fix(cosmosdb) Grant the Cosmos DB Built-in Data Contributor role to the database #299
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes a permissions issue where AI Foundry couldn't access Cosmos DB after deployment. The fix changes the role assignment scope from individual containers to the entire enterprise_memory database, following Microsoft's recommended approach.
Key Changes:
- Consolidated three container-specific Cosmos DB role assignments into a single database-level assignment
- Changed scope from
/dbs/enterprise_memory/colls/{container-name}to/dbs/enterprise_memory - Simplified the role assignment approach to align with Microsoft documentation and the official foundry-samples repository
| resource "azurerm_cosmosdb_sql_role_assignment" "cosmosdb_db_sql_role" { | ||
| count = var.agent_capability_host_connections != null ? 1 : 0 | ||
|
|
||
| depends_on = [ | ||
| azapi_resource.ai_foundry_project_capability_host | ||
| ] | ||
| name = uuidv5("dns", "${azapi_resource.ai_foundry_project.name}${azapi_resource.ai_foundry_project.output.identity.principalId}userthreadmessage_dbsqlrole") | ||
| name = uuidv5("dns", "${azapi_resource.ai_foundry_project.name}${azapi_resource.ai_foundry_project.output.identity.principalId}enterprise_memory_data_contributor") | ||
| resource_group_name = var.agent_capability_host_connections.cosmos_db.resource_group_name | ||
| account_name = var.agent_capability_host_connections.cosmos_db.name | ||
| scope = "${var.agent_capability_host_connections.cosmos_db.resource_id}/dbs/enterprise_memory/colls/${local.project_id_guid}-thread-message-store" | ||
| scope = "${var.agent_capability_host_connections.cosmos_db.resource_id}/dbs/enterprise_memory" | ||
| role_definition_id = "${var.agent_capability_host_connections.cosmos_db.resource_id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002" | ||
| principal_id = azapi_resource.ai_foundry_project.output.identity.principalId | ||
| } |
There was a problem hiding this comment.
The module's README.md documentation still references the three removed Cosmos DB role assignment resources. The documentation should be regenerated to reflect the updated resource structure where cosmosdb_db_sql_role_aifp_user_thread_message_store, cosmosdb_db_sql_role_aifp_system_thread_name, and cosmosdb_db_sql_role_aifp_entity_store_name are replaced with the single cosmosdb_db_sql_role resource.
This appears to be auto-generated documentation (marked with <!-- BEGIN_TF_DOCS --> and <!-- END_TF_DOCS -->), so it likely needs to be regenerated using a documentation generation tool like terraform-docs.
1 participant
📥 Pull Request
❓ What are you trying to address
After deployment of the standard setup, AI Foundry shows error that it doesn't have sufficient permissions to Cosmos DB.
✨ Description of new changes
Grant the
Cosmos DB Built-in Data Contributorrole to the full enterprise_memory database, not the specific containers.This approach is recommended by the documentation: https://learn.microsoft.com/en-us/azure/ai-foundry/agents/concepts/standard-agent-setup?view=foundry-classic#manual
And this approach is implemented in the official foundry-samples repository:
https://github.com/azure-ai-foundry/foundry-samples/blob/2cb2e07560d1c17d66c321510fbbefbcf8675d0e/samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/cosmos-container-role-assignments.bicep#L35
☑️ Checklist