Skip to content

Add managed_identity policy KQL generation for Kusto databases#160

Merged
2 commits merged intomainfrom
copilot/add-managed-identity-policy-support
Apr 10, 2026
Merged

Add managed_identity policy KQL generation for Kusto databases#160
2 commits merged intomainfrom
copilot/add-managed-identity-policy-support

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 9, 2026
edited
Loading

Adds support for generating .alter-merge database ... policy managed_identity KQL from structured configuration, accessible via the .NET API without executing against a live cluster.

Changes

  • Model/ManagedIdentityPolicy.cs (new): Model with ObjectId (GUID string) and AllowedUsages (List<string>) properties. CreateScript(databaseName) emits the policy KQL with BracketIfIdentifier() escaping on the database name.
  • Model/Database.cs: Added ManagedIdentityPolicies (List<ManagedIdentityPolicy>) property.
  • Changes/DatabaseChanges.cs: Includes managed identity policy scripts in the database-level script comparison for both old and new state, enabling proper diff/change detection.

Generated KQL

.alter-merge database MyDatabase policy managed_identity ```[
  {
    "ObjectId": "12345678-1234-1234-1234-123456789abc",
    "AllowedUsages": "AutomatedFlows, ExternalTable, NativeIngestion"
  }
]```

Multiple ManagedIdentityPolicy entries in the list each produce a separate .alter-merge command. AllowedUsages values are joined with ", " to produce the comma-separated string Kusto expects.

Original prompt

Add support to KustoSchemaTools for generating Azure Data Explorer (Kusto) database managed_identity policy KQL, using user-assigned managed identity (GUID objectId) and a list of AllowedUsages.

Requirements:

  • KustoSchemaTools must ONLY generate KQL/config payload; it must not execute against a live Kusto cluster.
  • The new feature must be accessible from the .NET API that consumer apps call.
  • Configuration contract (Option A - structured):
    • objectId: string (GUID of user-assigned managed identity)
    • allowedUsages: string[] (must support AutomatedFlows, ExternalTable, NativeIngestion)
    • The target database name is provided separately (already in existing inputs); do not require database name inside the managed-identity settings object.
  • Generated KQL must follow this form (spacing/quoting can match existing formatting conventions in the repo):
    .alter-merge database policy managed_identity [
    { "ObjectId": "", "AllowedUsages": "AutomatedFlows,ExternalTable,NativeIngestion" }
    ]
  • Decide whether to support alter vs alter-merge; prefer alter-merge to avoid destroying other policy entries, unless the repo has a strong existing convention.
  • Wire the generator into the existing structured diff output model so that the managed identity policy KQL appears in the structured response for a given database.
  • Add unit tests that verify the exact generated KQL snippet (golden/snapshot style) for:
    • objectId = ""
    • allowedUsages = ["AutomatedFlows","ExternalTable","NativeIngestion"]
    • database = "MyDatabase"
  • Ensure tests are deterministic and do not depend on external services.
  • Keep changes small and readable; optimize for clear naming and minimal API surface.

Implementation steps (self-directed by agent):

  1. Explore the repo to find how KustoSchemaTools currently generates the structured diff / output KQL/config.
  2. Implement a new managed-identity policy generator module that outputs KQL text (and integrates with any existing structured response classes).
  3. Extend the .NET options/input model to accept the new managed identity settings.
  4. Add a unit test that asserts the produced KQL payload is correct.
  5. Create a PR branch off main, commit changes, and open a PR targeting main.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: yes, please do option A. I will connect KustoSchemaTools as .net package

Assistant: Perfect. Next step is to inspect KustoSchemaTools’ current .NET API surface for “settings/config” and how it builds/runs KQL. Then we’ll add a new strongly-typed option for:

  • objectId (string GUID)
  • allowedUsages (string[])

…and have it generate the single KQL statement per database:

.alter-merge database <DB> policy managed_identity [
  { "ObjectId": "<OBJECT_ID>", "AllowedUsages": "AutomatedFlows,ExternalTable,NativeIngestion" }
]

Small plan (agree)

  1. I’ll locate in github/KustoSchemaTools (your repo) the .NET project(s) and find where KQL “management commands” are built/executed.
  2. I’ll find the current pattern for passing config/settings (e.g., options classes, JSON/YAML model, or method parameters).
  3. I’ll propose the minimal new options class + wiring so your .net caller can pass objectId + allowedUsages.
  4. Then we implement it in the smallest number of files, add tests (or a test harness) that validates the generated KQL string.

Before I touch the repo code: I need one thing from you so I don’t assume wrong APIs.

Clarifying question (must-have)

Which package do you consume from KustoSchemaTools?

  • the name on NuGet (e.g. KustoSchemaTools.*), and
  • the main entry type you call (a class name), if you know it.

If you don’t know those, just paste:

  • the .csproj PackageReference line, and/or
  • the minimal C# snippet where you currently trigger schema deployment / policy apply.

Once you paste that, I’ll:

  • mirror the existing option style (Option A array),
  • and keep the change localized + readable.

Якщо треба “інтересне слово”: «паралельність»concurrency/parallelism, тобто робота з багатьма задачами одночасно (у нас зараз це не потрібно, але термін інколи важливий для пайплайнів деплою).

User: no, it would be the other way around. I will consume KustoSchemaTools in the other application.

Assistant: You’re right—your application will consume KustoSchemaTools (KustoSchemaTools provides a .NET API/package). ✅

Before we change anything, I need to find the actual repo code layout so we know where to add the new option and where KQL is executed.

Small plan (agree)

  1. I’ll inspect github/KustoSchemaTools to find:
    • the main .NET projects/entrypoints
    • existing “policy/management KQL” support (if any)
    • the configuration/options pattern (likely strongly-typed options classes)
  2. I’ll propose a minimal additive API:
    • ManagedIdentityPolicySettings { string ObjectId; string[] AllowedUsages; }
      ...

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Add support for managed identity policy KQL generation Add managed_identity policy KQL generation for Kusto databases Apr 9, 2026
Copilot AI requested a review from alex-slynko April 9, 2026 15:49
@alex-slynko alex-slynko closed this pull request by merging all changes into main in 88c62f3 Apr 10, 2026
@alex-slynko alex-slynko deleted the copilot/add-managed-identity-policy-support branch April 10, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex-slynko alex-slynko Awaiting requested review from alex-slynko

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

@alex-slynko alex-slynko

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alex-slynko