Bicep Module Documentation
← Back to Overview
Module cosmos-db-account
cosmosdbAccount
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| kind | 'GlobalDocumentDB' 'MongoDB' 'Parse' |
Indicates the type of database account. This can only be set at database account creation. (default: GlobalDocumentDB) |
| identity | identity | |
| analyticalStorageConfiguration | analyticalStorageConfiguration | Analytical storage specific properties. |
| apiProperties | apiProperties | API specific properties. Currently, supported only for MongoDB API. |
| backupPolicy | cosmosdbBackupPolicy | The object representing the policy for taking backups on an account. |
| capabilities | capabilities[] | List of Cosmos DB capabilities for the account |
| capacity | capacity | The object that represents all properties related to capacity enforcement on an account. |
| connectorOffer | 'Small' | The cassandra connector offer type for the Cosmos DB database C* account. |
| consistencyPolicy | consistencyPolicy | The consistency policy for the Cosmos DB account. |
| cors | cors[] | The CORS policy for the Cosmos DB database account. |
| createMode | 'Default' 'Restore' |
Enum to indicate the mode of account creation. (default: Default) |
| defaultIdentity | string | The default identity for accessing key vault used in features like customer managed keys. The default identity needs to be explicitly set by the users. It can be FirstPartyIdentity, SystemAssignedIdentity and more. (default: FirstPartyIdentity) |
| disableKeyBasedMetadataWriteAccess | bool | Disable write operations on metadata resources (databases, containers, throughput) via account keys |
| disableLocalAuth | bool | Opt-out of local authentication and ensure only MSI and AAD can be used exclusively for authentication. |
| enableAnalyticalStorage | bool | Flag to indicate whether to enable storage analytics. |
| enableAutomaticFailover | bool | Enables automatic failover of the write region in the rare event that the region is unavailable due to an outage. Automatic failover will result in a new write region for the account and is chosen based on the failover priorities configured for the account. |
| enableBurstCapacity | bool | Flag to indicate enabling/disabling of Burst Capacity Preview feature on the account |
| enableCassandraConnector | bool | Enables the cassandra connector on the Cosmos DB C* account |
| enableFreeTier | bool | Flag to indicate whether Free Tier is enabled. |
| enableMultipleWriteLocations | bool | Enables the account to write in multiple locations |
| enablePartitionMerge | bool | Flag to indicate enabling/disabling of Partition Merge feature on the account |
| ipRules | ipRules[] | List of IpRules. |
| isVirtualNetworkFilterEnabled | bool | Flag to indicate whether to enable/disable Virtual Network ACL rules. |
| keyVaultKeyUri | string | The URI of the key vault |
| locations (required) | locations[] | An array that contains the georeplication locations enabled for the Cosmos DB account. |
| minimalTlsVersion | 'Tls' 'Tls11' 'Tls12' |
Indicates the minimum allowed Tls version. The default value is Tls 1.2. Cassandra and Mongo APIs only work with Tls 1.2. |
| networkAclBypass | 'AzureServices' 'None' |
Indicates what services are allowed to bypass firewall checks. (default: None) |
| networkAclBypassResourceIds | string[] | An array that contains the Resource Ids for Network Acl Bypass for the Cosmos DB account. |
| publicNetworkAccess | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
Whether requests from Public Network are allowed (default: Enabled) |
| virtualNetworkRules | virtualNetworkRules[] | List of Virtual Network ACL rules configured for the Cosmos DB account. |
| privateLink | privateLink | Settings for the Private Endpoint and Private Link for this resource |
| sqlDatabases | sqlDatabase[] | CosmosDB SQL Databases in the account |
| sqlRoleAssignments | sqlRoleAssignments[] | SQL role assignments |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
analyticalStorageConfiguration
| Property | Value | Description |
|---|---|---|
| schemaType (required) | 'FullFidelity' 'WellDefined' |
