Add support for managed identity in Azure Cosmos DB hosting component #7092
Conversation
| @@ -205,7 +156,7 @@ public static IResourceBuilder<AzureCosmosDBEmulatorResource> WithGatewayPort(th | |||
| /// <param name="builder">Builder for the Cosmos emulator container</param> | |||
| /// <param name="count">Desired partition count.</param> | |||
| /// <returns>Cosmos emulator resource builder.</returns> | |||
| /// <remarks>Not calling this method will result in the default of 25 partitions. The actual started partitions is always one more than specified. | |||
| /// <remarks>Not calling this method will result in the default of 10 partitions. The actual started partitions is always one more than specified. | |||
There was a problem hiding this comment.
11 (actual) is the default number of partitions when nothing is set, so updated to 10 since the actual is argument + 1
danmoseley
added
the
area-integrations
src/Components/Aspire.Microsoft.Azure.Cosmos/MicrosoftAzureCosmosSettings.cs
Outdated
Show resolved
Hide resolved
|
|
||
| internal EndpointReference EmulatorEndpoint => new(this, "emulator"); | ||
|
|
||
| /// <summary> | ||
| /// Gets the "connectionString" reference from the secret outputs of the Azure Cosmos DB resource. | ||
| /// | ||
| /// This is used when Entra ID authentication is used. The connection string is an output of the bicep template. | ||
| /// </summary> | ||
| public BicepSecretOutputReference ConnectionString => new("connectionString", this); |
There was a problem hiding this comment.
Isn't this supposed to be:
| public BicepSecretOutputReference ConnectionString => new("connectionString", this); | |
| public BicepOutputReference ConnectionString => new("connectionString", this); |
It's not a secret reference anymore - it is just a normal bicep output.
There was a problem hiding this comment.
That would be a breaking change. How do you suggest we deal with it?
There was a problem hiding this comment.
This is why I opt to not make things public unless we absolutely need to make them public.
I would suggest just making the breaking change, and document it. The fact that we are switching to managed identity by default is going to be an even bigger breaking change.
There was a problem hiding this comment.
This should be public for sure, we'll need to make this a reference expression.
There was a problem hiding this comment.
Actually, we can just expose another property
| namespace Aspire.Hosting.Azure.CosmosDB; | ||
|
|
||
| /// <summary> | ||
| /// This health check also creates default databases and containers for the Azure CosmosDB Emulator. |
There was a problem hiding this comment.
This feels like too much responsibility. Everytime we are checking for "health" we are rechecking all the dbs and containers.
I think it would be better if the health check was only a health check. And then we "waited" for it to be healthy and only ensure the db and containers are created once.
There was a problem hiding this comment.
The default health check is checking only one db and its containers (because its state is only for one db, I assume one could create more instances for other dbs). At least we could do the same, pick the first db.
But I did what you suggested at first, though this could introduce undesired effects that it's stated as healthy but we haven't created the db/containers yet. So while we are creating them other services could have started using them.
Another option would be to change the implementation to do like it does right now, but then store a bool and only check for the first db afterwards (not even the containers).
src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBEmulatorHealthCheck.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
| var healthCheckKey = $"{builder.Resource.Name}_check"; | ||
| builder.ApplicationBuilder.Services.AddHealthChecks().AddAzureCosmosDB(sp => |
There was a problem hiding this comment.
Do we still need a reference on AspNetCore.HealthChecks.CosmosDb if we aren't using it?
| var principalIdParameter = new ProvisioningParameter(AzureBicepResource.KnownParameters.PrincipalId, typeof(string)); | ||
| infrastructure.Add(principalIdParameter); | ||
|
|
||
| cosmosAccount.CreateRoleAssignment(CosmosDBBuiltInRole.DocumentDBAccountContributor, RoleManagementPrincipalType.ServicePrincipal, principalIdParameter); |
There was a problem hiding this comment.
Why isn't this generating a prinicpalType like all the other Azure integrations?
There was a problem hiding this comment.
The method to create the role on cosmos doesn't take any. It's working though, you think it must still be missing?
There was a problem hiding this comment.
Yes this should be a parameter, @tg-msft?
|
/azd run |
|
/azd run |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| internal BicepSecretOutputReference? ConnectionStringSecretOutput { get; set; } | ||
|
|
||
| [MemberNotNullWhen(true, nameof(ConnectionStringSecretOutput))] | ||
| internal bool UseAccessKeyAuthentication => ConnectionStringSecretOutput is not null; |
There was a problem hiding this comment.
Maybe this should be public too.
|
Do we want this to be a breaking change? |
At some point, yes. We want managed identity to be the default everywhere, and this is the last integration that still uses secrets by default. So the question in my mind is: "When do we want to make the breaking change?". I think now is a good time. But I can see an argument to wait until the next major version. |
# Conflicts: # playground/CosmosEndToEnd/CosmosEndToEnd.ApiService/Program.cs # playground/CosmosEndToEnd/CosmosEndToEnd.AppHost/Program.cs # src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBExtensions.cs # src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs # src/Aspire.Hosting.Azure.CosmosDB/PublicAPI.Unshipped.txt # tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Description
Fixes #3792
Checklist
<remarks />and<code />elements on your triple slash comments?breaking-changetemplate):doc-ideatemplate):