Add optional AAD auth

[pamelafox]

Purpose

This PR adds optional AAD authentication to the App Service app, using the same approach I used in https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/README_azd.md

This is opt-in, developers must enable it using azd env set AZURE_USE_AUTHENTICATION true
That's similar to how @tonybaloney made App Insights opt-in.

This does not currently work on GitHub actions due to the service principal lacking the permissions.

In the future, I would prefer to set it up completely in Bicep (vs Bicep + 2 scripts), but am eagerly awaiting Azure/bicep#7724 for that to be possible.

Does this introduce a breaking change?

[ ] Yes
[X] No

Pull Request Type

What kind of change does this Pull Request introduce?

[ ] Bugfix
[X] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

• azd up, confirm that it works with no auth
• azd env set AZURE_USE_AUTHENTICATION true
• azd up, confirm auth is required

[pamelafox]

This could be a section versus an FAQ, I don't mind either way. I think our README could use a TOC at some point soon though. :)

[pamelafox]

FYI: Calling loadenv.sh in every script (auth_init, auth_update, prepdocs) means that it pip installs requirements every time. I could just call it in the first script, but then other hooks won't work if a dev deletes the first script hook for some reason.
I believe I also tried calling load_env as its own hook, but then the other hooks executed in a separated environment and didnt have access to the exported variables.

Another approach is to dump the env variables into a .env file and load them that way, but that'd be a larger change. That is what I do in https://github.com/pamelafox/chatgpt-quickstart/blob/main/azure.yaml

[zaffaste]

this path give me an error I replaced it with "./scripts/.venv/scripts/python.exe" and "./scripts/.venv/bin/python" in line 6

[zaffaste]

As for auth_init.ps1 line 3 and 6 should be replaced with this path:
line 3:
$venvPythonPath = "./scripts/.venv/scripts/python.exe"
line 6:
$venvPythonPath = "./scripts/.venv/bin/python"

[pamelafox]

@zaffaste I just pushed loadenv.ps1 and a related change to prepdocs.ps1, they both work for me now inside pwsh, can you try?

[zaffaste]

@zaffaste I just pushed loadenv.ps1 and a related change to prepdocs.ps1, they both work for me now inside pwsh, can you try?

@pamelafox
If I don't change $venvPythonPath = "./.venv/scripts/python.exe" to $venvPythonPath = "./scripts/.venv/scripts/python.exe" in auth_init.ps1 and auth_update.ps1 files the scripts execution returns me an error
`Line |
9 | Start-Process -FilePath $venvPythonPath -ArgumentList "./scripts/auth …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| This command cannot be run due to the error: The system cannot find the file specified.

ERROR: failed running post hooks: 'postprovision' hook failed with exit code: '1', Path: 'xxx\Local\Temp\azd-postprovision-3370852331.ps1'. : exit code: 1`

The script in loadenv.ps1 and the updates to prepdocs.ps1 works good for me, thank you!

[pamelafox]

Moving this to a draft as the new doc ACL requires slightly different setup (client/server) and @mattmsft is investigating scripting that (based on these scripts).

[github-actions]

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed.

[pamelafox]

Closing in favor of Matt's new PR.