diff --git a/infra/main.json b/infra/main.json index ac292309b..2ad47e5b9 100644 --- a/infra/main.json +++ b/infra/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "4843965256692050769" + "version": "0.30.23.60470", + "templateHash": "12760434847212273886" } }, "parameters": { @@ -682,8 +682,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10162367437414363838" + "version": "0.30.23.60470", + "templateHash": "14453122839528928942" } }, "parameters": { @@ -847,8 +847,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "17778708028830863146" + "version": "0.30.23.60470", + "templateHash": "12121357715793816510" }, "description": "Creates an Azure Key Vault." }, @@ -940,8 +940,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13930677902562058633" + "version": "0.30.23.60470", + "templateHash": "13123022401063321803" }, "description": "Creates an Azure Cognitive Services instance." }, @@ -1095,8 +1095,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13930677902562058633" + "version": "0.30.23.60470", + "templateHash": "13123022401063321803" }, "description": "Creates an Azure Cognitive Services instance." }, @@ -1244,8 +1244,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -1313,8 +1313,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, 
@@ -1382,8 +1382,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -1451,8 +1451,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -1524,8 +1524,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13930677902562058633" + "version": "0.30.23.60470", + "templateHash": "13123022401063321803" }, "description": "Creates an Azure Cognitive Services instance." }, @@ -1692,8 +1692,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "7149284552544081554" + "version": "0.30.23.60470", + "templateHash": "15528430944298201007" } }, "parameters": { @@ -1924,8 +1924,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "3186814620975722299" + "version": "0.30.23.60470", + "templateHash": "13584246975784398226" }, "description": "Creates an Azure AI Search instance." }, @@ -2089,8 +2089,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "11910849835579950339" + "version": "0.30.23.60470", + "templateHash": "9286637480882627742" }, "description": "Creates an Azure App Service plan." }, @@ -2273,8 +2273,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15380721951101386205" + "version": "0.30.23.60470", + "templateHash": "8651734742647371064" } }, "parameters": { 
@@ -2455,8 +2455,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, @@ -2682,8 +2682,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, @@ -2760,8 +2760,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -2829,8 +2829,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -2898,8 +2898,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -2967,8 +2967,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -3033,8 +3033,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, 
@@ -3080,6 +3080,134 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-sql-role-definition", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[json(parameters('appSettings').AZURE_COSMOSDB_INFO).accountName]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "17906960830343188834" + }, + "description": "Creates a SQL role definition under an Azure Cosmos DB account." + }, + "parameters": { + "accountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", + "apiVersion": "2022-08-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]", + "properties": { + "assignableScopes": [ + "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + ], + "permissions": [ + { + "dataActions": [ + "Microsoft.DocumentDB/databaseAccounts/readMetadata", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*" + ], + "notDataActions": [] + } + ], + "roleName": "Reader Writer", + "type": "CustomRole" + } + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]" + } + } + } + }, + 
"dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('cosmos-sql-user-role-{0}', format('{0}-app-module', parameters('name')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[json(parameters('appSettings').AZURE_COSMOSDB_INFO).accountName]" + }, + "roleDefinitionId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition'), '2022-09-01').outputs.id.value]" + }, + "principalId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name'))), '2022-09-01').outputs.identityPrincipalId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "2622922268469466870" + }, + "description": "Creates a SQL role assignment under an Azure Cosmos DB account." 
+ }, + "parameters": { + "accountName": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))))]", + "properties": { + "principalId": "[parameters('principalId')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition')]", + "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" + ] } ], "outputs": { @@ -3238,8 +3366,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15380721951101386205" + "version": "0.30.23.60470", + "templateHash": "8651734742647371064" } }, "parameters": { @@ -3420,8 +3548,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, @@ -3647,8 +3775,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, 
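Review bot: The `Reader Writer` role added in this hunk is both defined and assigned at the whole Cosmos DB account (`assignableScopes` and the assignment's `scope` are `resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))`) with `containers/*` and `containers/items/*`, so the app identity gets read, write and delete on every database and container in that account. If the app only uses its own container, narrow the assignment `scope` to the `/dbs/<database>/colls/<container>` form under that account id. The three data actions look identical to the built-in "Cosmos DB Built-in Data Contributor" role, so the custom definition may not be needed at all. Neither added deployment has a `condition`, so `json(parameters('appSettings').AZURE_COSMOSDB_INFO).accountName` is evaluated on every run; presumably that setting is always populated, which is worth confirming. The same block is repeated in the hunk at `@@ -4045,6 +4173,134 @@`, and since main.json is compiled Bicep output the change belongs in the Bicep source.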
@@ -3725,8 +3853,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -3794,8 +3922,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -3863,8 +3991,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -3932,8 +4060,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -3998,8 +4126,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, 
@@ -4045,6 +4173,134 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "cosmos-sql-role-definition", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[json(parameters('appSettings').AZURE_COSMOSDB_INFO).accountName]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "17906960830343188834" + }, + "description": "Creates a SQL role definition under an Azure Cosmos DB account." + }, + "parameters": { + "accountName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions", + "apiVersion": "2022-08-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]", + "properties": { + "assignableScopes": [ + "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + ], + "permissions": [ + { + "dataActions": [ + "Microsoft.DocumentDB/databaseAccounts/readMetadata", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*" + ], + "notDataActions": [] + } + ], + "roleName": "Reader Writer", + "type": "CustomRole" + } + } + ], + "outputs": { + "id": { + "type": "string", + "value": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('accountName'), guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName')), parameters('accountName'), 'sql-role'))]" + } + } + } + }, + 
"dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('cosmos-sql-user-role-{0}', format('{0}-app-module', parameters('name')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "accountName": { + "value": "[json(parameters('appSettings').AZURE_COSMOSDB_INFO).accountName]" + }, + "roleDefinitionId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition'), '2022-09-01').outputs.id.value]" + }, + "principalId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name'))), '2022-09-01').outputs.identityPrincipalId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "2622922268469466870" + }, + "description": "Creates a SQL role assignment under an Azure Cosmos DB account." 
+ }, + "parameters": { + "accountName": { + "type": "string" + }, + "roleDefinitionId": { + "type": "string" + }, + "principalId": { + "type": "string", + "defaultValue": "" + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments", + "apiVersion": "2022-05-15", + "name": "[format('{0}/{1}', parameters('accountName'), guid(parameters('roleDefinitionId'), parameters('principalId'), resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))))]", + "properties": { + "principalId": "[parameters('principalId')]", + "roleDefinitionId": "[parameters('roleDefinitionId')]", + "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('accountName'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'cosmos-sql-role-definition')]", + "[resourceId('Microsoft.Resources/deployments', format('{0}-app-module', parameters('name')))]" + ] } ], "outputs": { @@ -4199,8 +4455,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "17327750493694934622" + "version": "0.30.23.60470", + "templateHash": "17862689402403811352" } }, "parameters": { @@ -4370,8 +4626,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, @@ -4597,8 +4853,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, 
@@ -4675,8 +4931,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -4744,8 +5000,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -4813,8 +5069,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -4882,8 +5138,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -4948,8 +5204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, @@ -5145,8 +5401,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "17327750493694934622" + "version": "0.30.23.60470", + "templateHash": "17862689402403811352" } }, "parameters": { @@ -5316,8 +5572,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, 
@@ -5543,8 +5799,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, @@ -5621,8 +5877,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -5690,8 +5946,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -5759,8 +6015,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -5828,8 +6084,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -5894,8 +6150,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, @@ -6007,8 +6263,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "14824672405902859193" + "version": "0.30.23.60470", + "templateHash": "2390666818608223959" }, "description": "Creates an Application Insights instance and a Log Analytics workspace." }, 
@@ -6059,8 +6315,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "3321614781233750399" + "version": "0.30.23.60470", + "templateHash": "19694557100387265" }, "description": "Creates a Log Analytics workspace." }, @@ -6140,8 +6396,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "53484624287673645" + "version": "0.30.23.60470", + "templateHash": "16993757720869129667" }, "description": "Creates an Application Insights instance based on an existing Log Analytics workspace." }, @@ -6205,8 +6461,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "14911212182563532861" + "version": "0.30.23.60470", + "templateHash": "12524466040979787143" }, "description": "Creates a dashboard for an Application Insights instance." }, @@ -7540,8 +7796,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "2751741336760825109" + "version": "0.30.23.60470", + "templateHash": "15151749822990864279" } }, "parameters": { @@ -7623,8 +7879,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "20443133125141617" + "version": "0.30.23.60470", + "templateHash": "15030863077610448627" } }, "parameters": { @@ -7817,8 +8073,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "17585935035261876784" + "version": "0.30.23.60470", + "templateHash": "1242656561988928447" } }, "parameters": { 
@@ -8000,6 +8256,9 @@ "dockerFullImageName": { "value": "[parameters('dockerFullImageName')]" }, + "useKeyVault": { + "value": "[parameters('useKeyVault')]" + }, "appSettings": { "value": "[union(parameters('appSettings'), createObject('WEBSITES_ENABLE_APP_SERVICE_STORAGE', 'false', 'AZURE_AUTH_TYPE', parameters('authType'), 'USE_KEY_VAULT', if(parameters('useKeyVault'), parameters('useKeyVault'), ''), 'AZURE_OPENAI_API_KEY', if(parameters('useKeyVault'), parameters('openAIKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('azureOpenAIName')), '2023-05-01').key1), 'AZURE_SEARCH_KEY', if(parameters('useKeyVault'), parameters('searchKeyName'), listAdminKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Search/searchServices', parameters('azureAISearchName')), '2021-04-01-preview').primaryKey), 'AZURE_BLOB_ACCOUNT_KEY', if(parameters('useKeyVault'), parameters('storageAccountKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value), 'AZURE_FORM_RECOGNIZER_KEY', if(parameters('useKeyVault'), parameters('formRecognizerKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('formRecognizerName')), '2023-05-01').key1), 'AZURE_CONTENT_SAFETY_KEY', if(parameters('useKeyVault'), parameters('contentSafetyKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('contentSafetyName')), '2023-05-01').key1), 'AZURE_SPEECH_SERVICE_KEY', if(parameters('useKeyVault'), parameters('speechKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('speechServiceName')), '2023-05-01').key1), 'AZURE_COMPUTER_VISION_KEY', 
if(or(parameters('useKeyVault'), equals(parameters('computerVisionName'), '')), parameters('computerVisionKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('computerVisionName')), '2023-05-01').key1)))]" } @@ -8010,8 +8269,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15094851132007588437" + "version": "0.30.23.60470", + "templateHash": "8206949151292074536" }, "description": "Creates an Azure Function in an existing Azure App Service plan." }, @@ -8045,6 +8304,9 @@ "storageAccountName": { "type": "string" }, + "useKeyVault": { + "type": "bool" + }, "runtimeName": { "type": "string", "allowedValues": [ 
@@ -8166,7 +8428,7 @@ "value": "[parameters('appServicePlanId')]" }, "appSettings": { - "value": "[union(parameters('appSettings'), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value, environment().suffixes.storage), 'FUNCTIONS_EXTENSION_VERSION', parameters('extensionVersion')), if(not(parameters('useDocker')), createObject('FUNCTIONS_WORKER_RUNTIME', parameters('runtimeName')), createObject()))]" + "value": "[union(parameters('appSettings'), createObject('FUNCTIONS_EXTENSION_VERSION', parameters('extensionVersion')), if(not(parameters('useDocker')), createObject('FUNCTIONS_WORKER_RUNTIME', parameters('runtimeName')), createObject()), if(parameters('useKeyVault'), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value, environment().suffixes.storage)), createObject('AzureWebJobsStorage__accountName', parameters('storageAccountName'))))]" }, "clientAffinityEnabled": { "value": "[parameters('clientAffinityEnabled')]" @@ -8218,8 +8480,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, @@ -8445,8 +8707,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, 
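Review bot: In the rewritten `appSettings` value, the `useKeyVault` true branch still resolves the storage key with `listKeys(...)` and writes it in clear into the `AzureWebJobsStorage` connection string; only the false branch (`AzureWebJobsStorage__accountName`) keeps the secret out of the app settings. If true is meant to say that secrets live in Key Vault, this setting should be a Key Vault reference of the form `@Microsoft.KeyVault(SecretUri=<secret-uri>)` instead of the raw key. As written the branch reads inverted against the parameter name, so the `useKeyVault` parameter added at `@@ -8045,6 +8304,9 @@` should at least carry a `metadata.description` stating what true selects. The enclosing module continues outside this hunk, and main.json is compiled output, so the fix belongs in the Bicep source.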
@@ -8495,6 +8757,74 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage-blob-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-functions', parameters('name'))), '2022-09-01').outputs.identityPrincipalId.value]" + }, + "roleDefinitionId": { + "value": "ba92f5b4-2d11-453d-a403-e96b0029c9fe" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" + }, + "description": "Creates a role assignment for a service principal." + }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('{0}-functions', parameters('name')))]" + ] } ], "outputs": { 
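Review bot: The `Microsoft.Authorization/roleAssignments` resource inside `storage-blob-role-function` has no `scope`, so role `ba92f5b4-2d11-453d-a403-e96b0029c9fe` (Storage Blob Data Contributor) is granted on the resource group this nested deployment targets and therefore on every storage account in it, not just `storageAccountName`. Scope the assignment to that one account; the shared role template visible here takes no storage parameter, so this needs a storage-scoped variant in the Bicep source rather than an edit to this generated file. The deployment also has no `condition`, so the grant is made even when `useKeyVault` selects the key-based `AzureWebJobsStorage` branch and the identity does not need blob access. A parameter description naming the role next to the bare GUID would make later audits easier.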
@@ -8541,8 +8871,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -8610,8 +8940,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -8679,8 +9009,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -8748,8 +9078,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -8817,8 +9147,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -8883,8 +9213,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, @@ -9064,8 +9394,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "17585935035261876784" + "version": "0.30.23.60470", + "templateHash": "1242656561988928447" } }, "parameters": { 
@@ -9247,6 +9577,9 @@ "dockerFullImageName": { "value": "[parameters('dockerFullImageName')]" }, + "useKeyVault": { + "value": "[parameters('useKeyVault')]" + }, "appSettings": { "value": "[union(parameters('appSettings'), createObject('WEBSITES_ENABLE_APP_SERVICE_STORAGE', 'false', 'AZURE_AUTH_TYPE', parameters('authType'), 'USE_KEY_VAULT', if(parameters('useKeyVault'), parameters('useKeyVault'), ''), 'AZURE_OPENAI_API_KEY', if(parameters('useKeyVault'), parameters('openAIKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('azureOpenAIName')), '2023-05-01').key1), 'AZURE_SEARCH_KEY', if(parameters('useKeyVault'), parameters('searchKeyName'), listAdminKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Search/searchServices', parameters('azureAISearchName')), '2021-04-01-preview').primaryKey), 'AZURE_BLOB_ACCOUNT_KEY', if(parameters('useKeyVault'), parameters('storageAccountKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value), 'AZURE_FORM_RECOGNIZER_KEY', if(parameters('useKeyVault'), parameters('formRecognizerKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('formRecognizerName')), '2023-05-01').key1), 'AZURE_CONTENT_SAFETY_KEY', if(parameters('useKeyVault'), parameters('contentSafetyKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('contentSafetyName')), '2023-05-01').key1), 'AZURE_SPEECH_SERVICE_KEY', if(parameters('useKeyVault'), parameters('speechKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('speechServiceName')), '2023-05-01').key1), 'AZURE_COMPUTER_VISION_KEY', 
if(or(parameters('useKeyVault'), equals(parameters('computerVisionName'), '')), parameters('computerVisionKeyName'), listKeys(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.CognitiveServices/accounts', parameters('computerVisionName')), '2023-05-01').key1)))]" } @@ -9257,8 +9590,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15094851132007588437" + "version": "0.30.23.60470", + "templateHash": "8206949151292074536" }, "description": "Creates an Azure Function in an existing Azure App Service plan." }, @@ -9292,6 +9625,9 @@ "storageAccountName": { "type": "string" }, + "useKeyVault": { + "type": "bool" + }, "runtimeName": { "type": "string", "allowedValues": [ 
@@ -9413,7 +9749,7 @@ "value": "[parameters('appServicePlanId')]" }, "appSettings": { - "value": "[union(parameters('appSettings'), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value, environment().suffixes.storage), 'FUNCTIONS_EXTENSION_VERSION', parameters('extensionVersion')), if(not(parameters('useDocker')), createObject('FUNCTIONS_WORKER_RUNTIME', parameters('runtimeName')), createObject()))]" + "value": "[union(parameters('appSettings'), createObject('FUNCTIONS_EXTENSION_VERSION', parameters('extensionVersion')), if(not(parameters('useDocker')), createObject('FUNCTIONS_WORKER_RUNTIME', parameters('runtimeName')), createObject()), if(parameters('useKeyVault'), createObject('AzureWebJobsStorage', format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix={2}', parameters('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').keys[0].value, environment().suffixes.storage)), createObject('AzureWebJobsStorage__accountName', parameters('storageAccountName'))))]" }, "clientAffinityEnabled": { "value": "[parameters('clientAffinityEnabled')]" @@ -9465,8 +9801,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "16756175373379165193" + "version": "0.30.23.60470", + "templateHash": "7732628295698757767" }, "description": "Creates an Azure App Service in an existing Azure App Service plan." }, @@ -9692,8 +10028,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "103667315154160978" + "version": "0.30.23.60470", + "templateHash": "16930852302813854027" }, "description": "Updates app settings for an Azure App Service." }, 
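Review bot: In the new `appSettings` expression the `useKeyVault` branch still builds `AzureWebJobsStorage` from `listKeys(...).keys[0].value`, so with Key Vault enabled the storage account key is written into the app setting in clear text, whereas the other keys in this template are replaced by a secret name when `useKeyVault` is true. Consider a Key Vault reference for this setting, or using `AzureWebJobsStorage__accountName` in both branches now that the function identity receives a blob role. Whether `appSettings` is declared `secureObject` is not visible in this hunk; if it is a plain `object`, the key may also be recorded with the deployment's parameters. For the identity branch, confirm that the single blob role is enough for the Functions host, since identity-based `AzureWebJobsStorage` is documented as needing Storage Blob Data Owner, plus queue or table roles depending on the triggers in use.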
@@ -9742,6 +10078,74 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage-blob-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-functions', parameters('name'))), '2022-09-01').outputs.identityPrincipalId.value]" + }, + "roleDefinitionId": { + "value": "ba92f5b4-2d11-453d-a403-e96b0029c9fe" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" + }, + "description": "Creates a role assignment for a service principal." + }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('{0}-functions', parameters('name')))]" + ] } ], "outputs": { 
@@ -9788,8 +10192,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -9857,8 +10261,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -9926,8 +10330,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -9995,8 +10399,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -10064,8 +10468,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -10130,8 +10534,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "1133867179681914334" + "version": "0.30.23.60470", + "templateHash": "465622386717580763" }, "description": "Assigns an Azure Key Vault access policy." }, @@ -10234,8 +10638,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13930677902562058633" + "version": "0.30.23.60470", + "templateHash": "13123022401063321803" }, "description": "Creates an Azure Cognitive Services instance." }, 
@@ -10385,8 +10789,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13930677902562058633" + "version": "0.30.23.60470", + "templateHash": "13123022401063321803" }, "description": "Creates an Azure Cognitive Services instance." }, @@ -10539,8 +10943,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10992796846575118308" + "version": "0.30.23.60470", + "templateHash": "6699069410959282929" } }, "parameters": { @@ -10632,6 +11036,9 @@ "location": { "value": "[variables('location')]" }, + "useKeyVault": { + "value": "[parameters('useKeyVault')]" + }, "sku": { "value": { "name": "Standard_GRS" @@ -10667,8 +11074,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "6009030871838517804" + "version": "0.30.23.60470", + "templateHash": "10401188783540495741" }, "description": "Creates an Azure storage account." }, @@ -10701,9 +11108,12 @@ "type": "bool", "defaultValue": true }, + "useKeyVault": { + "type": "bool" + }, "allowSharedKeyAccess": { "type": "bool", - "defaultValue": true + "defaultValue": "[parameters('useKeyVault')]" }, "containers": { "type": "array", @@ -10862,7 +11272,7 @@ } }, { - "condition": "[equals(parameters('authType'), 'rbac')]", + "condition": "[and(equals(parameters('authType'), 'rbac'), not(equals(parameters('principalId'), '')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "storage-role-user", @@ -10888,8 +11298,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, 
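Review bot: `allowSharedKeyAccess` now defaults to `[parameters('useKeyVault')]`, which disables shared-key access whenever Key Vault is off, yet the app-settings expression elsewhere in this diff sets `AZURE_BLOB_ACCOUNT_KEY` to `listKeys(...).keys[0].value` in exactly that case. If a deployment uses key authentication with `useKeyVault` false, the app would be handed an account key that the storage account rejects. Deriving the default from `authType`, which the role-assignment conditions in this diff already compare with `'rbac'`, would state the intent directly and keep key-based deployments working. The file is generated, so the change belongs in the Bicep source.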
@@ -10928,7 +11338,7 @@ } }, { - "condition": "[equals(parameters('authType'), 'rbac')]", + "condition": "[and(equals(parameters('authType'), 'rbac'), not(equals(parameters('principalId'), '')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "openai-role-user", @@ -10954,8 +11364,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -10994,7 +11404,7 @@ } }, { - "condition": "[equals(parameters('authType'), 'rbac')]", + "condition": "[and(equals(parameters('authType'), 'rbac'), not(equals(parameters('principalId'), '')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "openai-role-user-contributor", @@ -11020,8 +11430,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -11060,7 +11470,7 @@ } }, { - "condition": "[equals(parameters('authType'), 'rbac')]", + "condition": "[and(equals(parameters('authType'), 'rbac'), not(equals(parameters('principalId'), '')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "search-role-user", @@ -11086,8 +11496,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12421327006867392541" + "version": "0.30.23.60470", + "templateHash": "14973584850527407631" }, "description": "Creates a role assignment for a service principal." }, @@ -11168,8 +11578,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "648404900818606545" + "version": "0.30.23.60470", + "templateHash": "17372485166957435450" } }, "parameters": {