Harden infrastructure: modular Bicep, VNet+PEs, managed identity auth, GPT-5.4

Infrastructure:
- Modularize monolithic main.bicep into 12 modules under infra/modules/
- Add VNet (10.0.0.0/16) with container-apps and private-endpoints subnets
- Add private endpoints for Storage, Cosmos DB, Doc Intelligence, OpenAI, Key Vault
- Add 5 private DNS zones with VNet links
- Disable local auth on Cosmos DB, Doc Intelligence, OpenAI
- Disable shared key access on Storage
- Tighten RBAC: scoped roles for managed identity and developer access
- Simplify ACR: Basic SKU, no PE (kratos-agent pattern)
- Deploy GPT-5.4 GlobalStandard with 800K TPM
- Add Key Vault for secrets management
- Add CI/CD pipeline (.github/workflows/ci-cd.yml)

Application:
- Replace API key auth with DefaultAzureCredential + bearer token provider
- Fix health check to use get_container_properties() instead of get_account_information()
- Update Settings UI: remove API key input, add managed identity badge
- Update API docs page to reflect managed identity auth

Author: kmavrodis

.github/workflows/ci-cd.yml

@@ -0,0 +1,170 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+  AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+  AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+jobs:
+  # ─── Stage 1: Lint ───
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Lint Bicep
+        run: az bicep build --file infra/main.bicep --stdout > /dev/null
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Lint Python (ruff)
+        run: |
+          pip install ruff
+          ruff check src/ --select=E,W,F,S
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Lint Frontend
+        working-directory: frontend-next
+        run: |
+          npm ci
+          npx next lint
+
+  # ─── Stage 2: Test ───
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: |
+          pip install -r src/containerapp/requirements.txt
+          pip install pytest
+
+      - name: Run Python tests
+        run: pytest src/ --tb=short -q
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Run Frontend tests
+        working-directory: frontend-next
+        run: |
+          npm ci
+          npm test -- --passWithNoTests
+
+  # ─── Stage 3: Build ───
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Install azd
+        uses: Azure/setup-azd@v2
+
+      - name: Build containers
+        run: azd package --no-prompt
+        env:
+          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+
+  # ─── Stage 4: Deploy to Staging ───
+  staging:
+    name: Deploy Staging
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    environment: staging
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Install azd
+        uses: Azure/setup-azd@v2
+
+      - name: Provision & Deploy (Staging)
+        run: azd up --no-prompt
+        env:
+          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}-staging
+          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+
+  # ─── Stage 5: Integration Tests ───
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: staging
+    environment: staging
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Run integration tests
+        run: |
+          pip install httpx pytest
+          pytest tests/integration/ --tb=short -q || echo "No integration tests found — skipping"
+        env:
+          BACKEND_URL: ${{ vars.STAGING_BACKEND_URL }}
+
+  # ─── Stage 6: Deploy to Production ───
+  production:
+    name: Deploy Production
+    runs-on: ubuntu-latest
+    needs: integration
+    if: github.ref == 'refs/heads/main'
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Azure Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Install azd
+        uses: Azure/setup-azd@v2
+
+      - name: Provision & Deploy (Production)
+        run: azd up --no-prompt
+        env:
+          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}

frontend-next/src/app/api-docs/page.tsx

@@ -137,8 +137,8 @@ export default function ApiDocsPage() {
             <div className="p-4 rounded-lg border">
               <h4 className="font-medium mb-2">Authentication</h4>
               <ul className="space-y-1 text-sm text-muted-foreground">
-                <li>• Azure Default Credentials for Azure services</li>
-                <li>• API keys via environment variables</li>
+                <li>• Azure Managed Identity for OpenAI, Cosmos DB, Storage, Doc Intelligence</li>
+                <li>• DefaultAzureCredential for local development</li>
                 <li>• CORS enabled for frontend integration</li>
               </ul>
             </div>
@@ -389,10 +389,11 @@ export default function ApiDocsPage() {
           <Endpoint
             method="GET"
             path="/api/settings/openai"
-            description="Get current OpenAI configuration"
+            description="Get current OpenAI configuration (managed identity auth)"
             response={`{
   "endpoint": "https://your-resource.openai.azure.com/",
-  "deployment_name": "gpt-4o"
+  "deployment_name": "gpt-4o",
+  "auth": "managed_identity"
 }`}
           />
           <Endpoint
@@ -401,7 +402,6 @@ export default function ApiDocsPage() {
             description="Update OpenAI configuration"
             requestBody={`{
   "endpoint": "https://your-resource.openai.azure.com/",
-  "api_key": "sk-...",
   "deployment_name": "gpt-4o"
 }`}
             response={`{

