1. Managing Permissions in Cosmos DB with Azure RBAC


    To manage permissions in Azure Cosmos DB using Role-Based Access Control (RBAC), you need to set up Azure AD identities (such as users, groups, or service principals) and assign them appropriate roles that grant permissions to perform various actions on Cosmos DB resources.

    In Pulumi, you can manage Cosmos DB RBAC by creating Azure AD role assignments for the Cosmos DB account. You will need to use the azure-native.authorization.RoleAssignment resource, which assigns a role to a specific principal (user, group, service principal, or managed identity).

    Below is a Pulumi program written in Python that demonstrates how to create a new Azure Cosmos DB account, database, and container, and assign an Azure RBAC role to a principal. This program uses the pulumi_azure_native package, which is the direct mapping of Azure Resource Manager to Pulumi, offering complete access to the Azure API surface.

    First, you will need to specify the role definition ID for the role you wish to assign and the principal ID of the user, group, or service principal to whom you wish to assign the role. Ensure you have these values before running the program.

```python
import pulumi
from pulumi_azure_native import documentdb as cosmos_db
from pulumi_azure_native import authorization as azure_auth
from pulumi_azure_native import resources

# Create a resource group for the Cosmos DB account
resource_group = resources.ResourceGroup('my-resource-group')

# Create a new Azure Cosmos DB account
cosmosdb_account = cosmos_db.DatabaseAccount('my-cosmosdb-account',
    resource_group_name=resource_group.name,
    database_account_offer_type=cosmos_db.DatabaseAccountOfferType.STANDARD,
    locations=[cosmos_db.LocationArgs(
        location_name='West US',
        failover_priority=0,
        is_zone_redundant=False,
    )])

# Create a new Azure Cosmos DB SQL database within the account
cosmosdb_sql_database = cosmos_db.SqlResourceSqlDatabase('my-sql-database',
    account_name=cosmosdb_account.name,
    resource_group_name=resource_group.name,
    resource=cosmos_db.SqlDatabaseResourceArgs(
        id='my-sql-database',
    ),
    options=cosmos_db.CreateUpdateOptionsArgs())

# Create a new Azure Cosmos DB SQL container within the SQL database
cosmosdb_sql_container = cosmos_db.SqlResourceSqlContainer('my-sql-container',
    account_name=cosmosdb_account.name,
    database_name=cosmosdb_sql_database.name,
    resource_group_name=resource_group.name,
    resource=cosmos_db.SqlContainerResourceArgs(
        id='my-sql-container',
        partition_key=cosmos_db.ContainerPartitionKeyArgs(
            paths=['/myPartitionKey'],
            kind='Hash',
        ),
    ),
    options=cosmos_db.CreateUpdateOptionsArgs())

# Example role assignment, using a built-in Reader role (replace role_definition_id
# and principal_id with actual values). A Microsoft.Authorization role assignment
# governs control-plane (ARM) operations on the account; data-plane access to
# documents is granted separately through Cosmos DB SQL role assignments
# (cosmos_db.SqlResourceSqlRoleAssignment).
role_assignment = azure_auth.RoleAssignment('my-role-assignment',
    scope=cosmosdb_account.id,  # Assigning at the account level
    # role_assignment_name is omitted: the provider generates the required GUID name
    role_definition_id='/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}',  # Replace with actual role definition ID
    principal_id='{principalId}')  # Replace with actual principal ID

# Export the account's endpoint and primary key. DatabaseAccount does not expose
# the keys as outputs; they are fetched with list_database_account_keys_output.
account_keys = cosmos_db.list_database_account_keys_output(
    account_name=cosmosdb_account.name,
    resource_group_name=resource_group.name)
primary_key = pulumi.Output.secret(account_keys.primary_master_key)
pulumi.export('account_endpoint', cosmosdb_account.document_endpoint)
pulumi.export('primary_master_key', primary_key)
```

    In this program, we start by creating a new resource group, then a Cosmos DB account, SQL database, and SQL container. After that, we create a role assignment using the azure_auth.RoleAssignment resource, which binds a specific role to a principal (e.g., user or service principal) at a designated scope; the scope can be a subscription, a resource group, or a specific resource. In this example the scope is the Cosmos DB account we created.

    Replace the placeholders {subscriptionId}, {roleDefinitionId}, and {principalId} in the role_definition_id and principal_id properties with the actual subscription ID, role definition ID of the role you wish to assign, and the principal ID of the user/group/service principal respectively.
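    A check worth running before deploying an assignment like the one above, as an added example that is not part of the original page or of Pulumi: the Microsoft.Authorization role assignment governs control-plane operations, while reading or writing items requires a Cosmos DB SQL role assignment (documentdb.SqlResourceSqlRoleAssignment) scoped to the account, a database, or a container. The block below is a plain-Python model of that data-plane check, using a constructed account ID and principal ID, so a reviewer can see what a planned assignment does and does not permit.

```python
# Added example (not Azure's or the page's code): offline model of Cosmos DB SQL
# (data-plane) role assignment semantics for a least-privilege review.
from dataclasses import dataclass

ACCOUNT = ("/subscriptions/{subscriptionId}/resourceGroups/my-resource-group"
           "/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmosdb-account")
ITEMS = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items"
# Data actions of the built-in "Cosmos DB Built-in Data Reader" SQL role
# (role definition id 00000000-0000-0000-0000-000000000001).
DATA_READER_ACTIONS = (
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    ITEMS + "/read",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed",
)

@dataclass(frozen=True)
class SqlRoleAssignment:
    principal_id: str
    data_actions: tuple  # dataActions of the assigned SQL role definition
    scope: str           # account id, optionally + /dbs/<db>[/colls/<container>]

def scope_covers(assigned: str, target: str) -> bool:
    """A scope covers itself and every narrower path beneath it."""
    return target == assigned or target.startswith(assigned.rstrip("/") + "/")

def action_matches(pattern: str, action: str) -> bool:
    """Cosmos DB data actions allow a trailing '*', e.g. '.../containers/*'."""
    if pattern.endswith("/*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def is_permitted(assignments, principal_id: str, action: str, target: str) -> bool:
    """True if any assignment for the principal grants `action` on `target`."""
    return any(a.principal_id == principal_id
               and scope_covers(a.scope, target)
               and any(action_matches(p, action) for p in a.data_actions)
               for a in assignments)

def review_example() -> dict:
    """Constructed scenario: one app principal, Data Reader on a single database."""
    app = "11111111-2222-3333-4444-555555555555"  # constructed principal id
    plan = [SqlRoleAssignment(app, DATA_READER_ACTIONS, ACCOUNT + "/dbs/my-sql-database")]
    container = ACCOUNT + "/dbs/my-sql-database/colls/my-sql-container"
    return {
        "read_item": is_permitted(plan, app, ITEMS + "/read", container),
        "create_item": is_permitted(plan, app, ITEMS + "/create", container),
        "read_other_db": is_permitted(plan, app, ITEMS + "/read", ACCOUNT + "/dbs/hr"),
    }
```

The scenario shows a Data Reader assignment scoped to one database permitting item reads in that database's container but neither writes there nor reads in another database.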

    Please make sure you have the necessary permissions to assign roles and that the principal you're assigning the role to exists within Azure Active Directory.

    You can also manage role definitions (custom roles) using Pulumi if the built-in roles do not fit your specific requirements, but that is a more advanced topic and beyond the scope of this introduction.

    To run this Pulumi program, save it to a file (e.g., cosmosdb_rbac.py), ensure you have the pulumi_azure_native package installed, and use the Pulumi CLI (pulumi up) to deploy the stack. The Pulumi CLI will prompt you for required configuration settings and authenticate against Azure to carry out the resource deployments.