Tags: azure, terraform, azure-web-app-service, azure-cosmosdb, terraform-provider-azure

Cosmos db disable local authentication for nosql using terraform


I have a Cosmos DB account that was created via Terraform, in which I have multiple databases. When I go to Data Explorer, the API type shows as NoSQL API and the kind is "GlobalDocumentDB". We have a security policy being enforced in the infra saying "Cosmos DB database accounts should have local authentication methods disabled". When I check the Terraform documentation it says: "local_authentication_disabled - (Optional) Disable local authentication and ensure only MSI and AAD can be used exclusively for authentication. Defaults to false. Can be set only when using the SQL API."

Could you please help me understand how I can disable this in my case, without affecting the existing databases? On the authentication side I am planning to grant an RBAC role to the web app's managed identity and add "COSMOS_ENDPOINT= " to the environment variables of the web app (value = azurerm_cosmosdb_account.cosmos_account.endpoint).


Solution

  • I think the Terraform docs are just confusing/out-of-date - CosmosDB doesn't currently have a "SQL API". I have the same NOSQL configuration and local_authentication_disabled works just fine:

    resource "azurerm_cosmosdb_account" "db" {
      name                = "<name>"      # placeholder
      location            = "<location>"  # placeholder
      resource_group_name = "<rgname>"    # placeholder
      offer_type          = "Standard"
      kind                = "GlobalDocumentDB"  # the NoSQL (formerly "SQL") API

      # Account-wide: rejects account keys and resource tokens, leaving only
      # Microsoft Entra ID (AAD) identities as a way to authenticate.
      local_authentication_disabled = true
      ...
    }


    Not sure what you mean about "without affecting existing databases" though - local/secrets-based auth is enabled or disabled at the CosmosDB account level, so if you do disable it that will apply to all the account's databases. You can add the authorized RBAC reader/writer identities via Terraform too though:

    resource "azurerm_cosmosdb_sql_role_assignment" "cache_role_assignment" {
      # One assignment per principal; var.authorized_users is an assumed input
      # variable holding objects with an object_id attribute.
      for_each            = toset([for user in var.authorized_users : user.object_id])
      resource_group_name = "<rgname>"  # placeholder
      account_name        = azurerm_cosmosdb_account.db.name
      role_definition_id  = azurerm_cosmosdb_sql_role_definition.custom_role.id # or built-in role_id
      scope               = azurerm_cosmosdb_account.db.id
      principal_id        = each.value
    }
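Putting the answer together with the asker's plan (web app managed identity plus a COSMOS_ENDPOINT app setting), here is an added, self-contained configuration that is not from the original post. It assumes an existing resource group `rg` and Linux service plan `plan`, uses placeholder resource names, and grants the built-in "Cosmos DB Built-in Data Contributor" data-plane role instead of a custom role definition.

```hcl
# Added example (not from the original post). Assumes azurerm_resource_group.rg
# and azurerm_service_plan.plan already exist in the same configuration.
resource "azurerm_cosmosdb_account" "db" {
  name                = "example-cosmos"  # placeholder
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB"  # NoSQL API

  # Account-wide switch: keys and resource tokens stop working for every
  # database in the account; only Entra ID principals with a data-plane
  # role assignment can connect.
  local_authentication_disabled = true

  consistency_policy {
    consistency_level = "Session"
  }

  geo_location {
    location          = azurerm_resource_group.rg.location
    failover_priority = 0
  }
}

resource "azurerm_linux_web_app" "web" {
  name                = "example-web"  # placeholder
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_service_plan.plan.id

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    # The app authenticates with its managed identity against this endpoint;
    # no account key is stored in app settings or Key Vault.
    COSMOS_ENDPOINT = azurerm_cosmosdb_account.db.endpoint
  }
}

# Built-in data-plane role "Cosmos DB Built-in Data Contributor" (GUID ...0002).
resource "azurerm_cosmosdb_sql_role_assignment" "web_data_contributor" {
  resource_group_name = azurerm_resource_group.rg.name
  account_name        = azurerm_cosmosdb_account.db.name
  role_definition_id  = "${azurerm_cosmosdb_account.db.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
  scope               = azurerm_cosmosdb_account.db.id
  principal_id        = azurerm_linux_web_app.web.identity[0].principal_id
}
```

For least privilege, `scope` can be narrowed from the whole account to a single database (`"${azurerm_cosmosdb_account.db.id}/dbs/<database>"`) so the web app only reaches the data it needs.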