feat: Update DocumentDB to secrets export spec (#2907)

## Description

- Updated current secrets export interface to spec as per
[ref](#1934 (comment))
- Updated to latest RBAC schema (cc: @krbar)
- Addressed warnings

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.document-db.database-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.database-account.yml/badge.svg?branch=users%2Falsehr%2FemittedSecretsTest&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.database-account.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same
update/change
- [ ] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

avm/res/document-db/database-account/gremlin-database/graph/main.json

@@ -5,8 +5,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "3987394297554402770"
+ "version": "0.29.47.4906",
+ "templateHash": "9917502444704809829"
  },
  "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
  "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",

avm/res/document-db/database-account/gremlin-database/main.bicep

@@ -54,7 +54,7 @@ module gremlinDatabase_gremlinGraphs 'graph/main.bicep' = [
  name: graph.name
  gremlinDatabaseName: name
  databaseAccountName: databaseAccountName
- indexingPolicy: contains(graph, 'indexingPolicy') ? graph.indexingPolicy : true
+ indexingPolicy: graph.?indexingPolicy
  partitionKeyPaths: !empty(graph.partitionKeyPaths) ? graph.partitionKeyPaths : []
  }
  }

avm/res/document-db/database-account/gremlin-database/main.json

@@ -5,8 +5,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "6889435067791947905"
+ "version": "0.29.47.4906",
+ "templateHash": "7926803681315745584"
  },
  "name": "DocumentDB Database Account Gremlin Databases",
  "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -99,7 +99,9 @@
  "databaseAccountName": {
  "value": "[parameters('databaseAccountName')]"
  },
- "indexingPolicy": "[if(contains(parameters('graphs')[copyIndex()], 'indexingPolicy'), createObject('value', parameters('graphs')[copyIndex()].indexingPolicy), createObject('value', true()))]",
+ "indexingPolicy": {
+ "value": "[tryGet(parameters('graphs')[copyIndex()], 'indexingPolicy')]"
+ },
  "partitionKeyPaths": "[if(not(empty(parameters('graphs')[copyIndex()].partitionKeyPaths)), createObject('value', parameters('graphs')[copyIndex()].partitionKeyPaths), createObject('value', createArray()))]"
  },
  "template": {
@@ -109,8 +111,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "3987394297554402770"
+ "version": "0.29.47.4906",
+ "templateHash": "9917502444704809829"
  },
  "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
  "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",

avm/res/document-db/database-account/modules/keyVaultExport.bicep

@@ -0,0 +1,50 @@
+@description('Required. The name of the Key Vault to set the ecrets in.')
+param keyVaultName string
+
+@description('Required. The secrets to set in the Key Vault.')
+param secretsToSet secretToSetType[]
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+ name: keyVaultName
+}
+
+resource secrets 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = [
+ for secret in secretsToSet: {
+ name: secret.name
+ parent: keyVault
+ properties: {
+ value: secret.value
+ }
+ }
+]
+
+@description('The references to the secrets exported to the provided Key Vault.')
+output secretsSet secretSetType[] = [
+ #disable-next-line outputs-should-not-contain-secrets // Only returning the references, not a secret value
+ for index in range(0, length(secretsToSet ?? [])): {
+ secretResourceId: secrets[index].id
+ secretUri: secrets[index].properties.secretUri
+ }
+]
+
+// =============== //
+// Definitions //
+// =============== //
+
+@export()
+type secretSetType = {
+ @description('The resourceId of the exported secret.')
+ secretResourceId: string
+
+ @description('The secret URI of the exported secret.')
+ secretUri: string
+}
+
+type secretToSetType = {
+ @description('Required. The name of the secret to set.')
+ name: string
+
+ @description('Required. The value of the secret to set.')
+ @secure()
+ value: string
+}

avm/res/document-db/database-account/mongodb-database/collection/main.json

@@ -4,8 +4,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "6235322895830297683"
+ "version": "0.29.47.4906",
+ "templateHash": "2005645426653376123"
  },
  "name": "DocumentDB Database Account MongoDB Database Collections",
  "description": "This module deploys a MongoDB Database Collection.",

