fix: SFI Fixes & scope reverted to subscription (#1513)

Azure-Samples · Nov 25, 2024 · 97ced9f · 97ced9f
1 parent 2dbb0b1
commit 97ced9f
Show file tree

Hide file tree

Showing 8 changed files with 846 additions and 394 deletions.
diff --git a/infra/app/function.bicep b/infra/app/function.bicep
@@ -42,6 +42,7 @@ module function '../core/host/functions.bicep' = {
     runtimeName: runtimeName
     runtimeVersion: runtimeVersion
     dockerFullImageName: dockerFullImageName
+    useKeyVault: useKeyVault
     appSettings: union(appSettings, {
       WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
       AZURE_AUTH_TYPE: authType

diff --git a/infra/app/web.bicep b/infra/app/web.bicep
@@ -122,16 +122,16 @@ module web '../core/host/appservice.bicep' = {
             '2023-05-01'
           ).key1
       AZURE_COSMOSDB_ACCOUNT_KEY: (useKeyVault || cosmosDBKeyName == '')
-      ? cosmosDBKeyName
-      : listKeys(
-          resourceId(
-            subscription().subscriptionId,
-            resourceGroup().name,
-            'Microsoft.DocumentDB/databaseAccounts',
-            cosmosDBKeyName
-          ),
-          '2022-08-15'
-        ).primaryMasterKey
+        ? cosmosDBKeyName
+        : listKeys(
+            resourceId(
+              subscription().subscriptionId,
+              resourceGroup().name,
+              'Microsoft.DocumentDB/databaseAccounts',
+              cosmosDBKeyName
+            ),
+            '2022-08-15'
+          ).primaryMasterKey
     })
     keyVaultName: keyVaultName
     runtimeName: runtimeName
@@ -192,6 +192,22 @@ module webaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
   }
 }
 
+resource cosmosRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2024-05-15' existing = {
+  name: '${json(appSettings.AZURE_COSMOSDB_INFO).accountName}/00000000-0000-0000-0000-000000000002'
+}
+
+module cosmosUserRole '../core/database/cosmos-sql-role-assign.bicep' = {
+  name: 'cosmos-sql-user-role-${web.name}'
+  params: {
+    accountName: json(appSettings.AZURE_COSMOSDB_INFO).accountName
+    roleDefinitionId: cosmosRoleDefinition.id
+    principalId: web.outputs.identityPrincipalId
+  }
+  dependsOn: [
+    cosmosRoleDefinition
+  ]
+}
+
 output FRONTEND_API_IDENTITY_PRINCIPAL_ID string = web.outputs.identityPrincipalId
 output FRONTEND_API_NAME string = web.outputs.name
 output FRONTEND_API_URI string = web.outputs.uri
diff --git a/infra/core/database/cosmos-sql-role-assign.bicep b/infra/core/database/cosmos-sql-role-assign.bicep
@@ -0,0 +1,19 @@
+metadata description = 'Creates a SQL role assignment under an Azure Cosmos DB account.'
+param accountName string
+
+param roleDefinitionId string
+param principalId string = ''
+
+resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
+  parent: cosmos
+  name: guid(roleDefinitionId, principalId, cosmos.id)
+  properties: {
+    principalId: principalId
+    roleDefinitionId: roleDefinitionId
+    scope: cosmos.id
+  }
+}
+
+resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = {
+  name: accountName
+}
diff --git a/infra/core/host/functions.bicep b/infra/core/host/functions.bicep
@@ -9,6 +9,7 @@ param appServicePlanId string
 param keyVaultName string = ''
 param managedIdentity bool = !empty(keyVaultName)
 param storageAccountName string
+param useKeyVault bool
 
 // Runtime Properties
 @allowed([
@@ -67,10 +68,14 @@ module functions 'appservice.bicep' = {
     appSettings: union(
       appSettings,
       {
-        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
         FUNCTIONS_EXTENSION_VERSION: extensionVersion
       },
-      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {}
+      !useDocker ? { FUNCTIONS_WORKER_RUNTIME: runtimeName } : {},
+      useKeyVault
+        ? {
+            AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
+          }
+        : { AzureWebJobsStorage__accountName: storage.name }
     )
     clientAffinityEnabled: clientAffinityEnabled
     enableOryxBuild: enableOryxBuild
@@ -90,6 +95,15 @@ module functions 'appservice.bicep' = {
   }
 }
 
+module storageBlobRoleFunction '../security/role.bicep' = {
+  name: 'storage-blob-role-function'
+  params: {
+    principalId: functions.outputs.identityPrincipalId
+    roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
   name: storageAccountName
 }

diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
@@ -11,7 +11,8 @@ param tags object = {}
 param accessTier string = 'Hot'
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
-param allowSharedKeyAccess bool = true
+param useKeyVault bool
+param allowSharedKeyAccess bool = useKeyVault
 param containers array = []
 param defaultToOAuthAuthentication bool = false
 param deleteRetentionPolicy object = {}