Azure · vhvb1989 · Jan 24, 2024 · Jan 11, 2024 · Jan 11, 2024 · Jan 11, 2024
@@ -19,8 +19,9 @@ armapimanagement
 armappconfiguration
 armappplatform
 armcognitiveservices
-asyncmy
+armcosmos
 armresourcegraph
+asyncmy
 asyncpg
 azapi
 AZCLI
@@ -52,8 +53,8 @@ buildpacks
 byoi
 cflags
 circleci
-cmdsubst
 cmdrecord
+cmdsubst
 cognitiveservices
 consolesize
 containerapp
@@ -97,8 +98,8 @@ hotspot
 iidfile
 ineffassign
 javac
-jquery
 jmes
+jquery
 keychain
 LASTEXITCODE
 ldflags
@@ -114,8 +115,8 @@ mockarmresources
 mockazcli
 mongojs
 mvnw
-mysqldb
 mysqlclient
+mysqldb
 nobanner
 nodeapp
 nolint
@@ -148,10 +149,10 @@ reauthentication
 relogin
 remarshal
 repourl
+requirepass
 resourcegraph
 restoreapp
 retriable
-requirepass
 rzip
 secureobject
 securestring
@@ -189,4 +190,4 @@ vuejs
 westus2
 wireinject
 yacspin
-zerr
+zerr
@@ -149,6 +149,14 @@ func ContainerAppName(name string) string {
 	return containerAppName(name, containerAppNameMaxLen)
 }
 
+// ContainerAppSecretName returns a suitable name a container app secret name.
+//
+// The name is treated to only contain lowercase alphanumeric and dash characters, and must start and end with an
+// alphanumeric character
+func ContainerAppSecretName(name string) string {
+	return strings.ReplaceAll(strings.ToLower(name), "_", "-")
+}
+
 // ContainerAppInfix returns a suitable infix for a container app resource.
 //
 // The name is treated to only contain alphanumeric and dash characters, with no repeated dashes, and no dashes

@@ -23,6 +23,7 @@ const RedisContainerAppService = "redis"
 
 const DaprStateStoreComponentType = "state"
 const DaprPubSubComponentType = "pubsub"
+const containerAppSecretConnectionString = "{{ connectionString "
 
 // genTemplates is the collection of templates that are used when generating infrastructure files from a manifest.
 var genTemplates *template.Template
@@ -32,9 +33,10 @@ func init() {
 		Option("missingkey=error").
 		Funcs(
 			template.FuncMap{
-				"bicepName":        scaffold.BicepName,
-				"alphaSnakeUpper":  scaffold.AlphaSnakeUpper,
-				"containerAppName": scaffold.ContainerAppName,
+				"bicepName":              scaffold.BicepName,
+				"alphaSnakeUpper":        scaffold.AlphaSnakeUpper,
+				"containerAppName":       scaffold.ContainerAppName,
+				"containerAppSecretName": scaffold.ContainerAppSecretName,
 			},
 		).
 		ParseFS(resources.AppHostTemplates, "apphost/templates/*")
@@ -338,6 +340,8 @@ func (b *infraGenerator) LoadManifest(m *Manifest) error {
 			b.addStorageTable(*comp.Parent, name)
 		case "azure.cosmosdb.account.v0":
 			b.addCosmosDbAccount(name)
+		case "azure.cosmosdb.database.v0":
+			b.addCosmosDatabase(*comp.Parent, name)
 		case "postgres.server.v0":
 			// We currently use a ACA Postgres Service per database. Because of this, we don't need to retain any
 			// information from the server resource.
@@ -411,7 +415,15 @@ func (b *infraGenerator) addAppInsights(name string) {
 }
 
 func (b *infraGenerator) addCosmosDbAccount(name string) {
-	b.bicepContext.CosmosDbAccounts[name] = genCosmosAccount{}
+	if _, exists := b.bicepContext.CosmosDbAccounts[name]; !exists {
+		b.bicepContext.CosmosDbAccounts[name] = genCosmosAccount{}
+	}
+}
+
+func (b *infraGenerator) addCosmosDatabase(cosmosDbAccount, dbName string) {
+	account := b.bicepContext.CosmosDbAccounts[cosmosDbAccount]
+	account.Databases = append(account.Databases, dbName)
+	b.bicepContext.CosmosDbAccounts[cosmosDbAccount] = account
 }
 
 func (b *infraGenerator) addProject(
@@ -663,8 +675,9 @@ func (b *infraGenerator) Compile() error {
 
 	for resourceName, docker := range b.dockerfiles {
 		projectTemplateCtx := genContainerAppManifestTemplateContext{
-			Name: resourceName,
-			Env:  make(map[string]string),
+			Name:    resourceName,
+			Env:     make(map[string]string),
+			Secrets: make(map[string]string),
 		}
 
