
Commit 9d6ecbd

Refactor Cosmos DB role definitions and assignments for clarity and compliance with Azure standards
1 parent 0e97262 commit 9d6ecbd

1 file changed

+9
-19
lines changed


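--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1045,10 +1045,6 @@ var cosmosDbResourceName = 'cosmos-${solutionSuffix}'
 var cosmosDbDatabaseName = 'macae'
 var cosmosDbDatabaseMemoryContainerName = 'memory'
 
-resource sqlContributorRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2024-11-15' existing = {
-name: '${cosmosDbResourceName}/00000000-0000-0000-0000-000000000002'
-}
-
 //TODO: update to latest version of AVM module
 module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
 name: take('avm.res.document-db.database-account.${cosmosDbResourceName}', 64)
@@ -1073,22 +1069,16 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
 ]
 }
 ]
-// dataPlaneRoleDefinitions: [
-// {
-// // Cosmos DB Built-in Data Contributor: https://docs.azure.cn/en-us/cosmos-db/nosql/security/reference-data-plane-roles#cosmos-db-built-in-data-contributor
-// roleName: 'Cosmos DB SQL Data Contributor'
-// dataActions: [
-// 'Microsoft.DocumentDB/databaseAccounts/readMetadata'
-// 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
-// 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
-// ]
-// assignments: [{ principalId: userAssignedIdentity.outputs.principalId }]
-// }
-// ]
-dataPlaneRoleAssignments: [
+dataPlaneRoleDefinitions: [
 {
-principalId: userAssignedIdentity.outputs.principalId
-roleDefinitionId: sqlContributorRoleDefinition.id
+// Cosmos DB Built-in Data Contributor: https://docs.azure.cn/en-us/cosmos-db/nosql/security/reference-data-plane-roles#cosmos-db-built-in-data-contributor
+roleName: 'Cosmos DB SQL Data Contributor'
+dataActions: [
+'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+]
+assignments: [{ principalId: userAssignedIdentity.outputs.principalId }]
 }
 ]
 // WAF aligned configuration for Monitoring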
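Review bot: The new `dataPlaneRoleDefinitions` entry at new lines 1072–1081 creates a custom role whose `dataActions` use `sqlDatabases/containers/*` and `containers/items/*`, which is full data-plane read/write/delete on every container in the account for `userAssignedIdentity`, where the removed `dataPlaneRoleAssignments` bound that same identity to the built-in Data Contributor role (id `00000000-0000-0000-0000-000000000002`) without minting a new role definition. If the workload only needs the `macae` database and its `memory` container (the variables at 1045–1046), the assignment should be narrowed to that database or container, assuming the AVM module's `assignments` entries accept a scope field in version 0.15.0 — worth confirming before relying on it. The comment at new line 1074 also says "Built-in Data Contributor" while the block defines a custom role named `Cosmos DB SQL Data Contributor`; I'd reword it to `// Custom data-plane role with the same dataActions as the built-in Data Contributor (00000000-0000-0000-0000-000000000002); account-wide scope` so a later reviewer does not mistake it for the built-in role. Since the `existing` resource `sqlContributorRoleDefinition` was removed at old lines 1048–1050, the rest of main.bicep should be checked for remaining references to it, as these hunks do not show whether any survive.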
