Randomly authenticate to Azure Cosmos DB with key or data plane RBAC

Signed-off-by: Jianguo Ma <[email protected]>
majguo · Aug 8, 2024 · 6dd8358 · 6dd8358
1 parent 7ecbc63
commit 6dd8358
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 20 deletions.
diff --git a/.github/create-azure-resources.sh b/.github/create-azure-resources.sh
@@ -69,23 +69,3 @@ az cosmosdb create \
     -g ${RESOURCE_GROUP_NAME} \
     --default-consistency-level Session \
     --locations regionName='West US' failoverPriority=0 isZoneRedundant=False
-
-az cosmosdb sql database create \
-    -a ${COSMOSDB_ACCOUNT_NAME} \
-    -g ${RESOURCE_GROUP_NAME} \
-    -n demodb
-
-az cosmosdb sql container create \
-    -a ${COSMOSDB_ACCOUNT_NAME} \
-    -g ${RESOURCE_GROUP_NAME} \
-    -d demodb \
-    -n democontainer \
-    -p "/id"
-
-servicePrincipal=$(az ad sp list --filter "appId eq '$AZURE_CLIENT_ID'" --query '[0].id' -o tsv)
-az cosmosdb sql role assignment create \
-    --account-name ${COSMOSDB_ACCOUNT_NAME} \
-    --resource-group ${RESOURCE_GROUP_NAME} \
-    --scope "/" \
-    --principal-id ${servicePrincipal} \
-    --role-definition-id 00000000-0000-0000-0000-000000000002
diff --git a/.github/run-integration-test.sh b/.github/run-integration-test.sh
@@ -38,6 +38,36 @@ export QUARKUS_AZURE_COSMOS_ENDPOINT=$(az cosmosdb show \
     -g ${RESOURCE_GROUP_NAME} \
     --query documentEndpoint -o tsv)
 
+# Randomly authenticate to Azure Cosmos DB with key or data plane RBAC
+number=$(shuf -i 1-100 -n 1)
+if [ $((number % 2)) -eq 0 ]; then
+  # Export the key that has full access to the account including management plane and data plane operations
+  export QUARKUS_AZURE_COSMOS_KEY=$(az cosmosdb keys list \
+      -n ${COSMOSDB_ACCOUNT_NAME} \
+      -g ${RESOURCE_GROUP_NAME} \
+      --query primaryMasterKey -o tsv)
+else
+  # Create a database and a container beforehand as data plane operations with assigned role cannot create them
+  az cosmosdb sql database create \
+      -a ${COSMOSDB_ACCOUNT_NAME} \
+      -g ${RESOURCE_GROUP_NAME} \
+      -n demodb
+  az cosmosdb sql container create \
+      -a ${COSMOSDB_ACCOUNT_NAME} \
+      -g ${RESOURCE_GROUP_NAME} \
+      -d demodb \
+      -n democontainer \
+      -p "/id"
+
+  servicePrincipal=$(az ad sp list --filter "appId eq '$AZURE_CLIENT_ID'" --query '[0].id' -o tsv)
+  az cosmosdb sql role assignment create \
+      --account-name ${COSMOSDB_ACCOUNT_NAME} \
+      --resource-group ${RESOURCE_GROUP_NAME} \
+      --scope "/" \
+      --principal-id ${servicePrincipal} \
+      --role-definition-id 00000000-0000-0000-0000-000000000002
+fi
+
 # Run integration test with existing native executables against Azure services
 mvn -B test-compile failsafe:integration-test -Dnative -Dazure.test=true