// Imported params
// Environment suffix used in resource names.
param environment string
// Application name used in resource names.
param appName string
// Toggles the private endpoint, private DNS zone, records and VNet link below.
param includeNetworkSecurity bool
// Name of the Cosmos DB account to create.
param cosmosDBAccountName string
// Name segment of the SQL database created in the account.
param cosmosDBName string
// Name (and data-plane id) of the Employees container.
param cosmosDBContainers_Employees string
// Region for the account and the private endpoint; defaults to the resource group's location.
param region string = resourceGroup().location
// Existing subnet (in virtualNetworkName, same resource group) that hosts the private endpoint.
param subnetName string
// Existing virtual network that is linked to the private DNS zone.
param virtualNetworkName string
// Object id of the API app identity that receives the Cosmos data-plane role.
param apiAppPrincipalId string
// Local params
param privateEndpointName string = 'pe-cosmos-${appName}-${environment}'
// Tags applied to the Cosmos resources in this file.
param tags object = {
  deploymentGroup: 'cosmosdb'
}
// Private link DNS zone for the Cosmos DB SQL API endpoint.
var privateDnsZoneName = 'privatelink.documents.azure.com'
// Role definition / assignment names are derived with guid() from stable inputs,
// so repeated deployments reuse the same names instead of creating new objects.
var roleDefinitionId = guid('sql-role-definition-', apiAppPrincipalId, cosmosDbAccount.id)
var roleAssignmentId = guid(roleDefinitionId, apiAppPrincipalId, cosmosDbAccount.id)
var roleDefinitionName = 'Cosmos_ReadWrite'
// Data-plane permissions granted to the API app: account metadata reads plus
// every item-level action (wildcard) in the containers reachable at the assigned scope.
var dataActions = [
  'Microsoft.DocumentDB/databaseAccounts/readMetadata'
  'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
]
// Deployments - Cosmos DB Resources
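// Single-region Cosmos DB (SQL API) account: automatic failover and multi-region
// writes are off, consistency is Session.
resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' = {
  name: cosmosDBAccountName
  location: region
  tags: tags
  properties: {
    databaseAccountOfferType: 'Standard'
    enableAutomaticFailover: false
    enableMultipleWriteLocations: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    locations: [
      {
        locationName: region
        failoverPriority: 0
        isZoneRedundant: false
      }
    ]
    // When the private endpoint is deployed (includeNetworkSecurity), close the
    // public endpoint so the private link is the only data-plane path. Without
    // this the private endpoint adds no isolation, because the account stays
    // reachable from the internet. The non-secured case keeps the old behaviour.
    publicNetworkAccess: includeNetworkSecurity ? 'Disabled' : 'Enabled'
    // NOTE(review): account keys stay enabled alongside the RBAC setup at the end
    // of this file; turning local auth off needs a newer API version - confirm.
  }
}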
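// SQL database inside the account.
resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2021-06-15' = {
  // Referencing cosmosDbAccount.name already creates the dependency on the
  // account, so no explicit dependsOn is needed.
  name: '${cosmosDbAccount.name}/${cosmosDBName}'
  tags: tags
  properties: {
    resource: {
      // Keep the data-plane id equal to the ARM name segment, as the container
      // resource below does (it was previously 'db-${appName}', which diverged
      // from cosmosDBName).
      id: cosmosDBName
    }
  }
}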
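// Employees container, partitioned on the document id.
resource employeesContainer 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2021-06-15' = {
  // cosmosDb.name carries the account segment and yields the implicit
  // dependency chain account -> database -> container; the explicit dependsOn
  // entries were redundant (Bicep's no-unnecessary-dependson rule).
  name: '${cosmosDb.name}/${cosmosDBContainers_Employees}'
  tags: tags
  properties: {
    resource: {
      // Data-plane id matches the ARM name segment.
      id: cosmosDBContainers_Employees
      partitionKey: {
        paths: [
          '/id'
        ]
      }
    }
  }
}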
// Deployments - Private Endpoint and Networking
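// Private endpoint for the account's SQL sub-resource, placed in the given subnet.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-07-01' = if (includeNetworkSecurity) {
  name: privateEndpointName
  location: region
  // Tagged like the Cosmos resources so the endpoint is grouped with them
  // (it was the only resource here without tags).
  tags: tags
  properties: {
    subnet: {
      // resourceId() resolves within this resource group; the subnet must
      // already exist. Type name uses the canonical casing.
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)
    }
    privateLinkServiceConnections: [
      {
        name: 'plsConnection'
        properties: {
          privateLinkServiceId: cosmosDbAccount.id
          // 'Sql' is the private link group for the Cosmos DB SQL (Core) API.
          groupIds: [
            'Sql'
          ]
        }
      }
    ]
  }
}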
// Private DNS zone that resolves the account's privatelink hostname inside the VNet.
// Private DNS zones are always 'global'.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2018-09-01' = if (includeNetworkSecurity) {
  location: 'global'
  name: privateDnsZoneName
}
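// Attaches the private DNS zone to the private endpoint so the endpoint's
// records are managed in that zone.
resource apiAppPvtDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-11-01' = if (includeNetworkSecurity) {
  // parent gives the dependency on privateEndpoint; the zone reference below
  // gives the one on privateDnsZone, so the explicit dependsOn list is gone.
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-documents-azure-com'
        properties: {
          // Symbolic reference instead of a hand-built id string interpolating
          // subscription() and resourceGroup(); same value, plus a real dependency.
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}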
// NOTE(review): static A record with a hard-coded name and address. The
// privateDnsZoneGroups resource above already manages this zone's records for
// the endpoint, so a fixed entry can conflict with or drift from the endpoint's
// actual address - confirm it is still needed. The name also does not follow the
// appName/environment convention used by the other resources in this file.
resource privateDnsZone_A_1 'Microsoft.Network/privateDnsZones/A@2018-09-01' = if(includeNetworkSecurity) {
  parent: privateDnsZone
  name: 'cosmos-app22-d5'
  properties: {
    metadata: {
      creator: 'created by Pipeline'
    }
    // TTL in seconds.
    ttl: 10
    aRecords: [
      {
        ipv4Address: '192.168.4.36'
      }
    ]
  }
}
// NOTE(review): second static A record (regional hostname) with a hard-coded
// name and address; same concern as privateDnsZone_A_1 - the zone group above
// manages the endpoint's records, so confirm this fixed entry is still wanted.
resource privateDnsZone_A_2 'Microsoft.Network/privateDnsZones/A@2018-09-01' = if(includeNetworkSecurity) {
  parent: privateDnsZone
  name: 'cosmos-app22-d5-eastus'
  properties: {
    metadata: {
      creator: 'created by Pipeline'
    }
    // TTL in seconds.
    ttl: 10
    aRecords: [
      {
        ipv4Address: '192.168.4.37'
      }
    ]
  }
}
// NOTE(review): the zone apex SOA ('@') is normally created together with the
// zone; declaring it here pins every SOA field, including serialNumber, to a
// fixed value on each deployment - confirm this is intended.
resource privateDnsZone_SOA 'Microsoft.Network/privateDnsZones/SOA@2018-09-01' = if(includeNetworkSecurity) {
  parent: privateDnsZone
  name: '@'
  properties: {
    // All timer values are in seconds.
    ttl: 3600
    soaRecord: {
      email: 'azureprivatedns-host.microsoft.com'
      expireTime: 2419200
      host: 'azureprivatedns.net'
      minimumTtl: 10
      refreshTime: 3600
      retryTime: 300
      serialNumber: 1
    }
  }
}
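// Links the private DNS zone to the virtual network so resources in it resolve
// the privatelink hostname.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2018-09-01' = if (includeNetworkSecurity) {
  parent: privateDnsZone
  // NOTE(review): opaque link name that looks like a generated value - confirm
  // whether it should follow the appName/environment convention used elsewhere.
  name: '26goz5jemcopq'
  location: 'global'
  properties: {
    // Resolution only: VMs in the VNet do not auto-register records in this zone.
    registrationEnabled: false
    virtualNetwork: {
      // resourceId() yields the same id as the previous hand-built string
      // (same subscription and resource group) without the interpolation.
      id: resourceId('Microsoft.Network/virtualNetworks', virtualNetworkName)
    }
  }
}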
// Deployments - Azure RBAC Setup for App Service - Pending MS Support Ticket
// Custom Cosmos DB data-plane role, assignable only at this account's scope,
// carrying the dataActions declared above.
resource sqlRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-04-15' = {
  parent: cosmosDbAccount
  name: roleDefinitionId
  properties: {
    type: 'CustomRole'
    roleName: roleDefinitionName
    assignableScopes: [
      cosmosDbAccount.id
    ]
    permissions: [
      {
        dataActions: dataActions
      }
    ]
  }
}
// Grants the custom role to the API app's principal at account scope.
resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = {
  parent: cosmosDbAccount
  name: roleAssignmentId
  properties: {
    scope: cosmosDbAccount.id
    principalId: apiAppPrincipalId
    roleDefinitionId: sqlRoleDefinition.id
  }
}
// Resource ids of the data-plane RBAC objects created above.
output sqlRoleAssignmentId string = sqlRoleAssignment.id
output sqlRoleDefinitionId string = sqlRoleDefinition.id