feat(tier-1): foundation — feature flags, smart tags, KV/ACR security hardening#150
Open
pgabriel-01 wants to merge 3 commits into
Conversation
Adds optional-by-default feature flags so users can opt out of
Application Insights, Container Registry, or the AML Compute Cluster
without forking the bicep template. Strengthens Key Vault and ACR
defaults and supports cost/governance reporting via tags.
Bicep:
- enableMonitoring, enableContainerRegistry, enableComputeCluster flags
- Conditional module deployment (App Insights, ACR, compute cluster)
- aml_workspace.bicep handles optional appinsightid/crid via empty-string
sentinels, passing null to the workspace properties when omitted
- Key Vault: enableRbacAuthorization, configurable softDelete/purgeProtection,
conditional purge protection (cannot be unset once enabled)
- ACR: adminUserEnabled set to false (use AcrPull RBAC instead)
- Smart tags: CostCenter, ManagedBy params surfaced through tags object;
Project tag now uses the project prefix instead of static 'mlops-v2'
- Fix path: LintBicepCode and deployment commands now correctly reference
infrastructure/bicep/main.bicep (was infrastructure/main.bicep)
ADO pipeline (bicep-ado-deploy-infra.yml):
- Wire feature flags and tag params from config-infra-*.yml through
validate and deploy stages
Configs:
- enable_container_registry variable added to config-infra-{dev,prod}.yml
(other variables already present from prior modernization PRs)
- Create model_settings.json with weighted metric thresholds (RMSE, R2, Spearman)
- Champion/challenger pattern from enterprise AI Factory repo
- Supports promote_on_all_metrics toggle and minimum sample check
- ADO: Add skipEnvironmentRegistration, skipComputeCreation, skipDataRegistration parameters
- ADO: Wrap register-environment, create-compute, register-data with conditional execution
- GH: Add workflow_dispatch inputs for skip_environment/data/compute
- GH: Add if conditions on register-environment, register-dataset, create-compute jobs
- GH: Add cancelled/failure guard on run-model-training-pipeline for skipped deps
- Enterprise reference: 12 debug_disable_* flags pattern
Summary
Tier 1 of a phased enterprise-hardening initiative for the MLOps v2 project template. All changes are feature-flagged off by default; existing dev/test deployments behave identically. Opt-in via config-infra-{dev,prod}.yml.
Scope (3 commits)
1. Feature flags, smart tags, KV/ACR security hardening (ff5f6f5)
   - infrastructure/bicep/main.bicep: enableMonitoring, enableContainerRegistry, enableComputeCluster, kvEnablePurgeProtection, kvSoftDeleteRetentionDays, tagCostCenter, tagManagedBy; (appi!.outputs.X, cr!.outputs.X) avoids BCP318; Project tag now derived from prefix (was hard-coded)
   - infrastructure/bicep/modules/key_vault.bicep: enableRbacAuthorization: true (Azure recommendation; access policies deprecated); API version @2024-04-01-preview
   - infrastructure/bicep/modules/container_registry.bicep: adminUserEnabled: false (security baseline)
   - infrastructure/bicep/modules/aml_workspace.bicep: appinsightid/crid via ternaries for the conditional modules
   - infrastructure/bicep/pipelines/bicep-ado-deploy-infra.yml: path fix (./infrastructure/main.bicep → ./infrastructure/bicep/main.bicep) in 3 places
   - config-infra-{dev,prod}.yml: adds enable_container_registry: true
2. Model comparison settings for taxi regression (0f87407)
   - classical/aml-cli-v2/mlops/azureml/train/model_settings.json with threshold/baseline configuration; consumed by the model evaluation step
3. Pipeline resilience: debug skip flags (cf6b931)
   - deploy-model-training-pipeline.yml + GHA deploy-model-training-pipeline-classical.yml
Diff
10 files, +154/-36. Bicep builds clean (no warnings, no BCP errors).
Compatibility
Checklist
- az bicep build clean
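To show how the flagged, hardened Key Vault and ACR defaults described in the PR fit together in a single template, here is an added illustrative example; it is not code from PR #150 or the MLOps v2 repo. Parameter names follow the PR description, while the resource names, SKUs and API versions are assumptions.

```bicep
// Added illustrative example, not code from PR #150: a feature-flagged,
// hardened Key Vault and ACR in the style the description outlines.
// Parameter names follow the PR; resource names and API versions are assumptions.
param prefix string
param location string = resourceGroup().location
param enableContainerRegistry bool = true
param kvEnablePurgeProtection bool = false   // default off: cannot be unset once enabled
@minValue(7)
@maxValue(90)
param kvSoftDeleteRetentionDays int = 90
param tagCostCenter string = ''
param tagManagedBy string = 'bicep'

// Smart tags: Project derived from the prefix rather than a hard-coded value
var tags = {
  Project: prefix
  CostCenter: tagCostCenter
  ManagedBy: tagManagedBy
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: '${prefix}-kv'
  location: location
  tags: tags
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true          // data-plane RBAC instead of access policies
    enableSoftDelete: true
    softDeleteRetentionInDays: kvSoftDeleteRetentionDays
    // Emit the property only when enabling it; ARM rejects an explicit false
    // once purge protection has been turned on, so null leaves it untouched.
    enablePurgeProtection: kvEnablePurgeProtection ? true : null
  }
}

resource cr 'Microsoft.ContainerRegistry/registries@2023-07-01' = if (enableContainerRegistry) {
  name: '${prefix}acr'                     // ACR names must be alphanumeric
  location: location
  tags: tags
  sku: { name: 'Basic' }
  properties: {
    adminUserEnabled: false                // pull via AcrPull role assignments, not the shared admin secret
  }
}

// Empty-string sentinel for the consumer: cr! suppresses BCP318 on the conditional
// resource, and the ternary ensures the id is only read when the registry was deployed.
output containerRegistryId string = enableContainerRegistry ? cr!.id : ''
```

A consuming module (such as the workspace module the PR describes) would map the empty-string sentinel back to null before setting the workspace's containerRegistry property.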