Move to using managed identity for auth to CosmosDB.

CHANGELOG.md

@@ -7,6 +7,7 @@ FEATURES:
 
 ENHANCEMENTS:
 * Switch from OpenCensus to OpenTelemetry for logging ([#3762](https://github.com/microsoft/AzureTRE/pull/3762))
+* Use mangaged identity for API connection to CosmosDB ([#345](https://github.com/microsoft/AzureTRE/issues/345))
 
 BUG FIXES:
 

api_app/_version.py

@@ -1 +1 @@
-__version__ = "0.17.1"
+__version__ = "0.17.7"

api_app/api/dependencies/database.py

@@ -4,6 +4,7 @@
 from azure.mgmt.cosmosdb.aio import CosmosDBManagementClient
 from fastapi import Depends, FastAPI, HTTPException
 from fastapi import Request, status
+from core.config import MANAGED_IDENTITY_CLIENT_ID
 from core import config, credentials
 from db.errors import UnableToAccessDatabase
 from db.repositories.base import BaseRepository
@@ -13,27 +14,34 @@
 
 async def connect_to_db() -> CosmosClient:
     logger.debug(f"Connecting to {config.STATE_STORE_ENDPOINT}")
-
-    try:
-        async with credentials.get_credential_async() as credential:
-            primary_master_key = await get_store_key(credential)
-
-        if config.STATE_STORE_SSL_VERIFY:
+    async with credentials.get_credential_async() as credential:
+        if MANAGED_IDENTITY_CLIENT_ID:
+            logger.debug("Connecting with managed identity")
             cosmos_client = CosmosClient(
-                url=config.STATE_STORE_ENDPOINT, credential=primary_master_key
+                url=config.STATE_STORE_ENDPOINT,
+                credential=credential
             )
         else:
-            # ignore TLS (setup is a pain) when using local Cosmos emulator.
-            cosmos_client = CosmosClient(
-                config.STATE_STORE_ENDPOINT, primary_master_key, connection_verify=False
-            )
-        logger.debug("Connection established")
-        return cosmos_client
-    except Exception:
-        logger.exception("Connection to state store could not be established.")
+            logger.debug("Connecting with key")
+            primary_master_key = await get_store_key(credential)
+
+            if config.STATE_STORE_SSL_VERIFY:
+                logger.debug("Connecting with SSL verification")
+                cosmos_client = CosmosClient(
+                    url=config.STATE_STORE_ENDPOINT, credential=primary_master_key
+                )
+            else:
+                logger.debug("Connecting without SSL verification")
+                # ignore TLS (setup is a pain) when using local Cosmos emulator.
+                cosmos_client = CosmosClient(
+                    config.STATE_STORE_ENDPOINT, primary_master_key, connection_verify=False
+                )
+    logger.debug("Connection established")
+    return cosmos_client
 
 
 async def get_store_key(credential) -> str:
+    logger.debug("Getting store key")
     if config.STATE_STORE_KEY:
         primary_master_key = config.STATE_STORE_KEY
     else:

api_app/db/events.py

@@ -15,5 +15,6 @@ async def bootstrap_database(app) -> bool:
             await ResourceRepository.create(client)
             return True
     except Exception as e:
+        logger.exception("Could not bootstrap database")
         logger.debug(e)
         return False

api_app/services/health_checker.py

@@ -1,11 +1,10 @@
 from typing import Tuple
 from azure.core import exceptions
-from azure.cosmos.aio import CosmosClient
 from azure.servicebus.aio import ServiceBusClient
 from azure.mgmt.compute.aio import ComputeManagementClient
 from azure.cosmos.exceptions import CosmosHttpResponseError
 from azure.servicebus.exceptions import ServiceBusConnectionError, ServiceBusAuthenticationError
-from api.dependencies.database import get_store_key
+from api.dependencies.database import connect_to_db
 
 from core import config
 from models.schemas.status import StatusEnum
@@ -16,10 +15,8 @@
 async def create_state_store_status(credential) -> Tuple[StatusEnum, str]:
     status = StatusEnum.ok
     message = ""
-    debug = True if config.LOGGING_LEVEL == "DEBUG" else False
     try:
-        primary_master_key = await get_store_key(credential)
-        cosmos_client = CosmosClient(config.STATE_STORE_ENDPOINT, primary_master_key, connection_verify=debug)
+        cosmos_client = connect_to_db()
         async with cosmos_client:
             list_databases_response = cosmos_client.list_databases()
             [database async for database in list_databases_response]

core/terraform/api-identity.tf

@@ -45,3 +45,16 @@ resource "azurerm_role_assignment" "cosmos_contributor" {
   principal_id         = azurerm_user_assigned_identity.id.principal_id
 }
 
+data "azurerm_cosmosdb_sql_role_definition" "cosmosdb_db_contributor" {
+  resource_group_name = azurerm_resource_group.core.name
+  account_name        = azurerm_cosmosdb_account.tre_db_account.name
+  role_definition_id  = "00000000-0000-0000-0000-000000000002" # Cosmos DB Built-in Data Contributor
+}
+
+resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" {
+  resource_group_name = azurerm_resource_group.core.name
+  account_name        = azurerm_cosmosdb_account.tre_db_account.name
+  role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id
+  principal_id        = azurerm_user_assigned_identity.id.principal_id
+  scope               = azurerm_cosmosdb_account.tre_db_account.id
+}