Merge pull request #14 from Azure-Samples/copilot/fix-13

Fix managed identity compliance by removing Cosmos DB connection string configuration

Author: spboyer

.github/prompts/managed-identity-prompt.md

@@ -0,0 +1,163 @@
+# Converting Azure Templates from Cosmos DB Connection Strings to Managed Identity
+
+This prompt provides step-by-step instructions for converting Azure Bicep templates from using Cosmos DB connection strings to managed identity authentication, ensuring compliance with Azure security policies that disallow local authentication methods.
+
+## Problem Context
+
+Azure security policies often require disabling local authentication methods for Cosmos DB, which means connection strings cannot be used. Templates must be updated to use managed identity authentication instead.
+
+## Prerequisites
+
+Before starting, ensure:
+- The application code already supports managed identity (using `DefaultAzureCredential` and endpoint-based authentication)
+- The template has system-assigned managed identity configured for the app service
+- You understand the structure of your Bicep template files
+
+## Step-by-Step Conversion Process
+
+### 1. Remove Connection String Configuration
+
+**In your Cosmos DB module (e.g., `infra/app/db-avm.bicep`):**
+
+Remove the following parameters and configurations:
+```bicep
+// Remove these parameters
+param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
+param keyVaultResourceId string
+
+// Remove this entire secretsExportConfiguration block
+secretsExportConfiguration:{
+  keyVaultResourceId: keyVaultResourceId
+  primaryWriteConnectionStringSecretName: connectionStringKey
+}
+
+// Remove this output
+output connectionStringKey string = connectionStringKey
+```
+
+**In your main template (e.g., `infra/main.bicep`):**
+
+Remove connection string related configurations:
+```bicep
+// Remove from cosmos module parameters
+keyVaultResourceId: keyVault.outputs.resourceId
+
+// Remove from app settings
+AZURE_COSMOS_CONNECTION_STRING_KEY: cosmos.outputs.connectionStringKey
+
+// Remove from template outputs
+output AZURE_COSMOS_CONNECTION_STRING_KEY string = cosmos.outputs.connectionStringKey
+```
+
+### 2. Enable Managed Identity Authentication
+
+**Add `disableLocalAuth: true` to your Cosmos DB module:**
+```bicep
+module cosmos 'br/public:avm/res/document-db/database-account:0.6.0' = {
+  name: 'cosmos-sql'
+  params: {
+    name: accountName
+    location: location
+    tags: tags
+    disableLocalAuth: true  // ← Add this line
+    // ... other parameters
+  }
+}
+```
+
+### 3. Handle Role Assignments Properly
+
+**Critical:** Avoid duplicate Cosmos DB deployments that can override the `disableLocalAuth` setting.
+
+**Create a separate role assignment module** (`infra/app/cosmos-role-assignment.bicep`):
+```bicep
+param cosmosAccountName string
+param apiPrincipalId string
+
+// Create a role assignment for the API's managed identity to access Cosmos DB
+// Using the built-in "Cosmos DB Built-in Data Contributor" role
+resource apiCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
+  name: '${cosmosAccountName}/${guid(apiPrincipalId, cosmosAccountName, '00000000-0000-0000-0000-000000000002')}'
+  properties: {
+    roleDefinitionId: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+    principalId: apiPrincipalId
+    scope: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
+  }
+}
+```
+
+**In your main template, reference this module:**
+```bicep
+// Give the API access to Cosmos using a separate role assignment
+module apiCosmosRoleAssignment './app/cosmos-role-assignment.bicep' = {
+  name: 'api-cosmos-role'
+  scope: rg
+  params: {
+    cosmosAccountName: cosmos.outputs.accountName
+    apiPrincipalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
+  }
+}
+```
+
+### 4. Important Role Assignment Details
+
+**Use built-in role GUIDs, not custom role names:**
+- Cosmos DB Built-in Data Reader: `00000000-0000-0000-0000-000000000001`
+- Cosmos DB Built-in Data Contributor: `00000000-0000-0000-0000-000000000002`
+
+**Avoid these common mistakes:**
+- Using custom role definition names (like 'writer') instead of GUIDs
+- Creating standalone role assignment resources at subscription scope
+- Having circular dependencies between cosmos and API modules
+
+### 5. Verify Required Components Remain
+
+Ensure these components are preserved:
+- ✅ System-assigned managed identity for the API app service
+- ✅ `AZURE_COSMOS_ENDPOINT` environment variable for the API
+- ✅ Key Vault access policies for the API's managed identity (if using Key Vault)
+- ✅ Proper resource group scope for all resources
+
+### 6. Testing and Validation
+
+**Validate your changes:**
+1. Run `bicep build` on your templates to check for compilation errors
+2. Test deployment in a development environment
+3. Verify the application can authenticate using managed identity
+4. Confirm no connection string references remain in the template
+
+## Common Issues and Solutions
+
+### Issue: "Local authentication methods are not allowed"
+**Solution:** Ensure `disableLocalAuth: true` is set and no duplicate Cosmos DB deployments exist.
+
+### Issue: "Scope 'subscription' is not valid for this resource type"
+**Solution:** Use a module approach instead of standalone role assignment resources.
+
+### Issue: "SQL Role Definition name must be a GUID"
+**Solution:** Use built-in role GUIDs (`00000000-0000-0000-0000-000000000002`) instead of custom names.
+
+### Issue: Circular dependency errors
+**Solution:** Separate role assignment into its own module to break dependency cycles.
+
+## Final Checklist
+
+- [ ] Removed all connection string configuration parameters
+- [ ] Removed secretsExportConfiguration from Cosmos DB module
+- [ ] Added `disableLocalAuth: true` to Cosmos DB account
+- [ ] Created separate role assignment module using built-in role GUID
+- [ ] Removed connection string references from app settings
+- [ ] Verified no duplicate Cosmos DB module deployments exist
+- [ ] Ensured managed identity and Key Vault access are preserved
+- [ ] Tested template compilation and deployment
+
+## Application Code Requirements
+
+Your application code should already be using managed identity:
+
+```csharp
+var credential = new DefaultAzureCredential();
+var cosmosClient = new CosmosClient(builder.Configuration["AZURE_COSMOS_ENDPOINT"], credential, ...);
+```
+
+This approach uses the `AZURE_COSMOS_ENDPOINT` environment variable and managed identity instead of connection strings.

