sparse-intern-71089
09/20/2023, 2:11 PMmillions-journalist-34868
09/20/2023, 6:20 PMmodern-quill-17695
09/22/2023, 6:01 PM
`SqlResourceSqlRoleAssignment`, not the usual `RoleAssignment`. Here's some C# code I use in a project. This one creates a custom role inside Cosmos DB with a `SqlResourceSqlRoleDefinition` object, then assigns it to a given principal using `SqlResourceSqlRoleAssignment`. In this case it assigns it to the System Assigned Identity of an Azure Function, but you can supply your own managed identity.
// Grant the function app read/write access to the data in Cosmos DB.
// This goes through the Cosmos DB data-plane role resources (SqlResourceSqlRoleDefinition /
// SqlResourceSqlRoleAssignment), which are distinct from the usual Azure RoleAssignment.
//
// A custom role is defined here because the author could not find a way to use a built-in one.
// NOTE(review): Cosmos DB does ship a built-in data-plane role, "Cosmos DB Built-in Data
// Contributor" (definition id 00000000-0000-0000-0000-000000000002), whose data actions look
// the same as the three listed below. Confirm against the current Azure docs; if it fits,
// referencing it would avoid maintaining a custom definition.

// Both the role definition and the role assignment are addressed by a GUID; the random
// provider generates each one and the values are read back through .Result.
var roleId = new Pulumi.Random.RandomUuid(
    "my-role-id-uuid",
    new Pulumi.Random.RandomUuidArgs { });
var roleAssignmentId = new Pulumi.Random.RandomUuid(
    "my-role-assignment-id-uuid",
    new Pulumi.Random.RandomUuidArgs { });

// Data actions granted by the custom role.
// NOTE(review): the two wildcards cover every data action on containers and on items, so any
// principal holding this role can read, write and delete items. Trim the list if the function
// only needs a subset (for example read-only access).
var contributorDataActions = new[]
{
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*"
};

var cosmosDbContributorRole = new SqlResourceSqlRoleDefinition(
    "arcade-device-management-cosmos-contributor",
    new AzureNative.DocumentDB.SqlResourceSqlRoleDefinitionArgs
    {
        ResourceGroupName = ResourceGroupName,
        AccountName = cosmosDBInfra.Account.Name,
        RoleName = "my-custom-contributor",
        RoleDefinitionId = roleId.Result,
        Type = RoleDefinitionType.CustomRole,
        Permissions = new[]
        {
            new AzureNative.DocumentDB.Inputs.PermissionArgs
            {
                DataActions = contributorDataActions
            }
        },
        // The role may only be assigned at (or below) this Cosmos DB account.
        AssignableScopes = new[]
        {
            cosmosDBInfra.Account.Id
        }
    });

// Bind the custom role to the principal (here the function app's identity).
// NOTE(review): Scope is the whole account, so the grant applies to every database and
// container in it. If the function uses a single database or container, a narrower scope of
// the form "<account id>/dbs/<DATABASE_NAME>/colls/<CONTAINER_NAME>" limits the blast radius
// of a compromised function identity; verify the scope format against the Azure docs.
_ = new SqlResourceSqlRoleAssignment(
    "my-role-assignment",
    new AzureNative.DocumentDB.SqlResourceSqlRoleAssignmentArgs
    {
        ResourceGroupName = ResourceGroupName,
        AccountName = cosmosDBInfra.Account.Name,
        PrincipalId = functionPrincipalId,
        RoleDefinitionId = cosmosDbContributorRole.Id,
        RoleAssignmentId = roleAssignmentId.Result,
        Scope = cosmosDBInfra.Account.Id
    });
powerful-printer-57241
09/25/2023, 3:16 PM