infra: add processor app RBAC roles for Storage and Cosmos DB

Processor container app also needs Storage Blob Data Contributor and Cosmos DB
Contributor roles. Added processorAppServicePrincipalId param to role-assignments
and wired it from both avm and bicep main.bicep.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Prachig-Microsoft

infra/avm/main.bicep

@@ -505,6 +505,7 @@ module role_assignments './modules/identity/role-assignments.bicep' = {
     aiProjectPrincipalId: aiProjectPrincipalId
     aiSearchPrincipalId: ''
     backendAppServicePrincipalId: ca_backend_api.outputs.principalId
+    processorAppServicePrincipalId: ca_processor.outputs.principalId
     cosmosDbAccountName: cosmosDBModule.outputs.name
   }
   scope: resourceGroup(resourceGroup().name)

infra/avm/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "15764079419575495208"
+      "templateHash": "12508925618781201963"
     }
   },
   "parameters": {
@@ -37788,6 +37788,9 @@
           "backendAppServicePrincipalId": {
             "value": "[reference('ca_backend_api').outputs.principalId.value]"
           },
+          "processorAppServicePrincipalId": {
+            "value": "[reference('ca_processor').outputs.principalId.value]"
+          },
           "cosmosDbAccountName": {
             "value": "[reference('cosmosDBModule').outputs.name.value]"
           }
@@ -37799,7 +37802,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "16220137308567374453"
+              "templateHash": "2474904975964647902"
             }
           },
           "parameters": {
@@ -37845,6 +37848,13 @@
                 "description": "Principal ID of the backend App Service system-assigned identity (empty if not deployed)."
               }
             },
+            "processorAppServicePrincipalId": {
+              "type": "string",
+              "defaultValue": "",
+              "metadata": {
+                "description": "Principal ID of the processor App Service system-assigned identity (empty if not deployed)."
+              }
+            },
             "aiFoundryResourceId": {
               "type": "string",
               "defaultValue": "",
@@ -37997,6 +38007,18 @@
                 "principalType": "ServicePrincipal"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('processorAppServicePrincipalId'))))]",
+              "type": "Microsoft.Authorization/roleAssignments",
+              "apiVersion": "2022-04-01",
+              "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+              "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('processorAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+              "properties": {
+                "principalId": "[parameters('processorAppServicePrincipalId')]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                "principalType": "ServicePrincipal"
+              }
+            },
             {
               "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
               "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
@@ -38008,6 +38030,17 @@
                 "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName'))]"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('processorAppServicePrincipalId'))))]",
+              "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
+              "apiVersion": "2025-10-15",
+              "name": "[format('{0}/{1}', parameters('cosmosDbAccountName'), guid(parameters('solutionName'), resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDbAccountName'), '00000000-0000-0000-0000-000000000002'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName')), parameters('processorAppServicePrincipalId')))]",
+              "properties": {
+                "principalId": "[parameters('processorAppServicePrincipalId')]",
+                "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDbAccountName'), '00000000-0000-0000-0000-000000000002')]",
+                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName'))]"
+              }
+            },
             {
               "condition": "[and(parameters('useExistingAIProject'), not(empty(parameters('aiSearchPrincipalId'))))]",
               "type": "Microsoft.Resources/deployments",
@@ -38192,6 +38225,7 @@
       "dependsOn": [
         "ai_foundry_project",
         "ca_backend_api",
+        "ca_processor",
         "cosmosDBModule",
         "existing_project_setup",
         "storage_account"

infra/avm/modules/identity/role-assignments.bicep

@@ -28,6 +28,9 @@ param aiSearchPrincipalId string = ''
 @description('Principal ID of the backend App Service system-assigned identity (empty if not deployed).')
 param backendAppServicePrincipalId string = ''
 
+@description('Principal ID of the processor App Service system-assigned identity (empty if not deployed).')
+param processorAppServicePrincipalId string = ''
+
 // --- Resource References ---
 