README.md

@@ -104,11 +104,11 @@ The Azure Developer CLI includes many other commands to help with your Azure dev
 
 ### Roles
 
-This template creates a [managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) for your app inside your Azure Active Directory tenant, and it is used to authenticate your app with Azure and other services that support Azure AD authentication like Key Vault via access policies. You will see principalId referenced in the infrastructure as code files, that refers to the id of the currently logged in Azure Developer CLI user, which will be granted access policies and permissions to run the application locally. To view your managed identity in the Azure Portal, follow these [steps](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-portal).
+This template creates a [managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) for your app inside your Azure Active Directory tenant, and it is used to authenticate your app with Azure and other services that support Azure AD authentication like Cosmos DB and Key Vault via access policies and role assignments. You will see principalId referenced in the infrastructure as code files, that refers to the id of the currently logged in Azure Developer CLI user, which will be granted access policies and permissions to run the application locally. To view your managed identity in the Azure Portal, follow these [steps](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-portal).
 
 ### Key Vault
 
-This template uses [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview) to securely store your Cosmos DB connection string for the provisioned Cosmos DB account. Key Vault is a cloud service for securely storing and accessing secrets (API keys, passwords, certificates, cryptographic keys) and makes it simple to give other Azure services access to them. As you continue developing your solution, you may add as many secrets to your Key Vault as you require.
+This template uses [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview) to securely store secrets such as Application Insights connection strings. Key Vault is a cloud service for securely storing and accessing secrets (API keys, passwords, certificates, cryptographic keys) and makes it simple to give other Azure services access to them. The application uses managed identity to authenticate with Cosmos DB directly, eliminating the need to store database connection strings. As you continue developing your solution, you may add as many secrets to your Key Vault as you require.
 
