@bjorntech/alchemy-azure 0.2.0-beta.57

package/README.md

@@ -0,0 +1,241 @@
+# alchemy-azure
+
+Microsoft Azure providers for [Alchemy v2](https://v2.alchemy.run/).
+
+This package follows Alchemy's official custom-provider model: resources are declared with `Resource`, lifecycle implementations are registered with `Provider.effect`, credentials resolve through an `AuthProvider`, and all Azure providers are exposed as a single `Azure.providers()` layer.
+
+## Compatibility
+
+`@bjorntech/alchemy-azure` tracks the `alchemy` v2 beta line. The trailing number in our beta releases mirrors the `alchemy` beta we were tested against.
+
+| `@bjorntech/alchemy-azure` | `alchemy` (peer) | `effect` (peer) | Notes |
+| --------------- | ---------------- | --------------- | ----- |
+| `0.2.0-beta.57` | `2.0.0-beta.57`  | `>=4.0.0-beta.84 || >=4.0.0` | Current beta. |
+| `0.1.1-beta.57` | `2.0.0-beta.57`  | `>=4.0.0-beta.84 || >=4.0.0` | Blob container fix and heartbeat groundwork. |
+| `0.1.0-beta.57` | `2.0.0-beta.57`  | `>=4.0.0-beta.84 || >=4.0.0` | Initial beta.57 compatibility release. |
+| `0.1.0-beta.35` | `2.0.0-beta.35`  | `>=4.0.0-beta.60` | Initial public beta. |
+
+The `alchemy` peer dependency is exact-pinned to a specific beta because the v2 API is still evolving. The `effect` peer accepts the tested beta line or stable Effect 4. Bump compatibility docs and release metadata together when the tested Alchemy beta changes.
+
+## Install
+
+```sh
+bun add alchemy@2.0.0-beta.57 effect @bjorntech/alchemy-azure
+```
+
+`alchemy` and `effect` are peer dependencies — install them in your app, not just transitively.
+
+`@bjorntech/alchemy-azure` ships raw TypeScript (matching the upstream `alchemy` package) and uses `.ts` import suffixes internally. Your `tsconfig.json` needs `"moduleResolution": "Bundler"` (or `"NodeNext"`) and `"allowImportingTsExtensions": true`. This is the default for Bun, Vite, and tsx; plain `tsc`-without-bundler users will need to set it explicitly.
+
+## Alignment with Alchemy v2 principles
+
+This package follows the patterns documented at [v2.alchemy.run](https://v2.alchemy.run/):
+
+- **Resource declarations** use `Resource<Type, Props, Attributes>` with deterministic physical names via `createPhysicalName`.
+- **Provider implementations** use `Provider.effect(R, Effect.gen(...))` returning `R.Provider.of({ ... })` with a single convergent `reconcile` (observe → ensure → sync → return), idempotent `delete`, optional `diff` (with `isResolved` guards and `stables`), and `read` for state recovery + adoption.
+- **Ownership** is detected via the `alchemy:logical-id` tag (or `alchemyLogicalId` blob metadata for blob containers); foreign resources surface as `Unowned(attrs)` so `--adopt` is required to take them over.
+- **Authentication** follows the `AuthProviderLayer` pattern with `env` and `stored` methods, interactive `Clank` prompts in TTYs, and non-interactive defaults in CI.
+- **Secrets** (storage keys, connection strings, registry passwords, client secrets) are returned as `Redacted<string>`; Container App `Redacted` env values are sent through Container Apps secrets and `secretRef`.
+- **Errors** use a tagged `AzureError` (via `Schema.TaggedErrorClass`) for `Effect.catchTag` interop.
+- **Provider layers** bundle into `Azure.providers()` alongside `ProfileLive`, `CredentialsStoreLive`, and the `AzureAuth` registration — same shape as `Cloudflare.providers()` / `Axiom.providers()`.
+
+For a deeper walkthrough, see [`ARCHITECTURE.md`](./ARCHITECTURE.md).