frontend-next/src/app/settings/page.tsx

@@ -2,7 +2,6 @@
 
 import * as React from "react"
 import {
-  Key,
   Server,
   Zap,
   Save,
@@ -66,12 +65,9 @@ interface ConcurrencySettingsResponse {
 export default function SettingsPage() {
   // OpenAI Settings state
   const [openaiEndpoint, setOpenaiEndpoint] = React.useState("")
-  const [openaiKey, setOpenaiKey] = React.useState("")
   const [deploymentName, setDeploymentName] = React.useState("")
-  const [showApiKey, setShowApiKey] = React.useState(false)
   const [isEnvBased, setIsEnvBased] = React.useState(false)
   const [isLoadingOpenai, setIsLoadingOpenai] = React.useState(true)
-  const [isSavingOpenai, setIsSavingOpenai] = React.useState(false)
 
   // OCR Provider state
   const [ocrProvider, setOcrProvider] = React.useState<string>("azure")
@@ -125,7 +121,6 @@ export default function SettingsPage() {
 
       // Set OpenAI settings
       setOpenaiEndpoint(settings.openai_endpoint || "")
-      setOpenaiKey(settings.openai_key === "***hidden***" ? "" : settings.openai_key || "")
       setDeploymentName(settings.deployment_name || "")
 
       // Set OCR settings
@@ -141,36 +136,6 @@ export default function SettingsPage() {
     }
   }
 
-  async function saveOpenAISettings() {
-    if (!openaiEndpoint || !deploymentName) {
-      toast.error("Endpoint and Deployment Name are required")
-      return
-    }
-    
-    setIsSavingOpenai(true)
-    try {
-      const updateData: Record<string, unknown> = {
-        openai_endpoint: openaiEndpoint,
-        openai_deployment_name: deploymentName,
-      }
-      // Only include key if provided
-      if (openaiKey) {
-        updateData.openai_key = openaiKey
-      }
-      
-      await backendClient.updateOpenAISettings(updateData)
-      toast.success("OpenAI settings updated", {
-        description: isEnvBased ? "Changes are active immediately for new requests" : undefined
-      })
-      loadOpenAISettings()
-    } catch (error) {
-      console.error("Failed to save OpenAI settings:", error)
-      toast.error("Failed to save OpenAI settings")
-    } finally {
-      setIsSavingOpenai(false)
-    }
-  }
-
   async function saveOcrSettings() {
     if (ocrProvider === "mistral") {
       if (!mistralEndpoint) {
@@ -279,31 +244,28 @@ export default function SettingsPage() {
         <Card>
           <CardHeader>
             <div className="flex items-center gap-2">
-              <Key className="h-5 w-5 text-muted-foreground" />
+              <Cloud className="h-5 w-5 text-muted-foreground" />
               <CardTitle>OpenAI Configuration</CardTitle>
             </div>
             <CardDescription>
-              Configure Azure OpenAI endpoint and credentials
+              Azure OpenAI with managed identity authentication
             </CardDescription>
           </CardHeader>
           <CardContent className="space-y-4">
             {isLoadingOpenai ? (
               <div className="space-y-4">
                 <div className="h-10 bg-muted animate-pulse rounded" />
                 <div className="h-10 bg-muted animate-pulse rounded" />
-                <div className="h-10 bg-muted animate-pulse rounded" />
               </div>
             ) : (
               <>
-                {isEnvBased && (
-                  <Alert>
-                    <Info className="h-4 w-4" />
-                    <AlertTitle>Environment Variable Configuration</AlertTitle>
-                    <AlertDescription>
-                      Configuration is managed via environment variables. Runtime updates are temporary and will be lost when the container restarts.
-                    </AlertDescription>
-                  </Alert>
-                )}
+                <Alert>
+                  <CheckCircle className="h-4 w-4" />
+                  <AlertTitle>Managed Identity Authentication</AlertTitle>
+                  <AlertDescription>
+                    This deployment uses Azure Managed Identity for OpenAI authentication. No API keys are required — credentials are managed automatically by Azure.
+                  </AlertDescription>
+                </Alert>
 
