use shared aks project name and environment name instead of identity …

…profile object id

Environments/Todo-Mongo-AKS/get-aks-info.bicep

@@ -0,0 +1,5 @@
+param aksName string
+resource aks 'Microsoft.ContainerService/managedClusters@2023-10-02-preview' existing = {
+  name: aksName
+}
+output aksIdentityObjectId string = aks.properties.identityProfile.kubeletidentity.objectId

Environments/Todo-Mongo-AKS/get-shared-aks-name.bicep

@@ -0,0 +1,62 @@
+@description('app deployment name')
+param appDeployName string
+
+@description('Shared AKS resource group')
+param aksResourceGroupName string
+
+@description('Timestamp - utcNow can only be called as a default value of a parameter.')
+param timestamp string = utcNow()
+
+@description('The location to run the deployment script in')
+param location string = resourceGroup().location
+
+param identityName string
+
+var scriptToExecute = '''
+$output = Get-AzResource -ResourceGroupName $Env:RESOURCEGROUP -ResourceType Microsoft.ContainerService/ManagedClusters
+
+Write-Output $output
+$DeploymentScriptOutputs = @{}
+$DeploymentScriptOutputs['text'] = $output.Name
+'''
+
+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: identityName
+  location: location
+}
+
+module roleAssignemnt './core/security/role.bicep' = {
+  name: 'read-role-assignment-to-aks'
+  scope: resourceGroup(aksResourceGroupName)
+  params: {
+    principalId: identity.properties.principalId
+    roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+  }
+}
+
+resource script 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+  kind: 'AzurePowerShell'
+  name: '${appDeployName}-get-aks-script'
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}' : {}
+    }
+  }
+  properties: {
+    forceUpdateTag: timestamp
+    azPowerShellVersion: '7.2.0'
+    retentionInterval: 'PT1H'
+    scriptContent: scriptToExecute
+    cleanupPreference: 'Always'
+    environmentVariables: [
+      {
+        name: 'RESOURCEGROUP'
+        value: aksResourceGroupName
+      }
+    ]
+  }
+}
+
+output clusterName string = empty(script.properties.outputs.text) ? '' : script.properties.outputs.text

Environments/Todo-Mongo-AKS/main.bicep

@@ -11,25 +11,15 @@ param cosmosAccountName string = ''
 param cosmosDatabaseName string = ''
 param keyVaultName string = ''
 param principalId string = ''
-param aksClusterIdentityObjectId string
 param configStoreName string = ''
+param sharedAKSProjectName string
+param sharedAKSEnvironmentName string 
+var sharedAKSResourceGroup = '${sharedAKSProjectName}-${sharedAKSEnvironmentName}'
 
 var abbrs = loadJsonContent('./abbreviations.json')
 var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
 var tags = { 'azd-env-name': environmentName }
 
-// The application database
-module cosmos './app/db.bicep' = {
-  name: 'cosmos'
-  params: {
-    accountName: !empty(cosmosAccountName) ? cosmosAccountName : '${abbrs.documentDBDatabaseAccounts}${resourceToken}'
-    databaseName: cosmosDatabaseName
-    location: location
-    tags: tags
-    keyVaultName: keyVault.outputs.name
-  }
-}
-
 // Store secrets in a keyvault
 module keyVault './core/security/keyvault.bicep' = {
   name: 'keyvault'
@@ -41,14 +31,66 @@ module keyVault './core/security/keyvault.bicep' = {
   }
 }
 
+
+module aksName 'get-shared-aks-name.bicep' = {
+  name: 'get-aks-name'
+  params: {
+    appDeployName: 'todo-deploy'
+    aksResourceGroupName: sharedAKSResourceGroup
+    identityName : '${abbrs.managedIdentityUserAssignedIdentities}dp-${resourceToken}'
+    location: location
+  }
+}
+
+module aks 'get-aks-info.bicep' = {
+  name: 'aks'
+  scope: resourceGroup(sharedAKSResourceGroup)
+  params: {
+    aksName: aksName.outputs.clusterName
+  }
+}
+
 module clusterKeyVaultAccess './core/security/keyvault-access.bicep' = {
   name: 'cluster-keyvault-access'
   params: {
     keyVaultName: keyVault.outputs.name
-    principalId: aksClusterIdentityObjectId
+    principalId: aks.outputs.aksIdentityObjectId
   }
 }
 
+// Give the API the role to access Cosmos
+module apiCosmosSqlRoleAssign './core/database/cosmos/sql/cosmos-sql-role-assign.bicep' = {
+  name: 'api-cosmos-access'
+  params: {
+    accountName: cosmos.outputs.accountName
+    roleDefinitionId: cosmos.outputs.roleDefinitionId
+    principalId: aks.outputs.aksIdentityObjectId
+  }
+}
+
+// Give the API the role to access Cosmos
+module userComsosSqlRoleAssign './core/database/cosmos/sql/cosmos-sql-role-assign.bicep' = if (principalId != '') {
+  name: 'user-cosmos-access'
+  params: {
+    accountName: cosmos.outputs.accountName
+    roleDefinitionId: cosmos.outputs.roleDefinitionId
+    principalId: principalId
+  }
+}
+
+// The application database
+module cosmos './app/db.bicep' = {
+  name: 'cosmos'
+  params: {
+    accountName: !empty(cosmosAccountName) ? cosmosAccountName : '${abbrs.documentDBDatabaseAccounts}${resourceToken}'
+    databaseName: cosmosDatabaseName
+    location: location
+    tags: tags
+    keyVaultName: keyVault.outputs.name
+  }
+}
+
+
 @description('Specifies the content type of the key-value resources. For feature flag, the value should be application/vnd.microsoft.appconfig.ff+json;charset=utf-8. For Key Value reference, the value should be application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8. Otherwise, it\'s optional.')
 param contentType string = ''
 

Environments/Todo-Mongo-AKS/manifest.yaml

@@ -18,8 +18,14 @@ parameters:
   type: string
   required: true
 
-- id: "aksClusterIdentityObjectId"
-  name: "AKS Cluster Identity Object Id"
-  description: "Object Id of the identity used by the AKS cluster to access the KeyVault"
+- id: "sharedAKSProjectName"
+  name: "sharedAKSProjectName"
+  description: "ADE Project name for the shared AKS cluster"
+  type: string
+  required: true
+
+- id: "sharedAKSEnvironmentName"
+  name: "sharedAKSEnvironmentName"
+  description: "ADE environment name for the shared AKS cluster"
   type: string
   required: true