How do we get a connection string for a cosmos database in in a module.

[JohnLudlow]

I have a cosmos database I'm deploying through bicep, and a function app which will interact with the database. I want to deploy the database and configure the app with the AccountEndpoint property.

Because I have a number of similar scenarios, I want to have a cosmosaccount.bicep module and a functionapp.bicep module, and pass the account endpoint from the cosmos account module to the function app module, but I'm not sure how to do that.

First I tried emitting it as an output:

output accountEndpoint string = cosmosAccount.listConnectionStrings().connectionStrings[0].connectionString

This fails because of this linter error (outputs shouldn't contain secrets). Fair enough, seems legit. I could override that but I want to do something that might compromise security.

I've seen this discussion where the recommended fix is to use the existing keyword to get the keyvault. My situation is slightly different (I'm calling listConnectionStrings not `listKeys``), but I'll give it a go:

module cosmacc 'modules/cosmacc.bicep' = { 
  // properties omitted for brevity
}

resource cosmacc_existing 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
  name: cosmacc.outputs.accountName
  scope: resourceGroup(resourceGroupName)
}

module functionapp 'modules/functionapp.bicep' = {
  name: 'functionapp'
  scope: resourceGroup(resourceGroupName)

  params: {
    appSettings: [
     {
       name: 'myConnectionString'
       value: listConnectionStrings(cosmacc_existing.id, cosmacc_existing.apiVersion).connectionStrings[0].connectionString
     }
    ]
  }
}

Running this through the PowerShell module, I get this:

PS> new-AzSubscriptionDeployment -Name "deployment" -TemplateFile main.bicep -Location uksouth -Verbose
VERBOSE: Using Bicep v0.11.1
VERBOSE: 
New-AzDeployment: 18:36:39 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 
'The template resource 'functionapp' at line '539' and column '9' is not valid: 
The template function 'reference' is not expected at this location. Please see 
https://aka.ms/arm-template-expressions for usage details.. 
Please see https://aka.ms/arm-template-expressions for usage details.'.

New-AzDeployment: The deployment validation failed

Is listConnections not supposed to work the same way as listKeys? Have I missed something blindingly obvious? The common module examples just show a hardcoded string right in the .bicep which is obviously not ideal.

[AdamRiddick]

You can call list connection strings against your existing cosmos DB reference;

cosmacc_existing.listConnectionStrings().connectionStrings[0].connectionString

I wouldn't recommend putting that directly in the function app setting though, and I imagine you'll get warnings about it (I hope). It would be better to put this value in a key vault secret and use a key vault secret reference (https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli) from your function app settings.

[JohnLudlow]

Thanks,

We did get some warnings putting it in the app settings. The intention was to make a "clean" deployment where you start with an empty subscription and everything, including keyvaults, get deployed by bicep template.

We've seen some issues with certificate and secret security doing things that way though so I think we'll have a keyvault anyway.

I guess we'll just need that sooner than we thought.

Thanks for your help

[ishan1608]

@AdamRiddick Where can I find documentation for this?