontainer.json

@@ -10,7 +10,9 @@
 		"ghcr.io/devcontainers/features/azure-cli:1": {},
 		"ghcr.io/devcontainers-extra/features/uv:1": {},
 		"ghcr.io/devcontainers/features/github-cli:1": {},
-		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+		"ghcr.io/devcontainers/features/terraform:1": {},
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
+		"ghcr.io/devcontainers/features/powershell:1": {}
  	 },
 	"secrets": {
 		"AZURE_OPENAI_ENDPOINT": {

.github/workflows/destroy.yml

@@ -30,7 +30,7 @@ jobs:
   terraform_destroy:
     name: Terraform Destroy
     runs-on: ubuntu-latest
-    environment: ${{ inputs.environment || 'dev' }}
+    # environment: ${{ inputs.environment || 'dev' }}  # Commented out to use repo-level variables
     permissions:
       id-token: write
       contents: read
@@ -58,7 +58,7 @@ jobs:
 
           terraform init -backend-config="resource_group_name=${TFSTATE_RG}" \
                          -backend-config="key=${TFSTATE_KEY}" -backend-config="storage_account_name=${TFSTATE_ACCOUNT}" \
-                         -backend-config="container_name=${TFSTATE_CONTAINER}"
+                         -backend-config="container_name=${TFSTATE_CONTAINER}" -backend-config="use_oidc=true" -backend-config="use_azuread_auth=true"
 
           terraform destroy -auto-approve \
             -var project_name=${{ github.event.repository.name }} \

.github/workflows/docker-application.yml

@@ -0,0 +1,79 @@
+name: Build and Push Docker Image for Backend Application
+
+on:
+  # Only run via workflow_call from orchestrate.yml or manual dispatch
+  # Do not run automatically on pull_request - orchestrate.yml handles the full pipeline
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+        required: true
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Target environment
+        type: choice
+        options: [dev, integration, prod]
+        default: dev
+
+env:
+  IMAGE_NAME: backend-app
+  PROJECT_SUBPATH: agentic_ai/
+  IMAGE_TAG: ${{ inputs.environment && format('{0}-latest', inputs.environment) || 'latest' }}
+
+
+jobs:
+  build:
+    name: Build & Push Backend Image
+    runs-on: ubuntu-latest
+    # environment: ${{ inputs.environment || 'dev' }}  # Commented out to use repo-level variables
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Azure OIDC Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Determine ACR Name
+        id: acr
+        run: |
+          # Construct ACR name matching Terraform pattern: {project}{env}acr{iteration}
+          PROJECT="${{ vars.PROJECT_NAME || 'OpenAIWorkshop' }}"
+          ENV="${{ inputs.environment || 'dev' }}"
+          ITERATION="${{ vars.ITERATION || '002' }}"
+          ACR_NAME="${PROJECT}${ENV}acr${ITERATION}"
+          echo "name=${ACR_NAME}" >> $GITHUB_OUTPUT
+          echo "server=${ACR_NAME}.azurecr.io" >> $GITHUB_OUTPUT
+          echo "Using ACR: ${ACR_NAME}"
+
+      - name: Login to Azure Container Registry
+        run: |
+          # Get ACR access token using the OIDC-authenticated Azure CLI session
+          ACR_TOKEN=$(az acr login --name ${{ steps.acr.outputs.name }} --expose-token --query accessToken -o tsv)
+          echo "$ACR_TOKEN" | docker login ${{ steps.acr.outputs.server }} --username 00000000-0000-0000-0000-000000000000 --password-stdin
+
+      - name: Build and Push Image
+        run: |
+          cd ${{ env.PROJECT_SUBPATH }}
+          ACR_SERVER="${{ steps.acr.outputs.server }}"
+
+          # Build with both SHA tag and environment tag
+          docker build \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ github.sha }}" \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:latest" \
+            -f applications/Dockerfile .
+
+          # Push all tags
+          docker push "${ACR_SERVER}/${{ env.IMAGE_NAME }}" --all-tags
+
+          echo "✅ Pushed: ${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
+          echo "ACR: ${{ steps.acr.outputs.name }}"

.github/workflows/docker-mcp.yml

@@ -1,64 +1,77 @@
-# This is a basic workflow to help you get started with Actions
+name: Build and Push Docker Image for MCP Service
 
-name: Build and Push Docker Image for MCP
-
-# Controls when the action will run. 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
-  pull_request:
-    branches: [ main ]
-
+  # Only run via workflow_call from orchestrate.yml or manual dispatch
+  # Do not run automatically on pull_request - orchestrate.yml handles the full pipeline
   workflow_call:
     inputs:
       environment:
         type: string
         required: true
 
