Fix transitive Azure role assignments through WaitFor dependencies

[Copilot]

Description

CollectDependenciesFromValue in ResourceExtensions.cs was calling CollectAnnotationDependencies on resources discovered through env var/argument value traversal. This leaked WaitAnnotation (and parent/redirect) dependencies from referenced resources into the caller's dependency set — even in DirectOnly mode used by AzureResourcePreparer.GetAzureReferences.

Result: webfrontend → server (WaitFor cache) produced a spurious webfrontend-roles-cache.bicep.

var cache = builder.AddAzureManagedRedis("cache").RunAsContainer();

var server = builder.AddProject<Projects.Server>("server")
    .WithReference(cache).WaitFor(cache);

// webfrontend incorrectly got a role assignment to cache
var webfrontend = builder.AddProject<Projects.Server>("webfrontend")
    .WithReference(server).WaitFor(server);

Fix: Remove CollectAnnotationDependencies calls from CollectDependenciesFromValue. Annotation-based dependencies are already collected:

• For the subject resource, via GatherDirectDependenciesAsync → CollectAnnotationDependencies
• For transitive deps in Recursive mode, via the recursive loop in GetResourceDependenciesAsync

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
  • No
• Does the change require an update in our Aspire docs?
  • Yes
  • No

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /tmp/aspire-bicepOKDnzw/env-acr.module.bicep --stdout (dns block)
  • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /tmp/aspire-bicepfw1kQr/teststorage.module.bicep --stdout (dns block)
  • Triggering command: /usr/local/bin/bicep /usr/local/bin/bicep build /tmp/aspire-bicepDgmTIe/env.module.bicep --stdout (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Azure resources are getting found transtively through a backend if the backend has a</issue_title>
<issue_description>When I have an apphost with a webfrontend and a backend, with the backend having a WaitFor to an azure service, I'm getting a role assignment for the webfrontend to the azure service, even though there is no direct dependency.

var builder = DistributedApplication.CreateBuilder(args);

builder.AddAzureContainerAppEnvironment("env");

var cache = builder.AddAzureManagedRedis("cache")
    .RunAsContainer();

var server = builder.AddProject<Projects.ReproTransitive_Server>("server")
    .WithHttpHealthCheck("/health")
    .WithExternalHttpEndpoints()
    .WithReference(cache).WaitFor(cache);

var webfrontend = builder.AddProject<Projects.ReproTransitive_Server>("webfrontend")
    .WithReference(server)
    .WaitFor(server);

builder.Build().Run();

aspire publish that and I see:

I shouldn't be getting a webfrontend-roles-cache.bicep since the webfrontend doesn't reference the cache.

I think the problem is in

aspire/src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs

Lines 1405 to 1440 in 6d4f747

	private static void CollectDependenciesFromValue(object? value, HashSet<IResource> dependencies, HashSet<IResource> newDependencies, HashSet<object> visitedValues)
	{
	if (value is null || !visitedValues.Add(value))
	{
	return;
	}
	// Direct resource references
	if (value is IResource resource)
	{
	if (dependencies.Add(resource))
	{
	newDependencies.Add(resource);
	}
	CollectAnnotationDependencies(resource, dependencies, newDependencies);
	}
	// Resource builder wrapping a resource
	if (value is IResourceBuilder<IResource> resourceBuilder)
	{
	if (dependencies.Add(resourceBuilder.Resource))
	{
	newDependencies.Add(resourceBuilder.Resource);
	}
	CollectAnnotationDependencies(resourceBuilder.Resource, dependencies, newDependencies);
	value = resourceBuilder.Resource;
	}
	// Recurse through IValueWithReferences
	if (value is IValueWithReferences valueWithReferences)
	{
	foreach (var reference in valueWithReferences.References)
	{
	CollectDependenciesFromValue(reference, dependencies, newDependencies, visitedValues);
	}
	}

This shouldn't be collecting annotation dependencies on a resource when the ResourceDependencyDiscoveryMode is DirectOnly.
</issue_description>

<agent_instructions>Please add a new test that ensures this scenario works correctly. The server should have a roles assignment, but the webfrontend shouldn't.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Azure resources are getting found transtively through a backend if the backend has a #14472

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14473

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14473"

[Copilot]

Pull request overview

This PR fixes a bug where Azure role assignments were incorrectly created for transitive dependencies through WaitFor relationships. When webfrontend referenced server (which had a WaitFor dependency on cache), the webfrontend incorrectly received role assignments to the cache resource.

Changes:

• Removed incorrect CollectAnnotationDependencies calls from CollectDependenciesFromValue in ResourceExtensions.cs that were leaking transitive WaitFor/Parent/Redirect dependencies into DirectOnly dependency discovery mode
• Added unit test verifying that DirectOnly mode excludes WaitFor dependencies from referenced resources
• Added integration test confirming Azure role assignments are not created for transitive WaitFor dependencies

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs	Removed two CollectAnnotationDependencies calls from CollectDependenciesFromValue that incorrectly collected annotation-based dependencies (WaitFor, Parent, Redirect) from resources discovered through value traversal
tests/Aspire.Hosting.Tests/ResourceDependencyTests.cs	Added test DirectOnlyDoesNotIncludeWaitForDependenciesFromReferencedResources verifying that DirectOnly mode correctly excludes transitive WaitFor dependencies
tests/Aspire.Hosting.Azure.Tests/RoleAssignmentTests.cs	Added test WaitForDoesNotCreateTransitiveRoleAssignments verifying the exact bug scenario: server with cache dependency should get role assignment, but webfrontend referencing server should not

[karolz-ms]

/backport to main

[github-actions]

Started backporting to main: https://github.com/dotnet/aspire/actions/runs/21964924265