Azure-Samples · seesharprun · Oct 8, 2024 · Oct 8, 2024 · Oct 8, 2024
diff --git a/azure.yaml b/azure.yaml
@@ -15,7 +15,7 @@ hooks:
   postprovision:
     windows:
       run: |
-        dotnet user-secrets set "AZURE_COSMOS_DB_NOSQL_ENDPOINT" "$env:AZURE_COSMOS_ENDPOINT" --project ./src/web/Cosmos.Samples.NoSQL.Quickstart.Web.csproj
+        dotnet user-secrets set "AZURE_COSMOS_DB_NOSQL_ENDPOINT" "$env:AZURE_COSMOS_DB_NOSQL_ENDPOINT" --project ./src/web/Cosmos.Samples.NoSQL.Quickstart.Web.csproj
         Write-Host ""
         Write-Host "View the running web application in Azure Container Apps:"
         Write-Host "$env:AZURE_CONTAINER_APP_ENDPOINT" -ForegroundColor Cyan
@@ -24,7 +24,7 @@ hooks:
       interactive: true
     posix:
       run: |
-        dotnet user-secrets set "AZURE_COSMOS_DB_NOSQL_ENDPOINT" "$AZURE_COSMOS_ENDPOINT" --project ./src/web/Cosmos.Samples.NoSQL.Quickstart.Web.csproj
+        dotnet user-secrets set "AZURE_COSMOS_DB_NOSQL_ENDPOINT" "$AZURE_COSMOS_DB_NOSQL_ENDPOINT" --project ./src/web/Cosmos.Samples.NoSQL.Quickstart.Web.csproj
         echo ""
         echo "View the running web application in Azure Container Apps:"
         echo -e "\033[0;36m$AZURE_CONTAINER_APP_ENDPOINT\033[0m"

diff --git a/infra/abbreviations.json b/infra/abbreviations.json
@@ -2,7 +2,5 @@
   "containerRegistry": "containerreg",
   "containerAppsEnv": "container-env",
   "containerAppsApp": "container-app",
-  "cosmosDbAccount": "cosmos-db-nosql",
-  "openAiAccount": "openai",
-  "userAssignedIdentity": "ua-id"
+  "cosmosDbAccount": "cosmos-db-nosql"
 }
diff --git a/infra/app/web.bicep b/infra/app/web.bicep
@@ -9,14 +9,6 @@ param tags object = {}
 @description('Endpoint for Azure Cosmos DB for NoSQL account.')
 param databaseAccountEndpoint string
 
-type managedIdentity = {
-  resourceId: string
-  clientId: string
-}
-
-@description('Unique identifier for user-assigned managed identity.')
-param userAssignedManagedIdentity managedIdentity
-
 module containerAppsEnvironment '../core/host/container-apps/environments/managed.bicep' = {
   name: 'container-apps-env'
   params: {
@@ -40,29 +32,19 @@ module containerAppsApp '../core/host/container-apps/app.bicep' = {
         name: 'azure-cosmos-db-nosql-endpoint' // Create a uniquely-named secret
         value: databaseAccountEndpoint // NoSQL database account endpoint
       }
-      {
-        name: 'azure-managed-identity-client-id' // Create a uniquely-named secret
-        value: userAssignedManagedIdentity.clientId // Client ID of user-assigned managed identity
-      }
     ]
     environmentVariables: [
       {
         name: 'AZURE_COSMOS_DB_NOSQL_ENDPOINT' // Name of the environment variable referenced in the application
         secretRef: 'azure-cosmos-db-nosql-endpoint' // Reference to secret
       }
-      {
-        name: 'AZURE_MANAGED_IDENTITY_CLIENT_ID'
-        secretRef: 'azure-managed-identity-client-id'
-      }
     ]
     targetPort: 8080
-    enableSystemAssignedManagedIdentity: false
-    userAssignedManagedIdentityIds: [
-      userAssignedManagedIdentity.resourceId
-    ]
+    enableSystemAssignedManagedIdentity: true
     containerImage: 'mcr.microsoft.com/dotnet/samples:aspnetapp'
   }
 }
 
 output endpoint string = containerAppsApp.outputs.endpoint
 output envName string = containerAppsApp.outputs.name
+output systemAssignedManagedIdentityPrincipalId string =  containerAppsApp.outputs.systemAssignedManagedIdentityPrincipalId
diff --git a/infra/bicepconfig.json b/infra/bicepconfig.json
diff --git a/infra/core/database/cosmos-db/account.bicep b/infra/core/database/cosmos-db/account.bicep
@@ -14,7 +14,10 @@ param enableServerless bool = false
 @description('Disables key-based authentication. Defaults to false.')
 param disableKeyBasedAuth bool = false
 
-resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
+@description('List of capabilities for the account. Defaults to an empty array.')
+param capabilities object[] = []
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
   name: name
   location: location
   tags: tags
@@ -37,11 +40,13 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
       serverVersion: '4.2'
     } : {}
     disableLocalAuth: disableKeyBasedAuth
-    capabilities: (enableServerless) ? [
-      {
-        name: 'EnableServerless'
-      }
-    ] : []
+    capabilities: union(capabilities,
+      (enableServerless) ? [
+        {
+          name: 'EnableServerless'
+        }
+      ] : []
+    )
   }
 }
 

diff --git a/infra/core/database/cosmos-db/nosql/account.bicep b/infra/core/database/cosmos-db/nosql/account.bicep
@@ -7,8 +7,8 @@ param tags object = {}
 @description('Enables serverless for this account. Defaults to false.')
 param enableServerless bool = false
 
-@description('Disables key-based authentication. Defaults to false.')
-param disableKeyBasedAuth bool = false
+@description('Disables key-based authentication. Defaults to true.')
+param disableKeyBasedAuth bool = true
 
 module account '../account.bicep' = {
   name: 'cosmos-db-nosql-account'

diff --git a/infra/core/database/cosmos-db/nosql/container.bicep b/infra/core/database/cosmos-db/nosql/container.bicep
@@ -31,16 +31,16 @@ var options = setThroughput ? autoscale ? {
   throughput: throughput
 } : {}
 
-resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
   name: parentAccountName
 }
 
-resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-04-15' existing = {
+resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-05-15' existing = {
   name: parentDatabaseName
   parent: account
 }
 
-resource container 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2023-04-15' = {
+resource container 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers@2024-05-15' = {
   name: name
   parent: database
   tags: tags

diff --git a/infra/core/database/cosmos-db/nosql/database.bicep b/infra/core/database/cosmos-db/nosql/database.bicep
@@ -23,11 +23,11 @@ var options = setThroughput ? autoscale ? {
   throughput: throughput
 } : {}
 
-resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
   name: parentAccountName
 }
 
-resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-04-15' = {
+resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2024-05-15' = {
   name: name
   parent: account
   tags: tags

diff --git a/infra/core/database/cosmos-db/nosql/role/assignment.bicep b/infra/core/database/cosmos-db/nosql/role/assignment.bicep
@@ -9,17 +9,20 @@ param roleDefinitionId string
 @description('Id of the principal to assign the role definition for the account.')
 param principalId string
 
-resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
+@description('Scope of the role assignment. Defaults to the account.')
+param scope string = '/'
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
   name: targetAccountName
 }
 
-resource assignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
+resource assignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2024-05-15' = {
   name: guid(roleDefinitionId, principalId, account.id)
   parent: account
   properties: {
     principalId: principalId
     roleDefinitionId: roleDefinitionId
-    scope: account.id
+    scope: '${account.id}${scope}'
   }
 }
 

diff --git a/infra/core/database/cosmos-db/nosql/role/definition.bicep b/infra/core/database/cosmos-db/nosql/role/definition.bicep
@@ -12,11 +12,11 @@ param permissionsDataActions string[] = []
 @description('An array of data actions that are denied. Defaults to an empty array.')
 param permissionsNonDataActions string[] = []
 
-resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
   name: targetAccountName
 }
 
