diff --git a/README.md b/README.md
index 0029397..deb7b4d 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Costa Rica
 [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/) [brown9804](https://github.com/brown9804)
-Last updated: 2025-05-16
+Last updated: 2025-06-03
 ----------
@@ -160,7 +160,7 @@ Last updated: 2025-05-16
 This is an introductory workshop on Microsoft Fabric. Please follow as described below.
-- If you're choosing the `Infrastructure via Azure Portal`, please start [here](#step-1-set-up-your-azure-environment).
+- If you're choosing the `Infrastructure via Azure Portal`, please start [here with Set Up Your Azure Environment](#step-1-set-up-your-azure-environment) section.
 - If you're choosing the `Infrastructure via Terraform` approach:
   1. Please follow the [Terraform guide](./terraform-infrastructure/) to deploy the necessary Azure resources for the workshop.
   2. Then, follow each [each section](#step-1-set-up-your-azure-environment) but `skip the creation of each resource`.
diff --git a/terraform-infrastructure/main.tf b/terraform-infrastructure/main.tf
index 15f9c82..9a89281 100644
--- a/terraform-infrastructure/main.tf
+++ b/terraform-infrastructure/main.tf
@@ -61,6 +61,10 @@ resource "azurerm_linux_function_app" "function_app" {
   storage_account_name = azurerm_storage_account.storage.name
   storage_account_access_key = azurerm_storage_account.storage.primary_access_key
+  identity {
+    type = "SystemAssigned"
+  }
+
   site_config {
     # Other configurations can go here
   }
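Review bot: The new `identity` block sits directly under `storage_account_access_key = azurerm_storage_account.storage.primary_access_key`, so the function app still authenticates to its storage account with the long-lived shared key and the system-assigned identity is only consumed by the role assignments added later in this file. The provider's `storage_uses_managed_identity = true` argument replaces the access-key argument and lets the Storage RBAC roles this commit adds be the actual credential, which keeps the key out of the app settings and makes key rotation a non-event for the app. The block also deserves a one-line comment on intent, e.g. `# System-assigned identity: used for RBAC to Storage and Cosmos DB instead of shared keys`. The `azurerm_linux_function_app` resource begins before this hunk.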
@@ -72,6 +76,44 @@ resource "azurerm_linux_function_app" "function_app" {
   }
 }
+# Assign Storage Blob Data Contributor role
+resource "azurerm_role_assignment" "blob_data_contributor" {
+  scope = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage
+  ]
+
+}
+
+# Assign Storage File Data SMB Share Contributor role
+resource "azurerm_role_assignment" "file_data_smb_share_contributor" {
+  scope = azurerm_storage_account.storage.id
+  role_definition_name = "Storage File Data SMB Share Contributor"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage
+  ]
+}
+
+# Assign Storage Blob Data Reader role
+resource "azurerm_role_assignment" "blob_data_reader" {
+  scope = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage # Replace with the actual resource name
+  ]
+}
+
 # Service Plan
 resource "azurerm_service_plan" "asp" {
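Review bot: `blob_data_reader` grants the same principal, at the same scope, a strict subset of what `blob_data_contributor` already grants, so the third assignment adds nothing; keep exactly one of the two, whichever matches what the function actually does with blobs. The `depends_on` lists in all three resources are redundant because `scope` and `principal_id` already reference the storage account and the function app, and the stale `# Replace with the actual resource name` comment on `azurerm_storage_account.storage` in `blob_data_reader` should go. A short comment per assignment saying which function operation needs it (e.g. `# Function writes result blobs to the output container`) would make later least-privilege reviews much easier.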
@@ -157,6 +199,103 @@ resource "azurerm_cosmosdb_account" "cosmosdb" {
   depends_on = [azurerm_resource_group.rg]
 }
+# Cosmos DB SQL Database
+resource "azurerm_cosmosdb_sql_database" "main" {
+  name = var.cosmosdb_sqldb_name
+  resource_group_name = azurerm_resource_group.rg.name
+  account_name = azurerm_cosmosdb_account.cosmosdb.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "outputcvscontainer" {
+  name = var.sql_container_name
+  resource_group_name = azurerm_resource_group.rg.name
+  account_name = azurerm_cosmosdb_account.cosmosdb.name
+  database_name = azurerm_cosmosdb_sql_database.main.name
+  throughput = var.throughput
+  partition_key_paths = ["/definition/id"]
+  partition_key_version = 1
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    included_path {
+      path = "/included/?"
+    }
+
+    excluded_path {
+      path = "/excluded/?"
+    }
+  }
+
+  unique_key {
+    paths = ["/definition/idlong", "/definition/idshort"]
+  }
+}
+
+# Cosmos DB Operator
+resource "azurerm_role_assignment" "cosmosdb_operator" {
+  scope = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Cosmos DB Operator"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# DocumentDB Account Contributor
+resource "azurerm_role_assignment" "documentdb_contributor" {
+  scope = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "DocumentDB Account Contributor"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Azure AI Administrator
+resource "azurerm_role_assignment" "azure_ai_admin" {
+  scope = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Azure AI Administrator"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Cosmos DB Account Reader Role
+resource "azurerm_role_assignment" "cosmosdb_reader" {
+  scope = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Cosmos DB Account Reader Role"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Contributor
+resource "azurerm_role_assignment" "contributor" {
+  scope = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Contributor"
+  principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
 # Azure Form Recognizer (Document Intelligence)
 resource "azurerm_cognitive_account" "form_recognizer" {
   name = var.form_recognizer_name
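Review bot: `contributor` hands the function app's identity the built-in `Contributor` role over the whole Cosmos DB account, which already covers everything `cosmosdb_operator`, `documentdb_contributor` and `cosmosdb_reader` grant and additionally allows listing the account keys, so a single compromised function would hold full control-plane rights over the database, while the function only needs to read and write documents. The data-plane assignment added in the last hunk of this file is the one the app actually uses, so these five control-plane assignments can be dropped, or at most reduced to `cosmosdb_reader` if the app needs to enumerate account metadata. `azure_ai_admin` is scoped to a Cosmos DB account, where that role appears unrelated; if it is meant for another resource, its `scope` is wrong. The container's `partition_key_paths`, the `/included/?` and `/excluded/?` index paths and the `/definition/idlong` unique key read like the provider documentation example rather than this workshop's document layout; if they are placeholders, mark them with a comment such as `# TODO: set partition key / indexing paths to match the output document schema`.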
@@ -172,3 +311,24 @@ resource "azurerm_cognitive_account" "form_recognizer" {
     command = "echo Form Recognizer: ${self.name}"
   }
 }
+
+# We need to assign custom or built-in Cosmos DB SQL roles
+# (like Cosmos DB Built-in Data Reader, etc.) at the data plane level,
+# which is not currently supported directly in Terraform as of now.
+# Workaround: Use null_resource with local-exec integrating the CLI command into
+# Terraform using a null_resource as follow:
+locals {
+  cosmosdb_role_assignment_id = uuid()
+}
+
+resource "null_resource" "cosmosdb_sql_role_assignment" {
+  provisioner "local-exec" {
+    command = "az cosmosdb sql role assignment create --resource-group ${azurerm_resource_group.rg.name} --account-name ${azurerm_cosmosdb_account.cosmosdb.name} --role-definition-id /subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.cosmosdb.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002 --principal-id ${azurerm_linux_function_app.function_app.identity[0].principal_id} --scope ${azurerm_cosmosdb_account.cosmosdb.id} --role-assignment-id ${local.cosmosdb_role_assignment_id}"
+  }
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
diff --git a/terraform-infrastructure/variables.tf b/terraform-infrastructure/variables.tf
index 86f34d7..657a8f2 100644
--- a/terraform-infrastructure/variables.tf
+++ b/terraform-infrastructure/variables.tf
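Review bot: The `null_resource` / `local-exec` workaround is unmanaged state: the provisioner runs once at create, there is no `when = destroy` counterpart, so the data-plane assignment is orphaned on `terraform destroy` and is never re-applied if the function app (and thus its principal id) is recreated, and it requires an authenticated `az` CLI on every machine that applies. The comment's premise is also out of date — the azurerm provider has a native `azurerm_cosmosdb_sql_role_assignment` resource that does exactly this and tracks the assignment in state; using it also removes the `uuid()` local, which yields a different value on every plan. Note too that the comment names `Cosmos DB Built-in Data Reader` while the id `00000000-0000-0000-0000-000000000002` is the built-in Data Contributor; say which one is intended, since it is the difference between read-only and read-write on every document. `data.azurerm_client_config.current` is not declared in this diff; if it lives elsewhere it is unneeded once the native resource is used.

```hcl
# Data-plane RBAC for the function app; this is what the app actually
# authenticates with, so no control-plane Contributor role is needed.
resource "azurerm_cosmosdb_sql_role_assignment" "function_app_data_contributor" {
  resource_group_name = azurerm_resource_group.rg.name
  account_name        = azurerm_cosmosdb_account.cosmosdb.name
  # …0002 is "Cosmos DB Built-in Data Contributor" (read + write documents).
  role_definition_id  = "${azurerm_cosmosdb_account.cosmosdb.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
  principal_id        = azurerm_linux_function_app.function_app.identity[0].principal_id
  scope               = azurerm_cosmosdb_account.cosmosdb.id
}
```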
@@ -51,4 +51,20 @@ variable "cosmosdb_account_name" {
 variable "form_recognizer_name" {
   description = "The name of the Form Recognizer resource."
   type = string
-}
\ No newline at end of file
+}
+
+variable "cosmosdb_sqldb_name" {
+  description = "The name of the Cosmos DB SQL database to be created."
+  default = "outputdb"
+}
+
+variable "sql_container_name" {
+  description = "The name of the Cosmos DB SQL container to be created within the database."
+  default = "outputcvscontainer"
+}
+
+variable "throughput" {
+  description = "The throughput (RU/s) to be allocated to the Cosmos DB SQL database or container."
+  default = 400
+}
+
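Review bot: The three new variables are declared without a `type`, unlike `form_recognizer_name` just above them which has `type = string`, so a caller passing `throughput = "400"` or a list for a name is only caught when the provider rejects it rather than at plan time. Add `type = string` to `cosmosdb_sqldb_name` and `sql_container_name` and `type = number` to `throughput`. Since the container in main.tf consumes `var.throughput` directly, a `validation` block pinning it to the provider's minimum of 400 RU/s would turn a confusing apply-time error into a clear plan-time one, but that can be a follow-up.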