Permissions RBACs managed with TF + Cosmos DB SQL and contaier

README.md

@@ -8,7 +8,7 @@ Costa Rica
 [![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
 [brown9804](https://github.com/brown9804)
 
-Last updated: 2025-05-16
+Last updated: 2025-06-03
 
 ----------
 
@@ -160,7 +160,7 @@ Last updated: 2025-05-16
 
 This is an introductory workshop on Microsoft Fabric. Please follow as described below.
 
-- If you're choosing the `Infrastructure via Azure Portal`, please start [here](#step-1-set-up-your-azure-environment).
+- If you're choosing the `Infrastructure via Azure Portal`, please start [here with Set Up Your Azure Environment](#step-1-set-up-your-azure-environment) section.
 - If you're choosing the `Infrastructure via Terraform` approach:
     1. Please follow the [Terraform guide](./terraform-infrastructure/) to deploy the necessary Azure resources for the workshop.
     2. Then, follow each [each section](#step-1-set-up-your-azure-environment) but `skip the creation of each resource`.

terraform-infrastructure/main.tf

@@ -61,6 +61,10 @@ resource "azurerm_linux_function_app" "function_app" {
   storage_account_name       = azurerm_storage_account.storage.name
   storage_account_access_key = azurerm_storage_account.storage.primary_access_key
 
+  identity {
+    type = "SystemAssigned"
+  }
+
   site_config {
     # Other configurations can go here
   }
@@ -72,6 +76,44 @@ resource "azurerm_linux_function_app" "function_app" {
   }
 }
 
+# Assign Storage Blob Data Contributor role
+resource "azurerm_role_assignment" "blob_data_contributor" {
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage
+  ]
+
+}
+
+# Assign Storage File Data SMB Share Contributor role
+resource "azurerm_role_assignment" "file_data_smb_share_contributor" {
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage File Data SMB Share Contributor"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage
+  ]
+}
+
+# Assign Storage Blob Data Reader role
+resource "azurerm_role_assignment" "blob_data_reader" {
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_storage_account.storage # Replace with the actual resource name
+  ]
+}
+
 
 # Service Plan
 resource "azurerm_service_plan" "asp" {
@@ -157,6 +199,103 @@ resource "azurerm_cosmosdb_account" "cosmosdb" {
   depends_on = [azurerm_resource_group.rg]
 }
 
+# Cosmos DB SQL Database
+resource "azurerm_cosmosdb_sql_database" "main" {
+  name                = var.cosmosdb_sqldb_name
+  resource_group_name = azurerm_resource_group.rg.name
+  account_name        = azurerm_cosmosdb_account.cosmosdb.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "outputcvscontainer" {
+  name                = var.sql_container_name
+  resource_group_name = azurerm_resource_group.rg.name
+  account_name        = azurerm_cosmosdb_account.cosmosdb.name
+  database_name       = azurerm_cosmosdb_sql_database.main.name
+  throughput          = var.throughput
+  partition_key_paths   = ["/definition/id"]
+  partition_key_version = 1
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    included_path {
+      path = "/included/?"
+    }
+
+    excluded_path {
+      path = "/excluded/?"
+    }
+  }
+
+  unique_key {
+    paths = ["/definition/idlong", "/definition/idshort"]
+  }
+}
+
+# Cosmos DB Operator
+resource "azurerm_role_assignment" "cosmosdb_operator" {
+  scope                = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Cosmos DB Operator"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# DocumentDB Account Contributor
+resource "azurerm_role_assignment" "documentdb_contributor" {
+  scope                = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "DocumentDB Account Contributor"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Azure AI Administrator
+resource "azurerm_role_assignment" "azure_ai_admin" {
+  scope                = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Azure AI Administrator"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Cosmos DB Account Reader Role
+resource "azurerm_role_assignment" "cosmosdb_reader" {
+  scope                = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Cosmos DB Account Reader Role"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
+# Contributor
+resource "azurerm_role_assignment" "contributor" {
+  scope                = azurerm_cosmosdb_account.cosmosdb.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_linux_function_app.function_app.identity[0].principal_id
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+
 # Azure Form Recognizer (Document Intelligence)
 resource "azurerm_cognitive_account" "form_recognizer" {
   name                = var.form_recognizer_name
@@ -172,3 +311,24 @@ resource "azurerm_cognitive_account" "form_recognizer" {
     command = "echo Form Recognizer: ${self.name}"
   }
 }
+
+# We need to assign custom or built-in Cosmos DB SQL roles 
+# (like Cosmos DB Built-in Data Reader, etc.) at the data plane level, 
+# which is not currently supported directly in Terraform as of now.
+# Workaround: Use null_resource with local-exec integrating the CLI command into 
+# Terraform using a null_resource as follow:
+locals {
+  cosmosdb_role_assignment_id = uuid()
+}
+
+resource "null_resource" "cosmosdb_sql_role_assignment" {
+  provisioner "local-exec" {
+    command = "az cosmosdb sql role assignment create --resource-group ${azurerm_resource_group.rg.name} --account-name ${azurerm_cosmosdb_account.cosmosdb.name} --role-definition-id /subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.rg.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.cosmosdb.name}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002 --principal-id ${azurerm_linux_function_app.function_app.identity[0].principal_id} --scope ${azurerm_cosmosdb_account.cosmosdb.id} --role-assignment-id ${local.cosmosdb_role_assignment_id}"
+  }
+
+  depends_on = [
+    azurerm_linux_function_app.function_app,
+    azurerm_cosmosdb_account.cosmosdb
+  ]
+}
+

terraform-infrastructure/variables.tf

@@ -51,4 +51,20 @@ variable "cosmosdb_account_name" {
 variable "form_recognizer_name" {
   description = "The name of the Form Recognizer resource."
   type        = string
-}
+}
+
+variable "cosmosdb_sqldb_name" {
+  description = "The name of the Cosmos DB SQL database to be created."
+  default     = "outputdb"
+}
+
+variable "sql_container_name" {
+  description = "The name of the Cosmos DB SQL container to be created within the database."
+  default     = "outputcvscontainer"
+}
+
+variable "throughput" {
+  description = "The throughput (RU/s) to be allocated to the Cosmos DB SQL database or container."
+  default     = 400
+}
+