rabc and keys deployemnt changes

Roopan-Microsoft · Oct 18, 2024 · c07a8fa · c07a8fa
1 parent c42053a
commit c07a8fa
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 7 deletions.
diff --git a/infra/app/function.bicep b/infra/app/function.bicep
@@ -42,6 +42,7 @@ module function '../core/host/functions.bicep' = {
     runtimeName: runtimeName
     runtimeVersion: runtimeVersion
     dockerFullImageName: dockerFullImageName
+    useKeyVault: useKeyVault
     appSettings: union(appSettings, {
       WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
       AZURE_AUTH_TYPE: authType

diff --git a/infra/app/web.bicep b/infra/app/web.bicep
@@ -192,6 +192,29 @@ module webaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
   }
 }
 
+module cosmosRoleDefinition '../core/database/cosmos-sql-role-def.bicep' = {
+  name: 'cosmos-sql-role-definition'
+  params: {
+    accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+  }
+  dependsOn: [
+    web
+  ]
+}
+
+
+module cosmosUserRole '../core/database/cosmos-sql-role-assign.bicep' = {
+  name: 'cosmos-sql-user-role-${web.name}'
+  params: {
+    accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+    roleDefinitionId: cosmosRoleDefinition.outputs.id
+    principalId: web.outputs.identityPrincipalId
+  }
+  dependsOn: [
+    cosmosRoleDefinition
+  ]
+}
+
 output FRONTEND_API_IDENTITY_PRINCIPAL_ID string = web.outputs.identityPrincipalId
 output FRONTEND_API_NAME string = web.outputs.name
 output FRONTEND_API_URI string = web.outputs.uri
diff --git a/infra/core/database/cosmos-sql-role-assign.bicep b/infra/core/database/cosmos-sql-role-assign.bicep
@@ -0,0 +1,19 @@
+metadata description = 'Creates a SQL role assignment under an Azure Cosmos DB account.'
+param accountName string
+
+param roleDefinitionId string
+param principalId string = ''
+
+resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
+  parent: cosmos
+  name: guid(roleDefinitionId, principalId, cosmos.id)
+  properties: {
+    principalId: principalId
+    roleDefinitionId: roleDefinitionId
+    scope: cosmos.id
+  }
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+  name: accountName
+}
diff --git a/infra/core/database/cosmos-sql-role-def.bicep b/infra/core/database/cosmos-sql-role-def.bicep
@@ -0,0 +1,30 @@
+metadata description = 'Creates a SQL role definition under an Azure Cosmos DB account.'
+param accountName string
+
+resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2022-08-15' = {
+  parent: cosmos
+  name: guid(cosmos.id, accountName, 'sql-role')
+  properties: {
+    assignableScopes: [
+      cosmos.id
+    ]
+    permissions: [
+      {
+        dataActions: [
+          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+        ]
+        notDataActions: []
+      }
+    ]
+    roleName: 'Reader Writer'
+    type: 'CustomRole'
+  }
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+  name: accountName
+}
+
+output id string = roleDefinition.id
diff --git a/infra/core/host/functions.bicep b/infra/core/host/functions.bicep
@@ -9,6 +9,7 @@ param appServicePlanId string
 param keyVaultName string = ''
 param managedIdentity bool = !empty(keyVaultName)
 param storageAccountName string
+param useKeyVault bool
 
 // Runtime Properties
 @allowed([
@@ -67,10 +68,10 @@ module functions 'appservice.bicep' = {
     appSettings: union(
       appSettings,
       {
-        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
         FUNCTIONS_EXTENSION_VERSION: extensionVersion
       },
-      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {}
+      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {},
+      useKeyVault ? { AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'} : {AzureWebJobsStorage__accountName: storage.name}
     )
     clientAffinityEnabled: clientAffinityEnabled
     enableOryxBuild: enableOryxBuild
@@ -90,6 +91,15 @@ module functions 'appservice.bicep' = {
   }
 }
 
+module storageBlobRoleFunction '../security/role.bicep' = {
+  name: 'storage-blob-role-function'
+  params: {
+    principalId: functions.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
   name: storageAccountName
 }

diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
@@ -11,7 +11,8 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param useKeyVault bool
+param allowSharedKeyAccess bool = useKeyVault
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}

diff --git a/infra/main.bicep b/infra/main.bicep
@@ -1054,6 +1054,7 @@ module storage 'core/storage/storage-account.bicep' = {
   params: {
     name: storageAccountName
     location: location
+    useKeyVault: useKeyVault
     sku: {
       name: 'Standard_GRS'
     }
@@ -1086,7 +1087,7 @@ module storage 'core/storage/storage-account.bicep' = {
 
 // USER ROLES
 // Storage Blob Data Contributor
-module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
   scope: resourceGroup()
   name: 'storage-role-user'
   params: {
@@ -1097,7 +1098,7 @@ module storageRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
 }
 
 // Cognitive Services User
-module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
   scope: resourceGroup()
   name: 'openai-role-user'
   params: {
@@ -1108,7 +1109,7 @@ module openaiRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
 }
 
 // Contributor
-module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'rbac') {
+module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
   scope: resourceGroup()
   name: 'openai-role-user-contributor'
   params: {
@@ -1119,7 +1120,7 @@ module openaiRoleUserContributor 'core/security/role.bicep' = if (authType == 'r
 }
 
 // Search Index Data Contributor
-module searchRoleUser 'core/security/role.bicep' = if (authType == 'rbac') {
+module searchRoleUser 'core/security/role.bicep' = if (authType == 'rbac' && principalId != '') {
   scope: resourceGroup()
   name: 'search-role-user'
   params: {