Add support for managed identity in Azure Cosmos DB hosting component (…

…#7092)

Directory.Packages.props

@@ -25,7 +25,7 @@
     <PackageVersion Include="Azure.Storage.Blobs" Version="12.23.0" />
     <PackageVersion Include="Azure.Storage.Queues" Version="12.21.0" />
     <PackageVersion Include="Microsoft.Azure.AppConfiguration.AspNetCore" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Azure.Cosmos" Version="3.45.0" />
+    <PackageVersion Include="Microsoft.Azure.Cosmos" Version="3.46.1" />
     <PackageVersion Include="Microsoft.Azure.SignalR" Version="1.29.0" />
     <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.8.0" />
     <!-- Azure Management SDK for .NET dependencies -->
@@ -56,7 +56,7 @@
     <PackageVersion Include="AspNetCore.HealthChecks.Azure.Storage.Blobs" Version="8.0.1" />
     <PackageVersion Include="AspNetCore.HealthChecks.Azure.Storage.Queues" Version="8.0.1" />
     <PackageVersion Include="AspNetCore.HealthChecks.AzureServiceBus" Version="8.0.1" />
-    <PackageVersion Include="AspNetCore.HealthChecks.CosmosDb" Version="8.0.1" />
+    <PackageVersion Include="AspNetCore.HealthChecks.CosmosDb" Version="9.0.0" />
     <PackageVersion Include="AspNetCore.HealthChecks.Kafka" Version="8.0.1" />
     <PackageVersion Include="AspNetCore.HealthChecks.MongoDb" Version="9.0.0" />
     <PackageVersion Include="AspNetCore.HealthChecks.MySql" Version="8.0.1" />

playground/AzureContainerApps/AzureContainerApps.AppHost/Program.cs

@@ -19,7 +19,7 @@
 // Testing secret outputs
 var cosmosDb = builder.AddAzureCosmosDB("account")
                       .RunAsEmulator(c => c.WithLifetime(ContainerLifetime.Persistent))
-                      .AddDatabase("db");
+                      .WithDatabase("db");
 
 // Testing a connection string
 var blobs = builder.AddAzureStorage("storage")

playground/AzureContainerApps/AzureContainerApps.AppHost/account.module.bicep

@@ -1,11 +1,9 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
-param keyVaultName string
+param principalType string
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: keyVaultName
-}
+param principalId string
 
 resource account 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
   name: take('account-${uniqueString(resourceGroup().id)}', 44)
@@ -21,6 +19,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
       defaultConsistencyLevel: 'Session'
     }
     databaseAccountOfferType: 'Standard'
+    disableLocalAuth: true
   }
   kind: 'GlobalDocumentDB'
   tags: {
@@ -39,10 +38,4 @@ resource db 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-08-15' = {
   parent: account
 }
 
-resource connectionString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
-  name: 'connectionString'
-  properties: {
-    value: 'AccountEndpoint=${account.properties.documentEndpoint};AccountKey=${account.listKeys().primaryMasterKey}'
-  }
-  parent: keyVault
-}
+output connectionString string = account.properties.documentEndpoint

playground/AzureContainerApps/AzureContainerApps.AppHost/api.module.bicep

@@ -5,13 +5,13 @@ param api_containerport string
 
 param storage_outputs_blobendpoint string
 
-param account_secretoutputs string
-
-param outputs_azure_container_registry_managed_identity_id string
+param account_outputs_connectionstring string
 
 @secure()
 param secretparam_value string
 
+param outputs_azure_container_registry_managed_identity_id string
+
 param outputs_managed_identity_client_id string
 
 param outputs_azure_container_apps_environment_id string
@@ -24,26 +24,12 @@ param certificateName string
 
 param customDomain string
 
-resource account_secretoutputs_kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: account_secretoutputs
-}
-
-resource account_secretoutputs_kv_connectionString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' existing = {
-  name: 'connectionString'
-  parent: account_secretoutputs_kv
-}
-
 resource api 'Microsoft.App/containerApps@2024-03-01' = {
   name: 'api'
   location: location
   properties: {
     configuration: {
       secrets: [
-        {
-          name: 'connectionstrings--account'
-          identity: outputs_azure_container_registry_managed_identity_id
-          keyVaultUrl: account_secretoutputs_kv_connectionString.properties.secretUri
-        }
         {
           name: 'value'
           value: secretparam_value
@@ -106,7 +92,7 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
             }
             {
               name: 'ConnectionStrings__account'
-              secretRef: 'connectionstrings--account'
+              value: account_outputs_connectionstring
             }
             {
               name: 'VALUE'