+
+## Credentials
+
+Two authentication methods are supported via Alchemy's profile system:
+
+### `env` (default)
+
+Set `AZURE_SUBSCRIPTION_ID`. Authentication uses a service principal when all of these are present:
+
+```sh
+AZURE_SUBSCRIPTION_ID=...
+AZURE_TENANT_ID=...
+AZURE_CLIENT_ID=...
+AZURE_CLIENT_SECRET=...
+```
+
+If only `AZURE_SUBSCRIPTION_ID` is set, Azure SDK `DefaultAzureCredential` is used, so `az login`, managed identity, and other Azure SDK credential sources can work.
+
+### `stored`
+
+Run `alchemy login` and select **Service Principal or Subscription** to walk through an interactive flow that stores credentials under `~/.alchemy/credentials/{profile}/azure-stored.json`. You can store either a Service Principal (tenant + client + secret) or just a subscription id when relying on `DefaultAzureCredential`.
+
+CI environments always default to `env` regardless of profile config, so unattended runs work as long as the environment variables are set.
+
+## Errors
+
+Azure SDK failures inside provider lifecycle methods are wrapped as the tagged `AzureError`, carrying `operation`, `resource`, `statusCode`, `code`, and the original `cause`. The Alchemy engine surfaces them in `plan` / `deploy` output.
+
+If you build your own custom resource on top of `@bjorntech/alchemy-azure` clients, you can match `AzureError` with `Effect.catchTag` inside the provider effect:
+
+```ts
+import * as Effect from "effect/Effect";
+import { AzureError } from "@bjorntech/alchemy-azure";
+
+const ensureContainer = Effect.gen(function* () {
+  // ...your reconcile body, calling Azure clients via Effect.tryPromise
+}).pipe(
+  Effect.catchTag("AzureError", (error) =>
+    error.statusCode === 409
+      ? Effect.logWarning(`Skipping: ${error.resource} already exists`)
+      : Effect.fail(error),
+  ),
+);
+```
+
+> Note: `Effect.catchTag` does not intercept errors from `yield* Azure.X(...)` directly — resource declarations register on the stack, and the engine runs `reconcile` later. To inspect or recover from `AzureError`, do it inside a custom resource's `reconcile`.
+
+## Usage
+
+```ts
+import * as Alchemy from "alchemy";
+import * as Azure from "@bjorntech/alchemy-azure";
+import * as Effect from "effect/Effect";
+
+export default Alchemy.Stack(
+  "azure-demo",
+  { providers: Azure.providers() },
+  Effect.gen(function* () {
+    const group = yield* Azure.ResourceGroup("Group", {
+      location: "westeurope",
+      tags: { app: "azure-demo" },
+    });
+
+    const storage = yield* Azure.StorageAccount("Storage", {
+      resourceGroup: group,
+      sku: "Standard_LRS",
+    });
+
+    const uploads = yield* Azure.BlobContainer("Uploads", {
+      storageAccount: storage,
+      publicAccess: "None",
+    });
+
+    return {
+      resourceGroup: group.name,
+      storageAccount: storage.name,
+      uploadsUrl: uploads.url,
+    };
+  }),
+);
+```
+
+## Resources
+
+- `ResourceGroup` - Azure Resource Group lifecycle.
+- `ResourceProviderRegistration` - Azure resource provider namespace registration.
+- `StorageAccount` - Azure Storage Account lifecycle with keys and connection string returned as `Redacted` values.
+- `BlobContainer` - Azure Blob container lifecycle.
+- `UserAssignedIdentity` - User-assigned managed identity lifecycle.
+- `VirtualNetwork` - Virtual network and subnet lifecycle.
+- `NetworkSecurityGroup` - Network security group lifecycle.
+- `PublicIPAddress` - Public IP address lifecycle.
+- `CognitiveServices` - Azure AI/Cognitive Services account lifecycle.
+- `ServiceBus` - Service Bus namespace lifecycle.
+- `CosmosDBAccount` - Cosmos DB account lifecycle.
+- `SqlServer` - Azure SQL server lifecycle.
+- `SqlDatabase` - Azure SQL database lifecycle.
+- `KeyVault` - Key Vault lifecycle.
+- `AppServicePlan` - App Service plan lifecycle.
