* Initial plan * Add COSMOSDB_ENDPOINT environment variable to README.md Co-authored-by: sashimono-san <185106146+sashimono-san@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: sashimono-san <185106146+sashimono-san@users.noreply.github.com>
* Initial plan * Fix Docker build: Add -m flag to useradd in Dockerfiles Co-authored-by: sashimono-san <185106146+sashimono-san@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: sashimono-san <185106146+sashimono-san@users.noreply.github.com>
Pull request overview
This pull request applies several fixes on top of the feature/VPNDeployment branch, focusing on Cosmos DB role assignment improvements, parameter mapping for admin user bootstrapping, Dockerfile user creation fixes, and deployment documentation updates.
Changes:
- Updates Cosmos DB role assignment to use SQL data-plane roles with proper built-in role definition IDs
- Adds ROOT_ADMIN_* parameter mappings in main.parameters.json for admin user bootstrapping
- Fixes Dockerfile user creation by adding `-m` flag to useradd commands
- Reorganizes and improves deployment documentation structure
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| infra/scripts/postprovision.sh | Updates Cosmos DB role assignment to use SQL data-plane built-in Data Contributor role with proper role definition ID format |
| infra/scripts/postprovision.ps1 | Same role assignment updates as bash script, applied to both code paths (existing and new client ID) |
| infra/main.parameters.json | Adds parameter mappings for ROOT_ADMIN_EMAIL, ROOT_ADMIN_NAME, and ROOT_ADMIN_PASSWORD environment variables |
| functions/Dockerfile | Adds -m flag to useradd command to create home directory automatically |
| functions/Dockerfile.addon-dev | Same useradd fix as main Dockerfile |
| README.md | Updates deployment instructions, adds branch-specific initialization guidance, and updates backend setup environment variables |
| DEPLOYMENT.md | Reorganizes documentation by moving admin user setup section earlier, adds pre-package addon instructions, and improves deployment flow |
| --resource-group "$RESOURCE_GROUP_NAME" \ | ||
| --principal-id "$PRINCIPAL_ID" \ | ||
| --role-definition-id "${COSMOS_ACCOUNT_ID}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002" \ | ||
| --scope "$COSMOS_ACCOUNT_ID" \ |
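Review bot: The `--role-definition-id` line grants the built-in Data Contributor role (the ID ending in `0002`) and the `--scope` line applies it to the whole Cosmos account, so the principal can read and write every database and container in it. If the application only uses one database, narrow the scope to that database or container path, and where read access is enough assign a reader role instead. A one-line comment above the command naming the role would also help, since the bare GUID tells a later reader of the script nothing.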
The --scope parameter should be "/" (root of the Cosmos account) instead of the full Azure resource ID. The Azure CLI expects a relative scope within the Cosmos account, not the full resource ID. This is consistent with the bicep template (infra/modules/cosmos.bicep:124) and the examples in README.md:143 and DEPLOYMENT.md:333 which all use --scope "/". The role assignment may fail or behave unexpectedly with the full resource ID as scope.
| --scope "$COSMOS_ACCOUNT_ID" \ | |
| --scope "/" \ |
| --resource-group $resourceGroupName ` | ||
| --principal-id $principalId ` | ||
| --role-definition-id "$cosmosAccountId/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002" ` | ||
| --scope $cosmosAccountId ` |
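Review bot: No check on `$cosmosAccountId` is visible before it is interpolated into the `--role-definition-id` argument. If the earlier lookup returned an empty value, the argument becomes `/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002` and the CLI error will not point at the real cause. Validate that `$cosmosAccountId` and `$principalId` are non-empty and stop with a clear message before calling the CLI.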
The --scope parameter should be "/" (root of the Cosmos account) instead of the full Azure resource ID. The Azure CLI expects a relative scope within the Cosmos account, not the full resource ID. This is consistent with the bicep template (infra/modules/cosmos.bicep:124) and the examples in README.md:143 and DEPLOYMENT.md:333 which all use --scope "/". The role assignment may fail or behave unexpectedly with the full resource ID as scope.
| --scope $cosmosAccountId ` | |
| --scope "/" ` |
| --resource-group $resourceGroupName ` | ||
| --principal-id $principalId ` | ||
| --role-definition-id "$cosmosAccountId/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002" ` | ||
| --scope $cosmosAccountId ` |
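Review bot: These four lines are identical to the previous PowerShell hunk, so the role definition ID and the scope now have to be kept in sync in two code paths. Move the role assignment into one function that takes the principal ID and call it from both the existing and the new client ID paths, so that a later change to the role or scope is made in one place.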
The --scope parameter should be "/" (root of the Cosmos account) instead of the full Azure resource ID. The Azure CLI expects a relative scope within the Cosmos account, not the full resource ID. This is consistent with the bicep template (infra/modules/cosmos.bicep:124) and the examples in README.md:143 and DEPLOYMENT.md:333 which all use --scope "/". The role assignment may fail or behave unexpectedly with the full resource ID as scope.
| --scope $cosmosAccountId ` | |
| --scope "/" ` |
| export COSMOSDB_CONNECTION_STRING="Your mongodb connection string" | ||
| export COSMOSDB_ENDPOINT="Your mongodb endpoint" | ||
|
|
||
| # For PowerShell | ||
| $env:AZURE_STORAGE_CONNECTION_STRING="Your Storage Account connection string" | ||
| $env:COSMOSDB_CONNECTION_STRING="Your mongodb connection string" | ||
| $env:COSMOSDB_ENDPOINT="Your mongodb endpoint" |
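Review bot: The README now documents both `COSMOSDB_CONNECTION_STRING` and `COSMOSDB_ENDPOINT`, in the bash and the PowerShell examples, without saying which one the backend requires or which takes precedence when both are set. Since this pull request sets up role-based data-plane access, state whether the endpoint alone is sufficient, and if it is, mark the connection string as optional so readers do not place an account key in their shell environment when they do not need to.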
The documentation incorrectly refers to "mongodb connection string" and "mongodb endpoint". The system uses Cosmos DB SQL API, not MongoDB API, as confirmed by DEPLOYMENT.md:292 and DEPLOYMENT.md:298. These should reference "Cosmos DB connection string" and "Cosmos DB endpoint" for consistency and accuracy.
| export COSMOSDB_CONNECTION_STRING="Your mongodb connection string" | |
| export COSMOSDB_ENDPOINT="Your mongodb endpoint" | |
| # For PowerShell | |
| $env:AZURE_STORAGE_CONNECTION_STRING="Your Storage Account connection string" | |
| $env:COSMOSDB_CONNECTION_STRING="Your mongodb connection string" | |
| $env:COSMOSDB_ENDPOINT="Your mongodb endpoint" | |
| export COSMOSDB_CONNECTION_STRING="Your Cosmos DB connection string" | |
| export COSMOSDB_ENDPOINT="Your Cosmos DB endpoint" | |
| # For PowerShell | |
| $env:AZURE_STORAGE_CONNECTION_STRING="Your Storage Account connection string" | |
| $env:COSMOSDB_CONNECTION_STRING="Your Cosmos DB connection string" | |
| $env:COSMOSDB_ENDPOINT="Your Cosmos DB endpoint" |
| azd up | ||
| ``` | ||
|
|
||
| To initialize the project targetting a specific branch, use the `--branch` flag: |
Misspelling: "targetting" should be "targeting" (one 't').
| To initialize the project targetting a specific branch, use the `--branch` flag: | |
| To initialize the project targeting a specific branch, use the `--branch` flag: |
Small fixes on top of `feature/VPNDeployment`:
- `ROOT_ADMIN_*` variables for bicep configuration