Block CosmosDB key authentication (#4175)

Co-authored-by: Tamir Kamara <[email protected]>
microsoft · Dec 9, 2024 · d718721 · d718721
1 parent 0e30b9b
commit d718721
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ ENHANCEMENTS:
 * Add partial (core resources only) support for customer managed keys  ([#4141](https://github.com/microsoft/AzureTRE/issues/4142),  [#4144](https://github.com/microsoft/AzureTRE/issues/4144))
 * Update the Azure CLI version to 2.67.0 in dev container and vmss ([#4157](https://github.com/microsoft/AzureTRE/pull/4157))
 * Move Github PR bot commands into main documentation ([#4167](https://github.com/microsoft/AzureTRE/pull/4167))
+* Block Authentication with keys to CosmosDB SQL account ([#4175](https://github.com/microsoft/AzureTRE/pull/4175))
 
 BUG FIXES:
 - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf
@@ -1,12 +1,13 @@
 resource "azurerm_cosmosdb_account" "tre_db_account" {
-  name                       = "cosmos-${var.tre_id}"
-  location                   = azurerm_resource_group.core.location
-  resource_group_name        = azurerm_resource_group.core.name
-  offer_type                 = "Standard"
-  kind                       = "GlobalDocumentDB"
-  automatic_failover_enabled = false
-  ip_range_filter            = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
-  tags                       = local.tre_core_tags
+  name                          = "cosmos-${var.tre_id}"
+  location                      = azurerm_resource_group.core.location
+  resource_group_name           = azurerm_resource_group.core.name
+  offer_type                    = "Standard"
+  kind                          = "GlobalDocumentDB"
+  automatic_failover_enabled    = false
+  ip_range_filter               = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+  local_authentication_disabled = true
+  tags                          = local.tre_core_tags
 
   dynamic "capabilities" {
     # We can't change an existing cosmos

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.5"
+__version__ = "0.11.6"