Cosmosdb l100 examples (microsoft#100)

Author: GinSiuCheng

quickstart/101-cosmos-db-aad-rbac/README.md

@@ -0,0 +1,199 @@
+# Cosmos db with role definition and assignment
+This template deploys a cosmos db account with sql db and aad role definition and assignment. A similar example can be created using the [azurerm/cosmosdb module](https://github.com/azure/terraform-azurerm-cosmosdb).
+
+## Terraform resource types
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_cosmosdb_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account)
+- [azurerm_cosmosdb_sql_database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_database)
+- [azurerm_cosmosdb_sql_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container)
+- [azurerm_cosmosdb_sql_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_role_assignment)
+- [azurerm_cosmosdb_sql_role_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_role_definition)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `resource_group_name` | Resource group name |
+| `resource_group_location` | Resource group location | 
+| `cosmosdb_account_name` | Cosmos db account name | 
+| `cosmosdb_location` | Cosmos db primary location |
+| `throughput` | DB manual throughput | 
+| `sql_container_name` | Name of sql container | 
+
+## Example terraform.tfvars file
+```
+resource_group_name       = "rg-cosmosdb-101"
+location                  = "centralus"
+cosmosdb_account_name     = "cosmosdb-dev-centralus-101"
+cosmosdb_account_location = "centralus"
+cosmosdb_sqldb_name       = "sqlapidb"
+throughput                = 400
+sql_container_name        = "example-container"
+```
+
+## Usage
+
+```bash
+>terraform plan
+
+Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+  + create
+
+Terraform will perform the following actions:
+
+  # azurerm_cosmosdb_account.example will be created
+  + resource "azurerm_cosmosdb_account" "example" {
+      + access_key_metadata_writes_enabled    = true
+      + analytical_storage_enabled            = false
+      + connection_strings                    = (sensitive value)
+      + create_mode                           = (known after apply)
+      + default_identity_type                 = "FirstPartyIdentity"
+      + enable_automatic_failover             = false
+      + enable_free_tier                      = false
+      + enable_multiple_write_locations       = false
+      + endpoint                              = (known after apply)
+      + id                                    = (known after apply)
+      + is_virtual_network_filter_enabled     = false
+      + kind                                  = "GlobalDocumentDB"
+      + local_authentication_disabled         = false
+      + location                              = "centralus"
+      + mongo_server_version                  = (known after apply)
+      + name                                  = "cosmosdb-dev-centralus-101"
+      + network_acl_bypass_for_azure_services = false
+      + offer_type                            = "Standard"
+      + primary_key                           = (sensitive value)
+      + primary_readonly_key                  = (sensitive value)
+      + public_network_access_enabled         = true
+      + read_endpoints                        = (known after apply)
+      + resource_group_name                   = "rg-cosmosdb-101"
+      + secondary_key                         = (sensitive value)
+      + secondary_readonly_key                = (sensitive value)
+      + write_endpoints                       = (known after apply)
+
+      + analytical_storage {
+          + schema_type = (known after apply)
+        }
+
+      + backup {
+          + interval_in_minutes = (known after apply)
+          + retention_in_hours  = (known after apply)
+          + storage_redundancy  = (known after apply)
+          + type                = (known after apply)
+        }
+
+      + capabilities {
+          + name = (known after apply)
+        }
+
+      + capacity {
+          + total_throughput_limit = (known after apply)
+        }
+
+      + consistency_policy {
+          + consistency_level       = "BoundedStaleness"
+          + max_interval_in_seconds = 300
+          + max_staleness_prefix    = 100000
+        }
+
+      + geo_location {
+          + failover_priority = 0
+          + id                = (known after apply)
+          + location          = "centralus"
+          + zone_redundant    = false
+        }
+    }
+
+  # azurerm_cosmosdb_sql_container.example will be created
+  + resource "azurerm_cosmosdb_sql_container" "example" {
+      + account_name          = "cosmosdb-dev-centralus-101"
+      + database_name         = "sqlapidb"
+      + default_ttl           = (known after apply)
+      + id                    = (known after apply)
+      + name                  = "example-container"
+      + partition_key_path    = "/definition/id"
+      + partition_key_version = 1
+      + resource_group_name   = "rg-cosmosdb-101"
+      + throughput            = 400
+
+      + conflict_resolution_policy {
+          + conflict_resolution_path      = (known after apply)
+          + conflict_resolution_procedure = (known after apply)
+          + mode                          = (known after apply)
+        }
+
+      + indexing_policy {
+          + indexing_mode = "consistent"
+
+          + excluded_path {
+              + path = "/excluded/?"
+            }
+
+          + included_path {
+              + path = "/*"
+            }
+          + included_path {
+              + path = "/included/?"
+            }
+        }
+
+      + unique_key {
+          + paths = [
+              + "/definition/idlong",
+              + "/definition/idshort",
+            ]
+        }
+    }
+
+  # azurerm_cosmosdb_sql_database.example will be created
+  + resource "azurerm_cosmosdb_sql_database" "example" {
+      + account_name        = "cosmosdb-dev-centralus-101"
+      + id                  = (known after apply)
+      + name                = "sqlapidb"
+      + resource_group_name = "rg-cosmosdb-101"
+      + throughput          = 400
+    }
+
+  # azurerm_cosmosdb_sql_role_assignment.example will be created
+  + resource "azurerm_cosmosdb_sql_role_assignment" "example" {
+      + account_name        = "cosmosdb-dev-centralus-101"
+      + id                  = (known after apply)
+      + name                = (known after apply)
+      + principal_id        = "1b887731-4609-4904-a699-64f06f3d380d"
+      + resource_group_name = "rg-cosmosdb-101"
+      + role_definition_id  = (known after apply)
+      + scope               = "/subscriptions/aa86e73d-372b-4cd6-a37e-0d12ae93e964/resourceGroups/rg-cosmosdb-101/providers/Microsoft.DocumentDB/databaseAccounts/cosmosdb-dev-centralus-101"
+    }
+
+  # azurerm_cosmosdb_sql_role_definition.example will be created
+  + resource "azurerm_cosmosdb_sql_role_definition" "example" {
+      + account_name        = "cosmosdb-dev-centralus-101"
+      + assignable_scopes   = [
+          + "/subscriptions/aa86e73d-372b-4cd6-a37e-0d12ae93e964/resourceGroups/rg-cosmosdb-101/providers/Microsoft.DocumentDB/databaseAccounts/cosmosdb-dev-centralus-101",
+        ]
+      + id                  = (known after apply)
+      + name                = "examplesqlroledef"
+      + resource_group_name = "rg-cosmosdb-101"
+      + role_definition_id  = (known after apply)
+      + type                = "CustomRole"
+
+      + permissions {
+          + data_actions = [
+              + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
+            ]
+        }
+    }
+
+  # azurerm_resource_group.example will be created
+  + resource "azurerm_resource_group" "example" {
+      + id       = (known after apply)
+      + location = "centralus"
+      + name     = "rg-cosmosdb-101"
+    }
+
+Plan: 6 to add, 0 to change, 0 to destroy.
+
+Changes to Outputs:
+  + cosmosdb_account_id      = (known after apply)
+  + cosmosdb_sql_database_id = (known after apply)
+```
+