playground/AzureContainerApps/AzureContainerApps.AppHost/aspire-manifest.json

@@ -66,10 +66,11 @@
     },
     "account": {
       "type": "azure.bicep.v0",
-      "connectionString": "{account.secretOutputs.connectionString}",
+      "connectionString": "{account.outputs.connectionString}",
       "path": "account.module.bicep",
       "params": {
-        "keyVaultName": ""
+        "principalType": "",
+        "principalId": ""
       }
     },
     "storage": {
@@ -111,9 +112,9 @@
         "params": {
           "api_containerport": "{api.containerPort}",
           "storage_outputs_blobendpoint": "{storage.outputs.blobEndpoint}",
-          "account_secretoutputs": "{account.secretOutputs}",
-          "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
+          "account_outputs_connectionstring": "{account.outputs.connectionString}",
           "secretparam_value": "{secretparam.value}",
+          "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
           "outputs_managed_identity_client_id": "{.outputs.MANAGED_IDENTITY_CLIENT_ID}",
           "outputs_azure_container_apps_environment_id": "{.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID}",
           "outputs_azure_container_registry_endpoint": "{.outputs.AZURE_CONTAINER_REGISTRY_ENDPOINT}",

playground/CosmosEndToEnd/CosmosEndToEnd.ApiService/Program.cs

@@ -19,8 +19,8 @@
 app.MapDefaultEndpoints();
 app.MapGet("/", async (CosmosClient cosmosClient) =>
 {
-    var db = (await cosmosClient.CreateDatabaseIfNotExistsAsync("db")).Database;
-    var container = (await db.CreateContainerIfNotExistsAsync("entries", "/id")).Container;
+    var db = cosmosClient.GetDatabase("db");
+    var container = db.GetContainer("entries");
 
     // Add an entry to the database on each request.
     var newEntry = new Entry() { Id = Guid.NewGuid().ToString() };

playground/CosmosEndToEnd/CosmosEndToEnd.AppHost/Program.cs

@@ -5,7 +5,7 @@
 
 #pragma warning disable ASPIRECOSMOS001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
 var db = builder.AddAzureCosmosDB("cosmos")
-                .AddDatabase("db")
+                .WithDatabase("db", database => database.Containers.Add(new("entries", "/Id")))
                 .RunAsPreviewEmulator(e => e.WithDataExplorer());
 #pragma warning restore ASPIRECOSMOS001 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
 

playground/CosmosEndToEnd/CosmosEndToEnd.AppHost/aspire-manifest.json

@@ -3,10 +3,11 @@
   "resources": {
     "cosmos": {
       "type": "azure.bicep.v0",
-      "connectionString": "{cosmos.secretOutputs.connectionString}",
+      "connectionString": "{cosmos.outputs.connectionString}",
       "path": "cosmos.module.bicep",
       "params": {
-        "keyVaultName": ""
+        "principalType": "",
+        "principalId": ""
       }
     },
     "api": {

playground/CosmosEndToEnd/CosmosEndToEnd.AppHost/cosmos.module.bicep

@@ -1,11 +1,9 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
-param keyVaultName string
+param principalType string
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: keyVaultName
-}
+param principalId string
 
 resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
   name: take('cosmos-${uniqueString(resourceGroup().id)}', 44)
@@ -21,6 +19,7 @@ resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
       defaultConsistencyLevel: 'Session'
     }
     databaseAccountOfferType: 'Standard'
+    disableLocalAuth: true
   }
   kind: 'GlobalDocumentDB'
   tags: {
@@ -39,10 +38,20 @@ resource db 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-08-15' = {
   parent: cosmos
 }
 
-resource connectionString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
-  name: 'connectionString'
+resource entries 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-08-15' = {
+  name: 'entries'
+  location: location
   properties: {
-    value: 'AccountEndpoint=${cosmos.properties.documentEndpoint};AccountKey=${cosmos.listKeys().primaryMasterKey}'
+    resource: {
+      id: 'entries'
+      partitionKey: {
+        paths: [
+          '/Id'
+        ]
+      }
+    }
   }
-  parent: keyVault
-}
+  parent: db
+}
+
+output connectionString string = cosmos.properties.documentEndpoint

playground/bicep/BicepSample.AppHost/Program.cs

@@ -42,7 +42,7 @@
                 .AddDatabase("db2");
 
 var cosmosDb = builder.AddAzureCosmosDB("cosmos")
-                      .AddDatabase("db3");
+                      .WithDatabase("db3");
 
 var logAnalytics = builder.AddAzureLogAnalyticsWorkspace("lawkspc");
 var appInsights = builder.AddAzureApplicationInsights("ai", logAnalytics);

