
Commit c6e82bd

committed
Permissions RBACs managed with TF + Cosmos DB SQL and contaier
1 parent beb39f2 commit c6e82bd


2 files changed

+175
-1
lines changed


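--- a/terraform-infrastructure/main.tf
+++ b/terraform-infrastructure/main.tf
@@ -61,6 +61,10 @@ resource "azurerm_linux_function_app" "function_app" {
 storage_account_name = azurerm_storage_account.storage.name
 storage_account_access_key = azurerm_storage_account.storage.primary_access_key
 
+identity {
+type = "SystemAssigned"
+}
+
 site_config {
 # Other configurations can go here
 }
@@ -72,6 +76,44 @@ resource "azurerm_linux_function_app" "function_app" {
 }
 }
 
+# Assign Storage Blob Data Contributor role
+resource "azurerm_role_assignment" "blob_data_contributor" {
+scope = azurerm_storage_account.storage.id
+role_definition_name = "Storage Blob Data Contributor"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_storage_account.storage
+]
+
+}
+
+# Assign Storage File Data SMB Share Contributor role
+resource "azurerm_role_assignment" "file_data_smb_share_contributor" {
+scope = azurerm_storage_account.storage.id
+role_definition_name = "Storage File Data SMB Share Contributor"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_storage_account.storage
+]
+}
+
+# Assign Storage Blob Data Reader role
+resource "azurerm_role_assignment" "blob_data_reader" {
+scope = azurerm_storage_account.storage.id
+role_definition_name = "Storage Blob Data Reader"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_storage_account.storage # Replace with the actual resource name
+]
+}
+
 
 # Service Plan
 resource "azurerm_service_plan" "asp" {
@@ -157,6 +199,103 @@ resource "azurerm_cosmosdb_account" "cosmosdb" {
 depends_on = [azurerm_resource_group.rg]
 }
 
+# Cosmos DB SQL Database
+resource "azurerm_cosmosdb_sql_database" "main" {
+name = var.cosmosdb_sqldb_name
+resource_group_name = azurerm_resource_group.rg.name
+account_name = azurerm_cosmosdb_account.cosmosdb.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "outputcvscontainer" {
+name = var.sql_container_name
+resource_group_name = azurerm_resource_group.rg.name
+account_name = azurerm_cosmosdb_account.cosmosdb.name
+database_name = azurerm_cosmosdb_sql_database.main.name
+throughput = var.throughput
+partition_key_paths = ["/definition/id"]
+partition_key_version = 1
+
+indexing_policy {
+indexing_mode = "consistent"
+
+included_path {
+path = "/*"
+}
+
+included_path {
+path = "/included/?"
+}
+
+excluded_path {
+path = "/excluded/?"
+}
+}
+
+unique_key {
+paths = ["/definition/idlong", "/definition/idshort"]
+}
+}
+
+# Cosmos DB Operator
+resource "azurerm_role_assignment" "cosmosdb_operator" {
+scope = azurerm_cosmosdb_account.cosmosdb.id
+role_definition_name = "Cosmos DB Operator"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}
+
+# DocumentDB Account Contributor
+resource "azurerm_role_assignment" "documentdb_contributor" {
+scope = azurerm_cosmosdb_account.cosmosdb.id
+role_definition_name = "DocumentDB Account Contributor"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}
+
+# Azure AI Administrator
+resource "azurerm_role_assignment" "azure_ai_admin" {
+scope = azurerm_cosmosdb_account.cosmosdb.id
+role_definition_name = "Azure AI Administrator"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}
+
+# Cosmos DB Account Reader Role
+resource "azurerm_role_assignment" "cosmosdb_reader" {
+scope = azurerm_cosmosdb_account.cosmosdb.id
+role_definition_name = "Cosmos DB Account Reader Role"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}
+
+# Contributor
+resource "azurerm_role_assignment" "contributor" {
+scope = azurerm_cosmosdb_account.cosmosdb.id
+role_definition_name = "Contributor"
+principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}
+
 # Azure Form Recognizer (Document Intelligence)
 resource "azurerm_cognitive_account" "form_recognizer" {
 name = var.form_recognizer_name
@@ -172,3 +311,23 @@ resource "azurerm_cognitive_account" "form_recognizer" {
 command = "echo Form Recognizer: ${self.name}"
 }
 }
+
+# We need to assign custom or built-in Cosmos DB SQL roles
+# (like Cosmos DB Built-in Data Reader, etc.) at the data plane level,
+# which is not currently supported directly in Terraform as of now.
+# Workaround: Use null_resource with local-exec integrating the CLI command into
+# Terraform using a null_resource as follow:
+locals {
+cosmosdb_role_assignment_id = uuid()
+}
+
+resource "null_resource" "cosmosdb_sql_role_assignment" {
+provisioner "local-exec" {
+command = "az cosmosdb sql role assignment create --resource-group ${azurerm_resource_group.rg.name} --account-name ${azurerm_cosmosdb_account.cosmosdb.name} --role-definition-id /subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.cosmosdb.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002 --principal-id ${azurerm_linux_function_app.function_app.identity[0].principal_id} --scope ${azurerm_cosmosdb_account.cosmosdb.id} --role-assignment-id ${local.cosmosdb_role_assignment_id}"
+}
+
+depends_on = [
+azurerm_linux_function_app.function_app,
+azurerm_cosmosdb_account.cosmosdb
+]
+}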
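Review bot: The Function App's managed identity receives five overlapping control-plane roles on the Cosmos DB account in the third hunk (`cosmosdb_operator`, `documentdb_contributor`, `azure_ai_admin`, `cosmosdb_reader`, `contributor`); `Contributor` alone already subsumes the other four at that scope, and none of them grants data-plane access, which is what the `null_resource` in the last hunk provides. If the app only needs to read and write documents, the built-in SQL role assignment should be sufficient and the five `azurerm_role_assignment` blocks on the account (and the redundant `blob_data_reader`, already covered by `blob_data_contributor` in the second hunk) can be dropped to keep the identity at least privilege. The role definition id ending in `...0002` is the Cosmos DB Built-in Data Contributor, while the comment above `locals` cites the Built-in Data Reader; the comment should name the role actually granted, and the provider's `azurerm_cosmosdb_sql_role_assignment` resource is worth checking against the pinned azurerm version before keeping the `local-exec` workaround. `data.azurerm_client_config.current` is referenced in the command but not defined in this diff; presumably it exists elsewhere in the module.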

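--- a/terraform-infrastructure/variables.tf
+++ b/terraform-infrastructure/variables.tf
@@ -51,4 +51,19 @@ variable "cosmosdb_account_name" {
 variable "form_recognizer_name" {
 description = "The name of the Form Recognizer resource."
 type = string
-}
+}
+
+variable "cosmosdb_sqldb_name" {
+description = "The name of the Cosmos DB SQL database to be created."
+default = "outputdb"
+}
+
+variable "sql_container_name" {
+description = "The name of the Cosmos DB SQL container to be created within the database."
+default = "outputcvscontainer"
+}
+
+variable "throughput" {
+description = "The throughput (RU/s) to be allocated to the Cosmos DB SQL database or container."
+default = 400
+}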
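Review bot: The three new variables omit `type`, unlike `form_recognizer_name` immediately above them, so a wrong value (for example a string passed for `throughput`) is only rejected by the provider at apply time rather than validated at plan time. Add `type = string` to `cosmosdb_sqldb_name` and `sql_container_name` and `type = number` to `throughput` to match the existing declaration style.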
