-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfunction.bicep.jinja
298 lines (245 loc) · 8.57 KB
/
function.bicep.jinja
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
@description('Location for all resources. Leave the default value.')
param location string = resourceGroup().location
// CMD parameters
@description('Short name for location')
param shortLocation string
@description('Object ID for your Azure AD user identity (see the README.md file in the Azure Quickstart guide for instructions on how to get your Azure AD user object ID).')
param azureADObjectID string
@description('Name of the project')
@maxLength(5)
param projectName string
@allowed([
'dev'
'test'
'prod'
])
param env string = 'dev'
// Names of resources
@description('''
Name of the Azure Data Lake Storage Gen2 storage account. Storage account name requirements:
- Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
- Your storage account name must be unique within Azure. No two storage accounts can have the same name.
''')
@minLength(3)
@maxLength(24)
param storageAccountName string = 'sa${projectName}${env}${uniqueString(resourceGroup().id)}'
@description('Name of the Azure Data Factory instance.')
param azureDataFactoryName string = 'adf-${projectName}-${shortLocation}-${env}'
// @description('Home Ip-adress')
// param HomeIp string
// @description('Work Ip-adress')
// param WorkIp string
@description('Do you want to deploy a new Azure Key Vault instance (true or false)? Leave default name if you choose false.')
param deployAzureKeyVault bool = true
@description('''
Name of the Azure Key Vault. Key Vault name requirements:
- Key vault names must be between 3 and 24 characters in length and may contain numbers, letters, and dashes only.
''')
@minLength(3)
@maxLength(24)
param azureKeyVaultName string = 'kv-${projectName}-${shortLocation}-${env}-001'
@description('The name of the function app that you wish to create.')
param appName string = 'func-${projectName}-${shortLocation}-${env}-001'
@description('The name of the service plan')
param planName string = 'plan-${projectName}-${shortLocation}-${env}-001'
var akvRoleName = 'Key Vault Secrets User'
// param databricksWorkspaceName string = 'dbs_${projectName}'
// var managedResourceGroupName = 'databricks-rg-${databricksWorkspaceName}-${uniqueString(databricksWorkspaceName, resourceGroup().id)}'
// Values for Azure Function
@description('The language worker runtime to load in the function app.')
@allowed([
'powershell'
'python'
])
param runtime string = 'python'
var functionAppName = appName
var hostingPlanName = planName
var functionWorkerRuntime = runtime
// Values for Azure KeyVault
var akvRoleIdMapping = {
'Key Vault Secrets User': '4633458b-17de-408a-b874-0445c86b69e6'
}
// Defining roles for RBAC security
@description('This is the built-in Storage Blob Data Contributor role')
resource sbdcRoleDefinitionResourceId 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
scope: subscription()
name: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
}
// @description('This is the built-in Databricks Contributor role')
// resource dbsRoleDefinitionResourceId 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
// scope: subscription()
// name: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
// }
// Storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
name: storageAccountName
location: location
sku: {
name:'Standard_LRS'
}
kind: 'StorageV2'
properties: {
minimumTlsVersion: 'TLS1_2'
isHnsEnabled: false
}
}
@description('Assigns the user to Storage Blob Data Contributor Role')
resource userRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: storageAccount
name: guid(storageAccount.id, azureADObjectID, sbdcRoleDefinitionResourceId.id)
properties: {
roleDefinitionId: sbdcRoleDefinitionResourceId.id
principalId: azureADObjectID
}
}
// resource databricksWorkspace 'Microsoft.Databricks/workspaces@2018-04-01' = {
// name: databricksWorkspaceName
// location: location
// sku: {
// name: 'standard'
// }
// properties: {
// managedResourceGroupId: subscriptionResourceId('Microsoft.Resources/resourceGroups', managedResourceGroupName)
// authorizations: []
// }
// }
// Azure Data Factory
resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = {
name: azureDataFactoryName
location: location
identity: {
type: 'SystemAssigned'
}
}
@description('Assigns the ADF Managed Identity to Storage Blob Data Contributor Role')
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: storageAccount
name: guid(storageAccount.id, dataFactory.id, sbdcRoleDefinitionResourceId.id)
properties: {
roleDefinitionId: sbdcRoleDefinitionResourceId.id
principalId: dataFactory.identity.principalId
principalType: 'ServicePrincipal'
}
}
// @description('Assigns the user to Databricks workspace Contributor Role')
// resource adfDbsRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
// scope: adlsAccount
// name: guid(databricksWorkspace.id, azureADObjectID, dbsRoleDefinitionResourceId.id)
// properties: {
// roleDefinitionId: dbsRoleDefinitionResourceId.id
// principalId: azureADObjectID
// }
// }
// @description('Assigns the ADF Managed Identity to Databricks workspace Contributor Role')
// resource userDbsRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
// scope: databricksWorkspace
// name: guid(databricksWorkspace.id, dataFactory.id, dbsRoleDefinitionResourceId.id)
// properties: {
// roleDefinitionId: dbsRoleDefinitionResourceId.id
// principalId: dataFactory.identity.principalId
// principalType: 'ServicePrincipal'
// }
// }
resource storagLinkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
parent: dataFactory
name: '${storageAccountName}-linkedService'
properties: {
type: 'AzureBlobFS'
typeProperties: {
accountKey: storageAccount.listKeys().keys[0].value
url: storageAccount.properties.primaryEndpoints.dfs
}
}
}
// Setup Azure function and service plan
resource hostingPlan 'Microsoft.Web/serverfarms@2022-03-01' = {
name: hostingPlanName
location: location
kind: 'linux'
sku: {
name: 'Y1'
tier: 'Dynamic'
size: 'Y1'
family: 'Y'
}
properties: {
reserved: true
}
}
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
name: functionAppName
location: location
kind: 'functionapp,linux'
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: hostingPlan.id
reserved: true
siteConfig: {
appSettings: [
{
name: 'AzureWebJobsStorage'
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
}
{
name: 'FUNCTIONS_EXTENSION_VERSION'
value: '~4'
}
{
name: 'FUNCTIONS_WORKER_RUNTIME'
value: functionWorkerRuntime
}
]
ftpsState: 'FtpsOnly'
minTlsVersion: '1.2'
remoteDebuggingEnabled:true
linuxFxVersion: 'python|{{pythonMinorVersion}}'
}
httpsOnly: true
}
}
// Azure KeyVault
resource akv 'Microsoft.KeyVault/vaults@2022-07-01' = if (deployAzureKeyVault) {
name: azureKeyVaultName
location: location
properties: {
enableRbacAuthorization: true
tenantId: subscription().tenantId
sku: {
name: 'standard'
family: 'A'
}
networkAcls: {
defaultAction: 'Allow'
bypass: 'AzureServices'
}
}
}
resource userAkvRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployAzureKeyVault) {
name: guid(akvRoleIdMapping[akvRoleName],azureADObjectID,akv.id)
scope: akv
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', akvRoleIdMapping[akvRoleName])
principalId: azureADObjectID
}
}
resource spAkvRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployAzureKeyVault) {
name: guid(akvRoleIdMapping[akvRoleName],dataFactory.id,akv.id)
scope: akv
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', akvRoleIdMapping[akvRoleName])
principalId: dataFactory.identity.principalId
principalType: 'ServicePrincipal'
}
}
resource azureKeyVaultLinkedService 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = if(deployAzureKeyVault){
parent: dataFactory
name: '${azureKeyVaultName}-linkedService'
properties: {
type: 'AzureKeyVault'
typeProperties: {
baseUrl: akv.properties.vaultUri
}
}
}