Convert template from MongoDB API to SQL API with managed identity authentication #12

Draft: wants to merge 3 commits into base: main

Conversation
@Copilot Copilot AI commented Jul 10, 2025

This PR converts the Azure template from using connection strings to managed identity authentication to resolve Azure policy violations that were causing deployment failures.

Problem

The template was failing deployment with the following policy violations:

  • Local authentication methods are not allowed for Cosmos DB
  • Anonymous blob access is not allowed for Storage Account

Solution

Infrastructure Changes

  • Cosmos DB: Converted from MongoDB API to SQL API with disableLocalAuth: true
  • Role Assignments: Added proper RBAC using built-in Cosmos DB Data Contributor role (00000000-0000-0000-0000-000000000002)
  • Storage Account: Disabled public blob access (allowBlobPublicAccess: false)
  • Configuration: Replaced connection string parameters with endpoint-based authentication

Application Changes

  • Authentication: Replaced connection strings with DefaultAzureCredential
  • Database Layer: Migrated from MongoDB/Beanie to Cosmos DB SQL API
  • Dependencies: Updated requirements.txt to use azure-cosmos instead of beanie
  • Data Models: Converted from MongoDB documents to SQL API containers

API Compatibility

The public REST API endpoints remain unchanged, ensuring backward compatibility:

GET/POST /lists
GET/PUT/DELETE /lists/{id}
GET/POST /lists/{id}/items
GET/PUT/DELETE /lists/{id}/items/{id}
GET /lists/{id}/items/state/{state}

Key Files Modified

  • infra/app/db-avm.bicep - Converted to SQL API with disabled local auth
  • infra/app/cosmos-role-assignment.bicep - New RBAC module
  • infra/main.bicep - Updated app settings and role assignments
  • src/api/todo/models.py - Complete rewrite using SQL API
  • src/api/todo/app.py - Managed identity integration
  • src/api/todo/routes.py - Updated to use SQL API operations

Security Improvements

✅ Eliminated connection string storage and usage
✅ Implemented managed identity authentication
✅ Proper RBAC with minimal required permissions
✅ Disabled public storage account access
✅ Complies with Azure security policies

The template now follows Azure security best practices and should deploy successfully without policy violations.

Fixes #11.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: bicep build infra/main.bicep (dns block)
    • Triggering command: bicep build infra/app/cosmos-role-assignment.bicep --stdout (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


@Copilot Copilot AI changed the title [WIP] [AZD Testing] Failure in template: Static React Web App + Functions with Python API and MongoDB Convert template from MongoDB API to SQL API with managed identity authentication Jul 10, 2025
@Copilot Copilot AI requested a review from spboyer July 10, 2025 20:21
Copilot finished work on behalf of spboyer July 10, 2025 20:21
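The PR description lists three infrastructure settings that clear the two policy findings: a Cosmos DB account on the SQL (NoSQL) API with local authentication disabled, a data-plane role assignment using the built-in Data Contributor role, and a storage account with public blob access turned off. The Bicep below is an added, stand-alone illustration of those three settings; it is not the PR's own infra/app/db-avm.bicep or cosmos-role-assignment.bicep, and the parameter names, API versions, location and the principalId value are assumptions.

```bicep
// Added example, not the PR's own modules. Parameter names, API versions and
// the principalId input are assumed; the role GUID is the one the PR cites.
param location string = resourceGroup().location
param accountName string
param storageName string
param principalId string // object id of the Function App's managed identity (assumed)

// Built-in "Cosmos DB Built-in Data Contributor" data-plane role
var dataContributorRoleId = '00000000-0000-0000-0000-000000000002'

resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  kind: 'GlobalDocumentDB' // SQL (NoSQL) API rather than the MongoDB API
  properties: {
    databaseAccountOfferType: 'Standard'
    // No account keys or connection strings accepted; callers must present
    // an Entra ID token, which is what the policy finding requires.
    disableLocalAuth: true
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: false
      }
    ]
  }
}

// Data-plane RBAC scoped to this single account: the identity can read and
// write data but cannot manage the account or read its keys.
resource roleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
  parent: account
  name: guid(account.id, principalId, dataContributorRoleId)
  properties: {
    roleDefinitionId: '${account.id}/sqlRoleDefinitions/${dataContributorRoleId}'
    principalId: principalId
    scope: account.id
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false // closes the anonymous-blob-access finding
  }
}

// Only the endpoint reaches app settings; there is no secret to store.
output cosmosEndpoint string = account.properties.documentEndpoint
```

Because the account rejects key-based authentication, the only value the application needs is the endpoint output, and the app obtains a token at runtime (DefaultAzureCredential in the PR's Python code). After deployment, `az cosmosdb sql role assignment list --account-name <account> --resource-group <rg>` shows whether the data-plane assignment landed on the intended principal; an app that still fails with an authorization error at this point almost always has the wrong principalId rather than a wrong role.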
Successfully merging this pull request may close these issues:

[AZD Testing] Failure in template: Static React Web App + Functions with Python API and MongoDB