Added new breaking changes docs

IEvangelist · IEvangelist · commit 0e54c3c6ac37 · 2025-04-02T15:16:49.000-05:00
diff --git a/docs/compatibility/9.2/generated-bicep-updates.md b/docs/compatibility/9.2/generated-bicep-updates.md
@@ -0,0 +1,62 @@
+---
+title: "Breaking change - Role Assignments separated from Azure resource bicep"
+description: "Learn about the breaking change in .NET Aspire 9.2 where role assignments are moved to separate bicep modules."
+ms.date: 4/2/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs-aspire/issues/2911
+---
+
+# Role Assignments separated from Azure resource bicep
+
+In .NET Aspire 9.2, role assignments for Azure resources are no longer included in the same bicep file as the resource. Instead, they're moved to separate bicep modules. This change affects how role assignments are customized during infrastructure configuration.
+
+## Version introduced
+
+.NET Aspire 9.2
+
+## Previous behavior
+
+Previously, when an Azure resource's bicep file was generated, default role assignments were included in the same bicep module as the resource. This allowed customization of role assignments in the `ConfigureInfrastructure` callback. For example:
+
+```csharp
+var storage = builder.AddAzureStorage("storage")
+    .ConfigureInfrastructure(infra =>
+    {
+        var roles = infra.GetProvisionableResources().OfType<RoleAssignment>().ToList();
+
+        foreach (var role in roles)
+        {
+            infra.Remove(role);
+        }
+
+        var storageAccount = infra.GetProvisionableResources().OfType<StorageAccount>().Single();
+        infra.Add(storageAccount.CreateRoleAssignment(StorageBuiltInRole.StorageBlobDataContributor, ...));
+    });
+```
+
+## New behavior
+
+Role assignments are now moved to their own bicep modules. The `ConfigureInfrastructure` callback no longer contains any `RoleAssignment` instances. Instead, role assignments are configured using the `WithRoleAssignments` API. For example:
+
+```csharp
+var storage = builder.AddAzureStorage("storage");
+
+builder.AddProject<Projects.AzureContainerApps_ApiService>("api")
+       .WithRoleAssignments(storage, StorageBuiltInRole.StorageBlobDataContributor);
+```
+
+## Type of breaking change
+
+This is a [behavioral change](../categories.md#behavioral-change).
+
+## Reason for change
+
+This change was necessary to implement the `WithRoleAssignments` APIs, which provide a more structured and flexible way to configure role assignments per application.
+
+## Recommended action
+
+To customize role assignments in .NET Aspire 9.2, use the `WithRoleAssignments` API instead of relying on the `ConfigureInfrastructure` callback. Update your code as shown in the [preceding example](#new-behavior).
+
+## Affected APIs
+
+- <xref:Aspire.Hosting.AzureProvisioningResourceExtensions.ConfigureInfrastructure``1(Aspire.Hosting.ApplicationModel.IResourceBuilder{``0},System.Action{Aspire.Hosting.Azure.AzureResourceInfrastructure})>
diff --git a/docs/compatibility/9.2/index.md b/docs/compatibility/9.2/index.md
@@ -2,7 +2,7 @@
 title: Breaking changes in .NET Aspire 9.2
 titleSuffix: ""
 description: Navigate to the breaking changes in .NET Aspire 9.2.
-ms.date: 03/25/2025
+ms.date: 04/02/2025
 ---
 
 # Breaking changes in .NET Aspire 9.2
@@ -18,6 +18,8 @@ If you're migrating an app to .NET Aspire 9.2, the breaking changes listed here
 