 		ingress, err := buildIngress(docker.Bindings)
@@ -683,8 +696,9 @@ func (b *infraGenerator) Compile() error {
 
 	for resourceName, project := range b.projects {
 		projectTemplateCtx := genContainerAppManifestTemplateContext{
-			Name: resourceName,
-			Env:  make(map[string]string),
+			Name:    resourceName,
+			Env:     make(map[string]string),
+			Secrets: make(map[string]string),
 		}
 
 		binding, err := validateAndMergeBindings(project.Bindings)
@@ -868,10 +882,14 @@ func (b infraGenerator) evalBindingRef(v string, emitType inputEmitType) (string
 			return "",
 				fmt.Errorf("malformed binding expression, expected bindings.<binding-name>.[host|port|url] but was: %s", v)
 		}
-	case targetType == "postgres.database.v0" || targetType == "redis.v0":
+	case targetType == "postgres.database.v0" ||
+		targetType == "redis.v0" ||
+		targetType == "azure.cosmosdb.account.v0" ||
+		targetType == "azure.cosmosdb.database.v0":
 		switch prop {
 		case "connectionString":
-			return fmt.Sprintf(`{{ connectionString "%s" }}`, resource), nil
+			// returns something like {{ connectionString "resource" }}
+			return fmt.Sprintf(`%s"%s" }}`, containerAppSecretConnectionString, resource), nil
 		default:
 			return "", errUnsupportedProperty(targetType, prop)
 		}
@@ -902,8 +920,7 @@ func (b infraGenerator) evalBindingRef(v string, emitType inputEmitType) (string
 	case targetType == "azure.keyvault.v0" ||
 		targetType == "azure.storage.blob.v0" ||
 		targetType == "azure.storage.queue.v0" ||
-		targetType == "azure.storage.table.v0" ||
-		targetType == "azure.cosmosdb.account.v0":
+		targetType == "azure.storage.table.v0":
 		switch prop {
 		case "connectionString":
 			return fmt.Sprintf("{{ .Env.SERVICE_BINDING_%s_ENDPOINT }}", scaffold.AlphaSnakeUpper(resource)), nil
@@ -953,8 +970,14 @@ func (b *infraGenerator) buildEnvBlock(env map[string]string, manifestCtx *genCo
 
 		// remove the trailing newline. yaml marshall will add a newline at the end of the string, as the new line is
 		// expected at the end of the yaml document. But we are getting a single value with valid yaml here, so we don't
-		// need the newline.
-		manifestCtx.Env[k] = string(yamlString[0 : len(yamlString)-1])
+		// need the newline
+		value := string(yamlString[0 : len(yamlString)-1])
+
+		if strings.Contains(value, containerAppSecretConnectionString) {
+			manifestCtx.Secrets[k] = value
+		} else {
+			manifestCtx.Env[k] = value
+		}
 	}
 
 	return nil

@@ -206,17 +206,22 @@ func TestBuildEnvResolveServiceToConnectionString(t *testing.T) {
 	expected := map[string]string{
 		"VAR1": "value1",
 		"VAR2": "value2",
+	}
+
+	expectedSecrets := map[string]string{
 		"VAR3": `complex {{ connectionString "service" }} expression`,
 	}
 
 	manifestCtx := &genContainerAppManifestTemplateContext{
-		Env: make(map[string]string),
+		Env:     make(map[string]string),
+		Secrets: make(map[string]string),
 	}
 
 	// Call the method being tested
 	err := mockGenerator.buildEnvBlock(env, manifestCtx)
 	require.NoError(t, err)
 	require.Equal(t, expected, manifestCtx.Env)
+	require.Equal(t, expectedSecrets, manifestCtx.Secrets)
 }
 
 func TestAddContainerAppService(t *testing.T) {

@@ -9,6 +9,7 @@ type genStorageAccount struct {
 }
 
 type genCosmosAccount struct {
+	Databases []string
 }
 
 type genServiceBus struct {
@@ -106,6 +107,7 @@ type genContainerAppManifestTemplateContext struct {
 	Name    string
 	Ingress *genContainerAppIngress
 	Env     map[string]string
+	Secrets map[string]string
 	Dapr    *genContainerAppManifestTemplateContextDapr
 }
 

@@ -73,7 +73,6 @@ resource mysqlabstract 'Microsoft.App/containerApps@2023-05-02-preview' = {
   tags: union(tags, {'aspire-resource-name': 'mysqlabstract'})
 }
 
-
 output MANAGED_IDENTITY_CLIENT_ID string = managedIdentity.properties.clientId
 output AZURE_CONTAINER_APPS_ENVIRONMENT_ID string = containerAppEnvironment.id
 output AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN string = containerAppEnvironment.properties.defaultDomain

