feat: Redesign container-copy flow to select destination account and enable cross-account container creation #2436

Open: BChoudhury-ms wants to merge 3 commits into master from user/bchoudhury/switchcopyjob

@BChoudhury-ms (Collaborator) commented Mar 26, 2026

Preview this branch

Summary

This PR redesigns the container copy job feature to fix the conceptual direction of account selection, and extends createDatabase, createCollection, and Explorer.openEnableSynapseLinkDialog to operate against an arbitrary target account via a new AccountOverride parameter.

Also, this PR upgrades the required RBAC permission for Container Copy jobs from the built-in Cosmos DB Reader role (00000000-0000-0000-0000-000000000001) to the built-in Cosmos DB Data Contributor role (00000000-0000-0000-0000-000000000002). The change ensures the destination account's managed identity has sufficient write access to execute copy jobs reliably.


What Changed

Data model changes (DataModels.ts, CopyJobTypes.ts)

  • Added new AccountOverride interface (subscriptionId, resourceGroup, accountName).
  • Swapped the shape of source / target in CopyJobContextState:
    • source now stores a flat subscriptionId: string (pre-filled from userContext).
    • target now stores a subscription: Subscription | null that the user selects.
  • This reflects the corrected UX intent: the current account is always the source; the user picks the destination.

Copy-job feature flow

  • CopyJobContext.tsx — initial state now pre-fills source from userContext and leaves target empty.
  • SelectAccount screen — dropdowns (SubscriptionDropdown, AccountDropdown) now read from / write to target.
  • useCreateCopyJobScreensList — validation now checks target.subscription and target.account.
  • CopyJobActions.tsx — moved remoteAccountName from properties.source → properties.destination in the data-transfer API payload (fixing a bug where the remote account name was sent on the wrong side).

Cross-account container & database creation

  • DataModels.CreateDatabaseParams and CreateCollectionParams now accept an optional targetAccountOverride.
  • createDatabase.ts / createCollection.ts — when targetAccountOverride is set, ARM calls use its subscriptionId, resourceGroup, and accountName instead of userContext, and duplicate-ID validation is skipped.
  • readDatabases.ts — new exported readDatabasesForAccount(subscriptionId, resourceGroup, accountName) function.

AddCollectionPanel improvements

  • New props: targetAccountOverride?: AccountOverride and externalDatabaseOptions?: IDropdownOption[].
  • getDatabaseOptions() returns externalDatabaseOptions when provided, bypassing the local Zustand store.
  • Synapse Link is always shown as disabled (not relevant for cross-account creates); the "Enable" button now forwards the override to openEnableSynapseLinkDialog.
  • On success in copy-job flows, refreshAllDatabases is skipped to avoid refreshing the source account's tree.
  • Authorization errors are surfaced with a user-friendly message identifying the destination account.

AddCollectionPanelWrapper (copy-job flow)

  • Fetches databases from the destination account via readDatabasesForAccount and passes them as externalDatabaseOptions.
  • Shows a loading spinner while fetching and a MessageBar error on permission or network failures.
  • Derives targetAccountOverride from the selected target account's ARM resource ID.
  • Sub-heading is now dynamic: "Configure the properties for the new container on destination account \"<name>\".".

Explorer.openEnableSynapseLinkDialog

  • Accepts an optional targetAccountOverride; uses its coordinates for the ARM update call.
  • Only updates userContext.databaseAccount.properties.enableAnalyticalStorage when no override is present.

Permission Model

  • RbacUtils.ts: assignRole now assigns the Data Contributor role definition instead of the Reader role.
  • usePermissionsSection.tsx: checkTargetHasReaderRoleOnSource renamed to checkTargetHasReadWriteRoleOnSource. Validation logic expanded to:
    • Accept the built-in Contributor role ID (...000002).
    • Support wildcard data action scopes (databaseAccounts/*, containers/*, items/*).
    • Require both items/read and items/write data actions for custom roles.

UI label corrections (ContainerCopyMessages.ts, PreviewCopyJob.tsx)

  • Renamed "Source subscription / Source account" → "Destination subscription / Destination account" throughout the preview screen and job-details panel.
  • Description on the select-account screen updated from "select a source account from which to copy" → "select a destination account to copy to".

@BChoudhury-ms BChoudhury-ms requested a review from a team as a code owner March 26, 2026 06:09
@BChoudhury-ms BChoudhury-ms force-pushed the user/bchoudhury/switchcopyjob branch 2 times, most recently from 616589b to 129c25c Compare March 27, 2026 13:48
@BChoudhury-ms BChoudhury-ms force-pushed the user/bchoudhury/switchcopyjob branch from 129c25c to f63d164 Compare April 1, 2026 03:08
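
The role check described under "Permission Model" in the PR description, as an added sketch that is not code from this PR or the repository. The function names, the `RoleDefinition` shape, the fully qualified action prefix and the sample roles are assumptions; the two role IDs and the `items/read` / `items/write` wording come from the description.

```typescript
// Added example; every name here is hypothetical, not the PR's code.
const DATA_CONTRIBUTOR_ID = "00000000-0000-0000-0000-000000000002"; // from the PR description
// Assumption: fully qualified prefix; the read/write suffixes follow the PR's wording.
const ITEMS = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items";
const REQUIRED_ACTIONS = [`${ITEMS}/read`, `${ITEMS}/write`];

interface RoleDefinition {
  id: string; // full resource ID or bare GUID
  dataActions: string[];
}

// True when `granted` covers `required`: an exact match, or a trailing "/*"
// wildcard whose prefix ends on a path-segment boundary of `required`.
function actionCovers(granted: string, required: string): boolean {
  const g = granted.toLowerCase();
  const r = required.toLowerCase();
  if (g === r) return true;
  if (!g.endsWith("/*")) return false;
  // Keep the trailing "/" so "items/*" cannot match a sibling such as "itemsX/read".
  return r.startsWith(g.slice(0, -1));
}

function grantsItemReadWrite(role: RoleDefinition): boolean {
  // Built-in role: compare the last path segment of the definition ID.
  const roleGuid = role.id.split("/").pop() ?? "";
  if (roleGuid.toLowerCase() === DATA_CONTRIBUTOR_ID) return true;
  // Custom role: each required action must be covered by some granted action.
  return REQUIRED_ACTIONS.every((req) =>
    role.dataActions.some((granted) => actionCovers(granted, req))
  );
}

// Constructed sample role definitions (placeholder subscription, group and account).
const BASE =
  "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.DocumentDB/databaseAccounts/ACCT/sqlRoleDefinitions/";
const CUSTOM_ID = BASE + "11111111-1111-1111-1111-111111111111";
const SAMPLE_ROLES = {
  reader: { id: BASE + "00000000-0000-0000-0000-000000000001", dataActions: [`${ITEMS}/read`] },
  contributor: { id: BASE + DATA_CONTRIBUTOR_ID, dataActions: [] as string[] },
  customReadOnly: { id: CUSTOM_ID, dataActions: [`${ITEMS}/read`] },
  customExplicit: { id: CUSTOM_ID, dataActions: [`${ITEMS}/read`, `${ITEMS}/write`] },
  customContainers: {
    id: CUSTOM_ID,
    dataActions: ["Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"],
  },
  customAccount: { id: CUSTOM_ID, dataActions: ["Microsoft.DocumentDB/databaseAccounts/*"] },
};
```

The read-only cases matter most for review: a destination identity holding only the Reader role, or a custom role with only `items/read`, must fail the check before a copy job is created.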