@bjorntech/alchemy-azure 0.2.0-beta.57

package/src/BlobContainer.ts

@@ -0,0 +1,268 @@
+import type { BlobContainer as AzureBlobContainer } from "@azure/arm-storage";
+import * as Effect from "effect/Effect";
+import { isResolved } from "alchemy/Diff";
+import { Resource } from "alchemy";
+import * as Provider from "alchemy/Provider";
+import { Unowned } from "alchemy/AdoptPolicy";
+import { makeAzureClients } from "./Clients.ts";
+import { azureError, isNotFound } from "./Errors.ts";
+import { collectAzurePages, diffValueEqual, makePhysicalNames, resolveResourceValue } from "./Internal.ts";
+import type { Providers } from "./Providers.ts";
+import type { StorageAccount } from "./StorageAccount.ts";
+import { getResourceGroupName } from "./StorageAccount.ts";
+
+const ALCHEMY_METADATA_ID = "alchemyLogicalId";
+
+export interface BlobContainerProps {
+  /**
+   * Container name. Defaults to a deterministic physical name.
+   */
+  name?: string;
+  /**
+   * Storage account object or name.
+   */
+  storageAccount: string | StorageAccount;
+  /**
+   * Resource group name. Required when `storageAccount` is a string.
+   */
+  resourceGroup?: string;
+  /** @default "None" */
+  publicAccess?: "None" | "Blob" | "Container";
+  metadata?: Record<string, string>;
+  /** @default true */
+  delete?: boolean;
+}
+
+export type BlobContainer = Resource<
+  "Azure.BlobContainer",
+  BlobContainerProps,
+  {
+    name: string;
+    storageAccountName: string;
+    resourceGroupName: string;
+    url: string;
+    publicAccess?: string;
+    metadata?: Record<string, string>;
+  },
+  never,
+  Providers
+>;
+
+/**
+ * Azure Blob Container — object storage inside an Azure Storage Account.
+ *
+ * @example Private blob container
+ * ```ts
+ * const uploads = yield* Azure.BlobContainer("Uploads", {
+ *   storageAccount: storage,
+ * });
+ * ```
+ */
+export const BlobContainer = Resource<BlobContainer>("Azure.BlobContainer");
+
+export const BlobContainerProvider = () =>
+  Provider.effect(
+    BlobContainer,
+    Effect.gen(function* () {
+      const clients = yield* makeAzureClients;
+      const names = yield* makePhysicalNames;
+
+      const containerName = (id: string, instanceId: string, name?: string) =>
+        names.physicalName(id, instanceId, name, {
+          maxLength: 63,
+          suffixLength: 8,
+          lowercase: true,
+        });
+
+      return BlobContainer.Provider.of({
+        stables: ["name", "storageAccountName", "resourceGroupName", "url"],
+        list: () =>
+          Effect.gen(function* () {
+            const groups = yield* Effect.tryPromise({
+              try: () => collectAzurePages(clients.resources.resourceGroups.list()),
+              catch: (cause) => azureError({ operation: "list resource groups", cause }),
+            });
+            const accounts = yield* Effect.forEach(
+              groups,
+              (group) => {
+                if (!group.name) return Effect.succeed([]);
+                return Effect.tryPromise({
+                  try: () => collectAzurePages(
+                    clients.storage.storageAccounts.listByResourceGroup(group.name!),
+                  ),
+                  catch: (cause) =>
+                    azureError({ operation: "list storage accounts", resource: group.name, cause }),
+                }).pipe(Effect.map((items) => items.map((account) => [group.name!, account] as const)));
+              },
+              { concurrency: 4 },
+            );
+            const containers = yield* Effect.forEach(
+              accounts.flat(),
+              ([resourceGroupName, account]) => {
+                if (!account.name) return Effect.succeed([]);
+                return Effect.tryPromise({
+                  try: () => collectAzurePages(
+                    clients.storage.blobContainers.list(resourceGroupName, account.name!),
+                  ),
+                  catch: (cause) =>
+                    azureError({ operation: "list blob containers", resource: account.name, cause }),
+                }).pipe(
+                  Effect.map((items) =>
+                    items.map((container) => [resourceGroupName, account.name!, container] as const),
+                  ),
+                );
+              },
+              { concurrency: 4 },
+            );
+            return containers
+              .flat()
+              .filter(([, , container]) => container.metadata?.[ALCHEMY_METADATA_ID])
+              .map(([resourceGroupName, storageAccountName, container]) =>
+                toAttributes(container, resourceGroupName, storageAccountName, container.name!),
+              );
+          }),
+        diff: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          if (!isResolved(news)) return undefined;
+          if (!output) return undefined;
+          const name = containerName(id, instanceId, news.name);
+          const oldName = output.name;
+          const storageAccountName = yield* getStorageAccountName(news.storageAccount);
+          const resourceGroupName = yield* getContainerResourceGroup(news);
+          if (
+            name !== oldName ||
+            storageAccountName !== output.storageAccountName ||
+            resourceGroupName !== output.resourceGroupName
+          ) {
+            return { action: "replace" } as const;
+          }
+          if (!diffValueEqual({
+            publicAccess: olds.publicAccess ?? "None",
+            metadata: olds.metadata ?? {},
+          }, {
+            publicAccess: news.publicAccess ?? "None",
+            metadata: news.metadata ?? {},
+          })) {
+            return { action: "update" } as const;
+          }
+          return undefined;
+        }),
+        read: Effect.fnUntraced(function* ({ id, instanceId, olds, output }) {
+          const name = output?.name ?? containerName(id, instanceId, olds?.name);
+          const storageAccountName =
+            output?.storageAccountName ??
