Conversation
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 67 out of 67 changed files in this pull request and generated 11 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
infra/modules/cosmos.bicep
Outdated
| <<<<<<< HEAD | ||
|
|
||
| @description('List of SQL API container names to provision') | ||
| param containerNames array = [ | ||
| 'Users' |
There was a problem hiding this comment.
This file still contains unresolved Git merge conflict markers (e.g., <<<<<<< HEAD, =======, >>>>>>>). Bicep compilation will fail until the conflict is resolved and the markers are removed.
infra/main.bicep
Outdated
| @description('Enable IP filtering for the web application (when true, only allowedWebIp can access the Container App API)') | ||
| <<<<<<< HEAD | ||
| param enableWebIpFiltering bool = false | ||
| ======= | ||
| param enableWebIpFiltering bool = true | ||
| >>>>>>> origin/main |
There was a problem hiding this comment.
Unresolved merge conflict markers are present in this file (e.g., around enableWebIpFiltering and networking params). The template will not compile/apply until these conflicts are resolved and the duplicated/branch-only blocks are removed.
backend/src/MedBench.API/Program.cs
Outdated
| <<<<<<< HEAD | ||
| using Microsoft.Azure.Cosmos; | ||
| using System.Text.Json; | ||
| ======= | ||
| >>>>>>> origin/main |
There was a problem hiding this comment.
This file contains unresolved merge conflict markers in the using/import section. The project will not build until the conflict is resolved and only the intended imports remain.
| <<<<<<< HEAD | |
| using Microsoft.Azure.Cosmos; | |
| using System.Text.Json; | |
| ======= | |
| >>>>>>> origin/main | |
| using Microsoft.Azure.Cosmos; | |
| using System.Text.Json; |
backend/src/MedBench.API/Program.cs
Outdated
| builder.Services.AddSingleton(sp => | ||
| { | ||
| <<<<<<< HEAD | ||
| var dbName = Environment.GetEnvironmentVariable("COSMOSDB_DATABASE") | ||
| ?? builder.Configuration["CosmosDb:DatabaseName"]; | ||
|
|
||
| if (string.IsNullOrWhiteSpace(dbName)) | ||
| { | ||
| throw new InvalidOperationException("Cosmos DB database name not found. Set COSMOSDB_DATABASE or CosmosDb:DatabaseName."); | ||
| } | ||
|
|
||
| return new MedBench.Core.Cosmos.CosmosContainerProvider( | ||
| sp.GetRequiredService<CosmosClient>(), | ||
| dbName); | ||
| ======= |
There was a problem hiding this comment.
There is an unresolved merge conflict inside the DI registration for Cosmos/Mongo (starting at <<<<<<< HEAD). Resolve the conflict and remove the MongoDB-based branch entirely if the codebase has migrated to Cosmos SQL API, otherwise the application will not compile.
| // Store Cosmos DB endpoint for managed identity authentication | ||
| resource cosmosEndpointSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = { | ||
| parent: keyVault | ||
| name: 'cosmos-connection-string' | ||
| name: 'cosmos-endpoint' | ||
| properties: { | ||
| value: cosmosAccount.properties.documentEndpoint | ||
| } | ||
| } |
There was a problem hiding this comment.
cosmosEndpointSecret is defined here, but the file also contains another cosmosEndpointSecret resource later (duplicate declaration). Deployment will fail with a duplicate resource definition; keep only one secret resource for the Cosmos endpoint.
| "name": "bicep", | ||
| "version": "0.38.33.27573", | ||
| "templateHash": "16783774531187217924" | ||
| "templateHash": "3963363190777727422", | ||
| } | ||
| }, |
There was a problem hiding this comment.
This JSON is invalid due to a trailing comma after the templateHash property. Remove the trailing comma so infra/main.json parses correctly.
| <<<<<<< HEAD | ||
| This project supports two deployment networking modes: | ||
|
|
||
| - `DEPLOYMENT_NETWORKING=open` (default): public ingress | ||
| - `DEPLOYMENT_NETWORKING=private`: internal-only networking (VNet) | ||
|
|
There was a problem hiding this comment.
This documentation file still contains unresolved Git merge conflict markers (<<<<<<<, =======, >>>>>>>). Resolve the conflict and remove the markers so the rendered docs are correct.
| with open(path, "r", encoding="utf-8") as f: | ||
| content = f.read().strip() | ||
| if not content: | ||
| return [] | ||
|
|
||
| if content.startswith("["): | ||
| data = json.loads(content) | ||
| if not isinstance(data, list): | ||
| raise ValueError("Expected a JSON array") | ||
| return data |
There was a problem hiding this comment.
_iter_documents reads the entire file into memory to detect JSON-array vs NDJSON, and later docs = list(_iter_documents(...)) materializes everything again. For large exports this can cause high memory usage; consider streaming (peek first non-whitespace char, then iterate items/lines) and upserting incrementally.
| if key in ("$numberDouble", "$numberDecimal"): | ||
| return float(inner) |
There was a problem hiding this comment.
Mongo Extended JSON $numberDecimal is converted to float, which can lose precision. Consider using decimal.Decimal (or preserving as string) for $numberDecimal while keeping $numberDouble as float.
| public async Task<DataObject> GetByIdWithIndexAsync(string id) | ||
| { | ||
| var dataObject = await GetByIdAsync(id); | ||
|
|
||
| // Backwards compatibility: populate OriginalDataFile and OriginalIndex if needed |
There was a problem hiding this comment.
