Support CosmosDB and Redis role assignments on app specific managed identity #8140
Conversation
eerhardt
requested review from
captainsafia,
Copilot and
davidfowl
and removed request for
Copilot
github-actions
bot
added
the
area-integrations
…dentity We currently don't support an easy API for modifying the role assignments on database resources. There are no role types that can be used from the Azure.Provisioning libraries today. So for now we will just move our existing role assignments to the ACA roles bicep module. To support database resources, we add a new annotation "RoleAssignmentCustomizationAnnotation" which contains a callback that the resource can implement to inject the role assignment objects into the Azure bicep infrastructure. Contributes to dotnet#6161
Fix dotnet#8142 Also fix tests for new behavior
eerhardt
force-pushed
the
AzureDatabaseRoleAssignments2
branch
from
b356d30 to
a1caca5
Compare
… role assignments to applied role assignments even when empty. Add test to ensure. - Update playground manifests - Fix tests
This works around an issue with CosmosDB where creating a managed identity and assigning a CosmosDB role assignment in the same bicep module fails.
captainsafia
left a comment
captainsafia
left a comment
There was a problem hiding this comment.
This looks good given the gnarliness you had to work around with the way role assignments are managed for these resource types.
src/Aspire.Hosting.Azure/RoleAssignmentCustomizationAnnotation.cs
Outdated
Show resolved
Hide resolved
src/Aspire.Hosting.Azure/RoleAssignmentCustomizationAnnotation.cs
Outdated
Show resolved
Hide resolved
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppsInfrastructure.cs
Outdated
Show resolved
Hide resolved
fill out XML docs
|
@davidfowl @captainsafia - I believe this is now ready for review. |
captainsafia
left a comment
captainsafia
left a comment
There was a problem hiding this comment.
LGTM! Reads much easier than the annotations-based implementation. 😅
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppsInfrastructure.cs
Show resolved
Hide resolved
| var resource = new AzureCosmosDBResource(name, ConfigureCosmosDBInfrastructure); | ||
| return builder.AddResource(resource); | ||
| return builder.AddResource(resource) | ||
| .WithAnnotation(new DefaultRoleAssignmentsAnnotation(new HashSet<RoleDefinition>())); |
There was a problem hiding this comment.
What does an empty DefaultRoleAssignmentsAnnotation actually help us achieve here? This is just here to pass through to AppliedRoleAssignmentsAnnotation in the non-ACA scenario, right?
There was a problem hiding this comment.
This is one part that I'm not super excited about, and would like some feedback on.
This is just here to pass through to AppliedRoleAssignmentsAnnotation in the non-ACA scenario, right?
No, this works for both ACA and non-ACA.
- You're right that in non-ACA scenarios this turns into an AppliedRoleAssignmentsAnnotation, which will inject the contributor role into the cosmos resource's bicep.
- In ACA scenarios, the AzureResourcePreparer will copy the DefaultRoleAssignmentsAnnotation to a regular (empty)
RoleAssignmentAnnotation, which will cause the role to be written to the role bicep file.
One thought I had was to make up a "fake" contributor/admin RoleDefinition with a random Guid, and check for that in both places. But just having the empty one serves the purposes I need it to.
Thoughts?
There was a problem hiding this comment.
In ACA scenarios, the AzureResourcePreparer will copy the DefaultRoleAssignmentsAnnotation to a regular (empty) RoleAssignmentAnnotation, which will cause the role to be written to the role bicep file.
Ah, I see where this happens.
Thoughts?
IMO, an empty one feels better than a fake role assignment. We clarified in an offline discussion why we need DefaultRoleAssignments vs RoleAssignment here.
src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppsInfrastructure.cs
Show resolved
Hide resolved
|
Merging now because this change and #8171 will conflict. So merging will help avoid conflicts now. I address the above feedback in Follow up on database role assignments (dotnet/aspire#8212) |
Adding role assignment support for PostgreSQL following the pattern set in dotnet#8140 Contributes to dotnet#6161
Conflicts between dotnet#8140 and dotnet#8182
Respond to feedback from dotnet#8140
Respond to feedback from #8140
Adding role assignment support for PostgreSQL following the pattern set in dotnet#8140 Contributes to dotnet#6161
…tity Adding role assignment support for PostgreSQL following the pattern set in dotnet#8140 Fix dotnet#6161
Adding role assignment support for PostgreSQL following the pattern set in dotnet#8140 Contributes to dotnet#6161
3 participants
Description
We currently don't support an easy API for modifying the role assignments on database resources. There are no role types that can be used from the Azure.Provisioning libraries today. So for now we will just move our existing role assignments to the ACA roles bicep module.
To support database resources, we add a new virtual method on AzureProvisioningResource -
AddRoleAssignmentspassing in a context object containing the information on the role assignments to add.Also needed to split all role assignments out of the {app}-roles bicep module because of an issue with CosmosDB failing if the role assignment is added in the same bicep file as the managed identity it is pointing to. This simplifies the code because the role assignment generation is the same whether the resource is existing or not.
Contributes to #6161
Fix #8142
Checklist
<remarks />and<code />elements on your triple slash comments?- Link to aspire-docs issue [New article]: Aspire 9.2 Azure WithRoleAssignments docs (dotnet/docs-aspire#2788)