+            (olds ? yield* getStorageAccountName(olds.storageAccount) : undefined);
+          const resourceGroupName =
+            output?.resourceGroupName ??
+            (olds ? yield* getContainerResourceGroup(olds) : undefined);
+          if (!storageAccountName || !resourceGroupName) return undefined;
+          const container = yield* Effect.tryPromise({
+            try: () => clients.storage.blobContainers.get(resourceGroupName, storageAccountName, name),
+            catch: (cause) => azureError({ operation: "read blob container", resource: name, cause }),
+          }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+          if (!container) return undefined;
+          const attrs = toAttributes(container, resourceGroupName, storageAccountName, name);
+          return container.metadata?.[ALCHEMY_METADATA_ID] === id
+            ? attrs
+            : Unowned(attrs);
+        }),
+        reconcile: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          const name = containerName(id, instanceId, news.name);
+          validateContainerName(name);
+          const storageAccountName = yield* getStorageAccountName(news.storageAccount);
+          const resourceGroupName = yield* getContainerResourceGroup(news);
+          if (!resourceGroupName) {
+            throw new Error(
+              `BlobContainer "${id}" requires resourceGroup when storageAccount is a string.`,
+            );
+          }
+          if (output && olds) {
+            const existing = yield* Effect.tryPromise({
+              try: () => clients.storage.blobContainers.get(resourceGroupName, storageAccountName, name),
+              catch: (cause) =>
+                azureError({ operation: "read blob container before update", resource: name, cause }),
+            }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+            if (
+              existing &&
+              output.metadata?.[ALCHEMY_METADATA_ID] === id &&
+              existing.metadata?.[ALCHEMY_METADATA_ID] !== id
+            ) {
+              throw new Error(`Cannot adopt resource "${name}" without --adopt.`);
+            }
+          }
+          const params = {
+            publicAccess: news.publicAccess ?? "None",
+            metadata: {
+              ...news.metadata,
+              [ALCHEMY_METADATA_ID]: id,
+            },
+          } as Parameters<typeof clients.storage.blobContainers.create>[3];
+          // `blobContainers.create` is an idempotent PUT (create-or-update). Call it
+          // directly on the client so the SDK method keeps its `this` binding; aliasing
+          // it to a local variable detaches `this` and breaks `this.client` at runtime.
