Added a new section to the deployments docs

docs/samples/deployments/index.md

@@ -4,3 +4,4 @@
 - [Kubernetes](k8s/index.md)
 - [Spark/Azure Databricks](spark/index.md)
 - [Azure Data Factory](data-factory/index.md)
+- [Data Protection toolkit for OpenAI](openai-anonymaztion-and-deanonymaztion-best-practices/index.md)

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.devcontainer/devcontainer.json

@@ -0,0 +1,19 @@
+{
+	"name": "Presidio Anonymization Toolkit",
+	"image": "mcr.microsoft.com/devcontainers/python:3.12-bullseye",
+	"features": {
+		"ghcr.io/devcontainers/features/azure-cli:1": {},
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+	},
+	"postCreateCommand": "./.devcontainer/post-create.sh",
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-vscode.azure-account",
+				"ms-python.python",
+				"ms-python.flake8",
+				"ms-azuretools.azure-dev"
+			]
+		}
+	}
+}

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.devcontainer/post-create.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+pip install --upgrade pip
+python -m spacy download en_core_web_lg
+
+cd src/api
+pip install -r requirements.txt
+
+# Installing kubectl
+curl -sSL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl \
+    && chmod +x /usr/local/bin/kubectl

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/ISSUE_TEMPLATE/JitAccess.yml

@@ -0,0 +1,28 @@
+name: Temporary administrator access request
+description: Request for temporary repository administrator access to this repository, a.k.a Just-in-Time (JIT) access.
+title: "JIT Request"
+labels: ["jit"]
+assignees:
+  - gimsvc_microsoft
+  - 
+body:
+  - type: markdown
+    attributes:
+      value: |
+        :closed_lock_with_key: Permanent repository administrator access is not allowed as per Microsoft security policy. You can use this form to request for temporary administrator access to this repository.
+  - type: textarea
+    id: justification
+    attributes:
+      label: Justification
+      description: Describe the actions that you will perform with your temporary administrator access.
+      placeholder: I need to create secrets.
+    validations:
+      required: true
+  - type: dropdown
+    id: duration
+    attributes:
+      label: Duration (hours)
+      description: How long do you need access for? The duration you select is in hours.
+      options:
+        - 1
+        - 2

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/acl/access.yml

@@ -0,0 +1,30 @@
+# Documentation for ACL policy: https://aka.ms/gim/docs/policy/acl
+
+name: Access control list
+description: List of teams and their permission levels
+resource: repository
+where:
+configuration:
+  manageAccess:
+  - member: rofaucon
+    role: Maintain
+  - member: ityer
+    role: Maintain
+  - member: anmalkov
+    role: Push
+  - member: ashcostigane
+    role: Push
+  - member: alejacma
+    role: Push
+  - member: kgukov
+    role: Push
+  - member: annaciula
+    role: Push
+  - member: jeffeng
+    role: Push
+  - member: hilikbe
+    role: Push
+  - member: xiaolulu
+    role: Push
+  - member: takamara
+    role: Push

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/compliance/inventory.yml

@@ -0,0 +1,6 @@
+inventory:
+- source: DirectOwners
+  items:
+  - id: rofaucon@microsoft.com
+  - id: ityer@microsoft.com
+  isProduction: false

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/policies/jit.yml

@@ -0,0 +1,19 @@
+# Documentation for JIT policy: https://aka.ms/gim/docs/policy/jit
+
+# metadata
+id: id
+name: JIT_Access
+description: Policy for admin JIT for repos in this org
+
+# filters
+resource: repository
+
+# primitive configuration
+configuration:
+    jitAccess:
+        enabled: true
+        maxHours: 2
+        approvers:
+            role: Maintain
+        requestors:
+            role: Write

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/workflows/build_and_push_api.yml

@@ -0,0 +1,83 @@
+name: Build and deploy API
+on:
+  push:
+    branches: ['main']
+    paths:
+      - 'src/api/**'
+      - 'deployments/api/**'
+      - '.github/workflows/build_and_push_api.yml'
+  workflow_dispatch:
+
+# These should be set in the GH Actions settings but hardcoding them here for now
+env:
+  AZURE_CONTAINER_REGISTRY: "preshack.azurecr.io"
+  CONTAINER_NAME: "preshack-api"
+  RESOURCE_GROUP: "hackathon-2024"
+  CLUSTER_NAME: "preshack"
+  DEPLOYMENT_MANIFEST_PATH: "deployments/api"
+
+jobs:
+  buildImage:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      # Checks out the repository this file is in
+      - uses: actions/checkout@v4
+
+      # Logs in with your Azure credentials
+      - name: Azure login
+        uses: azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # Builds and pushes an image up to your Azure Container Registry
+      - name: Build and push image to ACR
+        run: |
+          az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} src/api
+
+  deploy:
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: [buildImage]
+    steps:
+      # Checks out the repository this file is in
+      - uses: actions/checkout@v4
+
+      # Logs in with your Azure credentials
+      - name: Azure login
+        uses: azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # Use kubelogin to configure your kubeconfig for Azure auth
+      - name: Set up kubelogin for non-interactive login
+        uses: azure/use-kubelogin@v1
+        with:
+          kubelogin-version: 'v0.0.25'
+
+      # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+      - name: Get K8s context
+        uses: azure/aks-set-context@v3
+        with:
+          resource-group: ${{ env.RESOURCE_GROUP }}
+          cluster-name: ${{ env.CLUSTER_NAME }}
+          admin: 'false'
+          use-kubelogin: 'true'
+
+      # Deploys application based on given manifest file
+      - name: Deploys application
+        uses: Azure/k8s-deploy@v4
+        with:
+          action: deploy
+          manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+          images: |
+            ${{ env.AZURE_CONTAINER_REGISTRY }}/${{ env.CONTAINER_NAME }}:${{ github.sha }}