quickstart/101-cosmos-db-aad-rbac/main.tf

@@ -0,0 +1,86 @@
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = var.resource_group_name
+  location = var.location
+}
+
+resource "azurerm_cosmosdb_account" "example" {
+  name                      = var.cosmosdb_account_name
+  location                  = var.cosmosdb_account_location
+  resource_group_name       = azurerm_resource_group.example.name
+  offer_type                = "Standard"
+  kind                      = "GlobalDocumentDB"
+  enable_automatic_failover = false
+  geo_location {
+    location          = var.location
+    failover_priority = 0
+  }
+
+  consistency_policy {
+    consistency_level       = "BoundedStaleness"
+    max_interval_in_seconds = 300
+    max_staleness_prefix    = 100000
+  }
+
+  depends_on = [
+    azurerm_resource_group.example
+  ]
+}
+
+resource "azurerm_cosmosdb_sql_database" "example" {
+  name                = var.cosmosdb_sqldb_name
+  resource_group_name = azurerm_resource_group.example.name
+  account_name        = azurerm_cosmosdb_account.example.name
+  throughput          = var.throughput
+}
+
+resource "azurerm_cosmosdb_sql_container" "example" {
+  name                  = var.sql_container_name
+  resource_group_name   = azurerm_resource_group.example.name
+  account_name          = azurerm_cosmosdb_account.example.name
+  database_name         = azurerm_cosmosdb_sql_database.example.name
+  partition_key_path    = "/definition/id"
+  partition_key_version = 1
+  throughput            = 400
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    included_path {
+      path = "/included/?"
+    }
+
+    excluded_path {
+      path = "/excluded/?"
+    }
+  }
+
+  unique_key {
+    paths = ["/definition/idlong", "/definition/idshort"]
+  }
+}
+
+resource "azurerm_cosmosdb_sql_role_definition" "example" {
+  name                = "examplesqlroledef"
+  resource_group_name = azurerm_resource_group.example.name
+  account_name        = azurerm_cosmosdb_account.example.name
+  type                = "CustomRole"
+  assignable_scopes   = ["/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.example.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.example.name}"]
+
+  permissions {
+    data_actions = ["Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"]
+  }
+}
+
+resource "azurerm_cosmosdb_sql_role_assignment" "example" {
+  resource_group_name = azurerm_resource_group.example.name
+  account_name        = azurerm_cosmosdb_account.example.name
+  role_definition_id  = azurerm_cosmosdb_sql_role_definition.example.id
+  principal_id        = data.azurerm_client_config.current.object_id
+  scope               = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.example.name}/providers/Microsoft.DocumentDB/databaseAccounts/${azurerm_cosmosdb_account.example.name}"
+}

quickstart/101-cosmos-db-aad-rbac/outputs.tf

@@ -0,0 +1,7 @@
+output "cosmosdb_account_id" {
+  value = azurerm_cosmosdb_account.example.id
+}
+
+output "cosmosdb_sql_database_id" {
+  value = azurerm_cosmosdb_sql_database.example.id
+}

quickstart/101-cosmos-db-aad-rbac/providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.0.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

quickstart/101-cosmos-db-aad-rbac/variables.tf

@@ -0,0 +1,42 @@
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group name"
+}
+
+variable "location" {
+  type        = string
+  description = "Resource group location"
+}
+
+variable "cosmosdb_account_name" {
+  type        = string
+  description = "Cosmos db account name"
+}
+
+variable "cosmosdb_account_location" {
+  type        = string
+  description = "Cosmos db account location"
+}
+
+variable "cosmosdb_sqldb_name" {
+  type        = string
+  description = "value"
+}
+
+variable "throughput" {
+  type        = number
+  description = "Cosmos db database throughput"
+  validation {
+    condition     = var.throughput >= 400 && var.throughput <= 1000000
+    error_message = "Cosmos db manual throughput should be equal to or greater than 400 and less than or equal to 1000000."
+  }
+  validation {
+    condition     = var.throughput % 100 == 0
+    error_message = "Cosmos db throughput should be in increments of 100."
+  }
+}
+
+variable "sql_container_name" {
+  type        = string
+  description = "SQL API container name."
+}