Fix InitClientEncryption configuration not being respected in CosmosDataSinkExtension #190

Merged
merged 3 commits into from
Jun 2, 2025

Conversation

Copilot
Contributor

@Copilot Copilot AI commented Jun 1, 2025

Problem

When using the Cosmos data migration tool with UseRbacAuth: true and InitClientEncryption: false, the tool was incorrectly attempting to initialize encryption on the Cosmos container, causing the following error:

System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. 
(Parameter 'InitializeEncryptionAsync requires the use of an encryption-enabled client. 
Please refer to https://aka.ms/CosmosClientEncryption for more details.')

This was a regression where the InitClientEncryption: false setting was being ignored when UseRbacAuth: true.

Root Cause

The CosmosDataSinkExtension.WriteAsync() method had faulty logic that unconditionally called InitializeEncryptionAsync() whenever UseRbacAuth was true, regardless of the InitClientEncryption setting:

// Buggy code - always initializes encryption when UseRbacAuth is true
Container container = settings.UseRbacAuth
    ? await client.GetContainer(settings.Database, settings.Container).InitializeEncryptionAsync(cancellationToken)
    : await CreateDatabaseAndContainerAsync(client, settings, logger, cancellationToken);

Solution

Fixed the container initialization logic to properly respect both settings:

// Fixed code - only initializes encryption when both UseRbacAuth AND InitClientEncryption are true
Container container;
if (settings.UseRbacAuth)
{
    var cosmosContainer = client.GetContainer(settings.Database, settings.Container);
    container = settings.InitClientEncryption
        ? await cosmosContainer.InitializeEncryptionAsync(cancellationToken)
        : cosmosContainer;
}
else
{
    container = await CreateDatabaseAndContainerAsync(client, settings, logger, cancellationToken);
}

Behavior After Fix

  • UseRbacAuth=false: Uses CreateDatabaseAndContainerAsync (unchanged)
  • UseRbacAuth=true, InitClientEncryption=false: Gets container without encryption initialization
  • UseRbacAuth=true, InitClientEncryption=true: Gets container with encryption initialization

Additional Changes

  • Added comprehensive unit tests for InitClientEncryption validation scenarios
  • Aligned sink extension behavior with source extension (which already had correct logic)
  • All existing tests continue to pass, ensuring no regressions

Testing

Verified the fix with:

  • All existing unit tests pass (25 passed, 2 skipped)
  • New validation tests for all InitClientEncryption scenarios
  • Full solution builds successfully
  • Manual verification of the logic paths

Fixes #189.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • www.microsoft.com
    • Triggering command: dotnet build CosmosDbDataMigrationTool.sln (dns block)

If you need me to access, download, or install something from one of these locations, you can either:



@Copilot Copilot AI changed the title [WIP] Release 2.1.5 for win-x64 does not respect InitClientEncryption configuration Fix InitClientEncryption configuration not being respected in CosmosDataSinkExtension Jun 1, 2025
@Copilot Copilot AI requested a review from philnach June 1, 2025 12:45
Copilot finished work on behalf of philnach June 1, 2025 12:45
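
The regression described in the PR above, modelled as an added example that is not part of the PR or the project's code: the pre-fix and post-fix selection logic run side by side over every combination of the two flags. `SinkSettings`, `FakeContainer`, `Sink` and `Program` are hypothetical stand-ins for the tool's settings and the Cosmos SDK types, and the fake assumes the client is encryption-enabled only when `InitClientEncryption` is true.

```csharp
using System;
using System.Threading.Tasks;

// Hypothetical stand-ins: only the two flags discussed in the PR are modelled.
record SinkSettings(bool UseRbacAuth, bool InitClientEncryption);

class FakeContainer
{
    public bool ClientIsEncryptionEnabled; // assumption: set only when encryption was requested
    public bool Created, EncryptionInitialized;

    // Mirrors the failure quoted in the PR: initializing on a plain client throws.
    public Task<FakeContainer> InitializeEncryptionAsync()
    {
        if (!ClientIsEncryptionEnabled)
            throw new ArgumentOutOfRangeException(
                "InitializeEncryptionAsync requires the use of an encryption-enabled client.");
        EncryptionInitialized = true;
        return Task.FromResult(this);
    }
}

static class Sink
{
    // Stand-in for CreateDatabaseAndContainerAsync on the non-RBAC path.
    static FakeContainer Create(FakeContainer c) { c.Created = true; return c; }

    // Pre-fix selection: RBAC alone triggers encryption initialization.
    public static async Task<FakeContainer> OpenBuggy(SinkSettings s, FakeContainer c) =>
        s.UseRbacAuth ? await c.InitializeEncryptionAsync() : Create(c);

    // Post-fix selection: initialization needs both flags.
    public static async Task<FakeContainer> OpenFixed(SinkSettings s, FakeContainer c) =>
        !s.UseRbacAuth ? Create(c) : s.InitClientEncryption ? await c.InitializeEncryptionAsync() : c;
}

static class Program
{
    static async Task<string> Run(Func<SinkSettings, FakeContainer, Task<FakeContainer>> open, SinkSettings s)
    {
        var c = new FakeContainer { ClientIsEncryptionEnabled = s.InitClientEncryption };
        try { var r = await open(s, c); return r.Created ? "created" : r.EncryptionInitialized ? "encrypted" : "plain"; }
        catch (ArgumentOutOfRangeException) { return "throws"; }
    }

    static async Task Main()
    {
        foreach (var s in new[] { new SinkSettings(false, false), new SinkSettings(false, true), new SinkSettings(true, false), new SinkSettings(true, true) })
            Console.WriteLine($"{s}: before={await Run(Sink.OpenBuggy, s)} after={await Run(Sink.OpenFixed, s)}");
    }
}
```
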
@philnach
Collaborator

philnach commented Jun 1, 2025

@copilot, good catch, Copilot. Re-reading the issue I do see that it's with the setting :false and your change makes complete sense. I was also the one who introduced the regression.

Copilot finished work on behalf of philnach June 1, 2025 12:59
@philnach philnach requested review from markjbrown and bowencode June 1, 2025 13:08
@philnach
Collaborator

philnach commented Jun 1, 2025

@bowencode @markjbrown, I caused this regression. Copilot coded up a fix and added new unit tests. This will resolve the issue. Could either one of you code review? We'll want to cut a new release after this goes in.

@philnach philnach marked this pull request as ready for review June 1, 2025 19:52
@markjbrown markjbrown merged commit 3dadaac into main Jun 2, 2025
15 checks passed
@markjbrown
Collaborator

@philnach published new binaries and package. Rev to 2.4.0. Thanks!

Successfully merging this pull request may close these issues.

Release 2.3.0 for win-x64 does not respect InitClientEncryption configuration
3 participants