avm/res/document-db/database-account/mongodb-database/main.json

@@ -5,8 +5,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "1527748615955553712"
+ "version": "0.29.47.4906",
+ "templateHash": "5589296472144391886"
  },
  "name": "DocumentDB Database Account MongoDB Databases",
  "description": "This module deploys a MongoDB Database within a CosmosDB Account.",
@@ -108,8 +108,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "6235322895830297683"
+ "version": "0.29.47.4906",
+ "templateHash": "2005645426653376123"
  },
  "name": "DocumentDB Database Account MongoDB Database Collections",
  "description": "This module deploys a MongoDB Database Collection.",

avm/res/document-db/database-account/sql-database/container/main.json

@@ -5,8 +5,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "3824205620211058652"
+ "version": "0.29.47.4906",
+ "templateHash": "15811275148784494613"
  },
  "name": "DocumentDB Database Account SQL Database Containers",
  "description": "This module deploys a SQL Database Container in a CosmosDB Account.",

avm/res/document-db/database-account/sql-database/main.json

@@ -5,8 +5,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "8319829662998768775"
+ "version": "0.29.47.4906",
+ "templateHash": "17028659150619761460"
  },
  "name": "DocumentDB Database Account SQL Databases",
  "description": "This module deploys a SQL Database in a CosmosDB Account.",
@@ -138,8 +138,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "3824205620211058652"
+ "version": "0.29.47.4906",
+ "templateHash": "15811275148784494613"
  },
  "name": "DocumentDB Database Account SQL Database Containers",
  "description": "This module deploys a SQL Database Container in a CosmosDB Account.",

avm/res/document-db/database-account/sql-role/main.json

@@ -4,8 +4,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "6438933554145929110"
+ "version": "0.29.47.4906",
+ "templateHash": "8574173933379504173"
  },
  "name": "DocumentDB Database Account SQL Role.",
  "description": "This module deploys SQL Role Definision and Assignment in a CosmosDB Account.",
@@ -91,8 +91,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "5774063578247320117"
+ "version": "0.29.47.4906",
+ "templateHash": "13173648139881140212"
  },
  "name": "DocumentDB Database Account SQL Role Definitions.",
  "description": "This module deploys a SQL Role Definision in a CosmosDB Account.",
@@ -212,8 +212,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "4968352550056104037"
+ "version": "0.29.47.4906",
+ "templateHash": "16344872287220693060"
  },
  "name": "DocumentDB Database Account SQL Role Assignments.",
  "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.",

avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json

@@ -4,8 +4,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "12924779272926798782"
+ "version": "0.29.47.4906",
+ "templateHash": "16344872287220693060"
  },
  "name": "DocumentDB Database Account SQL Role Assignments.",
  "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.",

avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json

@@ -4,8 +4,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.28.1.47646",
- "templateHash": "5774063578247320117"
+ "version": "0.29.47.4906",
+ "templateHash": "13173648139881140212"
  },
  "name": "DocumentDB Database Account SQL Role Definitions.",
  "description": "This module deploys a SQL Role Definision in a CosmosDB Account.",

avm/res/document-db/database-account/tests/e2e/gremlindb/main.test.bicep

@@ -153,6 +153,7 @@ module testDeployment '../../../main.bicep' = [
  principalType: 'ServicePrincipal'
  }
  {
+ name: guid('Custom seed ${namePrefix}${serviceShort}')
  roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  principalId: nestedDependencies.outputs.managedIdentityPrincipalId
  principalType: 'ServicePrincipal'
@@ -175,9 +176,5 @@ module testDeployment '../../../main.bicep' = [
  Role: 'DeploymentValidation'
  }
  }
- dependsOn: [
- nestedDependencies
- diagnosticDependencies
- ]
  }
 ]

avm/res/document-db/database-account/tests/e2e/kvSecrets/dependencies.bicep

@@ -17,5 +17,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  }
 }
 
-@description('The name of the Key Vault created.')
-output keyVaultName string = keyVaultName
+@description('The resource Id of the Key Vault created.')
+output keyVaultResourceId string = keyVault.id

