├── .github └── workflows │ └── main.yml ├── .gitignore ├── Dockerfile ├── LICENSE ├── README.md ├── requirements.txt └── webapp └── main.py /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Trigger auto deployment for demo-container 2 | 3 | #env: 4 | # AZURE_CONTAINER_APP_NAME: demo-container 5 | # AZURE_GROUP_NAME: demo-container 6 | 7 | # When this action will be executed 8 | on: 9 | # Automatically trigger it when detected changes in repo. Remove comments to enable 10 | #push: 11 | # branches: 12 | # [ main ] 13 | 14 | # Allow mannually trigger 15 | workflow_dispatch: 16 | 17 | jobs: 18 | build: 19 | runs-on: ubuntu-latest 20 | 21 | steps: 22 | - name: Checkout to the branch 23 | uses: actions/checkout@v2 24 | 25 | - name: Set up Docker Buildx 26 | uses: docker/setup-buildx-action@v1 27 | 28 | - name: Log in to GitHub container registry 29 | uses: docker/login-action@v1.10.0 30 | with: 31 | registry: demoalfredo.azurecr.io 32 | username: ${{ secrets.ACR_USERNAME }} 33 | password: ${{ secrets.ACR_PASSWORD }} 34 | 35 | - name: Lowercase the repo name and username 36 | run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} 37 | 38 | - name: Build and push container image to ACR registry 39 | uses: docker/build-push-action@v2 40 | with: 41 | push: true 42 | tags: demoalfredo.azurecr.io/${{ env.REPO }}:${{ github.sha }} 43 | file: ./Dockerfile 44 | 45 | deploy: 46 | runs-on: ubuntu-latest 47 | needs: build 48 | 49 | steps: 50 | - name: Azure Login 51 | uses: azure/login@v1 52 | with: 53 | creds: ${{ secrets.AZURE_CREDENTIALS }} 54 | 55 | 56 | - name: Deploy to containerapp 57 | uses: azure/CLI@v1 58 | with: 59 | inlineScript: | 60 | az config set extension.use_dynamic_install=yes_without_prompt 61 | az containerapp registry set -n demo-container -g demo-container --server demoalfredo.azurecr.io --username ${{ secrets.ACR_USERNAME }} --password ${{ secrets.ACR_PASSWORD }} 62 | az containerapp update -n demo-container -g demo-container --cpu 2 --memory 4Gi 63 | az containerapp update -n demo-container -g demo-container --image demoalfredo.azurecr.io/alfredodeza/huggingface-azure-acr:${{ github.sha }} 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | COPY ./requirements.txt /webapp/requirements.txt 4 | 5 | WORKDIR /webapp 6 | 7 | RUN pip install -r requirements.txt 8 | 9 | COPY webapp/* /webapp 10 | 11 | EXPOSE 8000 12 | 13 | ENTRYPOINT [ "uvicorn" ] 14 | 15 | CMD [ "--host", "0.0.0.0", "main:app" ] 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Alfredo Deza 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MLOps deployment to Azure Container Apps 2 | 3 | _Take advantage of insta-scaling for live inferencing_ 4 | 5 | Learn how to deploy an ML container with FastAPI and deploy it to [Azure Container Apps](https://docs.microsoft.com/azure/container-apps/overview?WT.mc_id=academic-0000-alfredodeza) with GitHub Actions. This repository gives you a good starting point with a Dockerfile, GitHub Actions workflow, and Python code. 6 | 7 | ## Generate a PAT 8 | 9 | The access token will need to be added as an Action secret. [Create one](https://github.com/settings/tokens/new?description=Azure+Container+Apps+access&scopes=write:packages) with enough permissions to write to packages. 10 | 11 | ## Create an Azure Service Principal 12 | 13 | You'll need the following: 14 | 15 | 1. An Azure subscription ID [find it here](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) or [follow this guide](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) 16 | 1. A Service Principal with the following details the AppID, password, and tenant information. Create one with: `az ad sp create-for-rbac -n "REST API Service Principal"` and assign the IAM role for the subscription. Alternatively set the proper role access using the following command (use a real subscription id and replace it): 17 | 18 | ``` 19 | az ad sp create-for-rbac --name "CICD" --role contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID --sdk-auth 20 | ``` 21 | 22 | 23 | ## Azure Container Apps 24 | 25 | Make sure you have one instance already created, and then capture the name and resource group. These will be used in the workflow file. 26 | 27 | ## Change defaults 28 | 29 | Make sure you use 2 CPU cores and 4GB of memory per container. Otherwise you may get an error because loading HuggingFace with FastAPI requires significant memory upfront. 30 | 31 | ## Gotchas 32 | 33 | There are a few things that might get you into a failed state when deploying: 34 | 35 | * Not having enough RAM per container 36 | * Not using authentication for accessing the remote registry (ghcr.io in this case). Authentication is always required 37 | * Not using a PAT (Personal Access Token) or using a PAT that doesn't have write permissions for "packages". 38 | * Different port than 80 in the container. By default Azure Container Apps use 80. Update to match the container. 39 | 40 | If running into trouble, check logs in the portal or use the following with the Azure CLI: 41 | 42 | ``` 43 | az containerapp logs show --name $CONTAINER_APP_NAME --resource-group $RESOURCE_GROUP_NAME --follow 44 | ``` 45 | 46 | Update both variables to match your environment 47 | 48 | ## API Best Practices 49 | 50 | Although there are a few best practices for using the FastAPI framework, there are many different other suggestions to build solid HTTP APIs that can be applicable anywhere. 51 | 52 | ### Use HTTP Error codes 53 | The HTTP specification has several error codes available. Make use of the appropriate error code to match the condition that caused it. For example the `401` HTTP code can be used when access is unauthorized. You shouldn't use a single error code as a catch-all error. 54 | 55 | Here are some common scenarios associated with HTTP error codes: 56 | 57 | - `400 Bad request`: Use this to indicate a schema problem. For example if the server expected a string but got an integer 58 | - `401 Unauthorized`: When authentication is required and it wasn't present or satisfied 59 | - `404 Not found`: When the resource doesn't exist 60 | 61 | Note that it is a good practice to use `404 Not Found` to protect from requests that try to find if a resource exists without being authenticated. A good example of this is a service that doesn't want to expose usernames unless you are authenticated. 62 | 63 | 64 | ### Accept request types sparingly 65 | 66 | | GET | POST | PUT | HEAD| 67 | |---|---|---|---| 68 | | Read Only | Write Only | Update existing | Does it exist? | 69 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | transformers==4.20.1 2 | tensorflow==2.9.1 3 | fastapi==0.78.0 4 | uvicorn[standard] 5 | -------------------------------------------------------------------------------- /webapp/main.py: -------------------------------------------------------------------------------- 1 | from transformers import pipeline 2 | from fastapi import FastAPI, Response 3 | from pydantic import BaseModel 4 | 5 | generator = pipeline('text-generation', model='gpt2') 6 | 7 | app = FastAPI() 8 | 9 | 10 | class Body(BaseModel): 11 | text: str 12 | 13 | 14 | @app.get('/') 15 | def root(): 16 | return Response("

A self-documenting API to interact with a GPT2 model and generate text

") 17 | 18 | 19 | @app.post('/generate') 20 | def predict(body: Body): 21 | results = generator(body.text, max_length=35, num_return_sequences=1) 22 | return results[0] 23 | --------------------------------------------------------------------------------