 @description('Resource ID of the AI Foundry account (empty if not deployed — new project path).')
@@ -227,9 +230,20 @@ resource backendAppStorageContributor 'Microsoft.Authorization/roleAssignments@2
   }
 }
 
+// Processor App → Storage Blob Data Contributor
+resource processorAppStorageContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(storageAccountResourceId) && !empty(processorAppServicePrincipalId)) {
+  name: guid(solutionName, storageAccount.id, processorAppServicePrincipalId, roleDefinitions.storageBlobDataContributor)
+  scope: storageAccount
+  properties: {
+    principalId: processorAppServicePrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.storageBlobDataContributor)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ============================================================================
 // 4. COSMOS DB ROLE ASSIGNMENTS
-//    Backend App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)
+//    Backend and Processor App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)
 // ============================================================================
 
 resource backendAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2025-10-15' = if (!empty(cosmosDbAccountName) && !empty(backendAppServicePrincipalId)) {
@@ -242,3 +256,13 @@ resource backendAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/s
   }
 }
 
+resource processorAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2025-10-15' = if (!empty(cosmosDbAccountName) && !empty(processorAppServicePrincipalId)) {
+  parent: cosmosAccount
+  name: guid(solutionName, cosmosContributorRoleDefinition.id, cosmosAccount.id, processorAppServicePrincipalId)
+  properties: {
+    principalId: processorAppServicePrincipalId
+    roleDefinitionId: cosmosContributorRoleDefinition.id
+    scope: cosmosAccount.id
+  }
+}
+

infra/bicep/main.bicep

@@ -460,6 +460,7 @@ module role_assignments './modules/identity/role-assignments.bicep' = {
     deployerPrincipalId: deployingUserPrincipalId
     deployerPrincipalType: deployingUserPrincipalType
     backendAppServicePrincipalId: ca_backend_api.outputs.principalId
+    processorAppServicePrincipalId: ca_processor.outputs.principalId
     cosmosDbAccountName: cosmosDBModule.outputs.name
   }
   scope: resourceGroup(resourceGroup().name)

infra/bicep/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "2315337546245675369"
+      "templateHash": "8972167897125395354"
     }
   },
   "parameters": {
@@ -2571,6 +2571,9 @@
           "backendAppServicePrincipalId": {
             "value": "[reference(resourceId('Microsoft.Resources/deployments', take(format('module.ca-backend-api.{0}', parameters('solutionName')), 64)), '2025-04-01').outputs.principalId.value]"
           },
+          "processorAppServicePrincipalId": {
+            "value": "[reference(resourceId('Microsoft.Resources/deployments', take(format('module.ca-processor.{0}', parameters('solutionName')), 64)), '2025-04-01').outputs.principalId.value]"
+          },
           "cosmosDbAccountName": {
             "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', take(format('module.cosmos-db.{0}', parameters('solutionName')), 64)), '2025-04-01').outputs.name.value]"
           }
@@ -2582,7 +2585,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "17859174180959627964"
+              "templateHash": "14585030683408144049"
             }
           },
           "parameters": {
@@ -2628,6 +2631,13 @@
                 "description": "Principal ID of the backend App Service system-assigned identity (empty if not deployed)."
               }
             },
+            "processorAppServicePrincipalId": {
+              "type": "string",
+              "defaultValue": "",
+              "metadata": {
+                "description": "Principal ID of the processor App Service system-assigned identity (empty if not deployed)."
+              }
+            },
             "deployerPrincipalId": {
               "type": "string",
               "defaultValue": "",
@@ -2799,6 +2809,18 @@
                 "principalType": "ServicePrincipal"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('processorAppServicePrincipalId'))))]",
+              "type": "Microsoft.Authorization/roleAssignments",
+              "apiVersion": "2022-04-01",
+              "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+              "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('processorAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+              "properties": {
+                "principalId": "[parameters('processorAppServicePrincipalId')]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                "principalType": "ServicePrincipal"
+              }
+            },
             {
               "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
               "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
@@ -2810,6 +2832,17 @@
                 "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName'))]"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('processorAppServicePrincipalId'))))]",
+              "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
+              "apiVersion": "2025-10-15",
+              "name": "[format('{0}/{1}', parameters('cosmosDbAccountName'), guid(parameters('solutionName'), resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDbAccountName'), '00000000-0000-0000-0000-000000000002'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName')), parameters('processorAppServicePrincipalId')))]",
+              "properties": {
+                "principalId": "[parameters('processorAppServicePrincipalId')]",
+                "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDbAccountName'), '00000000-0000-0000-0000-000000000002')]",
+                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosDbAccountName'))]"
+              }
+            },
             {
               "condition": "[and(and(not(parameters('useExistingAIProject')), not(empty(parameters('deployerPrincipalId')))), not(empty(parameters('aiFoundryResourceId'))))]",
               "type": "Microsoft.Authorization/roleAssignments",
@@ -3054,6 +3087,7 @@
       "dependsOn": [
         "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', take(format('module.ai-foundry-project.{0}', parameters('solutionName')), 64))]",
         "[resourceId('Microsoft.Resources/deployments', take(format('module.ca-backend-api.{0}', parameters('solutionName')), 64))]",
+        "[resourceId('Microsoft.Resources/deployments', take(format('module.ca-processor.{0}', parameters('solutionName')), 64))]",
         "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', take(format('module.cosmos-db.{0}', parameters('solutionName')), 64))]",
         "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('aiServiceSubscription'), variables('aiServiceResourceGroup')), 'Microsoft.Resources/deployments', take(format('module.existing-project-setup.{0}', parameters('solutionName')), 64))]",
         "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', take(format('module.storage-account.{0}', parameters('solutionName')), 64))]"