+- `AppService` - App Service web app lifecycle.
+- `FunctionApp` - Function App lifecycle.
+- `StaticWebApp` - Static Web App lifecycle.
+- `ContainerInstance` - Azure Container Instance lifecycle.
+- `ContainerAppEnvironment` - Azure Container Apps managed environment lifecycle.
+- `ContainerRegistry` - Azure Container Registry lifecycle with admin credentials returned as `Redacted` values.
+- `ContainerImage` - Local Docker build and push to Azure Container Registry.
+- `ContainerApp` - Experimental Azure Container Apps runtime host from an explicit image.
+- `VirtualMachine` - Virtual Machine lifecycle.
+
+## Experimental Container App Host
+
+`ContainerApp` is an experimental v2 `Platform` host. It deploys either an explicit image or an `Azure.ContainerImage` build artifact to Azure Container Apps; pass an external build hash to force a new revision when your build output changes.
+
+```ts
+const environment =
+  yield *
+  Azure.ContainerAppEnvironment("Env", {
+    resourceGroup: group,
+  });
+
+const registry =
+  yield *
+  Azure.ContainerRegistry("Registry", {
+    resourceGroup: group,
+  });
+
+const image =
+  yield *
+  Azure.ContainerImage("Image", {
+    registry,
+    context: ".",
+    buildHash: build.hash,
+  });
+
+const api =
+  yield *
+  Azure.ContainerApp("Api", {
+    resourceGroup: group,
+    environment,
+    image,
+    registry,
+    buildHash: build.hash,
+    targetPort: 3000,
+    env: {
+      NODE_ENV: "production",
+    },
+  });
+
+return api.url;
+```
+
+## Provider Layer
+
+Merge Azure with other providers using Effect layers:
+
+```ts
+import * as Layer from "effect/Layer";
+
+providers: Layer.mergeAll(Cloudflare.providers(), Azure.providers());
+```
+
+## Azure Blob State
+
+Use an existing Azure Blob container as the Alchemy state backend:
+
+```ts
+export default Alchemy.Stack(
+  "MyApp",
+  {
+    providers: Azure.providers(),
+    state: Azure.blobState({
+      accountName: process.env.AZURE_STORAGE_ACCOUNT!,
+      accountKey: process.env.AZURE_STORAGE_KEY!,
+      containerName: "alchemy-state",
+    }),
+  },
+  Effect.gen(function* () {
+    // resources...
+  }),
+);
+```
+
+## Live Smoke Tests
+
+Live Azure smoke tests are opt-in and create real Azure resources. They require `AZURE_SUBSCRIPTION_ID` plus either service principal env vars (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) or an Azure SDK-compatible login such as `az login`.
+
+```sh
+AZURE_LIVE_TEST=1 bun run smoke:azure
+AZURE_LIVE_TEST=1 AZURE_SMOKE_PREFIX=<prefix-from-run> bun run smoke:azure:nuke
+AZURE_LIVE_NEGATIVE_TEST=1 bun run smoke:azure:negative
+```
+
+The production and negative smoke runners both execute a scoped `alchemy unsafe nuke` cleanup after `destroy`, targeting only smoke resource groups and using smoke run tags to spare non-smoke groups. Azure then deletes all contained resources. `smoke:azure:nuke` is also exposed for manual cleanup if a smoke process is interrupted before its `finally` block runs.
+
+Useful flags:
+
+- `AZURE_SMOKE_LOCATION` - Azure region, defaults to `westeurope`.
+- `AZURE_SMOKE_FULL=1` - include quota/cost-sensitive optional resources such as Cosmos DB, SQL, VM, Cognitive Services, Key Vault, and Static Web App. App Service Plan, App Service, and Function App are included in the default smoke stack.
+- `AZURE_SMOKE_BUILD_IMAGE=1` - build and push the included Docker smoke image to ACR; requires Docker.

package/env.example

@@ -0,0 +1,13 @@
+# Required. The Azure subscription resources are created in.
+AZURE_SUBSCRIPTION_ID=your-azure-subscription-id
+
+# Service principal credentials. Set all three to authenticate with a service
+# principal. If they are omitted, the Azure SDK DefaultAzureCredential is used
+# (az login, managed identity, environment, etc.).
+AZURE_TENANT_ID=your-azure-tenant-id
+AZURE_CLIENT_ID=your-azure-client-id
+AZURE_CLIENT_SECRET=your-azure-client-secret
+
+# Optional. Used by the Azure Blob state backend example (Azure.blobState).
+AZURE_STORAGE_ACCOUNT=your-storage-account-name
+AZURE_STORAGE_KEY=your-storage-account-key

package/package.json

@@ -0,0 +1,87 @@
+{
+  "name": "@bjorntech/alchemy-azure",
+  "version": "0.2.0-beta.57",
+  "description": "Microsoft Azure providers for Alchemy v2",
+  "license": "Apache-2.0",
+  "type": "module",
+  "sideEffects": false,
+  "keywords": [
+    "alchemy",
+    "alchemy-effect",
+    "azure",
+    "iac",
+    "infrastructure-as-code",
+    "effect",
+    "typescript"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/bjorntech/alchemy-azure.git"
+  },
+  "homepage": "https://github.com/bjorntech/alchemy-azure#readme",
+  "bugs": {
+    "url": "https://github.com/bjorntech/alchemy-azure/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "ARCHITECTURE.md",
+    "CHANGELOG.md",
+    "env.example",
+    "LICENSE"
+  ],
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "import": "./src/index.ts"
+    }
+  },
+  "scripts": {
+    "check": "tsc --noEmit",
+    "coverage": "bun test --coverage --coverage-reporter=lcov",
+    "coverage:check": "bun run scripts/coverage-floor.ts",
+    "crap": "bun run scripts/crap-index.ts",
+    "smoke:azure": "bun run scripts/azure-production-smoke.ts",
+    "smoke:azure:nuke": "bun run scripts/azure-smoke-nuke.ts",
+    "smoke:azure:negative": "bun run scripts/azure-negative-smoke.ts",
+    "test": "bun test",
+    "format": "oxfmt .",
+    "prepublishOnly": "bun run check && bun test && bun run coverage:check"
+  },
+  "dependencies": {
+    "@azure/arm-appcontainers": "^3.0.0",
+    "@azure/arm-appservice": "^17.0.0",
+    "@azure/arm-cognitiveservices": "^7.1.0",
+    "@azure/arm-compute": "^23.0.0",
+    "@azure/arm-containerinstance": "^9.1.0",
+    "@azure/arm-containerregistry": "^12.0.0",
+    "@azure/arm-cosmosdb": "^9.1.0",
+    "@azure/arm-keyvault": "^5.0.0",
+    "@azure/arm-msi": "^2.1.0",
+    "@azure/arm-network": "^34.0.0",
+    "@azure/arm-resources": "^6.1.0",
+    "@azure/arm-servicebus": "^6.1.0",
+    "@azure/arm-sql": "^10.0.0",
+    "@azure/arm-storage": "^18.5.0",
+    "@azure/identity": "^4.13.0",
+    "@azure/ms-rest-js": "^2.7.0",
+    "@azure/storage-blob": "^12.29.1"
+  },
+  "peerDependencies": {
+    "alchemy": "2.0.0-beta.57",
+    "effect": ">=4.0.0-beta.84 || >=4.0.0"
+  },
+  "devDependencies": {
+    "@effect/platform-bun": "4.0.0-beta.84",
+    "@effect/platform-node": "4.0.0-beta.84",
+    "@effect/platform-node-shared": "4.0.0-beta.84",
+    "@types/bun": "latest",
+    "alchemy": "2.0.0-beta.57",
+    "effect": "4.0.0-beta.84",
+    "oxfmt": "latest",
+    "typescript": "latest"
+  }
+}

package/src/AuthProvider.ts

@@ -0,0 +1,332 @@
+import * as Console from "effect/Console";
+import * as Effect from "effect/Effect";
+import * as Match from "effect/Match";
+import * as Redacted from "effect/Redacted";
+import {
+  AuthError,
+  AuthProviderLayer,
+  type ConfigureContext,
+} from "alchemy/Auth/AuthProvider";
+import { CredentialsStore, displayRedacted } from "alchemy/Auth/Credentials";
+import { getEnv, getEnvRedacted, retryOnce } from "alchemy/Auth/Env";
+import * as Clank from "alchemy/Util/Clank";
+
+export const AZURE_AUTH_PROVIDER_NAME = "Azure";
+
+export const AZURE_AUTH_STORAGE_KEY = "azure-stored";
+
+/**
+ * Azure auth methods supported by `alchemy login`:
+ *
+ * - `env` — read AZURE_SUBSCRIPTION_ID + (optional) AZURE_TENANT_ID,
+ *   AZURE_CLIENT_ID, AZURE_CLIENT_SECRET. Falls back to
+ *   `DefaultAzureCredential` when only the subscription is set, so
+ *   `az login` and managed identity also work.
