Open Besdima opened 2 days ago
@Besdima, thanks for submitting this issue for the avm/res/document-db/database-account
module!
[!IMPORTANT] A member of the @Azure/avm-res-documentdb-databaseaccount-module-owners-bicep or @Azure/avm-res-documentdb-databaseaccount-module-contributors-bicep team will review it soon!
I ran it in the testing environment, and the deployment seems to ignore the publicNetworkAccess parameter and deploys the CDB with the public endpoint on.
There is probably an issue with this logic in the template:
```
'publicNetworkAccess', coalesce(tryGet(parameters('networkRestrictions'), 'publicNetworkAccess'), 'Enabled')
```
In the current Azure Cosmos DB configuration, you can only disable public network access if you declare child resources like a NoSQL, Gremlin, MongoDB, or Table database.
Here's the corresponding line: https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/document-db/database-account/main.bicep#L273
I'm testing a change to fix this in a new version so you can disable public network access even if you don't define resources.
Edit: I see what you mean now - thank you.
Check for previous/existing GitHub issues
Issue Type?
Bug
Module Name
avm/res/document-db/database-account
(Optional) Module Version
0.8.1
Description
We have a policy configured for CosmosDB accounts to disable public network access, and when we provision CosmosDB accounts with the following parameters:
It still violates the policy:
```
New-AzResourceGroupDeployment : 1:16:53 AM - Error: Code=RequestDisallowedByPolicy; Message=Resource 'xxxx' was disallowed by policy.
```
(Optional) Correlation Id
No response
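Added example, not from the issue reporter, the maintainers or the AVM module itself: a PowerShell deployment wrapper that passes networkRestrictions.publicNetworkAccess = 'Disabled' and then reads the deployed account back instead of trusting the parameter. In a subscription with the deny policy the deployment call itself fails with RequestDisallowedByPolicy (as in the error above); without the policy, the read-back is what catches an account created with public access still on, which is the behaviour reported in the testing environment. The resource group name, the wrapper template path, the account name, and the assumption that the wrapper template exposes `name` and `networkRestrictions` parameters and forwards them to the module are all placeholders.

```powershell
# Added example (hypothetical wrapper around the AVM database-account module).
# Assumed placeholders: resource group, wrapper template path, account name.
param(
    [string]$ResourceGroupName = 'rg-cosmos-test',       # assumed
    [string]$TemplateFile      = './main.bicep',          # assumed wrapper template
    [string]$AccountName       = 'cosmos-nopublic-01'     # assumed
)

# Parameters handed to the wrapper template; it is assumed to forward
# 'networkRestrictions' unchanged to the module's parameter of the same name.
$templateParams = @{
    name                = $AccountName
    networkRestrictions = @{ publicNetworkAccess = 'Disabled' }
}

# Deploy. With a deny policy in place this is where RequestDisallowedByPolicy surfaces.
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile `
    -TemplateParameterObject $templateParams `
    -ErrorAction Stop | Out-Null

# Read the effective setting back from the control plane rather than
# assuming the template honoured the parameter.
$account = Get-AzCosmosDBAccount -ResourceGroupName $ResourceGroupName -Name $AccountName
if ($account.PublicNetworkAccess -ne 'Disabled') {
    throw "Expected PublicNetworkAccess=Disabled but '$AccountName' reports '$($account.PublicNetworkAccess)'"
}
"OK: $AccountName has PublicNetworkAccess=$($account.PublicNetworkAccess)"
```

Run it once against a policy-free test subscription to reproduce the report: if the module version ignores the setting, the script throws on the read-back check even though the deployment succeeded.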