Merge branch 'main' into jr/upstream-main/142-certs-kv-error

Author: jonnyry

CHANGELOG.md

@@ -18,6 +18,7 @@ ENHANCEMENTS:
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
 * Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
 
 COMPONENTS:
 

api_app/_version.py

@@ -1 +1 @@
-__version__ = "0.21.0"
+__version__ = "0.21.1"

api_app/api/dependencies/database.py

@@ -1,7 +1,6 @@
 from azure.cosmos.aio import CosmosClient, DatabaseProxy, ContainerProxy
-from azure.mgmt.cosmosdb.aio import CosmosDBManagementClient
 
-from core.config import MANAGED_IDENTITY_CLIENT_ID, STATE_STORE_ENDPOINT, STATE_STORE_KEY, STATE_STORE_SSL_VERIFY, SUBSCRIPTION_ID, RESOURCE_MANAGER_ENDPOINT, CREDENTIAL_SCOPES, RESOURCE_GROUP_NAME, COSMOSDB_ACCOUNT_NAME, STATE_STORE_DATABASE
+from core.config import STATE_STORE_ENDPOINT, STATE_STORE_KEY, STATE_STORE_SSL_VERIFY, STATE_STORE_DATABASE
 from core.credentials import get_credential_async
 from services.logging import logger
 
@@ -27,53 +26,32 @@ def __init__(cls):
     async def _connect_to_db(cls) -> CosmosClient:
         logger.debug(f"Connecting to {STATE_STORE_ENDPOINT}")
 
-        credential = await get_credential_async()
-        if MANAGED_IDENTITY_CLIENT_ID:
-            logger.debug("Connecting with managed identity")
-            cosmos_client = CosmosClient(
-                url=STATE_STORE_ENDPOINT,
-                credential=credential
-            )
-        else:
+        if STATE_STORE_KEY:
             logger.debug("Connecting with key")
-            primary_master_key = await cls._get_store_key(credential)
-
             if STATE_STORE_SSL_VERIFY:
                 logger.debug("Connecting with SSL verification")
                 cosmos_client = CosmosClient(
                     url=STATE_STORE_ENDPOINT,
-                    credential=primary_master_key
+                    credential=STATE_STORE_KEY
                 )
             else:
                 logger.debug("Connecting without SSL verification")
                 # ignore TLS (setup is a pain) when using local Cosmos emulator.
                 cosmos_client = CosmosClient(
                     url=STATE_STORE_ENDPOINT,
-                    credential=primary_master_key,
+                    credential=STATE_STORE_KEY,
                     connection_verify=False
                 )
-        logger.debug("Connection established")
-        return cosmos_client
-
-    @classmethod
-    async def _get_store_key(cls, credential) -> str:
-        logger.debug("Getting store key")
-        if STATE_STORE_KEY:
-            primary_master_key = STATE_STORE_KEY
         else:
-            async with CosmosDBManagementClient(
-                credential,
-                subscription_id=SUBSCRIPTION_ID,
-                base_url=RESOURCE_MANAGER_ENDPOINT,
-                credential_scopes=CREDENTIAL_SCOPES
-            ) as cosmosdb_mng_client:
-                database_keys = await cosmosdb_mng_client.database_accounts.list_keys(
-                    resource_group_name=RESOURCE_GROUP_NAME,
-                    account_name=COSMOSDB_ACCOUNT_NAME,
-                )
-                primary_master_key = database_keys.primary_master_key
+            logger.debug("Connecting with managed identity")
+            credential = await get_credential_async()
+            cosmos_client = CosmosClient(
+                url=STATE_STORE_ENDPOINT,
+                credential=credential
+            )
 
-        return primary_master_key
+        logger.debug("Connection established")
+        return cosmos_client
 
     @classmethod
     async def get_container_proxy(cls, container_name) -> ContainerProxy:

api_app/tests_ma/conftest.py

@@ -578,7 +578,6 @@ def simple_pipeline_step() -> PipelineStep:
 @pytest_asyncio.fixture(autouse=True)
 async def no_database():
     with patch('api.dependencies.database.get_credential_async', return_value=AsyncMock()), \
-         patch('api.dependencies.database.CosmosDBManagementClient', return_value=AsyncMock()), \
-         patch('api.dependencies.database.CosmosClient', return_value=AsyncMock(spec=CosmosClient)) as cosmos_client_mock:
+            patch('api.dependencies.database.CosmosClient', return_value=AsyncMock(spec=CosmosClient)) as cosmos_client_mock:
         cosmos_client_mock.return_value.get_database_client.return_value = AsyncMock(spec=DatabaseProxy)
         yield Database()

devops/scripts/setup_local_debugging.sh

@@ -91,6 +91,19 @@ az role assignment create \
     --assignee "${LOGGED_IN_OBJECT_ID}" \
     --scope "${STATE_STORE_RESOURCE_ID}"
 
+ROLE_DEFINITION_ID=$(az cosmosdb sql role definition list \
+    --resource-group "${RESOURCE_GROUP_NAME}" \
+    --account-name "${COSMOSDB_ACCOUNT_NAME}" \
+    --query "[?roleName=='Cosmos DB Built-in Data Contributor'].id" \
+    --output tsv)
+
+az cosmosdb sql role assignment create \
+    --resource-group "${RESOURCE_GROUP_NAME}" \
+    --account-name "${COSMOSDB_ACCOUNT_NAME}" \
+    --role-definition-id "${ROLE_DEFINITION_ID}" \
+    --principal-id "${LOGGED_IN_OBJECT_ID}" \
+    --scope "${STATE_STORE_RESOURCE_ID}"
+
 az role assignment create \
     --role "Contributor" \
     --assignee "${LOGGED_IN_OBJECT_ID}" \