+          const container = yield* Effect.tryPromise({
+            try: () =>
+              clients.storage.blobContainers.create(
+                resourceGroupName,
+                storageAccountName,
+                name,
+                params,
+              ),
+            catch: (cause) =>
+              azureError({ operation: "reconcile blob container", resource: name, cause }),
+          });
+          return toAttributes(container, resourceGroupName, storageAccountName, name);
+        }),
+        delete: Effect.fnUntraced(function* ({ olds, output, session }) {
+          if (olds.delete === false) return;
+          yield* session.note(`Deleting Azure blob container: ${output.name}`);
+          yield* Effect.tryPromise({
+            try: () => clients.storage.blobContainers.delete(
+              output.resourceGroupName,
+              output.storageAccountName,
+              output.name,
+            ),
+            catch: (cause) => azureError({ operation: "delete blob container", resource: output.name, cause }),
+          }).pipe(Effect.catchIf(isNotFound, () => Effect.void));
+        }),
+      });
+    }),
+  );
+
+function getStorageAccountName(storageAccount: string | StorageAccount) {
+  return Effect.gen(function* () {
+    if (typeof storageAccount === "string") return storageAccount;
+    return yield* resolveResourceValue(storageAccount.name);
+  });
+}
+
+function getContainerResourceGroup(props: BlobContainerProps) {
+  return Effect.gen(function* () {
+    if (props.resourceGroup) return props.resourceGroup;
+    if (typeof props.storageAccount === "string") return undefined;
+    return yield* resolveResourceValue(props.storageAccount.resourceGroupName);
+  });
+}
+
+function toAttributes(
+  container: AzureBlobContainer,
+  resourceGroupName: string,
+  storageAccountName: string,
+  name: string,
+) {
+  return {
+    name,
+    storageAccountName,
+    resourceGroupName,
+    url: `https://${storageAccountName}.blob.core.windows.net/${name}`,
+    publicAccess: container.publicAccess,
+    metadata: container.metadata,
+  } satisfies BlobContainer["Attributes"];
+}
+
+function validateContainerName(name: string) {
+  if (!/^[a-z0-9](?:[a-z0-9-]{1,61}[a-z0-9])$/.test(name) || name.includes("--")) {
+    throw new Error(
+      `Azure blob container name "${name}" is invalid. It must be 3-63 characters, lowercase letters, numbers, and hyphens, without leading, trailing, or consecutive hyphens.`,
+    );
+  }
+}

package/src/BlobState.ts

@@ -0,0 +1,289 @@
+import { BlobServiceClient, StorageSharedKeyCredential } from "@azure/storage-blob";
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import { decodeFqn, encodeFqn } from "alchemy/FQN";
+import {
+  encodeState,
+  reviveState,
+  State,
+  STATE_STORE_VERSION,
+  StateStoreError,
+  type ReplacedResourceState,
+  type ResourceState,
+  type StateService,
+} from "alchemy/State";
+
+export interface BlobStateProps {
+  /**
+   * Azure Storage account name.
+   *
+   * @default process.env.AZURE_STORAGE_ACCOUNT
+   */
+  accountName?: string;
+  /**
+   * Azure Storage account key.
+   *
+   * @default process.env.AZURE_STORAGE_KEY
+   */
+  accountKey?: string;
+  /**
+   * Blob container containing state objects.
+   *
+   * The container must already exist.
+   *
+   * @default "alchemy-state"
+   */
+  containerName?: string;
+  /**
+   * Blob key prefix. Use this to share one container across multiple stores.
+   *
+   * @default "alchemy/state"
+   */
+  prefix?: string;
+}
+
+export interface BlobStateContainer {
+  getBlobClient(name: string): {
+    delete(): Promise<unknown>;
+    download(): Promise<{ readableStreamBody?: NodeJS.ReadableStream }>;
+  };
+  getBlockBlobClient(name: string): {
+    upload(body: string, contentLength: number, options?: unknown): Promise<unknown>;
+  };
+  listBlobsFlat(options: { prefix: string }): AsyncIterable<{ name: string }>;
+}
+
+/**
+ * Azure Blob Storage-backed Alchemy v2 state store.
+ *
+ * @example
+ * ```ts
+ * export default Alchemy.Stack(
+ *   "MyApp",
+ *   {
+ *     providers: Azure.providers(),
+ *     state: Azure.blobState({
+ *       accountName: "mystorageaccount",
+ *       accountKey: process.env.AZURE_STORAGE_KEY!,
+ *       containerName: "alchemy-state",
+ *     }),
+ *   },
+ *   Effect.gen(function* () {
+ *     // resources...
