
azure-samples / contoso-chat


This sample has the full end-to-end process of creating a RAG application with Prompt Flow and AI Studio. It includes GPT 3.5 Turbo LLM application code, evaluations, deployment automation with AZD CLI, GitHub Actions for evaluation and deployment, and intent mapping for multiple LLM task mapping.

License: MIT License

Python 2.35% Jupyter Notebook 48.74% Dockerfile 0.39% Bicep 45.83% Shell 2.08% PowerShell 0.61%
ai-azd-templates azd-templates azure-ai-search azure-ai-services azure-ai-studio azure-cosmosdb azure-openai-service copilot-tutorial llmops contoso-chat

contoso-chat's Introduction

name: Contoso Chat Retail with Azure AI Studio and Promptflow
description: A retail copilot that answers customer queries with responses grounded in retailer's product and customer data.
languages: python, bicep, azdeveloper, prompty
products: azure-openai, azure-cognitive-search, azure, azure-cosmos-db
page_type: sample
urlFragment: contoso-chat

Contoso Chat Retail with Azure AI Studio and Promptflow

This sample creates a customer support chat agent for an online retailer called Contoso Outdoors. The solution uses a retrieval-augmented generation pattern to ground responses in the company's product and customer data. Customers can ask questions about the retailer's product catalog, and also get recommendations based on their prior purchases.



About This Sample

In this sample we build, evaluate and deploy a customer support chat AI for Contoso Outdoors, a fictitious retailer who sells hiking and camping equipment. The implementation uses a Retrieval Augmented Generation (RAG) architecture to implement a retail copilot solution that responds to customer queries with answers grounded in the company's product catalog and customer purchase history.

The sample uses Azure AI Search to create and manage search indexes for product catalog data, Azure Cosmos DB to store and manage customer purchase history data, and Azure OpenAI to deploy and manage the core models required for our RAG-based architecture.

By exploring and deploying this sample, you will learn to:

Table of Contents

  1. Features
  2. Getting Started
  3. Azure Deployment
  4. Local Development
  5. Guidance
  6. Troubleshooting
  7. Resources
  8. Contributing
  9. Trademarks

Features

The project comes with:

  • Sample model configurations, chat and evaluation prompts for a RAG-based copilot app.
  • Prompty assets to simplify prompt creation & iteration for this copilot scenario.
  • Sample product and customer data for the retail copilot scenario.
  • Sample application code for copilot chat and evaluation workflows.
  • Sample azd-template configuration for managing the application on Azure.
  • Managed Identity configuration as a best practice for managing sensitive credentials.

This is also a signature sample for demonstrating new capabilities in the Azure AI platform. Expect regular updates to showcase cutting-edge features and best practices for generative AI development.

Architecture Diagram

The Contoso Chat application implements a retrieval augmented generation pattern to ground the model responses in your data. The architecture diagram below illustrates the key components and services used for implementation and highlights the use of Azure Managed Identity to reduce developer complexity in managing sensitive credentials.

Architecture Diagram

Demo Video

🌟 | Watch for a video update showing how easy it is to go from code to cloud using this template and the Azure Developer CLI for deploying your copilot application.

Versions

This has been the signature sample used to showcase end-to-end development of a copilot application code-first on the Azure AI platform. It has been actively used for training developer audiences and industry partners at key events including Microsoft AI Tour and Microsoft Build. Use the links below to reference specific versions of the sample corresponding to a related workshop or event session.

Version Description
v0 : #cc2e808 Microsoft AI Tour 2023-24 (dag-flow, jinja template) - Skillable Lab
v1 : msbuild-lab322 Microsoft Build 2024 (dag-flow, jinja template) - Skillable Lab
v2 : main Latest version (flex-flow, prompty asset) - Azure AI Template

Getting Started

Pre-Requisites

You will also need:

Setup Environment

You have three options for getting started with this template:

  • GitHub Codespaces - Cloud-hosted dev container (pre-built environment)
  • VS Code Dev Containers - Locally-hosted dev container (pre-built environment)
  • Manual Setup - Local environment setup (for advanced users)

We recommend using GitHub Codespaces for the fastest start with least effort. However, we have provided instructions for all three options below.

1. GitHub Codespaces

  1. Click the button to launch this repository in GitHub Codespaces.

    Open in GitHub Codespaces

  2. This opens a new browser tab with setup taking a few minutes to complete. Once ready, you should see a Visual Studio Code editor in your browser tab, with a terminal open.

  3. Sign into your Azure account from the VS Code terminal

    azd auth login --use-device-code

2. VS Code Dev Containers

This is a related option that opens the project in your local VS Code using the Dev Containers extension instead. This is a useful alternative if your GitHub Codespaces quota is low, or you need to work offline.

  1. Start Docker Desktop (install it if not already installed)

  2. Open the project by clicking the button below:

    Open in Dev Containers

  3. Once ready, the tab will refresh to show a Visual Studio Code editor with a terminal open.

  4. Sign into your Azure account from the VS Code terminal

    azd auth login

3. Manual Setup (Local)

  • Verify you have Python3 installed on your machine.

  • Install dependencies with pip install -r requirements.txt

  • Install Azure Developer CLI

    • Windows: winget install microsoft.azd
    • Linux: curl -fsSL https://aka.ms/install-azd.sh | bash
    • MacOS: brew tap azure/azd && brew install azd
  • Sign into your Azure account from the VS Code terminal

    azd auth login

Azure Deployment

  1. Use the same terminal where you previously authenticated with Azure.

  2. Provision and deploy your application to Azure. You will need to specify a valid subscription, deployment location, and environment name.

    azd up
  3. This step will take some time to complete.

    • Visit the Azure Portal to monitor progress.
    • Look for a new resource group matching the environment name
    • Click Deployments to track the status of the provisioning process
  4. Once provisioning completes, monitor progress for app deployment.

    • Visit the Azure AI Studio
    • Look for an AI Project associated with the above resource group
    • Click Deployments to track the status of the application deployment
  5. Once deployment completes, test the deployed endpoint from Azure AI Studio

    • Click the newly-created chat-deployment-xx endpoint listed
    • In the details page, click the Test tab for a built-in testing sandbox
    • In the Input box, enter a new query in this format and submit it:
      {"question": "Tell me about hiking shoes", "customerId": "2", "chat_history": []}
      
    • If successful, the response will be printed in the area below this prompt.

You can find your deployed retail copilot's Endpoint and Primary Key information on the deployment details page in the last step. Use them to configure your preferred front-end application (e.g., web app) to support a customer support chat UI capability that interacts with the deployed copilot in real time.

Local Development

Exploring the Prompty Asset

This sample contains an example chat.prompty asset that you can explore, to understand this new capability. The file has the following components:

  1. A frontmatter section that defines the following attributes:
    • name of the application
    • description of the application functionality
    • authors of the application (one per line)
    • model description (with these parameters)
      • api type of endpoint (can be chat or completion)
      • configuration parameters including
        • type of connection (azure_openai or openai)
        • environment variables (e.g., azure_deployment for chat model)
      • parameters (max_tokens, temperature, response_format)
    • inputs - each with type and optional default value
    • outputs - specifying a type (e.g., string)
    • sample - an example of the inputs (e.g., for testing)
  2. A system context (defining the agent persona and behavior)
    • #Safety section enforcing responsible AI requirements
    • #Documentation section with template for filling product documentation
    • #Previous Orders section with template for filling relevant history
    • #Customer Context section with template for filling customer details
    • question section to embed user query
    • Instructions section to reference related product recommendations

This specific prompty takes 3 inputs: a customer object, a documentation object (that could be chat history) and a question string that represents the user query. You can now load, execute, and trace individual prompty assets for a more granular prompt engineering solution.

Testing the Application Flow

This sample uses a flex-flow feature that lets you "create LLM apps using a Python class or function as the entry point" - making it easier to test and run them using a code-first experience.

  • This sample implements a Function based flow
  • The entry point is the get_response function in chat_request.py

You can now test the flow in different ways:

  • Run it directly, like any Python script
  • Convert it to a flow, then use pf flow test --flow ...
  • Start a UI to chat with the flow using pf flow test --flow ... --ui

🌟 | Watch this space for more testing guidance.

Guidance

Region Availability

This template uses gpt-35-turbo for chat completion, gpt-4 for chat evaluation and text-embedding-ada-002 for vectorization. These models may not be available in all Azure regions. Check for up-to-date region availability and select a region accordingly.

This template uses the Semantic Ranker feature of Azure AI Search which may be available only in certain regions. Check for up-to-date region availability and select a region accordingly.

  • We recommend using sweden-central for the OpenAI Models
  • We recommend using eastus for the Azure AI Search Resource

Note

The default azd deploy takes a single location for deploying all resources within the resource group for that application. We set the default Azure AI Search location to eastus (in infra/ configuration), allowing you to now use the default location setting to optimize for model availability and capacity in region.

Costs

Pricing for services may vary by region and usage and exact costs cannot be estimated. You can estimate the cost of this project's architecture with Azure's pricing calculator with these services:

  • Azure OpenAI - Standard tier, GPT-4, GPT-35-turbo and Ada models. See Pricing.
  • Azure AI Search - Basic tier, Semantic Ranker enabled. See Pricing.
  • Azure Cosmos DB for NoSQL - Serverless, Free Tier. See Pricing.

Security

This template uses Managed Identity for authentication with key Azure services including Azure OpenAI, Azure AI Search, and Azure Cosmos DB. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials, so developers do not have to handle these credentials themselves, which reduces complexity.

Additionally, we have added a GitHub Action tool that scans the infrastructure-as-code files and generates a report containing any detected issues. As a best practice, we recommend that anyone creating solutions based on our templates enable the GitHub secret scanning setting in their repo.
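
A local check for the Managed Identity practice described above, as an added example that is not part of the contoso-chat repository or its GitHub Action: it flags Bicep lines that fetch account keys or leave key authentication enabled. The function names and both sample Bicep files are constructed for illustration, and the match is a heuristic, not a full template analysis.

```shell
#!/bin/sh
# Added example, not code from the contoso-chat repository.
# Heuristic check: flag Bicep lines that pull account keys into a deployment
# or leave key-based (local) authentication enabled on a resource.

# scan_bicep_for_keys DIR
# Prints "file:line:text" for each finding; returns 1 if anything was found.
scan_bicep_for_keys() {
    scan_dir=$1
    # list*Keys()/listConnectionStrings() return secrets at deploy time;
    # "disableLocalAuth: false" keeps API-key authentication switched on.
    pattern='list(Admin|Query)?Keys\(|listConnectionStrings\(|disableLocalAuth:[[:space:]]*false'
    # /dev/null forces grep to print file names even for a single file.
    # The second grep drops lines that are entirely a // comment.
    findings=$(find "$scan_dir" -type f -name '*.bicep' \
        -exec grep -En "$pattern" /dev/null {} + 2>/dev/null \
        | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*//' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_sample_infra: write two constructed Bicep files into a temp directory
# and print its path. keyed/ uses keys, identity/ relies on a managed identity.
make_sample_infra() {
    sample_dir=$(mktemp -d)
    mkdir "$sample_dir/keyed" "$sample_dir/identity"
    cat > "$sample_dir/keyed/search.bicep" <<'EOF'
// constructed sample: key-based access to the search service
param name string
resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: name
  location: resourceGroup().location
  sku: { name: 'basic' }
  properties: {
    disableLocalAuth: false
  }
}
// listAdminKeys() in a comment is ignored by the scan
output searchKey string = search.listAdminKeys().primaryKey
EOF
    cat > "$sample_dir/identity/search.bicep" <<'EOF'
// constructed sample: identity-only access to the search service
param name string
resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: name
  location: resourceGroup().location
  sku: { name: 'basic' }
  identity: { type: 'SystemAssigned' }
  properties: {
    disableLocalAuth: true
  }
}
output searchName string = search.name
EOF
    printf '%s\n' "$sample_dir"
}

# Demo run over the two constructed trees.
demo_dir=$(make_sample_infra)
for tree in keyed identity; do
    if scan_bicep_for_keys "$demo_dir/$tree"; then
        echo "$tree: no key-based authentication found"
    else
        echo "$tree: key-based authentication found (see lines above)"
    fi
done
rm -rf "$demo_dir"
```

Because the function returns non-zero on any finding, it can gate a pre-commit hook or CI step by pointing it at the infra/ folder.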

Resources

Troubleshooting

Have questions or issues to report? Please open a new issue after first verifying that the same question or issue has not already been reported. In the latter case, please add any additional comments you may have, to the existing issue.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

contoso-chat's People

Contributors

alexravenna, amynic, anderl80, anfibiacreativa, cassiebreviu, jongio, luigiw, microsoft-github-operations[bot], microsoft-github-policy-service[bot], microsoftopensource, nitya, pamelafox, revodavid, sethjuarez, tonybaloney


contoso-chat's Issues

Acceptance criteria checklist (DoD)

The following checklist must be complete before a template is published.

Repository Management

Source code structure and conventions

  • GitHub Actions (This refers to .github/workflows/azure-dev.yml or custom workflow to run on a GitHub runner) is in place
  • DevContainer (/.devcontainer folder where applicable) configuration is in place
  • Infrastructure as code is in place (/infra folder where applicable, manifest files or code generators in the case of Aspire and similar )
  • Azure services configuration (/azure.yml file) is in place
  • Minimum coverage tests are in place

Functional requirements

  • azd up successfully provisions and deploys a functional app
  • GitHub Actions run tasks without errors
  • DevContainer has been tested locally and runs
  • Codespaces run [locally and in browser]
  • All tests pass

In the absence of e2e tests,

  • The application has been manually tested to work as per the requirement

Security requirements

When a service selected doesn't support Managed Identity, the corresponding issue must have been reported and the security considerations section in the readme should clearly explain the alternatives.

  • Azure Key Vault is a preferred alternative

The following items are not strictly enforced but may prevent the template from being added to the gallery.

Project code follows standard structure, per language. Please check one.

  • Yes, follows standards
  • No, doesn't follow standards

Code follows recommended style guide

  • Yes, follows style guide
  • No, doesn't follow style guide

Azure Developer CLI Template Guidelines

These requirements are for samples that are using azd for deployment.

Code

Infra Folder

  • Bicep Format - Bicep files should be formatted with bicep format. Can possibly be automated with pre-commit or GitHub actions.

  • Core Modules - main.bicep should reference modules from core, copied from azure-dev.

    cp -r ../azure-dev/templates/common/infra/bicep/core/* infra/core/.

  • Dashboard - Resources should include a dashboard so that azd monitor works, either by referencing the monitoring.bicep module or creating a dashboard separately. See main.bicep

  • Monitoring - Application code should include either OpenCensus or OpenTelemetry so that the monitor is populated. See todo/app.py.

  • Managed Identity - Application must use Managed Identity instead of keys wherever possible.

Elsewhere

  • AZD Telemetry - azure.yaml should include metadata for telemetry including version number. See azure.yaml

  • Service Source - In azure.yaml, the project property for each service should point at a subfolder, not at root (.). Typically the subfolder is labeled src but that may vary. See azure.yaml

  • azd Pipeline Config - .github/workflows should include azure-dev.yaml to support azd pipeline config.

  • Devcontainer - .devcontainer should contain a devcontainer.json and Dockerfile/docker-compose.yaml in order to create a full local dev environment. Start with azure-dev versions and modify as needed. See docker-compose.yaml for example that includes a local database service.

  • security-devops-action - The application must run microsoft/security-devops-action. Example

  • Hook Scripts - all hook scripts (pre-/post- provisioning and deployment scripts) shall include both sh and pwsh versions.

README.md

  • Short Description - a must description should be included. Example

  • Prerequisites - a Prerequisites section should be included. Example

  • Architecture - an architecture diagram and description must be included. Example

  • 'Open In __' buttons - must use same "Open in " buttons as the TODO samples. Example

  • Cost Estimation - a Cost Estimation section should be included. Example

Publicizing

Promptflow huggingface api swapping encounter template error issues for mixtral 7b

Hi, I am using the prompt flow workshop branches, and when I was trying to integrate a Hugging Face serverless API into the promptflow, I encountered the issues specified below:

I added connections to the pfClient and swapped the model in the flow.dag.yaml; when running the flow.dag.yaml file the error below occurs:
Screenshot 2024-06-12 at 12 30 35

First I added the connection in /connection/create-connections.ipynb

Screenshot 2024-06-12 at 12 36 27

import os

from promptflow import PFClient
from promptflow._sdk.entities._connection import ServerlessConnection

# The key value was elided in the original post; read it from the environment
# (variable name HF_KEY is an assumption) instead of hard-coding it in the notebook.
HF_KEY = os.environ["HF_KEY"]

pf = PFClient()  # local Prompt Flow client that stores the connections

# {connection name: api_base}
HF_endpoints = {
    "meta_llama3_instruct_8B": "https://api-inference.huggingface.co/models/meta-llama/Meta-Llama-3-8B-Instruct",
    "meta_llama3_instruct_70B": "https://api-inference.huggingface.co/models/meta-llama/Meta-Llama-3-70B-Instruct",
    "meta_llama3_8B": "https://api-inference.huggingface.co/models/meta-llama/Meta-Llama-3-8B",
    "meta_llama3_70B": "https://api-inference.huggingface.co/models/meta-llama/Meta-Llama-3-70B",
    "gpt2": "https://api-inference.huggingface.co/models/openai-community/gpt2",
    "Phi_3_mini_4k_instruct": "https://api-inference.huggingface.co/models/microsoft/Phi-3-mini-4k-instruct",
    "Phi_3_mini_128k_instruct": "https://api-inference.huggingface.co/models/microsoft/Phi-3-mini-128k-instruct",
    "google_gemma": "https://api-inference.huggingface.co/models/google/gemma-1.1-7b-it",
    "Mixtral": "https://api-inference.huggingface.co/models/mistralai/Mixtral-8x7B-Instruct-v0.1",
    "Mixtral7B": "https://api-inference.huggingface.co/models/mistralai/Mistral-7B-v0.1",
    "bge-small": "https://api-inference.huggingface.co/models/BAAI/bge-small-en",
    "bge-large": "https://api-inference.huggingface.co/models/BAAI/bge-large-en-v1.5",
}

# Register one serverless connection per endpoint
for name, end_point in HF_endpoints.items():
    connection = ServerlessConnection(name=name, api_key=HF_KEY, api_base=end_point)
    print(f"Creating connection {connection.name}...")
    result = pf.connections.create_or_update(connection)
    print(result)

Then I run the YAML file below
YAML file:

environment:
  python_requirements_txt: requirements.txt
inputs:
  chat_history:
    type: list
    default: []
    is_chat_input: false
    is_chat_history: true
  question:
    type: string
    default: What can you tell me about your jackets?
    is_chat_input: true
    is_chat_history: false
  customerId:
    type: string
    default: "2"
    is_chat_input: false
    is_chat_history: false
outputs:
  answer:
    type: string
    reference: ${llm_response.output}
    is_chat_output: true
  context:
    type: string
    reference: ${retrieve_documentation.output}
nodes:
- name: question_embedding
  type: python
  source:
    type: package
    tool: promptflow.tools.embedding.embedding
  inputs:
    connection: aoai-connection
    input: ${inputs.question}
    deployment_name: text-embedding-ada-002
  aggregation: false
- name: retrieve_documentation
  type: python
  source:
    type: code
    path: retrieve_documentation.py
  inputs:
    question: ${inputs.question}
    index_name: contoso-products
    embedding: ${question_embedding.output}
    search: contoso-search
- name: customer_lookup
  type: python
  source:
    type: code
    path: customer_lookup.py
  inputs:
    customerId: ${inputs.customerId}
    conn: contoso-cosmos
- name: customer_prompt
  type: prompt
  source:
    type: code
    path: customer_prompt.jinja2
  inputs:
    documentation: ${retrieve_documentation.output}
    customer: ${customer_lookup.output}
    history: ${inputs.chat_history}
- name: llm_response
  type: llm
  source:
    type: code
    path: llm_response.jinja2
  inputs:
    deployment_name: gpt-35-turbo
    prompt_text: ${customer_prompt.output}
    question: ${inputs.question}
  connection: Mixtral7B
  api: chat

2024-06-12 12:30:48 +0100 74066 execution WARNING [llm_response in line 0 (index starts from 0)] stderr> Exception occurs: UnprocessableEntityError: Error code: 422 - {'error': 'Template error: template not found', 'error_type': 'template_error'}
2024-06-12 12:30:48 +0100 74066 execution WARNING [llm_response in line 0 (index starts from 0)] stderr> UnprocessableEntityError #4, but no Retry-After header, Back off 18 seconds for retry.

404 when 'Run All' local PromptFlow

I filled .env file with correct key and endpoint values in Azure Portal.
But when I run all local PromptFlow, it fails at 'text embedding' step.
I think that is OAI endpoint problem.

I'm in MS AI Tour Seoul 2024 now
Thank you, staffs

Batch run fails

In step "7. Evaluating prompt flow results", the cell with the contents pf_azure_client.stream(base_run) fails with an error. The error message in the Notebook is:

(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
(Run status is 'NotStarted', continue streaming...)
The run '2024_02_02_235111chat_base_run' is in status 'NotStarted' for 5 minutes, streaming is stopped.Please make sure you are using the latest runtime.
======= Run Summary =======
Run name: "2024_02_02_235111chat_base_run"
Run status: "NotStarted"
Start time: "None"
Duration: "None"
Run url: [REDACTED]

Checking the Run URL in AI Studio, the following error appears in promptflow-automatic.log:

Error       Failed to provision Automatic runtime, id: 4bdd38a060a1f0887395eafff8895f61bbc62444bc318e0f, error code: ValidationError/ValidationError, message: [docker.io/sethjuarez/contoso-store:v20240124.1] is not a valid name for an ACR image with tag specified.

azd up: Failed deployment of Failure-Anomalies-Alert-Rule-Deployment-xxx

This issue is for a: (mark with an x)

- [X] bug report -> please search issues before submitting

Minimal steps to reproduce

Launch CodeSpaces
Log into a personal Azure subscription with azd auth
azd up

Any log messages given by the failure

Failure reported for Deployment Failure-Anomalies-Alert-Rule-Deployment-95c29a3f in Azure Portal:

The subscription is not registered to use namespace 'Microsoft.AlertsManagement'. See https://aka.ms/rps-not-found for how to register subscriptions. (Code: MissingSubscriptionRegistration)

Expected/desired behavior

No deployment failures

Mention any other details that might be useful

Doesn't seem to cause any actual problems.

Error `Environment '{}' is not registered` when deploying Prompt Flow in Azure AI Studio and ML Studio

I tried deploying to 1 instance and to 3 and get the same error every time. Also tried selecting a different instance types. Also tried deploying in ML Studio instead of AI Studio.

Environment promptflow_a80*************************ab is not registered

There's a link in the log pointing here.

But I haven't figured out how to "register" the environment.
I can see the environment it refers to in ML Studio -> contoso-chat-aiproj -> Environments. It says "build failed". If I click the "Rebuild" button there, it rebuilds without error. But when I try to deploy the Prompt Flow, I always get the same error.

Here's the error message from ml.azure.com (I redacted part of my environment name in the two spots its shown):

Execution failed. User process 'python' exited with status code 1. Please check log file 'user_logs/std_log.txt' for error details. Error: Traceback (most recent call last):
  File "prepare.py", line 26, in <module>
    build_local_environment(args.name, args.version, args.platform)
  File "prepare.py", line 15, in build_local_environment
    environment.build_local(workspace, platform, useDocker=True, pushImageToWorkspaceAcr=True)
  File "/azureml-envs/image-build/lib/python3.8/site-packages/azureml/core/environment.py", line 1549, in build_local
    raise UserErrorException("Environment '{}' is not registered".format(self.name))
azureml.exceptions._azureml_exception.UserErrorException: UserErrorException:
	Message: Environment 'promptflow_a80*************************ab' is not registered
	InnerException None
	ErrorResponse 
{
    "error": {
        "code": "UserError",
        "message": "Environment 'promptflow_a80*************************ab' is not registered"
    }
}

Also these two warnings (redacted by Azure, not me):

AzureMLCompute job failed
ExecutionFailed: [REDACTED]
	exit_codes: 1
	Appinsights Reachable: Some(true)

Serverless job failed.

Here's what I see in the ML Studio notifications:
image

Also, I've been assuming that when I deploy the Prompt Flow, I do not have to use 3 instances? I've tried with 1 and with 3 and I get the same error with the same exact "not registered" environment in both cases.

Thank you!

Fill in the 'About' section for SEO

To improve SEO, update from "No description, website, or topics provided." to something more meaningful.

Nicely written sample, you might want to make it easier for people to find it.

Bug in `create-azure-search.ipynb` building the endpoint

The `.env` file suggests to only give the name of the created AI Search service - which is also needed by other code parts. Then, building the endpoint URL in the mentioned notebook fails. Suggest to change cell 3 in this notebook to (like it is already done in the other cells):

import requests

def delete_index(search_service: str, search_index: str, search_api_key: str):
    # search_service is the bare service name from .env; the full endpoint URL is built here
    print(f"Deleting index {search_index} in {search_service}...")
    response = requests.delete(
        f"https://{search_service}.search.windows.net/indexes/{search_index}",
        headers={"api-key": search_api_key},
    )
    print(response.status_code)
    return response.status_code

Add pre-builds to aitour-fy25 branch

This issue is for a: (mark with an x)

- [X ] feature request

Minimal steps to reproduce

Launch a Codespace on the aitour-fy25 branch. It will take several minutes to build the codespace.

Expected/desired behavior

Launching the Codespace takes less than a minute

Mention any other details that might be useful

Enabling prebuilds on the branch should help

Deployment chat-deployment-1718994551 not found in endpoint

Trying to deploy service chat but keep getting the following error:

RESPONSE 404: 404 Not Found
ERROR CODE: UserError

{
"error": {
"code": "UserError",
"message": "Deployment chat-deployment-1718994551 not found in endpoint mloe-eqs2edvbximzo, workspace ai-project-eqs2edvbximzo",
"details": [],

  {
    "type": "MessageParameters",
    "info": {
      "value": {
        "deploymentName": "chat-deployment-1718994551",
        "endpointName": "mloe-eqs2edvbximzo",
        "workspaceName": "ai-project-eqs2edvbximzo"
      }
    }
  }

However, I checked the azure portal and I can see the deployment succeeded.

image

No module named 'promptflow.azure'

When running the "evaluate-chat-prompt-flow.ipynb" notebook in codespaces I get the following error..
Has something changed in this cell? I forked the latest version of the repo...
image

forked repo codespaces container can't build

The codespaces dev container can't provision properly when forking from this repo.
Logging here as problem seems to be specific to this repo.

How to Reproduce

  • Fork this repo
  • Create Codespaces on main

Image

You may also try creating codespaces on https://github.com/raffertyuy/fork-contoso-chat to reproduce.

Test attempts

Models gpt-3.5-turbo, gpt-4, and text-embedding-ada-002 not available?

I saw them yesterday, I'm sure. But now I don't see them. I don't know if it's an issue with the Sweden Central region or something else.
image

EDIT: After getting no hint of the problem anywhere else, I decided, like a cornered wild animal, to frantically click on every button I could find on ai.azure.com. I came across the "Explore" tab, where I found the "Model Catalog". There, I searched for gpt-35-turbo and found this:

Screenshot 2024-01-12 at 9 53 15 PM

I shall now continue clicking haphazardly until I can figure out whether it's my subscription, or the region, that is preventing me from using this resource. Unless anyone has any tips. Thanks!

flow.dag.yaml Visual Editor Cannot Find question_embedding tool

I'm running this locally in VS Code using a venv. When I try to run the flow through the visual editor, it fails with AttributeError: 'EntryPoints' object has no attribute 'get'

In the visual editor, I see that the question_embedding node shows an error: "Can't find tool promptflow.tools.embedding.embedding
The package may not be installed in your Python environment."

I can see an embeddings.py file in my venv folder:
image

Here's a screen shot of the error in the PF visual editor in VS Code
image

InvalidRunStatusError When Running "evaluate-chat-prompt-flow.ipynb" notebook

I get the following error: InvalidRunStatusError: The input for batch run is incorrect. Input from key 'run.outputs' is an empty list, which means we cannot generate a single line input for the flow run. Please rectify the input and try again.

when I run this cell pf_azure_client.stream(eval_run_variant)

Can anyone tell me what I am missing?


Connection contoso-cosmos not found

Hi
I am trying to deploy the prompt flow to Azure AI Studio, but when I run a test it indicates that the contoso-cosmos connection was not found, even though the connection is created. I attach the screenshots. Any idea how it can be solved?

Screenshot: prompt flow

Screenshot: Cosmos connection

$RANDOM does not exist in `sh`

I tried setting up the project using azd up and I noticed that the endpointName var is not set correctly. This is because azd hooks only run in sh or pwsh and $RANDOM does not exist in sh.

Code reference

endpointName="contoso-chat-$RANDOM"

As a workaround, I've added my own random_number generator which does something similar.

random_number=$(od -An -N2 -i /dev/urandom | awk '{print $1}')
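
A POSIX-portable way to build the endpoint name, as an added example that is not part of the original issue or the repository's hook script; `rand16`, `make_endpoint_name` and `name_without_random` are hypothetical helper names. It reads two bytes from /dev/urandom with od and rejects an empty suffix, which is what an unset $RANDOM silently produces under sh.

```shell
#!/bin/sh
# Added example (not from the repository): POSIX-portable replacement for $RANDOM.

# Print an unsigned integer in 0..65535 read from /dev/urandom.
# -An drops the offset column, -N2 reads two bytes, -tu2 formats them as one
# unsigned 16-bit value. All three are POSIX od options.
rand16() {
    od -An -N2 -tu2 /dev/urandom | tr -d ' \n'
}

# Build "<prefix>-<number>" and refuse to return a name whose suffix is empty
# or non-numeric, which is the failure mode described in the issue.
make_endpoint_name() {
    prefix=$1
    suffix=$(rand16)
    case $suffix in
        ''|*[!0-9]*)
            echo "no random suffix generated" >&2
            return 1
            ;;
    esac
    printf '%s-%s\n' "$prefix" "$suffix"
}

# What the original assignment yields in a shell without RANDOM.
# RANDOM is unset inside a subshell so the result is the same under bash.
name_without_random() {
    ( unset RANDOM; printf 'contoso-chat-%s\n' "${RANDOM:-}" )
}
```

Every run of a hook that relies on the empty expansion gets the same name, `contoso-chat-`, so repeated deployments collide instead of getting distinct endpoint names.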

Error during deployment

Get the below error when using push_and_deploy_pf.ipynb to deploy on the 'pf_azure_client.flows.create_or_update' step. Also notice the logs message is truncated so don't see full extent of what happened. Thoughts?

ResourceNotFoundError: (UserError) Please make sure that you are passing valid secret names and that the keyvault https://ainorthcentus/
Code: UserError
Message: Please make sure that you are passing valid secret names and that the keyvault https://ainorthcentus/

Provision script does not create Prompt Flow connections

Section 4.5 of README.md suggests that the prompt flow connections should have been created by ./provision.sh, but the output of pf connection list is empty.

The solution is as suggested, to open connections/create-connections.ipynb and run the notebook, which creates the required connections.

The README is missing the step to create a custom connection for Cosmos DB

Required to successfully run evaluate-chat-prompt-flow.ipynb

Creating Custom Connection (contoso-cosmos)

  1. Visit https://ml.azure.com instead
  2. Under Recent Workspaces, click project (contoso-chat-aiproj)
  3. Select Prompt flow (sidebar), then Connections (tab)
  4. Click Create and select Custom from dropdown
  5. Name: contoso-cosmos
  6. Provider: Custom (default)
  7. Key-value pairs: Add 4 entries (get env var values from .env)
    1. key: key, value: "COSMOS_KEY", check "is secret"
    2. key: endpoint, value: "COSMOS_ENDPOINT"
    3. key: containerId, value: customers
    4. key: databaseId, value: contoso-outdoor
  8. Click Save to complete step.

[Auto] AI Gallery Standard Validation FAILED

AI Gallery Standard Validation: FAILED

Repository Management:

  • README.md File.
  • LICENSE.md File.
  • SECURITY.md File.
  • CODE_OF_CONDUCT.md File.
  • CONTRIBUTING.md File.
  • ISSUE_TEMPLATE.md File.
  • Topics on repo contains ['azd-templates', 'ai-azd-templates'].

Source code structure and conventions:

  • azure-dev.yaml File.
  • azure.yaml File.
  • ./infra Folder.
  • .devcontainer Folder.

Functional Requirements:

  • azd up.
  • azd down.

Security Requirements:

  • microsoft/security-devops-action is integrated to the CI/CD pipeline.

  • ⚠️ Security scan. [How to fix?]

    Details
    • ❌ error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated.
      Configure service endpoints and private links where appropriate.

    • ❌ error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits.
      With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing.
      Once you decide to use Azure AD authentication, you can disable authentication using keys.

    • ❌ warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.
      Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

    • ❌ error: AZR-000053 - API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management.

    • ❌ error: AZR-000055 - API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not considered secure. Many of these ciphers are enabled by default and need to be set to 'False'.
      The following ciphers are considered weak or deprecated:

      • TripleDes168
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA256
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_128_GCM_SHA256.
    • ❌ error: AZR-000355 - By default, Key Vault accepts connections from clients on any network. To limit access to selected networks, you must first change the default action.
      After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

      • Azure services on the trusted service list.
      • IP address or CIDR range.
      • Private endpoint connections.
      • Azure virtual network subnets with a Service Endpoint.

      If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall:

      • enabledForDeployment - Azure Virtual Machines for deployment.
      • enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
      • enabledForTemplateDeployment - Azure Resource Manager for template deployment.
    • ❌ error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.

    • ❌ error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled:

      • kube-audit or kube-audit-admin, or both.
        • kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post.
        • kube-audit-admin - Is a subset of the kube-audit log category.
          kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log.
      • guard - Contains logs for Azure Active Directory (AAD) authorization integration.
        For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out.
    • ❌ error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD.

    • ❌ error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities.
      All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges.
      Restricting authorized IP addresses for the API server has the following limitations:

      • Requires AKS clusters configured with a Standard Load Balancer SKU.
      • This feature is not compatible with clusters that use Public IP per Node.
      • This feature is not compatible with AKS private clusters.

      When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32.
      You should add these ranges to the allow list:

      • Include output IP addresses for cluster nodes
      • Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems.
    • ❌ error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC.

      • Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources.
      • Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC.

      Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM).
      When Azure RBAC is enabled:

      • Azure AD principals will be validated exclusively by Azure RBAC.
      • Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC.
    • ❌ error: AZR-000361 - Using managed identities has the following benefits:

      • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
      • You can use role-based access control to grant specific permissions to a managed identity.
      • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
      • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
      • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
      • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.
    • ❌ error: AZR-000363 - Container apps environments allow you to expose your container app to the Internet.
      Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
      Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.
      This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
      To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

    • ❌ error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

    • ❌ error: AZR-000291 - Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities:

      • Centralizes identity management and auditing.
      • Allows granting of permissions using role-based access control (RBAC).
      • Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable.

      To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.
      When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed.

    • ❌ error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
      After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:

      • Azure services on the trusted service list.
      • IP address or CIDR range.
      • Private endpoint connections.
      • Azure virtual network subnets with a Service Endpoint.
    • ❌ error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.
      Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

    • ❌ error: AZR-000095 - Cosmos DB provides two authorization options for interacting with the database:

      • Azure Active Directory identity (Azure AD).
        Can be used to authorize account and resource management operations.
      • Keys and resource tokens.
        Can be used to authorize resource management and data operations.
        Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.
    • ❌ error: AZR-000186 - Enable Microsoft Defender for Azure SQL logical server.

    • ❌ error: AZR-000187 - Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.

    • ❌ error: AZR-000188 - Azure SQL Database offers two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication include:

      • Support for Azure Multi-Factor Authentication (MFA).
      • Conditional-based access with Conditional Access.

      It is also possible to disable SQL authentication entirely and only use AAD authentication.

    • ❌ error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type.
      Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history.

    • ❌ warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.
      Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

    • ❌ warning: AZR-000407 - Manage access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity.

    • ❌ warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.
      Azure RBAC allows users to manage keys, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.
      Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.
      The Azure RBAC permission model is not enabled by default.

    • ❌ warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as-needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies.
      When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity.
      If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions.
      In an AKS cluster with local accounts disabled, administrators will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '' -n '' --admin will fail.

    • ❌ warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers, some additional daemon set and deployments need to be deployed to the AKS clusters.
      These components are installed when the Defender profile is enabled on the cluster.
      The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

    • ❌ warning: AZR-000390 - Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.
      By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.
      Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.
      Azure AD-only authentication is only supported for the flexible server deployment model.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approaches can be found HERE.
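
For the AZR-000316 findings above: Bicep marks a parameter as secureString or secureObject with the `@secure()` decorator. The following added example (not the scanner's rule logic and not code from this repository) is a simplified name-based heuristic that lists parameters whose names suggest a secret but carry no `@secure()`; the sample Bicep, the function names and the name patterns are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Bicep parameters that look sensitive but lack @secure().

# Constructed sample input, not taken from the repository's infra folder.
sample_bicep() {
cat <<'EOF'
param location string = resourceGroup().location

@description('Admin password for the SQL server')
param sqlAdminPassword string

@secure()
param cosmosKey string

@secure()
@description('Search admin key')
param searchApiKey string

param openAiToken string = ''
param keyVaultName string
EOF
}

# Reads Bicep on stdin and prints "line:name" for each param whose name
# suggests a secret and whose decorator block does not contain @secure().
# The name patterns are a heuristic chosen for this example.
find_insecure_params() {
    awk '
        # Remember that the current decorator block marks the param secure.
        /^[ \t]*@secure\(\)/ { secured = 1; next }
        # Other decorators keep the decorator block open.
        /^[ \t]*@/ { next }
        /^[ \t]*param[ \t]+/ {
            name = $2
            lname = tolower(name)
            if (!secured && lname ~ /(password|secret|token|key$|connectionstring)/)
                print NR ":" name
            secured = 0
            next
        }
        # Blank lines do not end a decorator block.
        /^[ \t]*$/ { next }
        # Any other statement ends the decorator block.
        { secured = 0 }
    '
}

# Stand-alone run: report findings for the constructed sample.
sample_bicep | find_insecure_params
```

Parameters reported here end up in deployment history in clear text, as the finding describes; adding `@secure()` above the `param` line is the fix, and names the patterns miss still need manual review.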

InsufficientQuota Error

Hi,

I haven't been able to provision the required resources for this project. I was approved to use OpenAI, but I wasn't able to increase the quota tokens even though I've submitted 2 requests to do so.

Below are the 2 requests I sent and the most recent error code I've received. The original error was for gpt-35-turbo, the current error is for GPT4.

@mroopram ➜ /workspaces/contoso-chat-mr (cc2e808) $ ./provision.sh
Running provisioning using this subscription:
{
  "name": "Azure subscription 1",
  "subscriptionId": "a36d451c-ca02-4072-b151-d92c51e3a9ed"
}
If that is not the correct subscription, please run 'az account set --subscription "<SUBSCRIPTION-NAME>"'
Creating resource group contchat-rg in swedencentral...
Provisioning resources in resource group contchat-rg...
ERROR: {"code": "InvalidTemplateDeployment", "message": "The template deployment 'contchat' is not valid according to the validation procedure. The tracking id is '70e2f569-cf28-4458-909e-7caaaaf19381'. See inner errors for details."}

Inner Errors: 
{"code": "InsufficientQuota", "message": "This operation require 10 new capacity in quota Tokens Per Minute (thousands) - GPT-4, which is bigger than the current available capacity 1. The current quota usage is 0 and the quota limit is 1 for quota Tokens Per Minute (thousands) - GPT-4."}
ERROR: Failed to provision resources. Please check the error message above.

QuotaRequest2
QuotaRequest1

Some default options are $expensive$ for a low-throughput example program

  1. Default for Cosmos DB is Provisioned throughput. Serverless should be much cheaper for this sample program.
  2. Default for Prompt Flow deployment is 3 instances. Would 1 work? What about different instance types?

Question
If I create a new Cosmos DB using Serverless, can I swap it out with my current provisioned DB? Can I just create a new connection for it in Azure and update .env in the Codespace?
Or I could start over with the updated repo and edit the bicep file section for Cosmos DB, but that seems like a lot more work.

Deployment template validation failed: 'The provided value for the template parameter 'environmentName' is not valid. Length of the value should be greater than or equal to '1'

fresh install running ./provision.sh

ERROR: {"code": "InvalidTemplate", "message": "Deployment template validation failed: 'The provided value for the template parameter 'environmentName' is not valid. Length of the value should be greater than or equal to '1'. Please see https://aka.ms/arm-syntax-parameters for usage details.'.", "additionalInfo": [{"type": "TemplateViolation", "info": {"lineNumber": 14, "linePosition": 20, "path": "properties.template.parameters.environmentName.minLength"}}]}
ERROR: Failed to provision resources. Please check the error message above.

I also had to change provision.sh to overcome Issue 79: #79

Fail to load page after `azd up`

Describe the issue:
After running azd up, click the links output in the console log, and the page fails to load with the following error:

  • Workspace service page
  • Deployment service page
  • Scoring service page
  • Swagger service page

Repro Steps:

  1. Run azd auth login
  2. Run azd up

Environment:

  • Azd version: azd version 1.9.5 (commit cd2b7af9995d358aab33c782614f801ac1997dde)
  • OS: Codespaces, Dev Containers and Windows.

Expected behavior:
After azd up, the page can be loaded successfully.

@jongio, @cassiebreviu and @nitya for notification.

Notebook for testing History from an Endpoint deployment

I was wondering if there was example code in one of these Jupyter notebooks in this repo or another repo for how to test a prompt flow endpoint after deploying it? A sample notebook that would include history with multiple follow-up questions.

Thanks in advance!

What happened with ./provision.sh?

Apparently the file ./provision.sh has been moved or replaced. How can I create azure resources now?

P.S. I was planning a pull request including a provision.ps1 so you don't need WSL to create Azure resources. Would that make sense now?

Error in connection type

Get this error when running evaluate-chat-prompt-flow.ipynb, which points to the connection definition in AI Studio. Could a sample be provided to compare?

...
Reason: NotSupported ConnectionType 0 for connection contoso-cosmos. 
Error message: (UserError) NotSupported ConnectionType 0 for connection contoso-cosmos.
Code: UserError

Test Template

  • Testing works following the Readme, Codespaces is the priority
  • Make sure azd works in Codespaces (flag to fix if not)
  • We have a verification step in the README after the resources are deployed, and there is a description of what the customer needs to do next
  • Ensure managed identity is implemented and working
  • If local doesn't work, we need a note in the README (make this explicit)

Nice to have (but document if not working)

  • runs local

Must have two testers' approval, minimum.

ERROR: failed running post hooks: 'postprovision' hook failed with exit code: '1', Path: 'infra\hooks\postprovision.sh'. : exit code: 1

When I run "azd up", I see that all services have been created successfully. However, I receive an error message afterwards. I have searched for a solution, but have not been successful. Can anyone provide me with any recommendations?
Please help me.

(-) Skipped: Didn't find new changes.
<3>WSL (10) ERROR: CreateProcessParseCommon:711: Failed to translate D:\Workspace\contoso-chat
<3>WSL (10) ERROR: CreateProcessParseCommon:757: getpwuid(0) failed 2
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate d:\Workspace\contoso-chat.venv\Scripts
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Java\jdk1.8.0_351\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Common Files\Oracle\Java\javapath
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files (x86)\Common Files\Oracle\Java\javapath
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\WINDOWS\system32
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\WINDOWS
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\WINDOWS\System32\Wbem
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\WINDOWS\System32\WindowsPowerShell\v1.0
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\WINDOWS\System32\OpenSSH
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate D:\download\apache-maven-3.8.7-bin\apache-maven-3.8.7\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\PostgreSQL\13\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Git\cmd
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Roaming\nvm
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\nodejs
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\PuTTY
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Java\scripts
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\MySQL\MySQL Server 8.0\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\Documents\cdk
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\RedHat\java-1.8.0-openjdk-1.8.0.372-1\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\RedHat\java-1.8.0-openjdk-1.8.0.372-1\jre\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Git\usr\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python39
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python39\Scripts
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python311
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python311\Scripts
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Amazon\AWSCLIV2
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\Downloads\sqlite3
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\Downloads\sqlite
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Docker\Docker\resources\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\dotnet
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\anaconda3
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\MongoDB\mongosh-2.2.2-win32-x64\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate D:\file\Release-24.02.0-0.zip\poppler-24.02.0\Library\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Gradle\gradle-7.0.2\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Microsoft SQL Server\160\Tools\Binn
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\Microsoft SQL Server\160\DTS\Binn
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files (x86)\Microsoft SQL Server\160\DTS\Binn
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\scoop\shims
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python39\Scripts
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Python\Python39
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\MySQL\MySQL Shell 8.0\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Microsoft\WindowsApps
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Roaming\npm
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Roaming\nvm
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\nodejs
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Microsoft VS Code\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\RedHat\Podman
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\mongosh
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Ollama
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Program Files\JetBrains\IntelliJ IDEA 2024.1\bin
<3>WSL (10) ERROR: UtilTranslatePathList:2866: Failed to translate C:\Users\dbhoang\AppData\Local\Programs\Azure Dev CLI
Processing fstab with mount -a failed.
Failed to mount C:, see dmesg for more details.
Failed to mount D:, see dmesg for more details.

<3>WSL (10) ERROR: CreateProcessEntryCommon:334: getpwuid(0) failed 2
<3>WSL (10) ERROR: CreateProcessEntryCommon:505: execvpe /bin/bash failed 2
<3>WSL (10) ERROR: CreateProcessEntryCommon:508: Create process not expected to return

ERROR: failed running post hooks: 'postprovision' hook failed with exit code: '1', Path: 'infra\hooks\postprovision.sh'. : exit code: 1

ERROR: error executing step command 'provision': failed running post hooks: 'postprovision' hook failed with exit code: '1', Path: 'infra\hooks\postprovision.sh'. : exit code: 1

Error when running cell 36 in evaluate-chat-prompt-flow.ipynb

The error I get is: "InvalidRunStatusError: The input for batch run is incorrect. Input from key 'run.outputs' is an empty list, which means we cannot generate a single line input for the flow run. Please rectify the input and try again"

Log shows it's running successfully until it starts the aml run step...
(image)

Soft delete of Key Vault prevents redeployment

If you run the provision.sh script once, delete the created resource group, and then attempt to run it a second time you will get an error message like this:

[{"code":"ConflictError","message":"A vault with the same name already exists in deleted state. You need to either recover or purge existing key vault. Follow this link https://go.microsoft.com/fwlink/?linkid=2149745 for more information on soft delete."}]}}

To redeploy, you will first need to purge the deleted keyvault with a command like:

az keyvault purge --name kv-contosooipsaukqmp24o --location swedencentral

or search for "Key Vaults" in the Azure Portal and then click on "Manage Deleted Vaults" to purge it.
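
A pre-check for the purge step in the issue above, as an added example that is not part of the original issue or the repository: a soft-deleted vault with purge protection enabled cannot be purged before its scheduled purge date, so the redeploy then needs a different vault name or has to wait. The function names are hypothetical, and the script assumes `az keyvault show-deleted` returns the `purgeProtectionEnabled` and `scheduledPurgeDate` properties as in current Azure CLI.

```shell
#!/bin/sh
# Added example, not from the contoso-chat repository.
# Function names are hypothetical; run as: sh check_vault.sh <vault-name> <location>

# Print "<purgeProtectionEnabled> <scheduledPurgeDate>" for a soft-deleted vault.
# Returns non-zero when the lookup fails: no deleted vault with that name in
# that location, or the az call itself failed (not logged in, no permission).
deleted_vault_state() {
  out="$(az keyvault show-deleted --name "$1" --location "$2" \
    --query "[properties.purgeProtectionEnabled, properties.scheduledPurgeDate]" \
    --output tsv 2>/dev/null)" || return 1
  # tsv output may be tab- or newline-separated; unquoted echo joins with spaces.
  echo $out
}

# Print the next step for a redeploy that reuses the vault name:
#   no-deleted-vault       nothing found under that name (or lookup failed)
#   purge                  vault is soft-deleted and may be purged
#   blocked-until <date>   purge protection is on; purge is refused until <date>
plan_redeploy() {
  state="$(deleted_vault_state "$1" "$2")" || { echo "no-deleted-vault"; return 0; }
  set -- $state   # $1 = purge-protection flag, $2 = scheduled purge date
  case "${1:-}" in
    true|True) echo "blocked-until ${2:-unknown}" ;;
    *)         echo "purge" ;;
  esac
}

if [ "$#" -eq 2 ]; then
  plan_redeploy "$1" "$2"
fi
```

A purge permanently destroys the vault's secrets, keys and certificates, so run the check against the exact name and location reported in the ConflictError before purging.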

Endpoint test fails due to missing API key

After completing deployment I can see the endpoint on AI Studio. Following the instructions in the README I proceed to test it with the following input:

{"question": "Tell me about hiking shoes", "customerId": "2", "chat_history": []}

The above produces an error, however, triggered during the instantiation of the AzureOpenAIModelConfiguration object. As seen in the logs:

"Execution failure in 'get_response': (InvalidConnectionError) AzureOpenAIModel parameters are incomplete. Please ensure azure_endpoint, api_version, and api_key are provided."

Although we do explicitly provide the version and endpoint here, we don't do the same for the API key. In fact, inspecting my local azd env, the value of AZURE_OPENAI_API_KEY is not set. This feels like something that should be part of the postprovision script. Diving deeper, I noticed that a relevant looking key (is it the same one?) used to be set among others here prior to the May 2024 updates. Why was this dropped?

I'm currently using the following package versions:

prompt_toolkit==3.0.45
promptflow==1.10.0
promptflow-azure==1.10.0
promptflow-core==1.10.0
promptflow-devkit==1.10.0
promptflow-evals==0.3.0
promptflow-tools==1.4.0
promptflow-tracing==1.10.0