@@ -95,7 +95,6 @@ resource mysqlabstract 'Microsoft.App/containerApps@2023-05-02-preview' = {
   tags: union(tags, {'aspire-resource-name': 'mysqlabstract'})
 }
 
-
 output MANAGED_IDENTITY_CLIENT_ID string = managedIdentity.properties.clientId
 output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerRegistry.properties.loginServer
 output AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID string = managedIdentity.id

@@ -16,19 +16,22 @@ properties:
     registries:
     - server: {{ .Env.AZURE_CONTAINER_REGISTRY_ENDPOINT }}
       identity: {{ .Env.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID }}
+    secrets:
+      - name: connectionstrings--db
+        value: '{{ connectionString "db" }}'
   template:
     containers:
     - image: {{ .Image }}
       name: api
       env:
       - name: AZURE_CLIENT_ID
         value: {{ .Env.MANAGED_IDENTITY_CLIENT_ID }}
-      - name: ConnectionStrings__db
-        value: '{{ connectionString "db" }}'
       - name: OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EVENT_LOG_ATTRIBUTES
         value: "true"
       - name: OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EXCEPTION_LOG_ATTRIBUTES
         value: "true"
+      - name: ConnectionStrings__db
+        secretRef: connectionstrings--db
     scale:
       minReplicas: 1
 tags:

@@ -130,7 +130,6 @@ resource photosQueuesRoleAssignment 'Microsoft.Authorization/roleAssignments@202
   }
 }
 
-
 output MANAGED_IDENTITY_CLIENT_ID string = managedIdentity.properties.clientId
 output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerRegistry.properties.loginServer
 output AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID string = managedIdentity.id

@@ -5,7 +5,9 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 	"github.com/azure/azure-dev/cli/azd/pkg/azsdk/storage"
+	"github.com/azure/azure-dev/cli/azd/pkg/cosmosdb"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment"
 	"github.com/azure/azure-dev/cli/azd/pkg/infra/provisioning"
 	infraBicep "github.com/azure/azure-dev/cli/azd/pkg/infra/provisioning/bicep"
@@ -109,6 +111,12 @@ func (p *DefaultPlatform) ConfigureContainer(container *ioc.NestedContainer) err
 	container.RegisterSingleton(storage.NewBlobClient)
 	container.RegisterSingleton(storage.NewBlobSdkClient)
 
+	// cosmosdb
+	container.RegisterSingleton(func() *arm.ClientOptions {
+		return &arm.ClientOptions{}
+	})
+	container.RegisterSingleton(cosmosdb.NewCosmosDbService)
+
 	// Templates
 
 	// Gets a list of default template sources used in azd.

@@ -98,7 +98,7 @@ func registerDeployMocks(mockContext *mocks.MockContext) {
 		return request.Method == http.MethodPost && strings.Contains(request.URL.Path, "/api/zipdeploy")
 	}).RespondFn(func(request *http.Request) (*http.Response, error) {
 		response, _ := mocks.CreateEmptyHttpResponse(request, http.StatusAccepted)
-		response.Header.Set("Location", "http://myapp.scm.azurewebsites.net/deployments/latest")
+		response.Header.Set("Location", "https://myapp.scm.azurewebsites.net/deployments/latest")
 
 		return response, nil
 	})

@@ -0,0 +1,55 @@
+package cosmosdb
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
+)
+
+// CosmosDbService is the interface for the CosmosDbService
+type CosmosDbService interface {
+	ConnectionString(ctx context.Context, subId, rgName, accountName string) (string, error)
+}
+
+type cosmosDbClient struct {
+	credential azcore.TokenCredential
+	options    *arm.ClientOptions
+}
+
+// NewCosmosDbService creates a new instance of the CosmosDbService
+func NewCosmosDbService(
+	credential azcore.TokenCredential,
+	options *arm.ClientOptions,
+) (CosmosDbService, error) {
+	return &cosmosDbClient{
+		credential: credential,
+		options:    options,
+	}, nil
+}
+
+// ConnectionString returns the connection string for the CosmosDB account
+func (c *cosmosDbClient) ConnectionString(ctx context.Context, subId, rgName, accountName string) (string, error) {
+	client, err := armcosmos.NewDatabaseAccountsClient(subId, c.credential, c.options)
+	if err != nil {
+		return "", err
+	}
+	res, err := client.ListConnectionStrings(
+		ctx, rgName, accountName, &armcosmos.DatabaseAccountsClientListConnectionStringsOptions{})
+
+	if err != nil {
+		return "", err
+	}
+
+	if res.ConnectionStrings == nil {
+		return "", fmt.Errorf("connection strings are nil")
+	}
+
+	if len(res.ConnectionStrings) == 0 {
+		return "", fmt.Errorf("no connection strings found")
+	}
+
+	return *res.ConnectionStrings[0].ConnectionString, nil
+}