+ * - `stored` — Service Principal credentials saved under
+ *   `~/.alchemy/credentials/{profile}/azure-stored.json`. Only the
+ *   subscription id is required; the rest is optional and unlocks
+ *   service-principal auth when supplied.
+ */
+export type AzureAuthConfig =
+  | { method: "env" }
+  | { method: "stored" };
+
+/**
+ * Persisted shape for `method: "stored"`. Only `subscriptionId` is
+ * required; supply `tenantId` + `clientId` + `clientSecret` to
+ * authenticate as a Service Principal, otherwise the SDK falls back
+ * to `DefaultAzureCredential` resolved via the SDK's own credential
+ * chain.
+ */
+export interface AzureStoredCredentials {
+  subscriptionId: string;
+  tenantId?: string;
+  clientId?: string;
+  clientSecret?: string;
+}
+
+export type AzureResolvedCredentials =
+  | {
+      method: "servicePrincipal";
+      subscriptionId: string;
+      tenantId: string;
+      clientId: string;
+      clientSecret: Redacted.Redacted<string>;
+      source: { type: AzureAuthConfig["method"] };
+    }
+  | {
+      method: "default";
+      subscriptionId: string;
+      tenantId?: string;
+      source: { type: AzureAuthConfig["method"] };
+    };
+
+/**
+ * Resolve {@link AzureResolvedCredentials} from environment variables.
+ *
+ * Returns `servicePrincipal` when AZURE_TENANT_ID + AZURE_CLIENT_ID +
+ * AZURE_CLIENT_SECRET are all set; otherwise returns `default` so the
+ * Azure SDK's `DefaultAzureCredential` chain (managed identity,
+ * `az login`, etc.) is used. Fails with {@link AuthError} when
+ * AZURE_SUBSCRIPTION_ID is missing.
+ *
+ * Exported for testing and for callers that want to skip the
+ * AuthProvider registry.
+ */
+export const resolveFromEnv = (): Effect.Effect<AzureResolvedCredentials, AuthError> =>
+  Effect.gen(function* () {
+    const subscriptionId = yield* getEnv("AZURE_SUBSCRIPTION_ID");
+    if (!subscriptionId) {
+      return yield* new AuthError({
+        message: "Azure env credentials not found. Set AZURE_SUBSCRIPTION_ID.",
+      });
+    }
+    const tenantId = yield* getEnv("AZURE_TENANT_ID");
+    const clientId = yield* getEnv("AZURE_CLIENT_ID");
+    const clientSecret = yield* getEnvRedacted("AZURE_CLIENT_SECRET");
+
+    if (tenantId && clientId && clientSecret) {
+      const resolved: AzureResolvedCredentials = {
+        method: "servicePrincipal",
+        subscriptionId,
+        tenantId,
+        clientId,
+        clientSecret,
+        source: { type: "env" },
+      };
+      return resolved;
+    }
+
+    const resolved: AzureResolvedCredentials = {
+      method: "default",
+      subscriptionId,
+      tenantId: tenantId ?? undefined,
+      source: { type: "env" },
+    };
+    return resolved;
+  });
+
+/**
+ * Resolve {@link AzureResolvedCredentials} from a previously-stored
+ * `AzureStoredCredentials` payload (typically loaded from
+ * `~/.alchemy/credentials/{profile}/azure-stored.json`). Pass
+ * `undefined` to surface the "credentials not found" error.
