Updated configuring app settings for app services (#206)

Author: xenobiasoft

Sudoku.sln

@@ -1,4 +1,5 @@
-Microsoft Visual Studio Solution File, Format Version 12.00
+
+Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 18
 VisualStudioVersion = 18.0.11222.15
 MinimumVisualStudioVersion = 10.0.40219.1
@@ -42,6 +43,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "modules", "modules", "{F2DF
 		infra\modules\hostname.bicep = infra\modules\hostname.bicep
 		infra\modules\keyvault.bicep = infra\modules\keyvault.bicep
 		infra\modules\monitoring.bicep = infra\modules\monitoring.bicep
+		infra\modules\roleassignments.bicep = infra\modules\roleassignments.bicep
 		infra\modules\ssl.bicep = infra\modules\ssl.bicep
 		infra\modules\storage.bicep = infra\modules\storage.bicep
 	EndProjectSection

infra/main.bicep

@@ -132,9 +132,23 @@ module compute 'modules/compute.bicep' = {
     customDomainName: customDomainName
     enableCustomDomain: enableCustomDomain
     appInsightsConnectionString: monitoring.outputs.appInsightsConnectionString
+    keyVaultUri: keyvault.outputs.keyVaultUri
+    cosmosDbEndpoint: storage.outputs.cosmosDbEndpoint
   }
 }
 
+module roleassignments 'modules/roleassignments.bicep' = {
+  name: 'roleassignments'
+  params: {
+    webAppPrincipalId: compute.outputs.webAppPrincipalId
+    apiAppPrincipalId: compute.outputs.apiAppPrincipalId
+    keyVaultName: keyVaultName
+    cosmosDbAccountName: cosmosDbAccountName
+    appConfigName: appConfigName
+  }
+  dependsOn: [storage, keyvault, appconfig]
+}
+
 // Step 1: Bind the custom hostname to the web app (no SSL yet).
 // The managed certificate cannot be created until the hostname is bound.
 module hostname 'modules/hostname.bicep' = if (enableCustomDomain) {

infra/modules/compute.bicep

@@ -7,6 +7,8 @@ param appServicePlanSku string = 'B1'
 param customDomainName string = 'sudoku.xenobiasoft.com'
 param enableCustomDomain bool = false
 param appInsightsConnectionString string
+param keyVaultUri string
+param cosmosDbEndpoint string
 
 var corsAllowedOrigins = enableCustomDomain ? [
   'https://${customDomainName}'
@@ -113,6 +115,7 @@ resource webAppSettings 'Microsoft.Web/sites/config@2023-12-01' = {
   properties: {
     APPLICATIONINSIGHTS_CONNECTION_STRING: appInsightsConnectionString
     ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
+    'ConnectionStrings__AzureKeyVault': keyVaultUri
   }
 }
 
@@ -179,6 +182,9 @@ resource apiAppSettings 'Microsoft.Web/sites/config@2023-12-01' = {
   properties: {
     APPLICATIONINSIGHTS_CONNECTION_STRING: appInsightsConnectionString
     ApplicationInsightsAgent_EXTENSION_VERSION: '~3'
+    'ConnectionStrings__AzureKeyVault': keyVaultUri
+    'CosmosDb__UseManagedIdentity': 'true'
+    'CosmosDb__AccountEndpoint': cosmosDbEndpoint
   }
 }
 