This GetByIdWithIndexAsync method was added, but the file still contains another GetByIdWithIndexAsync implementation further down (MongoDB-based). The duplicate method signature will prevent compilation; remove/rename the stale implementation so only one method remains.
sashimono-san
left a comment
sashimono-san
left a comment
There was a problem hiding this comment.
I tested the deployment and fixed a few things along the way, please check: #58
Main pending issue is the mismatch between DB and FE admin roles, and the merge conflicts in DEPLOYMENT.md. I left some other comments to consider
| Id = Guid.NewGuid().ToString(), | ||
| Name = name, | ||
| Email = email, | ||
| Roles = new List<string> { "Administrator" }, |
There was a problem hiding this comment.
The DB does get populated when env variables are set, but the role itself is different from what the frontend expects, in the FE these pages checks for admin instead of Administrator:
Admin.tsxDashboard.tsxNavigation.tsxAuthContext.tsx
But then, RequireAdministratorRole checks for Administrator.
| deploymentNetworking: "${DEPLOYMENT_NETWORKING=private}" | ||
| createVnet: "${CREATE_VNET=true}" | ||
| existingVnetResourceId: "${EXISTING_VNET_RESOURCE_ID=}" | ||
| existingAcaInfrastructureSubnetId: "${EXISTING_ACA_INFRASTRUCTURE_SUBNET_ID=}" | ||
| existingFunctionsIntegrationSubnetId: "${EXISTING_FUNCTIONS_INTEGRATION_SUBNET_ID=}" | ||
| vnetAddressSpace: "${VNET_ADDRESS_SPACE=10.30.0.0/16}" | ||
| acaInfrastructureSubnetPrefix: "${ACA_INFRASTRUCTURE_SUBNET_PREFIX=10.30.0.0/23}" | ||
| functionsIntegrationSubnetPrefix: "${FUNCTIONS_INTEGRATION_SUBNET_PREFIX=10.30.2.0/24}" | ||
| gatewaySubnetPrefix: "${GATEWAY_SUBNET_PREFIX=10.30.255.0/27}" | ||
| createVpnGateway: "${CREATE_VPN_GATEWAY=true}" | ||
| vpnClientAddressPool: "${VPN_CLIENT_ADDRESS_POOL=172.16.200.0/24}" | ||
| vpnGatewaySku: "${VPN_GATEWAY_SKU=VpnGw1}" | ||
| createPrivateEndpoint: "${CREATE_PRIVATE_ENDPOINT=true}" | ||
| privateEndpointSubnetPrefix: "${PRIVATE_ENDPOINT_SUBNET_PREFIX=10.30.4.0/27}" | ||
| createDnsResolver: "${CREATE_DNS_RESOLVER=true}" | ||
| dnsResolverSubnetPrefix: "${DNS_RESOLVER_SUBNET_PREFIX=10.30.3.0/27}" | ||
| dnsResolverInboundIp: "${DNS_RESOLVER_INBOUND_IP=}" | ||
| rootAdminEmail: "${ROOT_ADMIN_EMAIL=}" | ||
| rootAdminName: "${ROOT_ADMIN_NAME=}" | ||
| rootAdminPassword: "${ROOT_ADMIN_PASSWORD=}" | ||
| enableWebIpFiltering: "${ENABLE_WEB_IP_FILTERING}" |
There was a problem hiding this comment.
We have all that under main.parameters.json, and I think having both is redundant.
| hooks: | ||
| prepackage: | ||
| shell: sh | ||
| run: ../../package_addon.sh evaluator | ||
| continueOnError: false |
There was a problem hiding this comment.
We still need to run this script, so I added some instructions in the deployment guide (see #58)
| #### IP Filtering & Security Configuration | ||
|
|
||
| <<<<<<< HEAD | ||
| This project supports two deployment networking modes: |
There was a problem hiding this comment.
Deployments take long, so if possible it's better to have these instructions should come before the Step 3: Deploy the Infrastructure section.
| To start the deployment process, run: | ||
|
|
||
| ```bash | ||
| azd up | ||
| ``` | ||
|
|
||
| During deployment you will be prompted for any required variable not yet set, such as subscription, resource group and location. | ||
|
|
||
| This command will: | ||
| - Provision all Azure infrastructure (Container Apps, Functions, Storage, Cosmos DB, etc.) | ||
| - Deploy backend API (with integrated frontend) | ||
| - Create or configure Azure OpenAI service | ||
| - Set up shared blob storage for all components | ||
| - Configure authentication via Entra ID App Registration |
There was a problem hiding this comment.
This section kind of duplicates and extends from section Step 3: Deploy the Infrastructure. When resolving merge conflicts we should merge these two parts of the guide
| > Cosmos DB **local auth is disabled** in this deployment. For local development, run `az login` and ensure your current identity has Cosmos **data-plane** permissions on the target account. | ||
| > The API also uses **managed identity / Entra ID** for Storage, so your signed-in identity needs Storage Blob **data-plane** permissions on the target account. |
There was a problem hiding this comment.
We could add this permission to the user running deployment directly with bicep. I think it would be a nice to have.
Also, the postprovision script is not assigning this data-plane permission. Instead it's assigning the Azure RBAC role for cosmos. See my new PR for this fix
Refactor to cosmos without mongo api and deploying inside a vnet by default to satisfy security feedback.