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.github/workflows/build_and_push_client.yml

@@ -0,0 +1,83 @@
+name: Build and deploy Client
+on:
+  push:
+    branches: ['main']
+    paths:
+      - 'src/client_app/**'
+      - 'deployments/client/**'
+      - '.github/workflows/build_and_push_client.yml'
+  workflow_dispatch:
+
+# These should be set in the GH Actions settings but hardcoding them here for now
+env:
+  AZURE_CONTAINER_REGISTRY: "preshack.azurecr.io"
+  CONTAINER_NAME: "preshack-client"
+  RESOURCE_GROUP: "hackathon-2024"
+  CLUSTER_NAME: "preshack"
+  DEPLOYMENT_MANIFEST_PATH: "deployments/client"
+
+jobs:
+  buildImage:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      # Checks out the repository this file is in
+      - uses: actions/checkout@v4
+
+      # Logs in with your Azure credentials
+      - name: Azure login
+        uses: azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # Builds and pushes an image up to your Azure Container Registry
+      - name: Build and push image to ACR
+        run: |
+          az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} src/client_app
+
+  deploy:
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: [buildImage]
+    steps:
+      # Checks out the repository this file is in
+      - uses: actions/checkout@v4
+
+      # Logs in with your Azure credentials
+      - name: Azure login
+        uses: azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # Use kubelogin to configure your kubeconfig for Azure auth
+      - name: Set up kubelogin for non-interactive login
+        uses: azure/use-kubelogin@v1
+        with:
+          kubelogin-version: 'v0.0.25'
+
+      # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+      - name: Get K8s context
+        uses: azure/aks-set-context@v3
+        with:
+          resource-group: ${{ env.RESOURCE_GROUP }}
+          cluster-name: ${{ env.CLUSTER_NAME }}
+          admin: 'false'
+          use-kubelogin: 'true'
+
+      # Deploys application based on given manifest file
+      - name: Deploys application
+        uses: Azure/k8s-deploy@v4
+        with:
+          action: deploy
+          manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+          images: |
+            ${{ env.AZURE_CONTAINER_REGISTRY }}/${{ env.CONTAINER_NAME }}:${{ github.sha }}

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/.gitignore

@@ -0,0 +1,2 @@
+**/.venv
+**/.env

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/deployments/api/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: api-config
+data:
+  REDIS_HOSTNAME: "preshack.redis.cache.windows.net"
+  REDIS_PORT: "6380"
+  REDIS_SSL: "True"

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/deployments/api/deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api-deployment
+  labels:
+    app: api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      containers:
+      - name: preshack-api
+        image: preshack.azurecr.io/preshack-api
+        ports:
+        - containerPort: 80
+        envFrom:
+          - configMapRef:
+              name: api-config
+        env:
+        - name: REDIS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: redis-key
+              key: REDIS_KEY

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/deployments/api/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: api-service
+spec:
+  selector:
+    app: api
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 80
+  type: ClusterIP

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/deployments/client/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: client-config
+data:
+  OPENAI_ENDPOINT: https://oai-presidio-anon-toolkit.openai.azure.com/
+  OPENAI_API_VERSION: 2023-03-15-preview
+  OPENAI_DEPLOYMENT_NAME: gpt-4o
+  API_URL: http://api-service:80
+  TEXTUAL_HOST: "0.0.0.0"
+  TEXTUAL_PORT: "8081"
+  TEXTUAL_PUBLIC_URL: http://4.154.250.110

docs/samples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/deployments/client/deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: client-deployment
+  labels:
+    app: client
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: client
+  template:
+    metadata:
+      labels:
+        app: client
+    spec:
+      containers:
+      - name: preshack-client
+        image: preshack.azurecr.io/preshack-client
+        ports:
+        - containerPort: 8081
+        envFrom:
+          - configMapRef:
+              name: client-config
+        env:
+        - name: OPENAI_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: open-ai-key
+              key: OPENAI_API_KEY