use managed identity ACA Cosmos

Author: bmoussaud

README.md

@@ -209,4 +209,6 @@ This project is licensed under the MIT License. See the [LICENSE](LICENSE) file
 * https://azureossd.github.io/2024/02/12/Container-Apps-General-troubleshooting-with-Dapr-on-Container-Apps/
 * https://github.com/Azure/aca-dotnet-workshop
 * https://docs.dapr.io/developing-applications/building-blocks/state-management/howto-state-query-api/
+* https://github.com/Azure-Samples/Tutorial-Deploy-Dapr-Microservices-ACA/blob/main/azuredeploy.bicep
+
 

infra/main.bicep

@@ -753,7 +753,6 @@ module containerMovieGallerySvcApp 'modules/apps/movie-gallery-svc.bicep' = {
     acrPullRoleName: uaiAzureRambiAcrPull.name
     shared_secrets: shared_secrets
     containerAppsEnvironment: containerAppsEnv.name
-    kvName: kv.name
   }
 }
 

infra/modules/apps/movie-gallery-svc.bicep

@@ -51,6 +51,10 @@ resource containerAppsEnv 'Microsoft.App/managedEnvironments@2024-10-02-preview'
           name: 'collection'
           value: 'state'
         }
+        {
+          name: 'azureClientId'
+          value: managedIdentity.properties.clientId
+        }
       ]
       scopes: [
         containerName
@@ -63,9 +67,10 @@ resource containerMovieGallerySvcApp 'Microsoft.App/containerApps@2024-10-02-pre
   name: containerName
   location: location
   identity: {
-    type: 'SystemAssigned,UserAssigned'
+    type: 'UserAssigned'
     userAssignedIdentities: {
       '${uaiAzureRambiAcrPull.id}': {}
+      '${managedIdentity.id}': {}
     }
   }
   tags: { 'azd-service-name': replace(containerName, '-', '_') }
@@ -205,10 +210,15 @@ resource cosmosDbDatabaseCollection 'Microsoft.DocumentDB/databaseAccounts/sqlDa
 // Assign cosmosdb account read/write access to aca system assigned identity
 // To know more: https://learn.microsoft.com/azure/cosmos-db/how-to-setup-rbac
 resource backendApiService_cosmosdb_role_assignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-08-15' = {
-  name: guid(subscription().id, containerMovieGallerySvcApp.name, '00000000-0000-0000-0000-000000000002')
+  name: guid(
+    subscription().id,
+    'docdbcontributor',
+    containerMovieGallerySvcApp.name,
+    '00000000-0000-0000-0000-000000000002'
+  )
   parent: cosmosDbAccount
   properties: {
-    principalId: containerMovieGallerySvcApp.identity.principalId
+    principalId: managedIdentity.properties.principalId
     roleDefinitionId: resourceId(
       'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',
       cosmosDbAccount.name,
@@ -218,5 +228,10 @@ resource backendApiService_cosmosdb_role_assignment 'Microsoft.DocumentDB/databa
   }
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
+  name: 'dapr-state-store-identity'
+  location: location
+}
+
 output name string = containerMovieGallerySvcApp.name
 output fqdn string = containerMovieGallerySvcApp.properties.configuration.ingress.fqdn

src/movie_gallery_svc/entities.py

@@ -1,8 +1,8 @@
 import json
 import uuid
 import logging
-from pydantic import BaseModel
 from typing import List
+from pydantic import BaseModel
 
 class MovieRequest(BaseModel):
     """Request model for adding a new movie."""
@@ -15,7 +15,7 @@ def __init__(self, movie_id : str, title : str, description : str):
         dict.__init__(self, movie_id=movie_id, title=title, description=description)
 
     def __repr__(self):
-        return f"MovieGallery(id={self['movie_id']}, title={self['title']}, description={self['description']})"
+        return f"MovieGallery(movie_id={self['movie_id']}, title={self['title']}, description={self['description']})"
 
     def getattr(self, key):
         """Get attribute value by key."""
@@ -39,7 +39,7 @@ def from_bytes(json_bytes : bytes) -> 'Movie':
         """Convert bytes to Movie object."""
         item = json.loads(json_bytes.decode('utf-8'))
         return Movie(
-            item["id"],
+            item["movie_id"],
             item["title"],
             item["description"]
         )

src/movie_gallery_svc/store.py

@@ -18,14 +18,14 @@ def upsert(self, movie: Movie) -> Movie:
         """Add a movie to the store."""
         logging.info("Adding movie: %s", movie)
         logging.info("JSON %s", json.dumps(movie))
-        logging.info("saving movie to store %s using this key %s", self.state_store_name, movie['id'])
+        logging.info("saving movie to store %s using this key %s", self.state_store_name, movie['movie_id'])
         self.dapr_client.save_state(
             store_name=self.state_store_name,
-            key=movie['id'],
+            key=movie['movie_id'],
             value=json.dumps(movie)
         )
-        logging.info("Movie %s added to store", movie['id'])
-        return self.try_find_by_id(movie['id'])
+        logging.info("Movie %s added to store", movie['movie_id'])
+        return self.try_find_by_id(movie['movie_id'])
 
     def try_find_by_id(self, movie_id : str) -> Movie:
         """Find a movie by its ID."""