feat: Introduce new Azure Cosmos DB Change Feed Scaler

[yash2710]

Add internal KEDA scaler for Azure Cosmos DB change feed processor lag estimation. Translates the existing C# external scaler to a native Go internal scaler.

• REST API client with HMAC-SHA256 and workload identity auth
• Supports .NET and Java SDK lease formats (PK range and EPK based)
• Uses total estimated lag (sum across all partitions) as the scaling metric, matching the EventHub scaler's approach - small lag stays at 1 replica, HPA scales proportionally via ceil(totalLag / changeFeedLagThreshold)
• Lag capped at partitionCount * threshold to prevent over-scaling
• Configurable lag and activation thresholds
• Separate data and lease container connection support
• Partition split detection with automatic retry
• Unit tests with httptest mocks for all lease formats
• E2E test scaffold
• Auto-generated scaler metadata schema

Example with 4 partitions and changeFeedLagThreshold: 100:

Total Lag	Replicas	Explanation
0	0	Inactive, scale to zero
30	1	ceil(30/100) = 1
150	2	ceil(150/100) = 2
350	4	ceil(350/100) = 4, but capped at partition count
1000	4	Capped at 4 * 100 = 400 reported lag → 4 replicas

This was validated on AKS with gradual scale-up (1→2→3→4) and scale-down to zero with 300s cooldown.

Checklist

• When introducing a new scaler, I agree with the scaling governance policy
• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added (if applicable)
• Ensure make generate-scalers-schema has been run to update any outdated generated files
• Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #7556

Relates to kedacore/keda-docs#1721

[github-actions]

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[yash2710]

Question to the reviewer/maintainer -

1. Where do I need to define the connection string
2. What subscription needs to hold the test comos db account?

[rickbrouwer]

@JorTurFer Can you help with this? I bet you can do this faster than me.

[abhirockzz]

hello @zroubalik I wonder if you can review this or point us to folks who can help? much appreciated!

[abhirockzz]

Hi @rickbrouwer Appreciate your help with the reviews so far! Can you please help us finish with the final set of changes as well (hopefully!) @yash2710 has them ready for review. Thanks!

[rickbrouwer]

Here is a somewhat longer review. I haven't gone through everything by a long shot yet, but here is a first part of my input.

I see you're using azure.PublicCloud.ResourceIdentifiers.CosmosDB directly. But looking at azure_eventhub_scaler.go and azure_servicebus_scaler.go, there they resolve the cloud environment through azure.ParseEnvironmentProperty with a cloud metadata field. I think because of the hardcoded value here, workload identity won't work correctly against for example Azure China, US Gov or German clouds? What do you think, should we wire this through ParseEnvironmentProperty too?

Next I see you've built a full Cosmos DB REST client in this file (connection string parsing, session token parsing, 410 retry). The other Azure scalers seems to all delegate this to the official SDKs (eventhubs, servicebus, blob). Microsoft also ships github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos, which handles auth, cloud environments and token refresh. Is there a reason we can't use the SDK here?

In all the other scalers we put validation in a Validate() method on the metadata struct (see for example azureBlobMetadata.Validate() and azureServiceBusMetadata.Validate()). We should move the validation over to match that pattern for consistency.

Last for now. I see you are using a cosmosDBRestAPIVersion is set to 2018-12-31. That seems quite old for me. Do you know if there's a reason we're pinned to that older version?

[analogrelay]

Hi @rickbrouwer ! To set some context, both @yash2710 and I work on the Cosmos DB SDKs team and own the Go SDK you referenced.

Next I see you've built a full Cosmos DB REST client in this file (connection string parsing, session token parsing, 410 retry). The other Azure scalers seems to all delegate this to the official SDKs (eventhubs, servicebus, blob). Microsoft also ships github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos, which handles auth, cloud environments and token refresh. Is there a reason we can't use the SDK here?

