Support load configuration settings from Azure Front Door

src/cdn/cdnRequestPipelinePolicy.ts

@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import { PipelinePolicy } from "@azure/core-rest-pipeline";
+
+/**
+ * The pipeline policy that remove the authorization header from the request to allow anonymous access to the Azure Front Door.
+ * @remarks
+ * The policy position should be perRetry, since it should be executed after the "Sign" phase: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-client/src/serviceClient.ts
+ */
+export class AnonymousRequestPipelinePolicy implements PipelinePolicy {
+    name: string = "AppConfigurationAnonymousRequestPolicy";
+
+    async sendRequest(request, next) {
+        if (request.headers.has("authorization")) {
+            request.headers.delete("authorization");
+        }
+        return next(request);
+    }
+}
+
+/**
+ * The pipeline policy that remove the "sync-token" header from the request.
+ * The policy position should be perRetry. It should be executed after the SyncTokenPolicy in @azure/app-configuration, which is executed after retry phase: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/appconfiguration/app-configuration/src/appConfigurationClient.ts#L198
+ */
+export class RemoveSyncTokenPipelinePolicy implements PipelinePolicy {
+    name: string = "AppConfigurationRemoveSyncTokenPolicy";
+
+    async sendRequest(request, next) {
+        if (request.headers.has("sync-token")) {
+            request.headers.delete("sync-token");
+        }
+        return next(request);
+    }
+}

src/cdn/constants.ts

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+export const TIMESTAMP_HEADER = "x-ms-date";

src/common/errorMessages.ts

@@ -20,6 +20,8 @@ export const enum ErrorMessages {
     INVALID_LABEL_FILTER = "The characters '*' and ',' are not supported in label filters.",
     INVALID_TAG_FILTER = "Tag filter must follow the format 'tagName=tagValue'",
     CONNECTION_STRING_OR_ENDPOINT_MISSED = "A connection string or an endpoint with credential must be specified to create a client.",
+    REPLICA_DISCOVERY_NOT_SUPPORTED = "Replica discovery is not supported when loading from Azure Front Door.",
+    LOAD_BALANCING_NOT_SUPPORTED = "Load balancing is not supported when loading from Azure Front Door."
 }
 
 export const enum KeyVaultReferenceErrorMessages {

src/index.ts

@@ -3,6 +3,6 @@
 
 export { AzureAppConfiguration } from "./appConfiguration.js";
 export { Disposable } from "./common/disposable.js";
-export { load } from "./load.js";
+export { load, loadFromAzureFrontDoor } from "./load.js";
 export { KeyFilter, LabelFilter } from "./types.js";
 export { VERSION } from "./version.js";

src/load.ts

@@ -6,10 +6,18 @@ import { AzureAppConfiguration } from "./appConfiguration.js";
 import { AzureAppConfigurationImpl } from "./appConfigurationImpl.js";
 import { AzureAppConfigurationOptions } from "./appConfigurationOptions.js";
 import { ConfigurationClientManager } from "./configurationClientManager.js";
+import { AnonymousRequestPipelinePolicy, RemoveSyncTokenPipelinePolicy } from "./cdn/cdnRequestPipelinePolicy.js";
 import { instanceOfTokenCredential } from "./common/utils.js";
+import { ArgumentError } from "./common/errors.js";
+import { ErrorMessages } from "./common/errorMessages.js";
 
 const MIN_DELAY_FOR_UNHANDLED_ERROR_IN_MS: number = 5_000;
 
+// Empty token credential to be used when loading from Azure Front Door
+const emptyTokenCredential: TokenCredential = {
+    getToken: async () => ({ token: "", expiresOnTimestamp: Number.MAX_SAFE_INTEGER })
+};
+
 /**
  * Loads the data from Azure App Configuration service and returns an instance of AzureAppConfiguration.
  * @param connectionString  The connection string for the App Configuration store.
@@ -42,7 +50,8 @@ export async function load(
     }
 