-resource definition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-04-15' = {
+resource definition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2024-05-15' = {
   name: guid('nosql-role-definition', account.id)
   parent: account
   properties: {

diff --git a/infra/core/database/cosmos-db/table/account.bicep b/infra/core/database/cosmos-db/table/account.bicep
@@ -0,0 +1,31 @@
+metadata description = 'Create an Azure Cosmos DB for Table account.'
+
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('Enables serverless for this account. Defaults to false.')
+param enableServerless bool = false
+
+@description('Disables key-based authentication. Defaults to true.')
+param disableKeyBasedAuth bool = true
+
+module account '../account.bicep' = {
+  name: 'cosmos-db-table-account'
+  params: {
+    name: name
+    location: location
+    tags: tags
+    kind: 'GlobalDocumentDB'
+    enableServerless: enableServerless
+    disableKeyBasedAuth: disableKeyBasedAuth
+    capabilities: [
+      {
+        name: 'EnableTable'
+      }
+    ]
+  }
+}
+
+output endpoint string = account.outputs.endpoint
+output name string = account.outputs.name
diff --git a/infra/core/database/cosmos-db/table/role/assignment.bicep b/infra/core/database/cosmos-db/table/role/assignment.bicep
@@ -0,0 +1,29 @@
+metadata description = 'Create an Azure Cosmos DB for Table role assignment.'
+
+@description('Name of the target Azure Cosmos DB account.')
+param targetAccountName string
+
+@description('Id of the role definition to assign to the targeted principal and account.')
+param roleDefinitionId string
+
+@description('Id of the principal to assign the role definition for the account.')
+param principalId string
+
+@description('Scope of the role assignment. Defaults to the account.')
+param scope string = '/'
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
+  name: targetAccountName
+}
+
+resource assignment 'Microsoft.DocumentDB/databaseAccounts/tableRoleAssignments@2024-05-15' = {
+  name: guid(roleDefinitionId, principalId, account.id)
+  parent: account
+  properties: {
+    principalId: principalId
+    roleDefinitionId: roleDefinitionId
+    scope: '${account.id}${scope}'
+  }
+}
+
+output id string = assignment.id
diff --git a/infra/core/database/cosmos-db/table/role/definition.bicep b/infra/core/database/cosmos-db/table/role/definition.bicep
@@ -0,0 +1,37 @@
+metadata description = 'Create an Azure Cosmos DB for Table role definition.'
+
+@description('Name of the target Azure Cosmos DB account.')
+param targetAccountName string
+
+@description('Name of the role definiton.')
+param definitionName string
+
+@description('An array of data actions that are allowed. Defaults to an empty array.')
+param permissionsDataActions string[] = []
+
+@description('An array of data actions that are denied. Defaults to an empty array.')
+param permissionsNonDataActions string[] = []
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
+  name: targetAccountName
+}
+
+resource definition 'Microsoft.DocumentDB/databaseAccounts/tableRoleDefinitions@2024-05-15' = {
+  name: guid('table-role-definition', account.id)
+  parent: account
+  properties: {
+    assignableScopes: [
+      account.id
+    ]
+    permissions: [
+      {
+        dataActions: permissionsDataActions
+        notDataActions: permissionsNonDataActions
+      }
+    ]
+    roleName: definitionName
+    type: 'CustomRole'
+  }
+}
+
+output id string = definition.id
diff --git a/infra/core/database/cosmos-db/table/table.bicep b/infra/core/database/cosmos-db/table/table.bicep
@@ -0,0 +1,42 @@
+metadata description = 'Create an Azure Cosmos DB for Table table.'
+
+param name string
+param tags object = {}
+
+@description('Name of the parent Azure Cosmos DB account.')
+param parentAccountName string
+
+@description('Enables throughput setting at this resource level. Defaults to false.')
+param setThroughput bool = false
+
+@description('Enables autoscale. If setThroughput is enabled, defaults to false.')
+param autoscale bool = false
+
+@description('The amount of throughput set. If setThroughput is enabled, defaults to 400.')
+param throughput int = 400
+
+var options = setThroughput ? autoscale ? {
+  autoscaleSettings: {
+    maxThroughput: throughput
+  }
+} : {
+  throughput: throughput
+} : {}
+
+resource account 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
+  name: parentAccountName
+}
+
+resource table 'Microsoft.DocumentDB/databaseAccounts/tables@2024-05-15' = {
+  name: name
+  parent: account
+  tags: tags
+  properties: {
+    options: options
+    resource: {
+      id: name
+    }
+  }
+}
+
+output name string = table.name