Open rajeshkamal5050 opened 1 year ago
In an internal thread, @jongio outlined a reasonable path forward, I think.
Before sending the ARM Template to the control plane to do the deploy, walk over the template and collect all the resource types that are present in it. If any of these resource types are ones on a fixed list of types that require you to have done this attestation, check then to see if the user has done the attestation, and if not, display this notice and allow them to accept it. If they do, we make some API call to the control plane to signify that the user accepted this.
For Terraform, I suspect we'd do a similar thing, but instead of looking at the HCL itself, perhaps we could crack the plan (or the JSON formatting of it) to discover the list of resources and then continue along with our lives.
This would require that azd carry with it the set of resources that require you to attest to. Perhaps we can get that list from the control plane as well at some point.
I think in the case of todo-nodejs-mongo we wouldn't actually have to do this because it does not use any resources that require attestation. However, the OpenAI samples which use the text analytics resources would more likely be impacted by this.
Also, if in the short term we don't have an API to do the attestation, we could always give a deep link into the portal to where the customer could accept the terms of use, as they do today.
I think it'd be great to get at least the deep link into the CLI for easy navigation sooner rather than later. Seems like the traversing of the resource types is required if we have in-command line attestation or not.
Looks good. Thanks Matt
@ellismg - What are your thoughts on how we'd know if a resource requires the attestation? (Other than hardcoding). I'm wondering if we have an ARM API that can tell us what those resources are so we could make that call (and cache it) and then check on provision against that list.
@ellismg @savannahostrowski adding it to the Germanium bucket. We can pull it into iterations/sprints as part of planning.
@rajeshkamal5050 is this a big or small item? Can we tackle this before Ignite?
Temp workaround in place - https://github.com/Azure/azure-dev/pull/2910
We can pull it back into Sprints once the dependency API/CLI is available for the attestation workflow.
Issue: For example, azd up -t todo-nodejs-mongo at the command prompt will stand up an entire application w/o any portal interaction. Right now, the provisioning of resources will fail if the AI attestation has not been given. Needs to be spiked on how to handle it.
cc: @ellismg @savannahostrowski @jongio
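
The template walk proposed in the thread above, sketched in Go as an added example (not azd's own code): it collects resource types from the compiled ARM JSON, descending into nested deployments and accepting both the array and symbolic-name object forms of `resources`, then reports which types are on the attestation list. The list contents, `NeedsAttestation`, `collectTypes` and the sample template are assumptions made for illustration, and resource types are assumed to be fully qualified (children nested under a parent resource are not expanded).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical list: the thread does not say which types need attestation.
var attestationRequired = []string{"microsoft.cognitiveservices/accounts"}
// Constructed sample: the listed type sits inside a nested deployment.
const sampleTemplate = `{"resources": [{"type": "Microsoft.Storage/storageAccounts"},
 {"type": "Microsoft.Resources/deployments", "properties": {"template": {"resources":
 {"acct": {"type": "Microsoft.CognitiveServices/accounts"}}}}}]}`

// collectTypes records, lower-cased, every resource type under a "resources" value.
func collectTypes(resources interface{}, seen map[string]bool) {
	items, _ := resources.([]interface{})
	// Symbolic-name templates use an object here; skipping it would fail open.
	if byName, ok := resources.(map[string]interface{}); ok {
		for _, r := range byName {
			items = append(items, r)
		}
	}
	for _, item := range items {
		res, _ := item.(map[string]interface{})
		typ, _ := res["type"].(string)
		seen[strings.ToLower(typ)] = true
		// A nested deployment carries a complete template of its own.
		props, _ := res["properties"].(map[string]interface{})
		tmpl, _ := props["template"].(map[string]interface{})
		collectTypes(tmpl["resources"], seen)
	}
}

// NeedsAttestation returns the listed types that the template would deploy.
func NeedsAttestation(template []byte) ([]string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(template, &doc); err != nil {
		return nil, err // fail closed: an unparseable template is never "clean"
	}
	seen, hits := map[string]bool{}, []string{}
	collectTypes(doc["resources"], seen)
	for _, t := range attestationRequired {
		if seen[t] {
			hits = append(hits, t)
		}
	}
	return hits, nil
}

func main() { fmt.Println(NeedsAttestation([]byte(sampleTemplate))) }
```

A non-empty result is the point at which the CLI would show the notice or the portal deep link before sending the template to the control plane.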