     try {
-        const appConfiguration = new AzureAppConfigurationImpl(clientManager, options);
+        const isCdnUsed: boolean = credentialOrOptions === emptyTokenCredential;
+        const appConfiguration = new AzureAppConfigurationImpl(clientManager, options, isCdnUsed);
         await appConfiguration.load();
         return appConfiguration;
     } catch (error) {
@@ -56,3 +65,34 @@ export async function load(
         throw error;
     }
 }
+
+/**
+ * Loads the data from Azure Front Door (CDN) and returns an instance of AzureAppConfiguration.
+ * @param endpoint  The URL to the Azure Front Door.
+ * @param appConfigOptions  Optional parameters.
+ */
+export async function loadFromAzureFrontDoor(endpoint: URL | string, options?: AzureAppConfigurationOptions): Promise<AzureAppConfiguration>;
+
+export async function loadFromAzureFrontDoor(
+    endpoint: string | URL,
+    appConfigOptions: AzureAppConfigurationOptions = {}
+): Promise<AzureAppConfiguration> {
+    if (appConfigOptions.replicaDiscoveryEnabled) {
+        throw new ArgumentError(ErrorMessages.REPLICA_DISCOVERY_NOT_SUPPORTED);
+    }
+    if (appConfigOptions.loadBalancingEnabled) {
+        throw new ArgumentError(ErrorMessages.LOAD_BALANCING_NOT_SUPPORTED);
+    }
+    appConfigOptions.replicaDiscoveryEnabled = false; // Disable replica discovery when loading from Azure Front Door
+
+    appConfigOptions.clientOptions = {
+        ...appConfigOptions.clientOptions,
+        additionalPolicies: [
+            ...(appConfigOptions.clientOptions?.additionalPolicies || []),
+            { policy: new AnonymousRequestPipelinePolicy(), position: "perRetry" },
+            { policy: new RemoveSyncTokenPipelinePolicy(), position: "perRetry" }
+        ]
+    };
+
+    return await load(endpoint, emptyTokenCredential, appConfigOptions);
+}

src/requestTracing/constants.ts

@@ -51,6 +51,7 @@ export const REPLICA_COUNT_KEY = "ReplicaCount";
 export const KEY_VAULT_CONFIGURED_TAG = "UsesKeyVault";
 export const KEY_VAULT_REFRESH_CONFIGURED_TAG = "RefreshesKeyVault";
 export const FAILOVER_REQUEST_TAG = "Failover";
+export const AFD_USED_TAG = "AFD";
 
 // Compact feature tags
 export const FEATURES_KEY = "Features";

src/requestTracing/utils.ts

@@ -27,6 +27,7 @@ import {
     HostType,
     KEY_VAULT_CONFIGURED_TAG,
     KEY_VAULT_REFRESH_CONFIGURED_TAG,
+    AFD_USED_TAG,
     KUBERNETES_ENV_VAR,
     NODEJS_DEV_ENV_VAL,
     NODEJS_ENV_VAR,
@@ -50,6 +51,7 @@ export interface RequestTracingOptions {
     initialLoadCompleted: boolean;
     replicaCount: number;
     isFailoverRequest: boolean;
+    isAfdUsed: boolean;
     featureFlagTracing: FeatureFlagTracingOptions | undefined;
     fmVersion: string | undefined;
     aiConfigurationTracing: AIConfigurationTracingOptions | undefined;
@@ -99,7 +101,9 @@ function applyRequestTracing<T extends OperationOptions>(requestTracingOptions:
     const actualOptions = { ...operationOptions };
     if (requestTracingOptions.enabled) {
         actualOptions.requestOptions = {
+            ...actualOptions.requestOptions,
             customHeaders: {
+                ...actualOptions.requestOptions?.customHeaders,
                 [CORRELATION_CONTEXT_HEADER_NAME]: createCorrelationContextHeader(requestTracingOptions)
             }
         };
@@ -119,6 +123,7 @@ function createCorrelationContextHeader(requestTracingOptions: RequestTracingOpt
     FFFeatures: Seed+Telemetry
     UsersKeyVault
     Failover
+    AFD
     */
     const keyValues = new Map<string, string | undefined>();
     const tags: string[] = [];
@@ -150,6 +155,9 @@ function createCorrelationContextHeader(requestTracingOptions: RequestTracingOpt
     if (requestTracingOptions.isFailoverRequest) {
         tags.push(FAILOVER_REQUEST_TAG);
     }
+    if (requestTracingOptions.isAfdUsed) {
+        tags.push(AFD_USED_TAG);
+    }
     if (requestTracingOptions.replicaCount > 0) {
         keyValues.set(REPLICA_COUNT_KEY, requestTracingOptions.replicaCount.toString());
     }

src/types.ts

@@ -95,6 +95,7 @@ export type WatchedSetting = {
 
 export type SettingWatcher = {
     etag?: string;
+    timestamp: Date;
 }
 
 export type PagedSettingsWatcher = SettingSelector & {