infra/modules/roleassignments.bicep

@@ -0,0 +1,95 @@
+param webAppPrincipalId string
+param apiAppPrincipalId string
+param keyVaultName string
+param cosmosDbAccountName string
+param appConfigName string
+
+// ---------------------------------------------------------------------------
+// Role definition IDs (built-in)
+// ---------------------------------------------------------------------------
+
+var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e0'
+var appConfigDataReaderRoleId = '516239f1-63e1-4d78-a4de-a74fb236a071'
+
+// Cosmos DB Built-in Data Contributor is a Cosmos DB SQL role, not a standard
+// Azure RBAC role — its ID is a well-known constant.
+var cosmosBuiltinDataContributorRoleId = '00000000-0000-0000-0000-000000000002'
+
+// ---------------------------------------------------------------------------
+// Existing resource references
+// ---------------------------------------------------------------------------
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
+  name: cosmosDbAccountName
+}
+
+resource appConfigStore 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigName
+}
+
+// ---------------------------------------------------------------------------
+// Key Vault — Secrets User for both apps
+// ---------------------------------------------------------------------------
+
+resource webAppKeyVaultRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(webAppPrincipalId, keyVaultSecretsUserRoleId, keyVault.id)
+  scope: keyVault
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
+    principalId: webAppPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+resource apiAppKeyVaultRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(apiAppPrincipalId, keyVaultSecretsUserRoleId, keyVault.id)
+  scope: keyVault
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
+    principalId: apiAppPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+// ---------------------------------------------------------------------------
+// App Configuration — Data Reader for both apps
+// ---------------------------------------------------------------------------
+
+resource webAppConfigRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(webAppPrincipalId, appConfigDataReaderRoleId, appConfigStore.id)
+  scope: appConfigStore
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', appConfigDataReaderRoleId)
+    principalId: webAppPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+resource apiAppConfigRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(apiAppPrincipalId, appConfigDataReaderRoleId, appConfigStore.id)
+  scope: appConfigStore
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', appConfigDataReaderRoleId)
+    principalId: apiAppPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Cosmos DB — Built-in Data Contributor for API only
+// (Blazor is a frontend and talks to the API via HTTP, not Cosmos DB directly)
+// ---------------------------------------------------------------------------
+
+resource apiCosmosRole 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
+  parent: cosmosDbAccount
+  name: guid(apiAppPrincipalId, cosmosDbAccount.id, cosmosBuiltinDataContributorRoleId)
+  properties: {
+    roleDefinitionId: '${cosmosDbAccount.id}/sqlRoleDefinitions/${cosmosBuiltinDataContributorRoleId}'
+    principalId: apiAppPrincipalId
+    scope: '/'
+  }
+}

scripts/set-app-config.sh

@@ -48,6 +48,7 @@ set_key "CosmosDb:DatabaseName"         "sudoku"
 set_key "CosmosDb:ContainerName"        "games"
 set_key "CosmosDb:UseManagedIdentity"   "true"
 set_key "CosmosDb:AccountEndpoint"      "https://cosmos-sudoku-prod.documents.azure.com:443/"
+set_key "CosmosDb:ConnectionMode"       "Direct"
 
 # -----------------------------------------------------------------------------
 # Azure Storage

src/backend/Sudoku.Infrastructure/Configuration/CosmosDbOptions.cs

@@ -1,3 +1,5 @@
+using Microsoft.Azure.Cosmos;
+
 namespace Sudoku.Infrastructure.Configuration;
 
 public class CosmosDbOptions
@@ -9,4 +11,5 @@ public class CosmosDbOptions
     public bool DisableSslValidation { get; set; }
     public bool UseManagedIdentity { get; set; }
     public string? AccountEndpoint { get; set; }
+    public ConnectionMode ConnectionMode { get; set; } = ConnectionMode.Gateway;
 }

src/backend/Sudoku.Infrastructure/Configuration/InfrastructureServiceCollectionExtensions.cs

@@ -47,7 +47,7 @@ private IServiceCollection AddCosmosDbServices(IConfiguration configuration)
 
                 var clientOptions = new CosmosClientOptions
                 {
-                    ConnectionMode = ConnectionMode.Direct,
+                    ConnectionMode = cosmosDbOptions?.ConnectionMode ?? ConnectionMode.Gateway,
                     RequestTimeout = TimeSpan.FromSeconds(30),
                     MaxRetryAttemptsOnRateLimitedRequests = 3,
                     MaxRetryWaitTimeOnRateLimitedRequests = TimeSpan.FromSeconds(15)