@jarredm-demo

(Previously #511, but was issued against incorrect branch - reissuing against Development)
Using a Managed Identity is the safest method of deploying. However, a Managed Identity can only access the Data Plane inside Cosmos DB, and in order to do so these permissions must be set via script (supplied Azure CLI and Azure PowerShell in this branch). Since Database and Container creation for Azure Cosmos DB is a Control Plane operation, these also need to be scripted and performed directly during deployment, as calls to the REST API go through the Data Plane and therefore cannot use the Managed Identity (they require Keys). Eventually the project aims to avoid using keys where possible.
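As an added example (not code from this PR or from the SimpleChat project), one way to script the flow described above with the Az.CosmosDB module: the data-plane role assignment for the managed identity first, then the control-plane creation of the database (with the autoscale throughput applied at creation time) and its containers, each step guarded by an existence check so the script can be re-run. The principal id, resource names and the two-entry container list are placeholders; the real deployment would pass the app's full container set.

```powershell
# Added example, not the PR's script. Requires Az.CosmosDB; run after
# Connect-AzAccount / Set-AzContext. All names below are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AccountName,
    [Parameter(Mandatory)] [string] $PrincipalId,   # object id of the system-assigned managed identity
    [string] $DatabaseName = "SimpleChat",
    [int]    $AutoscaleDatabaseMaxThroughput = 1000
)

# Built-in data-plane role ids are fixed GUIDs; ...0002 is "Cosmos DB Built-in Data Contributor".
$DataContributorRoleId = "00000000-0000-0000-0000-000000000002"

# Step 1: data-plane RBAC. Scope "/" means the whole account. Skip if already assigned.
$existing = Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroupName -AccountName $AccountName |
    Where-Object { $_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -like "*$DataContributorRoleId" }
if (-not $existing) {
    New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
        -RoleDefinitionId $DataContributorRoleId -Scope "/" -PrincipalId $PrincipalId | Out-Null
}

# Step 2: control-plane creation through ARM, so it runs as the deployer's identity and needs no account keys.
$db = Get-AzCosmosDBSqlDatabase -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
    -Name $DatabaseName -ErrorAction SilentlyContinue
if (-not $db) {
    # Shared autoscale throughput is set here, at creation, so the variable is actually consumed.
    New-AzCosmosDBSqlDatabase -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
        -Name $DatabaseName -AutoscaleMaxThroughput $AutoscaleDatabaseMaxThroughput | Out-Null
}

# Constructed placeholder list (container name -> partition key path); replace with the app's real containers.
$Containers = @{ "conversations" = "/user_id"; "messages" = "/conversation_id" }
foreach ($name in $Containers.Keys) {
    $c = Get-AzCosmosDBSqlContainer -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
        -DatabaseName $DatabaseName -Name $name -ErrorAction SilentlyContinue
    if (-not $c) {
        New-AzCosmosDBSqlContainer -ResourceGroupName $ResourceGroupName -AccountName $AccountName `
            -DatabaseName $DatabaseName -Name $name -PartitionKeyKind Hash -PartitionKeyPath $Containers[$name] | Out-Null
    }
}
```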

Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds comprehensive Cosmos DB configuration scripts to enable secure deployment using Managed Identity authentication. The scripts provide both Azure CLI and PowerShell implementations for setting up data plane RBAC permissions and creating the required database and container infrastructure.

  • Adds Managed Identity RBAC assignment scripts for both Bash and PowerShell
  • Implements database and container creation scripts with proper existence checking
  • Provides detailed documentation for deployment and execution in the ReadMe.md

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| managed_identity_cosmos_rbac.sh | Bash script to assign Cosmos DB Built-in Data Contributor role to System Managed Identity |
| managed_identity_cosmos_rbac.ps1 | PowerShell equivalent for RBAC role assignment |
| database_and_container_creation.sh | Bash script to create SimpleChat database and 26 required containers with partition keys |
| database_and_container_creation.ps1 | PowerShell equivalent for database and container creation |
| ReadMe.md | Comprehensive documentation for executing scripts in Cloud Shell or desktop environments |

$ResourceGroupName = "your-resource-group"
$AccountName = "your-cosmos-account-name"
$DatabaseName = "SimpleChat"
$AutoscaleDatabaseMaxThroughput = 1000
Copilot AI Nov 14, 2025

The variable $AutoscaleDatabaseMaxThroughput is defined but never used in the script. The New-AzCosmosDBSqlDatabase command on line 63 does not specify any throughput parameter, resulting in the database being created without the intended throughput setting. Either add -Throughput $AutoscaleDatabaseMaxThroughput to the database creation command or remove this unused variable.

Collaborator

@jarredm-demo Couple things on this one. If you have it in your branch, there is a New-CosmosContainerDynamicRUs.ps1 in the deployers folder. Move that into this folder with this cosmos stuff. Makes sense to me. Also, in that script, is how to handle this (as RUs by default are set manually if not specified at creation (without checking I do not know if you can specify at creation via cmd line)).

This ReadMe and the accompanying scripts assume you have access to Cloud Shell in the Azure Portal, or have either the latest version of Az CLI, or PowerShell 7 or above installed with Azure Module in Windows.


## STEP 1: Log in via Cloud Shell or Desktop Prompt
Copilot AI Nov 14, 2025

The step describes assigning RBAC permissions but is titled "Log in via Cloud Shell or Desktop Prompt". This should be titled "STEP 1: Log in and Set Subscription Context" to better reflect the actual content, which includes login and context setting procedures.

Suggested change
## STEP 1: Log in via Cloud Shell or Desktop Prompt
## STEP 1: Log in and Set Subscription Context


Ensure correct subscription context (az account set or Set-AzContext -Subscription) before continuing.

## Step 2: Assign Cosmos DB Built-in Data Contributor to your System-Assigned Managed Identity
Copilot AI Nov 14, 2025

Step numbering is inconsistent. Steps 1 and 3 use uppercase "STEP" while Step 2 uses title case "Step". All steps should follow the same capitalization pattern for consistency.

Suggested change
## Step 2: Assign Cosmos DB Built-in Data Contributor to your System-Assigned Managed Identity
## STEP 2: Assign Cosmos DB Built-in Data Contributor to your System-Assigned Managed Identity

@Bionic711
Collaborator

@jarredm-demo Tackle the Copilot stuff I left open. Other than that, I wanted to ask about your thoughts on maintainability moving forward. The way it is currently written, we will need to remember to come by and add new containers here when we add new containers to the app. Thoughts on finding a way to parse the config.py to create a list of containers that need to be created?
