Enhance Azure Maps sample notebook and Bicep templates with improved API testing and role assignments

anotherRedbeard · anotherRedbeard · commit 93ef9315534a · 2025-06-19T11:48:46.000-05:00
diff --git a/samples/azure-maps/create.ipynb b/samples/azure-maps/create.ipynb
@@ -118,17 +118,25 @@
    "outputs": [],
    "source": [
     "import utils\n",
+    "from apimtesting import ApimTesting\n",
     "from apimrequests import ApimRequests\n",
+    "import json\n",
     "\n",
+    "tests = ApimTesting(\"AuthX-Pro Sample Tests\")\n",
     "reqs = ApimRequests(apim_gateway_url)\n",
     "\n",
     "# 1) Issue a direct request to API Management\n",
-    "reqs.singleGet('/', msg = 'Calling Hello World (Root) API. Expect 200.')\n",
+    "output = reqs.singleGet('/', msg = 'Calling Hello World (Root) API. Expect 200.')\n",
+    "tests.verify(output, 'Hello World from API Management!')\n",
     "\n",
     "# 2) Issue requests to API Management with Azure Maps APIs\n",
-    "reqs.singleGet('/map/default/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Default Route API with SAS Token Auth. Expect 200.')\n",
-    "reqs.singleGet('/map/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Geocode v2 API with AAD Auth. Expect 200.')\n",
-    "reqs.singlePostAsync('/map/geocode/batch/async', data={\n",
+    "output = reqs.singleGet('/map/default/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Default Route API with SAS Token Auth. Expect 200.')\n",
+    "tests.verify('address' in output, True)\n",
+    "\n",
+    "output = reqs.singleGet('/map/geocode?query=15127%20NE%2024th%20Street%20Redmond%20WA', msg = 'Calling Geocode v2 API with AAD Auth. Expect 200.')\n",
+    "tests.verify('address' in output, True)\n",
+    "\n",
+    "output = reqs.singlePostAsync('/map/geocode/batch/async', data={\n",
     "    \"batchItems\": [\n",
     "        {\"query\": \"?query=400 Broad St, Seattle, WA 98109&limit=3\"},\n",
     "        {\"query\": \"?query=One, Microsoft Way, Redmond, WA 98052&limit=3\"},\n",
@@ -137,6 +145,10 @@
     "        {\"query\": \"?query=Champ de Mars, 5 Avenue Anatole France, 75007 Paris, France&limit=1\"}\n",
     "    ]\n",
     "}, msg = 'Calling Async Geocode Batch v1 API with Share Key Auth. Expect initial 202, then a 200 on the polling response', timeout=120, poll_interval=3)\n",
+    "# confirm the response contains \"summary\": { \"successfulRequests\": 5, \"totalRequests\": 5}\n",
+    "tests.verify('summary' in output and 'successfulRequests' in output and json.loads(output)['summary']['successfulRequests'] == 5, True)\n",
+    "\n",
+    "tests.print_summary()\n",
     "\n",
     "utils.print_ok('All done!')"
    ]
diff --git a/samples/azure-maps/main.bicep b/samples/azure-maps/main.bicep
@@ -5,7 +5,7 @@
 @description('Location to be used for resources. Defaults to the resource group location')
 param location string = resourceGroup().location
 
-param mapsLocation string = 'eastus' // Azure Maps is only available in certain regions, adjust as needed
+param mapsLocation string = 'eastus' // Azure Maps is only available in certain regions: https://learn.microsoft.com/en-us/azure/azure-maps/creator-geographic-scope#geographic-and-regional-mapping
 
 @description('The unique suffix to append. Defaults to a unique string based on subscription and resource group IDs.')
 param resourceSuffix string = uniqueString(subscription().id, resourceGroup().id)
@@ -17,6 +17,12 @@ param appInsightsName string = 'appi-${resourceSuffix}'
 param userAssignedIdentityName string = 'uami-maps-${resourceSuffix}'
 param apis array = []
 
+// ------------------------------
+//    VARIABLES
+// ------------------------------
+
+var azureRoles = loadJsonContent('../../shared/azure-roles.json')
+
 // ------------------
 //    RESOURCES
 // ------------------
@@ -155,35 +161,35 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   ]
 }]
 
-// Grant APIM managed identity access to Azure Maps, here are the RBAC roles you might need: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication#picking-a-role-definition
+// Grant APIM managed identity Azure Maps Seaarch and Render Data Reader role to Azure Maps
 resource mapsDataReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(mapsAccount.id, apimService.id, '6be48352-4f82-47c9-ad5e-0acacefdb005')
+  name: guid(mapsAccount.id, apimService.id, 'Azure Maps Search and Render Data Reader')
   scope: mapsAccount
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6be48352-4f82-47c9-ad5e-0acacefdb005')
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', azureRoles.AzureMapsSearchAndRenderDataReader)
     principalId: apimService.identity.principalId
     principalType: 'ServicePrincipal'
   }
 }
 
 // Grant APIM managed identity 'Azure Maps Contributor' role to Azure Maps, this allows the creation of SAS tokens
 resource mapsContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(mapsAccount.id, apimService.id, 'dba33070-676a-4fb0-87fa-064dc56ff7fb')
+  name: guid(mapsAccount.id, apimService.id, 'Azure Maps Contributor')
   scope: mapsAccount
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'dba33070-676a-4fb0-87fa-064dc56ff7fb')
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', azureRoles.AzureMapsContributor)
     principalId: apimService.identity.principalId
     principalType: 'ServicePrincipal'
   }
 }
 
 
-// Grant user-assigned managed identity Azure Maps Data Reader role
+// Grant user-assigned managed identity Azure Maps Search and Render Data Reader role
 resource userAssignedIdentityMapsDataReaderRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(mapsAccount.id, userAssignedIdentity.id, '6be48352-4f82-47c9-ad5e-0acacefdb005')
+  name: guid(mapsAccount.id, userAssignedIdentity.id, 'Azure Maps Search and Render Data Reader')
   scope: mapsAccount
   properties: {
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6be48352-4f82-47c9-ad5e-0acacefdb005')
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', azureRoles.AzureMapsSearchAndRenderDataReader)
     principalId: userAssignedIdentity.properties.principalId
     principalType: 'ServicePrincipal'
   }
diff --git a/shared/azure-roles.json b/shared/azure-roles.json
@@ -1,5 +1,7 @@
 {
     "__source": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
     "StorageBlobDataContributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
-    "StorageBlobDataReader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
+    "StorageBlobDataReader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
+    "AzureMapsSearchAndRenderDataReader": "6be48352-4f82-47c9-ad5e-0acacefdb005",
+    "AzureMapsContributor": "dba33070-676a-4fb0-87fa-064dc56ff7fb"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"__source": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",`
`3`	`3`	`"StorageBlobDataContributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",`
`4`		`- "StorageBlobDataReader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"`
	`4`	`+ "StorageBlobDataReader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",`
	`5`	`+ "AzureMapsSearchAndRenderDataReader": "6be48352-4f82-47c9-ad5e-0acacefdb005",`
	`6`	`+ "AzureMapsContributor": "dba33070-676a-4fb0-87fa-064dc56ff7fb"`
`5`	`7`	`}`