[PR-20] setup cosmosdb connection string access in rest api (#29)

* add cosmosdb connection string as env variable in rest api from key vault

* reference as env variable

* todo comment

* fix biceps

* give arm access to kv

* deny access by default as best practice

* also add list

* enabledForTemplateDeployment true

* remove manual set access

* todo later

* rename cosmos secret string

Author: rodnyjoseph200

.github/workflows/deploy.yaml

@@ -64,7 +64,6 @@ jobs:
 
           parameters: |
             {
-              "environment": "Development",
               "envFriendlyName": "dev",
               "restApiContainerImage": "${{ env.REST_API_IMAGE_NAME }}:${{ env.IMAGE_TAG }}",
               "registryServer": "${{ secrets.AZURE_REGISTRY_LOGIN_SERVER }}",

deploy/azure/bicep/main.bicep

@@ -1,4 +1,3 @@
-param environment string
 param envFriendlyName string
 param restApiContainerImage string
 param registryServer string
@@ -13,7 +12,7 @@ param objectId string
 
 var serviceName = 'chat-service'
 
-module monitor './modules/shared/monitor.bicep' = {
+module monitorModule './modules/shared/monitor.bicep' = {
   name: 'monitor'
   params: {
     serviceName: serviceName
@@ -22,32 +21,17 @@ module monitor './modules/shared/monitor.bicep' = {
   }
 }
 
-module containerAppEnvironment './modules/shared/container-app-environment.bicep' = {
+module containerAppEnvironmentModule './modules/shared/container-app-environment.bicep' = {
   name: 'container-app-environment'
   params: {
     serviceName: serviceName
     envFriendlyName: envFriendlyName
     location: location
-    logAnalyticsWorkspaceName: monitor.outputs.logAnalyticsWorkspaceName
+    logAnalyticsWorkspaceName: monitorModule.outputs.logAnalyticsWorkspaceName
   }
 }
 
-module restApi './modules/apis-rest.bicep' = {
-  name: 'rest-api'
-  params: {
-    location: location
-    serviceName: serviceName
-    managedEnvironmentId: containerAppEnvironment.outputs.managedEnvironmentId
-    containerImage: restApiContainerImage
-    registryServer: registryServer
-    registryUsername: username
-    registryPassword: password
-    environment: environment
-    envFriendlyName: envFriendlyName
-  }
-}
-
-module cosmosDb './modules/shared/cosmosdb.bicep' = {
+module cosmosDbModule './modules/shared/cosmosdb.bicep' = {
   name: 'cosmos-db'
   params: {
     envFriendlyName: envFriendlyName
@@ -56,7 +40,7 @@ module cosmosDb './modules/shared/cosmosdb.bicep' = {
   }
 }
 
-module keyVault './modules/shared/key-vault.bicep' = {
+module keyVaultModule './modules/shared/key-vault.bicep' = {
   name: 'key-vault'
   params: {
     serviceName: serviceName
@@ -66,11 +50,27 @@ module keyVault './modules/shared/key-vault.bicep' = {
   }
 }
 
-module keyVaultSecrets './modules/shared/key-vault-secrets.bicep' = {
+module keyVaultSecretsModule './modules/shared/key-vault-secrets.bicep' = {
   name: 'key-vault-secrets'
   params: {
-    keyVaultName: keyVault.outputs.name
-    cosmosAccountName: cosmosDb.outputs.accountName
+    keyVaultName: keyVaultModule.outputs.name
+    cosmosAccountName: cosmosDbModule.outputs.accountName
+  }
+}
+
+module restApiModule './modules/container-app-rest-api.bicep' = {
+  name: 'rest-api'
+  params: {
+    location: location
+    serviceName: serviceName
+    managedEnvironmentId: containerAppEnvironmentModule.outputs.managedEnvironmentId
+    containerImage: restApiContainerImage
+    registryServer: registryServer
+    registryUsername: username
+    registryPassword: password
+    envFriendlyName: envFriendlyName
+    cosmosDbConnectionStringName: keyVaultSecretsModule.outputs.cosmosDbConnectionStringName
+    cosmosAccountName: cosmosDbModule.outputs.accountName
   }
 }
 

deploy/azure/bicep/modules/apis-rest.bicep deploy/azure/bicep/modules/container-app-rest-api.bicep

@@ -1,19 +1,28 @@
 param location string
 param managedEnvironmentId string
 param serviceName string
-param environment string
 param envFriendlyName string
 
 param containerImage string
 param registryServer string
 param registryUsername string
+param cosmosAccountName string
+param cosmosDbConnectionStringName string
 
 @secure()
 param registryPassword string
 
 var containerAppName = '${serviceName}-rest-api-${envFriendlyName}'
 var containerRegistryPasswordName = 'container-registry-password'
 
+//todo - later, reference from Key Vault
+resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' existing = {
+  name: cosmosAccountName
+}
+
+var cosmosDbConnectionString = 'AccountEndpoint=${cosmosAccount.properties.documentEndpoint};AccountKey=${cosmosAccount.listKeys().primaryMasterKey};'
+
+//todo - Reference secrets from Key Vault for added benefits like rotation
 resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
   name: containerAppName
   location: location
@@ -29,6 +38,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
           name: containerRegistryPasswordName
           value: registryPassword
         }
+        {
+          name: cosmosDbConnectionStringName
+          value: cosmosDbConnectionString
+        }
       ]
       registries: [
         {
@@ -43,6 +56,12 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
         {
           image: containerImage
           name: containerAppName
+          env: [
+            {
+              name: cosmosDbConnectionStringName
+              secretRef: cosmosDbConnectionStringName
+            }
+          ]
         }
       ]
     }

deploy/azure/bicep/modules/shared/key-vault-secrets.bicep

@@ -13,8 +13,10 @@ var cosmosDbConnectionString = 'AccountEndpoint=${cosmosAccount.properties.docum
 
 resource cosmosDbConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   parent: keyVault
-  name: 'cosmosDbConnectionString'
+  name: 'cosmos-db-connection-string'
   properties: {
     value: cosmosDbConnectionString
   }
 }
+
+output cosmosDbConnectionStringName string = cosmosDbConnectionStringSecret.name

deploy/azure/bicep/modules/shared/key-vault.bicep

@@ -12,7 +12,7 @@ param enabledForDeployment bool = false
 param enabledForDiskEncryption bool = false
 
 @description('Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
-param enabledForTemplateDeployment bool = false
+param enabledForTemplateDeployment bool = true
 
 @description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.')
 param tenantId string = subscription().tenantId
@@ -63,7 +63,7 @@ resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
       family: 'A'
     }
     networkAcls: {
-      defaultAction: 'Allow'
+      defaultAction: 'Deny'
       bypass: 'AzureServices'
     }
   }