Fix Cosmos DB role assignment to use built-in Data Contributor role

Co-authored-by: spboyer <[email protected]>

Author: Copilot

infra/app/cosmos-role-assignment.bicep

@@ -0,0 +1,13 @@
+param cosmosAccountName string
+param apiPrincipalId string
+
+// Create a role assignment for the API's managed identity to access Cosmos DB
+// Using the built-in "Cosmos DB Built-in Data Contributor" role
+resource apiCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
+  name: '${cosmosAccountName}/${guid(apiPrincipalId, cosmosAccountName, '00000000-0000-0000-0000-000000000002')}'
+  properties: {
+    roleDefinitionId: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+    principalId: apiPrincipalId
+    scope: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
+  }
+}

infra/app/cosmos-role-assignment.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.36.1.42791",
+      "templateHash": "7411539156170877165"
+    }
+  },
+  "parameters": {
+    "cosmosAccountName": {
+      "type": "string"
+    },
+    "apiPrincipalId": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
+      "apiVersion": "2024-05-15",
+      "name": "[format('{0}/{1}', parameters('cosmosAccountName'), guid(parameters('apiPrincipalId'), parameters('cosmosAccountName'), '00000000-0000-0000-0000-000000000002'))]",
+      "properties": {
+        "roleDefinitionId": "[format('{0}/providers/Microsoft.DocumentDB/databaseAccounts/{1}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002', resourceGroup().id, parameters('cosmosAccountName'))]",
+        "principalId": "[parameters('apiPrincipalId')]",
+        "scope": "[format('{0}/providers/Microsoft.DocumentDB/databaseAccounts/{1}', resourceGroup().id, parameters('cosmosAccountName'))]"
+      }
+    }
+  ]
+}

infra/main.bicep

@@ -123,14 +123,13 @@ module cosmos './app/db-avm.bicep' = {
   }
 }
 
-// Give the API managed identity access to Cosmos DB
-module apiCosmosRoleAssignment 'br/public:avm/ptn/authorization/role-assignment:0.1.0' = {
-  name: 'api-cosmos-role-assignment'
+// Give the API managed identity access to Cosmos DB using built-in Data Contributor role
+module apiCosmosRoleAssignment './app/cosmos-role-assignment.bicep' = {
+  name: 'api-cosmos-role'
   scope: rg
   params: {
-    principalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
-    resourceId: cosmos.outputs.resourceId
+    cosmosAccountName: cosmos.outputs.accountName
+    apiPrincipalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
   }
 }