From c6e82bd1cb697a10684068007e0eced84775cea9 Mon Sep 17 00:00:00 2001
From: brown9804
Date: Tue, 3 Jun 2025 12:36:53 -0600
Subject: [PATCH 1/3] Permissions RBACs managed with TF + Cosmos DB SQL and contaier

---
 terraform-infrastructure/main.tf | 159 ++++++++++++++++++++++++++
 terraform-infrastructure/variables.tf | 17 ++-
 2 files changed, 175 insertions(+), 1 deletion(-)

diff --git a/terraform-infrastructure/main.tf b/terraform-infrastructure/main.tf
index 15f9c82..25a04d8 100644
--- a/terraform-infrastructure/main.tf
+++ b/terraform-infrastructure/main.tf
@@ -61,6 +61,10 @@ resource "azurerm_linux_function_app" "function_app" {
 storage_account_name = azurerm_storage_account.storage.name
 storage_account_access_key = azurerm_storage_account.storage.primary_access_key
+ identity {
+ type = "SystemAssigned"
+ }
+
 site_config {
 # Other configurations can go here
 }
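Review bot: The function app keeps authenticating to its storage account with the shared key on the context line `storage_account_access_key = azurerm_storage_account.storage.primary_access_key`, even though this hunk enables a system-assigned identity and the rest of the patch grants that identity data-plane roles on the same account; the key still lands in Terraform state and in the app settings, so the shared-key exposure is not removed. If the pinned azurerm provider version supports it, replace that line with `storage_uses_managed_identity = true` and grant the identity the role the Functions host needs for identity-based AzureWebJobsStorage (Microsoft documents Storage Blob Data Owner for this; confirm against the runtime version in use). The `azurerm_linux_function_app` resource starts and ends outside this hunk, so its other settings (for example `https_only`) were not reviewed here.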
@@ -72,6 +76,44 @@ resource "azurerm_linux_function_app" "function_app" {
 }
 }
+# Assign Storage Blob Data Contributor role
+resource "azurerm_role_assignment" "blob_data_contributor" {
+ scope = azurerm_storage_account.storage.id
+ role_definition_name = "Storage Blob Data Contributor"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_storage_account.storage
+ ]
+
+}
+
+# Assign Storage File Data SMB Share Contributor role
+resource "azurerm_role_assignment" "file_data_smb_share_contributor" {
+ scope = azurerm_storage_account.storage.id
+ role_definition_name = "Storage File Data SMB Share Contributor"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_storage_account.storage
+ ]
+}
+
+# Assign Storage Blob Data Reader role
+resource "azurerm_role_assignment" "blob_data_reader" {
+ scope = azurerm_storage_account.storage.id
+ role_definition_name = "Storage Blob Data Reader"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_storage_account.storage # Replace with the actual resource name
+ ]
+}
+
 # Service Plan
 resource "azurerm_service_plan" "asp" {
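Review bot: The `blob_data_reader` assignment is fully contained in `blob_data_contributor` (Storage Blob Data Contributor includes every read action of Storage Blob Data Reader on the same scope), so it adds a second assignment to audit without adding any access; drop the `blob_data_reader` resource and keep the one role the app actually needs. The `depends_on` lists in all three resources are redundant, because `scope` and `principal_id` already reference the storage account and the function app and Terraform derives the ordering from those references. The trailing comment `# Replace with the actual resource name` on the `azurerm_storage_account.storage` line is stale (the reference is already the real resource) and should be deleted so it is not mistaken for an open task.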
@@ -157,6 +199,103 @@ resource "azurerm_cosmosdb_account" "cosmosdb" {
 depends_on = [azurerm_resource_group.rg]
 }
+# Cosmos DB SQL Database
+resource "azurerm_cosmosdb_sql_database" "main" {
+ name = var.cosmosdb_sqldb_name
+ resource_group_name = azurerm_resource_group.rg.name
+ account_name = azurerm_cosmosdb_account.cosmosdb.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "outputcvscontainer" {
+ name = var.sql_container_name
+ resource_group_name = azurerm_resource_group.rg.name
+ account_name = azurerm_cosmosdb_account.cosmosdb.name
+ database_name = azurerm_cosmosdb_sql_database.main.name
+ throughput = var.throughput
+ partition_key_paths = ["/definition/id"]
+ partition_key_version = 1
+
+ indexing_policy {
+ indexing_mode = "consistent"
+
+ included_path {
+ path = "/*"
+ }
+
+ included_path {
+ path = "/included/?"
+ }
+
+ excluded_path {
+ path = "/excluded/?"
+ }
+ }
+
+ unique_key {
+ paths = ["/definition/idlong", "/definition/idshort"]
+ }
+}
+
+# Cosmos DB Operator
+resource "azurerm_role_assignment" "cosmosdb_operator" {
+ scope = azurerm_cosmosdb_account.cosmosdb.id
+ role_definition_name = "Cosmos DB Operator"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
+
+# DocumentDB Account Contributor
+resource "azurerm_role_assignment" "documentdb_contributor" {
+ scope = azurerm_cosmosdb_account.cosmosdb.id
+ role_definition_name = "DocumentDB Account Contributor"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
+
+# Azure AI Administrator
+resource "azurerm_role_assignment" "azure_ai_admin" {
+ scope = azurerm_cosmosdb_account.cosmosdb.id
+ role_definition_name = "Azure AI Administrator"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
+
+# Cosmos DB Account Reader Role
+resource "azurerm_role_assignment" "cosmosdb_reader" {
+ scope = azurerm_cosmosdb_account.cosmosdb.id
+ role_definition_name = "Cosmos DB Account Reader Role"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
+
+# Contributor
+resource "azurerm_role_assignment" "contributor" {
+ scope = azurerm_cosmosdb_account.cosmosdb.id
+ role_definition_name = "Contributor"
+ principal_id = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
+
 # Azure Form Recognizer (Document Intelligence)
 resource "azurerm_cognitive_account" "form_recognizer" {
 name = var.form_recognizer_name
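Review bot: The `contributor` assignment at the end of the hunk gives the function app's runtime identity the built-in Contributor role on the entire Cosmos DB account, which already covers everything Cosmos DB Operator, DocumentDB Account Contributor and Cosmos DB Account Reader Role allow and additionally lets the identity list the account keys, so the other control-plane assignments are redundant and the least-privilege benefit of moving to a managed identity is lost. `Azure AI Administrator` is unrelated to Cosmos DB and should not be assigned on this scope at all. An identity that only reads and writes documents needs no control-plane role: the data-plane SQL role assignment added later in this patch is sufficient, so delete all five `azurerm_role_assignment` blocks here, or at most keep `cosmosdb_reader` if the app has to read account metadata. Separately, the `indexing_policy` paths `/included/?` and `/excluded/?` and the `unique_key` paths `/definition/idlong`, `/definition/idshort` look like they were copied from the provider's documentation example; set them for the documents the app actually stores, or drop the blocks so the default indexing policy applies.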
@@ -172,3 +311,23 @@ resource "azurerm_cognitive_account" "form_recognizer" {
 command = "echo Form Recognizer: ${self.name}"
 }
 }
+
+# We need to assign custom or built-in Cosmos DB SQL roles
+# (like Cosmos DB Built-in Data Reader, etc.) at the data plane level,
+# which is not currently supported directly in Terraform as of now.
+# Workaround: Use null_resource with local-exec integrating the CLI command into
+# Terraform using a null_resource as follow:
+locals {
+ cosmosdb_role_assignment_id = uuid()
+}
+
+resource "null_resource" "cosmosdb_sql_role_assignment" {
+ provisioner "local-exec" {
+ command = "az cosmosdb sql role assignment create --resource-group ${azurerm_resource_group.rg.name} --account-name ${azurerm_cosmosdb_account.cosmosdb.name} --role-definition-id /subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.cosmosdb.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002 --principal-id ${azurerm_linux_function_app.function_app.identity[0].principal_id} --scope ${azurerm_cosmosdb_account.cosmosdb.id} --role-assignment-id ${local.cosmosdb_role_assignment_id}"
+ }
+
+ depends_on = [
+ azurerm_linux_function_app.function_app,
+ azurerm_cosmosdb_account.cosmosdb
+ ]
+}
diff --git a/terraform-infrastructure/variables.tf b/terraform-infrastructure/variables.tf
index 86f34d7..5d84313 100644
--- a/terraform-infrastructure/variables.tf
+++ b/terraform-infrastructure/variables.tf
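Review bot: The `null_resource` with the `local-exec` provisioner at the end of the hunk creates the data-plane role assignment out of band: `uuid()` in `locals` is regenerated on every plan, the resource has no `triggers`, and there is no destroy-time provisioner, so the assignment is created exactly once, is never re-applied when `principal_id` changes (for example after the function app is recreated), is not removed by `terraform destroy`, and only works when the machine running `terraform apply` has an authenticated `az` session allowed to write Cosmos DB SQL role assignments. The comment is also out of date: the azurerm provider has a native `azurerm_cosmosdb_sql_role_assignment` resource (confirm the pinned provider version includes it), and the role definition the command assigns, `00000000-0000-0000-0000-000000000002`, is Cosmos DB Built-in Data Contributor rather than the Data Reader the comment names. Replace the `locals` block and the `null_resource` with the native resource below, letting the provider generate the assignment GUID, and choose `...0001` (Built-in Data Reader) instead if the app only reads.

```hcl
# Data-plane access for the function app's managed identity.
# sqlRoleDefinitions/...0002 = Cosmos DB Built-in Data Contributor; use ...0001 (Data Reader) for read-only.
resource "azurerm_cosmosdb_sql_role_assignment" "function_app_data_contributor" {
  resource_group_name = azurerm_resource_group.rg.name
  account_name        = azurerm_cosmosdb_account.cosmosdb.name
  role_definition_id  = "${azurerm_cosmosdb_account.cosmosdb.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
  principal_id        = azurerm_linux_function_app.function_app.identity[0].principal_id
  scope               = azurerm_cosmosdb_account.cosmosdb.id
}
```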
@@ -51,4 +51,19 @@ variable "cosmosdb_account_name" {
 variable "form_recognizer_name" {
 description = "The name of the Form Recognizer resource."
 type = string
-}
\ No newline at end of file
+}
+
+variable "cosmosdb_sqldb_name" {
+ description = "The name of the Cosmos DB SQL database to be created."
+ default = "outputdb"
+}
+
+variable "sql_container_name" {
+ description = "The name of the Cosmos DB SQL container to be created within the database."
+ default = "outputcvscontainer"
+}
+
+variable "throughput" {
+ description = "The throughput (RU/s) to be allocated to the Cosmos DB SQL database or container."
+ default = 400
+}
From cbeab5e70f45b344af2a18cb4b8bd5d9920df4df Mon Sep 17 00:00:00 2001
From: brown9804
Date: Tue, 3 Jun 2025 12:43:26 -0600
Subject: [PATCH 2/3] format

---
 README.md | 2 +-
 terraform-infrastructure/main.tf | 1 +
 terraform-infrastructure/variables.tf | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0029397..828dd7f 100644
--- a/README.md
+++ b/README.md
@@ -160,7 +160,7 @@ Last updated: 2025-05-16
 This is an introductory workshop on Microsoft Fabric. Please follow as described below.
-- If you're choosing the `Infrastructure via Azure Portal`, please start [here](#step-1-set-up-your-azure-environment).
+- If you're choosing the `Infrastructure via Azure Portal`, please start [here with Set Up Your Azure Environment](#step-1-set-up-your-azure-environment) section.
 - If you're choosing the `Infrastructure via Terraform` approach:
 1. Please follow the [Terraform guide](./terraform-infrastructure/) to deploy the necessary Azure resources for the workshop.
 2. Then, follow each [each section](#step-1-set-up-your-azure-environment) but `skip the creation of each resource`.
diff --git a/terraform-infrastructure/main.tf b/terraform-infrastructure/main.tf
index 25a04d8..9a89281 100644
--- a/terraform-infrastructure/main.tf
+++ b/terraform-infrastructure/main.tf
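Review bot: The three new variables in the variables.tf hunk omit `type`, while the existing `form_recognizer_name` just above them declares `type = string`; untyped variables accept any value, so a stray number or list passed to `cosmosdb_sqldb_name` or `sql_container_name` is only caught at apply time. Add `type = string` to `cosmosdb_sqldb_name` and `sql_container_name` and `type = number` to `throughput`, matching the file's existing convention. A `validation` block on `throughput` (for example `condition = var.throughput >= 400`) would also surface the Cosmos DB minimum-RU constraint at plan time instead of as a provider error, if that minimum applies to the account configuration used here.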
@@ -331,3 +331,4 @@ resource "null_resource" "cosmosdb_sql_role_assignment" {
 azurerm_cosmosdb_account.cosmosdb
 ]
 }
+
diff --git a/terraform-infrastructure/variables.tf b/terraform-infrastructure/variables.tf
index 5d84313..657a8f2 100644
--- a/terraform-infrastructure/variables.tf
+++ b/terraform-infrastructure/variables.tf
@@ -67,3 +67,4 @@ variable "throughput" {
 description = "The throughput (RU/s) to be allocated to the Cosmos DB SQL database or container."
 default = 400
 }
+
From ea2f24aef2dca72c40ea596abb131e6169e44d3c Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 3 Jun 2025 18:43:44 +0000
Subject: [PATCH 3/3] Update last modified date in Markdown files

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 828dd7f..deb7b4d 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Costa Rica
 [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/) [brown9804](https://github.com/brown9804)
-Last updated: 2025-05-16
+Last updated: 2025-06-03
 ----------