+ *
+ * Exported for testing.
+ */
+export const resolveFromStored = (
+  creds: AzureStoredCredentials | undefined,
+): Effect.Effect<AzureResolvedCredentials, AuthError> =>
+  Effect.gen(function* () {
+    if (creds == null) {
+      return yield* new AuthError({
+        message: "Azure stored credentials not found. Run: alchemy login --configure",
+      });
+    }
+    if (creds.tenantId && creds.clientId && creds.clientSecret) {
+      const resolved: AzureResolvedCredentials = {
+        method: "servicePrincipal",
+        subscriptionId: creds.subscriptionId,
+        tenantId: creds.tenantId,
+        clientId: creds.clientId,
+        clientSecret: Redacted.make(creds.clientSecret),
+        source: { type: "stored" },
+      };
+      return resolved;
+    }
+    const resolved: AzureResolvedCredentials = {
+      method: "default",
+      subscriptionId: creds.subscriptionId,
+      tenantId: creds.tenantId,
+      source: { type: "stored" },
+    };
+    return resolved;
+  });
+
+/**
+ * Layer that registers the Azure {@link AuthProvider} into the
+ * {@link AuthProviders} registry when built. Included in the Azure
+ * `providers()` layer so `alchemy login` can discover it and walk
+ * users through interactive credential setup.
+ */
+export const AzureAuth = AuthProviderLayer<
+  AzureAuthConfig,
+  AzureResolvedCredentials
+>()(
+  AZURE_AUTH_PROVIDER_NAME,
+  Effect.gen(function* () {
+    const store = yield* CredentialsStore;
+
+    const promptStored = Effect.fnUntraced(function* (profileName: string) {
+      const subscriptionId = yield* Clank.text({
+        message: "Azure Subscription ID",
+        placeholder: (yield* getEnv("AZURE_SUBSCRIPTION_ID")) ?? "",
+        validate: (v) =>
+          v.length === 0
+            ? "Required"
+            : isUuid(v)
+              ? undefined
+              : "Expected a UUID",
+      }).pipe(retryOnce);
+
+      const useServicePrincipal = yield* Clank.confirm({
+        message: "Use a Service Principal? (No = use DefaultAzureCredential / az login)",
+        initialValue: false,
+      }).pipe(retryOnce);
+
+      let tenantId: string | undefined;
+      let clientId: string | undefined;
+      let clientSecret: string | undefined;
+
+      if (useServicePrincipal) {
+        tenantId = yield* Clank.text({
+          message: "Azure Tenant ID",
+          placeholder: (yield* getEnv("AZURE_TENANT_ID")) ?? "",
+          validate: (v) => (v.length === 0 ? "Required" : isUuid(v) ? undefined : "Expected a UUID"),
+        }).pipe(retryOnce);
+
+        clientId = yield* Clank.text({
+          message: "Azure Client ID",
+          placeholder: (yield* getEnv("AZURE_CLIENT_ID")) ?? "",
+          validate: (v) => (v.length === 0 ? "Required" : isUuid(v) ? undefined : "Expected a UUID"),
+        }).pipe(retryOnce);
+
+        clientSecret = yield* Clank.password({
+          message: "Azure Client Secret",
+          validate: (v) => (v.length === 0 ? "Required" : undefined),
+        }).pipe(retryOnce);
+      }
+
+      yield* store.write<AzureStoredCredentials>(profileName, AZURE_AUTH_STORAGE_KEY, {
+        subscriptionId,
+        tenantId,
+        clientId,
+        clientSecret,
+      });
+      yield* Clank.success("Azure: credentials saved.");
+
+      return { method: "stored" as const };
+    });
+
+    const configureCredentials = (profileName: string, ctx: ConfigureContext) =>
+      Effect.gen(function* () {
+        if (ctx.ci) {
+          return { method: "env" as const };
+        }
+
+        const method = yield* Clank.select({
+          message: "Azure authentication method",
+          options: [
+            {
+              value: "env" as const,
+              label: "Environment Variables",
+              hint: "AZURE_SUBSCRIPTION_ID (+ optional AZURE_TENANT_ID/CLIENT_ID/CLIENT_SECRET)",
