From d7187217d14dd7a63af101c8d283addfb60004d5 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 9 Dec 2024 22:40:23 +0200
Subject: [PATCH] Block CosmosDB key authentication (#4175)

Co-authored-by: Tamir Kamara
---
 CHANGELOG.md | 1 +
 core/terraform/statestore.tf | 17 +++++++++--------
 core/version.txt | 2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 10dd8ad4f3..1aa46af3c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ ENHANCEMENTS:
 * Add partial (core resources only) support for customer managed keys ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144))
 * Update the Azure CLI version to 2.67.0 in dev container and vmss ([#4157](https://github.com/microsoft/AzureTRE/pull/4157))
 * Move Github PR bot commands into main documentation ([#4167](https://github.com/microsoft/AzureTRE/pull/4167))
+* Block Authentication with keys to CosmosDB SQL account ([#4175](https://github.com/microsoft/AzureTRE/pull/4175))

 BUG FIXES:
 - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf
index 450ede5444..0bc9c9c51f 100644
--- a/core/terraform/statestore.tf
+++ b/core/terraform/statestore.tf
@@ -1,12 +1,13 @@
 resource "azurerm_cosmosdb_account" "tre_db_account" {
- name = "cosmos-${var.tre_id}"
- location = azurerm_resource_group.core.location
- resource_group_name = azurerm_resource_group.core.name
- offer_type = "Standard"
- kind = "GlobalDocumentDB"
- automatic_failover_enabled = false
- ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
- tags = local.tre_core_tags
+ name = "cosmos-${var.tre_id}"
+ location = azurerm_resource_group.core.location
+ resource_group_name = azurerm_resource_group.core.name
+ offer_type = "Standard"
+ kind = "GlobalDocumentDB"
+ automatic_failover_enabled = false
+ ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+ local_authentication_disabled = true
+ tags = local.tre_core_tags

 dynamic "capabilities" {
 # We can't change an existing cosmos
diff --git a/core/version.txt b/core/version.txt
index 91df9743fe..be379744b8 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.5"
+__version__ = "0.11.6"
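Review bot: The new `local_authentication_disabled = true` on `tre_db_account` in core/terraform/statestore.tf is unconditional and carries no comment, so any consumer that still reads the account's primary key or connection string will start getting authorization failures after apply; the hunk does not show whether every consumer already holds a Cosmos DB SQL data-plane role assignment. This matters for local debugging in particular, because `ip_range_filter` on the line above still admits `local.myip` when `var.enable_local_debugging` is set, and that developer would now need an Entra ID principal with a data-plane role rather than a key. I would add a why-comment on the attribute, for example `# Account keys are rejected; data-plane access is Entra ID / managed identity only (setting applies to SQL API accounts)`. The resource body continues past the hunk, so the `capabilities` block that follows is not covered by this note.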