From a2373345b7b2af6ef867c728616a3d59f5e40589 Mon Sep 17 00:00:00 2001 
From: Bryan <117635118+bryansan-msft@users.noreply.github.com> Date: Thu, 5 Dec 2024 18:48:39 +0100 Subject: [PATCH] feat: WAF Aligned review + Tests optimization (#3890) - Make TLS 1.2 the minimum and only supported version - Delete resources created in tests that are not needed for that specific test. For example, the mongodb tests don't need to create and test diagnostic settings. There are other tests specific to that one. - Support account RU limits - Allow capabilities to be used without having to create any kind of database This PR contains breaking changes (the TLS 1.2 one), but we still cannot increase the major version of the module Closes #3754 Closes #3753 ## Pipeline Reference | Pipeline | | -------- | | | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [x] Breaking changes and I have bumped the MAJOR version in `version.json`. - [x] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. 
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .../document-db/database-account/README.md | 841 +++++------------- .../gremlin-database/graph/main.json | 4 +- .../gremlin-database/main.json | 8 +- .../document-db/database-account/main.bicep | 38 +- .../document-db/database-account/main.json | 35 +- .../mongodb-database/collection/main.json | 4 +- .../mongodb-database/main.json | 8 +- .../sql-database/container/main.json | 4 +- .../database-account/sql-database/main.json | 8 +- .../database-account/sql-role/main.json | 12 +- .../sql-role/sql-role-assignments/main.json | 4 +- .../sql-role/sql-role-definitions/main.json | 4 +- .../database-account/table/main.json | 4 +- .../tests/e2e/analytical/main.test.bicep | 2 +- .../e2e/boundedConsistency/main.test.bicep | 2 +- .../tests/e2e/defaults/main.test.bicep | 2 +- .../tests/e2e/gremlindb/dependencies.bicep | 52 -- .../tests/e2e/gremlindb/main.test.bicep | 83 +- .../tests/e2e/kvSecrets/main.test.bicep | 2 +- .../tests/e2e/managedIdentity/main.test.bicep | 2 +- .../tests/e2e/mongodb/dependencies.bicep | 52 -- .../tests/e2e/mongodb/main.test.bicep | 81 +- .../tests/e2e/multiRegion/main.test.bicep | 9 +- .../tests/e2e/plain/main.test.bicep | 24 +- .../publicRestrictedAccess/main.test.bicep | 2 +- .../tests/e2e/sqldb/main.test.bicep | 9 +- .../e2e/{role => sqlroles}/dependencies.bicep | 0 .../e2e/{role => sqlroles}/main.test.bicep | 2 +- .../tests/e2e/table/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 34 +- .../document-db/database-account/version.json | 10 +- 31 files changed, 361 insertions(+), 983 deletions(-) delete mode 100644 avm/res/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep delete mode 100644 avm/res/document-db/database-account/tests/e2e/mongodb/dependencies.bicep rename avm/res/document-db/database-account/tests/e2e/{role => sqlroles}/dependencies.bicep (100%) rename avm/res/document-db/database-account/tests/e2e/{role 
=> sqlroles}/main.test.bicep (98%) diff --git a/avm/res/document-db/database-account/README.md b/avm/res/document-db/database-account/README.md index 4aa14673be..a48419fb6a 100644 --- a/avm/res/document-db/database-account/README.md +++ b/avm/res/document-db/database-account/README.md @@ -50,8 +50,8 @@ The following section provides usage examples for the module, which were used to - [Deploying multiple regions](#example-8-deploying-multiple-regions) - [Plain](#example-9-plain) - [Public network restricted access with ACL](#example-10-public-network-restricted-access-with-acl) -- [Deploying with a sql role definision and assignment](#example-11-deploying-with-a-sql-role-definision-and-assignment) -- [SQL Database](#example-12-sql-database) +- [SQL Database](#example-11-sql-database) +- [Deploying with a sql role definision and assignment](#example-12-deploying-with-a-sql-role-definision-and-assignment) - [API for Table](#example-13-api-for-table) - [WAF-aligned](#example-14-waf-aligned) @@ -320,20 +320,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: capabilitiesToAdd: [ 'EnableGremlin' ] - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] gremlinDatabases: [ { graphs: [ 
@@ -384,44 +370,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: } ] location: '' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - managedIdentities: { - systemAssigned: true - } - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - name: '' - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -448,22 +396,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "EnableGremlin" ] }, - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, "gremlinDatabases": { "value": [ { 
@@ -517,52 +449,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: }, "location": { "value": "" - }, - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "name": "", - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -584,20 +470,6 @@ param name = 'dddagrm002' param capabilitiesToAdd = [ 'EnableGremlin' ] -param diagnosticSettings = [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } -] param gremlinDatabases = [ { graphs: [ 
@@ -648,44 +520,6 @@ param gremlinDatabases = [ } ] param location = '' -param locations = [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } -] -param managedIdentities = { - systemAssigned: true -} -param roleAssignments = [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - name: '' - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } -] -param tags = { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' -} ``` @@ -946,36 +780,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: // Required parameters name: 'dddamng001' // Non-required parameters - diagnosticSettings: [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } - ] location: '' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } - ] - managedIdentities: { - systemAssigned: true - } mongodbDatabases: [ { collections: [ 
@@ -1162,29 +967,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: name: 'mdb-dddamng-002' } ] - roleAssignments: [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - name: '' - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } - ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -1206,44 +988,9 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "value": "dddamng001" }, // Non-required parameters - "diagnosticSettings": { - "value": [ - { - "eventHubAuthorizationRuleResourceId": "", - "eventHubName": "", - "metricCategories": [ - { - "category": "AllMetrics" - } - ], - "name": "customSetting", - "storageAccountResourceId": "", - "workspaceResourceId": "" - } - ] - }, "location": { "value": "" }, - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - }, - { - "failoverPriority": 1, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, - "managedIdentities": { - "value": { - "systemAssigned": true - } - }, "mongodbDatabases": { "value": [ { 
@@ -1431,33 +1178,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "name": "mdb-dddamng-002" } ] - }, - "roleAssignments": { - "value": [ - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Owner" - }, - { - "name": "", - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c" - }, - { - "principalId": "", - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "" - } - ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -1476,36 +1196,7 @@ using 'br/public:avm/res/document-db/database-account:' // Required parameters param name = 'dddamng001' // Non-required parameters -param diagnosticSettings = [ - { - eventHubAuthorizationRuleResourceId: '' - eventHubName: '' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - name: 'customSetting' - storageAccountResourceId: '' - workspaceResourceId: '' - } -] param location = '' -param locations = [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: '' - } -] -param managedIdentities = { - systemAssigned: true -} param mongodbDatabases = [ { collections: [ @@ -1692,29 +1383,6 @@ param mongodbDatabases = [ name: 'mdb-dddamng-002' } ] -param roleAssignments = [ - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Owner' - } - { - name: '' - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - } - { - principalId: '' - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: '' - } -] -param tags = { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' -} ``` 
@@ -1736,7 +1404,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: // Required parameters name: 'multi-region' // Non-required parameters - automaticFailover: false + automaticFailover: true backupIntervalInMinutes: 300 backupPolicyType: 'Periodic' backupRetentionIntervalInHours: 16 @@ -1782,7 +1450,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: }, // Non-required parameters "automaticFailover": { - "value": false + "value": true }, "backupIntervalInMinutes": { "value": 300 @@ -1840,7 +1508,7 @@ using 'br/public:avm/res/document-db/database-account:' // Required parameters param name = 'multi-region' // Non-required parameters -param automaticFailover = false +param automaticFailover = true param backupIntervalInMinutes = 300 param backupPolicyType = 'Periodic' param backupRetentionIntervalInHours = 16 @@ -1885,11 +1553,11 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: // Required parameters name: 'dddapln001' // Non-required parameters - backupPolicyContinuousTier: 'Continuous7Days' - backupPolicyType: 'Continuous' - defaultConsistencyLevel: 'ConsistentPrefix' - disableKeyBasedMetadataWriteAccess: true - disableLocalAuth: true + capabilitiesToAdd: [ + 'EnableServerless' + ] + databaseAccountOfferType: 'Standard' + enableTelemetry: false location: '' locations: [ { @@ -1898,11 +1566,21 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: locationName: '' } ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } sqlDatabases: [ { name: 'no-containers-specified' } ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + totalThroughputLimit: 4000 } } ``` 
@@ -1924,20 +1602,16 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "value": "dddapln001" }, // Non-required parameters - "backupPolicyContinuousTier": { - "value": "Continuous7Days" - }, - "backupPolicyType": { - "value": "Continuous" - }, - "defaultConsistencyLevel": { - "value": "ConsistentPrefix" + "capabilitiesToAdd": { + "value": [ + "EnableServerless" + ] }, - "disableKeyBasedMetadataWriteAccess": { - "value": true + "databaseAccountOfferType": { + "value": "Standard" }, - "disableLocalAuth": { - "value": true + "enableTelemetry": { + "value": false }, "location": { "value": "" @@ -1951,12 +1625,28 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: } ] }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, "sqlDatabases": { "value": [ { "name": "no-containers-specified" } ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "totalThroughputLimit": { + "value": 4000 } } } @@ -1975,11 +1665,11 @@ using 'br/public:avm/res/document-db/database-account:' // Required parameters param name = 'dddapln001' // Non-required parameters -param backupPolicyContinuousTier = 'Continuous7Days' -param backupPolicyType = 'Continuous' -param defaultConsistencyLevel = 'ConsistentPrefix' -param disableKeyBasedMetadataWriteAccess = true -param disableLocalAuth = true +param capabilitiesToAdd = [ + 'EnableServerless' +] +param databaseAccountOfferType = 'Standard' +param enableTelemetry = false param location = '' param locations = [ { 
@@ -1988,11 +1678,21 @@ param locations = [ locationName: '' } ] +param lock = { + kind: 'CanNotDelete' + name: 'myCustomLockName' +} param sqlDatabases = [ { name: 'no-containers-specified' } ] +param tags = { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' +} +param totalThroughputLimit = 4000 ``` @@ -2101,110 +1801,18 @@ param networkRestrictions = { ipRules: [ '79.0.0.0' '80.0.0.0' - ] - networkAclBypass: 'AzureServices' - publicNetworkAccess: 'Enabled' - virtualNetworkRules: [ - { - subnetResourceId: '' - } - ] -} -param sqlDatabases = [ - { - name: 'no-containers-specified' - } -] -``` - - -

- -### Example 11: _Deploying with a sql role definision and assignment_ - -This instance deploys the module with sql role definision and assignment - - -

- -via Bicep module - -```bicep -module databaseAccount 'br/public:avm/res/document-db/database-account:' = { - name: 'databaseAccountDeployment' - params: { - // Required parameters - name: 'role-ref' - // Non-required parameters - location: '' - sqlRoleAssignmentsPrincipalIds: [ - '' - ] - sqlRoleDefinitions: [ - { - name: 'cosmos-sql-role-test' - } - ] - } -} -``` - -
-

- -

- -via JSON parameters file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "role-ref" - }, - // Non-required parameters - "location": { - "value": "" - }, - "sqlRoleAssignmentsPrincipalIds": { - "value": [ - "" - ] - }, - "sqlRoleDefinitions": { - "value": [ - { - "name": "cosmos-sql-role-test" - } - ] - } - } -} -``` - -
-

- -

- -via Bicep parameters file - -```bicep-params -using 'br/public:avm/res/document-db/database-account:' - -// Required parameters -param name = 'role-ref' -// Non-required parameters -param location = '' -param sqlRoleAssignmentsPrincipalIds = [ - '' -] -param sqlRoleDefinitions = [ + ] + networkAclBypass: 'AzureServices' + publicNetworkAccess: 'Enabled' + virtualNetworkRules: [ + { + subnetResourceId: '' + } + ] +} +param sqlDatabases = [ { - name: 'cosmos-sql-role-test' + name: 'no-containers-specified' } ] ``` @@ -2212,7 +1820,7 @@ param sqlRoleDefinitions = [

-### Example 12: _SQL Database_ +### Example 11: _SQL Database_ This instance deploys the module with a SQL Database. @@ -2230,13 +1838,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: // Non-required parameters enableAnalyticalStorage: true location: '' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } - ] sqlDatabases: [ { containers: [ @@ -2514,15 +2115,6 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "location": { "value": "" }, - "locations": { - "value": [ - { - "failoverPriority": 0, - "isZoneRedundant": false, - "locationName": "" - } - ] - }, "sqlDatabases": { "value": [ { @@ -2794,13 +2386,6 @@ param name = 'dddasql001' // Non-required parameters param enableAnalyticalStorage = true param location = '' -param locations = [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: '' - } -] param sqlDatabases = [ { containers: [ @@ -3056,6 +2641,98 @@ param sqlDatabases = [

+### Example 12: _Deploying with a sql role definision and assignment_ + +This instance deploys the module with sql role definision and assignment + + +

+ +via Bicep module + +```bicep +module databaseAccount 'br/public:avm/res/document-db/database-account:' = { + name: 'databaseAccountDeployment' + params: { + // Required parameters + name: 'role-ref' + // Non-required parameters + location: '' + sqlRoleAssignmentsPrincipalIds: [ + '' + ] + sqlRoleDefinitions: [ + { + name: 'cosmos-sql-role-test' + } + ] + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "role-ref" + }, + // Non-required parameters + "location": { + "value": "" + }, + "sqlRoleAssignmentsPrincipalIds": { + "value": [ + "" + ] + }, + "sqlRoleDefinitions": { + "value": [ + { + "name": "cosmos-sql-role-test" + } + ] + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/document-db/database-account:' + +// Required parameters +param name = 'role-ref' +// Non-required parameters +param location = '' +param sqlRoleAssignmentsPrincipalIds = [ + '' +] +param sqlRoleDefinitions = [ + { + name: 'cosmos-sql-role-test' + } +] +``` + +
+

+ ### Example 13: _API for Table_ This instance deploys the module for an Azure Cosmos DB for Table account with two example tables. @@ -3179,6 +2856,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: // Required parameters name: 'dddawaf001' // Non-required parameters + automaticFailover: true diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -3188,10 +2866,12 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: } ] disableKeyBasedMetadataWriteAccess: true + disableLocalAuth: true location: '' - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + minimumTlsVersion: 'Tls12' + networkRestrictions: { + networkAclBypass: 'None' + publicNetworkAccess: 'Disabled' } privateEndpoints: [ { @@ -3204,32 +2884,13 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: } service: 'Sql' subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } ] sqlDatabases: [ { - containers: [ - { - kind: 'Hash' - name: 'container-001' - paths: [ - '/myPartitionKey1' - ] - } - ] - name: 'sql-dddawaf-001' + name: 'no-containers-specified' } ] - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } } ``` @@ -3251,6 +2912,9 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "value": "dddawaf001" }, // Non-required parameters + "automaticFailover": { + "value": true + }, "diagnosticSettings": { "value": [ { 
@@ -3264,13 +2928,19 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: "disableKeyBasedMetadataWriteAccess": { "value": true }, + "disableLocalAuth": { + "value": true + }, "location": { "value": "" }, - "lock": { + "minimumTlsVersion": { + "value": "Tls12" + }, + "networkRestrictions": { "value": { - "kind": "CanNotDelete", - "name": "myCustomLockName" + "networkAclBypass": "None", + "publicNetworkAccess": "Disabled" } }, "privateEndpoints": { @@ -3284,37 +2954,16 @@ module databaseAccount 'br/public:avm/res/document-db/database-account: ] }, "service": "Sql", - "subnetResourceId": "", - "tags": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } + "subnetResourceId": "" } ] }, "sqlDatabases": { "value": [ { - "containers": [ - { - "kind": "Hash", - "name": "container-001", - "paths": [ - "/myPartitionKey1" - ] - } - ], - "name": "sql-dddawaf-001" + "name": "no-containers-specified" } ] - }, - "tags": { - "value": { - "Environment": "Non-Prod", - "hidden-title": "This is visible in the resource name", - "Role": "DeploymentValidation" - } } } } @@ -3333,6 +2982,7 @@ using 'br/public:avm/res/document-db/database-account:' // Required parameters param name = 'dddawaf001' // Non-required parameters +param automaticFailover = true param diagnosticSettings = [ { eventHubAuthorizationRuleResourceId: '' @@ -3342,10 +2992,12 @@ param diagnosticSettings = [ } ] param disableKeyBasedMetadataWriteAccess = true +param disableLocalAuth = true param location = '' -param lock = { - kind: 'CanNotDelete' - name: 'myCustomLockName' +param minimumTlsVersion = 'Tls12' +param networkRestrictions = { + networkAclBypass: 'None' + publicNetworkAccess: 'Disabled' } param privateEndpoints = [ { 
@@ -3358,32 +3010,13 @@ param privateEndpoints = [ } service: 'Sql' subnetResourceId: '' - tags: { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' - } } ] param sqlDatabases = [ { - containers: [ - { - kind: 'Hash' - name: 'container-001' - paths: [ - '/myPartitionKey1' - ] - } - ] - name: 'sql-dddawaf-001' + name: 'no-containers-specified' } ] -param tags = { - Environment: 'Non-Prod' - 'hidden-title': 'This is visible in the resource name' - Role: 'DeploymentValidation' -} ``` @@ -3401,7 +3034,7 @@ param tags = { | Parameter | Type | Description | | :-- | :-- | :-- | -| [`automaticFailover`](#parameter-automaticfailover) | bool | Enable automatic failover for regions. | +| [`automaticFailover`](#parameter-automaticfailover) | bool | Default to true. Enable automatic failover for regions. | | [`backupIntervalInMinutes`](#parameter-backupintervalinminutes) | int | Default to 240. An integer representing the interval in minutes between two backups. Only applies to periodic backup type. | | [`backupPolicyContinuousTier`](#parameter-backuppolicycontinuoustier) | string | Default to Continuous30Days. Configuration values for continuous mode backup. | | [`backupPolicyType`](#parameter-backuppolicytype) | string | Default to Continuous. Describes the mode of backups. Periodic backup must be used if multiple write locations are used. | 
@@ -3411,11 +3044,11 @@ param tags = { | [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | Default to Standard. The offer type for the Azure Cosmos DB database account. | | [`defaultConsistencyLevel`](#parameter-defaultconsistencylevel) | string | Default to Session. The default consistency level of the Cosmos DB account. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | -| [`disableKeyBasedMetadataWriteAccess`](#parameter-disablekeybasedmetadatawriteaccess) | bool | Disable write operations on metadata resources (databases, containers, throughput) via account keys. | -| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication. | -| [`enableAnalyticalStorage`](#parameter-enableanalyticalstorage) | bool | Flag to indicate whether to enable storage analytics. | -| [`enableFreeTier`](#parameter-enablefreetier) | bool | Flag to indicate whether Free Tier is enabled. | -| [`enableMultipleWriteLocations`](#parameter-enablemultiplewritelocations) | bool | Enables the account to write in multiple locations. Periodic backup must be used if enabled. | +| [`disableKeyBasedMetadataWriteAccess`](#parameter-disablekeybasedmetadatawriteaccess) | bool | Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication. | +| [`enableAnalyticalStorage`](#parameter-enableanalyticalstorage) | bool | Default to false. Flag to indicate whether to enable storage analytics. | +| [`enableFreeTier`](#parameter-enablefreetier) | bool | Default to false. Flag to indicate whether Free Tier is enabled. 
| +| [`enableMultipleWriteLocations`](#parameter-enablemultiplewritelocations) | bool | Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled. | | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`gremlinDatabases`](#parameter-gremlindatabases) | array | Gremlin Databases configurations. | | [`location`](#parameter-location) | string | Default to current resource group scope location. Location for all resources. | @@ -3436,6 +3069,7 @@ param tags = { | [`sqlRoleDefinitions`](#parameter-sqlroledefinitions) | array | SQL Role Definitions configurations. | | [`tables`](#parameter-tables) | array | Table configurations. | | [`tags`](#parameter-tags) | object | Tags of the Database Account resource. | +| [`totalThroughputLimit`](#parameter-totalthroughputlimit) | int | Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s). | ### Parameter: `name` @@ -3446,7 +3080,7 @@ Name of the Database Account. ### Parameter: `automaticFailover` -Enable automatic failover for regions. +Default to true. Enable automatic failover for regions. - Required: No - Type: bool @@ -3716,7 +3350,7 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it ### Parameter: `disableKeyBasedMetadataWriteAccess` -Disable write operations on metadata resources (databases, containers, throughput) via account keys. +Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys. - Required: No - Type: bool 
@@ -3724,7 +3358,7 @@ Disable write operations on metadata resources (databases, containers, throughpu ### Parameter: `disableLocalAuth` -Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication. +Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication. - Required: No - Type: bool @@ -3732,7 +3366,7 @@ Opt-out of local authentication and ensure only MSI and AAD can be used exclusiv ### Parameter: `enableAnalyticalStorage` -Flag to indicate whether to enable storage analytics. +Default to false. Flag to indicate whether to enable storage analytics. - Required: No - Type: bool @@ -3740,7 +3374,7 @@ Flag to indicate whether to enable storage analytics. ### Parameter: `enableFreeTier` -Flag to indicate whether Free Tier is enabled. +Default to false. Flag to indicate whether Free Tier is enabled. - Required: No - Type: bool @@ -3748,7 +3382,7 @@ Flag to indicate whether Free Tier is enabled. ### Parameter: `enableMultipleWriteLocations` -Enables the account to write in multiple locations. Periodic backup must be used if enabled. +Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled. - Required: No - Type: bool @@ -3910,8 +3544,6 @@ Default to TLS 1.2. Enum to indicate the minimum allowed TLS version. Azure Cosm - Allowed: ```Bicep [ - 'Tls' - 'Tls11' 'Tls12' ] ``` 
@@ -3939,50 +3571,25 @@ The network configuration of this module. Defaults to `{ ipRules: [], virtualNet } ``` -**Required parameters** +**Optional parameters** | Parameter | Type | Description | | :-- | :-- | :-- | | [`ipRules`](#parameter-networkrestrictionsiprules) | array | A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8". | +| [`networkAclBypass`](#parameter-networkrestrictionsnetworkaclbypass) | string | Default to None. Specifies the network ACL bypass for Azure services. | +| [`publicNetworkAccess`](#parameter-networkrestrictionspublicnetworkaccess) | string | Default to Disabled. Whether requests from Public Network are allowed. | | [`virtualNetworkRules`](#parameter-networkrestrictionsvirtualnetworkrules) | array | List of Virtual Network ACL rules configured for the Cosmos DB account.. | -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`networkAclBypass`](#parameter-networkrestrictionsnetworkaclbypass) | string | Default to AzureServices. Specifies the network ACL bypass for Azure services. | -| [`publicNetworkAccess`](#parameter-networkrestrictionspublicnetworkaccess) | string | Default to Enabled. Whether requests from Public Network are allowed. | - ### Parameter: `networkRestrictions.ipRules` A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8". 
-- Required: Yes -- Type: array - -### Parameter: `networkRestrictions.virtualNetworkRules` - -List of Virtual Network ACL rules configured for the Cosmos DB account.. - -- Required: Yes +- Required: No - Type: array -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`subnetResourceId`](#parameter-networkrestrictionsvirtualnetworkrulessubnetresourceid) | string | Resource ID of a subnet. | - -### Parameter: `networkRestrictions.virtualNetworkRules.subnetResourceId` - -Resource ID of a subnet. - -- Required: Yes -- Type: string - ### Parameter: `networkRestrictions.networkAclBypass` -Default to AzureServices. Specifies the network ACL bypass for Azure services. +Default to None. Specifies the network ACL bypass for Azure services. - Required: No - Type: string @@ -3996,7 +3603,7 @@ Default to AzureServices. Specifies the network ACL bypass for Azure services. ### Parameter: `networkRestrictions.publicNetworkAccess` -Default to Enabled. Whether requests from Public Network are allowed. +Default to Disabled. Whether requests from Public Network are allowed. - Required: No - Type: string @@ -4008,6 +3615,26 @@ Default to Enabled. Whether requests from Public Network are allowed. ] ``` +### Parameter: `networkRestrictions.virtualNetworkRules` + +List of Virtual Network ACL rules configured for the Cosmos DB account.. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`subnetResourceId`](#parameter-networkrestrictionsvirtualnetworkrulessubnetresourceid) | string | Resource ID of a subnet. | + +### Parameter: `networkRestrictions.virtualNetworkRules.subnetResourceId` + +Resource ID of a subnet. + +- Required: Yes +- Type: string + ### Parameter: `privateEndpoints` Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. 
@@ -4931,6 +4558,14 @@ Tags of the Database Account resource. - Required: No - Type: object +### Parameter: `totalThroughputLimit` + +Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s). + +- Required: No +- Type: int +- Default: `-1` + ## Outputs | Output | Type | Description | diff --git a/avm/res/document-db/database-account/gremlin-database/graph/main.json b/avm/res/document-db/database-account/gremlin-database/graph/main.json index 96761953b4..e032fe503b 100644 --- a/avm/res/document-db/database-account/gremlin-database/graph/main.json +++ b/avm/res/document-db/database-account/gremlin-database/graph/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "5396990720772518636" + "version": "0.31.92.45157", + "templateHash": "16994331830326213766" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", diff --git a/avm/res/document-db/database-account/gremlin-database/main.json b/avm/res/document-db/database-account/gremlin-database/main.json index 5dcde760ef..b4f2a36c82 100644 --- a/avm/res/document-db/database-account/gremlin-database/main.json +++ b/avm/res/document-db/database-account/gremlin-database/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "14612267479855031826" + "version": "0.31.92.45157", + "templateHash": "6528096364275148764" }, "name": "DocumentDB Database Account Gremlin Databases", "description": "This module deploys a Gremlin Database within a CosmosDB Account.", 
@@ -111,8 +111,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "5396990720772518636" + "version": "0.31.92.45157", + "templateHash": "16994331830326213766" }, "name": "DocumentDB Database Accounts Gremlin Databases Graphs", "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.", diff --git a/avm/res/document-db/database-account/main.bicep b/avm/res/document-db/database-account/main.bicep index bcb3560306..bf92e3aaaf 100644 --- a/avm/res/document-db/database-account/main.bicep +++ b/avm/res/document-db/database-account/main.bicep 
@@ -33,22 +33,22 @@ param locations failoverLocationsType[] = [] @description('Optional. Default to Session. The default consistency level of the Cosmos DB account.') param defaultConsistencyLevel string = 'Session' -@description('Optional. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication.') +@description('Optional. Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication.') param disableLocalAuth bool = true -@description('Optional. Flag to indicate whether to enable storage analytics.') +@description('Optional. Default to false. Flag to indicate whether to enable storage analytics.') param enableAnalyticalStorage bool = false -@description('Optional. Enable automatic failover for regions.') +@description('Optional. Default to true. Enable automatic failover for regions.') param automaticFailover bool = true -@description('Optional. Flag to indicate whether Free Tier is enabled.') +@description('Optional. Default to false. Flag to indicate whether Free Tier is enabled.') param enableFreeTier bool = false -@description('Optional. Enables the account to write in multiple locations. Periodic backup must be used if enabled.') +@description('Optional. Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled.') param enableMultipleWriteLocations bool = false -@description('Optional. Disable write operations on metadata resources (databases, containers, throughput) via account keys.') +@description('Optional. Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys.') param disableKeyBasedMetadataWriteAccess bool = true @minValue(1) 
@@ -94,6 +94,9 @@ param tables array = [] @description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true +@description('Optional. Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s).') +param totalThroughputLimit int = -1 + @description('Optional. The lock settings of the service.') param lock lockType @@ -163,8 +166,6 @@ param networkRestrictions networkRestrictionsType = { } @allowed([ - 'Tls' - 'Tls11' 'Tls12' ]) @description('Optional. Default to TLS 1.2. Enum to indicate the minimum allowed TLS version. Azure Cosmos DB for MongoDB RU and Apache Cassandra only work with TLS 1.2 or later.') @@ -264,7 +265,11 @@ var databaseAccountProperties = union( { databaseAccountOfferType: databaseAccountOfferType backupPolicy: backupPolicy + capabilities: capabilities minimalTlsVersion: minimumTlsVersion + capacity: { + totalThrougputLimit: totalThroughputLimit + } }, ((!empty(sqlDatabases) || !empty(mongodbDatabases) || !empty(gremlinDatabases) || !empty(tables)) ? { @@ -275,11 +280,10 @@ var databaseAccountProperties = union( ipRules: ipRules virtualNetworkRules: virtualNetworkRules - networkAclBypass: networkRestrictions.?networkAclBypass ?? 'AzureServices' - publicNetworkAccess: networkRestrictions.?publicNetworkAccess ?? 'Enabled' + networkAclBypass: networkRestrictions.?networkAclBypass ?? 'None' + publicNetworkAccess: networkRestrictions.?publicNetworkAccess ?? 'Disabled' isVirtualNetworkFilterEnabled: !empty(ipRules) || !empty(virtualNetworkRules) - capabilities: capabilities enableFreeTier: enableFreeTier enableAutomaticFailover: automaticFailover enableAnalyticalStorage: enableAnalyticalStorage 
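Review bot: The key in the added `capacity` object is spelled `totalThrougputLimit` (missing an `h`), while the parameter feeding it is `totalThroughputLimit` and, as far as I know, so is the resource provider's property. With the misspelled key the RU/s cap is probably not applied, so a caller who sets a limit as a cost or resource-exhaustion guard could get an uncapped account without any deployment error. I would change the line to `totalThroughputLimit: totalThroughputLimit` and regenerate main.json, whose `databaseAccountProperties` expression carries the same key. The `var databaseAccountProperties = union(` expression continues outside this hunk.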
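Review bot: The hardened fallbacks `networkAclBypass: ... ?? 'None'` and `publicNetworkAccess: ... ?? 'Disabled'` are only emitted when at least one of `sqlDatabases`, `mongodbDatabases`, `gremlinDatabases` or `tables` is non-empty, because they sit in the conditional object. The compiled main.json shows this as `if(or(...), createObject(...), createObject())`. This commit moves `capabilities` into the unconditional base object so that accounts without databases are supported, and such an account would be deployed without these two properties and fall back to the service defaults (presumably public access enabled; please confirm). I would move both lines up next to `minimalTlsVersion: minimumTlsVersion`. The same applies to `disableLocalAuth`, which the compiled template sets only for `sqlDatabases` or `tables`. The conditional object starts and ends outside this hunk.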
@@ -964,18 +968,18 @@ type secretsOutputType = { } type networkRestrictionsType = { - @description('Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".') - ipRules: string[] + @description('Optional. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".') + ipRules: string[]? - @description('Optional. Default to AzureServices. Specifies the network ACL bypass for Azure services.') + @description('Optional. Default to None. Specifies the network ACL bypass for Azure services.') networkAclBypass: ('AzureServices' | 'None')? - @description('Optional. Default to Enabled. Whether requests from Public Network are allowed.') + @description('Optional. Default to Disabled. Whether requests from Public Network are allowed.') publicNetworkAccess: ('Enabled' | 'Disabled')? - @description('Required. List of Virtual Network ACL rules configured for the Cosmos DB account..') + @description('Optional. List of Virtual Network ACL rules configured for the Cosmos DB account..') virtualNetworkRules: { @description('Required. Resource ID of a subnet.') subnetResourceId: string - }[] + }[]? } diff --git a/avm/res/document-db/database-account/main.json b/avm/res/document-db/database-account/main.json index da1073c7de..9572791de3 100644 --- a/avm/res/document-db/database-account/main.json +++ b/avm/res/document-db/database-account/main.json 
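Review bot: Since `ipRules` and `virtualNetworkRules` are now nullable (`string[]?` and `}[]?`), every place that reads them needs null-safe access such as `networkRestrictions.?ipRules ?? []`. The variables that consume them are outside this hunk, so this is something to confirm rather than a known defect. The rewritten `ipRules` description still gives `"23.40.210.0/8"` as a valid input, which is a /8 covering roughly 16.7 million addresses. A narrower sample such as `"23.40.210.0/24"` (constructed example) would be a better model for an allow-list entry now that public access defaults to `Disabled`. The `virtualNetworkRules` description also ends in a doubled period (`account..`).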
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.31.92.45157", - "templateHash": "15087724607037385937" + "templateHash": "10855021340496431236" }, "name": "DocumentDB Database Accounts", "description": "This module deploys a DocumentDB Database Account.", @@ -790,8 +790,9 @@ "items": { "type": "string" }, + "nullable": true, "metadata": { - "description": "Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"." + "description": "Optional. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"." } }, "networkAclBypass": { @@ -802,7 +803,7 @@ ], "nullable": true, "metadata": { - "description": "Optional. Default to AzureServices. Specifies the network ACL bypass for Azure services." + "description": "Optional. Default to None. Specifies the network ACL bypass for Azure services." } }, "publicNetworkAccess": { @@ -813,7 +814,7 @@ ], "nullable": true, "metadata": { - "description": "Optional. Default to Enabled. Whether requests from Public Network are allowed." + "description": "Optional. Default to Disabled. Whether requests from Public Network are allowed." } }, "virtualNetworkRules": { @@ -829,8 +830,9 @@ } } }, + "nullable": true, "metadata": { - "description": "Required. List of Virtual Network ACL rules configured for the Cosmos DB account.." + "description": "Optional. List of Virtual Network ACL rules configured for the Cosmos DB account.." } } } 
@@ -923,42 +925,42 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication." + "description": "Optional. Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication." } }, "enableAnalyticalStorage": { "type": "bool", "defaultValue": false, "metadata": { - "description": "Optional. Flag to indicate whether to enable storage analytics." + "description": "Optional. Default to false. Flag to indicate whether to enable storage analytics." } }, "automaticFailover": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Enable automatic failover for regions." + "description": "Optional. Default to true. Enable automatic failover for regions." } }, "enableFreeTier": { "type": "bool", "defaultValue": false, "metadata": { - "description": "Optional. Flag to indicate whether Free Tier is enabled." + "description": "Optional. Default to false. Flag to indicate whether Free Tier is enabled." } }, "enableMultipleWriteLocations": { "type": "bool", "defaultValue": false, "metadata": { - "description": "Optional. Enables the account to write in multiple locations. Periodic backup must be used if enabled." + "description": "Optional. Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled." } }, "disableKeyBasedMetadataWriteAccess": { "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Disable write operations on metadata resources (databases, containers, throughput) via account keys." + "description": "Optional. Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys." } }, "maxStalenessPrefix": { 
@@ -1046,6 +1048,13 @@ "description": "Optional. Enable/Disable usage telemetry for module." } }, + "totalThroughputLimit": { + "type": "int", + "defaultValue": -1, + "metadata": { + "description": "Optional. Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s)." + } + }, "lock": { "$ref": "#/definitions/lockType", "metadata": { @@ -1165,8 +1174,6 @@ "type": "string", "defaultValue": "Tls12", "allowedValues": [ - "Tls", - "Tls11", "Tls12" ], "metadata": { 
@@ -1243,7 +1250,7 @@ ], "kind": "[if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('gremlinDatabases')))), 'GlobalDocumentDB', if(not(empty(parameters('mongodbDatabases'))), 'MongoDB', 'GlobalDocumentDB'))]", "backupPolicy": "[if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('type', parameters('backupPolicyType'), 'continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject('type', parameters('backupPolicyType'), 'periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))))]", - "databaseAccountProperties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType'), 'backupPolicy', variables('backupPolicy'), 'minimalTlsVersion', parameters('minimumTlsVersion')), if(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'locations', if(empty(variables('databaseAccount_locations')), variables('defaultFailoverLocation'), variables('databaseAccount_locations')), 'ipRules', variables('ipRules'), 'virtualNetworkRules', variables('virtualNetworkRules'), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'AzureServices'), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Enabled'), 'isVirtualNetworkFilterEnabled', or(not(empty(variables('ipRules'))), not(empty(variables('virtualNetworkRules')))), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 
'enableAutomaticFailover', parameters('automaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), createObject()), if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('tables')))), createObject('disableLocalAuth', parameters('disableLocalAuth'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]", + "databaseAccountProperties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType'), 'backupPolicy', variables('backupPolicy'), 'capabilities', variables('capabilities'), 'minimalTlsVersion', parameters('minimumTlsVersion'), 'capacity', createObject('totalThrougputLimit', parameters('totalThroughputLimit'))), if(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'locations', if(empty(variables('databaseAccount_locations')), variables('defaultFailoverLocation'), variables('databaseAccount_locations')), 'ipRules', variables('ipRules'), 'virtualNetworkRules', variables('virtualNetworkRules'), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'None'), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Disabled'), 'isVirtualNetworkFilterEnabled', or(not(empty(variables('ipRules'))), not(empty(variables('virtualNetworkRules')))), 'enableFreeTier', parameters('enableFreeTier'), 'enableAutomaticFailover', parameters('automaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), 
createObject()), if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('tables')))), createObject('disableLocalAuth', parameters('disableLocalAuth'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]", "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", diff --git a/avm/res/document-db/database-account/mongodb-database/collection/main.json b/avm/res/document-db/database-account/mongodb-database/collection/main.json index f40b7ac4c3..cda65c0191 100644 --- a/avm/res/document-db/database-account/mongodb-database/collection/main.json +++ b/avm/res/document-db/database-account/mongodb-database/collection/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "1358778299011674509" + "version": "0.31.92.45157", + "templateHash": "9799909568020880663" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/avm/res/document-db/database-account/mongodb-database/main.json b/avm/res/document-db/database-account/mongodb-database/main.json index dd4a34ab45..4810186569 100644 --- a/avm/res/document-db/database-account/mongodb-database/main.json +++ b/avm/res/document-db/database-account/mongodb-database/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "1169635175830874795" + "version": "0.31.92.45157", + "templateHash": "18295016247574474595" }, "name": "DocumentDB Database Account MongoDB Databases", "description": "This module deploys a MongoDB Database within a CosmosDB Account.", @@ -108,8 +108,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "1358778299011674509" + "version": "0.31.92.45157", + "templateHash": "9799909568020880663" }, "name": "DocumentDB Database Account MongoDB Database Collections", "description": "This module deploys a MongoDB Database Collection.", diff --git a/avm/res/document-db/database-account/sql-database/container/main.json b/avm/res/document-db/database-account/sql-database/container/main.json index 8cac0c2a0e..e28c27d04b 100644 --- a/avm/res/document-db/database-account/sql-database/container/main.json +++ b/avm/res/document-db/database-account/sql-database/container/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "165408036680070575" + "version": "0.31.92.45157", + "templateHash": "1471754747460263407" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", diff --git a/avm/res/document-db/database-account/sql-database/main.json b/avm/res/document-db/database-account/sql-database/main.json index f2458dc625..d86c1554fa 100644 --- a/avm/res/document-db/database-account/sql-database/main.json +++ b/avm/res/document-db/database-account/sql-database/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "10274585444287252550" + "version": "0.31.92.45157", + "templateHash": "14039021912249335209" }, "name": "DocumentDB Database Account SQL Databases", "description": "This module deploys a SQL Database in a CosmosDB Account.", @@ -138,8 +138,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "165408036680070575" + "version": "0.31.92.45157", + "templateHash": "1471754747460263407" }, "name": "DocumentDB Database Account SQL Database Containers", "description": "This module deploys a SQL Database Container in a CosmosDB Account.", diff --git a/avm/res/document-db/database-account/sql-role/main.json b/avm/res/document-db/database-account/sql-role/main.json index 9aed15aeb5..b23d9bf1bd 100644 --- a/avm/res/document-db/database-account/sql-role/main.json +++ b/avm/res/document-db/database-account/sql-role/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "13088569006752107887" + "version": "0.31.92.45157", + "templateHash": "3860121931480041680" }, "name": "DocumentDB Database Account SQL Role.", "description": "This module deploys SQL Role Definision and Assignment in a CosmosDB Account.", @@ -91,8 +91,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "5054354703268051893" + "version": "0.31.92.45157", + "templateHash": "2222650596260487600" }, "name": "DocumentDB Database Account SQL Role Definitions.", "description": "This module deploys a SQL Role Definision in a CosmosDB Account.", 
@@ -212,8 +212,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "4561927123418147924" + "version": "0.31.92.45157", + "templateHash": "12993275952067538651" }, "name": "DocumentDB Database Account SQL Role Assignments.", "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.", diff --git a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json index cb563bafe6..1a4bb60619 100644 --- a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json +++ b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "4561927123418147924" + "version": "0.31.92.45157", + "templateHash": "12993275952067538651" }, "name": "DocumentDB Database Account SQL Role Assignments.", "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.", diff --git a/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json b/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json index 6a2e1eee82..1c51e78dbb 100644 --- a/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json +++ b/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "5054354703268051893" + "version": "0.31.92.45157", + "templateHash": "2222650596260487600" }, "name": "DocumentDB Database Account SQL Role Definitions.", "description": "This module deploys a SQL Role Definision in a CosmosDB Account.", diff --git a/avm/res/document-db/database-account/table/main.json b/avm/res/document-db/database-account/table/main.json index fc12ec0229..0ee46be7c0 100644 
--- a/avm/res/document-db/database-account/table/main.json +++ b/avm/res/document-db/database-account/table/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "15712676324433329983" + "version": "0.31.92.45157", + "templateHash": "6722170581524078621" }, "name": "Azure Cosmos DB account tables", "description": "This module deploys a table within an Azure Cosmos DB Account.", diff --git a/avm/res/document-db/database-account/tests/e2e/analytical/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/analytical/main.test.bicep index 9b0cd336ab..8583aa4dc8 100644 --- a/avm/res/document-db/database-account/tests/e2e/analytical/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/analytical/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources diff --git a/avm/res/document-db/database-account/tests/e2e/boundedConsistency/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/boundedConsistency/main.test.bicep index da06bc091a..cdbef5bfe3 100644 --- a/avm/res/document-db/database-account/tests/e2e/boundedConsistency/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/boundedConsistency/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources 
diff --git a/avm/res/document-db/database-account/tests/e2e/defaults/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/defaults/main.test.bicep index f82b846cc7..4ffb4ba6da 100644 --- a/avm/res/document-db/database-account/tests/e2e/defaults/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/defaults/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // diff --git a/avm/res/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep b/avm/res/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep deleted file mode 100644 index fff7781e6b..0000000000 --- a/avm/res/document-db/database-account/tests/e2e/gremlindb/dependencies.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId(
- 'Microsoft.Authorization/roleDefinitions',
- 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
- ) // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../../utilities/e2e-template-assets/scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/res/document-db/database-account/tests/e2e/gremlindb/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/gremlindb/main.test.bicep
index 1c3416efa0..688c10311e 100644
--- a/avm/res/document-db/database-account/tests/e2e/gremlindb/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/gremlindb/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // @@ -32,30 +32,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { location: enforcedLocation } -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - location: enforcedLocation - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, enforcedLocation)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: enforcedLocation - } -} - // ============== // // Test Execution // // ============== // 
@@ -67,35 +43,10 @@ module testDeployment '../../../main.bicep' = [ name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}' params: { name: '${namePrefix}${serviceShort}002' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: enforcedLocation - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] + location: enforcedLocation capabilitiesToAdd: [ 'EnableGremlin' ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] gremlinDatabases: [ { graphs: [ @@ -145,36 +96,6 @@ module testDeployment '../../../main.bicep' = [ name: '${namePrefix}-gdb-${serviceShort}-002' } ] - location: enforcedLocation - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - name: guid('Custom seed ${namePrefix}${serviceShort}') - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId( - 'Microsoft.Authorization/roleDefinitions', - 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - ) - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - managedIdentities: { - systemAssigned: true - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } } } ] 
diff --git a/avm/res/document-db/database-account/tests/e2e/kvSecrets/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/kvSecrets/main.test.bicep index 4523b10735..61e282ac88 100644 --- a/avm/res/document-db/database-account/tests/e2e/kvSecrets/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/kvSecrets/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources diff --git a/avm/res/document-db/database-account/tests/e2e/managedIdentity/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/managedIdentity/main.test.bicep index 68c45535a2..fe841fdff1 100644 --- a/avm/res/document-db/database-account/tests/e2e/managedIdentity/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/managedIdentity/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // diff --git a/avm/res/document-db/database-account/tests/e2e/mongodb/dependencies.bicep b/avm/res/document-db/database-account/tests/e2e/mongodb/dependencies.bicep deleted file mode 100644 index fff7781e6b..0000000000 --- a/avm/res/document-db/database-account/tests/e2e/mongodb/dependencies.bicep +++ /dev/null 
@@ -1,52 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: managedIdentityName
- location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
- properties: {
- principalId: managedIdentity.properties.principalId
- roleDefinitionId: subscriptionResourceId(
- 'Microsoft.Authorization/roleDefinitions',
- 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
- ) // Reader
- principalType: 'ServicePrincipal'
- }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
- name: pairedRegionScriptName
- location: location
- kind: 'AzurePowerShell'
- identity: {
- type: 'UserAssigned'
- userAssignedIdentities: {
- '${managedIdentity.id}': {}
- }
- }
- properties: {
- azPowerShellVersion: '8.0'
- retentionInterval: 'P1D'
- arguments: '-Location \\"${location}\\"'
- scriptContent: loadTextContent('../../../../../../utilities/e2e-template-assets/scripts/Get-PairedRegion.ps1')
- }
- dependsOn: [
- roleAssignment
- ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/res/document-db/database-account/tests/e2e/mongodb/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/mongodb/main.test.bicep
index 3e5184830c..e6f676b8a6 100644
--- a/avm/res/document-db/database-account/tests/e2e/mongodb/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/mongodb/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // @@ -32,30 +32,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { location: enforcedLocation } -module nestedDependencies 'dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies' - params: { - managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' - location: enforcedLocation - } -} - -// Diagnostics -// =========== -module diagnosticDependencies '../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = { - scope: resourceGroup - name: '${uniqueString(deployment().name, enforcedLocation)}-diagnosticDependencies' - params: { - storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' - logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' - eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' - eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' - location: enforcedLocation - } -} - // ============== // // Test Execution // // ============== // 
@@ -67,32 +43,6 @@ module testDeployment '../../../main.bicep' = [ name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}' params: { name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: enforcedLocation - } - { - failoverPriority: 1 - isZoneRedundant: false - locationName: nestedDependencies.outputs.pairedRegionName - } - ] - diagnosticSettings: [ - { - name: 'customSetting' - metricCategories: [ - { - category: 'AllMetrics' - } - ] - eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName - eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId - storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId - workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId - } - ] location: enforcedLocation mongodbDatabases: [ { @@ -280,35 +230,6 @@ module testDeployment '../../../main.bicep' = [ name: '${namePrefix}-mdb-${serviceShort}-002' } ] - roleAssignments: [ - { - roleDefinitionIdOrName: 'Owner' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - name: guid('Custom seed ${namePrefix}${serviceShort}') - roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c' - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - { - roleDefinitionIdOrName: subscriptionResourceId( - 'Microsoft.Authorization/roleDefinitions', - 'acdd72a7-3385-48ef-bd42-f606fba81ae7' - ) - principalId: nestedDependencies.outputs.managedIdentityPrincipalId - principalType: 'ServicePrincipal' - } - ] - managedIdentities: { - systemAssigned: true - } - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } } } ] 
diff --git a/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep index f7bd07e61b..6c431d8a02 100644 --- a/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep @@ -39,14 +39,17 @@ module testDeployment '../../../main.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}' params: { - automaticFailover: false location: enforcedLocation + name: '${namePrefix}-multi-region' + + automaticFailover: true + enableMultipleWriteLocations: true + backupPolicyType: 'Periodic' backupIntervalInMinutes: 300 backupStorageRedundancy: 'Zone' backupRetentionIntervalInHours: 16 - enableMultipleWriteLocations: true - name: '${namePrefix}-multi-region' + locations: [ { failoverPriority: 0 diff --git a/avm/res/document-db/database-account/tests/e2e/plain/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/plain/main.test.bicep index 589dee9f6e..a5c5bc331d 100644 --- a/avm/res/document-db/database-account/tests/e2e/plain/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/plain/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources 
@@ -41,11 +41,18 @@ module testDeployment '../../../main.bicep' = [ params: { name: '${namePrefix}${serviceShort}001' location: enforcedLocation - disableLocalAuth: true - backupPolicyType: 'Continuous' - disableKeyBasedMetadataWriteAccess: true - defaultConsistencyLevel: 'ConsistentPrefix' - backupPolicyContinuousTier: 'Continuous7Days' + + enableTelemetry: false + databaseAccountOfferType: 'Standard' + totalThroughputLimit: 4000 + capabilitiesToAdd: [ + 'EnableServerless' + ] + + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } locations: [ { failoverPriority: 0 @@ -58,6 +65,11 @@ module testDeployment '../../../main.bicep' = [ name: 'no-containers-specified' } ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } } } ] diff --git a/avm/res/document-db/database-account/tests/e2e/publicRestrictedAccess/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/publicRestrictedAccess/main.test.bicep index e7ec0e1c31..902a35566c 100644 --- a/avm/res/document-db/database-account/tests/e2e/publicRestrictedAccess/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/publicRestrictedAccess/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // diff --git a/avm/res/document-db/database-account/tests/e2e/sqldb/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/sqldb/main.test.bicep index fb686fd49b..0e1f223e18 100644 --- a/avm/res/document-db/database-account/tests/e2e/sqldb/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/sqldb/main.test.bicep 
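Review bot: The plain test parameters in the `@@ -41,11 +41,18 @@` hunk no longer pass `disableLocalAuth: true` or `disableKeyBasedMetadataWriteAccess: true`, so the account this test deploys takes the module defaults for key-based access. Those defaults are set in main.bicep, which this hunk does not show. If they leave local authentication enabled, the test account accepts account keys for as long as the test resources exist. I would either keep the two flags or make the omission explicit with a comment such as `// key-based auth settings intentionally left at module defaults; hardened values are exercised in the waf-aligned test`. The testDeployment module block starts above the hunk.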
@@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources @@ -40,13 +40,6 @@ module testDeployment '../../../main.bicep' = { location: enforcedLocation enableAnalyticalStorage: true name: '${namePrefix}${serviceShort}001' - locations: [ - { - failoverPriority: 0 - isZoneRedundant: false - locationName: enforcedLocation - } - ] sqlDatabases: [ { containers: [ diff --git a/avm/res/document-db/database-account/tests/e2e/role/dependencies.bicep b/avm/res/document-db/database-account/tests/e2e/sqlroles/dependencies.bicep similarity index 100% rename from avm/res/document-db/database-account/tests/e2e/role/dependencies.bicep rename to avm/res/document-db/database-account/tests/e2e/sqlroles/dependencies.bicep diff --git a/avm/res/document-db/database-account/tests/e2e/role/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/sqlroles/main.test.bicep similarity index 98% rename from avm/res/document-db/database-account/tests/e2e/role/main.test.bicep rename to avm/res/document-db/database-account/tests/e2e/sqlroles/main.test.bicep index 2227608475..986a067796 100644 --- a/avm/res/document-db/database-account/tests/e2e/role/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/sqlroles/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============== // // General resources 
diff --git a/avm/res/document-db/database-account/tests/e2e/table/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/table/main.test.bicep index c8bdb0337f..bcf549a915 100644 --- a/avm/res/document-db/database-account/tests/e2e/table/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/table/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // diff --git a/avm/res/document-db/database-account/tests/e2e/waf-aligned/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/waf-aligned/main.test.bicep index ab2ce5d564..aa2d40d347 100644 --- a/avm/res/document-db/database-account/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/res/document-db/database-account/tests/e2e/waf-aligned/main.test.bicep @@ -19,7 +19,7 @@ param namePrefix string = '#_namePrefix_#' // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts. #disable-next-line no-hardcoded-location -var enforcedLocation = 'eastus2' +var enforcedLocation = 'spaincentral' // ============ // // Dependencies // @@ -67,10 +67,15 @@ module testDeployment '../../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' location: enforcedLocation + + disableLocalAuth: true + automaticFailover: true + minimumTlsVersion: 'Tls12' disableKeyBasedMetadataWriteAccess: true - lock: { - kind: 'CanNotDelete' - name: 'myCustomLockName' + + networkRestrictions: { + networkAclBypass: 'None' + publicNetworkAccess: 'Disabled' } diagnosticSettings: [ { 
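Review bot: The waf-aligned parameters in the `@@ -67,10 +67,15 @@` hunk lose the `lock` block (`kind: 'CanNotDelete'`) in the same change that adds `disableLocalAuth: true`, `minimumTlsVersion: 'Tls12'` and `publicNetworkAccess: 'Disabled'`. The lock now appears only in the plain test, and the following `@@ -91,31 +96,12 @@` hunk also drops `tags` from both the account and the private endpoint. This test presumably serves as the reference hardened configuration, so a reader would expect delete protection and ownership tags to remain part of it. I would keep the `lock` and `tags` parameters here, or add a comment such as `// lock and tags are covered by the plain test` so the removal reads as deliberate. The testDeployment module block starts above this hunk and continues past it.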
@@ -91,31 +96,12 @@ module testDeployment '../../../main.bicep' = { } service: 'Sql' subnetResourceId: nestedDependencies.outputs.subnetResourceId - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } } ] sqlDatabases: [ { - containers: [ - { - name: 'container-001' - kind: 'Hash' - paths: [ - '/myPartitionKey1' - ] - } - ] - name: '${namePrefix}-sql-${serviceShort}-001' + name: 'no-containers-specified' } ] - tags: { - 'hidden-title': 'This is visible in the resource name' - Environment: 'Non-Prod' - Role: 'DeploymentValidation' - } } } diff --git a/avm/res/document-db/database-account/version.json b/avm/res/document-db/database-account/version.json index b8b30a0125..a830c3d961 100644 --- a/avm/res/document-db/database-account/version.json +++ b/avm/res/document-db/database-account/version.json @@ -1,7 +1,7 @@ { - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.9", - "pathFilters": [ - "./main.json" - ] + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.10", + "pathFilters": [ + "./main.json" + ] } \ No newline at end of file