SFI: Use RBAC over key based auth

src/event-ingest-func/PlayerEvents.cs

@@ -40,7 +40,8 @@ public async Task<HttpResponseData> OnPlayerConnected([HttpTrigger(Authorization
             throw;
         }
 
-        await using (var client = new ServiceBusClient(configuration["service_bus_connection_string"]))
+        var credential = new DefaultAzureCredential();
+        await using (var client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential))
         {
             var sender = client.CreateSender("player_connected_queue");
             await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(onPlayerConnected)));
@@ -67,7 +68,8 @@ public async Task<HttpResponseData> OnChatMessage([HttpTrigger(AuthorizationLeve
             throw;
         }
 
-        await using (var client = new ServiceBusClient(configuration["service_bus_connection_string"]))
+        var credential = new DefaultAzureCredential();
+        await using (var client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential))
         {
             var sender = client.CreateSender("chat_message_queue");
             await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(onChatMessage)));
@@ -94,7 +96,8 @@ public async Task<HttpResponseData> OnMapVote([HttpTrigger(AuthorizationLevel.Fu
             throw;
         }
 
-        await using (var client = new ServiceBusClient(configuration["service_bus_connection_string"]))
+        var credential = new DefaultAzureCredential();
+        await using (var client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential))
         {
             var sender = client.CreateSender("map_vote_queue");
             await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(onMapVote)));

src/event-ingest-func/PlayerEventsIngest.cs

@@ -37,7 +37,7 @@ public PlayerEventsIngest(
 
     [Function("ProcessOnPlayerConnected")]
     public async Task ProcessOnPlayerConnected(
-        [ServiceBusTrigger("player_connected_queue", Connection = "service_bus_connection_string")]
+        [ServiceBusTrigger("player_connected_queue", Connection = "ServiceBusConnection")]
         string myQueueItem)
     {
         OnPlayerConnected? onPlayerConnected;
@@ -98,7 +98,7 @@ public async Task ProcessOnPlayerConnected(
 
     [Function("ProcessOnChatMessage")]
     public async Task ProcessOnChatMessage(
-        [ServiceBusTrigger("chat_message_queue", Connection = "service_bus_connection_string")]
+        [ServiceBusTrigger("chat_message_queue", Connection = "ServiceBusConnection")]
         string myQueueItem)
     {
         OnChatMessage? onChatMessage;
@@ -146,7 +146,7 @@ public async Task ProcessOnChatMessage(
 
     [Function("ProcessOnMapVote")]
     public async Task ProcessOnMapVote(
-     [ServiceBusTrigger("map_vote_queue", Connection = "service_bus_connection_string")]
+     [ServiceBusTrigger("map_vote_queue", Connection = "ServiceBusConnection")]
         string myQueueItem)
     {
         OnMapVote? onMapVote;

src/event-ingest-func/ReprocessDeadLetterQueue.cs

@@ -33,7 +33,8 @@ public async Task<HttpResponseData> RunReprocessDeadLetterQueue([HttpTrigger(Aut
 
         try
         {
-            ServiceBusClient client = new ServiceBusClient(configuration["service_bus_connection_string"]);
+            var credential = new DefaultAzureCredential();
+            ServiceBusClient client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential);
             ServiceBusSender sender = client.CreateSender(queueName);
 
             ServiceBusReceiver receiver = client.CreateReceiver(queueName, new ServiceBusReceiverOptions

src/event-ingest-func/ServerEvents.cs

@@ -40,7 +40,8 @@ public async Task<HttpResponseData> OnServerConnected([HttpTrigger(Authorization
             throw;
         }
 
-        await using (var client = new ServiceBusClient(configuration["service_bus_connection_string"]))
+        var credential = new DefaultAzureCredential();
+        await using (var client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential))
         {
             var sender = client.CreateSender("server_connected_queue");
             await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(onServerConnected)));
@@ -67,7 +68,8 @@ public async Task<HttpResponseData> OnMapChange([HttpTrigger(AuthorizationLevel.
             throw;
         }
 
-        await using (var client = new ServiceBusClient(configuration["service_bus_connection_string"]))
+        var credential = new DefaultAzureCredential();
+        await using (var client = new ServiceBusClient(configuration["ServiceBusConnection:fullyQualifiedNamespace"], credential))
         {
             var sender = client.CreateSender("map_change_queue");
             await sender.SendMessageAsync(new ServiceBusMessage(JsonConvert.SerializeObject(onMapChange)));

src/event-ingest-func/ServerEventsIngest.cs

@@ -24,7 +24,7 @@ public ServerEventsIngest(
 
     [Function("ProcessOnServerConnected")]
     public async Task ProcessOnServerConnected(
-        [ServiceBusTrigger("server_connected_queue", Connection = "service_bus_connection_string")]
+        [ServiceBusTrigger("server_connected_queue", Connection = "ServiceBusConnection")]
         string myQueueItem)
     {
         OnServerConnected? onServerConnected;
@@ -53,7 +53,7 @@ public async Task ProcessOnServerConnected(
 
     [Function("ProcessOnMapChange")]
     public async Task ProcessOnMapChange(
-        [ServiceBusTrigger("map_change_queue", Connection = "service_bus_connection_string")]
+        [ServiceBusTrigger("map_change_queue", Connection = "ServiceBusConnection")]
         string myQueueItem)
     {
         OnMapChange? onMapChange;

terraform/function_app.tf

@@ -42,9 +42,10 @@ resource "azurerm_linux_function_app" "app" {
   }
 
   app_settings = {
-    "WEBSITE_RUN_FROM_PACKAGE"                          = "0" # This will be set to 0 on initial creation but will be updated to 1 when the package is deployed (required for azurerm_function_app_host_keys)
-    "ApplicationInsightsAgent_EXTENSION_VERSION"        = "~3"
-    "service_bus_connection_string"                     = format("@Microsoft.KeyVault(VaultName=%s;SecretName=%s)", azurerm_key_vault.kv.name, azurerm_key_vault_secret.service_bus_connection_string_secret.name)
+    "WEBSITE_RUN_FROM_PACKAGE"                      = "0" # This will be set to 0 on initial creation but will be updated to 1 when the package is deployed (required for azurerm_function_app_host_keys)
+    "ApplicationInsightsAgent_EXTENSION_VERSION"    = "~3"
+    "ServiceBusConnection__fullyQualifiedNamespace" = format("%s.servicebus.windows.net", azurerm_servicebus_namespace.ingest.name)
+    //"service_bus_connection_string"                     = format("@Microsoft.KeyVault(VaultName=%s;SecretName=%s)", azurerm_key_vault.kv.name, azurerm_key_vault_secret.service_bus_connection_string_secret.name)
     "apim_base_url"                                     = data.azurerm_api_management.core.gateway_url
     "portal_repository_apim_subscription_key_primary"   = format("@Microsoft.KeyVault(VaultName=%s;SecretName=%s)", azurerm_key_vault.kv.name, azurerm_key_vault_secret.repository_api_subscription_secret_primary.name)
     "portal_repository_apim_subscription_key_secondary" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=%s)", azurerm_key_vault.kv.name, azurerm_key_vault_secret.repository_api_subscription_secret_secondary.name)