-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for managed identity in Azure Cosmos DB hosting component #7092
base: main
Are you sure you want to change the base?
Conversation
@@ -205,7 +156,7 @@ public static IResourceBuilder<AzureCosmosDBEmulatorResource> WithGatewayPort(th | |||
/// <param name="builder">Builder for the Cosmos emulator container</param> | |||
/// <param name="count">Desired partition count.</param> | |||
/// <returns>Cosmos emulator resource builder.</returns> | |||
/// <remarks>Not calling this method will result in the default of 25 partitions. The actual started partitions is always one more than specified. | |||
/// <remarks>Not calling this method will result in the default of 10 partitions. The actual started partitions is always one more than specified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
11 (actual) is the default number of partitions when nothing is set, so updated to 10 since the actual is argument + 1
src/Components/Aspire.Microsoft.Azure.Cosmos/MicrosoftAzureCosmosSettings.cs
Outdated
Show resolved
Hide resolved
|
||
internal EndpointReference EmulatorEndpoint => new(this, "emulator"); | ||
|
||
/// <summary> | ||
/// Gets the "connectionString" reference from the secret outputs of the Azure Cosmos DB resource. | ||
/// | ||
/// This is used when Entra ID authentication is used. The connection string is an output of the bicep template. | ||
/// </summary> | ||
public BicepSecretOutputReference ConnectionString => new("connectionString", this); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this supposed to be:
public BicepSecretOutputReference ConnectionString => new("connectionString", this); | |
public BicepOutputReference ConnectionString => new("connectionString", this); |
It's not a secret reference anymore - it is just a normal bicep output.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be a breaking change. How do you suggest we deal with it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is why I opt to not make things public unless we absolutely need to make them public.
I would suggest just making the breaking change, and document it. The fact that we are switching to managed identity by default is going to be an even bigger breaking change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be public for sure, we'll need to make this a reference expression.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, we can just expose another property
namespace Aspire.Hosting.Azure.CosmosDB; | ||
|
||
/// <summary> | ||
/// This health check also creates default databases and containers for the Azure CosmosDB Emulator. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feels like too much responsibility. Everytime we are checking for "health" we are rechecking all the dbs and containers.
I think it would be better if the health check was only a health check. And then we "waited" for it to be healthy and only ensure the db and containers are created once.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The default health check is checking only one db and its containers (because its state is only for one db, I assume one could create more instances for other dbs). At least we could do the same, pick the first db.
But I did what you suggested at first, though this could introduce undesired effects that it's stated as healthy but we haven't created the db/containers yet. So while we are creating them other services could have started using them.
Another option would be to change the implementation to do like it does right now, but then store a bool and only check for the first db afterwards (not even the containers).
src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBEmulatorHealthCheck.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Outdated
Show resolved
Hide resolved
var healthCheckKey = $"{builder.Resource.Name}_check"; | ||
builder.ApplicationBuilder.Services.AddHealthChecks().AddAzureCosmosDB(sp => |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we still need a reference on AspNetCore.HealthChecks.CosmosDb
if we aren't using it?
var principalIdParameter = new ProvisioningParameter(AzureBicepResource.KnownParameters.PrincipalId, typeof(string)); | ||
infrastructure.Add(principalIdParameter); | ||
|
||
cosmosAccount.CreateRoleAssignment(CosmosDBBuiltInRole.DocumentDBAccountContributor, RoleManagementPrincipalType.ServicePrincipal, principalIdParameter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why isn't this generating a prinicpalType like all the other Azure integrations?
aspire/src/Aspire.Hosting.Azure.AppConfiguration/AzureAppConfigurationExtensions.cs
Lines 38 to 43 in 882ae2b
var principalTypeParameter = new ProvisioningParameter(AzureBicepResource.KnownParameters.PrincipalType, typeof(string)); | |
infrastructure.Add(principalTypeParameter); | |
var principalIdParameter = new ProvisioningParameter(AzureBicepResource.KnownParameters.PrincipalId, typeof(string)); | |
infrastructure.Add(principalIdParameter); | |
infrastructure.Add(store.CreateRoleAssignment(AppConfigurationBuiltInRole.AppConfigurationDataOwner, principalTypeParameter, principalIdParameter)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The method to create the role on cosmos doesn't take any. It's working though, you think it must still be missing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this should be a parameter, @tg-msft?
/azd run |
/azd run |
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
internal BicepSecretOutputReference? ConnectionStringSecretOutput { get; set; } | ||
|
||
[MemberNotNullWhen(true, nameof(ConnectionStringSecretOutput))] | ||
internal bool UseAccessKeyAuthentication => ConnectionStringSecretOutput is not null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this should be public too.
Do we want this to be a breaking change? |
At some point, yes. We want managed identity to be the default everywhere, and this is the last integration that still uses secrets by default. So the question in my mind is: "When do we want to make the breaking change?". I think now is a good time. But I can see an argument to wait until the next major version. |
# Conflicts: # playground/CosmosEndToEnd/CosmosEndToEnd.ApiService/Program.cs # playground/CosmosEndToEnd/CosmosEndToEnd.AppHost/Program.cs # src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBExtensions.cs # src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs # src/Aspire.Hosting.Azure.CosmosDB/PublicAPI.Unshipped.txt # tests/Aspire.Hosting.Azure.Tests/AzureCosmosDBEmulatorFunctionalTests.cs
Description
Fixes #3792
Checklist
<remarks />
and<code />
elements on your triple slash comments?breaking-change
template):doc-idea
template):