 ## Reporting Issues and Feedback
 

infra/app/cosmos-role-assignment.bicep

@@ -0,0 +1,13 @@
+param cosmosAccountName string
+param apiPrincipalId string
+
+// Create a role assignment for the API's managed identity to access Cosmos DB
+// Using the built-in "Cosmos DB Built-in Data Contributor" role
+resource apiCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
+  name: '${cosmosAccountName}/${guid(apiPrincipalId, cosmosAccountName, '00000000-0000-0000-0000-000000000002')}'
+  properties: {
+    roleDefinitionId: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
+    principalId: apiPrincipalId
+    scope: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
+  }
+}

infra/app/db-avm.bicep

@@ -1,9 +1,7 @@
 param accountName string
 param location string = resourceGroup().location
 param tags object = {}
-param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
 param databaseName string = ''
-param keyVaultResourceId string
 param principalId string = ''
 
 @allowed([
@@ -23,17 +21,15 @@ module cosmos 'br/public:avm/res/document-db/database-account:0.6.0' = {
     location: location
     tags: tags
     backupPolicyType: backupPolicyType
+    disableLocalAuth: true
     locations: [
       {
         failoverPriority: 0
         locationName: location
         isZoneRedundant: false
       }
     ]
-    secretsExportConfiguration:{
-      keyVaultResourceId: keyVaultResourceId
-      primaryWriteConnectionStringSecretName: connectionStringKey
-    }
+
     capabilitiesToAdd: [ 'EnableServerless' ] 
     automaticFailover: false
     sqlDatabases: [
@@ -52,15 +48,9 @@ module cosmos 'br/public:avm/res/document-db/database-account:0.6.0' = {
       }
     ] 
     sqlRoleAssignmentsPrincipalIds: [ principalId ]
-    sqlRoleDefinitions: [
-      {
-        name: 'writer'
-      }
-    ]
   }
 }
 
 output accountName string = cosmos.outputs.name
-output connectionStringKey string = connectionStringKey
 output databaseName string = actualDatabaseName
 output endpoint string = cosmos.outputs.endpoint

infra/main.bicep

@@ -74,7 +74,6 @@ module api './app/api-appservice-avm.bicep' = {
     }
     appSettings: {
       AZURE_KEY_VAULT_ENDPOINT: keyVault.outputs.uri
-      AZURE_COSMOS_CONNECTION_STRING_KEY: cosmos.outputs.connectionStringKey
       AZURE_COSMOS_DATABASE_NAME: cosmos.outputs.databaseName
       AZURE_COSMOS_ENDPOINT: cosmos.outputs.endpoint
       API_ALLOW_ORIGINS: web.outputs.SERVICE_WEB_URI
@@ -121,28 +120,22 @@ module cosmos './app/db-avm.bicep' = {
     accountName: !empty(cosmosAccountName) ? cosmosAccountName : '${abbrs.documentDBDatabaseAccounts}${resourceToken}'
     location: location
     tags: tags
-    keyVaultResourceId: keyVault.outputs.resourceId
     principalId: principalId
     backupPolicyType: 'Periodic'
   }
 }
 
-// Give the API the role to access Cosmos
-module apiCosmosSqlRoleAssign 'br/public:avm/res/document-db/database-account:0.5.5' = {
-  name: 'api-cosmos-access'
+// Give the API access to Cosmos using a separate role assignment
+module apiCosmosRoleAssignment './app/cosmos-role-assignment.bicep' = {
+  name: 'api-cosmos-role'
   scope: rg
   params: {
-    name: cosmos.outputs.accountName
-    location: location
-    sqlRoleAssignmentsPrincipalIds: [ api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID ]
-    sqlRoleDefinitions: [
-      {
-        name: 'writer'
-      }
-    ]
+    cosmosAccountName: cosmos.outputs.accountName
+    apiPrincipalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
   }
 }
 
+
 // Create an App Service Plan to group applications under the same payment plan and SKU
 module appServicePlan 'br/public:avm/res/web/serverfarm:0.1.1' = {
   name: 'appserviceplan'
@@ -237,7 +230,6 @@ module apimApi 'br/public:avm/ptn/azd/apim-api:0.1.0' = if (useAPIM) {
 
 // Data outputs
 output AZURE_COSMOS_ENDPOINT string = cosmos.outputs.endpoint
-output AZURE_COSMOS_CONNECTION_STRING_KEY string = cosmos.outputs.connectionStringKey
 output AZURE_COSMOS_DATABASE_NAME string = cosmos.outputs.databaseName
 
 // App outputs