+            },
+            {
+              value: "stored" as const,
+              label: "Service Principal or Subscription",
+              hint: "enter interactively, stored in ~/.alchemy/credentials",
+            },
+          ],
+        }).pipe(retryOnce);
+
+        return yield* Match.value(method).pipe(
+          Match.when("env", () => Effect.succeed({ method: "env" as const })),
+          Match.when("stored", () => promptStored(profileName)),
+          Match.exhaustive,
+        );
+      }).pipe(
+        Effect.mapError(
+          (e) =>
+            new AuthError({
+              message: "failed to configure credentials",
+              cause: e,
+            }),
+        ),
+      );
+
+    const resolveCredentials = (
+      profileName: string,
+      config: AzureAuthConfig,
+    ): Effect.Effect<AzureResolvedCredentials, AuthError> =>
+      Match.value(config).pipe(
+        Match.when({ method: "env" }, () => resolveFromEnv()),
+        Match.when({ method: "stored" }, () =>
+          store
+            .read<AzureStoredCredentials>(profileName, AZURE_AUTH_STORAGE_KEY)
+            .pipe(Effect.flatMap(resolveFromStored)),
+        ),
+        Match.exhaustive,
+      );
+
+    const login = (profileName: string, config: AzureAuthConfig) =>
+      Match.value(config)
+        .pipe(
+          Match.when({ method: "env" }, () => Effect.void),
+          Match.when({ method: "stored" }, () =>
+            store
+              .read<AzureStoredCredentials>(profileName, AZURE_AUTH_STORAGE_KEY)
+              .pipe(
+                Effect.flatMap((creds) =>
+                  creds == null ? promptStored(profileName).pipe(Effect.asVoid) : Effect.void,
+                ),
+              ),
+          ),
+          Match.exhaustive,
+        )
+        .pipe(
+          Effect.mapError(
+            (e) => new AuthError({ message: "login failed", cause: e }),
+          ),
+        );
+
+    const logout = (profileName: string, config: AzureAuthConfig) =>
+      Match.value(config).pipe(
+        Match.when({ method: "env" }, () => Effect.void),
+        Match.when({ method: "stored" }, () =>
+          store
+            .delete(profileName, AZURE_AUTH_STORAGE_KEY)
+            .pipe(Effect.andThen(Clank.success("Azure: stored credentials removed"))),
+        ),
+        Match.exhaustive,
+      );
+
+    const prettyPrint = (profileName: string, config: AzureAuthConfig) =>
+      resolveCredentials(profileName, config).pipe(
+        Effect.tap((credentials) =>
+          Match.value(credentials).pipe(
+            Match.when({ method: "servicePrincipal" }, (c) =>
+              Effect.all([
+                Console.log(`  subscriptionId: ${c.subscriptionId}`),
+                Console.log(`  tenantId: ${c.tenantId}`),
+                Console.log(`  clientId: ${c.clientId}`),
+                Console.log(`  clientSecret: ${displayRedacted(c.clientSecret, 4)}`),
+                Console.log(`  source: ${c.source.type}`),
+              ]),
+            ),
+            Match.when({ method: "default" }, (c) =>
+              Effect.all([
+                Console.log(`  subscriptionId: ${c.subscriptionId}`),
+                Console.log(`  tenantId: ${c.tenantId ?? "<auto>"}`),
+                Console.log("  credential: DefaultAzureCredential"),
+                Console.log(`  source: ${c.source.type}`),
+              ]),
+            ),
+            Match.exhaustive,
+          ),
+        ),
+        Effect.catch((e) => Console.error(`  Failed to retrieve credentials: ${e}`)),
+      );
+
+    return {
+      configure: configureCredentials,
+      login,
+      logout,
+      prettyPrint,
+      read: resolveCredentials,
+    };
+  }),
+);
+
+const isUuid = (value: string) =>
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);