
Commit c07a8fa

RBAC and keys deployment changes
1 parent c42053a commit c07a8fa

7 files changed

+92
-7
lines changed

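--- a/infra/app/function.bicep
+++ b/infra/app/function.bicep
@@ -42,6 +42,7 @@ module function '../core/host/functions.bicep' = {
 runtimeName: runtimeName
 runtimeVersion: runtimeVersion
 dockerFullImageName: dockerFullImageName
+useKeyVault: useKeyVault
 appSettings: union(appSettings, {
 WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
 AZURE_AUTH_TYPE: authType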

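--- a/infra/app/web.bicep
+++ b/infra/app/web.bicep
@@ -192,6 +192,29 @@ module webaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
 }
 }
 
+module cosmosRoleDefinition '../core/database/cosmos-sql-role-def.bicep' = {
+name: 'cosmos-sql-role-definition'
+params: {
+accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+}
+dependsOn: [
+web
+]
+}
+
+
+module cosmosUserRole '../core/database/cosmos-sql-role-assign.bicep' = {
+name: 'cosmos-sql-user-role-${web.name}'
+params: {
+accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+roleDefinitionId: cosmosRoleDefinition.outputs.id
+principalId: web.outputs.identityPrincipalId
+}
+dependsOn: [
+cosmosRoleDefinition
+]
+}
+
 output FRONTEND_API_IDENTITY_PRINCIPAL_ID string = web.outputs.identityPrincipalId
 output FRONTEND_API_NAME string = web.outputs.name
 output FRONTEND_API_URI string = web.outputs.uri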
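Review bot: `dependsOn: [ cosmosRoleDefinition ]` on cosmosUserRole is redundant, because `roleDefinitionId: cosmosRoleDefinition.outputs.id` already establishes that ordering, and the `dependsOn: [ web ]` on cosmosRoleDefinition is likewise unnecessary since that module only reads `appSettings`. Both modules evaluate `json(appSettings.AZURE_COSMOSDB_INFO).accountName` separately, so a missing or malformed setting fails the deployment with no hint about which input was wrong; computing it once as `var cosmosAccountName = json(appSettings.AZURE_COSMOSDB_INFO).accountName` above the modules names the assumption and removes the duplicate parse. The Cosmos data-plane role is granted regardless of the `useKeyVault` mode that the rest of this commit toggles on storage, which is presumably intended because Cosmos SQL RBAC is independent of storage shared keys; a one-line comment stating that would save the next reader from checking.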
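--- /dev/null
+++ b/infra/core/database/cosmos-sql-role-assign.bicep
@@ -0,0 +1,19 @@
+metadata description = 'Creates a SQL role assignment under an Azure Cosmos DB account.'
+param accountName string
+
+param roleDefinitionId string
+param principalId string = ''
+
+resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
+parent: cosmos
+name: guid(roleDefinitionId, principalId, cosmos.id)
+properties: {
+principalId: principalId
+roleDefinitionId: roleDefinitionId
+scope: cosmos.id
+}
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+name: accountName
+}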
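Review bot: `param principalId string = ''` allows the sqlRoleAssignments resource to be deployed with an empty principal; `guid(roleDefinitionId, principalId, cosmos.id)` still yields a valid name, so the problem only surfaces as an ARM error on the assignment rather than at validation. Either make the parameter required with `param principalId string`, or guard the resource with `resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = if (!empty(principalId)) {`, which matches how main.bicep in this commit skips role modules when `principalId` is empty. The API versions also differ between `sqlRoleAssignments@2022-05-15` and the `existing` account at `@2022-08-15`, while the companion role-definition file uses 2022-08-15 for both; aligning them keeps the two modules consistent. A `@description` on `principalId` and `roleDefinitionId` would match the `metadata description` line at the top.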
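--- /dev/null
+++ b/infra/core/database/cosmos-sql-role-def.bicep
@@ -0,0 +1,30 @@
+metadata description = 'Creates a SQL role definition under an Azure Cosmos DB account.'
+param accountName string
+
+resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2022-08-15' = {
+parent: cosmos
+name: guid(cosmos.id, accountName, 'sql-role')
+properties: {
+assignableScopes: [
+cosmos.id
+]
+permissions: [
+{
+dataActions: [
+'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+]
+notDataActions: []
+}
+]
+roleName: 'Reader Writer'
+type: 'CustomRole'
+}
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+name: accountName
+}
+
+output id string = roleDefinition.id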
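Review bot: The custom 'Reader Writer' definition appears to grant the same data actions as the Cosmos DB built-in Data Contributor role (`readMetadata`, `containers/*`, `containers/items/*`), so a comment above the resource explaining why a custom role is created instead of assigning the built-in one — for example to keep `assignableScopes` pinned to this single account — would stop a later reviewer from replacing it. `guid(cosmos.id, accountName, 'sql-role')` feeds the account name in twice, because `cosmos.id` already ends with it; `guid(cosmos.id, 'sql-role')` is equivalent in uniqueness and reads cleaner. `notDataActions: []` is the default and can be left out, and a `@description` on `param accountName` would match the `metadata description` line.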

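--- a/infra/core/host/functions.bicep
+++ b/infra/core/host/functions.bicep
@@ -9,6 +9,7 @@ param appServicePlanId string
 param keyVaultName string = ''
 param managedIdentity bool = !empty(keyVaultName)
 param storageAccountName string
+param useKeyVault bool
 
 // Runtime Properties
 @allowed([
@@ -67,10 +68,10 @@ module functions 'appservice.bicep' = {
 appSettings: union(
 appSettings,
 {
-AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
 FUNCTIONS_EXTENSION_VERSION: extensionVersion
 },
-!useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {}
+!useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {},
+useKeyVault ? { AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'} : {AzureWebJobsStorage__accountName: storage.name}
 )
 clientAffinityEnabled: clientAffinityEnabled
 enableOryxBuild: enableOryxBuild
@@ -90,6 +91,15 @@ module functions 'appservice.bicep' = {
 }
 }
 
+module storageBlobRoleFunction '../security/role.bicep' = {
+name: 'storage-blob-role-function'
+params: {
+principalId: functions.outputs.identityPrincipalId
+roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+principalType: 'ServicePrincipal'
+}
+}
+
 resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
 name: storageAccountName
 }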
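Review bot: The new `storageBlobRoleFunction` module is deployed unconditionally, so the blob role is assigned even when `useKeyVault` is true and the host connects with the key-bearing `AzureWebJobsStorage` string; the grant is only needed for the identity-based `AzureWebJobsStorage__accountName` branch, so `module storageBlobRoleFunction '../security/role.bicep' = if (!useKeyVault) {` keeps it to the mode that uses it. The hard-coded `roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'` is the Storage Blob Data Contributor role (main.bicep labels the same assignment that way), while the Functions host's identity-based connection to its own storage is documented as requiring Storage Blob Data Owner, so confirm Contributor is sufficient and add a comment naming the role either way, e.g. `// Storage Blob Data Contributor — for identity-based AzureWebJobsStorage`. In the identity branch `functions.outputs.identityPrincipalId` must be non-empty, yet `param managedIdentity bool = !empty(keyVaultName)` presumably defaults to false when no Key Vault is configured; verify that the no-key path still enables the identity, or gate the module on it. Note also that with `useKeyVault` the account key from `storage.listKeys()` is placed directly into app settings rather than in Key Vault, so if that is deliberate the parameter effectively means "use shared keys" and a `@description` on `param useKeyVault bool` should say so.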

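--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
@@ -11,7 +11,8 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param useKeyVault bool
+param allowSharedKeyAccess bool = useKeyVault
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}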
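Review bot: `param useKeyVault bool` is introduced without a default while `allowSharedKeyAccess` now defaults to it, so every caller of storage-account.bicep must pass `useKeyVault` or template validation fails; main.bicep is updated in this commit, but any other caller is not visible here. If existing callers should keep the old behaviour, `param useKeyVault bool = true` preserves the previous `allowSharedKeyAccess` default; if the intent is secure-by-default, keep it required but document the effect with `@description('When false, shared-key access is disabled and clients must use identity-based (RBAC) access to the account')`. This flag and the `useKeyVault` branch in functions.bicep that still reads `storage.listKeys()` only stay consistent because both are fed from the same value; a comment here pointing out that coupling would help whoever changes one without the other.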

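--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1054,6 +1054,7 @@ module storage 'core/storage/storage-account.bicep' = {
 params: {
 name: storageAccountName
 location: location
+useKeyVault: useKeyVault
 sku: {
 name: 'Standard_GRS'
 }
@@ -1086,7 +1087,7 @@ module storage 'core/storage/storage-account.bicep' = {
 
 // USER ROLES
 // Storage Blob Data Contributor
-module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
 scope: resourceGroup()
 name: 'storage-role-user'
 params: {
@@ -1097,7 +1098,7 @@ module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
 }
 
 // Cognitive Services User
-module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
 scope: resourceGroup()
 name: 'openai-role-user'
 params: {
@@ -1108,7 +1109,7 @@ module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
 }
 
 // Contributor
-module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'rbac') {
+module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
 scope: resourceGroup()
 name: 'openai-role-user-contributor'
 params: {
@@ -1119,7 +1120,7 @@ module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'r
 }
 
 // Search Index Data Contributor
-module searchRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module searchRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
 scope: resourceGroup()
 name: 'search-role-user'
 params: {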
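Review bot: The condition `authType == 'rbac' && principalId != ''` is now copied onto four modules (storageRoleUser, openaiRoleUser, openaiRoleUserContributor, searchRoleUser), which is easy to let drift; a single `var assignUserRoles = authType == 'rbac' && principalId != ''` next to the `// USER ROLES` comment with `= if (assignUserRoles)` on each module keeps them in step. The guard silently skips the user-role assignments when `principalId` is empty, presumably for non-interactive deployments where no user principal is known; a comment such as `// principalId is empty in pipeline/service-principal deployments, so user role assignments are skipped` makes that intent visible instead of looking like a missed grant. Whether `useKeyVault`, now passed to the storage module, is declared as a parameter of main.bicep with a documented default is outside the hunks shown.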