playground/bicep/BicepSample.AppHost/aspire-manifest.json

@@ -113,10 +113,11 @@
     },
     "cosmos": {
       "type": "azure.bicep.v0",
-      "connectionString": "{cosmos.secretOutputs.connectionString}",
+      "connectionString": "{cosmos.outputs.connectionString}",
       "path": "cosmos.module.bicep",
       "params": {
-        "keyVaultName": ""
+        "principalType": "",
+        "principalId": ""
       }
     },
     "lawkspc": {

playground/bicep/BicepSample.AppHost/cosmos.module.bicep

@@ -1,11 +1,9 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
-param keyVaultName string
+param principalType string
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: keyVaultName
-}
+param principalId string
 
 resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
   name: take('cosmos-${uniqueString(resourceGroup().id)}', 44)
@@ -21,6 +19,7 @@ resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
       defaultConsistencyLevel: 'Session'
     }
     databaseAccountOfferType: 'Standard'
+    disableLocalAuth: true
   }
   kind: 'GlobalDocumentDB'
   tags: {
@@ -39,10 +38,4 @@ resource db3 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-08-15' = {
   parent: cosmos
 }
 
-resource connectionString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
-  name: 'connectionString'
-  properties: {
-    value: 'AccountEndpoint=${cosmos.properties.documentEndpoint};AccountKey=${cosmos.listKeys().primaryMasterKey}'
-  }
-  parent: keyVault
-}
+output connectionString string = cosmos.properties.documentEndpoint

playground/cdk/CdkSample.AppHost/Program.cs

@@ -9,7 +9,7 @@
 
 var builder = DistributedApplication.CreateBuilder(args);
 
-var cosmosdb = builder.AddAzureCosmosDB("cosmos").AddDatabase("cosmosdb");
+var cosmosdb = builder.AddAzureCosmosDB("cosmos").WithDatabase("cosmosdb");
 
 var sku = builder.AddParameter("storagesku");
 var locationOverride = builder.AddParameter("locationOverride");

playground/cdk/CdkSample.AppHost/aspire-manifest.json

@@ -3,10 +3,11 @@
   "resources": {
     "cosmos": {
       "type": "azure.bicep.v0",
-      "connectionString": "{cosmos.secretOutputs.connectionString}",
+      "connectionString": "{cosmos.outputs.connectionString}",
       "path": "cosmos.module.bicep",
       "params": {
-        "keyVaultName": ""
+        "principalType": "",
+        "principalId": ""
       }
     },
     "storagesku": {

playground/cdk/CdkSample.AppHost/cosmos.module.bicep

@@ -1,11 +1,9 @@
 @description('The location for the resource(s) to be deployed.')
 param location string = resourceGroup().location
 
-param keyVaultName string
+param principalType string
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: keyVaultName
-}
+param principalId string
 
 resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
   name: take('cosmos-${uniqueString(resourceGroup().id)}', 44)
@@ -21,6 +19,7 @@ resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-08-15' = {
       defaultConsistencyLevel: 'Session'
     }
     databaseAccountOfferType: 'Standard'
+    disableLocalAuth: true
   }
   kind: 'GlobalDocumentDB'
   tags: {
@@ -39,10 +38,4 @@ resource cosmosdb 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-08-15
   parent: cosmos
 }
 
-resource connectionString 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
-  name: 'connectionString'
-  properties: {
-    value: 'AccountEndpoint=${cosmos.properties.documentEndpoint};AccountKey=${cosmos.listKeys().primaryMasterKey}'
-  }
-  parent: keyVault
-}
+output connectionString string = cosmos.properties.documentEndpoint

src/Aspire.Hosting.Azure.CosmosDB/Aspire.Hosting.Azure.CosmosDB.csproj

@@ -20,7 +20,8 @@
   <ItemGroup>
     <ProjectReference Include="..\Aspire.Hosting.Azure\Aspire.Hosting.Azure.csproj" />
     <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="AspNetCore.HealthChecks.CosmosDb" />
+    <PackageReference Include="Microsoft.Azure.Cosmos" />
+    <PackageReference Include="Newtonsoft.Json" /> <!-- Required by Microsoft.Azure.Cosmos -->
     <PackageReference Include="Azure.Provisioning" />
     <PackageReference Include="Azure.Provisioning.CosmosDB" />
   </ItemGroup>

src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBEmulatorConnectionString.cs

@@ -2,7 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using Aspire.Hosting.ApplicationModel;
-using Aspire.Hosting.Azure.Cosmos;
+using Aspire.Hosting.Azure.CosmosDB;
 
 namespace Aspire.Hosting.Azure;