Azure

Azure OpenAI, Key Vault, Blob artifacts, Container Apps Jobs, ACI, AKS, and Foundry Agent Service helpers.

Fabric Harness keeps Azure-specific integration code in @fabric-harness/azure so the core SDK stays provider-neutral. The package now includes model, storage, secret, Foundry Agent Service, and Azure ARM control-plane helpers.

Status: package-level helpers with unit tests and live-gated tests. Foundry Hosted Agent build scaffolding exists. AKS now has a full SandboxEnv backend (aksSandbox); ACA and ACI remain control-plane tools only.

Install

npm install @fabric-harness/azure @fabric-harness/sdk

Azure OpenAI

Use Azure OpenAI as a model provider:

import { AzureOpenAIModelProvider } from '@fabric-harness/azure';
import { init } from '@fabric-harness/sdk';

const provider = new AzureOpenAIModelProvider({
  endpoint: process.env.AZURE_OPENAI_ENDPOINT!,
  apiKey: process.env.AZURE_OPENAI_API_KEY!,
  deployment: process.env.AZURE_OPENAI_DEPLOYMENT!,
});

const fabric = await init({ modelProvider: provider });

The provider sends chat-completions requests to:

/openai/deployments/{deployment}/chat/completions

Blob artifact store

import { createAzureBlobArtifactStore } from '@fabric-harness/azure';

const blobs = createAzureBlobArtifactStore({
  accountUrl: 'https://acct.blob.core.windows.net',
  container: 'fabric-artifacts',
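  // getAzureAccessToken() is your app's own token helper; this package does not provide one.
  token: async () => getAzureAccessToken(),
});

// `markdown` is the report text produced by your app.
await blobs.put('reports/triage.md', markdown, 'text/markdown');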

Use this when Fabric session artifacts need to land in Azure Storage. The helper is intentionally narrow; session-store integration and retention policy are controlled by your app.

Key Vault secret resolver

import { createAzureKeyVaultSecretResolver } from '@fabric-harness/azure';
import { defineCommand, init, secret } from '@fabric-harness/sdk';

const resolveSecret = createAzureKeyVaultSecretResolver({
  vaultUrl: process.env.AZURE_KEY_VAULT_URL!,
  token: async () => getAzureAccessToken(),
});

const gh = defineCommand('gh', {
  env: { GH_TOKEN: secret('github-token') },
});

const fabric = await init({ resolveSecret });

Secrets stay in Key Vault and are resolved only at command execution time.

Azure ARM client

import { createAzureArmClient } from '@fabric-harness/azure';

const arm = createAzureArmClient({
  subscriptionId: process.env.AZURE_SUBSCRIPTION_ID!,
  token: async () => getAzureAccessToken(),
});

The ARM client is used by the control-plane tools below.
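
The `token` callbacks in the Blob, Key Vault, and ARM snippets call a `getAzureAccessToken()` helper that this page does not define. One way to write it with a managed identity, as an added example that is not part of @fabric-harness/azure: fetch a token from the Azure Instance Metadata Service and reuse it until shortly before expiry. `imdsFetch` and `cachedTokenProvider` are hypothetical names, and the code assumes a runtime with a global `fetch`.

```typescript
// Added example, not part of @fabric-harness/azure.
// Hypothetical names: TokenResponse, FetchToken, imdsFetch, cachedTokenProvider.
interface TokenResponse {
  access_token: string;
  expires_on: string; // Unix time in seconds, sent as a string by IMDS
}
type FetchToken = (resource: string) => Promise<TokenResponse>;

// Managed identity endpoint of the Azure Instance Metadata Service (IMDS).
// Only reachable from inside an Azure host with an identity assigned.
const IMDS_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';

const imdsFetch: FetchToken = async (resource) => {
  const url = `${IMDS_URL}?api-version=2018-02-01&resource=${encodeURIComponent(resource)}`;
  // The "Metadata: true" header is required; IMDS rejects requests without it.
  // Assumption: the runtime provides a global fetch.
  const res = await (globalThis as any).fetch(url, { headers: { Metadata: 'true' } });
  if (!res.ok) throw new Error(`IMDS token request failed: HTTP ${res.status}`);
  return (await res.json()) as TokenResponse;
};

// Returns a callback suitable for `token: async () => ...`. The token is
// reused until it is within skewMs of expiry, then fetched again.
function cachedTokenProvider(
  resource: string,
  fetchToken: FetchToken = imdsFetch,
  now: () => number = () => Date.now(),
  skewMs = 5 * 60 * 1000,
): () => Promise<string> {
  let cached: { token: string; expiresAt: number } | undefined;
  return async () => {
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    const r = await fetchToken(resource);
    const expiresAt = Number(r.expires_on) * 1000;
    if (!r.access_token || !Number.isFinite(expiresAt)) {
      throw new Error('malformed token response');
    }
    cached = { token: r.access_token, expiresAt };
    return cached.token;
  };
}

// One provider per audience: a token issued for ARM is not valid for
// Key Vault (https://vault.azure.net) or Storage (https://storage.azure.com/).
const armToken = cachedTokenProvider('https://management.azure.com/');
```

Pass `armToken` directly as the `token` option; the fetcher and clock parameters exist so the caching logic can be tested off Azure.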

Container Apps Jobs

import { azureContainerAppsJobTool } from '@fabric-harness/azure';

const tools = [azureContainerAppsJobTool(arm)];

The tool starts an existing Azure Container Apps Job. It is useful when a Fabric agent should trigger a prebuilt containerized workload, for example a data import, validation run, or batch repair.

Input shape:

{
  resourceGroup: string;
  name: string;
  environmentVariables?: Record<string, string>;
}
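
Because the agent chooses this input, a guard in front of the tool can pin which jobs it may start and which variables it may set. The following is an added example, not code from @fabric-harness/azure; `JobAllowlist`, `validateJobInput`, and the sample values are hypothetical.

```typescript
// Added example. JobInput mirrors the input shape documented above;
// JobAllowlist and validateJobInput are hypothetical, not package APIs.
interface JobInput {
  resourceGroup: string;
  name: string;
  environmentVariables?: Record<string, string>;
}

interface JobAllowlist {
  jobs: ReadonlySet<string>;    // lowercase "resourceGroup/name" pairs the agent may start
  envKeys: ReadonlySet<string>; // environment variable names the agent may set
  maxEnvValueLength: number;
}

// Returns a list of violations; an empty list means the input may be forwarded.
function validateJobInput(input: JobInput, allow: JobAllowlist): string[] {
  const errors: string[] = [];
  // Azure resource names are case-insensitive, so compare in lowercase.
  const jobId = `${input.resourceGroup}/${input.name}`.toLowerCase();
  if (!allow.jobs.has(jobId)) errors.push(`job not allowlisted: ${jobId}`);
  for (const [key, value] of Object.entries(input.environmentVariables ?? {})) {
    if (!allow.envKeys.has(key)) errors.push(`env key not allowlisted: ${key}`);
    if (value.length > allow.maxEnvValueLength) errors.push(`env value too long: ${key}`);
    if (/[\r\n\0]/.test(value)) errors.push(`control character in env value: ${key}`);
  }
  return errors;
}

// Constructed sample policy and inputs.
const allowlist: JobAllowlist = {
  jobs: new Set(['data-rg/nightly-import']),
  envKeys: new Set(['IMPORT_DATE', 'DRY_RUN']),
  maxEnvValueLength: 64,
};

// Allowed job, allowed variable: no violations.
const accepted = validateJobInput(
  { resourceGroup: 'data-rg', name: 'nightly-import', environmentVariables: { DRY_RUN: 'true' } },
  allowlist,
);

// Allowed job, but the agent tries to set a variable outside the allowlist.
const rejected = validateJobInput(
  { resourceGroup: 'data-rg', name: 'nightly-import', environmentVariables: { PATH: '/tmp' } },
  allowlist,
);
```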

AKS sandbox (SandboxEnv)

Run agent code inside an AKS pod via aksSandbox. This is the full sandbox interface — exec/readFile/writeFile/mkdir/rm all work — backed by @kubernetes/client-node against credentials pulled from Azure ARM.

import { init } from '@fabric-harness/sdk';
import { createAzureArmClient } from '@fabric-harness/azure';
import { aksSandbox } from '@fabric-harness/azure/aks-sandbox';

const arm = createAzureArmClient({
  subscriptionId: process.env.AZURE_SUBSCRIPTION_ID!,
  token: process.env.AZURE_ACCESS_TOKEN!,
});

const sandbox = await aksSandbox({
  arm,
  resourceGroup: 'my-rg',
  clusterName: 'my-aks',
  // Either attach to an existing pod:
  podName: 'agent-pod',
  // Or create an ephemeral pod from an image (auto-deleted on cleanup):
  // image: 'alpine:latest',
});

const fabric = await init({ sandbox });

Requires @kubernetes/client-node as a peer dependency.

AKS Run Command (control-plane tool)

For invoking AKS Run Command from the agent's tool surface (without entering a pod):

import { azureAksRunCommandTool } from '@fabric-harness/azure';

const tools = [azureAksRunCommandTool(arm)];

Treat this as a privileged execute effect and guard it with policy:

const policy = {
  toolPolicy: {
    requireApproval: ['azure_aks_run_command'],
  },
};

Azure Container Instances exec

import { azureContainerInstanceExecTool } from '@fabric-harness/azure';

const tools = [azureContainerInstanceExecTool(arm)];

The ACI tool creates an exec session for a configured container group/container. It is a control-plane primitive, not a complete remote shell stream. Use it for operator workflows where your app handles the returned exec session details.

Build targets

Two Azure-specific build targets emit deployable artifacts:

--target aks

fh build --target aks

Emits Dockerfile, .dockerignore, and k8s/ manifests:

  • k8s/deployment.yaml — Deployment with /health and /ready probes
  • k8s/service.yaml — ClusterIP Service on port 80 → 3000
  • k8s/README.md — push-and-apply walkthrough

Build the image, push to your ACR, then kubectl apply -f k8s/.

--target aca (Azure Container Apps)

fh build --target aca
azd up

Emits Dockerfile, azure.yaml (azd project), and infra/ Bicep:

  • infra/main.bicep — managed environment + ACR (Basic) + Container App with scale-to-zero
  • infra/main.parameters.json — azd-driven parameters
  • infra/README.md — azd up walkthrough

The Container App exposes external ingress on port 3000 with /health and /ready probes.

Foundry Agent Service

For Foundry Agent Service invocation and lifecycle helpers, see Foundry Hosted Agents.

Live tests

Live tests are skipped unless enabled:

FABRIC_AZURE_OPENAI_TEST=1 \
AZURE_OPENAI_ENDPOINT=... \
AZURE_OPENAI_API_KEY=... \
AZURE_OPENAI_DEPLOYMENT=... \
pnpm --filter @fabric-harness/azure test

FABRIC_AZURE_FOUNDRY_TEST=1 \
AZURE_FOUNDRY_PROJECT_ENDPOINT=... \
AZURE_FOUNDRY_AGENT_ID=... \
AZURE_TOKEN=... \
pnpm --filter @fabric-harness/azure test

FABRIC_AZURE_ARM_TEST=1 \
AZURE_SUBSCRIPTION_ID=... \
AZURE_TOKEN=... \
pnpm --filter @fabric-harness/azure test

Optional ARM resources:

AZURE_CONTAINER_APPS_JOB_RESOURCE_GROUP=...
AZURE_CONTAINER_APPS_JOB_NAME=...
AZURE_AKS_RESOURCE_GROUP=...
AZURE_AKS_CLUSTER_NAME=...
AZURE_ACI_RESOURCE_GROUP=...
AZURE_ACI_CONTAINER_GROUP=...
AZURE_ACI_CONTAINER_NAME=...

What is still left

  • ACA / ACI runtime SandboxEnv backends (AKS sandbox shipped — see above).
  • Foundry Hosted Agent SandboxEnv runtime adapter (build target ships; runtime adapter waits on Foundry GA).
  • Managed identity token acquisition helpers.
  • Application Insights exporter presets.

See docs/ROADMAP.md for status.