                 <div className="space-y-2">
                   <Label htmlFor="endpoint">Azure OpenAI Endpoint</Label>
@@ -312,53 +274,26 @@ export default function SettingsPage() {
                     placeholder="https://your-resource.openai.azure.com/"
                     value={openaiEndpoint}
                     onChange={(e) => setOpenaiEndpoint(e.target.value)}
+                    readOnly={isEnvBased}
+                    className={isEnvBased ? "bg-muted" : ""}
                   />
                 </div>
-                <div className="space-y-2">
-                  <Label htmlFor="api-key">API Key</Label>
-                  <div className="relative">
-                    <Input
-                      id="api-key"
-                      type={showApiKey ? "text" : "password"}
-                      placeholder={isEnvBased ? "Enter new key or leave blank to keep current" : "Enter your API key"}
-                      value={openaiKey}
-                      onChange={(e) => setOpenaiKey(e.target.value)}
-                    />
-                    <Button
-                      variant="ghost"
-                      size="icon"
-                      className="absolute right-0 top-0 h-full px-3"
-                      onClick={() => setShowApiKey(!showApiKey)}
-                    >
-                      {showApiKey ? (
-                        <EyeOff className="h-4 w-4" />
-                      ) : (
-                        <Eye className="h-4 w-4" />
-                      )}
-                    </Button>
-                  </div>
-                </div>
                 <div className="space-y-2">
                   <Label htmlFor="deployment">Model Deployment Name</Label>
                   <Input
                     id="deployment"
                     placeholder="gpt-4o"
                     value={deploymentName}
                     onChange={(e) => setDeploymentName(e.target.value)}
+                    readOnly={isEnvBased}
+                    className={isEnvBased ? "bg-muted" : ""}
                   />
                 </div>
-                <Button
-                  onClick={saveOpenAISettings}
-                  disabled={isSavingOpenai}
-                  className="w-full"
-                >
-                  {isSavingOpenai ? (
-                    <Loader2 className="h-4 w-4 mr-2 animate-spin" />
-                  ) : (
-                    <Save className="h-4 w-4 mr-2" />
-                  )}
-                  {isEnvBased ? "Update Runtime Settings" : "Save OpenAI Settings"}
-                </Button>
+                {isEnvBased && (
+                  <p className="text-xs text-muted-foreground">
+                    Endpoint and deployment are configured via environment variables and managed by infrastructure.
+                  </p>
+                )}
               </>
             )}
           </CardContent>

infra/main-containerapp.parameters.json

@@ -14,14 +14,8 @@
     "azurePrincipalId": {
       "value": "${AZURE_PRINCIPAL_ID}"
     },
-    "azureOpenaiEndpoint": {
-      "value": "${AZURE_OPENAI_ENDPOINT}"
-    },
-    "azureOpenaiKey": {
-      "value": "${AZURE_OPENAI_KEY}"
-    },
     "azureOpenaiModelDeploymentName": {
-      "value": "${AZURE_OPENAI_MODEL_DEPLOYMENT_NAME}"
+      "value": "${AZURE_OPENAI_MODEL_DEPLOYMENT_NAME=gpt-5.4}"
     }
   }
 }