 | Title | Type of change | Introduced version |
 |--|--|--|
-| [WithCommand obsolete and new overload with CommandOptions](withcommand-obsolete.md) | Source incompatible | 9.2 |
-| [With authentication API creates keyvault resource in the app model](withauthentication-changes.md) | Behavioral change | 9.2 |
+| [AzureContainerApps infrastructure creates managed identity per container app](managed-identity-per-app.md) | Behavioral change | 9.2 |
 | [KeyVault default role assignment changing from KeyVaultAdministrator to KeyVaultSecretsUser](keyvault-role-assignment-changes.md) | Behavioral change | 9.2 |
+| [Role Assignments separated from Azure resource bicep](generated-bicep-updates.md) | Behavioral change | 9.2 |
+| [With authentication API creates keyvault resource in the app model](withauthentication-changes.md) | Behavioral change | 9.2 |
+| [WithCommand obsolete and new overload with CommandOptions](withcommand-obsolete.md) | Source incompatible | 9.2 |
diff --git a/docs/compatibility/9.2/managed-identity-per-app.md b/docs/compatibility/9.2/managed-identity-per-app.md
@@ -0,0 +1,52 @@
+---
+title: "Breaking change - AzureContainerApps infrastructure creates managed identity per container app"
+description: "Learn about the breaking change in .NET Aspire 9.2 where each ContainerApp now has its own managed identity."
+ms.date: 4/2/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs-aspire/issues/2914
+---
+
+# Azure Container Apps managed identity changes
+
+Starting with .NET Aspire 9.2, each Azure Container App created using [📦 Aspire.Hosting.Azure.AppContainers](https://www.nuget.org/packages/Aspire.Hosting.Azure.AppContainers) NuGet package now has its own Azure Managed Identity. This change enables more granular role assignments for Azure resources but might require updates to applications that rely on shared managed identities.
+
+## Version introduced
+
+.NET Aspire 9.2
+
+## Previous behavior
+
+All ContainerApps shared a single Azure Managed Identity. This allowed applications to interact with Azure resources using a common identity.
+
+## New behavior
+
+Each ContainerApp now has its own unique Azure Managed Identity. This enables applications to have distinct role assignments for different Azure resources.
+
+## Type of breaking change
+
+This is a [behavioral change](../categories.md#behavioral-change).
+
+## Reason for change
+
+This change was introduced to support scenarios where applications require different role assignments for different Azure resources. By assigning a unique managed identity to each ContainerApp, applications can now operate with more granular access control.
+
+## Recommended action
+
+### Azure SQL Server
+
+Grant access to all Azure Managed Identities that need to interact with the database. Follow the guidance in [Configure and manage Azure AD authentication with Azure SQL](https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure).
+
+### Azure PostgreSQL
+
+Grant necessary privileges to all Azure Managed Identities that need to interact with the database. Use the PostgreSQL documentation on [granting privileges](https://www.postgresql.org/docs/current/ddl-priv.html) as a reference. For example:
+
+```sql
+GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO <managed_identity_user>;
+```
+
+## Affected APIs
+
+- `Aspire.Hosting.AzureContainerAppExtensions.AddAzureContainerAppsInfrastructure`
+- `Aspire.Hosting.AzureContainerAppProjectExtensions.PublishAsAzureContainerApp`
+- `Aspire.Hosting.AzureContainerAppExecutableExtensions.PublishAsAzureContainerApp`
+- `Aspire.Hosting.AzureContainerAppContainerExtensions.PublishAsAzureContainerApp`
diff --git a/docs/compatibility/toc.yml b/docs/compatibility/toc.yml
@@ -13,12 +13,17 @@ items:
   - name: Breaking changes in 9.2
     expanded: true
     items:
-    - name: WithCommand obsolete, use new overload
-      href: 9.2/withcommand-obsolete.md
-    - name: With authentication APIs include semantic changes
-      href: 9.2/withauthentication-changes.md
+    - name: Azure Container Apps managed identity changes
+      href: 9.2/managed-identity-per-app.md
     - name: KeyVault default role assignment changes
       href: 9.2/keyvault-role-assignment-changes.md
+    - name: Role Assignments is separate bicep
+      href: 9.2/generated-bicep-updates.md
+    - name: With authentication APIs include semantic changes
+      href: 9.2/withauthentication-changes.md
+    - name: WithCommand obsolete, use new overload
+      href: 9.2/withcommand-obsolete.md
+
 - name: .NET Aspire 9.1
   expanded: false
   items:
