feat: WAF Aligned review + Tests optimization (#3890)
- Make TLS2 the minimum and only supported version
- Delete resources created in tests that are not needed for that
specific test. For example, the mongodb tests don't need to create and
test diagnostic settings. There are other tests specific to that one.
- Support account RU limits
- Allow capabilities to be used without having to create any kind of
database

This PR contains breaking changes (the TLS2 one), but we still cannot
increase the major version of the module.

Closes #3754 
Closes #3753 

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|          |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [x] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [x] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
bryansan-msft authored Dec 5, 2024
1 parent ad64aec commit a237334
Showing 31 changed files with 361 additions and 983 deletions.
841 changes: 238 additions & 603 deletions avm/res/document-db/database-account/README.md

Large diffs are not rendered by default.

@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "5396990720772518636"
"version": "0.31.92.45157",
"templateHash": "16994331830326213766"
},
"name": "DocumentDB Database Accounts Gremlin Databases Graphs",
"description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "14612267479855031826"
"version": "0.31.92.45157",
"templateHash": "6528096364275148764"
},
"name": "DocumentDB Database Account Gremlin Databases",
"description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -111,8 +111,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "5396990720772518636"
"version": "0.31.92.45157",
"templateHash": "16994331830326213766"
},
"name": "DocumentDB Database Accounts Gremlin Databases Graphs",
"description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
38 changes: 21 additions & 17 deletions avm/res/document-db/database-account/main.bicep
@@ -33,22 +33,22 @@ param locations failoverLocationsType[] = []
@description('Optional. Default to Session. The default consistency level of the Cosmos DB account.')
param defaultConsistencyLevel string = 'Session'

@description('Optional. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication.')
@description('Optional. Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication.')
param disableLocalAuth bool = true

@description('Optional. Flag to indicate whether to enable storage analytics.')
@description('Optional. Default to false. Flag to indicate whether to enable storage analytics.')
param enableAnalyticalStorage bool = false

@description('Optional. Enable automatic failover for regions.')
@description('Optional. Default to true. Enable automatic failover for regions.')
param automaticFailover bool = true

@description('Optional. Flag to indicate whether Free Tier is enabled.')
@description('Optional. Default to false. Flag to indicate whether Free Tier is enabled.')
param enableFreeTier bool = false

@description('Optional. Enables the account to write in multiple locations. Periodic backup must be used if enabled.')
@description('Optional. Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled.')
param enableMultipleWriteLocations bool = false

@description('Optional. Disable write operations on metadata resources (databases, containers, throughput) via account keys.')
@description('Optional. Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys.')
param disableKeyBasedMetadataWriteAccess bool = true

@minValue(1)
@@ -94,6 +94,9 @@ param tables array = []
@description('Optional. Enable/Disable usage telemetry for module.')
param enableTelemetry bool = true

@description('Optional. Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s).')
param totalThroughputLimit int = -1

@description('Optional. The lock settings of the service.')
param lock lockType

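Review bot: `param totalThroughputLimit int = -1` accepts any integer, but the description only says "Default to unlimited" and never states that -1 is the sentinel meaning "no limit"; suggest spelling that out in the description and adding `@minValue(-1)` above the param so that accidental values such as -100 fail at template validation rather than at deployment time.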
@@ -163,8 +166,6 @@ param networkRestrictions networkRestrictionsType = {
}

@allowed([
'Tls'
'Tls11'
'Tls12'
])
@description('Optional. Default to TLS 1.2. Enum to indicate the minimum allowed TLS version. Azure Cosmos DB for MongoDB RU and Apache Cassandra only work with TLS 1.2 or later.')
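Review bot: with `'Tls'` and `'Tls11'` removed from `@allowed`, the clause "Azure Cosmos DB for MongoDB RU and Apache Cassandra only work with TLS 1.2 or later" in the description that follows is now dead text, because `'Tls12'` is the only value the parameter can take; suggest shortening it to say that TLS 1.2 is the minimum and only supported version. Any caller currently passing `minimumTlsVersion: 'Tls11'` will fail validation after this change, which is the breaking change the commit message acknowledges and should be recorded in the module README/changelog since the major version is not being bumped.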
@@ -264,7 +265,11 @@ var databaseAccountProperties = union(
{
databaseAccountOfferType: databaseAccountOfferType
backupPolicy: backupPolicy
capabilities: capabilities
minimalTlsVersion: minimumTlsVersion
capacity: {
totalThrougputLimit: totalThroughputLimit
}
},
((!empty(sqlDatabases) || !empty(mongodbDatabases) || !empty(gremlinDatabases) || !empty(tables))
? {
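Review bot: the new `capacity` object uses the key `totalThrougputLimit`, which is misspelled (the `h` in `Throughput` is missing); the `Microsoft.DocumentDB/databaseAccounts` resource expects `capacity.totalThroughputLimit`, so as written the RU limit taken from `param totalThroughputLimit` will not be honoured by the resource provider. Suggest `totalThroughputLimit: totalThroughputLimit` and then rerunning `Set-AVMModule`, because the compiled `databaseAccountProperties` expression in main.json carries the same misspelled key and should be regenerated rather than hand-edited. Moving `capabilities: capabilities` into the unconditional block is fine and matches the "allow capabilities without creating a database" item in the commit message.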
@@ -275,11 +280,10 @@ var databaseAccountProperties = union(

ipRules: ipRules
virtualNetworkRules: virtualNetworkRules
networkAclBypass: networkRestrictions.?networkAclBypass ?? 'AzureServices'
publicNetworkAccess: networkRestrictions.?publicNetworkAccess ?? 'Enabled'
networkAclBypass: networkRestrictions.?networkAclBypass ?? 'None'
publicNetworkAccess: networkRestrictions.?publicNetworkAccess ?? 'Disabled'
isVirtualNetworkFilterEnabled: !empty(ipRules) || !empty(virtualNetworkRules)

capabilities: capabilities
enableFreeTier: enableFreeTier
enableAutomaticFailover: automaticFailover
enableAnalyticalStorage: enableAnalyticalStorage
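Review bot: changing the fallbacks to `networkAclBypass ?? 'None'` and `publicNetworkAccess ?? 'Disabled'` is the right deny-by-default posture, but it silently changes behaviour for every existing caller that omits `networkRestrictions`: on redeployment those accounts get public network access disabled and, unless they also configure a private endpoint or IP/VNet rules, become unreachable. That is a second breaking change beyond the TLS one named in the commit message; suggest documenting it next to the TLS change in the README and adding a test case with no `networkRestrictions` and no private endpoint so the resulting account state is visible in CI.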
@@ -964,18 +968,18 @@ type secretsOutputType = {
}

type networkRestrictionsType = {
@description('Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".')
ipRules: string[]
@description('Optional. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".')
ipRules: string[]?

@description('Optional. Default to AzureServices. Specifies the network ACL bypass for Azure services.')
@description('Optional. Default to None. Specifies the network ACL bypass for Azure services.')
networkAclBypass: ('AzureServices' | 'None')?

@description('Optional. Default to Enabled. Whether requests from Public Network are allowed.')
@description('Optional. Default to Disabled. Whether requests from Public Network are allowed.')
publicNetworkAccess: ('Enabled' | 'Disabled')?

@description('Required. List of Virtual Network ACL rules configured for the Cosmos DB account..')
@description('Optional. List of Virtual Network ACL rules configured for the Cosmos DB account..')
virtualNetworkRules: {
@description('Required. Resource ID of a subnet.')
subnetResourceId: string
}[]
}[]?
}
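Review bot: making `ipRules` and `virtualNetworkRules` optional is consistent with the new deny-by-default fallbacks, but the changed `virtualNetworkRules` description still ends with a doubled period ("...Cosmos DB account..") and could be fixed while the line is being touched. Also please confirm that the `ipRules` and `virtualNetworkRules` variables consumed by `isVirtualNetworkFilterEnabled: !empty(ipRules) || !empty(virtualNetworkRules)` coalesce an omitted field to `[]`, since both type members are now nullable and the consuming expression is not shown in this diff.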
35 changes: 21 additions & 14 deletions avm/res/document-db/database-account/main.json
@@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.31.92.45157",
"templateHash": "15087724607037385937"
"templateHash": "10855021340496431236"
},
"name": "DocumentDB Database Accounts",
"description": "This module deploys a DocumentDB Database Account.",
@@ -790,8 +790,9 @@
"items": {
"type": "string"
},
"nullable": true,
"metadata": {
"description": "Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"."
"description": "Optional. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"."
}
},
"networkAclBypass": {
@@ -802,7 +803,7 @@
],
"nullable": true,
"metadata": {
"description": "Optional. Default to AzureServices. Specifies the network ACL bypass for Azure services."
"description": "Optional. Default to None. Specifies the network ACL bypass for Azure services."
}
},
"publicNetworkAccess": {
@@ -813,7 +814,7 @@
],
"nullable": true,
"metadata": {
"description": "Optional. Default to Enabled. Whether requests from Public Network are allowed."
"description": "Optional. Default to Disabled. Whether requests from Public Network are allowed."
}
},
"virtualNetworkRules": {
@@ -829,8 +830,9 @@
}
}
},
"nullable": true,
"metadata": {
"description": "Required. List of Virtual Network ACL rules configured for the Cosmos DB account.."
"description": "Optional. List of Virtual Network ACL rules configured for the Cosmos DB account.."
}
}
}
@@ -923,42 +925,42 @@
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Optional. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication."
"description": "Optional. Default to true. Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication."
}
},
"enableAnalyticalStorage": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Flag to indicate whether to enable storage analytics."
"description": "Optional. Default to false. Flag to indicate whether to enable storage analytics."
}
},
"automaticFailover": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Optional. Enable automatic failover for regions."
"description": "Optional. Default to true. Enable automatic failover for regions."
}
},
"enableFreeTier": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Flag to indicate whether Free Tier is enabled."
"description": "Optional. Default to false. Flag to indicate whether Free Tier is enabled."
}
},
"enableMultipleWriteLocations": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Enables the account to write in multiple locations. Periodic backup must be used if enabled."
"description": "Optional. Default to false. Enables the account to write in multiple locations. Periodic backup must be used if enabled."
}
},
"disableKeyBasedMetadataWriteAccess": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Optional. Disable write operations on metadata resources (databases, containers, throughput) via account keys."
"description": "Optional. Default to true. Disable write operations on metadata resources (databases, containers, throughput) via account keys."
}
},
"maxStalenessPrefix": {
@@ -1046,6 +1048,13 @@
"description": "Optional. Enable/Disable usage telemetry for module."
}
},
"totalThroughputLimit": {
"type": "int",
"defaultValue": -1,
"metadata": {
"description": "Optional. Default to unlimited. The total throughput limit imposed on this Cosmos DB account (RU/s)."
}
},
"lock": {
"$ref": "#/definitions/lockType",
"metadata": {
@@ -1165,8 +1174,6 @@
"type": "string",
"defaultValue": "Tls12",
"allowedValues": [
"Tls",
"Tls11",
"Tls12"
],
"metadata": {
@@ -1243,7 +1250,7 @@
],
"kind": "[if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('gremlinDatabases')))), 'GlobalDocumentDB', if(not(empty(parameters('mongodbDatabases'))), 'MongoDB', 'GlobalDocumentDB'))]",
"backupPolicy": "[if(equals(parameters('backupPolicyType'), 'Continuous'), createObject('type', parameters('backupPolicyType'), 'continuousModeProperties', createObject('tier', parameters('backupPolicyContinuousTier'))), createObject('type', parameters('backupPolicyType'), 'periodicModeProperties', createObject('backupIntervalInMinutes', parameters('backupIntervalInMinutes'), 'backupRetentionIntervalInHours', parameters('backupRetentionIntervalInHours'), 'backupStorageRedundancy', parameters('backupStorageRedundancy'))))]",
"databaseAccountProperties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType'), 'backupPolicy', variables('backupPolicy'), 'minimalTlsVersion', parameters('minimumTlsVersion')), if(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'locations', if(empty(variables('databaseAccount_locations')), variables('defaultFailoverLocation'), variables('databaseAccount_locations')), 'ipRules', variables('ipRules'), 'virtualNetworkRules', variables('virtualNetworkRules'), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'AzureServices'), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Enabled'), 'isVirtualNetworkFilterEnabled', or(not(empty(variables('ipRules'))), not(empty(variables('virtualNetworkRules')))), 'capabilities', variables('capabilities'), 'enableFreeTier', parameters('enableFreeTier'), 'enableAutomaticFailover', parameters('automaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), createObject()), if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('tables')))), createObject('disableLocalAuth', parameters('disableLocalAuth'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]",
"databaseAccountProperties": "[union(createObject('databaseAccountOfferType', parameters('databaseAccountOfferType'), 'backupPolicy', variables('backupPolicy'), 'capabilities', variables('capabilities'), 'minimalTlsVersion', parameters('minimumTlsVersion'), 'capacity', createObject('totalThrougputLimit', parameters('totalThroughputLimit'))), if(or(or(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('mongodbDatabases')))), not(empty(parameters('gremlinDatabases')))), not(empty(parameters('tables')))), createObject('consistencyPolicy', variables('consistencyPolicy')[parameters('defaultConsistencyLevel')], 'enableMultipleWriteLocations', parameters('enableMultipleWriteLocations'), 'locations', if(empty(variables('databaseAccount_locations')), variables('defaultFailoverLocation'), variables('databaseAccount_locations')), 'ipRules', variables('ipRules'), 'virtualNetworkRules', variables('virtualNetworkRules'), 'networkAclBypass', coalesce(tryGet(parameters('networkRestrictions'), 'networkAclBypass'), 'None'), 'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Disabled'), 'isVirtualNetworkFilterEnabled', or(not(empty(variables('ipRules'))), not(empty(variables('virtualNetworkRules')))), 'enableFreeTier', parameters('enableFreeTier'), 'enableAutomaticFailover', parameters('automaticFailover'), 'enableAnalyticalStorage', parameters('enableAnalyticalStorage')), createObject()), if(or(not(empty(parameters('sqlDatabases'))), not(empty(parameters('tables')))), createObject('disableLocalAuth', parameters('disableLocalAuth'), 'disableKeyBasedMetadataWriteAccess', parameters('disableKeyBasedMetadataWriteAccess')), createObject()), if(not(empty(parameters('mongodbDatabases'))), createObject('apiProperties', createObject('serverVersion', parameters('serverVersion'))), createObject()))]",
"builtInRoleNames": {
"Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"Cosmos DB Account Reader Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
@@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "1358778299011674509"
"version": "0.31.92.45157",
"templateHash": "9799909568020880663"
},
"name": "DocumentDB Database Account MongoDB Database Collections",
"description": "This module deploys a MongoDB Database Collection.",
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "1169635175830874795"
"version": "0.31.92.45157",
"templateHash": "18295016247574474595"
},
"name": "DocumentDB Database Account MongoDB Databases",
"description": "This module deploys a MongoDB Database within a CosmosDB Account.",
@@ -108,8 +108,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "1358778299011674509"
"version": "0.31.92.45157",
"templateHash": "9799909568020880663"
},
"name": "DocumentDB Database Account MongoDB Database Collections",
"description": "This module deploys a MongoDB Database Collection.",
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "165408036680070575"
"version": "0.31.92.45157",
"templateHash": "1471754747460263407"
},
"name": "DocumentDB Database Account SQL Database Containers",
"description": "This module deploys a SQL Database Container in a CosmosDB Account.",
8 changes: 4 additions & 4 deletions avm/res/document-db/database-account/sql-database/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "10274585444287252550"
"version": "0.31.92.45157",
"templateHash": "14039021912249335209"
},
"name": "DocumentDB Database Account SQL Databases",
"description": "This module deploys a SQL Database in a CosmosDB Account.",
@@ -138,8 +138,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "165408036680070575"
"version": "0.31.92.45157",
"templateHash": "1471754747460263407"
},
"name": "DocumentDB Database Account SQL Database Containers",
"description": "This module deploys a SQL Database Container in a CosmosDB Account.",

0 comments on commit a237334