-  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+    inputs:
+      environment:
+        description: Target environment
+        type: choice
+        options: [dev, integration, prod]
+        default: dev
 
 env:
-    PROJECT_NAME: aoaiwkshp-mcp
-    PROJECT_SUBPATH: mcp/
-    SPECIFIC_RELEASE_TAG: ${{ inputs.environment && format('{0}-latest', inputs.environment) || vars.SPECIFIC_RELEASE_TAG || '' }}
+  IMAGE_NAME: mcp-service
+  PROJECT_SUBPATH: mcp/
+  IMAGE_TAG: ${{ inputs.environment && format('{0}-latest', inputs.environment) || 'latest' }}
 
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
   build:
-    # The type of runner that the job will run on
+    name: Build & Push MCP Image
     runs-on: ubuntu-latest
-    # Only run if the required variables exist
-    if: vars.REGISTRY_LOGIN_SERVER != '' && vars.REGISTRY_LOGIN_SERVER != null
+    # environment: ${{ inputs.environment || 'dev' }}  # Commented out to use repo-level variables
+    permissions:
+      id-token: write
+      contents: read
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-        
-      - uses: docker/login-action@v3
+      - uses: actions/checkout@v4
+
+      - name: Azure OIDC Login
+        uses: azure/login@v2
         with:
-          registry: ${{ vars.REGISTRY_LOGIN_SERVER }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Build registry prefix
-        id: prefix
+      - name: Determine ACR Name
+        id: acr
         run: |
-          if [[ "${{ vars.REGISTRY_LOGIN_SERVER }}" == *"docker.io"* ]]; then
-            echo "prefix=${{ vars.REGISTRY_LOGIN_SERVER }}/${{ secrets.REGISTRY_USERNAME }}/${{ env.PROJECT_NAME }}" >> $GITHUB_OUTPUT
-          else
-            echo "prefix=${{ vars.REGISTRY_LOGIN_SERVER }}/${{ env.PROJECT_NAME }}" >> $GITHUB_OUTPUT
-          fi
-
+          # Construct ACR name matching Terraform pattern: {project}{env}acr{iteration}
+          PROJECT="${{ vars.PROJECT_NAME || 'OpenAIWorkshop' }}"
+          ENV="${{ inputs.environment || 'dev' }}"
+          ITERATION="${{ vars.ITERATION || '002' }}"
+          ACR_NAME="${PROJECT}${ENV}acr${ITERATION}"
+          echo "name=${ACR_NAME}" >> $GITHUB_OUTPUT
+          echo "server=${ACR_NAME}.azurecr.io" >> $GITHUB_OUTPUT
+          echo "Using ACR: ${ACR_NAME}"
 
-      - run: |
-            if [ -z "${{ env.SPECIFIC_RELEASE_TAG }}" ]; then
-                docker build ${{ env.PROJECT_SUBPATH }} -t ${{ steps.prefix.outputs.prefix }}:${{ github.sha }} -t ${{ steps.prefix.outputs.prefix }}:latest
-            else
-                docker build ${{ env.PROJECT_SUBPATH }} -t ${{ steps.prefix.outputs.prefix }}:${{ env.SPECIFIC_RELEASE_TAG }} -t ${{ steps.prefix.outputs.prefix }}:latest
-            fi
+      - name: Login to Azure Container Registry
+        run: |
+          # Get ACR access token using the OIDC-authenticated Azure CLI session
+          ACR_TOKEN=$(az acr login --name ${{ steps.acr.outputs.name }} --expose-token --query accessToken -o tsv)
+          echo "$ACR_TOKEN" | docker login ${{ steps.acr.outputs.server }} --username 00000000-0000-0000-0000-000000000000 --password-stdin
 
-      - run: |
-          docker push ${{ steps.prefix.outputs.prefix }} --all-tags
+      - name: Build and Push Image
+        run: |
+          ACR_SERVER="${{ steps.acr.outputs.server }}"
+
+          # Build with both SHA tag and environment tag
+          docker build ${{ env.PROJECT_SUBPATH }} \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ github.sha }}" \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}" \
+            -t "${ACR_SERVER}/${{ env.IMAGE_NAME }}:latest"
+
+          # Push all tags
+          docker push "${ACR_SERVER}/${{ env.IMAGE_NAME }}" --all-tags
+
+          echo "✅ Pushed: ${ACR_SERVER}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
+          echo "ACR: ${{ steps.acr.outputs.name }}"