added scope to be of the database rather than the whole cosmosdb account

2024-06-11 17:44:44 +05:30 · 2024-06-11 17:44:44 +05:30 · b8ed0da73f
--- a/Dockerfile.ci-rp
+++ b/Dockerfile.ci-rp
@ -67,5 +67,5 @@ LABEL aro-final=true
 RUN microdnf update && microdnf clean all
 COPY --from=builder /app/aro /app/e2e.test /usr/local/bin/
 ENTRYPOINT ["aro"]
-EXPOSE 2222/tcp 8080/tcp 8443/tcp 8444/tcp 8445/tcp
+EXPOSE 2222/tcp 8080/tcp 8443/tcp 8444/tcp
 USER 1000
--- a/cmd/aro/gateway.go
+++ b/cmd/aro/gateway.go
@ -45,11 +45,6 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 	}
 	logrusEntry := log.WithField("component", "database")

-	dbName, err := DBName(_env.IsLocalDevelopmentMode())
-	if err != nil {
-		return err
-	}
-
 	dbAccountName := os.Getenv(envDatabaseAccountName)
 	scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
 	dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
@ -61,6 +56,11 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 		return err
 	}

+	dbName, err := DBName(_env.IsLocalDevelopmentMode())
+	if err != nil {
+		return err
+	}
+
 	dbGateway, err := database.NewGateway(ctx, dbc, dbName)
 	if err != nil {
 		return err
--- a/cmd/aro/monitor.go
+++ b/cmd/aro/monitor.go
@ -88,9 +88,7 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 	}

 	dbAccountName := os.Getenv(envDatabaseAccountName)
-	// clientOptions := &policy.ClientOptions{
-	// 	ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
-	// }
+
 	logrusEntry := log.WithField("component", "database")
 	scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
 	dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
--- a/cmd/aro/rp.go
+++ b/cmd/aro/rp.go
@ -125,6 +125,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 	if err != nil {
 		return err
 	}
+
 	dbAsyncOperations, err := database.NewAsyncOperations(ctx, _env.IsLocalDevelopmentMode(), dbc, dbName)
 	if err != nil {
 		return err
--- a/pkg/deploy/assets/rp-production.json
+++ b/pkg/deploy/assets/rp-production.json
@ -1119,7 +1119,7 @@
            "name": "[concat(parameters('databaseAccountName'), '/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('rpServicePrincipalId'), 'DocumentDB Data Contributor'))]",
            "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
            "properties": {
-                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]",
+                "scope": "[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/dbs/', 'ARO']",
                "roleDefinitionId": "[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002')]",
                "principalId": "[parameters('rpServicePrincipalId')]",
                "principalType": "ServicePrincipal"
@ -1133,7 +1133,7 @@
            "name": "[concat(parameters('databaseAccountName'), '/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('gatewayServicePrincipalId'), 'DocumentDB Data Contributor'))]",
            "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
            "properties": {
-                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]",
+                "scope": "[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/dbs/', 'ARO']",
                "roleDefinitionId": "[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002')]",
                "principalId": "[parameters('gatewayServicePrincipalId')]",
                "principalType": "ServicePrincipal"
--- a/pkg/deploy/deploy.go
+++ b/pkg/deploy/deploy.go
@ -43,13 +43,12 @@ type deployer struct {
 	log *logrus.Entry
 	env env.Core

-	globaldeployments features.DeploymentsClient
-	globalgroups      features.ResourceGroupsClient
-	globalrecordsets  dns.RecordSetsClient
-	globalaccounts    storage.AccountsClient
-	deployments       features.DeploymentsClient
-	groups            features.ResourceGroupsClient
-	// loadbalancers          network.LoadBalancersClient
+	globaldeployments      features.DeploymentsClient
+	globalgroups           features.ResourceGroupsClient
+	globalrecordsets       dns.RecordSetsClient
+	globalaccounts         storage.AccountsClient
+	deployments            features.DeploymentsClient
+	groups                 features.ResourceGroupsClient
 	userassignedidentities msi.UserAssignedIdentitiesClient
 	providers              features.ProvidersClient
 	publicipaddresses      network.PublicIPAddressesClient
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@ -874,20 +874,20 @@ func (g *generator) rpCosmosDB() []*arm.Resource {
 	if g.production {
 		rs = append(rs, g.database("'ARO'", true)...)
 		rs = append(rs, g.rpCosmosDBAlert(10, 90, 3, "rp-cosmosdb-alert", "PT5M", "PT1H"))
-		rs = append(rs, g.CosmosDBDataContributorRoleAssignment("rp"))
-		rs = append(rs, g.CosmosDBDataContributorRoleAssignment("gateway"))
+		rs = append(rs, g.CosmosDBDataContributorRoleAssignment("'ARO'", "rp"))
+		rs = append(rs, g.CosmosDBDataContributorRoleAssignment("'ARO'", "gateway"))
 	}

 	return rs
 }

-func (g *generator) CosmosDBDataContributorRoleAssignment(component string) *arm.Resource {
+func (g *generator) CosmosDBDataContributorRoleAssignment(databaseName, component string) *arm.Resource {
 	return &arm.Resource{
 		Resource: mgmtauthorization.RoleAssignment{
 			Name: to.StringPtr("[concat(parameters('databaseAccountName'), '/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('" + component + "ServicePrincipalId'), 'DocumentDB Data Contributor'))]"),
 			Type: to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments"),
 			RoleAssignmentPropertiesWithScope: &mgmtauthorization.RoleAssignmentPropertiesWithScope{
-				Scope:            to.StringPtr("[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"),
+				Scope:            to.StringPtr("[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/dbs/', " + databaseName + "]"),
 				RoleDefinitionID: to.StringPtr("[concat(resourceId('Microsoft.DocumentDB/databaseAccounts/', parameters('databaseAccountName')), '/sqlRoleDefinitions/" + rbac.RoleDocumentDBDataContributor + "')]"),
 				PrincipalID:      to.StringPtr("[parameters('" + component + "ServicePrincipalId')]"),
 				PrincipalType:    mgmtauthorization.ServicePrincipal,