Describes the types of schema for analytical storage. |
apiProperties
| Property | Value | Description |
|---|---|---|
| serverVersion (required) | '3.2' '3.6' '4.0' '4.2' '5.0' '6.0' |
Describes the ServerVersion of an a MongoDB account. |
capabilities
| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the Cosmos DB capability. For example, "name": "EnableCassandra". Current values also include "EnableTable" and "EnableGremlin". |
capacity
| Property | Value | Description |
|---|---|---|
| totalThroughputLimit (required) | int | The total throughput limit imposed on the account. A totalThroughputLimit of 2000 imposes a strict limit of max throughput that can be provisioned on that account to be 2000. A totalThroughputLimit of -1 indicates no limits on provisioning of throughput. |
consistencyPolicy
| Property | Value | Description |
|---|---|---|
| defaultConsistencyLevel (required) | 'BoundedStaleness' 'ConsistentPrefix' 'Eventual' 'Session' 'Strong' |
The default consistency level and configuration settings of the Cosmos DB account. (default: session) |
| maxIntervalInSeconds | int | When used with the Bounded Staleness consistency level, this value represents the time amount of staleness (in seconds) tolerated. Accepted range for this value is 5 - 86400. Required when defaultConsistencyPolicy is set to BoundedStaleness. |
| maxStalenessPrefix | int | When used with the Bounded Staleness consistency level, this value represents the number of stale requests tolerated. Accepted range for this value is 1 – 2,147,483,647. Required when defaultConsistencyPolicy is set to BoundedStaleness. |
cors
| Property | Value | Description |
|---|---|---|
| allowedHeaders | string | The request headers that the origin domain may specify on the CORS request. |
| allowedMethods | string | The methods (HTTP request verbs) that the origin domain may use for a CORS request. |
| allowedOrigins (required) | string | The origin domains that are permitted to make a request against the service via CORS. |
| exposedHeaders | string | The response headers that may be sent in the response to the CORS request and exposed by the browser to the request issuer. |
| maxAgeInSeconds | int | The maximum amount time that a browser should cache the preflight OPTIONS request. |
ipRules
| Property | Value | Description |
|---|---|---|
| ipAddressOrRange (required) | string | A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: “23.40.210.245” or “23.40.210.0/8”. |
locations
| Property | Value | Description |
|---|---|---|
| failoverPriority (required) | int | The failover priority of the region. A failover priority of 0 indicates a write region. The maximum value for a failover priority = (total number of regions - 1). Failover priority values must be unique for each of the regions in which the database account exists. |
| isZoneRedundant (required) | bool | Flag to indicate whether or not this region is an AvailabilityZone region |
| locationName (required) | string | The name of the region. |
virtualNetworkRules
| Property | Value | Description |
|---|---|---|
| id (required) | string | Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}. |
| ignoreMissingVNetServiceEndpoint (required) | bool | Create firewall rule before the virtual network has vnet service endpoint enabled. |
sqlRoleAssignments
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The unique identifier for the associated AAD principal in the AAD graph to which access is being granted through this Role Assignment. Tenant ID for the principal is inferred using the tenant associated with the subscription. |
| roleDefinition (required) | 'Cosmos DB Built-in Data Contributor' 'Cosmos DB Built-in Data Reader' |
The unique identifier for the associated Role Definition. |
cosmosdbBackupPolicy
Set the type property to specify the type of object.
For Continuous, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'Continuous' | |
| continuousModeProperties (required) | continuousModeProperties | Configuration values for continuous mode backup |
Set the type property to specify the type of object.