avm/res/document-db/database-account/tests/e2e/kvSecrets/main.test.bicep

@@ -48,9 +48,24 @@ module testDeployment '../../../main.bicep' = {
  params: {
  location: enforcedLocation
  name: '${namePrefix}-kv-ref'
- secretsKeyVault: {
- keyVaultName: nestedDependencies.outputs.keyVaultName
- primaryReadonlyConnectionStringSecretName: 'custom-secret-name'
+ secretsExportConfiguration: {
+ keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+ primaryReadOnlyKeySecretName: 'primaryReadOnlyKey'
+ primaryWriteKeySecretName: 'primaryWriteKey'
+ primaryReadonlyConnectionStringSecretName: 'primaryReadonlyConnectionString'
+ primaryWriteConnectionStringSecretName: 'primaryWriteConnectionString'
+ secondaryReadonlyConnectionStringSecretName: 'secondaryReadonlyConnectionString'
+ secondaryReadonlyKeySecretName: 'secondaryReadonlyKey'
+ secondaryWriteConnectionStringSecretName: 'secondaryWriteConnectionString'
+ secondaryWriteKeySecretName: 'secondaryWriteKey'
  }
  }
 }
+
+// Output usage examples
+output specificSecret string = testDeployment.outputs.exportedSecrets.primaryReadOnlyKey.secretResourceId
+output allEportedSecrets object = testDeployment.outputs.exportedSecrets
+output allExportedSecretResourceIds array = map(
+ items(testDeployment.outputs.exportedSecrets),
+ item => item.value.secretResourceId
+)

avm/res/document-db/database-account/tests/e2e/managedIdentity/main.test.bicep

@@ -65,6 +65,7 @@ module testDeployment '../../../main.bicep' = {
  principalType: 'ServicePrincipal'
  }
  {
+ name: guid('Custom seed ${namePrefix}${serviceShort}')
  roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  principalId: nestedDependencies.outputs.managedIdentityPrincipalId
  principalType: 'ServicePrincipal'
@@ -79,7 +80,4 @@ module testDeployment '../../../main.bicep' = {
  }
  ]
  }
- dependsOn: [
- nestedDependencies
- ]
 }

avm/res/document-db/database-account/tests/e2e/mongodb/main.test.bicep

@@ -287,6 +287,7 @@ module testDeployment '../../../main.bicep' = [
  principalType: 'ServicePrincipal'
  }
  {
+ name: guid('Custom seed ${namePrefix}${serviceShort}')
  roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  principalId: nestedDependencies.outputs.managedIdentityPrincipalId
  principalType: 'ServicePrincipal'
@@ -309,9 +310,5 @@ module testDeployment '../../../main.bicep' = [
  Role: 'DeploymentValidation'
  }
  }
- dependsOn: [
- nestedDependencies
- diagnosticDependencies
- ]
  }
 ]

avm/res/document-db/database-account/tests/e2e/publicRestrictedAccess/main.test.bicep

@@ -9,11 +9,9 @@ metadata description = 'This instance deploys the module with public network acc
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
 param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
 param serviceShort string = 'dddapres'
 
 @description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
@@ -70,7 +68,4 @@ module testDeployment '../../../main.bicep' = {
  }
  ]
  }
- dependsOn: [
- nestedDependencies
- ]
 }

avm/res/document-db/database-account/tests/e2e/waf-aligned/main.test.bicep

@@ -9,11 +9,9 @@ metadata description = 'This instance deploys the module in alignment with the b
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
 param resourceGroupName string = 'dep-${namePrefix}-documentdb.databaseaccounts-${serviceShort}-rg'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
 param serviceShort string = 'dddawaf'
 
 @description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
@@ -84,9 +82,13 @@ module testDeployment '../../../main.bicep' = {
  ]
  privateEndpoints: [
  {
- privateDnsZoneResourceIds: [
- nestedDependencies.outputs.privateDNSZoneResourceId
- ]
+ privateDnsZoneGroup: {
+ privateDnsZoneGroupConfigs: [
+ {
+ privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId
+ }
+ ]
+ }
  service: 'Sql'
  subnetResourceId: nestedDependencies.outputs.subnetResourceId
  tags: {
@@ -116,8 +118,4 @@ module testDeployment '../../../main.bicep' = {
  Role: 'DeploymentValidation'
  }
  }
- dependsOn: [
- nestedDependencies
- diagnosticDependencies
- ]
 }