diff --git a/Environments/Todo-Mongo-AKS/azuredeploy.json b/Environments/Todo-Mongo-AKS/azuredeploy.json
index fb7cf37..03f1741 100644
--- a/Environments/Todo-Mongo-AKS/azuredeploy.json
+++ b/Environments/Todo-Mongo-AKS/azuredeploy.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.170.59819",
- "templateHash": "8189193153050722730"
+ "templateHash": "926438374472775395"
 }
 },
 "parameters": {
@@ -41,13 +41,16 @@
 "type": "string",
 "defaultValue": ""
 },
- "aksClusterIdentityObjectId": {
- "type": "string"
- },
 "configStoreName": {
 "type": "string",
 "defaultValue": ""
 },
+ "sharedAKSProjectName": {
+ "type": "string"
+ },
+ "sharedAKSEnvironmentName": {
+ "type": "string"
+ },
 "contentType": {
 "type": "string",
 "defaultValue": "",
@@ -193,6 +196,7 @@
 "webSitesFunctions": "func-",
 "webStaticSites": "stapp-"
 },
+ "sharedAKSResourceGroup": "[format('{0}-{1}', parameters('sharedAKSProjectName'), parameters('sharedAKSEnvironmentName'))]",
 "abbrs": "[variables('$fxv#0')]",
 "resourceToken": "[toLower(uniqueString(subscription().id, parameters('environmentName'), parameters('location')))]",
 "tags": {
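Review bot: The two new required parameters `sharedAKSProjectName` and `sharedAKSEnvironmentName` carry no `metadata.description` and no `minLength`, although their concatenation in `sharedAKSResourceGroup` (third hunk on this line) is the only thing that tells the deployment which resource group to search for the cluster and which resource group to grant Reader on. A wrong or empty value is not rejected at parameter validation; it surfaces later as an empty cluster name from the discovery script. The parameters around them all have a `defaultValue`, so a reader cannot tell from the template that these two encode a naming convention. Suggest adding `"minLength": 1` and `"metadata": { "description": "Project name of the shared AKS environment; joined with sharedAKSEnvironmentName as '<project>-<environment>' to form the shared AKS resource group name" }` (and the mirror text on the environment parameter).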
@@ -254,25 +258,22 @@
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "cosmos",
+ "name": "keyvault",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
 },
 "mode": "Incremental",
 "parameters": {
- "accountName": "[if(not(empty(parameters('cosmosAccountName'))), createObject('value', parameters('cosmosAccountName')), createObject('value', format('{0}{1}', variables('abbrs').documentDBDatabaseAccounts, variables('resourceToken'))))]",
- "databaseName": {
- "value": "[parameters('cosmosDatabaseName')]"
- },
+ "name": "[if(not(empty(parameters('keyVaultName'))), createObject('value', parameters('keyVaultName')), createObject('value', format('{0}{1}', variables('abbrs').keyVaultVaults, variables('resourceToken'))))]",
 "location": {
 "value": "[parameters('location')]"
 },
 "tags": {
 "value": "[variables('tags')]"
 },
- "keyVaultName": {
- "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyvault'), '2022-09-01').outputs.name.value]"
+ "principalId": {
+ "value": "[parameters('principalId')]"
 }
 },
 "template": {
@@ -282,11 +283,12 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.170.59819",
- "templateHash": "11074299330608515845"
- }
+ "templateHash": "18407114162280426775"
+ },
+ "description": "Creates an Azure Key Vault."
 },
 "parameters": {
- "accountName": {
+ "name": {
 "type": "string"
 },
 "location": {
@@ -297,63 +299,160 @@ "type": "object", "defaultValue": {} }, - "collections": { - "type": "array", - "defaultValue": [ - { - "name": "TodoList", - "id": "TodoList", - "shardKey": "Hash", - "indexKey": "_id" + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "tenantId": "[subscription().tenantId]", + "sku": { + "family": "A", + "name": "standard" }, - { - "name": "TodoItem", - "id": "TodoItem", - "shardKey": "Hash", - "indexKey": "_id" - } - ] + "accessPolicies": "[if(not(empty(parameters('principalId'))), createArray(createObject('objectId', parameters('principalId'), 'permissions', createObject('secrets', createArray('get', 'list')), 'tenantId', subscription().tenantId)), createArray())]" + } + } + ], + "outputs": { + "endpoint": { + "type": "string", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01').vaultUri]" }, - "databaseName": { + "name": { "type": "string", - "defaultValue": "" + "value": "[parameters('name')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "get-aks-name", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "appDeployName": { + "value": "todo-deploy" + }, + "aksResourceGroupName": { + "value": "[variables('sharedAKSResourceGroup')]" + }, + "identityName": { + "value": "[format('{0}dp-{1}', variables('abbrs').managedIdentityUserAssignedIdentities, variables('resourceToken'))]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": 
"bicep", + "version": "0.26.170.59819", + "templateHash": "15711762243647057476" + } + }, + "parameters": { + "appDeployName": { + "type": "string", + "metadata": { + "description": "app deployment name" + } }, - "keyVaultName": { + "aksResourceGroupName": { + "type": "string", + "metadata": { + "description": "Shared AKS resource group" + } + }, + "timestamp": { + "type": "string", + "defaultValue": "[utcNow()]", + "metadata": { + "description": "Timestamp - utcNow can only be called as a default value of a parameter." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location to run the deployment script in" + } + }, + "identityName": { "type": "string" } }, "variables": { - "defaultDatabaseName": "Todo", - "actualDatabaseName": "[if(not(empty(parameters('databaseName'))), parameters('databaseName'), variables('defaultDatabaseName'))]" + "scriptToExecute": "$output = Get-AzResource -ResourceGroupName $Env:RESOURCEGROUP -ResourceType Microsoft.ContainerService/ManagedClusters\n\nWrite-Output $output\n$DeploymentScriptOutputs = @{}\n$DeploymentScriptOutputs['text'] = $output.Name\n" }, "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "name": "[parameters('identityName')]", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "[format('{0}-get-aks-script', parameters('appDeployName'))]", + "kind": "AzurePowerShell", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {} + } + }, + "properties": { + "forceUpdateTag": "[parameters('timestamp')]", + "azPowerShellVersion": "7.2.0", + "retentionInterval": "PT1H", + "scriptContent": "[variables('scriptToExecute')]", + 
"cleanupPreference": "Always", + "environmentVariables": [ + { + "name": "RESOURCEGROUP", + "value": "[parameters('aksResourceGroupName')]" + } + ] + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]" + ] + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "cosmos-mongo", + "name": "read-role-assignment-to-aks", + "resourceGroup": "[parameters('aksResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "accountName": { - "value": "[parameters('accountName')]" - }, - "databaseName": { - "value": "[variables('actualDatabaseName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "collections": { - "value": "[parameters('collections')]" + "principalId": { + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2023-01-31').principalId]" }, - "keyVaultName": { - "value": "[parameters('keyVaultName')]" - }, - "tags": { - "value": "[parameters('tags')]" + "roleDefinitionId": { + "value": "acdd72a7-3385-48ef-bd42-f606fba81ae7" } }, "template": { 
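Review bot: The discovery script in `scriptToExecute` assumes the shared resource group holds exactly one managed cluster: `Get-AzResource` returns a collection, so with two clusters `$output.Name` becomes an array and the `clusterName` output declared as `"type": "string"` (in the next hunk) fails, while with none it is `$null`, which the `if(empty(...))` wrapper turns into an empty cluster name that only fails later inside the `aks` module. Make the assumption explicit in the script, e.g. `if (@($output).Count -ne 1) { throw "expected exactly one managed cluster in $Env:RESOURCEGROUP, found $(@($output).Count)" }` followed by `$DeploymentScriptOutputs['text'] = @($output)[0].Name`. Note also that `cleanupPreference: Always` removes only the script's supporting resources; the `dp-` user-assigned identity and its role assignment `acdd72a7-3385-48ef-bd42-f606fba81ae7` (built-in Reader) on the shared AKS resource group persist after the run, which is worth a line in the `identityName` parameter's metadata so operators know where that identity comes from. The `get-aks-name` module's template continues past this hunk.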
@@ -363,171 +462,561 @@ "_generator": { "name": "bicep", "version": "0.26.170.59819", - "templateHash": "3051764932488625981" + "templateHash": "2390256577307700589" }, - "description": "Creates an Azure Cosmos DB for MongoDB account with a database." + "description": "Creates a role assignment for a service principal." }, "parameters": { - "accountName": { - "type": "string" - }, - "databaseName": { + "principalId": { "type": "string" }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "collections": { - "type": "array", - "defaultValue": [] - }, - "connectionStringKey": { + "principalType": { "type": "string", - "defaultValue": "AZURE-COSMOS-CONNECTION-STRING" + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] }, - "keyVaultName": { + "roleDefinitionId": { "type": "string" } }, "resources": [ { - "copy": { - "name": "list", - "count": "[length(parameters('collections'))]" - }, - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections", - "apiVersion": "2022-08-15", - "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[1], parameters('collections')[copyIndex()].name)]", - "properties": { - "resource": { - "id": "[parameters('collections')[copyIndex()].id]", - "shardKey": { - "_id": "[parameters('collections')[copyIndex()].shardKey]" - }, - "indexes": [ - { - "key": { - "keys": [ - "[parameters('collections')[copyIndex()].indexKey]" - ] - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.DocumentDB/databaseAccounts/mongodbDatabases', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), 
'/')[1])]" - ] - }, - { - "type": "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases", - "apiVersion": "2022-08-15", - "name": "[format('{0}/{1}', parameters('accountName'), parameters('databaseName'))]", - "tags": "[parameters('tags')]", - "properties": { - "resource": { - "id": "[parameters('databaseName')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', 'cosmos-mongo-account')]" - ] - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "cosmos-mongo-account", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('accountName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "keyVaultName": { - "value": "[parameters('keyVaultName')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "connectionStringKey": { - "value": "[parameters('connectionStringKey')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "4693794629197446458" - }, - "description": "Creates an Azure Cosmos DB for MongoDB account." 
- }, - "parameters": { - "name": { - "type": "string" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "tags": { - "type": "object", - "defaultValue": {} - }, - "keyVaultName": { - "type": "string" - }, - "connectionStringKey": { - "type": "string", - "defaultValue": "AZURE-COSMOS-CONNECTION-STRING" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "cosmos-account", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('name')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "connectionStringKey": { - "value": "[parameters('connectionStringKey')]" - }, - "keyVaultName": { - "value": "[parameters('keyVaultName')]" - }, - "kind": { - "value": "MongoDB" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]" + ] + } + ], + "outputs": { + "clusterName": { + "type": "string", + "value": "[if(empty(reference(resourceId('Microsoft.Resources/deploymentScripts', format('{0}-get-aks-script', parameters('appDeployName'))), '2020-10-01').outputs.text), '', reference(resourceId('Microsoft.Resources/deploymentScripts', format('{0}-get-aks-script', parameters('appDeployName'))), '2020-10-01').outputs.text)]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "aks", + "resourceGroup": 
"[variables('sharedAKSResourceGroup')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "aksName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'get-aks-name'), '2022-09-01').outputs.clusterName.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "889274472255022532" + } + }, + "parameters": { + "aksName": { + "type": "string" + } + }, + "resources": [], + "outputs": { + "aksIdentityObjectId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksName')), '2023-10-02-preview').identityProfile.kubeletidentity.objectId]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'get-aks-name')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cluster-keyvault-access", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "keyVaultName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyvault'), '2022-09-01').outputs.name.value]" + }, + "principalId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('sharedAKSResourceGroup')), 'Microsoft.Resources/deployments', 'aks'), '2022-09-01').outputs.aksIdentityObjectId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "7922086847377910894" + }, + "description": "Assigns an Azure Key Vault access 
policy." + }, + "parameters": { + "name": { + "type": "string", + "defaultValue": "add" + }, + "keyVaultName": { + "type": "string" + }, + "permissions": { + "type": "object", + "defaultValue": { + "secrets": [ + "get", + "list" + ] + } + }, + "principalId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults/accessPolicies", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]", + "properties": { + "accessPolicies": [ + { + "objectId": "[parameters('principalId')]", + "tenantId": "[subscription().tenantId]", + "permissions": "[parameters('permissions')]" + } + ] + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('sharedAKSResourceGroup')), 'Microsoft.Resources/deployments', 'aks')]", + "[resourceId('Microsoft.Resources/deployments', 'keyvault')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "api-cosmos-access", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos'), '2022-09-01').outputs.accountName.value]" + }, + "roleDefinitionId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos'), '2022-09-01').outputs.roleDefinitionId.value]" + }, + "principalId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('sharedAKSResourceGroup')), 'Microsoft.Resources/deployments', 'aks'), '2022-09-01').outputs.aksIdentityObjectId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", 
+ "templateHash": "5580476706925703677" + }, + "description": "Creates a SQL role assignment under an Azure Cosmos DB account." + }, + "parameters": { + "accountName": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))))]", + "properties": { + "principalId": "[parameters('principalId')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + } + } + ] + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('sharedAKSResourceGroup')), 'Microsoft.Resources/deployments', 'aks')]", + "[resourceId('Microsoft.Resources/deployments', 'cosmos')]" + ] + }, + { + "condition": "[not(equals(parameters('principalId'), ''))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "user-cosmos-access", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos'), '2022-09-01').outputs.accountName.value]" + }, + "roleDefinitionId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos'), '2022-09-01').outputs.roleDefinitionId.value]" + }, + "principalId": { + "value": "[parameters('principalId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + 
"name": "bicep", + "version": "0.26.170.59819", + "templateHash": "5580476706925703677" + }, + "description": "Creates a SQL role assignment under an Azure Cosmos DB account." + }, + "parameters": { + "accountName": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))))]", + "properties": { + "principalId": "[parameters('principalId')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": "[if(not(empty(parameters('cosmosAccountName'))), createObject('value', parameters('cosmosAccountName')), createObject('value', format('{0}{1}', variables('abbrs').documentDBDatabaseAccounts, variables('resourceToken'))))]", + "databaseName": { + "value": "[parameters('cosmosDatabaseName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[variables('tags')]" + }, + "keyVaultName": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyvault'), '2022-09-01').outputs.name.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + 
"version": "0.26.170.59819", + "templateHash": "4256008595520895847" + } + }, + "parameters": { + "accountName": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "containers": { + "type": "array", + "defaultValue": [ + { + "name": "TodoList", + "id": "TodoList", + "partitionKey": "/id" + }, + { + "name": "TodoItem", + "id": "TodoItem", + "partitionKey": "/id" + } + ] + }, + "databaseName": { + "type": "string", + "defaultValue": "" + }, + "keyVaultName": { + "type": "string" + }, + "principalIds": { + "type": "array", + "defaultValue": [] + } + }, + "variables": { + "defaultDatabaseName": "Todo", + "actualDatabaseName": "[if(not(empty(parameters('databaseName'))), parameters('databaseName'), variables('defaultDatabaseName'))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-sql", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[parameters('accountName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "containers": { + "value": "[parameters('containers')]" + }, + "databaseName": { + "value": "[variables('actualDatabaseName')]" + }, + "keyVaultName": { + "value": "[parameters('keyVaultName')]" + }, + "principalIds": { + "value": "[parameters('principalIds')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "16116103805544296619" + }, + "description": "Creates an Azure Cosmos DB for NoSQL account with a database." 
+ }, + "parameters": { + "accountName": { + "type": "string" + }, + "databaseName": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "containers": { + "type": "array", + "defaultValue": [] + }, + "keyVaultName": { + "type": "string" + }, + "principalIds": { + "type": "array", + "defaultValue": [] + } + }, + "resources": [ + { + "copy": { + "name": "list", + "count": "[length(parameters('containers'))]" + }, + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}/{2}', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[1], parameters('containers')[copyIndex()].name)]", + "properties": { + "resource": { + "id": "[parameters('containers')[copyIndex()].id]", + "partitionKey": { + "paths": [ + "[parameters('containers')[copyIndex()].partitionKey]" + ] + } + }, + "options": {} + }, + "dependsOn": [ + "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[1])]" + ] + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), parameters('databaseName'))]", + "properties": { + "resource": { + "id": "[parameters('databaseName')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-sql-account", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + 
"value": "[parameters('accountName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "keyVaultName": { + "value": "[parameters('keyVaultName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "18220013070549790672" + }, + "description": "Creates an Azure Cosmos DB for NoSQL account." + }, + "parameters": { + "name": { + "type": "string" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "keyVaultName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-account", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('name')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "keyVaultName": { + "value": "[parameters('keyVaultName')]" + }, + "kind": { + "value": "GlobalDocumentDB" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", 
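Review bot: The `aks` module exposes `identityProfile.kubeletidentity.objectId`, and `cluster-keyvault-access` and `api-cosmos-access` then grant that principal `secrets get/list` on the vault and the custom Cosmos SQL role; the kubelet identity is the node-level identity shared by every workload on the cluster, so on a shared AKS environment these grants are effectively cluster-wide rather than scoped to this application. The previous version took the principal as an explicit `aksClusterIdentityObjectId` parameter, so the change also silently widens who decides which identity is authorized. Consider provisioning a per-application user-assigned identity (federated to the app's service account via workload identity) and passing its `principalId` to both access modules, or at minimum state the shared-identity consequence in the `description` of `cluster-keyvault-access`, e.g. `"description": "Grants the cluster's kubelet identity (shared by all workloads on the cluster) get/list on secrets in the Key Vault."`. The `2023-10-02-preview` API version used to read the cluster is a preview surface; a GA `Microsoft.ContainerService/managedClusters` version exposes the same `identityProfile` and avoids a future break. The enclosing `cosmos` module continues past this hunk.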
@@ -641,16 +1130,165 @@ "id": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-account'), '2022-09-01').outputs.id.value]" + }, + "name": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-account'), '2022-09-01').outputs.name.value]" } } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-sql-role-definition", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[parameters('accountName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "16206905209322787989" + }, + "description": "Creates a SQL role definition under an Azure Cosmos DB account." 
+ }, + "parameters": { + "accountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", + "apiVersion": "2022-08-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]", + "properties": { + "assignableScopes": [ + "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + ], + "permissions": [ + { + "dataActions": [ + "Microsoft.DocumentDB/databaseAccounts/readMetadata", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*" + ], + "notDataActions": [] + } + ], + "roleName": "Reader Writer", + "type": "CustomRole" + } + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account')]", + "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[1])]" + ] + }, + { + "copy": { + "name": "userRole", + "count": "[length(parameters('principalIds'))]", + "mode": "serial", + "batchSize": 1 + }, + "condition": "[not(empty(parameters('principalIds')[copyIndex()]))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('cosmos-sql-user-role-{0}', uniqueString(parameters('principalIds')[copyIndex()]))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + 
"parameters": { + "accountName": { + "value": "[parameters('accountName')]" + }, + "roleDefinitionId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition'), '2022-09-01').outputs.id.value]" + }, + "principalId": { + "value": "[parameters('principalIds')[copyIndex()]]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "5580476706925703677" + }, + "description": "Creates a SQL role assignment under an Azure Cosmos DB account." + }, + "parameters": { + "accountName": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))))]", + "properties": { + "principalId": "[parameters('principalId')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account')]", + "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[0], split(format('{0}/{1}', parameters('accountName'), parameters('databaseName')), '/')[1])]", + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition')]" + ] } ], "outputs": { + "accountId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 
'cosmos-sql-account'), '2022-09-01').outputs.id.value]" + }, + "accountName": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account'), '2022-09-01').outputs.name.value]" + }, "connectionStringKey": { "type": "string", - "value": "[parameters('connectionStringKey')]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account'), '2022-09-01').outputs.connectionStringKey.value]" }, "databaseName": { "type": "string", @@ -658,7 +1296,11 @@ }, "endpoint": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-mongo-account'), '2022-09-01').outputs.endpoint.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-account'), '2022-09-01').outputs.endpoint.value]" + }, + "roleDefinitionId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition'), '2022-09-01').outputs.id.value]" } } } 
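Review bot: The `Reader Writer` custom role in `cosmos-sql-role-definition` lists `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*` alongside `containers/items/*`, which adds container-level data-plane operations on top of item CRUD, and the same definition is assigned to the API identity and to every entry in `principalIds` through the `userRole` copy loop. If the consumers only read and write items, `readMetadata` plus `sqlDatabases/containers/items/*` is sufficient and the `containers/*` entry can be dropped; if container-level access is intended, the `roleName`/description should say so, since `Reader Writer` does not suggest it. Either way the intent deserves a `"description"` on the role definition deployment beyond "Creates a SQL role definition", e.g. `"description": "Creates the app data-plane role: metadata read plus item read/write on all containers of the account."`. The `cosmos-sql` module's outputs in the second hunk on this line look consistent with the new `cosmos-sql-account` references.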
@@ -666,170 +1308,28 @@
 }
 ],
 "outputs": {
- "connectionStringKey": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-mongo'), '2022-09-01').outputs.connectionStringKey.value]"
- },
- "databaseName": {
+ "accountName": {
 "type": "string",
- "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-mongo'), '2022-09-01').outputs.databaseName.value]"
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql'), '2022-09-01').outputs.accountName.value]"
 },
- "endpoint": {
+ "connectionStringKey": {
 "type": "string",
- "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-mongo'), '2022-09-01').outputs.endpoint.value]"
- }
- }
- }
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', 'keyvault')]"
- ]
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "keyvault",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "name": "[if(not(empty(parameters('keyVaultName'))), createObject('value', parameters('keyVaultName')), createObject('value', format('{0}{1}', variables('abbrs').keyVaultVaults, variables('resourceToken'))))]",
- "location": {
- "value": "[parameters('location')]"
- },
- "tags": {
- "value": "[variables('tags')]"
- },
- "principalId": {
- "value": "[parameters('principalId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.26.170.59819",
- "templateHash": "18407114162280426775"
- },
- "description": "Creates an Azure Key Vault."
- },
- "parameters": {
- "name": {
- "type": "string"
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql'), '2022-09-01').outputs.connectionStringKey.value]"
 },
- "location": {
+ "databaseName": {
 "type": "string",
- "defaultValue": "[resourceGroup().location]"
- },
- "tags": {
- "type": "object",
- "defaultValue": {}
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql'), '2022-09-01').outputs.databaseName.value]"
 },
- "principalId": {
- "type": "string",
- "defaultValue": ""
- }
- },
- "resources": [
- {
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2022-07-01",
- "name": "[parameters('name')]",
- "location": "[parameters('location')]",
- "tags": "[parameters('tags')]",
- "properties": {
- "tenantId": "[subscription().tenantId]",
- "sku": {
- "family": "A",
- "name": "standard"
- },
- "accessPolicies": "[if(not(empty(parameters('principalId'))), createArray(createObject('objectId', parameters('principalId'), 'permissions', createObject('secrets', createArray('get', 'list')), 'tenantId', subscription().tenantId)), createArray())]"
- }
- }
- ],
- "outputs": {
 "endpoint": {
 "type": "string",
- "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01').vaultUri]"
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql'), '2022-09-01').outputs.endpoint.value]"
 },
- "name": {
+ "roleDefinitionId": {
 "type": "string",
- "value": "[parameters('name')]"
+ "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql'), '2022-09-01').outputs.roleDefinitionId.value]"
 }
 }
 }
- }
- },
- {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2022-09-01",
- "name": "cluster-keyvault-access",
- "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "keyVaultName": {
- "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyvault'), '2022-09-01').outputs.name.value]"
- },
- "principalId": {
- "value": "[parameters('aksClusterIdentityObjectId')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.26.170.59819",
- "templateHash": "7922086847377910894"
- },
- "description": "Assigns an Azure Key Vault access policy."
- },
- "parameters": {
- "name": {
- "type": "string",
- "defaultValue": "add"
- },
- "keyVaultName": {
- "type": "string"
- },
- "permissions": {
- "type": "object",
- "defaultValue": {
- "secrets": [
- "get",
- "list"
- ]
- }
- },
- "principalId": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.KeyVault/vaults/accessPolicies",
- "apiVersion": "2022-07-01",
- "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('name'))]",
- "properties": {
- "accessPolicies": [
- {
- "objectId": "[parameters('principalId')]",
- "tenantId": "[subscription().tenantId]",
- "permissions": "[parameters('permissions')]"
- }
- ]
- }
- }
- ]
- }
 },
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', 'keyvault')]"
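Review bot: Dropping the `cluster-keyvault-access` deployment (and, in the parameters hunk, `aksClusterIdentityObjectId`) removes the only grant of Key Vault secret `get`/`list` to the cluster identity that this template used to make, yet on the new side this deployment still emits a `connectionStringKey` output and keeps its `dependsOn` on `keyvault`. If the workload still resolves the Cosmos connection string from the vault at runtime, that read permission now has to come from somewhere outside this file (presumably the shared AKS environment named by `sharedAKSProjectName`/`sharedAKSEnvironmentName`) or it is simply gone; if the new `sqlRoleAssignments` path is meant to replace the secret entirely, the `connectionStringKey` output and the `keyvault` dependency look like leftovers. Either way the template gives no hint, so I would record the intent in the top-level `metadata.description` (outside this hunk), e.g. `Key Vault read access for the cluster workload is not assigned by this template; Cosmos access is granted via SQL role assignments to the supplied principalIds.`, and drop the dependency if it is indeed unused. The enclosing deployment object begins before this hunk and its closing brackets fall after it.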