For Periodic, use:
| Property | Value | Description |
|---|---|---|
| type (required) | 'Periodic' | |
| backupIntervalInMinutes (required) | int | An integer representing the interval in minutes between two backups |
| backupRetentionIntervalInHours (required) | int | An integer representing the time (in hours) that each backup is retained |
| backupStorageRedundancy (required) | 'Geo' 'Local' 'Zone' |
Enum to indicate type of backup residency |
continuousModeProperties
| Property | Value | Description |
|---|---|---|
| tier (required) | 'Continuous30Days' 'Continuous7Days' |
Enum to indicate type of Continuous backup mode |
sqlDatabase
| Property | Value | Description |
|---|---|---|
| name (required) | string | The name of a computed property, for example - "cp_lowerName" |
| resource | resource | The standard JSON format of a SQL database |
| options | options | A key-value pair of options to be applied for the request. This corresponds to the headers sent with the request. |
| containers | sqlDatabaseContainer[] | SQL Database Containers in the SQL Database |
restoreParameters
| Property | Value | Description |
|---|---|---|
| restoreSource (required) | string | The id of the restorable database account from which the restore has to be initiated. For example: /subscriptions/{subscriptionId}/providers/Microsoft.DocumentDB/locations/{location}/restorableDatabaseAccounts/{restorableDatabaseAccountName} |
| restoreTimestampInUtc (required) | string | Time to which the account has to be restored (ISO-8601 format). |
| restoreWithTtlDisabled (required) | bool | Specifies whether the restored account will have Time-To-Live disabled upon the successful restore. |
resource
| Property | Value | Description |
|---|---|---|
| indexingPolicy | indexingPolicy | |
| partitionKey | partitionKey | The configuration of the partition key to be used for partitioning data into multiple partitions |
| uniqueKeyPolicy | uniqueKeyPolicy | The unique key policy configuration for specifying uniqueness constraints on documents in the collection in the Azure Cosmos DB service. |
autoscaleSettings
| Property | Value | Description |
|---|---|---|
| maxThroughput (required) | int | Represents maximum throughput, the resource can scale up to. |
options
| Property | Value | Description |
|---|---|---|
| autoscaleSettings | autoscaleSettings | Specifies the Autoscale settings. Note: Either throughput or autoscaleSettings is required, but not both. |
| throughput | int | Request Units per second. For example, "throughput": 10000 |
sqlDatabaseContainer
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| resource | resource | The standard JSON format of a container |
| options | options | A key-value pair of options to be applied for the request. This corresponds to the headers sent with the request. |
excludedPaths
| Property | Value | Description |
|---|---|---|
| path (required) | string | The path for which the indexing behavior applies to. Index paths typically start with root and end with wildcard (/path/*) |
indexes
| Property | Value | Description |
|---|---|---|
| dataType (required) | 'LineString' 'MultiPolygon' 'Number' 'Point' 'Polygon' 'String' |
The datatype for which the indexing behavior is applied to. |
| kind (required) | 'Hash' 'Range' 'Spatial' |
Indicates the type of index. |
| precision (required) | int | The precision of the index. -1 is maximum precision. |
includedPaths
| Property | Value | Description |
|---|---|---|
| indexes (required) | indexes[] | List of indexes for this path |
| path (required) | string | The path for which the indexing behavior applies to. Index paths typically start with root and end with wildcard (/path/*) |
spatialIndexes
| Property | Value | Description |
|---|---|---|
| path (required) | string | The path for which the indexing behavior applies to. Index paths typically start with root and end with wildcard (/path/*) |
| types (required) | Array containing any of: 'LineString' 'MultiPolygon' 'Point' 'Polygon' |
List of path's spatial type |
vectorIndexes
| Property | Value | Description |
|---|---|---|
| path (required) | string | The path to the vector field in the document. |
| type (required) | 'diskANN' 'flat' 'quantizedFlat' |
The index type of the vector. Currently, flat, diskANN, and quantizedFlat are supported. |
indexingPolicy
| Property | Value | Description |
|---|---|---|
| automatic (required) | bool | Indicates if the indexing policy is automatic |
| excludedPaths | excludedPaths[] | List of paths to exclude from indexing |
| includedPaths | includedPaths[] | List of paths to include in the indexing |
| indexingMode (required) | 'consistent' 'lazy' 'none' |
Indicates the indexing mode. |
| spatialIndexes | spatialIndexes[] | List of spatial specifics |
| vectorIndexes | vectorIndexes[] | List of paths to include in the vector indexing |
partitionKey
| Property | Value | Description |
|---|---|---|
| kind (required) | 'Hash' 'MultiHash' 'Range' |
Indicates the kind of algorithm used for partitioning. For MultiHash, multiple partition keys (upto three maximum) are supported for container create |
| paths (required) | string[] | List of paths using which data within the container can be partitioned |
| version | int | Indicates the version of the partition key definition |
uniqueKeys
| Property | Value | Description |
|---|---|---|
| paths (required) | string[] | List of paths must be unique for each document in the Azure Cosmos DB service |
uniqueKeyPolicy
| Property | Value | Description |
|---|---|---|
| uniqueKeys (required) | uniqueKeys[] | List of unique keys on that enforces uniqueness constraint on documents in the collection in the Azure Cosmos DB service. |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
3.3.0 (2025-10-06)
Features
- update resource api versions
3.2.2 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
3.2.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
3.2.0 (2025-03-26)
Features
- add resourceName output
3.1.0 (2025-03-19)
Features
- add indexing policy
3.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
2.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
1.0.1 (2025-01-02)
Bug Fixes
- use new toObject function for UserAssignedIdentities