1. Continuous Integration/Continuous Deployment (CI/CD) for AI with Azure AD Service Principal


    To set up Continuous Integration/Continuous Deployment (CI/CD) for AI services on Azure, you would typically use Azure services like Azure DevOps or GitHub Actions for CI/CD pipelines and Azure Active Directory (Azure AD) for managing permissions between your pipelines and Azure resources. An Azure AD Service Principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This allows you to secure your pipelines and resources without having to use personal credentials.

    The following program demonstrates how to create an Azure AD Service Principal and assign permissions to it for use in a CI/CD pipeline. We'll be using Pulumi's Azure AD provider to create the application and Service Principal, and Pulumi's Azure Native provider for the role assignment and the registry. The program also creates an Azure Container Registry, which is commonly used for storing Docker images produced by AI services as part of a CI/CD workflow. Your CI/CD pipelines can push images to and pull images from this registry.

    Below is a Pulumi Python program to create these resources in Azure:

    import pulumi
    import pulumi_azuread as azuread
    import pulumi_azure_native.authorization as authorization
    import pulumi_azure_native.containerregistry as containerregistry

    # Stack configuration, e.g. `pulumi config set azure:subscriptionId <id>`
    config = pulumi.Config("azure")
    subscription_id = config.require("subscriptionId")
    resource_group_name = config.require("resourceGroupName")
    subscription_scope = f"/subscriptions/{subscription_id}"

    # Create a new Azure AD application (the provider requires a display name)
    app = azuread.Application("app", display_name="cicd-app")

    # Create a new Azure AD service principal for the application
    service_principal = azuread.ServicePrincipal(
        "servicePrincipal",
        application_id=app.application_id,
    )

    # Create a password for the service principal.
    # end_date is an RFC 3339 timestamp; a date this far out makes the password effectively never expire.
    sp_password = azuread.ServicePrincipalPassword(
        "spPassword",
        service_principal_id=service_principal.id,
        end_date="2299-12-30T23:00:00Z",
    )

    # Grant the service principal the built-in 'Contributor' role for the whole subscription.
    # Azure RBAC takes the role as a full role definition resource ID rather than a name;
    # b24988ac-6180-42a0-ab88-20f7382dd24c is the fixed ID of the built-in Contributor role.
    contributor_role_id = (
        f"{subscription_scope}/providers/Microsoft.Authorization/roleDefinitions/"
        "b24988ac-6180-42a0-ab88-20f7382dd24c"
    )
    role_assignment = authorization.RoleAssignment(
        "roleAssignment",
        principal_id=service_principal.object_id,
        principal_type="ServicePrincipal",
        role_definition_id=contributor_role_id,
        scope=subscription_scope,
    )

    # Create an Azure Container Registry for storing images
    acr = containerregistry.Registry(
        "myRegistry",
        resource_group_name=resource_group_name,
        sku=containerregistry.SkuArgs(name="Standard"),
        admin_user_enabled=False,  # the service principal, not the shared admin account, pushes and pulls
    )

    pulumi.export("application_id", app.application_id)
    pulumi.export("service_principal_id", service_principal.id)
    pulumi.export("sp_password_value", sp_password.value)  # marked secret by the provider
    pulumi.export("acr_login_server", acr.login_server)

    This program does the following:

    1. It declares an Azure AD Application, which serves as an identity for CI/CD purposes.
    2. It creates a Service Principal tied to the application. The Service Principal is what's used in the CI/CD pipeline to authenticate and authorize against Azure.
    3. It generates a password for the Service Principal. This password (also known as a secret) will be used for authenticating in CI/CD processes.
    4. It assigns the 'Contributor' role to the Service Principal, effectively giving it permission to manage resources in the entire subscription. You can scope this down to a resource group or a single resource depending on your needs.
    5. It creates an Azure Container Registry with 'Standard' SKU, a place to store Docker images that may be produced during your CI/CD process.
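    Steps 3 and 4 are where the pipeline identity's blast radius is decided: how long the secret lives and how wide the role assignment's scope is. The following added example (not part of the original program, written for this page) is a small pre-deployment review that scores both. It builds Azure scope strings for a subscription, a resource group and a single registry, classifies a scope by how broad it is, and flags a credential whose end_date exceeds the rotation period. The subscription ID, resource group and registry name used in the demo are constructed placeholders; the 2299 end_date and the subscription-wide Contributor assignment are the values from the program above.

```python
import re
from datetime import datetime, timedelta, timezone

# Azure resource IDs grow more specific from left to right; a role assignment
# scope is simply one of these IDs.
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_SUBSCRIPTION_RE = re.compile(rf"^/subscriptions/{_GUID}$")
_RESOURCE_GROUP_RE = re.compile(rf"^/subscriptions/{_GUID}/resourceGroups/[^/]+$", re.IGNORECASE)
_RESOURCE_RE = re.compile(
    rf"^/subscriptions/{_GUID}/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+", re.IGNORECASE)

# Ordered from narrowest to broadest.
SCOPE_LEVELS = ["resource", "resourceGroup", "subscription"]


def subscription_scope(subscription_id):
    return f"/subscriptions/{subscription_id}"


def resource_group_scope(subscription_id, resource_group_name):
    return f"{subscription_scope(subscription_id)}/resourceGroups/{resource_group_name}"


def registry_scope(subscription_id, resource_group_name, registry_name):
    """Scope string for one Azure Container Registry (the narrowest useful scope here)."""
    return (f"{resource_group_scope(subscription_id, resource_group_name)}"
            f"/providers/Microsoft.ContainerRegistry/registries/{registry_name}")


def scope_level(scope):
    """Classify a scope string as subscription, resourceGroup or resource."""
    if _SUBSCRIPTION_RE.match(scope):
        return "subscription"
    if _RESOURCE_GROUP_RE.match(scope):
        return "resourceGroup"
    if _RESOURCE_RE.match(scope):
        return "resource"
    raise ValueError(f"unrecognised Azure scope: {scope}")


def review_role_assignment(role_name, scope, widest_allowed="resourceGroup"):
    """Return a finding if the assignment is broader than the pipeline needs, else None."""
    level = scope_level(scope)
    if SCOPE_LEVELS.index(level) > SCOPE_LEVELS.index(widest_allowed):
        return f"role '{role_name}' granted at {level} scope; narrow it to {widest_allowed} or below"
    return None


def review_credential_lifetime(end_date, now=None, max_days=90):
    """Return a finding if the secret outlives the rotation period, else None."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(end_date.replace("Z", "+00:00"))
    lifetime = expires - now
    if lifetime > timedelta(days=max_days):
        return f"secret valid for {lifetime.days} days; cap it at {max_days} days and rotate"
    return None


def review_pipeline_identity(role_name, scope, end_date, now=None):
    """Run both checks and return the list of findings (empty when the identity passes)."""
    checks = (review_role_assignment(role_name, scope), review_credential_lifetime(end_date, now))
    return [finding for finding in checks if finding]


def demo():
    """Review the configuration from the program above and a narrowed alternative."""
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
    broad = review_pipeline_identity(
        "Contributor", subscription_scope(sub), "2299-12-30T23:00:00Z", now)
    narrow = review_pipeline_identity(
        "Contributor", registry_scope(sub, "ai-rg", "airegistry"), "2024-03-01T00:00:00Z", now)
    return broad, narrow


if __name__ == "__main__":
    broad, narrow = demo()
    for finding in broad:
        print("FINDING:", finding)
    print("narrowed configuration findings:", narrow)
```

    The subscription-wide Contributor plus a 2299 expiry yields two findings; the same role scoped to the registry alone with a 60-day secret yields none. Either function can be run against the values you intend to pass to RoleAssignment and ServicePrincipalPassword before `pulumi up`.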

    When using this script, make sure that pulumi.Config("azure").require("subscriptionId") and pulumi.Config("azure").require("resourceGroupName") resolve to your actual Azure Subscription ID and resource group name. The service principal needs these details to have its permissions set correctly.

    After running this Pulumi program, you'll have an Azure AD Application, a Service Principal, its password, and a role assignment, which are the main components for setting up secure access control for CI/CD processes. The Container Registry is where artifacts such as Docker images will be stored.

    You would typically use these exported variables (application_id, service_principal_id, sp_password_value, acr_login_server) in your CI/CD pipeline configuration, so your pipeline has the necessary access rights to Azure resources. You should securely store sp_password_value, as it's used for authentication purposes.

    Remember to be cautious with the Service Principal credentials. It's very important to keep them secure and rotate them regularly. Many CI/CD tools such as Azure DevOps and GitHub Actions provide secure ways to store and make use of such secrets.