Merge pull request #28 from Azure-Samples/copilot/fix-27

Fix Azure Cosmos DB authentication to use managed identity instead of connection strings

Author: spboyer

infra/app/cosmos-role-assignment.bicep

@@ -0,0 +1,13 @@
+param cosmosAccountName string
+param apiPrincipalId string
+
+// Create a role assignment for the API's managed identity to access Cosmos DB
+// Using the built-in "Cosmos DB Built-in Data Contributor" role
+resource apiCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
+  name: '${cosmosAccountName}/${guid(apiPrincipalId, cosmosAccountName, '00000000-0000-0000-0000-000000000002')}'
+  properties: {
+    roleDefinitionId: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+    principalId: apiPrincipalId
+    scope: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
+  }
+}

infra/app/cosmos-role-assignment.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.36.1.42791",
+      "templateHash": "7411539156170877165"
+    }
+  },
+  "parameters": {
+    "cosmosAccountName": {
+      "type": "string"
+    },
+    "apiPrincipalId": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
+      "apiVersion": "2024-05-15",
+      "name": "[format('{0}/{1}', parameters('cosmosAccountName'), guid(parameters('apiPrincipalId'), parameters('cosmosAccountName'), '00000000-0000-0000-0000-000000000002'))]",
+      "properties": {
+        "roleDefinitionId": "[format('{0}/providers/Microsoft.DocumentDB/databaseAccounts/{1}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002', resourceGroup().id, parameters('cosmosAccountName'))]",
+        "principalId": "[parameters('apiPrincipalId')]",
+        "scope": "[format('{0}/providers/Microsoft.DocumentDB/databaseAccounts/{1}', resourceGroup().id, parameters('cosmosAccountName'))]"
+      }
+    }
+  ]
+}

infra/app/db-avm.bicep

@@ -2,43 +2,17 @@ param accountName string
 param location string = resourceGroup().location
 param tags object = {}
 param cosmosDatabaseName string = ''
-param keyVaultResourceId string
-param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
-param collections array = [
+param containers array = [
   {
     name: 'TodoList'
-    id: 'TodoList'
-    shardKey: {
-      keys: [
-        'Hash'
-      ]
-    }
-    indexes: [
-      {
-        key: {
-          keys: [
-            '_id'
-          ]
-        }
-      }
+    paths: [
+      '/id'
     ]
   }
   {
     name: 'TodoItem'
-    id: 'TodoItem'
-    shardKey: {
-      keys: [
-        'Hash'
-      ]
-    }
-    indexes: [
-      {
-        key: {
-          keys: [
-            '_id'
-          ]
-        }
-      }
+    paths: [
+      '/id'
     ]
   }
 ]
@@ -47,7 +21,7 @@ var defaultDatabaseName = 'Todo'
 var actualDatabaseName = !empty(cosmosDatabaseName) ? cosmosDatabaseName : defaultDatabaseName
 
 module cosmos 'br/public:avm/res/document-db/database-account:0.6.0' = {
-  name: 'cosmos-mongo'
+  name: 'cosmos-sql'
   params: {
     locations: [
       {
@@ -58,20 +32,18 @@ module cosmos 'br/public:avm/res/document-db/database-account:0.6.0' = {
     ]
     name: accountName
     location: location
-    mongodbDatabases: [
+    disableLocalAuth: true
+    sqlDatabases: [
       {
         name: actualDatabaseName
         tags: tags
-        collections: collections
+        containers: containers
       }
     ]
-    secretsExportConfiguration: {
-      keyVaultResourceId: keyVaultResourceId
-      primaryWriteConnectionStringSecretName: connectionStringKey
-    }
   }
 }
 
-output connectionStringKey string = connectionStringKey
 output databaseName string = actualDatabaseName
 output endpoint string = cosmos.outputs.endpoint
+output accountName string = accountName
+output resourceId string = cosmos.outputs.resourceId

infra/main.bicep

@@ -74,9 +74,8 @@ module api './app/api-appservice-avm.bicep' = {
     }
     appSettings: {
       AZURE_KEY_VAULT_ENDPOINT: keyVault.outputs.uri
-      AZURE_COSMOS_CONNECTION_STRING_KEY: cosmos.outputs.connectionStringKey
       AZURE_COSMOS_DATABASE_NAME: cosmos.outputs.databaseName
-      AZURE_COSMOS_ENDPOINT: 'https://${cosmos.outputs.databaseName}.documents.azure.com:443/'
+      AZURE_COSMOS_ENDPOINT: cosmos.outputs.endpoint
       API_ALLOW_ORIGINS: web.outputs.SERVICE_WEB_URI
       SCM_DO_BUILD_DURING_DEPLOYMENT: true
     }
@@ -121,7 +120,16 @@ module cosmos './app/db-avm.bicep' = {
     accountName: !empty(cosmosAccountName) ? cosmosAccountName : '${abbrs.documentDBDatabaseAccounts}${resourceToken}'
     location: location
     tags: tags
-    keyVaultResourceId: keyVault.outputs.resourceId
+  }
+}
+
+// Give the API managed identity access to Cosmos DB using built-in Data Contributor role
+module apiCosmosRoleAssignment './app/cosmos-role-assignment.bicep' = {
+  name: 'api-cosmos-role'
+  scope: rg
+  params: {
+    cosmosAccountName: cosmos.outputs.accountName
+    apiPrincipalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
   }
 }
 
@@ -217,8 +225,8 @@ module apimApi 'br/public:avm/ptn/azd/apim-api:0.1.0' = if (useAPIM) {
 }
 
 // Data outputs
-output AZURE_COSMOS_CONNECTION_STRING_KEY string = cosmos.outputs.connectionStringKey
 output AZURE_COSMOS_DATABASE_NAME string = cosmos.outputs.databaseName
+output AZURE_COSMOS_ENDPOINT string = cosmos.outputs.endpoint
 
 // App outputs
 output APPLICATIONINSIGHTS_CONNECTION_STRING string = monitoring.outputs.applicationInsightsConnectionString

src/api/config/custom-environment-variables.json

@@ -1,6 +1,6 @@
 {
     "database": {
-        "connectionString": "AZURE_COSMOS_CONNECTION_STRING",
+        "endpoint": "AZURE_COSMOS_ENDPOINT",
         "databaseName": "AZURE_COSMOS_DATABASE_NAME"
     },
     "observability": {

src/api/config/default.json

@@ -1,6 +1,6 @@
 {
     "database": {
-        "connectionString": "",
+        "endpoint": "",
         "databaseName": "Todo"
     },
     "observability": {

src/api/config/test.json

@@ -0,0 +1,10 @@
+{
+    "database": {
+        "endpoint": "https://mock-cosmos-endpoint.documents.azure.com:443/",
+        "databaseName": "MockTodo"
+    },
+    "observability": {
+        "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000",
+        "roleName": "API"
+    }
+}