infra/bicep/modules/identity/role-assignments.bicep

@@ -28,6 +28,9 @@ param aiSearchPrincipalId string = ''
 @description('Principal ID of the backend App Service system-assigned identity (empty if not deployed).')
 param backendAppServicePrincipalId string = ''
 
+@description('Principal ID of the processor App Service system-assigned identity (empty if not deployed).')
+param processorAppServicePrincipalId string = ''
+
 @description('Principal ID of the deploying user (for user access roles).')
 param deployerPrincipalId string = ''
 
@@ -235,9 +238,20 @@ resource backendAppStorageContributor 'Microsoft.Authorization/roleAssignments@2
   }
 }
 
+// Processor App → Storage Blob Data Contributor
+resource processorAppStorageContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(storageAccountResourceId) && !empty(processorAppServicePrincipalId)) {
+  name: guid(solutionName, storageAccount.id, processorAppServicePrincipalId, roleDefinitions.storageBlobDataContributor)
+  scope: storageAccount
+  properties: {
+    principalId: processorAppServicePrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.storageBlobDataContributor)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ============================================================================
 // 4. COSMOS DB ROLE ASSIGNMENTS
-//    Backend App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)
+//    Backend and Processor App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)
 // ============================================================================
 
 resource backendAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2025-10-15' = if (!empty(cosmosDbAccountName) && !empty(backendAppServicePrincipalId)) {
@@ -250,6 +264,16 @@ resource backendAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/s
   }
 }
 
+resource processorAppCosmosRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2025-10-15' = if (!empty(cosmosDbAccountName) && !empty(processorAppServicePrincipalId)) {
+  parent: cosmosAccount
+  name: guid(solutionName, cosmosContributorRoleDefinition.id, cosmosAccount.id, processorAppServicePrincipalId)
+  properties: {
+    principalId: processorAppServicePrincipalId
+    roleDefinitionId: cosmosContributorRoleDefinition.id
+    scope: cosmosAccount.id
+  }
+}
+
 // ============================================================================
 // 5. DEPLOYER (USER) ROLE ASSIGNMENTS
 //    Deploying user → AI Services, Search, Storage (Bicep-only)