+ *   }),
+ * );
+ * ```
+ */
+export const blobState = (props: BlobStateProps = {}) =>
+  Layer.effect(State, Effect.cached(makeBlobState(props)));
+
+export const makeBlobState = (props: BlobStateProps = {}) =>
+  Effect.gen(function* () {
+    const accountName = props.accountName ?? process.env.AZURE_STORAGE_ACCOUNT;
+    const accountKey = props.accountKey ?? process.env.AZURE_STORAGE_KEY;
+    const containerName = props.containerName ?? "alchemy-state";
+    const prefix = normalizePrefix(props.prefix ?? "alchemy/state");
+
+    if (!accountName) {
+      return missingBlobStateService("Azure Blob state requires accountName or AZURE_STORAGE_ACCOUNT.");
+    }
+    if (!accountKey) {
+      return missingBlobStateService("Azure Blob state requires accountKey or AZURE_STORAGE_KEY.");
+    }
+
+    const credential = new StorageSharedKeyCredential(accountName, accountKey);
+    const blob = new BlobServiceClient(`https://${accountName}.blob.core.windows.net`, credential);
+    const container = blob.getContainerClient(containerName);
+
+    return yield* makeBlobStateService(container, prefix);
+  });
+
+function missingBlobStateService(message: string): StateService {
+  const fail = () => Effect.fail(new StateStoreError({ message }));
+  return {
+    id: "azure-blob",
+    getVersion: fail,
+    listStacks: fail,
+    listStages: fail,
+    list: fail,
+    get: fail,
+    getReplacedResources: fail,
+    set: fail,
+    delete: fail,
+    deleteStack: fail,
+    getOutput: fail,
+    setOutput: fail,
+  };
+}
+
+export const makeBlobStateService = (container: BlobStateContainer, prefix: string) =>
+  Effect.gen(function* () {
+    const normalizedPrefix = normalizePrefix(prefix);
+
+    const run = <A>(thunk: () => Promise<A>) =>
+      Effect.tryPromise({
+        try: thunk,
+        catch: (cause) =>
+          new StateStoreError({
+            message: cause instanceof Error ? cause.message : String(cause),
+            cause: cause instanceof Error ? cause : undefined,
+          }),
+      });
+
+    const ignoreMissing = <A>(effect: Effect.Effect<A, StateStoreError>) =>
+      effect.pipe(
+        Effect.catchIf(
+          (error) => isMissing(error.cause) || error.message.includes("404"),
+          () => Effect.void,
+        ),
+      );
+
+    const stackPrefix = (stack: string) => `${normalizedPrefix}${encodeSegment(stack)}/`;
+    const stagePrefix = (stack: string, stage: string) =>
+      `${stackPrefix(stack)}${encodeSegment(stage)}/`;
+    const resourceBlob = (request: { stack: string; stage: string; fqn: string }) =>
+      `${stagePrefix(request.stack, request.stage)}${encodeFqn(request.fqn)}.json`;
+    const outputBlob = (request: { stack: string; stage: string }) =>
+      `${stagePrefix(request.stack, request.stage)}__stack_output__.json`;
+
+    const listBlobNames = (listPrefix: string) =>
+      run(async () => {
+        const names: string[] = [];
+        for await (const item of container.listBlobsFlat({ prefix: listPrefix })) {
+          names.push(item.name);
+        }
+        return names;
+      });
+
+    const listChildSegments = (listPrefix: string) =>
+      listBlobNames(listPrefix).pipe(
+        Effect.map((names) =>
+          Array.from(
+            new Set(
+              names.flatMap((name) => {
+                const rest = name.slice(listPrefix.length);
+                const segment = rest.split("/")[0];
+                return segment ? [decodeSegment(segment)] : [];
+              }),
+            ),
+          ).sort(),
+        ),
+      );
+
+    const service: StateService = {
+      id: "azure-blob",
+      getVersion: () => Effect.succeed(STATE_STORE_VERSION),
+      listStacks: () => listChildSegments(normalizedPrefix),
+      listStages: (stack) => listChildSegments(stackPrefix(stack)),
+      list: (request) =>
+        listBlobNames(stagePrefix(request.stack, request.stage)).pipe(
+          Effect.map((names) =>
+            names
+              .filter((name) => name.endsWith(".json") && !name.endsWith("/__stack_output__.json"))
+              .map((name) =>
+                decodeFqn(
+                  name
+                    .slice(stagePrefix(request.stack, request.stage).length)
+                    .replace(/\.json$/, ""),
+                ),
+              )
+              .sort(),
+          ),
+        ),
+      get: (request) =>
+        run(async () => {
+          const client = container.getBlobClient(resourceBlob(request));
+          const response = await client.download();
+          const text = await streamToString(response.readableStreamBody);
+          return JSON.parse(text, reviveState) as ResourceState;
+        }).pipe(
+          Effect.catchIf(
+            (error) => isMissing(error.cause) || error.message.includes("404"),
+            () => Effect.succeed(undefined),
+          ),
+        ),
+      getReplacedResources: Effect.fnUntraced(function* (request) {
+        return (yield* Effect.all(
+          (yield* service.list(request)).map((fqn) => service.get({ ...request, fqn })),