To help set some context here: Yes, we could use the current v1 of the SDK here. However, the Cosmos DB SDK is quite complicated, with a lot of failover policies, cross partition query support, and even custom TCP protocols when implemented fully. The v1 Go SDK does not implement most of this functionality. Fortunately, the functionality needed to read change feed processor state is minimal and is indeed currently supported by that v1 Go SDK. The problem isn't now, it's the future roadmap. As part of an effort to make our SDK maintenance more sustainable (we maintain 6 SDKs right now, each of which has to implement this complex logic the same way), we are moving down a path towards using a core native "driver" component (like libpq for Postgres, or other similar database libraries).

Our current plan is to shift to wrapping this native component in a v2 Go SDK, which means that SDK depends on CGo. Obviously, that's got a lot of risk and challenges to it, but most critical to right now is that using this v2 SDK would end up requiring KEDA to build with CGo and link to this native component. We don't believe this is a reasonable thing to ask KEDA to do. Fortunately, the functionality needed for KEDA here is, as I mentioned before, minimal and expressed in the fully supported, documented, and highly stable REST API (which documents authentication, basic retry policies, and the "streaming" queries needed for reading this state).

So, rather than add a dependency on the v1 Go SDK that likely will end up trapped on v1 (even after v1 goes out of support), our thinking was to build this component independent of the Go SDK. We're happy to take on maintenance of this component, as we believe that burden to be minimal and much easier than trying to maintain support for the entire v1 Go SDK indefinitely.

Last for now. I see you are using a cosmosDBRestAPIVersion is set to 2018-12-31. That seems quite old for me. Do you know if there's a reason we're pinned to that older version?

This is the minimum required version from the servers to access the APIs we need, it's quite common to reference the lowest necessary version in this case.

---

Hope that clarifies things a bit! As for the other questions, I'll leave that to @yash2710 !

[rickbrouwer]

@analogrelay

That certainly clarifies it! Thanks for the detailed answer. Then that seems perfectly fine to me.

[yash2710]

@rickbrouwer addressed the comments. Also, can you help answer #7557 (comment)

[rickbrouwer]

I see that in estimateOnce a single partition error causes the whole estimation to fail. If you have a container with many partitions and one has a transient issue, you lose all metrics for that polling interval. Just checking if that is correct and intended that way.

Further, the lease query uses STARTSWITH(c.id, @prefix) with just the processor name, which means a processor named app would also match leases from a processor named app-extended. Should we append a separator like . to the prefix to avoid this collision?"

And the static check is failing, please run go fmt on the affected file.

[rickbrouwer]

Suggested change

	// 5. If 410 Gone: report lag = -1 (split/merge)
	// 5. If 410 Gone: report lag = 0 (split/merge)

[Copilot]

Pull request overview

This PR introduces a new native (internal) KEDA scaler type (azure-cosmosdb) that estimates Azure Cosmos DB Change Feed Processor lag by querying lease documents and reading the change feed via the Cosmos DB REST API, enabling scaling without an external gRPC scaler.

Changes:

• Added the internal azure-cosmosdb scaler implementation and unit tests (including lease format variants and split retry behavior).
• Registered the scaler in the scaler builder and updated generated scaler metadata schema (YAML/JSON).
• Added an e2e test scaffold and a new .env variable placeholder, plus a changelog entry.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
pkg/scalers/azure_cosmosdb_scaler.go	Implements Cosmos DB change feed lag estimation (REST client + auth) and exposes metrics for KEDA scaling.
pkg/scalers/azure_cosmosdb_scaler_test.go	Adds unit tests for metadata parsing, auth token generation, lease parsing, lag estimation, and split retry.
pkg/scaling/scalers_builder.go	Registers the new azure-cosmosdb scaler type in the scaler factory.
schema/generated/scalers-schema.yaml	Adds schema entry for azure-cosmosdb trigger metadata/auth parameters.
schema/generated/scalers-schema.json	Adds schema entry for azure-cosmosdb trigger metadata/auth parameters.
tests/scalers/azure/azure_cosmosdb/azure_cosmosdb_test.go	Adds an e2e test scaffold for the new scaler and helper REST calls to create resources and inject documents.
tests/.env	Adds TF_AZURE_COSMOSDB_CONNECTION_STRING placeholder for e2e runs.
CHANGELOG.md	Announces the new Azure Cosmos DB Change Feed scaler.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.