
[AZD Testing] Failure in template: Static React Web App + Functions with Python API and MongoDB #11

@spboyer

Description


Template Testing Failure Report

Template: Static React Web App + Functions with Python API and MongoDB
Author: Azure Dev
Test Date: 2025-07-10 15:52:11 UTC
Failure Phase: provision

Error Details

azd provision failed (exit code 1)

Detailed Error:
ERROR: deployment failed: error deploying infrastructure: deploying to subscription:

🔒 Managed Identity Update Required

This template needs to be updated to use Managed Identity instead of connection strings or secrets.

The error indicates that this template is using connection strings or other secrets that should be replaced with Managed Identity for better security and compliance with Azure security best practices.

⚠️ Note: The guidance below provides general steps and examples, primarily focused on Cosmos DB scenarios. Please adapt these steps to your specific template's requirements and Azure services. Not all steps may apply to your template.

📋 General Conversion Process

1. Identify and Remove Connection String Configuration

Common patterns to look for and remove:

  • Connection string parameters (e.g., connectionStringKey, AZURE_*_CONNECTION_STRING)
  • secretsExportConfiguration blocks in Azure resource modules
  • Connection string outputs in Bicep/ARM templates
  • Hardcoded secrets in app settings or configuration files

2. Enable Managed Identity Authentication for Azure Services

General approach:

  • Add disableLocalAuth: true to Azure services that support it (where applicable)
  • Configure system-assigned or user-assigned managed identity for compute resources
  • Update resource configurations to use endpoint-based authentication instead of connection strings

⚠️ Cosmos DB Specific Note:

  • If using MongoDB API, you may need to convert to SQL API as Azure policy may block MongoDB API with disableLocalAuth: true
  • Change from mongodbDatabases/collections to sqlDatabases/containers
  • Use paths property (not partitionKeyPaths) for ARM template containers
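As an added example (not code from the original report or the template), a Bicep fragment covering steps 1 and 2 above: a Cosmos DB account with local authentication disabled and a SQL API database/container in place of the MongoDB ones, plus a storage account hardened against the two policy denials shown in the deployment log below (shared-key authentication and anonymous blob access). Names, location, database/container names and the partition key path are assumptions.

```bicep
param cosmosAccountName string
param storageAccountName string
param location string = resourceGroup().location

// Cosmos DB on the SQL (NoSQL) API; disableLocalAuth rejects key-based access so only Entra ID tokens work.
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: cosmosAccountName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    disableLocalAuth: true
    locations: [
      { locationName: location, failoverPriority: 0, isZoneRedundant: false }
    ]
  }
}

// sqlDatabases/containers replace mongodbDatabases/collections; the partition key uses `paths`, not `partitionKeyPaths`.
resource todoDb 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-05-15' = {
  parent: cosmos
  name: 'Todo' // assumed database name
  properties: { resource: { id: 'Todo' } }
}

resource todoList 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-05-15' = {
  parent: todoDb
  name: 'TodoList' // assumed container name
  properties: {
    resource: {
      id: 'TodoList'
      partitionKey: { paths: ['/id'], kind: 'Hash' } // assumed partition key path
    }
  }
}

// Storage: both settings the policy denied in the log below are switched off.
resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowSharedKeyAccess: false  // no account-key / connection-string auth
    allowBlobPublicAccess: false // no anonymous blob access
  }
}

// The application receives only the endpoint, never a key or connection string.
output cosmosEndpoint string = cosmos.properties.documentEndpoint
```

With allowSharedKeyAccess set to false, the Functions host itself must also use an identity-based AzureWebJobsStorage connection (the AzureWebJobsStorage__accountName app setting plus the storage data-plane roles the Functions documentation lists for the function app's identity) instead of a storage connection string.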

3. Configure Role Assignments

Set up appropriate RBAC permissions for your Azure services:

  • Create role assignments that grant your managed identity access to required Azure services
  • Use built-in roles when possible, create custom roles only when necessary
  • Consider creating separate role assignment modules to avoid circular dependencies

Example for Cosmos DB (adapt for your services):

param cosmosAccountName string
param apiPrincipalId string

resource apiCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
  name: '${cosmosAccountName}/${guid(apiPrincipalId, cosmosAccountName, '00000000-0000-0000-0000-000000000002')}'
  properties: {
    roleDefinitionId: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002'
    principalId: apiPrincipalId
    scope: '${resourceGroup().id}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
  }
}

In your main template, reference this module:

module apiCosmosRoleAssignment './app/cosmos-role-assignment.bicep' = {
  name: 'api-cosmos-role'
  params: {
    cosmosAccountName: cosmos.outputs.accountName
    apiPrincipalId: api.outputs.SERVICE_API_IDENTITY_PRINCIPAL_ID
  }
}

4. Common Role Assignment Patterns

For Cosmos DB services:

  • Cosmos DB Built-in Data Reader: 00000000-0000-0000-0000-000000000001
  • Cosmos DB Built-in Data Contributor: 00000000-0000-0000-0000-000000000002

For other Azure services, consult the documentation for:

  • Storage Account roles (Storage Blob Data Reader/Contributor)
  • Key Vault roles (Key Vault Secrets User)
  • Service Bus roles (Service Bus Data Receiver/Sender)
  • Event Hub roles (Event Hubs Data Receiver/Sender)

Common mistakes to avoid:

  • Using custom role definition names instead of built-in role GUIDs
  • Creating standalone role assignment resources at incorrect scopes
  • Having circular dependencies between resource modules

5. Update Application Code

Your application code must be updated to use managed identity. The specific changes depend on your programming language and Azure services used:

General pattern for all languages:

  • Replace connection strings with service endpoints
  • Use Azure SDK libraries that support DefaultAzureCredential
  • Remove hardcoded secrets from configuration files

Example for C# applications using Cosmos DB:

using Azure.Identity;
using Microsoft.Azure.Cosmos;

// The endpoint comes from configuration; the token credential replaces the account key or connection string.
var credential = new DefaultAzureCredential();
var cosmosClient = new CosmosClient(builder.Configuration["AZURE_COSMOS_ENDPOINT"], credential);

Example for Node.js applications using Cosmos DB:

const { DefaultAzureCredential } = require('@azure/identity');
const { CosmosClient } = require('@azure/cosmos');

const credential = new DefaultAzureCredential();
const client = new CosmosClient({
  endpoint: process.env.AZURE_COSMOS_ENDPOINT,
  aadCredentials: credential
});

Key application changes that may be needed:

  • Replace database drivers if necessary (specific to your database/service)
  • Implement repository patterns for data abstraction if converting between APIs
  • Use service endpoints instead of connection strings (e.g., AZURE_COSMOS_ENDPOINT, AZURE_STORAGE_ACCOUNT_ENDPOINT)
  • Ensure all Azure SDK calls use DefaultAzureCredential or similar managed identity patterns
  • Update dependency injection and configuration patterns to support endpoint-based authentication

6. Validation Checklist

Infrastructure changes:

  • Removed all connection string configuration parameters
  • Removed secretsExportConfiguration from resource modules
  • Added disableLocalAuth: true to applicable Azure services
  • Converted API types if required (e.g., MongoDB API to SQL API for Cosmos DB)
  • Created appropriate role assignment modules using built-in role identifiers
  • Removed connection string references from app settings
  • Verified no duplicate resource module deployments exist
  • Ensured managed identity configuration is preserved

Application changes:

  • Updated application code to use DefaultAzureCredential or equivalent
  • Replaced connection strings with service endpoints
  • Updated Azure SDK usage patterns
  • Tested template compilation and deployment
  • Verified application authentication works with managed identity

🛠️ Common Issues and Solutions

Issue: "Local authentication methods are not allowed"

Solution: Ensure disableLocalAuth: true is set on applicable Azure services and no duplicate resource deployments exist.

Issue: "Scope '[scope]' is not valid for this resource type"

Solution: Use appropriate scopes for role assignments and consider using module-based approaches.

Issue: "Role Definition name must be a GUID"

Solution: Use built-in role GUIDs instead of custom role names. Consult Azure documentation for service-specific role identifiers.

Issue: API compatibility problems (specific to certain services)

Solution: Some Azure services may require API version changes when enabling managed identity. Consult service-specific documentation.

Issue: Circular dependency errors

Solution: Separate role assignments into dedicated modules to break dependency cycles between resource modules.

📚 Resources for Implementation

💡 Tip: The examples above are specific to Cosmos DB scenarios. Use them as reference patterns but adapt the approaches to your template's specific Azure services and requirements.

🤖 GitHub Copilot Integration

This guidance provides general patterns that should be adapted to your specific template. When working with GitHub Copilot to address this issue:

  1. Specify your template's context: Include information about the specific Azure services, programming languages, and frameworks used
  2. Reference this guidance: Use this as a starting point but ask Copilot to adapt the steps to your specific scenario
  3. Focus on your services: If your template doesn't use Cosmos DB, ask Copilot to focus on the Azure services you do use
  4. Ask for service-specific guidance: Request guidance for your specific Azure services (Storage, Service Bus, Key Vault, etc.)

Example Copilot prompt:

@copilot This Azure template is failing with a managed identity requirement error (https://aka.ms/safesecretsstandard). The template uses [YOUR_SERVICES] with [YOUR_LANGUAGE] application code. Please help me convert from connection strings to managed identity authentication. Focus on [YOUR_SERVICES] instead of Cosmos DB, and provide specific steps for my stack.

Template-specific information to include:

  • Programming language and framework (C#/.NET, Node.js, Python, Java, etc.)
  • Azure services used (Storage, Service Bus, Key Vault, Cosmos DB, etc.)
  • Current authentication patterns in your code
  • Specific error messages from your template deployment

Template Information

Test Environment

  • Azure Region: eastus2
  • AZD Version: c241503424c35882c04d9a909ff9bb1469cd68c8

Detailed Logs

General Logs

Cloning https://github.com/Azure-Samples/todo-python-mongo-swa-func to C:\Users\shboyer\AppData\Local\Temp\azd-test-deb89dec-3275-48e5-b5c0-830fb59743e6-g_amf3nk
Template requires Docker - checking if Docker is running...
✅ Docker is running - proceeding with deployment
Environment: test-static-react-web-app-functions-1752177137, Region: eastus2
Resource Group: rg-azd-test-static-react-web-app-functions-1752177137
Running azd provision...

AZD Provision Output


Provisioning Azure resources (azd provision)
Provisioning Azure resources can take some time.

Initialize bicep provider
Reading subscription and location from environment...
Subscription: shboyer subscription 
Location: East US 2

Creating a deployment plan
Comparing deployment state
Creating/Updating resources
  You can view detailed progress in the Azure Portal:
  https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F[MASKED]%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Ftest-static-react-web-app-functions-1752177137-1752177145

  (✓) Done: Resource group: rg-test-static-react-web-app-functions-1752177137 (436ms)

ERROR: deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
RequestDisallowedByPolicy: Resource 'cosmos-yqozpj4bpgxp6' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.
InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see details for more information.
RequestDisallowedByPolicy: Resource 'styqozpj4bpgxp6' was disallowed by policy. Reasons: 'This request was denied due to internal policy. Anonymous blob access is not allowed. For more information, refer to https://aka.ms/denyblobaccess.','This request was denied due to internal policy. Local authentication methods are not allowed. For more information, refer to https://aka.ms/safesecretsstandard.'. See error details for policy resource IDs.

TraceID: b9cdb21f32276216c7436cd63c32726c

Updated resource group name from azd output: rg-test-static-react-web-app-functions-1752177137
Cleaning up environment: test-static-react-web-app-functions-1752177137
Target resource group: rg-test-static-react-web-app-functions-1752177137
Using project directory for azd commands: C:\Users\shboyer\AppData\Local\Temp\azd-test-deb89dec-3275-48e5-b5c0-830fb59743e6-g_amf3nk
Executing: azd down --force --purge
Confirmed azd environment 'test-static-react-web-app-functions-1752177137' exists
Fast cleanup mode enabled - skipping azd down, using direct resource group deletion

Action Required

This template failed automated testing. Please:

  1. Review the error details above
  2. Test the template manually if needed
  3. Contact the template author if necessary
  4. Consider updating the template or removing it from the feed

This issue was automatically created by the AZD Template Testing Framework