+          { concurrency: "unbounded" },
+        )).filter((state): state is ReplacedResourceState => state?.status === "replaced");
+      }),
+      set: (request) =>
+        run(async () => {
+          const body = JSON.stringify(encodeState(request.value), null, 2);
+          await container
+            .getBlockBlobClient(resourceBlob(request))
+            .upload(body, Buffer.byteLength(body), {
+              blobHTTPHeaders: { blobContentType: "application/json" },
+            });
+          return request.value;
+        }),
+      delete: (request) =>
+        ignoreMissing(run(() => container.getBlobClient(resourceBlob(request)).delete())),
+      getOutput: (request) =>
+        run(async () => {
+          const client = container.getBlobClient(outputBlob(request));
+          const response = await client.download();
+          const text = await streamToString(response.readableStreamBody);
+          return JSON.parse(text, reviveState) as unknown;
+        }).pipe(
+          Effect.catchIf(
+            (error) => isMissing(error.cause) || error.message.includes("404"),
+            () => Effect.succeed(undefined),
+          ),
+        ),
+      setOutput: (request) =>
+        run(async () => {
+          const body = JSON.stringify(encodeState(request.value as any), null, 2);
+          await container
+            .getBlockBlobClient(outputBlob(request))
+            .upload(body, Buffer.byteLength(body), {
+              blobHTTPHeaders: { blobContentType: "application/json" },
+            });
+          return request.value;
+        }),
+      deleteStack: ({ stack, stage }) =>
+        listBlobNames(stage ? stagePrefix(stack, stage) : stackPrefix(stack)).pipe(
+          Effect.flatMap((names) =>
+            Effect.all(
+              names.map((name) => ignoreMissing(run(() => container.getBlobClient(name).delete()))),
+              { concurrency: "unbounded" },
+            ),
+          ),
+          Effect.asVoid,
+        ),
+    };
+
+    return service;
+  });
+
+function normalizePrefix(prefix: string) {
+  const trimmed = prefix.replace(/^\/+|\/+$/g, "");
+  return trimmed.length === 0 ? "" : `${trimmed}/`;
+}
+
+function encodeSegment(value: string) {
+  return encodeURIComponent(value);
+}
+
+function decodeSegment(value: string) {
+  return decodeURIComponent(value);
+}
+
+function isMissing(error: unknown) {
+  return (
+    !!error &&
+    typeof error === "object" &&
+    (("statusCode" in error && error.statusCode === 404) ||
+      ("code" in error && error.code === "BlobNotFound"))
+  );
+}
+
+async function streamToString(stream: NodeJS.ReadableStream | undefined) {
+  if (!stream) return "";
+  const chunks: Buffer[] = [];
+  for await (const chunk of stream) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}

package/src/Clients.ts

@@ -0,0 +1,122 @@
+import { WebSiteManagementClient } from "@azure/arm-appservice";
+import type { TokenCredential } from "@azure/identity";
+import { ContainerAppsAPIClient } from "@azure/arm-appcontainers";
+import { ContainerRegistryManagementClient } from "@azure/arm-containerregistry";
+import { CognitiveServicesManagementClient } from "@azure/arm-cognitiveservices";
+import { ComputeManagementClient } from "@azure/arm-compute";
+import { ContainerInstanceManagementClient } from "@azure/arm-containerinstance";
+import { CosmosDBManagementClient } from "@azure/arm-cosmosdb";
+import { KeyVaultManagementClient } from "@azure/arm-keyvault";
+import { ManagedServiceIdentityClient } from "@azure/arm-msi";
+import { NetworkManagementClient } from "@azure/arm-network";
+import { ResourceManagementClient } from "@azure/arm-resources";
+import { ServiceBusManagementClient } from "@azure/arm-servicebus";
+import { SqlManagementClient } from "@azure/arm-sql";
+import { StorageManagementClient } from "@azure/arm-storage";
+import * as Context from "effect/Context";
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import type { ServiceClientCredentials } from "@azure/ms-rest-js";
+import { AzureCredentials } from "./Credentials.ts";
+
+export interface AzureClientsShape {
+  resources: ResourceManagementClient;
+  storage: StorageManagementClient;
+  msi: ManagedServiceIdentityClient;
+  appService: WebSiteManagementClient;
+  cosmosDB: CosmosDBManagementClient;
+  sql: SqlManagementClient;
+  network: NetworkManagementClient;
+  containerInstance: ContainerInstanceManagementClient;
+  compute: ComputeManagementClient;
+  keyVault: KeyVaultManagementClient;
+  serviceBus: ServiceBusManagementClient;
+  cognitiveServices: CognitiveServicesManagementClient;
+  appContainers: ContainerAppsAPIClient;
+  containerRegistry: ContainerRegistryManagementClient;
+  subscriptionId: string;
+  tenantId?: string;
+}
+
+/**
+ * Injectable Azure SDK client bundle. Provider lifecycle effects depend on this
+ * service rather than constructing clients directly, so tests can supply a
+ * fake implementation via {@link AzureClients} without touching the network.
