Azure / azure-dev

A developer CLI that reduces the time it takes for you to get started on Azure. The Azure Developer CLI (azd) provides a set of developer-friendly commands that map to key stages in your workflow - code, build, deploy, monitor, repeat.
https://aka.ms/azd
MIT License

[Design/Spike] Handling Responsible AI terms/attestation flow #2557

Open rajeshkamal5050 opened 1 year ago

rajeshkamal5050 commented 1 year ago

Issue: For example, azd up -t todo-nodejs-mongo at the command prompt will stand up an entire application w/o any portal interaction. Right now, the provisioning of resources will fail if the AI attestation has not been given.


Needs to be spiked on how to handle it.

cc: @ellismg @savannahostrowski @jongio

ellismg commented 1 year ago

In an internal thread, @jongio outlined a reasonable path forward, I think.

Before sending the ARM Template to the control plane to do the deploy, walk over the template and collect all the resource types that are present in it. If any of these resource types are ones on a fixed list of types that require you to have done this attestation, check then to see if the user has done the attestation, and if not, display this notice and allow them to accept it. If they do, we make some API call to the control plane to signify that the user accepted this.

For Terraform, I suspect we'd do a similar thing, but instead of looking at the HCL itself, perhaps we could crack the plan (or the JSON formatting of it) to discover the list of resources and then continue along with our lives.

This would require that azd carry with it the set of resources that require you to attest to. Perhaps we can get that list from the control plane as well at some point.
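An added sketch of the template walk described in the comment above; it is not code from this thread or from azd. It assumes a compiled JSON ARM template with array-form `resources`, and it also descends into child resources and inline nested deployments; `NeedsAttestation`, `collect`, the sample template and the gated list are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleTemplate is constructed: one child resource and one nested deployment.
const sampleTemplate = `{"resources":[{"type":"Microsoft.Storage/storageAccounts",
 "resources":[{"type":"blobServices"}]},{"type":"Microsoft.Resources/deployments",
 "properties":{"template":{"resources":[{"type":"microsoft.cognitiveservices/ACCOUNTS"}]}}}]}`

type node struct {
	Type       string // untagged fields match JSON keys case-insensitively
	Resources  []node
	Properties struct{ Template struct{ Resources []node } }
}

// collect records each resource type; child types are relative to their parent.
func collect(rs []node, parent string, seen map[string]bool) {
	for _, r := range rs {
		full := strings.ToLower(strings.TrimPrefix(parent+"/"+r.Type, "/"))
		seen[full] = true
		collect(r.Resources, full, seen)
		if full == "microsoft.resources/deployments" { // Bicep modules compile to these
			collect(r.Properties.Template.Resources, "", seen)
		}
	}
}

// NeedsAttestation returns the gated types present; a parse error fails closed.
func NeedsAttestation(raw []byte, gated []string) (hits []string, err error) {
	var root node
	if err = json.Unmarshal(raw, &root); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	collect(root.Resources, "", seen)
	for _, g := range gated {
		if seen[strings.ToLower(g)] {
			hits = append(hits, g)
		}
	}
	return hits, nil
}

func main() { // the gated list below is an assumed stand-in for the one azd would carry
	fmt.Println(NeedsAttestation([]byte(sampleTemplate), []string{"Microsoft.CognitiveServices/accounts"}))
}
```

A deployment that references its template through a link carries no inline resources, so this walk cannot see inside it; a caller would have to resolve the link or treat it as unknown.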

ellismg commented 1 year ago

I think in the case of todo-nodejs-mongo we wouldn't actually have to do this because it does not use any resources that require attestation. However, the OpenAI samples which use the text analytics resources would more likely be impacted by this.

ellismg commented 1 year ago

Also, if in the short term we don't have an API to do the attestation, we could always give a deep link into the portal to where the customer could accept the terms of use, as they do today.

savannahostrowski commented 1 year ago

I think it'd be great to get at least the deep link into the CLI for easy navigation sooner rather than later. Seems like the traversing of the resource types is required whether we have in-command-line attestation or not.

jongio commented 1 year ago

Looks good. Thanks Matt

jongio commented 1 year ago

@ellismg - What are your thoughts on how we'd know if a resource requires the attestation? (Other than hardcoding). I'm wondering if we have an ARM API that can tell us what those resources are so we could make that call (and cache it) and then check on provision against that list.

rajeshkamal5050 commented 1 year ago

@ellismg @savannahostrowski adding it to the Germanium bucket. We can pull it into iterations/sprints as part of planning.

savannahostrowski commented 11 months ago

@rajeshkamal5050 is this a big or small item? Can we tackle this before Ignite?

rajeshkamal5050 commented 9 months ago

Temp workaround in place - https://github.com/Azure/azure-dev/pull/2910

We can pull it back into Sprints once the dependency API/CLI is available for the attestation workflow.