This Terraform module is designed to create Azure Cosmos DB accounts, its related resources and APIs.
Warning
Major version zero (0.y.z) is for initial development. Anything MAY change at any time. A module SHOULD NOT be considered stable until it reaches major version one (1.0.0) or greater. Changes are always released as new versions; existing published versions are never modified. For more details see https://semver.org/
- Creation of accounts with NoSQL API with its databases and containers.
- EntraID authentication instead of access keys
- Support for customer-managed keys.
- Enable private endpoint, providing secure access over a private network.
- Enable diagnostic settings.
- Creation of role assignments
- Enable locks
- Enable managed identities both system and user assigned ones.
- The module does not support auto rotation of Customer Managed keys (CosmosDB doesn't support it yet)
- The module does not support the Gremlin API yet
- The module does not support the MongoDB API yet
- The module does not support the Table API yet
- The module does not support the Cassandra API yet
- Use only default values
- Specifying all possible parameters at account level
- Creation of a SQL API account
- Creation of a serverless account
- Customer managed key pinned to a specific key version
- Enable managed identities
- Enable private endpoints with automatic management of DNS records
- Restrict public network access with an access control list and service endpoints
The following requirements are needed by this module:
The following resources are used by this module:
- azurerm_cosmosdb_account.this (resource)
- azurerm_cosmosdb_mongo_collection.this (resource)
- azurerm_cosmosdb_mongo_database.this (resource)
- azurerm_cosmosdb_sql_container.this (resource)
- azurerm_cosmosdb_sql_database.this (resource)
- azurerm_cosmosdb_sql_dedicated_gateway.this (resource)
- azurerm_cosmosdb_sql_function.this (resource)
- azurerm_cosmosdb_sql_stored_procedure.this (resource)
- azurerm_cosmosdb_sql_trigger.this (resource)
- azurerm_management_lock.this (resource)
- azurerm_monitor_diagnostic_setting.this (resource)
- azurerm_private_endpoint.this_managed_dns_zone_groups (resource)
- azurerm_private_endpoint.this_unmanaged_dns_zone_groups (resource)
- azurerm_private_endpoint_application_security_group_association.this (resource)
- azurerm_role_assignment.this (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- time_sleep.wait_180_seconds_for_destroy (resource)
- azurerm_client_config.telemetry (data source)
- modtm_module_source.telemetry (data source)
The following input variables are required:
Description: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Example Inputs: eastus
See more in CLI: az account list-locations -o table --query "[].name"
Type: string
Description: Specifies the name of the CosmosDB Account. Changing this forces a new resource to be created.
The name can contain only lowercase letters, numbers and the '-' character, must be between 3 and 44 characters long, and must not start or end with the character '-'.
Example Inputs: cosmos-sharepoint-prod-westus-001
See more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftdocumentdb
Type: string
Description: The name of the resource group in which to create this resource.
Changing this forces a new resource to be created.
Name must be less than 90 characters long and must only contain underscores, hyphens, periods, parentheses, letters, or digits.
Example Inputs: rg-sharepoint-prod-westus-001
See more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftresources
Type: string
The following input variables are optional (have default values):
Description: Defaults to `false`. Whether write operations on metadata resources (databases, containers, throughput) via account keys are enabled. Leave this `false` so that schema and throughput changes can only be made through the control plane by an Entra ID principal holding an Azure RBAC role, not by anyone who obtains an account key.
Type: bool
Default: false
Description: Defaults to `null`. Configuration related to the analytical storage of this account.
- `schema_type` - (Required) - The schema type of the Analytical Storage for this Cosmos DB account. Possible values are `FullFidelity` and `WellDefined`.
Example inputs:
analytical_storage_config = {
schema_type = "WellDefined"
}
Type:
object({
schema_type = string
})
Default: null
Description: Defaults to `false`. Enable the Analytical Storage option for this Cosmos DB account. Enabling and then disabling analytical storage forces a new resource to be created.
Type: bool
Default: false
Description: Defaults to `true`. Enable automatic failover for this Cosmos DB account.
Type: bool
Default: true
Description: Defaults to `{}`. Configures the backup policy for this Cosmos DB account.
- `type` - (Optional) - Defaults to `Continuous`. The type of the backup. Possible values are `Continuous` and `Periodic`.
- `tier` - (Optional) - Defaults to `Continuous30Days`. Used when `type` is set to `Continuous`. The continuous backup tier. Possible values are `Continuous7Days` and `Continuous30Days`.
- `interval_in_minutes` - (Optional) - Defaults to `240`. Used when `type` is set to `Periodic`. The interval in minutes between two backups. Possible values are between `60` and `1440`.
- `retention_in_hours` - (Optional) - Defaults to `8`. Used when `type` is set to `Periodic`. The time in hours that each backup is retained. Possible values are between `8` and `720`.
- `storage_redundancy` - (Optional) - Defaults to `Geo`. Used when `type` is set to `Periodic`. The storage redundancy indicates where backup copies reside. Possible values are `Geo`, `Local` and `Zone`.
Example inputs:
# For Continuous Backup
backup = {
type = "Continuous"
tier = "Continuous30Days"
}
# For Periodic Backup
backup = {
type = "Periodic"
storage_redundancy = "Geo"
interval_in_minutes = 240
retention_in_hours = 8
}
Type:
object({
retention_in_hours = optional(number, 8)
interval_in_minutes = optional(number, 240)
storage_redundancy = optional(string, "Geo")
type = optional(string, "Continuous")
tier = optional(string, "Continuous30Days")
})
Default: {}
Description: Defaults to `[]`. The capabilities which should be enabled for this Cosmos DB account.
- `name` - (Required) - The capability to enable. Possible values are `AllowSelfServeUpgradeToMongo36`, `DisableRateLimitingResponses`, `EnableAggregationPipeline`, `EnableCassandra`, `EnableGremlin`, `EnableMongo`, `EnableMongo16MBDocumentSupport`, `EnableMongoRetryableWrites`, `EnableMongoRoleBasedAccessControl`, `EnablePartialUniqueIndex`, `EnableServerless`, `EnableTable`, `EnableTtlOnCustomPath`, `EnableUniqueCompoundNestedDocs`, `MongoDBv3.4` and `mongoEnableDocLevelTTL`.
Example inputs:
capabilities = [
{
name = "DisableRateLimitingResponses"
}
]
Type:
set(object({
name = string
}))
Default: []
Description: Defaults to `{}`. Configures the throughput limit for this Cosmos DB account.
- `total_throughput_limit` - (Optional) - Defaults to `-1`. The total throughput limit imposed on this Cosmos DB account (RU/s). Possible values are at least `-1`; `-1` means no limit.
Example inputs:
capacity = {
total_throughput_limit = -1
}
Type:
object({
total_throughput_limit = optional(number, -1)
})
Default: {}
Description: Defaults to `{}`. Used to define the consistency policy for this CosmosDB account.
- `consistency_level` - (Optional) - Defaults to `ConsistentPrefix`. The Consistency Level to use for this CosmosDB Account. Can be either `BoundedStaleness`, `Eventual`, `Session`, `Strong` or `ConsistentPrefix`.
- `max_interval_in_seconds` - (Optional) - Defaults to `5`. Used when `consistency_level` is set to `BoundedStaleness`. Represents the amount of staleness (in seconds) tolerated. The accepted range for this value is `5` - `86400` (1 day).
- `max_staleness_prefix` - (Optional) - Defaults to `100`. Used when `consistency_level` is set to `BoundedStaleness`. Represents the number of stale requests tolerated. The accepted range for this value is `10` - `2147483647`.
Example inputs (the two staleness bounds only take effect with `BoundedStaleness`):
consistency_policy = {
consistency_level = "BoundedStaleness"
max_interval_in_seconds = 10
max_staleness_prefix = 100
}
Type:
object({
max_interval_in_seconds = optional(number, 5)
max_staleness_prefix = optional(number, 100)
consistency_level = optional(string, "ConsistentPrefix")
})
Default: {}
Description: Defaults to `null`. Configures the CORS rule for this Cosmos DB account.
- `allowed_headers` - (Required) - A list of headers that are allowed to be a part of the cross-origin request.
- `allowed_methods` - (Required) - A list of HTTP methods that are allowed to be executed by the origin. Valid options are `DELETE`, `GET`, `HEAD`, `MERGE`, `POST`, `OPTIONS`, `PUT` or `PATCH`.
- `allowed_origins` - (Required) - A list of origin domains that will be allowed by CORS.
- `exposed_headers` - (Required) - A list of response headers that are exposed to CORS clients.
- `max_age_in_seconds` - (Optional) - Defaults to `null`. The number of seconds the client should cache a preflight response. Possible values are between `1` and `2147483647`.
Example inputs:
cors_rule = {
allowed_headers = ["Custom-Header"]
allowed_methods = ["POST"]
allowed_origins = ["microsoft.com"]
exposed_headers = ["Custom-Header"]
max_age_in_seconds = 100
}
Type:
object({
allowed_headers = set(string)
allowed_methods = set(string)
allowed_origins = set(string)
exposed_headers = set(string)
max_age_in_seconds = optional(number, null)
})
Default: null
Description: Defaults to `null`. Defines a customer managed key to use for encryption at rest.
- `key_name` - (Required) - The key name for the customer managed key in the key vault.
- `key_vault_resource_id` - (Required) - The full Azure Resource ID of the key vault where the customer managed key will be referenced from.
- `key_version` - (Unsupported) - Pinning a key version is not supported by Cosmos DB through this module (see the limitations above); the current version of the key is used.
- `user_assigned_identity` - (Required) - The user assigned identity to use when accessing the key vault.
  - `resource_id` - (Required) - The full Azure Resource ID of the user assigned identity.
Note: Remember to grant the managed identity access to the key vault key before the account is created; the minimum required role is "Key Vault Crypto Service Encryption User". The key vault used must have soft delete and purge protection enabled. If the account loses access to the key (key deleted, role removed, vault firewall blocking the service), its data becomes unreadable until access is restored.
Example Inputs:
customer_managed_key = {
key_name = "sample-customer-key"
key_vault_resource_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{keyVaultName}"
user_assigned_identity = {
resource_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managedIdentityName}"
}
}
Type:
object({
key_name = string
key_vault_resource_id = string
key_version = optional(string, null) # Not supported in CosmosDB
user_assigned_identity = optional(object({
resource_id = string
}), null)
})
Default: null
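The following is an added example, not code from the module's repository, showing the Key Vault wiring the note above requires before the module is called with a customer-managed key: a vault with soft delete and purge protection, a user-assigned identity that holds only the Key Vault Crypto Service Encryption User role scoped to the key, and an explicit dependency so the role assignment exists before the account is created. The resource names, the provider version pin, the registry `source` string and the `managed_identities` variable name are assumptions; the `customer_managed_key` input shape is the one documented above.

```hcl
# Added example (not the module's own code). Names, the provider pin and the
# module source are assumptions; the Key Vault name must be globally unique.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.71, < 4.0" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "this" {
  name     = "rg-cosmos-cmk-example"
  location = "eastus"
}

# Identity Cosmos DB will use to wrap/unwrap the data encryption key.
resource "azurerm_user_assigned_identity" "cmk" {
  name                = "id-cosmos-cmk-example"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
}

# Soft delete and purge protection are mandatory for CMK: without them a
# deleted key would make the account's data permanently unrecoverable.
resource "azurerm_key_vault" "this" {
  name                       = "kv-cosmos-cmk-example"
  location                   = azurerm_resource_group.this.location
  resource_group_name        = azurerm_resource_group.this.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
  enable_rbac_authorization  = true
}

# The identity running Terraform needs rights to create the key.
resource "azurerm_role_assignment" "deployer_crypto_officer" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "cosmos" {
  name         = "cosmos-cmk"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA"
  key_size     = 3072
  key_opts     = ["wrapKey", "unwrapKey"] # wrap/unwrap only; no sign/encrypt

  depends_on = [azurerm_role_assignment.deployer_crypto_officer]
}

# Least privilege for the Cosmos DB identity: the encryption-user role,
# scoped to this one key rather than the whole vault.
resource "azurerm_role_assignment" "cosmos_crypto_user" {
  scope                = azurerm_key_vault_key.cosmos.resource_versionless_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.cmk.principal_id
}

module "cosmos" {
  source = "Azure/avm-res-documentdb-databaseaccount/azurerm" # assumed registry source

  name                = "cosmos-cmk-example-001"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  managed_identities = {
    user_assigned_resource_ids = [azurerm_user_assigned_identity.cmk.id]
  }

  customer_managed_key = {
    key_name              = azurerm_key_vault_key.cosmos.name
    key_vault_resource_id = azurerm_key_vault.this.id
    user_assigned_identity = {
      resource_id = azurerm_user_assigned_identity.cmk.id
    }
  }

  # The service validates key access at creation time; without this
  # dependency the account may be created before RBAC has propagated.
  depends_on = [azurerm_role_assignment.cosmos_crypto_user]
}
```

The key is referenced by its versionless resource ID so that rotating the key in Key Vault does not require a role re-assignment; whether the account picks up the new version automatically is governed by the rotation limitation stated at the top of this page, not by the role scope.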
Description: Defaults to `{}`. A map of diagnostic settings to create. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `name` - (Optional) - The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
- `log_categories` - (Optional) - Defaults to `[]`. A set of log categories to export. Possible values are: `DataPlaneRequests`, `MongoRequests`, `CassandraRequests`, `GremlinRequests`, `QueryRuntimeStatistics`, `PartitionKeyStatistics`, `PartitionKeyRUConsumption`, `ControlPlaneRequests` or `TableApiRequests`.
- `log_groups` - (Optional) - Defaults to `[]` if `log_categories` is set, otherwise to `["allLogs"]` (see the type declaration below). A set of log groups to export. Possible values are `allLogs` and `audit`.
- `metric_categories` - (Optional) - Defaults to `["AllMetrics"]`. A set of metric categories to export.
- `log_analytics_destination_type` - (Optional) - Defaults to `Dedicated`. The destination log analytics workspace table for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`.
- `workspace_resource_id` - (Optional) - The resource ID of the log analytics workspace to send logs and metrics to.
- `storage_account_resource_id` - (Optional) - The resource ID of the storage account to send logs and metrics to.
- `event_hub_authorization_rule_resource_id` - (Optional) - The resource ID of the event hub authorization rule to send logs and metrics to.
- `event_hub_name` - (Optional) - The name of the event hub. If none is specified, the default event hub will be selected.
- `marketplace_partner_resource_id` - (Optional) - The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
Note: See more in CLI: `az monitor diagnostic-settings categories list --resource {cosmosAccountResourceId}`
Note: For security monitoring, `ControlPlaneRequests` records account management operations (key regeneration, network and firewall changes, region changes) and `DataPlaneRequests` records every request together with how it was authenticated, which is how you find clients still using keys. `Dedicated` tables are easier to query and alert on than the shared `AzureDiagnostics` table.
Example Inputs:
diagnostic_settings = {
diagnostic1 = {
event_hub_name = "hub-name"
log_analytics_destination_type = "Dedicated"
name = "diagnostics"
event_hub_authorization_rule_resource_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.EventHub/namespaces/{eventHubNamespaceName}/authorizationRules/{authorizationRuleName}"
#log_categories = ["DataPlaneRequests", "MongoRequests", "CassandraRequests", "GremlinRequests", "QueryRuntimeStatistics", "PartitionKeyStatistics", "PartitionKeyRUConsumption", "ControlPlaneRequests", "TableApiRequests"]
metric_categories = ["AllMetrics"]
log_groups = ["allLogs", "audit"]
workspace_resource_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
storage_account_resource_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
}
}
Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))
Default: {}
Description: Defaults to `true`. This variable controls whether or not telemetry is enabled for the module. For more information see https://aka.ms/avm/telemetryinfo. If it is set to `false`, then no telemetry will be collected.
Type: bool
Default: true
Description: Defaults to `false`. Enable the Free Tier pricing option for this Cosmos DB account. Changing this forces a new resource to be created.
Type: bool
Default: false
Description: Defaults to the region where the account is deployed, with zone redundancy enabled. Specifies the `geo_location` resources used to define where data should be replicated; `failover_priority` 0 specifies the primary location.
- `location` - (Required) - The name of the Azure location where the CosmosDB Account is being created.
- `failover_priority` - (Required) - The failover priority of the region. A failover priority of 0 indicates a write region.
- `zone_redundant` - (Optional) - Defaults to `true`. Whether or not the region is zone redundant.
Example inputs:
geo_locations = [
{
location = "eastus"
failover_priority = 0
zone_redundant = true
},
{
location = "westus"
failover_priority = 1
zone_redundant = true
}
]
Type:
set(object({
location = string
failover_priority = number
zone_redundant = optional(bool, true)
}))
Default: null
Description: Defaults to `[]`. CosmosDB Firewall Support: This value specifies the set of IP addresses or IP address ranges in CIDR form to be included as the allowed list of client IPs for a given database account.
Note: To enable the "Allow access from the Azure portal" behavior, add the IP addresses listed in the documentation to this list: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
Note: To enable the "Accept connections from within public Azure datacenters" behavior, add `0.0.0.0` to the list; see https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-global-azure-datacenters-or-other-sources-within-azure. Be aware that this admits every Azure datacenter address, including other customers' Azure deployments, so it is not a tenant boundary; prefer private endpoints or specific CIDRs.
Type: set(string)
Default: []
Description: Defaults to `true`. Ignored for non-SQL API accounts. Disables local (key-based) authentication so that only managed identities and Microsoft Entra ID principals can authenticate. Can be set only when using the SQL API.
Note: With keys disabled, every client needs a Cosmos DB data-plane role (for example `Cosmos DB Built-in Data Reader` or `Cosmos DB Built-in Data Contributor`) granted through a Cosmos DB SQL role assignment. The Azure RBAC roles granted via `role_assignments` apply to the control plane only and do not grant access to documents.
Type: bool
Default: true
Description: Defaults to `null`. Controls the Resource Lock configuration for this resource.
If specified, it will be inherited by child resources unless overridden when creating those child resources.
The following properties can be specified:
- `kind` - (Required) - The type of lock. Possible values are `CanNotDelete` and `ReadOnly`.
- `name` - (Optional) - The name of the lock. If not specified, a name will be generated based on the `kind` value. Changing this forces the creation of a new resource.
Note: If you use a `ReadOnly` lock, you must configure Terraform to use Entra ID authentication. A read-only lock rejects POST operations such as `listKeys`, so access to the account keys is blocked and Terraform would otherwise be unable to do its job.
Example Inputs:
lock = {
kind = "CanNotDelete"
name = "This resource cannot be deleted easily"
}
Type:
object({
kind = string
name = optional(string, null)
})
Default: null
Description: Defaults to `{}`. Controls the Managed Identity configuration on this resource. The following properties can be specified:
- `system_assigned` - (Optional) - Defaults to `false`. Specifies if the System Assigned Managed Identity should be enabled.
- `user_assigned_resource_ids` - (Optional) - Defaults to `[]`. Specifies a set of User Assigned Managed Identity resource IDs to be assigned to this resource.
Example Inputs:
managed_identities = {
system_assigned = true
user_assigned_resource_ids = [
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managedIdentityName}"
]
}
Type:
object({
system_assigned = optional(bool, false)
user_assigned_resource_ids = optional(set(string), [])
})
Default: {}
Description: Defaults to `Tls12`. Specifies the minimal TLS version for the CosmosDB account. Possible values are: `Tls12`.
Type: string
Default: "Tls12"
Description: Defaults to `{}`. Manages Mongo Databases within a Cosmos DB Account.
- `name` - (Required) - Specifies the name of the Cosmos DB Mongo Database. Changing this forces a new resource to be created.
- `throughput` - (Optional) - Defaults to `null`. The throughput of the MongoDB database (RU/s). Must be set in increments of `100`. The minimum value is `400`. This must be set upon database creation otherwise it cannot be updated without a manual terraform destroy-apply.
- `autoscale_settings` - (Optional) - Defaults to `null`. This must be set upon database creation otherwise it cannot be updated without a manual terraform destroy-apply.
  - `max_throughput` - (Required) - The maximum throughput of the MongoDB database (RU/s). Must be between `1,000` and `1,000,000`. Must be set in increments of `1,000`. Conflicts with `throughput`.
- `collections` - (Optional) - Defaults to `{}`. Manages Mongo Collections within the database.
  - `name` - (Required) - Specifies the name of the Cosmos DB Mongo Collection. Changing this forces a new resource to be created.
  - `throughput` - (Optional) - Defaults to `null`. The throughput of the MongoDB collection (RU/s). Must be set in increments of `100`. The minimum value is `400`. This must be set upon collection creation otherwise it cannot be updated without a manual terraform destroy-apply.
  - `default_ttl_seconds` - (Optional) - Defaults to `null`. The default Time To Live in seconds. If the value is `-1`, items are not automatically expired.
  - `shard_key` - (Optional) - Defaults to `null`. The name of the key to partition on for sharding. There must not be any other unique index keys. Changing this forces a new resource to be created.
  - `autoscale_settings` - (Optional) - Defaults to `null`. This must be set upon collection creation otherwise it cannot be updated without a manual terraform destroy-apply.
    - `max_throughput` - (Required) - The maximum throughput of the MongoDB collection (RU/s). Must be between `1,000` and `1,000,000`. Must be set in increments of `1,000`. Conflicts with `throughput`.
  - `index` - (Optional) - Defaults to `null`. Improves the efficiency of MongoDB database operations.
    - `keys` - (Required) - Specifies the list of user settable keys for each Cosmos DB Mongo Collection.
    - `unique` - (Optional) - Defaults to `false`. Is the index unique or not?
Example inputs:
database_collection = {
name = "database_mongoDb_collections"
throughput = 400
collections = {
"collection" = {
name = "MongoDBcollection"
default_ttl_seconds = "3600"
shard_key = "_id"
throughput = 400
index = {
keys = ["_id"]
unique = true
}
}
}
}
Type:
map(object({
name = string
throughput = optional(number, null)
autoscale_settings = optional(object({
max_throughput = number
}), null)
collections = optional(map(object({
name = string
default_ttl_seconds = optional(string, null)
shard_key = optional(string, null)
throughput = optional(number, null)
autoscale_settings = optional(object({
max_throughput = number
}), null)
index = optional(object({
keys = list(string)
unique = optional(bool, false)
}), null)
})), {})
}))
Default: {}
Description: Defaults to `3.6`. The Server Version of a MongoDB account. Possible values are `4.2`, `4.0`, `3.6`, and `3.2`.
Type: string
Default: "3.6"
Description: Defaults to `false`. Ignored when `backup.type` is `Continuous`. Enable multi-region writes for this Cosmos DB account.
Type: bool
Default: false
Description: Defaults to `false`. Whether Azure services can bypass the account's network ACLs (IP firewall and virtual network rules). Leave it `false` unless a specific Azure service must reach the account, and prefer naming that service's resource in the bypass resource ID list below over a blanket bypass.
Type: bool
Default: false
Description: Defaults to `[]`. The list of resource IDs for Network ACL Bypass for this Cosmos DB account.
Type: set(string)
Default: []
Description: Defaults to false
. Is partition merge on the Cosmos DB account enabled?
Type: bool
Default: false
Description: Defaults to `{}`. A map of private endpoints to create. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `subnet_resource_id` - (Required) - The resource ID of the subnet to deploy the private endpoint in.
- `subresource_name` - (Required) - The service name of the private endpoint. Possible values are `SQL`, `SqlDedicated`, `Cassandra`, `MongoDB`, `Gremlin` or `Table`.
- `name` - (Optional) - The name of the private endpoint. One will be generated if not set.
- `private_dns_zone_group_name` - (Optional) - The name of the private DNS zone group. One will be generated if not set.
- `private_dns_zone_resource_ids` - (Optional) - A set of resource IDs of private DNS zones to associate with the private endpoint. If not set, no zone groups will be created and the private endpoint will not be associated with any private DNS zones. DNS records must then be managed external to this module.
- `application_security_group_associations` - (Optional) - A map of resource IDs of application security groups to associate with the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `private_service_connection_name` - (Optional) - The name of the private service connection. One will be generated if not set.
- `network_interface_name` - (Optional) - The name of the network interface. One will be generated if not set.
- `location` - (Optional) - The Azure location where the resources will be deployed. Defaults to the location of the resource group.
- `resource_group_name` - (Optional) - The resource group where the resources will be deployed. Defaults to the resource group of the resource.
- `ip_configurations` - (Optional) - A map of IP configurations to create on the private endpoint. If not specified the platform will create one. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
  - `name` - (Required) - The name of the IP configuration.
  - `private_ip_address` - (Required) - The private IP address of the IP configuration.
- `role_assignments` - (Optional) - A map of role assignments to create on the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time. See `var.role_assignments` for more information.
- `lock` - (Optional) - The lock level to apply to the private endpoint. Default is `None`. Possible values are `None`, `CanNotDelete`, and `ReadOnly`.
- `tags` - (Optional) - A mapping of tags to assign to the private endpoint.
Note: See more related to `subresource_name` in: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
Note: Each sub-resource resolves through its own private DNS zone, for example `privatelink.documents.azure.com` for `SQL`, `privatelink.mongo.cosmos.azure.com` for `MongoDB`, `privatelink.cassandra.cosmos.azure.com` for `Cassandra`, `privatelink.gremlin.cosmos.azure.com` for `Gremlin` and `privatelink.table.cosmos.azure.com` for `Table`. Pass the matching zone in `private_dns_zone_resource_ids` (or create the records externally); otherwise clients keep resolving the public endpoint and the private endpoint is never used.
Type:
map(object({
subnet_resource_id = string
subresource_name = string
name = optional(string, null)
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(set(string), [])
application_security_group_associations = optional(map(string), {})
private_service_connection_name = optional(string, null)
network_interface_name = optional(string, null)
location = optional(string, null)
resource_group_name = optional(string, null)
ip_configurations = optional(map(object({
name = string
private_ip_address = string
})), {})
tags = optional(map(string), null)
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null) # forced to be here by lint, not supported
condition = optional(string, null) # forced to be here by lint, not supported
condition_version = optional(string, null) # forced to be here by lint, not supported
})), {})
}))
Default: {}
Description: Defaults to `true`. Whether to manage private DNS zone groups with this module. If set to `false`, you must manage private DNS zone groups externally, e.g. using Azure Policy.
Type: bool
Default: true
Description: Defaults to `false`. Whether or not public network access is allowed for this CosmosDB account.
Type: bool
Default: false
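The following is an added example, not code from the module's repository, combining the network and logging inputs documented above into one reviewable posture: public access off, no Azure-services bypass, a narrow IP allow-list kept as defence in depth, a private endpoint for the `SQL` sub-resource with its matching private DNS zone, and diagnostic settings that keep the control-plane and data-plane request logs in a Log Analytics workspace. The names, address ranges, provider pin and registry `source` are assumptions, and the account-level variable names (`public_network_access_enabled`, `network_acl_bypass_for_azure_services`, `ip_range_filter`) are taken from the azurerm provider arguments and assumed to match the module.

```hcl
# Added example (not the module's own code). Names, CIDRs, the provider pin
# and the module source are assumptions.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.71, < 4.0" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "this" {
  name     = "rg-cosmos-net-example"
  location = "eastus"
}

resource "azurerm_virtual_network" "this" {
  name                = "vnet-cosmos-example"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Zone for the SQL (NoSQL) sub-resource; other APIs use their own zones.
resource "azurerm_private_dns_zone" "cosmos" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = azurerm_resource_group.this.name
}

# Without this link the VNet never sees the privatelink records.
resource "azurerm_private_dns_zone_virtual_network_link" "cosmos" {
  name                  = "link-vnet-cosmos"
  resource_group_name   = azurerm_resource_group.this.name
  private_dns_zone_name = azurerm_private_dns_zone.cosmos.name
  virtual_network_id    = azurerm_virtual_network.this.id
}

resource "azurerm_log_analytics_workspace" "this" {
  name                = "log-cosmos-example"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

module "cosmos" {
  source = "Azure/avm-res-documentdb-databaseaccount/azurerm" # assumed registry source

  name                = "cosmos-net-example-001"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  # Both are the documented defaults; stated explicitly so a reviewer sees
  # the posture without opening variables.tf.
  public_network_access_enabled         = false
  network_acl_bypass_for_azure_services = false

  # Defence in depth: if someone later flips public access on, only the
  # operator range (TEST-NET-3 here) is admitted. 0.0.0.0 is deliberately
  # absent because it admits every Azure datacenter, any tenant.
  ip_range_filter = ["203.0.113.0/24"]

  private_endpoints = {
    nosql = {
      subnet_resource_id            = azurerm_subnet.pe.id
      subresource_name              = "SQL"
      private_dns_zone_resource_ids = [azurerm_private_dns_zone.cosmos.id]
    }
  }

  # ControlPlaneRequests: key regeneration, firewall/network changes.
  # DataPlaneRequests: every request with its authentication type, which is
  # the source for "who is still using account keys".
  diagnostic_settings = {
    security = {
      name                  = "diag-security"
      workspace_resource_id = azurerm_log_analytics_workspace.this.id
      log_categories        = ["ControlPlaneRequests", "DataPlaneRequests"]
      metric_categories     = ["AllMetrics"]
    }
  }
}
```

Selecting `log_categories` explicitly rather than `allLogs` keeps the noisy per-partition statistics categories out of the security workspace; add them to a separate diagnostic setting with a shorter retention if capacity engineering needs them.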
Description: Defaults to `{}`. A map of role assignments to create. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `role_definition_id_or_name` - (Required) - The ID or name of the role definition to assign to the principal.
- `principal_id` - (Required) - The ID of the principal to assign the role to.
- `description` - (Optional) - The description of the role assignment.
- `skip_service_principal_aad_check` - (Optional) - If set to `true`, skips the Azure Active Directory check for the service principal in the tenant. Defaults to `false`.
- `delegated_managed_identity_resource_id` - (Optional) - The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenarios.
- `principal_type` - (Unsupported)
- `condition` - (Unsupported)
- `condition_version` - (Unsupported)
Note: only set `skip_service_principal_aad_check` to `true` if you are assigning a role to a service principal.
Note: These are Azure RBAC (control-plane) assignments scoped to the account resource. They do not grant access to documents; for the NoSQL API, data-plane access is granted through Cosmos DB SQL role assignments, which this module does not create. Broad control-plane roles such as `Contributor` also permit `listKeys` and key regeneration, so pair them with `local_authentication_disabled = true` or scope them down.
Example Inputs:
role_assignments = {
"key" = {
skip_service_principal_aad_check = false
role_definition_id_or_name = "Contributor"
description = "This is a test role assignment"
principal_id = "eb5260bd-41f3-4019-9e03-606a617aec13"
}
}
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null) # forced to be here by lint, not supported
condition = optional(string, null) # forced to be here by lint, not supported
condition_version = optional(string, null) # forced to be here by lint, not supported
}))
Default: {}
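The following is an added example, not code from the module's repository, showing the two halves of Entra ID-only access that the `local_authentication_disabled` and `role_assignments` descriptions above distinguish: the module grants a control-plane (Azure RBAC) role to a workload identity, and a separate `azurerm_cosmosdb_sql_role_assignment` outside the module grants the data-plane role, scoped to a single database. The identity and account names, the provider pin, the registry `source`, the `local_authentication_disabled` variable name and the module outputs `resource_id` and `name` are assumptions.

```hcl
# Added example (not the module's own code). Names, the provider pin, the
# module source and the module output names are assumptions.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.71, < 4.0" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "this" {
  name     = "rg-cosmos-rbac-example"
  location = "eastus"
}

# Workload identity that will read and write documents.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-orders-api"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
}

module "cosmos" {
  source = "Azure/avm-res-documentdb-databaseaccount/azurerm" # assumed registry source

  name                = "cosmos-rbac-example-001"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  # Account keys still exist for the control plane, but the data plane
  # rejects them: every request must carry an Entra ID token.
  local_authentication_disabled = true

  sql_databases = {
    orders = {
      name       = "orders"
      throughput = 400
      containers = {
        items = {
          name               = "items"
          partition_key_path = "/customerId"
        }
      }
    }
  }

  # Control-plane assignment: lets the identity read account metadata and
  # metrics. It grants no access to documents and cannot list keys.
  role_assignments = {
    app_reader = {
      role_definition_id_or_name = "Cosmos DB Account Reader Role"
      principal_id               = azurerm_user_assigned_identity.app.principal_id
      description                = "Orders API: read account metadata only"
    }
  }
}

# Data-plane assignment, which the module does not create. The built-in
# role definition GUIDs are fixed by the service:
#   00000000-0000-0000-0000-000000000001 = Cosmos DB Built-in Data Reader
#   00000000-0000-0000-0000-000000000002 = Cosmos DB Built-in Data Contributor
# The scope narrows the grant to the "orders" database instead of the
# whole account.
resource "azurerm_cosmosdb_sql_role_assignment" "app_data_contributor" {
  resource_group_name = azurerm_resource_group.this.name
  account_name        = module.cosmos.name
  role_definition_id  = "${module.cosmos.resource_id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
  principal_id        = azurerm_user_assigned_identity.app.principal_id
  scope               = "${module.cosmos.resource_id}/dbs/orders"

  # The database is created inside the module; wait for the whole module so
  # the scope exists before the assignment is submitted.
  depends_on = [module.cosmos]
}
```

A client using this identity then authenticates with `DefaultAzureCredential` (or the managed identity credential) rather than a connection string; anything still presenting a key receives `401 Unauthorized`, and with the diagnostic settings documented above those attempts appear in `DataPlaneRequests`.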
Description: Defaults to `{}`. Manages SQL Databases within a Cosmos DB Account.
- `name` - (Required) - Specifies the name of the Cosmos DB SQL Database. Changing this forces a new resource to be created.
- `throughput` - (Optional) - Defaults to `null`. The throughput of the SQL database (RU/s). Must be set in increments of `100`. The minimum value is `400`. This must be set upon database creation otherwise it cannot be updated without a manual terraform destroy-apply.
- `autoscale_settings` - (Optional) - Defaults to `null`. This must be set upon database creation otherwise it cannot be updated without a manual terraform destroy-apply.
  - `max_throughput` - (Required) - The maximum throughput of the SQL database (RU/s). Must be between `1,000` and `1,000,000`. Must be set in increments of `1,000`. Conflicts with `throughput`.
- `containers` - (Optional) - Defaults to `{}`. Manages SQL Containers within the database.
  - `partition_key_path` - (Required) - Define a partition key. Changing this forces a new resource to be created.
  - `name` - (Required) - Specifies the name of the Cosmos DB SQL Container. Changing this forces a new resource to be created.
  - `throughput` - (Optional) - Defaults to `null`. The throughput of the SQL container (RU/s). Must be set in increments of `100`. The minimum value is `400`. This must be set upon container creation otherwise it cannot be updated without a manual terraform destroy-apply.
  - `default_ttl` - (Optional) - Defaults to `null`. The default time to live of the SQL container. If missing, items are not expired automatically. If present and the value is set to `-1`, it is equal to infinity, and items don't expire by default. If present and the value is set to some number n, items will expire n seconds after their last modified time.
  - `analytical_storage_ttl` - (Optional) - Defaults to `null`. The default time to live of Analytical Storage for this SQL container. If present and the value is set to `-1`, it is equal to infinity, and items don't expire by default. If present and the value is set to some number n, items will expire n seconds after their last modified time.
  - `unique_keys` - (Optional) - Defaults to `[]`. The unique keys of the container.
    - `paths` - (Required) - A list of paths to use for this unique key. Changing this forces a new resource to be created.
  - `autoscale_settings` - (Optional) - Defaults to `null`. This must be set upon container creation otherwise it cannot be updated without a manual terraform destroy-apply.
    - `max_throughput` - (Required) - The maximum throughput of the SQL container (RU/s). Must be between `1,000` and `1,000,000`. Must be set in increments of `1,000`. Conflicts with `throughput`.
  - `functions` - (Optional) - Defaults to `{}`. Manages SQL User Defined Functions.
    - `body` - (Required) - Body of the User Defined Function.
    - `name` - (Required) - The name which should be used for this SQL User Defined Function. Changing this forces a new SQL User Defined Function to be created.
  - `stored_procedures` - (Optional) - Defaults to `{}`. Manages SQL Stored Procedures within a Cosmos DB Account SQL Database.
    - `body` - (Required) - The body of the stored procedure.
    - `name` - (Required) - Specifies the name of the Cosmos DB SQL Stored Procedure. Changing this forces a new resource to be created.
  - `triggers` - (Optional) - Defaults to `{}`. Manages SQL Triggers.
    - `body` - (Required) - Body of the Trigger.
    - `type` - (Required) - Type of the Trigger. Possible values are `Pre` and `Post`.
    - `operation` - (Required) - The operation the trigger is associated with. Possible values are `All`, `Create`, `Update`, `Delete` and `Replace`.
    - `name` - (Required) - The name which should be used for this SQL Trigger. Changing this forces a new SQL Trigger to be created.
  - `conflict_resolution_policy` - (Optional) - Defaults to `null`. The conflict resolution policy of the container. Changing this forces a new resource to be created.
    - `mode` - (Required) - Indicates the conflict resolution mode. Possible values include `LastWriterWins` and `Custom`.
    - `conflict_resolution_path` - Required if `mode` is `LastWriterWins` - The conflict resolution path.
    - `conflict_resolution_procedure` - Required if `mode` is `Custom` - The procedure to resolve conflicts.
  - `indexing_policy` - (Optional) - Defaults to `{}`. The indexing policy of the container.
    - `indexing_mode` - (Required) - Indicates the indexing mode. Possible values include `consistent` and `none`.
    - `included_paths` - (Optional) - Defaults to `[]`. Either `included_paths` or `excluded_paths` must contain the path `/*`.
      - `path` - (Required) - Path for which the indexing behaviour applies.
    - `excluded_paths` - (Optional) - Defaults to `[]`. Either `included_paths` or `excluded_paths` must contain the path `/*`.
      - `path` - (Required) - Path that is excluded from indexing.
    - `composite_indexes` - (Optional) - Defaults to `[]`. The composite indexes of the indexing policy.
      - `indexes` - (Required) - The indexes of the composite index.
        - `path` - (Required) - Path for which the indexing behaviour applies.
        - `order` - (Required) - Order of the index. Possible values are `Ascending` or `Descending`.
    - `spatial_indexes` - (Optional) - Defaults to `[]`. The spatial indexes of the indexing policy.
      - `path` - (Required) - Path for which the indexing behaviour applies. According to the service design, all spatial types including LineString, MultiPolygon, Point, and Polygon will be applied to the path.
Note: Switching between autoscale and manual throughput is not supported via Terraform and must be completed via the Azure Portal and then refreshed into state.
Note: For indexing policy see: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-manage-indexing-policy?tabs=dotnetv3%2Cpythonv3
Example inputs:

```hcl
sql_databases = {
  database1 = {
    name       = "database1"
    throughput = 400
    # autoscale_settings = {
    #   max_throughput = 4000
    # }
    containers = {
      container1 = {
        partition_key_path     = "/id"
        name                   = "container1"
        throughput             = 400
        default_ttl            = 1000
        analytical_storage_ttl = 1000
        unique_keys = [
          {
            paths = ["/field1", "/field2"]
          }
        ]
        # autoscale_settings = {
        #   max_throughput = 4000
        # }
        functions = {
          function1 = {
            name = "functionName"
            body = "function function1() { }"
          }
        }
        stored_procedures = {
          stored1 = {
            name = "storedName"
            body = "function stored1() { }"
          }
        }
        triggers = {
          trigger1 = {
            name      = "triggerName"
            body      = "function trigger1() { }"
            type      = "Pre"
            operation = "All"
          }
        }
        conflict_resolution_policy = {
          mode                     = "LastWriterWins"
          conflict_resolution_path = "/customProperty"
        }
        indexing_policy = {
          indexing_mode = "consistent"
          included_paths = [
            {
              path = "/*"
            }
          ]
          excluded_paths = [
            {
              path = "/excluded/*"
            }
          ]
          composite_indexes = [
            {
              indexes = [
                {
                  path  = "/field1"
                  order = "ascending"
                }
              ]
            }
          ]
          spatial_indexes = [
            {
              path = "/location/*"
            }
          ]
        }
      }
    }
  }
}
```
Type:

```hcl
map(object({
  name       = string
  throughput = optional(number, null)
  autoscale_settings = optional(object({
    max_throughput = number
  }), null)
  containers = optional(map(object({
    partition_key_path     = string
    name                   = string
    throughput             = optional(number, null)
    default_ttl            = optional(number, null)
    analytical_storage_ttl = optional(number, null)
    unique_keys = optional(list(object({
      paths = set(string)
    })), [])
    autoscale_settings = optional(object({
      max_throughput = number
    }), null)
    functions = optional(map(object({
      body = string
      name = string
    })), {})
    stored_procedures = optional(map(object({
      body = string
      name = string
    })), {})
    triggers = optional(map(object({
      body      = string
      type      = string
      operation = string
      name      = string
    })), {})
    conflict_resolution_policy = optional(object({
      mode                          = string
      conflict_resolution_path      = optional(string, null)
      conflict_resolution_procedure = optional(string, null)
    }), null)
    indexing_policy = optional(object({
      indexing_mode = string
      included_paths = optional(set(object({
        path = string
      })), [])
      excluded_paths = optional(set(object({
        path = string
      })), [])
      composite_indexes = optional(set(object({
        indexes = set(object({
          path  = string
          order = string
        }))
      })), [])
      spatial_indexes = optional(set(object({
        path = string
      })), [])
    }), null)
  })), {})
}))
```
Default: {}
Description: Defaults to `null`. Manages a SQL Dedicated Gateway within a Cosmos DB Account.

- `instance_size` - (Optional) - The instance size for the CosmosDB SQL Dedicated Gateway. Changing this forces a new resource to be created. Possible values are `Cosmos.D4s`, `Cosmos.D8s` and `Cosmos.D16s`.
- `instance_count` - (Optional) - The instance count for the CosmosDB SQL Dedicated Gateway. Possible value is between `1` and `5`.

Note: To create a dedicated gateway in a zone redundant region you must request Azure to enable it into your account. See more in: https://learn.microsoft.com/en-us/azure/cosmos-db/dedicated-gateway#provisioning-the-dedicated-gateway

Example inputs:

```hcl
sql_dedicated_gateway = {
  instance_count = 1
  instance_size  = "Cosmos.D4s"
}
```

Type:

```hcl
object({
  instance_size  = string
  instance_count = optional(number, 1)
})
```
Default: null
Description: Defaults to `{}`. A mapping of tags to assign to the resource. These tags will propagate to any child resource unless overridden when creating the child resource.

Example Inputs:

```hcl
tags = {
  environment = "testing"
}
```
Type: map(string)
Default: null
Description: Defaults to `[]`. Used to define which subnets are allowed to access this CosmosDB account.

- `subnet_id` - (Required) - The ID of the virtual network subnet.

Note: Remember to enable the Microsoft.AzureCosmosDB service endpoint on the subnet.

Example inputs:

```hcl
virtual_network_rule = [
  {
    subnet_id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}"
  }
]
```

Type:

```hcl
set(object({
  subnet_id = string
}))
```
Default: []
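The following is an added example, not code from the module's own README, showing how the `sql_databases` and `virtual_network_rule` inputs above fit together in a module call: the subnet is created with the Microsoft.AzureCosmosDB service endpoint the note requires, and it is the only subnet admitted by the account's network rule. The registry source path, the version placeholder, the resource group name and all resource names are assumptions; any other account-level inputs the module offers are left at their defaults.

```hcl
data "azurerm_resource_group" "this" {
  name = "rg-cosmos-example" # assumed existing resource group
}

resource "azurerm_virtual_network" "this" {
  name                = "vnet-cosmos-example"
  location            = data.azurerm_resource_group.this.location
  resource_group_name = data.azurerm_resource_group.this.name
  address_space       = ["10.0.0.0/16"]
}

# Service endpoint the note above requires on any subnet used in virtual_network_rule.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = data.azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.AzureCosmosDB"]
}

module "cosmos" {
  source  = "Azure/avm-res-documentdb-databaseaccount/azurerm" # assumed registry path
  version = "0.x.y"                                            # placeholder: pin a tested release

  name                = "cosmos-example-001" # assumed account name
  location            = data.azurerm_resource_group.this.location
  resource_group_name = data.azurerm_resource_group.this.name

  # Only this subnet passes the account's network ACL.
  virtual_network_rule = [
    { subnet_id = azurerm_subnet.app.id }
  ]

  sql_databases = {
    orders = {
      name = "orders"
      containers = {
        orders = {
          name               = "orders"
          partition_key_path = "/customerId"
          autoscale_settings = { max_throughput = 4000 } # conflicts with throughput: set one
          conflict_resolution_policy = {
            mode                     = "LastWriterWins"
            conflict_resolution_path = "/_ts" # required for LastWriterWins
          }
        }
      }
    }
  }
}
```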
The following outputs are exported:
Description: The keys for the CosmosDB Account.
Description: The MongoDB connection strings for the CosmosDB Account.
Description: The SQL connection strings for the CosmosDB Account.
Description: A map of the MongoDB databases created, with the database name as the key and the database id and collections as the value.
Description: The name of the cosmos db account created.
Description: A map of the diagnostic settings created, with the diagnostic setting name as the key and the diagnostic setting ID as the value.
Description: The resource ID of the cosmos db account created.
Description: A map of the management locks created, with the lock name as the key and the lock ID as the value.
Description: A map of the management locks created, with the lock name as the key and the lock ID as the value.
Description: The IDs of the private endpoint application security group associations created.
Description: A map of the role assignments created, with the assignment key as the map key and the assignment value as the map value.
Description: A map of the SQL databases created, with the database name as the key and the database ID, containers, functions, stored_procedures and triggers as the value.
Description: The IDs of the SQL dedicated gateways created.
No modules.
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.