+ */
+export class AzureClients extends Context.Service<AzureClients, AzureClientsShape>()(
+  "Azure.Clients",
+) {}
+
+/**
+ * Yield the Azure client bundle from context. Kept as a named export so every
+ * provider reads clients the same way (`const clients = yield* makeAzureClients`).
+ */
+export const makeAzureClients = AzureClients;
+
+/** Build the real Azure SDK clients from resolved {@link AzureCredentials}. */
+export const buildAzureClients = (credentials: {
+  credential: TokenCredential;
+  subscriptionId: string;
+  tenantId?: string;
+}): AzureClientsShape => {
+  const { credential, subscriptionId, tenantId } = credentials;
+  const serviceClientCredentials = toServiceClientCredentials(credential);
+  return {
+    resources: new ResourceManagementClient(credential, subscriptionId),
+    storage: new StorageManagementClient(credential, subscriptionId),
+    msi: new ManagedServiceIdentityClient(credential, subscriptionId),
+    appService: new WebSiteManagementClient(credential, subscriptionId),
+    cosmosDB: new CosmosDBManagementClient(serviceClientCredentials, subscriptionId),
+    sql: new SqlManagementClient(credential, subscriptionId),
+    network: new NetworkManagementClient(credential, subscriptionId),
+    containerInstance: new ContainerInstanceManagementClient(credential, subscriptionId),
+    compute: new ComputeManagementClient(credential, subscriptionId),
+    keyVault: new KeyVaultManagementClient(credential, subscriptionId),
+    serviceBus: new ServiceBusManagementClient(credential, subscriptionId),
+    cognitiveServices: new CognitiveServicesManagementClient(credential, subscriptionId),
+    appContainers: new ContainerAppsAPIClient(credential, subscriptionId),
+    containerRegistry: new ContainerRegistryManagementClient(credential, subscriptionId),
+    subscriptionId,
+    tenantId,
+  } satisfies AzureClientsShape;
+};
+
+/** Live layer that constructs Azure SDK clients from {@link AzureCredentials}. */
+export const AzureClientsLive = Layer.effect(
+  AzureClients,
+  Effect.gen(function* () {
+    const credentials = yield* AzureCredentials;
+    const tenantId = credentials.tenantId ?? (yield* resolveTenantId(credentials.credential));
+    return buildAzureClients({ ...credentials, tenantId });
+  }),
+);
+
+const resolveTenantId = (credential: TokenCredential) =>
+  Effect.tryPromise(async () => {
+    const token = await credential.getToken("https://management.azure.com/.default");
+    if (!token) return undefined;
+    const [, payload] = token.token.split(".");
+    if (!payload) return undefined;
+    const decoded = JSON.parse(Buffer.from(base64UrlToBase64(payload), "base64").toString("utf8")) as {
+      tid?: string;
+    };
+    return decoded.tid;
+  }).pipe(Effect.catch(() => Effect.succeed(undefined)));
+
+function base64UrlToBase64(value: string) {
+  const base64 = value.replaceAll("-", "+").replaceAll("_", "/");
+  return base64.padEnd(Math.ceil(base64.length / 4) * 4, "=");
+}
+
+export function toServiceClientCredentials(credential: TokenCredential): ServiceClientCredentials {
+  return {
+    signRequest: async (webResource) => {
+      const token = await credential.getToken("https://management.azure.com/.default");
+      if (!token) {
+        throw new Error("Failed to acquire Azure management token");
+      }
+      webResource.headers.set("Authorization", `Bearer ${token.token}`);
+      return webResource;
+    },
+  };
+}